Standard 4.1
Internal control arrangements
Regulations and guidelines
How to read a standard
A standard is a collection of subject-specific regulations and guidelines which both obliges and guides
supervised entities and other financial market participants, indicates the quality level expected by the
supervisor, sets out the supervisor’s key principles of good practice and provides justification for
regulation.
Each paragraph in a standard is furnished with a
particular margin note:
Norm: A reference to a current legal or regulatory
provision.
Binding: A FIN-FSA regulation that is legally
binding on supervised entities or other financial
market participants, issued by the FIN-FSA by
virtue of its regulatory power based in Finnish
law.
Recommendation: FIN-FSA recommendatory
guidance to supervised entities or other financial
market participants.
Application guideline/example: A practical
application guideline or example related to a
norm, binding regulation or recommendation. A
reference to a FIN-FSA standard or a particular
point in the standard. See the attached example.
Justifications: An explanation of the
background, purpose and objectives of a
regulation or standard.
Sample standard only
FIN-FSA standards may be accessed from www.fin-fsa.fi/eng
THE FINANCIAL SUPERVISION AUTHORITY
4 Capital adequacy and risk management
4.1 Internal control arrangements
J. No. 5/790/2003
Issued on 27 May 2003
Valid from 1 July 2003 until further notice
Changed on 16 December 2008
For further details, please contact Institutional Supervision, tel. +358 10 831 5207
tel +358 10 831 51, fax +358 10 831 5328
www.rahoitustarkastus.fi
TABLE OF CONTENTS
1 Application ___________________________________________ 5
2 Objectives ____________________________________________ 7
3 International framework ________________________________ 8
4 Legal basis __________________________________________ 10
5 Key principles of internal control _________________________ 14
5.1 Internal control as part of skilled management based on sound and prudent business principles ____ 14
5.2 Responsibility for establishment and maintenance of internal control ____ 15
5.3 Arrangement of independent non-business functions ____________ 15
5.3.1 Risk control function ________________________________ 16
5.3.2 Compliance function _________________________________ 17
5.3.3 Internal audit function _______________________________ 17
6 Major elements of internal control ________________________ 18
6.1 Management policy and control culture ______________________ 18
6.2 Risk management _______________________________________ 19
6.3 Daily control and segregation of duties ______________________ 20
6.4 Reporting and communication _____________________________ 20
6.5 Monitoring the functioning of internal control __________________ 21
6.6 Prudential systems ______________________________________ 21
7 Reporting to FIN-FSA __________________________________ 23
8 Definitions __________________________________________ 24
9 Further details _______________________________________ 25
10 Revision history ______________________________________ 26
1 APPLICATION
Issued on 16.12.2008
Valid from 1 January 2009
(1) This standard comprises the key principles and arrangements of internal
control and of the risk management forming an integral part thereof. The
standard applies to the following companies as referred to in section 5 of the
Act on the Financial Supervision Authority:
- credit institutions and their holding companies
- investment firms and their holding companies
- fund management companies
- holding companies of financial and insurance conglomerates whose primary business is financial
- the central body referred to in the Act on Cooperative Banks and Other Cooperative Credit Institutions (Cooperative Banks Act) (1504/2001)
- stock exchanges and organisations controlling stock exchanges as referred to in chapter 1, section 5 of the Securities Markets Act.
Issued on 27 May 2003
Valid from 1 July 2003
(2) In addition, the standard applies to parent companies of financial and
insurance conglomerates whose primary business is financial.
Issued on 27 May 2003
Valid from 1 July 2003
(3) Below, the general expression ‘supervised entity’ refers to all entities
mentioned in paragraphs 1 and 2.
Issued on 16 December 2008
Valid from 1 January 2009
(4) Internal control shall cover all functions of the supervised entity. The
internal control arrangements must be commensurate with the supervised
entity’s organisational structure and the nature, scale and complexity of its
activities. Particular attention must be paid to the internal control
arrangements when the entity in question is a group or it is engaged in
business in several countries.
Issued on 16 December 2008
Valid from 1 January 2009
(5) If a supervised entity belongs to a group or another conglomerate, this
fact affects the organisation of its operations. A parent company guides and
controls the operations of its subsidiaries. Operations in the group can be
centrally planned and executed. Supervised entities that are subsidiaries shall
in the group see to the execution of the entity’s core operations and make
sure that related decisions are made in an appropriate manner in the entity.
Issued on 16.12.2008
Valid from 1 January 2009
(6) The standard applies to various supervised entities and functions. The
supervised entity shall consider the nature, scale and complexity of its
operations and other possible related factors when assessing how it in its
operations should meet the objectives of the standard in an appropriate and
efficient manner – what matters is that the board of directors can be assured
of the functioning and effectiveness of internal control. Compliance with
binding rules on internal control only as applicable requires a specific decision
by the board of directors concerning the observance of alternative control
practices. The supervised entity shall always ensure that the internal control is
adequate and commensurate with the risks involved in its operations.
Issued on 27 May 2003
Valid from 1 July 2003
(7) The Financial Supervision Authority (FIN-FSA) recommends that
supervised entities that are not bound by this standard also arrange their
internal control in accordance with the principles of the standard.
Issued on 16.12.2008
Valid from 1 January 2009
(8) The duties of the board of directors and the CEO and of the internal audit
and compliance functions and the performance of those duties have been
elaborated on in FIN-FSA standard 1.3 ‘Internal governance and organisation
of activities’.
Requirements on the integrity, fitness and professional competence (fitness
and propriety) of persons responsible for a supervised entity’s management
and core business functions and the principles to be followed in fit and proper
assessment have been dealt with in FIN-FSA standard 1.4 ‘Assessment of
fitness and propriety’.
Detailed risk management regulation is provided in the separate standards for
each risk area included in section 4 ‘Capital adequacy and risk management’
of the FIN-FSA set of regulations.
Separate standards have also been issued on the Internal Capital Adequacy
Assessment Process ICAAP (standard 4.2) and on outsourcing arrangements
(standard 1.6).
2 OBJECTIVES
Issued on 27 May 2003
Valid from 1 July 2003
(1) Entities supervised by FIN-FSA must be managed by skilled professionals
and according to sound and prudent business principles, and internal control
arrangements must form an integral part of this process.
Issued on 16.12.2008
Valid from 1 January 2009
(2) The objective of the regulation of internal control arrangements is to
ensure that
- the internal control of a supervised entity and of companies within its consolidation group is commensurate with the nature, scale and complexity of their activities
- the supervised entity and companies within its consolidation group do not take such risks in their activities as could materially jeopardise the supervised entity’s capital adequacy, liquidity or consolidated capital adequacy
- the supervised entity’s internal control methods enable detection, assessment and limitation of the risks involved in the business
- the supervised entity complies with the code of conduct in its customer relations.
Issued on 16.12.2008
Valid from 1 January 2009
(3) Another objective of the standard is to provide a general presentation of
the most important principles to be applied by the supervised entity in its
internal control arrangements. In particular, the standard emphasises the
responsibility of the supervised entity’s board of directors for the
establishment and maintenance of internal control.
3 INTERNATIONAL FRAMEWORK
Issued on 16.12.2008
Valid from 1 January 2009
(1) The standard is based on the recommendations of the Basel Committee on
Banking Supervision and the Committee of European Banking Supervisors
(CEBS). In the October 2006 revision of its recommendation ‘Core Principles
for Effective Banking Supervision’, the Basel Committee has presented core
principles for internal control arrangements commensurate with the size of the
bank and the scale of the business. These principles include clear
arrangements for:
- delegating authority and responsibility
- separation of the functions that involve making commitments on behalf of the bank, disbursement of funds from the bank, and accounting for its assets and liabilities
- reconciliation of these processes
- safeguarding the bank’s assets
- appropriate and independent functions to test the functioning and effectiveness of internal control and adherence to applicable laws and regulations.
Issued on 27 May 2003
Valid from 1 July 2003
(2) In September 1998, the Basel Committee issued the recommendation
‘Framework for Internal Control Systems in Banking Organisations’. In that
recommendation it emphasises that credit institutions’ board of directors, CEO
and other senior management as well as internal and external audit shall pay
increased attention to internal control arrangements and to ongoing
evaluation of their functioning. The principles of the recommendation
constitute the main contents of chapter 6 of this standard.
Issued on 16.12.2008
Valid from 1 January 2009
(3) In section 2.1 of the CEBS document ‘Guidelines on the Application of the
Supervisory Review Process under Pillar 2 (CP03 revised)’ of January 2006,
some basic principles assisting supervisors in achieving greater consistency
are presented in order to provide guidance on business organisation and
management and on assessment of internal control arrangements. Section
5.3 of this standard takes into account the principles of section 2.1 C of those
guidelines, ie principles for arranging independent non-business functions.
4 LEGAL BASIS
Issued on 16.12.2008
Valid from 1 January 2009
(1) The national regulatory framework for internal control arrangements is
based on the following EC directives:
- Directive 2006/48/EC of the European Parliament and of the Council relating to the taking up and pursuit of the business of credit institutions (32006L0048; OJ L 177, 30.6.2006, p. 1−200)
- Directive 2004/39/EC of the European Parliament and of the Council on markets in financial instruments amending Council Directives 85/611/EEC and 93/6/EEC and Directive 2000/12/EC of the European Parliament and of the Council and repealing Council Directive 93/22/EEC (32004L0039; OJ L 145, 30.4.2004, p. 1−44)
- Commission Directive 2006/73/EC implementing Directive 2004/39/EC of the European Parliament and of the Council as regards organisational requirements and operating conditions for investment firms and defined terms for the purposes of that Directive (32006L0073; OJ L 241, 2.9.2006, p. 26−58)
- Directive 2006/49/EC of the European Parliament and of the Council on the capital adequacy of investment firms and credit institutions (32006L0049; OJ L 177, 30.6.2006, p. 201−255)
- Council Directive 85/611/EEC on the coordination of laws, regulations and administrative provisions relating to undertakings for collective investment in transferable securities (UCITS) (31985L0611; OJ L 375, 31.12.1985, p. 3−18) and Directive 2001/107/EC of the European Parliament and of the Council amending Council Directive 85/611/EEC on the coordination of laws, regulations and administrative provisions relating to undertakings for collective investment in transferable securities (UCITS) with a view to regulating management companies and simplified prospectuses (32001L0107; OJ L 41, 13.2.2002, p. 20−34)
- Directive 2002/87/EC of the European Parliament and of the Council on the supplementary supervision of credit institutions, insurance undertakings and investment firms in a financial conglomerate and amending Council Directives 73/239/EEC, 79/267/EEC, 92/49/EEC, 92/96/EEC, 93/6/EEC and 93/22/EEC, and Directives 98/78/EC and 2000/12/EC of the European Parliament and of the Council (32002L0087; OJ L 35, 11.2.2003, p. 1−27).
Issued on 16.12.2008
Valid from 1 January 2009
(2) Detailed provisions on internal control arrangements included in article 22
and Annex V of Directive 2006/48/EC deal with sound administrative
procedures and internal control arrangements as part of the criteria for taking
up the business of a credit institution. Annex V of Directive 2006/48/EC
includes detailed fundamental requirements on governance arrangements and
risk classification and management.
Issued on 16.12.2008
Valid from 1 January 2009
(3) Corresponding requirements pertain to investment firms on the basis of
article 34 of Directive 2006/49/EC of the European Parliament and of the
Council on the capital adequacy of investment firms and credit institutions.
The article states that each investment firm shall fulfil the requirements in
article 22 of Directive 2006/48/EC.
Issued on 16.12.2008
Valid from 1 January 2009
(4) Requirements on adequate internal control mechanisms, effective risk
management principles and procedures, and independent risk management
arrangements in supplying investment services are included in article 13 of
Directive 2004/39/EC and articles 5−9 of Directive 2006/73/EC.
Issued on 16.12.2008
Valid from 1 January 2009
(5) Internal control and the risk management forming an integral part thereof
are regulated nationally through
- section 49, subsection 1 of the Credit Institutions Act (121/2007, CIA), which includes a general provision on risk management. The corresponding provision concerning a consolidation group is included in section 74 of the same Act
- section 54, subsection 2 of the CIA, which requires that credit institutions have principles and procedures for solvency and risk management. The corresponding provision concerning a consolidation group is included in section 78, subsection 2 of the same Act
- sections 33−35 of the Investment Firms Act (922/2007, IFA) and section 46, subsection 1 of the same Act (reference provision; see also section 2, subsection 5 of the CIA and
section 5, subsection 5 of the MFA)
- section 30, subsection 1 of the Mutual Funds Act (48/1999, MFA), which includes requirements on internal control and adequate risk management systems, and section 6, subsection 5 of the same Act (as regards fund management companies providing asset management, reference to section 46, subsection 1 of the IFA and thereby to the CIA)
- section 5 of the Cooperative Banks Act (1504/2001, CBA), which includes a general provision on risk management, and section 8, subsections 3 and 5 of the same Act, which deal with the capital adequacy assessment process in the amalgamation
- section 16, subsections 1−2 of the Act on Supervision of Financial and Insurance Conglomerates (699/2004, CSA), which include a general provision on risk management
- chapter 3, section 17 of the Securities Markets Act (495/1989, SMA), which includes a provision on arrangement of operations and chapter 4, section 12 of the same Act, which includes a requirement as regards securities intermediaries on a policy for identification and prevention of conflicts of interest (see also section 26, subsection 2 of the MFA on avoidance of conflicts of interest).
Issued on 16.12.2008
Valid from 1 January 2009
(6) FIN-FSA’s power to issue binding regulations on the subject of the
standard is based on the following provisions:
- section 2, subsection 5 and section 93, subsection 1 of the CIA
- section 35 and section 46, subsection 1 (reference provision to the CIA) and subsection 2 of the IFA
- section 5, subsection 5, section 26, subsection 3 and section 30a, subsection 3 of the MFA as well as section 6, subsection 5 of the same Act (as regards fund management companies providing asset management, reference to section 46, subsection 1 of the IFA and thereby to the CIA)
- section 5 and section 8, subsection 5 (capital adequacy assessment process) of the CBA
- section 16, subsection 3 of the CSA
- chapter 3, section 17, subsection 3 and chapter 4, section 12, subsection 4 of the SMA.
5 KEY PRINCIPLES OF INTERNAL CONTROL
5.1 Internal control as part of skilled management based on sound and prudent business principles
Justifications
Issued on 16.12.2008
Valid from 1 January 2009
(1) The supervised entity must have a skilled management that follows sound
and prudent business principles.
Justifications
Issued on 16.12.2008
Valid from 1 January 2009
(2) The key pillar of skilled management based on sound and prudent
business principles is effective and reliable internal control arrangements.
Justifications
Issued on 16.12.2008
Valid from 1 January 2009
(3) Internal control comprises economic and other control and is carried out
by the board of directors, CEO and other senior management as well as the
entire personnel. Internal control is by definition the part of management and
operations that seeks to ensure
- accomplishment of stated goals and objectives
- economic and effective use of resources
- adequate management of risks inherent in operations
- reliability and correctness of financial and other management information
- compliance with regulations
- adequate safeguarding of operations, data and assets of supervised entities and customers
- adequately and appropriately organised manually operated and IT-based systems to support the operations pursued.
5.2 Responsibility for establishment and maintenance of internal control
Norm
Issued on 16.12.2008
Valid from 1 January 2009
(4) The board of directors is responsible for a supervised entity’s
administration and for an appropriate organisation of its operations. [1]
Justifications
Issued on 16.12.2008
Valid from 1 January 2009
(5) The responsibilities of the board of directors and the CEO are specified in
corporate legislation and in the articles of association and rules of the
supervised entity.
Justifications
Issued on 16.12.2008
Valid from 1 January 2009
(6) The appropriate organisation of operations includes adequate and
functioning establishment and maintenance of internal control.
Application guideline
Issued on 16.12.2008
Valid from 1 January 2009
(7) As regards the duties of the board of directors, this standard also takes
into account the possibility of a supervisory board within the supervised
entity. If there is a supervisory board, it is important that the segregation of
duties between the board of directors and the supervisory board is clearly
specified.
Application guideline
Issued on 16.12.2008
Valid from 1 January 2009
(8) A parent company’s board of directors should be assured of the
compliance with harmonised principles of internal control in all entities
controlled by the company. The conduct of the parent company’s board of
directors in this respect does not affect the responsibility of a subsidiary’s
board of directors for the internal control arrangements within its own
company.
5.3 Arrangement of independent non-business functions
Binding
Issued on 16.12.2008
Valid from 1 January 2009
(9) In the supervised entity, the following independent non-business functions
shall be arranged to ensure effective and comprehensive internal control for
all areas of operation of the supervised entity:
- risk control function
- compliance function
- internal audit function.
[1] See chapter 6, section 2, subsection 1 of the Companies Act (CA), chapter 5, section 6, subsection 2 of the Cooperatives Act (COA) and section 52, subsection 1 of the Savings Bank Act (SBA).
Binding
Issued on 16.12.2008
Valid from 1 January 2009
(10) The board of directors shall ensure that the risk control function,
compliance function and internal audit function have sufficient and skilled
human resources commensurate with the nature, scale and complexity of the
supervised entity’s activities.
5.3.1 Risk control function
Binding
Issued on 16.12.2008
Valid from 1 January 2009
(11) An independent risk control function outside the risk-taking business
must be established to monitor the risk-taking activities.
Binding
Issued on 16.12.2008
Valid from 1 January 2009
(12) By controlling risks and risk management, the risk control function shall
ensure the supervised entity’s compliance with the risk management
principles and risk strategy approved by the board of directors. The function
shall maintain, develop and prepare risk management principles for approval
by the board of directors and design and develop procedures for controlling
risks and risk management. It shall make sure that each risk remains within
confirmed limits. It shall also make sure that the procedures available for
measuring each risk are appropriate and reliable. The procedures must
include assessment of the impact of exceptional situations (stress tests).
Binding
Issued on 16.12.2008
Valid from 1 January 2009
(13) In addition, the risk control function must ensure that the total effect of
all material business risks on the performance of the supervised entity and its
consolidation group and on the regulatory capital is reported to the board of
directors.
Binding
Issued on 16.12.2008
Valid from 1 January 2009
(14) Furthermore, a comprehensive summary or account of the operations of
the risk control function and its observations shall be submitted at least once
a year to the board of directors. Measures taken to remedy possible
shortcomings shall be mentioned in the summary or account.
Justifications
Issued on 16.12.2008
Valid from 1 January 2009
(15) Based on the summary or account, the board of directors will make an
assessment of the reliability and effectiveness of risk control within the
supervised entity.
Application guideline
Issued on 16.12.2008
Valid from 1 January 2009
(16) No risk control function need be established if the nature and scale of the
business carried out by the supervised entity is such that the board of
directors is otherwise capable of ensuring the functioning and effectiveness of
risk management.
Binding
Issued on 16.12.2008
Valid from 1 January 2009
(17) Not to establish a risk control function in the supervised entity requires a
specific decision by the board of directors. The decision shall make it clear
how the board of directors can ensure the functioning and effectiveness of risk
management.
Binding
Issued on 16.12.2008
Valid from 1 January 2009
(18) If the supervised entity does not have a separate and independent risk
control function, it shall appoint a person responsible for the function.
5.3.2 Compliance function
Justifications
Issued on 16.12.2008
Valid from 1 January 2009
(19) The success of financial market participants requires that their customers
and the market have confidence in their activities. Careful compliance with
legislation, the guidelines and regulations issued by the authorities and the
self-regulation of the market will help to maintain such confidence.
Compliance with internal rules of the supervised entity, binding ethical
principles for the personnel and other instructions also support confidence.
Application guideline
Issued on 16.12.2008
Valid from 1 January 2009
(20) Provisions on the compliance function are included in FIN-FSA Standard
1.3 ‘Internal governance and organisation of activities’.
5.3.3 Internal audit function
Justifications
Issued on 16.12.2008
Valid from 1 January 2009
(21) Internal audit is an independent and objective assessment and
verification function to test the adequacy, functioning and effectiveness of
internal control.
Application guideline
Issued on 16.12.2008
Valid from 1 January 2009
(22) Provisions on the internal audit and internal audit arrangements are
included in FIN-FSA Standard 1.3 ‘Internal governance and organisation of
activities’.
6 MAJOR ELEMENTS OF INTERNAL CONTROL
6.1 Management policy and control culture
Norm
Issued on 16.12.2008
Valid from 1 January 2009
(1) The board of directors is responsible for a supervised entity’s
administration and for the appropriate organisation of its operations. [2]
Binding
Issued on 16.12.2008
Valid from 1 January 2009
(2) Functioning and effective internal control requires that the board of
directors, CEO and other senior management:
- promote the formation of a corporate culture that accepts internal control as a normal and necessary part of corporate operations
- ensure that the employees are skilled, that they are suitable for and committed to their job, and that they understand the importance of internal control and their own contribution to it.
Application guideline/example
Issued on 16.12.2008
Valid from 1 January 2009
(3) Typical duties of the board of directors as regards internal control are to:
- bear primary responsibility for internal control and its functioning
- approve the principles of risk management and ensure that they contain a procedure for the start-up of new business activities and for introducing new products
- be assured of the functioning of risk management and of its compliance with legislation and authority regulations or guidelines
- decide on reporting and other internal control procedures through which the board of directors monitors operations, operating performance and the risks involved in the operations.
[2] See chapter 6, section 2, subsection 1 of the CA, chapter 5, section 6, subsection 2 of the COA and section 52, subsection 1 of the SBA.
Norm
Issued on 16.12.2008
Valid from 1 January 2009
(4) The CEO shall take care of the executive management of the company in
accordance with instructions issued by the board of directors.3
Application guideline/example
Issued on 16.12.2008
Valid from 1 January 2009
(5) The duties of the CEO and other senior management include:
• ensuring that the practical measures of internal control are taken
• developing and maintaining procedures that are based on risk management principles approved by the board of directors and through which risks are recognised, assessed and measured as well as monitored and limited; these procedures shall be documented
• maintaining an organisational structure in which responsibilities, powers and reporting relationships are clearly and comprehensively defined in writing
• arranging independent non-business functions to ensure effective and comprehensive internal control for all areas of operation of the supervised entity.
6.2 Risk management
Justifications
Issued on 16.12.2008
Valid from 1 January 2009
(6) Risk management forms an integral part of internal control. The purpose
of risk management is to ensure that material risks are recognised, assessed
and measured as well as monitored as part of the daily management of
business activities.
Binding
Issued on 27 May 2003
Valid from 1 July 2003
(7) Risk management shall cover all material business risks of the supervised
entity: both internal and external, both measurable and non-measurable, both
risks controllable by the supervised entity and risks that cannot be controlled,
i.e. risks that the supervised entity can only protect itself against. The
supervised entity shall specify measurement methods for measurable risks
and develop appropriate assessment methods for the management of non-
measurable risks.
Binding
Issued on 27 May 2003
Valid from 1 July 2003
(8) The supervised entity must continuously develop and maintain risk
management procedures to ensure that all new and material but so far
unrecognised risks also become covered by risk management.
3 See chapter 6, section 17, subsection 1 of the CA, chapter 5, section 6, subsection 2 of the COA and section 56 of the SBA.
Application guideline
Issued on 16.12.2008
Valid from 1 January 2009
(9) Detailed risk management regulation by risk area is provided in the
separate standards for each risk area included in section 4 of FIN-FSA’s set of
regulations.
6.3 Daily control and segregation of duties
Binding
Issued on 16.12.2008
Valid from 1 January 2009
(10) Internal control shall be part of the supervised entity’s daily activities.
Justifications
Issued on 16.12.2008
Valid from 1 January 2009
(11) Functioning and effective internal control requires that an appropriate
internal control structure is set up in the supervised entity with control
activities defined at every business level.
Justifications
Issued on 16.12.2008
Valid from 1 January 2009
(12) Functioning and effective internal control also requires appropriate
segregation of duties between different individuals and that measures are
taken to ensure that no member of the supervised entity’s personnel, as a
representative of the entity, monitors its own business or the business of
related entities or otherwise influences and/or participates in decision-making
concerning such business. Possible high-risk combinations of duties in an
individual’s job description, or conflicts of interest, shall be recognised and, if
possible, eliminated.
Application guideline/example
Issued on 16.12.2008
Valid from 1 January 2009
(13) Daily control activities include reports to the board of directors, CEO and
other senior management, appropriate measurements applicable to each
business area and unit, physical controls, checking for compliance with agreed
exposure limits and operating principles/instructions and follow-up on non-
compliance, a system of approvals and authorisations, and different
verification and reconciliation measures.
Application guideline
Issued on 16.12.2008
Valid from 1 January 2009
(14) Management of conflicts of interest and other organisation of activities of
supervised entities providing investment services have been regulated in
detail in FIN-FSA Standard 1.3 ‘Internal governance and organisation of
activities’.
6.4 Reporting and communication
Justifications
Issued on 16.12.2008
Valid from 1 January 2009
(15) One of the preconditions of effective internal control is that the board of
directors, CEO and other senior management, as a basis for their decision-
making, are provided with adequate and comprehensive information, such as
the supervised entity’s own internal financial and operational data and data on
compliance with external regulations and internal procedures as well as
external data on the business environment and market developments. The information shall be
reliable, material, timely, and provided in the agreed format.
Recommendation
Issued on 16.12.2008
Valid from 1 January 2009
(16) To ensure effective internal control, the flow of necessary information
should be free upward, downward and laterally throughout the organisation.
Justifications
Issued on 16.12.2008
Valid from 1 January 2009
(17) A well-implemented organisational structure supports the upward flow of
information so that the board of directors, CEO and other senior management
get the information they need (on operating performance, risks, deviations,
observations of effective control etc.). An appropriate downward flow of
information ensures that the personnel have knowledge of policies and
procedures approved by the board of directors that are necessary for
executing their duties, and that they are also provided with other information
needed for executing their duties.
Binding
Issued on 16.12.2008
Valid from 1 January 2009
(18) The CEO and other senior management of the supervised entity shall
ensure that individuals at all levels in the organisation receive the information
they need for executing their duties.
6.5 Monitoring the functioning of internal control
Binding
Issued on 27 May 2003
Valid from 1 July 2003
(19) The functioning of internal control in the supervised entity shall be
assessed effectively and from a variety of perspectives. At agreed intervals,
internal control shall also be audited as a larger whole.
Justifications
Issued on 16.12.2008
Valid from 1 January 2009
(20) A precondition of effective and versatile internal control is that any
shortcomings and development issues therein detected in the business
activities of the supervised entity are documented and reported to the
appropriate management level and remedied promptly.
Recommendation
Issued on 27 May 2003
Valid from 1 July 2003
(21) Material observations should be reported all the way to the CEO and
board of directors. Summarising reports should also be prepared on identified
issues and corrective measures so that the supervised entity’s board of
directors and CEO can obtain an overall picture of the functioning and
effectiveness of internal control.
6.6 Prudential systems
Binding
Issued on 27 May 2003
Valid from 1 July 2003
(22) The supervised entity shall have adequate and appropriately designed
manual and IT systems commensurate with the nature and complexity of its
activities. The systems shall form the basis for the entity’s operational
activities.
Binding
Issued on 16 December 2008
Valid from 1 January 2009
(23) The activities, data processing and communication of the supervised
entity shall be arranged in an adequately prudential manner and the assets
and information shall also be secured.
Application guideline
Issued on 16 December 2008
Valid from 1 January 2009
(24) Detailed regulation on IT systems and IT security is provided in FIN-FSA
Standard 4.4b ‘Management of operational risk’.
7 REPORTING TO FIN-FSA
Justifications
Issued on 27 May 2003
Valid from 1 July 2003
(1) The internal control arrangements do not involve a separate, regular
obligation of reporting to FIN-FSA.
Application guideline
Issued on 16.12.2008
Valid from 1 January 2009
(2) However, the supervised entities shall in their financial statements also
provide regular information on arrangements for internal control and for the
risk management forming an integral part thereof.
Application guideline
Issued on 16.12.2008
Valid from 1 January 2009
(3) Detailed regulation of the contents of the information to be presented in
the financial statements is provided in the section ‘Accounting and financial
statements’ in FIN-FSA’s set of regulations.
8 DEFINITIONS
Issued on 16.12.2008
Valid from 1 January 2009
Independent non-business functions neither participate in the business management nor carry responsibility for the financial performance. As a rule, a function may be considered independent when the following terms and conditions are fulfilled:
• within the organisation the function is separated from the activities that it controls. The manager of the function is placed under a person who is not responsible for the activities that the function controls
• the staff of the function performs no duties that are included in those that the function is supposed to control
• the manager of the function is accountable directly to the board of directors, CEO and other senior management and/or the audit committee
• the employment of the staff of the function is not connected to the financial performance of the activities that the function controls.
Issued on 16.12.2008
Valid from 1 January 2009
Other senior management includes persons that in addition to the board of
directors and the CEO actually manage the activities of the supervised entity.
For example, the manager of an important business line of the supervised
entity may be such a person. Together with the board of directors and the
CEO, the members of other senior management constitute the senior
management of the supervised entity.
9 FURTHER DETAILS
Please find the necessary contact information in the list of Persons
responsible for standards provided on the FSA website. For further
information, please contact:
Institutional Supervision, tel. +358 10 831 5207
10 REVISION HISTORY
When this standard entered into force (on 1 July 2003), it repealed the
following FIN-FSA regulations and guidelines:
• Regulation on risk management and other aspects of internal control in credit institutions (108.1)
• Guideline on risk management and internal control principles as well as internal audit function of credit institutions (108.2), with the exception of the provisions on data processing and internal audit. Details on those will be provided in standards to be completed at a later date.
• Guideline on risk management and other aspects of internal control in stock exchange (202.13), with the exception of the provisions on data processing and internal audit. Details on those will be provided in standards to be completed at a later date.
• Regulation on risk management and other aspects of internal control in investment firms (203.27)
• Guideline on risk management and internal control principles as well as internal audit function of investment firms (203.28), with the exception of the provisions on data processing and internal audit. Details on those will be provided in standards to be completed at a later date.
• Guideline on risk management and other aspects of internal control in central securities depository (206.4), with the exception of the provisions on data processing and internal audit. Details on those will be provided in standards to be completed at a later date.
Section 5.4 has been repealed by Standard 1.6 ‘Outsourcing arrangements’,
which became valid on 1 November 2007.
On 16 December 2008, the standard has been revised as follows:
Issued on 16 December 2008, valid from 1 January 2009
• Changes in the international and national regulatory framework have been taken into account.
• The scope of application has been extended to include fund management companies, holding companies of financial and insurance conglomerates whose primary business is financial, and stock exchanges and organisations controlling stock exchanges as referred to in chapter 1, section 5 of the Securities Markets Act.
• The objectives of the standard have been presented more clearly.
• The name of the standard has been changed from ‘Establishment and maintenance of internal control and risk management’ to ‘Internal control arrangements’.
• A new section 5.3 ‘Arrangement of independent non-business functions’ has been added.
• The previous section 5.3 ‘Independent risk management assessment’ has been moved and included as subsection 5.3.1 ‘Risk control function’ after revision of the function task description.
• Two new subsections 5.3.2 ‘Compliance function’ and 5.3.3 ‘Internal audit function’ have been added.
• New margin notes have been introduced.
• The definition of independent function has been revised.
• The definitions of board of directors and senior management have been removed.
• A new definition of other senior management has been added.
• The text of the standard has been rephrased.
All earlier versions of the standard have been gathered under Regulation/FSA
standards on the FIN-FSA website.