(1) An Authorised Person in Category 1, 2, 3A or 5 must implement and maintain a Market Risk policy which enables it to identify, assess, control and monitor Market Risk.
(2) The policy must be documented and include the Authorised Person's risk appetite and how it identifies, assesses, mitigates, controls and monitors that risk.
(3) An Authorised Person must:
(a) ensure that its risk management systems enable it to implement the Market Risk policy;
(b) identify, assess, mitigate, control and monitor its Market Risk; and
(c) review and update the policy at intervals that are appropriate to the nature, scale and complexity of its activities.