C4-4 Risk Management
C4-4.1 Risk Governance
C4-4.1.1
The Board of category 4 investment firms is ultimately responsible for the establishment of an adequate and effective framework for identifying, measuring, monitoring and managing risks. The CBB expects the Board to be able to demonstrate that it provides suitable oversight and establishes effective systems and controls proportionate to the nature, scale and complexity of the licensee’s activities.
Added: January 2022
C4-4.1.2
Category 4 investment firms must have a risk management function, independent of risk-taking, commensurate with the nature, scale and complexity of their business. The duties of the risk management function include but are not limited to:
(a) Identifying, measuring, monitoring, and controlling the major sources of risks associated with the operations of the licensee including any entity it may own, control or manage on an ongoing basis;
(b) Reporting to the Board and senior management on all material risks the licensee is exposed to; and
(c) Documenting the processes and systems by which it identifies and monitors material risks, and how it reports to the Board and senior management these risks.
Added: January 2022
C4-4.2 Risk Management Framework
C4-4.2.1
The risk management framework of category 4 investment firms must provide for the establishment and maintenance of effective systems and controls including Board approved policies that enable the licensee to identify, measure, monitor and manage the major sources of risk arising from its own books and those arising from the CIU it operates in each of the following categories:
(a) Counterparty risk;
(b) Market risk;
(c) Liquidity risk;
(d) Operational risk (including where relevant cyber security risk);
(e) Outsourcing Risk; and
(f) Any additional categories relevant to its business.
Added: January 2022
C4-4.2.2
Category 4 investment firms must have contingency arrangements to ensure that they can access sufficient liquid financial resources to meet liabilities as they fall due.
Added: January 2022
C4-4.2.3
The risk reporting and monitoring systems of category 4 investment firms must be independent of the employees who are responsible for exposing the licensee to risk.
Added: January 2022
Valuation
C4-4.2.4
Category 4 investment firms must have policies and procedures for valuation of assets under management. Wherever possible, the licensee must use mark to market approach for valuation purposes. Where mark to model approach is not used due to lack of market prices, licensees must follow internationally recognised standards for valuation. Licensees must also utilise independent valuation experts to verify accuracy of valuation models.
Added: January 2022
Business Continuity Planning
C4-4.2.5
Category 4 investment firms must maintain a business continuity plan (BCP) appropriate to the size and complexity of its operations. The BCP must include procedures for ensuring that critical systems, functions and operations can be maintained or recovered in a timely manner in the event of a disruption.
Added: January 2022
Review
C4-4.2.6
Category 4 investment firms must establish mechanisms, including internal audits, to verify that controls, once established, are being followed.
Added: January 2022
C4-4.3 Outsourcing Risk
C4-4.3.1
Category 4 investment firms must identify all material outsourcing contracts and ensure that the risks associated with such contracts are adequately controlled.
Added: January 2022
C4-4.3.2
Outsourcing means an arrangement whereby a third party performs on behalf of a licensee an activity that was previously undertaken by the licensee itself (or in the case of a new activity, one which ordinarily would have been performed internally by the licensee).
Added: January 2022
C4-4.3.3
For purposes of C4-4.3.1, a contract is ‘material’ where, if it failed in any way, it would pose significant risks to the on-going operations of a licensee, its reputation and/or the quality of service provided to its clients. For instance, the outsourcing of all or a substantial part of functions such as financial control, risk management, internal audit would be considered “material”. Management should carefully consider whether a proposed outsourcing arrangement falls under this Module’s definition of “material”. If in doubt, management should consult with the CBB.
Added: January 2022
C4-4.3.4
Category 4 investment firms must retain ultimate responsibility for functions or activities that are outsourced. In particular, licensees must ensure that they continue to meet all their regulatory obligations with respect to outsourced activities.
Added: January 2022
C4-4.3.5
Category 4 investment firms must seek the CBB’s prior written approval before committing to a new material outsourcing arrangement in accordance with Paragraph C4-2.1.10. The approval request must contain sufficient detail to demonstrate that relevant issues raised in this Chapter have been addressed.
Added: January 2022
C4-4.3.6
Category 4 investment firms must immediately inform the CBB of any material problems encountered with an outsourcing provider.
Added: January 2022
C4-4.3.7
The CBB reserves the right to require a licensee to terminate or make alternative outsourcing arrangements if, among other reasons, the confidentiality of its customer information was, or is likely to be, breached or the ability of the CBB to carry out its supervisory functions in view of the outsourcing arrangement cannot be assured or executed.
Added: January 2022
C4-4.3.8
The CBB requires ongoing access to the outsourced activity, which it may occasionally want to examine itself, through management meetings or on-site examinations.
Added: January 2022
Risk Assessment
C4-4.3.9
Category 4 investment firms must undertake a thorough risk assessment of an outsourcing proposal, before formally submitting the request for approval to the CBB and committing itself to an agreement.
Added: January 2022
C4-4.3.10
Before entering into, or significantly changing, an outsourcing arrangement, a licensee should:
(a) Analyse how the arrangement will fit with its organisation and reporting structure; business strategy; overall risk profile; and ability to meet its regulatory obligations;
(b) Consider whether the agreements establishing the arrangement will allow it to monitor and control its operational risk exposure relating to the outsourcing;
(c) Conduct appropriate due diligence of the service provider’s financial stability and expertise;
(d) Consider how it will ensure a smooth transition of its operations from its current arrangements to a new or changed outsourcing arrangement (including what will happen on the termination of the contract);
(e) Consider any concentration risk implications such as the business continuity implications that may arise if a single service provider is used by several firms; and
(f) Analyse the outsourcing provider’s financial soundness, its technical competence, its commitment to the arrangement, its reputation, its adherence to international standards, and the associated country risk.
Added: January 2022
C4-4.3.11
In negotiating its contract with a service provider, a licensee should have regard to:
(a) Reporting or notification requirements it may wish to impose on the service provider;
(b) Whether sufficient access will be available to its internal auditors, external auditors and to the CBB;
(c) Information ownership rights, confidentiality agreements and Chinese walls to protect client and other information (including arrangements at the termination of the contract);
(d) The adequacy of any guarantees and indemnities;
(e) The extent to which the service provider must comply with the licensee’s policies and procedures (covering, for example, information security);
(f) The extent to which a service provider will provide business continuity for outsourcing operations;
(g) The processes for making changes to the outsourcing arrangement and the conditions under which the licensee or service provider can choose to change or terminate the outsourcing arrangement, such as where there is:
(i) A change of ownership or control (including insolvency or receivership) of the service provider or firm;
(ii) Significant change in the business operations (including sub-contracting) of the service provider or firm; or
(iii) Inadequate provision of services that may lead to the firm being unable to meet its regulatory obligations.
Added: January 2022
C4-4.3.12
Category 4 investment firms must maintain and regularly review contingency plans to enable them to set up alternative arrangements with minimum disruption to business should the outsourcing contract be terminated, or the outsourcing provider fail. This may involve the identification of alternative outsourcing providers or the provision of the service in-house. These plans must consider how long the transition would take and what interim arrangements would apply.
Added: January 2022
C4-4.3.13
All material outsourcing arrangements by a category 4 investment firm must be the subject of a legally enforceable outsourcing agreement. The contractual liabilities and obligations of the outsourcing provider and licensee must be clearly specified in an outsourcing agreement. Where the outsourcing provider interacts directly with a licensee’s customers, the contract must, where relevant, reflect the licensee’s own standards regarding client care. Once an outsourcing agreement has been entered into, licensees must regularly review the suitability of the outsourcing provider, and the on-going impact of the agreement on their risk profile and systems and controls framework.
Added: January 2022
C4-4.3.14
Category 4 investment firms must ensure that the outsourcing arrangement is in compliance with the Personal Data Protection Law (PDPL) and the outsourcing provider implements adequate safeguards and procedures to protect client data confidentiality.
Category 4 investment firms must ensure that they retain title under any outsourcing agreements for data, information and records that form part of the prudential records of the licensee.
Added: January 2022
C4-4.3.15
Category 4 investment firms must ensure that their internal and external auditors have timely access to any relevant information they may require to fulfil their responsibilities. Such access must allow them to conduct on-site examinations of the outsourcing provider, if required.
Added: January 2022
C4-4.3.16
Category 4 investment firms must also ensure that the CBB inspectors and appointed experts have timely access to any relevant information they may reasonably require to fulfil its responsibilities under the law. Such access must allow the CBB to conduct on-site examinations of the outsourcing provider, if required.
Added: January 2022
C4-4.3.17
Termination under any other circumstances allowed under the agreement must give category 4 investment firms a sufficient notice period in which they can effect a smooth transfer of the service to another provider or bring it back in-house.
Added: January 2022
Outsourcing Controls
Internal Audit Outsourcing
C4-4.3.18
Category 4 investment firms must not outsource their internal audit function to the same firm that acts as their external auditors.
Added: January 2022
C4-4.3.19
Board and management of licensees must retain responsibility for ensuring that an adequate internal audit programme is implemented, and will be held accountable in this respect by the CBB.
Added: January 2022