Related links

PS7/15 - The PRA Rulebook: Part 2 https://www.bankofengland.co.uk/prudential-regulation/publication/2014/the-pra-rulebook-part-2
PS28/15 - The PRA Rulebook: Part 4 and response to Chapter 1 of CP41/15 https://www.bankofengland.co.uk/prudential-regulation/publication/2015/the-pra-rulebook-part-4
ESMA: Guidelines on certain aspects of the MiFID compliance function requirements http://www.esma.europa.eu/content/Guidelines-certain-aspects-MiFID-compliance-function-requirements
SS21/15 - Internal governance http://www.bankofengland.co.uk/pra/Pages/publications/ss/2016/ss2115update.aspx
SS28/15 - Strengthening individual accountability in banking http://www.bankofengland.co.uk/pra/Pages/publications/ss/2016/ss2815update2.aspx
SS20/15 - Supervising building societies’ treasury and lending activities http://www.bankofengland.co.uk/pra/Pages/publications/ss/2017/ss2015update.aspx
Delegated Regulation (EU) 2017/565 supplementing MiFID II on organisational requirements and operating conditions for investment firms http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2017.087.01.0001.01.ENG

Chapters

  • 1 Application
  • 2 Risk Control
  • 3 Risk Committee
  • 4 Group Arrangements

1 Application

1.1

Unless otherwise stated, this Part applies to a CRR firm

  (1) with respect to the carrying on of the following from an establishment in the UK:
    (a) regulated activities;
    (b) activities that constitute dealing in investments as principal, disregarding the exclusion in article 15 of the Regulated Activities Order;
    (c) ancillary activities;
    (d) in relation to MiFID business, ancillary services; and
    (e) unregulated activities in a prudential context; and
  (2) with respect to the carrying on of passported activities by it from a branch in another EEA state;
  (3) in a prudential context with respect to activities wherever they are carried on; and
  (4) taking into account any activity of other members of a group of which the firm is a member.

2 Risk Control

2.1

A firm must establish, implement and maintain adequate risk management policies and procedures, including effective procedures for risk assessment, which identify the risks relating to the firm's activities, processes and systems, and where appropriate, set the level of risk tolerated by the firm.

[Note: Art. 7(1)(a) of the MiFID implementing Directive, Art. 13(5) second paragraph of MiFID]

2.2

A firm must adopt effective arrangements, processes and mechanisms to manage the risk relating to the firm’s activities, processes and systems, in light of that level of risk tolerance.

[Note: Art. 7(1)(b) of the MiFID implementing Directive]

2.3

The management body of a firm must approve and periodically review the strategies and policies for taking up, managing, monitoring and mitigating the risks the firm is or might be exposed to, including those posed by the macroeconomic environment in which it operates in relation to the status of the business cycle.

[Note: Art. 76(1) of the CRD]

2.4

A firm must monitor the following:

  (1) the adequacy and effectiveness of the firm's risk management policies and procedures;
  (2) the level of compliance by the firm and its relevant persons with the arrangements, processes and mechanisms adopted in accordance with 2.2;
  (3) the adequacy and effectiveness of measures taken to address any deficiencies in those policies, procedures, arrangements, processes and mechanisms, including failures by the relevant persons to comply with such arrangements or processes and mechanisms or follow such policies and procedures.

[Note: Art. 7(1)(c) of the MiFID implementing Directive]

2.5

A firm must, where appropriate and proportionate in view of the nature, scale and complexity of its business and the nature and range of the investment services and activities undertaken in the course of that business, establish and maintain a risk management function that operates independently and carries out the following tasks:

  (1) implementation of the policies and procedures referred to in 2.1 to 2.4; and
  (2) provision of reports and advice to senior personnel in accordance with General Organisational Requirements 4.2.

[Note: Art. 7(2) first paragraph of the MiFID implementing Directive]

2.6

Where a firm is not required under 2.5 to maintain a risk management function that functions independently, it must nevertheless be able to demonstrate that the policies and procedures which it has adopted in accordance with 2.1 to 2.4 satisfy the requirements of those rules and are consistently effective.

[Note: Art. 7(2) second paragraph of the MiFID implementing Directive]

2.7

  (1) The management body of a firm has overall responsibility for risk management. It must devote sufficient time to the consideration of risk issues.
  (2) The management body of a firm must be actively involved in and ensure that adequate resources are allocated to the management of all material risks addressed in the rules implementing the CRD and in the CRR as well as in the valuation of assets, the use of external ratings and internal models related to those risks.
  (3) A firm must establish reporting lines to the management body that cover all material risks and risk management policies and changes thereof.

[Note: Art. 76(2) of the CRD]

3 Risk Committee

3.1

  (1) A firm that is significant must establish a risk committee composed of members of the management body who do not perform any executive function in the firm. Members of the risk committee must have appropriate knowledge, skills and expertise to fully understand and monitor the risk strategy and the risk appetite of the firm.
  (2) The risk committee must advise the management body on the institution's overall current and future risk appetite and assist the management body in overseeing the implementation of that strategy by senior management.
  (3) The risk committee must review whether prices of liabilities and assets offered to clients take fully into account the firm’s business model and risk strategy. Where prices do not properly reflect risks in accordance with the business model and risk strategy, the risk committee must present a remedy plan to the management body.

[Note: Art. 76(3) of the CRD]

3.2

  (1) A firm must ensure that the management body in its supervisory function and, where a risk committee has been established, the risk committee have adequate access to information on the risk profile of the firm and, if necessary and appropriate, to the risk management function and to external expert advice.
  (2) The management body in its supervisory function and, where one has been established, the risk committee must determine the nature, the amount, the format, and the frequency of the information on risk which it is to receive.

[Note: Art. 76(4) of the CRD]

3.3

In order to assist in the establishment of sound remuneration policies and practices, the risk committee must, without prejudice to the tasks of the remuneration committee, examine whether incentives provided by the remuneration system take into consideration risk, capital, liquidity and the likelihood and timing of earnings.

[Note: Art. 76(4) of the CRD]

3.4

  (1) A firm’s risk management function (2.5) must be independent from the operational functions and have sufficient authority, stature, resources and access to the management body.
  (2) The risk management function must ensure that all material risks are identified, measured and properly reported. It must be actively involved in elaborating the firm’s risk strategy and in all material risk management decisions and it must be able to deliver a complete view of the whole range of risks of the firm.
  (3) A firm must ensure that the risk management function is able to report directly to the management body in its supervisory function, independent from senior management and that it can raise concerns and warn the management body, where appropriate, where specific risk developments affect or may affect the firm, without prejudice to the responsibilities of the management body in its supervisory and/or managerial functions pursuant to the CRD and the CRR.

[Note: Art. 76(5) of the CRD]

3.5

The head of the risk management function must be an independent senior manager with distinct responsibility for the risk management function. Where the nature, scale and complexity of the activities of the firm do not justify a specially appointed person, another senior person within the firm may fulfil that function, provided there is no conflict of interest. The head of the risk management function must not be removed without prior approval of the management body and must be able to have direct access to the management body where necessary.

[Note: Art. 76(5) of the CRD]

4 Group Arrangements

4.1

Where a firm is a member of a consolidation group, the firm must ensure that the risk management processes and internal control mechanisms at the level of the consolidation group of which it is a member comply with the obligations set out in 2.3, 2.7 and Chapter 3 on a consolidated basis.

4.2

Compliance with the obligations referred to in 4.1 must enable the consolidation group to have arrangements, processes and mechanisms that are consistent and well integrated and that any data relevant to the purpose of supervision can be produced.

[Note: Art 109(2) of the CRD]