RM-A.2 RM-A.2 Module History
Evolution of the Module
RM-A.2.1
This Module was first issued in July 2007, as part of the second phase release of Volume 4's contents. It is dated July 2007. All subsequent changes to this Module are annotated with the end-calendar quarter date in which the change was made: UG-3 provides further details on Rulebook maintenance and version control.
Adopted: July 2007RM-A.2.2
A list of recent changes made to this Module is provided below:
Module Ref. Change Date Description of Changes RM-1.1.11 04/2008 Clarified the requirement for investment firm licensees to have a separate risk management function. RM-7.3.3 04/2008 Clarified that CBB prior approval is required for intra-group outsourcing. RM-7.1.6,
7.1.7 and
7.1.1607/2008 Clarified that CBB prior approval is required for outsourcing arrangements. RM-B.1.2 10/2009 Amended to reflect applicability of Chapters RM-7 and RM-8. RM-7.1.16 10/2009 Amended to read approved person. RM-7.3.7 10/2009 New Rule added to clarify that licensees may not outsource core business activities, including internal audit, to their group. RM-7.4 10/2009 Updated to reflect CBB's requirements for outsourcing the internal audit function. RM-1.1.10, RM-1.1.11, and RM-1.1.13 07/2010 Updated and amended to include requirements for the risk management function. RM-7.1.7 07/2010 New Rule added regarding outsourcing core business functions or activities to third parties. RM-A.1.4 01/2011 Clarified legal basis. RM-B.2 01/2011 Removed reference in title to affiliates. RM-4.1.8 and RM-4.1.9 07/2012 Replaced reference to "securities" with "financial instruments". RM-7.4.5 10/2012 Corrected typo. RM-7.4.2A 01/2013 New Paragraph added to require that the outsourcing of the internal audit function must be supported by a board resolution or ratified by the audit committee. RM-7.1.9 07/2013 Added cross reference. RM-7.1.9A and RM-7.3.4 07/2013 Made reference to considerable outsourcing. RM-7.4.4 07/2013 Changed Guidance to Rule. RM-1.1.10 to RM-1.1.13 10/2013 Amendments made to allow overseas investment firm licensees to outsource the risk management function to their head office, subject to the CBB's prior written approval. RM-1.1.7 01/2016 Corrected cross reference. RM-1.1.9 01/2016 Aligned risk categories as per Module RM. RM-4.1.17 01/2016 Restructured Subparagraphs to avoid duplication. RM-7.1.9 01/2016 Clarified Guidance. RM-7.1.1 10/2017 Amended Paragraph to allow the utilization of cloud services. RM-7.1.3A 10/2017 Added a new Paragraph on outsourcing requirements. RM-7.1.6 10/2017 Amended Paragraph. RM-7.1.9 10/2017 Amended Paragraph. RM-7.1.11 10/2017 Amended Paragraph. RM-7.1.11A 10/2017 Added a new Paragraph on outsourcing. RM-7.1.13 10/2017 Amended Paragraph. RM-7.1.14 10/2017 Amended Paragraph. RM-7.1.14(f) 10/2017 Added a new sub-Paragraph. RM-7.1.17 10/2017 Amended Paragraph. RM-7.2.4 10/2017 Amended Paragraph. RM-7.2.11 10/2017 Amended Paragraph. RM-7.2.12 10/2017 Amended Paragraph. RM-7.2.18 10/2017 Amended Paragraph. RM-7.2.19 10/2017 Added a new Paragraph on security measures related to cloud services. RM-7.3.3 10/2017 Amended Paragraph. RM-7.3.4 10/2017 Amended Paragraph. RM-9 04/2019 Added a new Chapter on Cyber Security Risk. RM-9.1 01/2022 Enhanced Section on Cyber Security Risk Management. RM-9.1.58 04/2022 Amended Paragraph on the cyber security reporting. RM-9.1.59 04/2022 Amended Paragraph on the submission of the cyber security report. RM-7 07/2022 Replaced Chapter RM-7 with new Outsourcing Requirements. RM-9.1.22 10/2022 Amended Paragraph on email domains requirements. RM-9.1.22A 10/2022 Added a new Paragraph on additional domains requirements. RM-7.1.7 07/2023 Amended Sub-paragraph (v) and added Sub-paragraph (viii) on Outsourcing Requirements. Superseded Requirements
RM-A.2.3
This Module does not replace any regulations or circulars in force prior to July 2007.
Adopted: July 2007RM-A.2.4
Further guidance on the implementation and transition to Volume 4 (Investment Business) is given in Module ES (Executive Summary).
Adopted: July 2007
