• GEN 3.3 Systems and controls

    • General requirement

      • GEN 3.3.1

        (1) An Authorised Person must establish and maintain systems and controls, including but not limited to financial and risk systems and controls, that ensure that its affairs are managed effectively and responsibly by its senior management.
        (2) An Authorised Person must undertake regular reviews of its systems and controls.

        • Guidance

          The nature and extent of the systems and controls of an Authorised Person will depend upon a variety of factors including the nature, scale and complexity of its business. While all Authorised Persons, irrespective of the nature, scale, and complexity of their business and legal structure or organisation need to comply with this Chapter, the Regulator will take into account these factors and the differences that exist between Authorised Persons when assessing the adequacy of an Authorised Person's systems and controls. Nevertheless, neither these factors nor the differences relieve an Authorised Person from compliance with its regulatory obligations.

    • Organisation

      • GEN 3.3.2

        (1) An Authorised Person must establish and implement, taking due account of the nature, scale and complexity of its business and structure, adequate measures to ensure that:
        (a) the roles and responsibilities assigned to its Governing Body and the members of that body, senior management and Persons Undertaking Key Control Functions are clearly defined;
        (b) there are clear reporting lines applicable to the individuals undertaking those functions; and
        (c) the roles, responsibilities and reporting lines referred to in (a) and (b) are documented and communicated to all relevant Employees.
        (2) An Authorised Person must ensure that any Employee who will be delivering Regulated Activities to its Customers is clearly identified, together with his respective lines of accountability and supervision.
        (3) An Authorised Person which is conducting Investment Business or the Regulated Activities of Acting as the Administrator of a Collective Investment Fund or Providing Trust Services must ensure it makes publicly available details of any Employee who delivers Regulated Activities to its Customers, by including such information:
        (a) in a register, maintained by the Authorised Person at its place of business and open for inspection during business hours; or
        (b) on the website of the Authorised Person.
        (4) An Authorised Person referred to in (3) must have complete and up-to-date information on its register or website, including:
        (a) the date on which the relevant Employee commenced delivering Regulated Activities to Customers; and
        (b) the Regulated Activities which that Employee is permitted by the Authorised Person to deliver to Customers.

        • Guidance

          1. The term Employee is defined in the Glossary ("GLO") widely and includes members of the Governing Body or Directors and Senior Managers of the Authorised Person. Therefore, the requirements relating to Employees in Rules 3.3.19, 3.3.20, 3.3.21 and 3.3.42 apply to all Employees including those across the organisation.
          2. The division of responsibilities between the Governing Body and the senior management should be clearly established and set out in writing. In assigning duties, the Governing Body should take care that no one individual has unfettered powers in making material decisions.
          3. Members of the Governing Body may include individuals undertaking senior management functions (such as the chief executive of the firm) and Persons Undertaking Key Control Functions. In assigning specific functions to such individuals, care should be taken to ensure that the integrity and effectiveness of the functions they are to perform are not compromised. For example, if the chairperson of the Governing Body is also the chief executive officer of the Authorised Person, the Governing Body should ensure that the performance assessment of that individual in his roles should be undertaken by a senior non-executive member of the Governing Body or a skilled person.
          4. Persons Undertaking Key Control Functions are defined in GLO in an inclusive manner to encompass Persons such as the heads of risk control, compliance and internal audit functions. In the case of an Insurer, the Actuary also is a Person who Undertakes a Key Control Function.
          5. An example of an Employee providing Regulated Activities to a Customer is a client relationship manager employed by an Authorised Person providing wealth management services. In contrast, an Employee who may be employed in the back office of an Authorised Person with responsibility for setting up Client Accounts would not be client facing.

      • GEN 3.3.3

        An Authorised Person must ensure that key duties and functions are segregated. Such segregation must ensure that the duties and functions to be performed by the same individual do not conflict with each other, thereby impairing the effective discharge of those functions by the relevant individuals (such as undetected errors or any abuse of positions) and thus exposing the Authorised Person or its Customers or users to inappropriate risks.

    • Risk management

      • GEN 3.3.4

        An Authorised Person must establish and maintain risk management systems and controls to enable it to identify, assess, mitigate, control and monitor its risks.

      • GEN 3.3.5

        An Authorised Person must develop, implement and maintain policies and procedures to manage the risks to which the Authorised Person and where applicable, its Customers or users, are exposed.

      • GEN 3.3.6

        (1) An Authorised Person must appoint an individual to advise its Governing Body and senior management of such risks.
        (2) An Authorised Person which is part of a Group should be aware of the implications of any Group wide risk policy and systems and controls regime.

    • Compliance

      • GEN 3.3.7

        An Authorised Person must establish and maintain compliance arrangements, including processes and procedures that ensure and evidence, as far as reasonably practicable, that the Authorised Person complies with all Regulations and Rules.

      • GEN 3.3.8

        An Authorised Person must document the organisation, responsibilities and procedures of the compliance function.

      • GEN 3.3.9

        An Authorised Person must ensure that the Compliance Officer has access to sufficient resources, including an adequate number of competent staff, to perform his duties objectively and independently of operational and business functions.

      • GEN 3.3.10

        An Authorised Person must ensure that the Compliance Officer has unrestricted access to relevant records and to the Authorised Person's Governing Body and senior management.

      • GEN 3.3.11

        An Authorised Person must establish and maintain monitoring and reporting processes and procedures to ensure that any compliance breaches are readily identified, reported and promptly acted upon.

      • GEN 3.3.12

        An Authorised Person must document the monitoring and reporting processes and procedures as well as keep records of breaches of any of the Regulations and Rules.

    • Internal audit

      • GEN 3.3.13

        (1) An Authorised Person must establish and maintain an internal audit function with responsibility for monitoring the appropriateness and effectiveness of its systems and controls.
        (2) The internal audit function must be independent from operational and business functions.

      • GEN 3.3.14

        An Authorised Person must ensure that its internal audit function has unrestricted access to all relevant records and recourse when needed to the Authorised Person's Governing Body or the relevant committee, established by its Governing Body for this purpose.

      • GEN 3.3.15

        An Authorised Person must document the organisation, responsibilities and procedures of the internal audit function.

    • Business plan and strategy

      • GEN 3.3.16

        (1) An Authorised Person must produce a business plan which enables it, amongst other things, to manage the risks to which it and its Customers are exposed.
        (2) The business plan must take into account the Authorised Person's current business activities and the business activities forecast for the next twelve months and, additionally, inform the IRAP and the ICAAP where the Authorised Person is required to undertake them under Chapter 10 of PRU.
        (3) The business plan must be documented and updated as appropriate to take account of changes in the business environment and to reflect changes in and the complexities of the business of the Authorised Person.
        Amended on (3 February, 2020).

    • Management information

      • GEN 3.3.17

        An Authorised Person must establish and maintain arrangements to provide its Governing Body and senior management with the information necessary to organise, monitor and control its activities, to comply with the Regulations and Rules and to manage risks. The information must be relevant, accurate, comprehensive, timely and reliable.

    • Staff and agents

      • GEN 3.3.18

        An Authorised Person must establish and maintain systems and controls that enable it to satisfy itself of the suitability of anyone who acts for it.

      • GEN 3.3.19

        (1) An Authorised Person must ensure, as far as reasonably practical, that its Employees are:
        (a) fit and proper;
        (b) competent and capable of performing the functions which are to be assigned to those Employees; and
        (c) trained in the requirements of the Regulations and Rules.
        (2) An Authorised Person must establish and maintain systems and controls to comply with (1). An Authorised Person must be able to demonstrate that it has complied with these requirements through appropriate measures, including the maintenance of relevant records.

        • Guidance

          1. When considering whether an Employee is fit and proper, competent and capable, an Authorised Person should consider any training undertaken or required by an Employee, the nature of the Clients to whom an Employee provides Regulated Activities, and the type of activities performed by an Employee in the provision of such Regulated Activities including any interface with Clients.
          2. When assessing the fitness and propriety of Employees, an Authorised Person should be guided by the matters set out in the GPM and should also monitor conflicts or potential conflicts of interest arising from all of the individual's links and activities.
          3. When assessing the competence and capability of an Employee, an Authorised Person should:
          a. obtain details of the skills, knowledge and experience of the Employee relevant to the nature and requirements of the role;
          b. take reasonable steps to verify the relevance, accuracy and authenticity of any information obtained;
          c. determine, in light of the Employee's relevant skills, knowledge and experience, that the Employee is competent and capable of fulfilling the duties of the role; and
          d. consider the level of responsibility that the Employee will assume within the Authorised Person, including whether the Employee will be providing Regulated Activities to Retail Clients in an interfacing role.
          4. An Authorised Person should also satisfy itself that an Employee:
          a. continues to be competent and capable of performing the role;
          b. has kept abreast of market, product, technology, legislative and regulatory developments that are relevant to the role, through training or other means; and
          c. is able to apply his knowledge.
          5. Refer to the GPM for criteria for suitability of members of the Governing Body of the Authorised Person.

    • Conduct

      • GEN 3.3.20

        An Authorised Person must establish and maintain systems and controls that ensure, as far as reasonably practical, that the Authorised Person and their Employees do not engage in conduct, or facilitate others to engage in conduct, which may constitute:

        (a) market misconduct; or
        (b) a Financial Crime under any applicable U.A.E. laws.

    • Conflicts of Interest

      • GEN 3.3.21

        An Authorised Person must comply with Principle 7 as outlined in Rule 2.2.7, taking all reasonable steps to identify conflicts of interest between:

        (1) the Authorised Person, including its managers, Employees and Clients, or any person directly or indirectly linked to them by control; or
        (2) one Client of the Authorised Person and another Client,

        that arises or may arise in the course of the Authorised Person providing any Regulated Activities.

      • GEN 3.3.22

        For the purposes of identifying the types of conflict of interest that arise, or may arise, in the course of providing a service and whose existence may entail a material risk of damage to the interests of a Client, an Authorised Person must take into account, as a minimum, whether the Authorised Person or a person directly or indirectly linked by control to the Authorised Person:

        (1) is likely to make a financial gain, or avoid a financial loss, at the expense of the Client;
        (2) has an interest in the outcome of a service provided to the Client or of a Transaction carried out on behalf of the Client, which is distinct from the Client's interest in that outcome;
        (3) has a financial or other incentive to favour the interest of another Client or group of Clients over the interests of the Client;
        (4) carries on the same business as the Client; or
        (5) receives or will receive from a person other than the Client an inducement in relation to a service provided to the Client, in the form of monies, goods or services, other than the standard Commission or Fee for that service.

      • GEN 3.3.23

        If arrangements made by an Authorised Person to manage conflicts of interest in accordance with Principle 7 are not sufficient to ensure, with reasonable confidence, that risks of damage to the interests of a Client will be prevented, the Authorised Person must clearly disclose the general nature and/or sources of conflicts of interest to the Client before undertaking business for the Client.

      • GEN 3.3.24

        The disclosure in Rule 3.3.23 must:

        (1) be made in a durable medium; and
        (2) include sufficient detail, taking into account the nature of the Client, to enable that Client to take an informed decision with respect to the service in the context of which the conflict of interest arises.

    • Information barriers

      • GEN 3.3.25

        When an Authorised Person establishes and Maintains an information barrier (that is, an arrangement that requires information held by an Authorised Person in the course of carrying on one part of the business to be withheld from, or not to be used for, persons with or for whom it acts in the course of carrying on another part of its business) it may:

        (1) withhold or not use the information held; and
        (2) for that purpose, permit persons employed in the first part of its business to withhold the information held from those employed in that other part of the business,

        but only to the extent that the business of one of those parts involves the carrying on of Regulated Activities or ancillary activities.

      • GEN 3.3.26

        Information may also be withheld or not used by an Authorised Person when this is required by an established arrangement Maintained between different parts of the business (of any kind) in the same group. This provision does not affect any requirement to transmit or use information that may arise apart from the rules in COBS.

      • GEN 3.3.27

        For the purposes of this Rule, "Maintains" includes taking reasonable steps to ensure that the arrangements remain effective and are adequately monitored, and must be interpreted accordingly.

      • GEN 3.3.28

        Acting in conformity with Rule 3.3.25 does not amount to Market Abuse.

      • GEN 3.3.29

        When any of the rules of COBS apply to an Authorised Person that acts with knowledge, the Authorised Person will not be taken to act with knowledge for the purposes of that rule if none of the relevant individuals involved on behalf of the Authorised Person acts with that knowledge as a result of arrangements established under Rule 3.3.25.

      • GEN 3.3.30

        When an Authorised Person manages a conflict of interest using the arrangements in Rule 3.3.25 which take the form of an information barrier, individuals on the other side of the wall will not be regarded as being in possession of knowledge denied to them as a result of the information barrier.

    • Outsourcing

      • GEN 3.3.31

        (1) An Authorised Person which outsources any of its functions or activities directly related to Regulated Activities to service providers (including within its Group) is not relieved of its regulatory obligations and remains responsible for compliance with the Regulations and Rules.
        (2) The outsourced function under this Rule shall be deemed as being carried out by the Authorised Person itself.
        (3) An Authorised Person which uses such service providers must ensure that it:
        (a) has undertaken due diligence in choosing suitable service providers;
        (b) effectively supervises the outsourced functions or activities; and
        (c) deals effectively with any act or failure to act by the service provider that leads, or might lead, to a breach of any Regulations or Rules.

      • GEN 3.3.32

        (1) An Authorised Person must inform the Regulator about any material outsourcing arrangements.
        (2) An Authorised Person which has a material outsourcing arrangement must:
        (a) establish and maintain comprehensive outsourcing policies, contingency plans and outsourcing risk management programmes;
        (b) enter into an appropriate and written outsourcing contract; and
        (c) ensure that the outsourcing arrangements neither reduce its ability to fulfil its obligations to Customers and the Regulator, nor hinder supervision of the Authorised Person by the Regulator.
        (3) An Authorised Person must ensure that the terms of its outsourcing contract with each service provider under a material outsourcing arrangement require the service provider to:
        (a) provide for the provision of information under Rule 8.1 in relation to the Authorised Person and access to their business premises; and
        (b) deal in an open and co-operative way with the Regulator.

        • Guidance

          1. An Authorised Person's outsourcing arrangements should include consideration of:
          a. applicable guiding principles for outsourcing in financial services issued by the Basel Committee on Banking Supervision, IOSCO or any other international body promulgating standards for outsourcing by Financial Institutions; or
          b. any equivalent principles or regulations the Authorised Person is subject to in its home country jurisdiction.
          2. An outsourcing arrangement would be considered to be material if it is a service of such importance that weakness or failure of that service would cast serious doubt on the Authorised Person's continuing ability to remain fit and proper or to comply with the Regulator's administered Regulations and Rules.

    • Business continuity and disaster recovery

      • GEN 3.3.33

        (1) An Authorised Person must have in place adequate arrangements to ensure that they can continue to function and meet their obligations under the Regulations and Rules in the event of an unforeseen interruption.
        (2) These arrangements must be kept up to date and regularly tested to ensure their effectiveness.

        • Guidance

          1. In considering the adequacy of an Authorised Person's business continuity arrangements, the Regulator will have regard to the Authorised Person's management of the Specific Risks arising from interruptions to its business including its crisis management and disaster recovery plans.
          2. The Regulator expects an Authorised Person to have:
          a. arrangements which establish and maintain the Authorised Person's physical security and protection for its information systems for business continuity purposes in the event of planned or unplanned information system interruption or other events that impact on its operations;
          b. considered its primary data centres' and business operations' reliance on infrastructure components, for example transportation, telecommunications networks and utilities and made the necessary arrangements to minimise the risk of interruption to its operations by arranging backup of infrastructure components and service providers; and
          c. considered, in its plans for dealing with a major interruption to its primary data centre or business operations, its alternative data centres' and business operations' reliance on infrastructure components and made the necessary arrangements such that these do not rely on the same infrastructure components and the same service provider as the primary data centres and operations.

    • Records

      • GEN 3.3.34

        (1) An Authorised Person must make and retain records of matters and dealings, including Accounting Records and corporate governance practices which are the subject of requirements and standards under the Regulations and Rules.
        (2) Such records, however stored, must be capable of reproduction on paper within a reasonable period not exceeding three Business Days.

      • GEN 3.3.35

        Subject to Rule 3.3.36, the records required by Rule 3.3.34 or by any other Rule in this Rulebook must be maintained by the Authorised Person in the English language.

      • GEN 3.3.36

        If an Authorised Person's records relate to business carried on from an establishment in a country or territory outside the ADGM, an official language of that country or territory may be used instead of the English language as required by Rule 3.3.35.

      • GEN 3.3.37

        An Authorised Person must have systems and controls to fulfil the Authorised Person's legal and regulatory obligations with respect to adequacy, access, period of retention and security of records.

    • Fraud

      • GEN 3.3.38

        An Authorised Person must establish and maintain effective systems and controls to:

        (a) deter and prevent suspected fraud against the Authorised Person; and
        (b) report suspected fraud and other Financial Crimes to the relevant authorities.

      • GEN 3.3.39

        An Authorised Person must ensure that the systems and controls established and maintained in accordance with Rule 3.3.38:

        (1) enable it to identify, assess, monitor and manage Money Laundering Risk; and
        (2) are comprehensive and proportionate to the nature, scale and complexity of its activities.

      • GEN 3.3.40

        In Rule 3.3.39(1), "Money Laundering Risk" is the risk that an Authorised Person may be used to further money laundering. In identifying its Money Laundering Risk and establishing the necessary systems and controls, an Authorised Person should consider a range of factors, including:

        (1) its Customer, product and activity profiles;
        (2) its distribution channels;
        (3) the complexity and volume of its Transactions;
        (4) its processes and systems; and
        (5) its operating environment.

    • Corporate Governance

      • GEN 3.3.41

        (1) An Authorised Person must have a Governing Body and senior management that meet the requirements in (2) and (3) respectively.
        (2) The Governing Body of the Authorised Person must:
        (a) be clearly responsible for setting or approving (or both) the business objectives of the Authorised Person and the strategies for achieving those objectives and for providing effective oversight of the management of the Authorised Person;
        (b) comprise an adequate number and mix of individuals who have, among them, the relevant knowledge, skills, expertise and time commitment necessary to effectively carry out the duties and functions of the Governing Body; and
        (c) have adequate powers and resources, including its own governance practices and procedures, to enable it to discharge those duties and functions effectively.
        (3) The senior management of the Authorised Person must be clearly responsible for the day-to-day management of the Authorised Person's business in accordance with the business objectives and strategies approved or set by the Governing Body.

        • Guidance

          • Scope of corporate governance

            1. Corporate governance is a framework of systems, policies, procedures and controls through which an entity:
            a. promotes the sound and prudent management of its business;
            b. protects the interests of its Customers and stakeholders; and
            c. places clear responsibility for achieving Rule 3.3.41(2)(a) and (3) on the Governing Body and its members and the senior management of the Authorised Person.
            2. Many requirements designed to ensure sound corporate governance of companies, such as those relating to shareholder and minority protection and responsibilities of the Board of Directors of companies, are found in the company laws and apply to Authorised Persons. Additional disclosure requirements also apply if they are listed companies. The requirements in this Rulebook are tailored to Authorised Persons and are designed to augment and not to exclude the application of those requirements.
            3. Whilst Rule 3.3.41 deals with two aspects of corporate governance, the requirements included in other provisions under Rules 3.2 and 3.3 also go to the heart of sound corporate governance by promoting prudent and sound management of the Authorised Person's business in the interest of its Customers and stakeholders. These requirements together are designed to promote sound corporate governance practices in Authorised Persons whilst also providing a greater degree of flexibility for Authorised Persons in establishing and implementing a corporate governance framework that is both appropriate and practicable to suit their operations.
            4. Stakeholder groups of an Authorised Person, who would benefit from the sound and prudent management of Authorised Persons, can be varied but generally encompass its owners (e.g. its shareholders), Customers, creditors, Counterparties and Employees, whose interests may not necessarily be mutually coextensive. A key objective in enhancing corporate governance standards applicable to Authorised Persons is to ensure that they are soundly and prudently managed, with the primary regard being had to its Customers.
            Amended on (3 February, 2020).

          • Proportionate application to Authorised Persons depending on the nature of their business

            5. One of the key considerations that underpins how the corporate governance requirements set out in Rule 3.3.41 apply to an Authorised Person is the nature, scale and complexity of the Authorised Person's business, and its organisational structure.
            6. While requiring Banks, Insurers and dealers to have more detailed and complex corporate governance systems and controls, simpler systems and procedures could be required for other Authorised Persons, depending on the nature and scale of their Regulated Activities. For example, in the case of certain types of Category 4 Regulated Activity providers such as arranging or advising only Authorised Persons, less extensive and simpler corporate governance systems and procedures may be sufficient to meet their corporate governance obligations.
            7. For example, an Authorised Person which is a small scale operation with a tightly held ownership structure may not have a Governing Body which comprises members who are fully independent of the Authorised Person's business and from each other, nor be sufficiently large to be able to form numerous committees of the Governing Body to undertake various functions such as nomination and Remuneration. In such cases, whilst strict adherence to such aspects of best practice would not be required, overall measures as appropriate to achieve the sound and prudent management of the business would be needed. For example, an Authorised Person with no regulatory track record would be expected to have additional corporate governance controls in place to ensure the sound and prudent management of its business, such as the appointment of an independent Director (who has relevant regulatory experience) to its Governing Body.

          • Application to Branches and Groups

            8. As part of the flexible and proportionate application of corporate governance standards to Authorised Persons, whether an Authorised Person is a Branch or a Subsidiary within a Group is also taken into account. An Authorised Person which is a member of a Group may, instead of developing its own corporate governance policies, adopt Group-wide corporate governance standards. However, the Governing Body of the Authorised Person should consider whether those standards are appropriate for the Authorised Person, and to the extent possible, make any changes as necessary.
            9. In the case of a Branch, corporate governance practices adopted at the head office would generally apply to the Branch and are expected to be adequate. The Regulator considers, as part of its authorisation of a Branch and on-going supervision, the adequacy of regulatory and supervisory arrangements applicable in the home jurisdiction, including a corporate governance framework adopted and implemented by the head office (see the GPM).

          • Best practice relating to corporate governance

            10. In addition to the considerations noted above, best practice that an Authorised Person may adopt to achieve compliance with the applicable corporate governance standards is set out in Guidance at Appendix 1.1. An Authorised Person may, where the best practice set out in Appendix 1.1 is not suited to its particular business or structure, deviate from such best practice or any aspects thereof. The Regulator will expect the Authorised Person to demonstrate to the Regulator, upon request, what the deviations are and why such deviations are considered by the Authorised Person to be appropriate.

    • Remuneration structure and strategies

      • GEN 3.3.42

        (1) The Governing Body of an Authorised Person must ensure that the Remuneration structure and strategy of that Authorised Person:
        (a) are consistent with the business objectives and strategies and the identified risk parameters within which the Authorised Person's business is to be conducted;
        (b) provide for effective alignment of risk outcomes and the roles and functions of the Employees, taking account of:
        (i) the nature of the roles and functions of the relevant Employees; and
        (ii) whether the actions of the Employees may expose the Authorised Person to unacceptable financial, reputational and other risks;
        (c) at a minimum, include the members of its Governing Body, the senior management, Persons Undertaking Key Control Functions and any Major Risk-Taking Employees; and
        (d) are implemented and monitored to ensure that they operate, on an on-going basis, effectively and as intended.
        (2) The Governing Body must provide to the Regulator and relevant stakeholders sufficient information about its Remuneration structure and strategies to demonstrate that such structure and strategies meet the requirements in (1) on an on-going basis.
        (3) For the purposes of this Rule, "Major Risk-Taking Employees" are Employees whose actions have a material impact on the risk exposure of the Authorised Person.

        • Guidance

          • Proportionate application to Authorised Persons depending on the nature of their business

            1. Those considerations set out in Guidance items 5 — 7 under Rule 3.3.41 apply equally to the way in which the Remuneration structure and strategies related requirement in Rule 3.3.42 is designed to apply to an Authorised Person. Accordingly, whilst most Category 4 Authorised Persons may have simple arrangements to achieve the outcome of aligning performance outcomes and risks associated with Remuneration structure and strategies, Banks, Insurers and dealers are expected to have more stringent measures to address such risks.

          • Application to Branches and Groups

            2. As part of the flexible and proportionate application of corporate governance standards to Authorised Persons, whether an Authorised Person is a Branch or a Subsidiary within a Group is also taken into account. As such, the considerations noted in Guidance items 8 — 9 under Rule 3.3.41 apply equally to the application of the Remuneration related requirements for Branches and Groups. For example, where an Authorised Person is a member of a Group, its Governing Body should consider whether the Group wide policies, such as those relating to the Employees covered under the Remuneration strategy and the disclosure relating to Remuneration made at the Group level are adequate to meet its obligations under Rule 3.3.42.

          • Best practice relating to corporate governance

            3. In addition to the considerations noted above, best practice that an Authorised Person may adopt to promote sound Remuneration structure and strategies within the Authorised Person is set out as Guidance at Appendix 1.2. Where such best practice or any aspects thereof are not suited to a particular Authorised Person's business or structure, it may deviate from such best practice. The Regulator will expect the Authorised Person to demonstrate, upon request, what the deviations are and why such deviations are considered appropriate.

          • Disclosure of information relating to Remuneration structure and strategy

            4. The information which an Authorised Person provides to the Regulator relating to its Remuneration structure and strategies should be included in the annual report or accounting statements. The Regulator expects the annual report of Authorised Persons to include, at a minimum, information relating to:
            a. the decision making process used to determine the Authorised Person-wide Remuneration policy (such as by a Remuneration committee or an external consultant if any, or by the Governing Body);
            b. the most important elements of its Remuneration structure (such as, in the case of performance based Remuneration, the link between pay and performance and the relevant assessment criteria); and
            c. aggregate quantitative information on Remuneration of its Governing Body, the senior management, Persons Undertaking Key Control Functions and any Major Risk-Taking Employees.
            5. The Regulator may, pursuant to its supervisory powers, require additional information relating to the Remuneration structure and strategy of an Authorised Person to assess whether the general elements relating to Remuneration under Rule 3.3.42(1) are met by the Authorised Person. Any significant changes to the Remuneration structure and strategy should also be notified to the Regulator before being implemented.
            6. The information included in the annual report is made available to the Regulator and the shareholders, and in the case of a listed company, to the public. The Governing Body of the Authorised Person should also consider what additional information should be included in the annual report. In the case of Banks, Insurers and dealers, more detailed disclosure of Remuneration structure and strategy and its impact on the financial soundness of the Authorised Person would be required. When providing disclosure relating to Remuneration in its annual report, Authorised Persons should take account of the legal obligations that apply to them including the confidentiality of information obligations.