GEN 3.3.37

An Authorised Person must have systems and controls to fulfil the Authorised Person's legal and regulatory obligations with respect to adequacy, access, period of retention and security of records.