As the due date for licensed corporations to submit their Managers-In-Charge (MICs) details to the Securities and Futures Commission (SFC) is approaching (17 July 2017), it is timely for senior management and the respective MICs to revisit the Management, Supervision and Internal Control Guidelines For Persons Licensed by or Registered with the Securities and Futures Commission (Internal Control Guidelines or ICG) to examine whether they have in place adequate and effective internal control.
All eight areas set out in the ICG are relevant to the MICs for Overall Management Oversight and Key Business Lines. There are also specific sections which are directly relevant to the MIC core functions: Operational Control and Review, Risk Management, Information Technology and Compliance.
We urge clients to give the ICG due focus. The ICG, written back in 2003, may be considered tricky to reconcile with the provisions of the Code of Conduct for Persons Licensed by or Registered by the Securities and Futures Commission(Code of Conduct) as the two documents have a different structure. However, we hope that clients would find this summary useful and timely for their roles under the new senior management accountability regime.
Paragraph 4.3 of the Code of Conductrequires licensed firms to have sufficient internal control procedures to protect their operations and clients from financial loss caused by theft, fraud and other misconduct.
Areas requiring internal control
Suggested control techniques
In addition to guidance in the above areas, the ICG provides additional practical steps in connection with operational control and risk management (see separately Parts A and B of the Appendix of the ICG).
Although these steps are described as “suggested control”, it is advisable for them to be considered as regulatory requirements and followed by licensed firms, including their employees, directors and other persons performing services on behalf of the firm and these persons are collectively referred to as “staff”.
Who is responsible?
The “management” personnel of licensed firms are responsible for ensuring their firms have in place effective internal control to ensure compliance with all the relevant laws and regulations.
The term “management” includes the firms and their senior management, including the board of directors, Chief Executive Officer, Managing Director, or other senior operating management personnel.
1. Management and supervision
Qualified and experienced individuals should take up management and supervisory roles. Management should have in place a robust internal control system including:
2. Segregation of duties and functions
3. Personnel and training
Staff should be fit and proper for their roles and responsibilities and appropriately licensed. Staff should also be provided with:
In particular, the policies must include staff personal account dealing rules that requires semi-annual disclosure of investment holdings by staff.
4. Information management
Qualified and experienced staff should be assigned to manage information and it should be managed in a secure and controlled environment. Management should ensure the firm has in place:
Qualified and experienced staff should be responsible for the compliance function. Management should ensure the firm has in place the following written rules:
6. Operation control
Management should have in place control measures covering the following areas:
Please read Part A of the Appendix to the ICG for the details of the control required.
Qualified and experienced audit personnel should be responsible for the internal audit function. Management should ensure the internal audit function is effective, independent and objective, and report directly to the management / audit committee.
Management should also ensure the following are in place:
8. Risk management
Management should have in place an appropriate and effective risk management function, as well as written policies and procedures including risk measurement, reporting methodologies and review mechanism. Please read Part B of the Appendix to the ICG for the details of the control required.