GEN 5 Management, Systems and Controls
GEN 5.1 Application
GEN 5.1.1
(1) Subject to (5), this chapter applies to every Authorised Person with respect to the Financial Services carried on in or from the DIFC.
(2) It also applies in a Prudential Context to a Domestic Firm with respect to all its activities wherever they are carried on.
(3) GEN Section 5.3 also applies to an Authorised Firm in a Prudential Context with respect to its entire DIFC branch's activities wherever they are carried on.
(4) This chapter also applies to an Authorised Market Institution, if it has an endorsed Licence authorising it to maintain an Official List of Securities, with respect to such maintenance.
(5) GEN Rules 5.3.13, 5.3.14, 5.3.15, 5.3.23, 5.3.24, 5.3.30 and 5.3.31 do not apply to an Authorised ISPV.
(6) This chapter does not apply to a Representative Office.
Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
[Amended] DFSA RM19/2005 (as from 19th April 2005). [VER3/04-05]
[Amended] DFSA RM48/2007 (Made 1st October 2007). [VER16/10-07]
[Amended] DFSA RM68/2009 (Made 3rd January 2010). [VER24/01-10]
[Amended] DFSA RM95/2012 (Made 14th June 2012). [VER29/06-12]
GEN 5.1.1 Guidance
1. The purpose of this chapter is to set out the requirements for the Governing Body and the senior management within an Authorised Person who are to take direct responsibility for the Authorised Person's arrangements on matters likely to be of interest to the DFSA wherever they may give rise to risks to the DFSA's objectives or they affect the DFSA's functions under the legislation applicable in the DIFC. See also the requirements relating to organisation in Rules 5.3.2 and 22.214.171.124. In relation to an Authorised Market Institution, this chapter should be read in conjunction with the AMI module.
3. In relation to an Authorised Firm which is a Fund Manager or the Trustee, this chapter should be read in conjunction with the CIR module and construed to take into account any Fund which the Authorised Firm operates or for which it acts as the Trustee.
4. In relation to an Authorised Person which carries on Islamic Financial Business in or from the DIFC, this chapter should be read in conjunction with the IFR module.
Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
[Amended] DFSA RM19/2005 (as from 19th April 2005). [VER3/04-05]
[Amended] DFSA RM72/2010 (Made 11th July 2010) [VER26/07-10]
[Amended] DFSA RM95/2012 (Made 14th June 2012). [VER29/06-12]
[Amended] DFSA RM105/2012 (Made 23rd December 2012). [VER32/12-12]
GEN 5.2 Allocation of significant responsibilities
Apportionment of significant responsibilities
An Authorised Person must apportion significant responsibilities between the members of its Governing Body and its senior management and maintain such apportionment in such a way that:
(a) it meets the corporate governance requirements in Rule 5.3.30;
(b) it is appropriate with regard to:
(i) the nature, scale and complexity of the business of the Authorised Person; and
(ii) the ability and qualifications of the responsible individuals;
(c) it is clear who is responsible for which matters; and
(d) the business of the Authorised Person can be adequately monitored and controlled by the Authorised Person's Governing Body and senior management.
GEN 5.2.2
An Authorised Person must allocate to the Senior Executive Officer or to the individual holding equivalent responsibility for the conduct for the Authorised Person's business or the Governing Body, the functions of:
(a) dealing with the apportionment of responsibilities; and
(b) overseeing the establishment and maintenance of systems and controls.
Recording of apportionment
GEN 5.2.3
(1) An Authorised Person must establish and maintain an up-to-date record of the arrangements it has made to comply with Rules GEN 5.2.1 and GEN 5.2.2.
(2) The record must show that the members of the Governing Body and the senior management are aware of and have accepted the responsibilities apportioned in accordance with GEN Rule 5.2.1.
(3) Where a responsibility has been allocated to more than one individual, the record must show clearly how that responsibility is allocated between the individuals.
(4) The record must be retained for six years from the date on which it was established or superseded by a more up-to-date record.
GEN 5.3 Systems and controls
GEN 5.3.1
(1) An Authorised Person must establish and maintain systems and controls, including but not limited to financial and risk systems and controls, that ensure that its affairs are managed effectively and responsibly by its senior management.
(2) An Authorised Person must undertake regular reviews of its systems and controls.
GEN 5.3.1 Guidance
The nature and extent of the systems and controls of an Authorised Person will depend upon a variety of factors including the nature, scale and complexity of its business. While all Authorised Persons, irrespective of the nature, scale, and complexity of their business and legal structure or organisation need to comply with this chapter, the DFSA will take into account these factors and the differences that exist between Authorised Persons when assessing the adequacy of an Authorised Person's systems and controls. Nevertheless, neither these factors nor the differences relieve an Authorised Person from compliance with its regulatory obligations.
GEN 5.3.2
(1) An Authorised Person must establish and implement, taking due account of the nature, scale and complexity of its business and structure, adequate measures to ensure that:
(a) the roles and responsibilities assigned to its Governing Body and the members of that body, senior management and Persons Undertaking Key Control Functions are clearly defined;
(b) there are clear reporting lines applicable to the individuals undertaking those functions; and
(c) the roles, responsibilities and reporting lines referred to in (a) and (b), are documented and communicated to all relevant Employees.
(2) An Authorised Firm must ensure that any Employee who will be delivering Financial Services to its customers is clearly identified, together with his respective lines of accountability and supervision.
(3) An Authorised Firm which is conducting Investment Business or the Financial Services of Providing Fund Administration or Providing Trust Services, must ensure it makes publicly available details of any Employee who delivers Financial Services to its customers, by including such information:
(a) in a register, maintained by the Authorised Firm at its place of business and open for inspection during business hours; or
(b) on the website of the Authorised Firm.
(4) An Authorised Firm referred to in (3), must have complete and up to date information on its register or website, including:
(a) the date on which the relevant Employee commenced delivering of Financial Services to customers; and
(b) the Financial Services which that Employee is permitted by the Authorised Firm to deliver to customers.
GEN 5.3.2 Guidance
1. The term Employee is defined in the GLO widely and includes members of the Governing Body or directors and senior managers of the Authorised Firm. Therefore, the requirements relating to Employees in Rules 5.3.3 and 5.3.6 apply to all Employees including those across the organisation.
2. The division of responsibilities between the Governing Body and the senior management should be clearly established and set out in writing. In assigning duties, the Governing Body should take care that no one individual has unfettered powers in making material decisions.
3. Members of the Governing Body may include individuals undertaking senior management functions (such as the chief executive of the firm) and Persons Undertaking Key Control Functions. In assigning specific functions to such individuals, care should be taken to ensure that the integrity and effectiveness of the functions they are to perform are not compromised. For example, if the Chairperson of the Governing Body is also the chief executive officer of the Authorised Person, the Governing Body should ensure that the performance assessment of that individual in his roles should be undertaken by a senior non-executive member of the Governing Body or an independent external consultant.
4. Persons Undertaking Key Control Functions are defined in GLO in an inclusive manner to encompass Persons such as the heads of risk control, compliance and internal audit functions. In the case of an Insurer, the actuary also is a Person who Undertakes a Key Control Function.
5. An example of an Employee providing Financial Services to a customer is a client relationship manager employed by an Authorised Firm providing wealth management services. In contrast, an Employee who may be employed in the back office of an Authorised Firm with responsibility for setting up client accounts would not be client facing.
An Authorised Person must ensure that key duties and functions are segregated. Such segregation must ensure that the duties and functions to be performed by the same individual do not conflict with each other, thereby impairing the effective discharge of those functions by the relevant individuals (such as undetected errors or any abuse of positions) and thus exposing the Authorised Person or its customers or users to inappropriate risks.
[Added] DFSA RM96/2012 (Made 24th July 2012) [VER30/07-12]
An Authorised Person must establish and maintain risk management systems and controls to enable it to identify, assess, mitigate, control and monitor its risks.
An Authorised Person must develop, implement and maintain policies and procedures to manage the risks to which the Authorised Person and where applicable, its customers or users, are exposed.
GEN 5.3.6
(1) An Authorised Person must appoint an individual to advise its Governing Body and senior management of such risks.
(2) An Authorised Person which is part of a Group should be aware of the implications of any Group wide risk policy and systems and controls regime.
An Authorised Person must establish and maintain compliance arrangements, including processes and procedures that ensure and evidence, as far as reasonably practicable, that the Authorised Person complies with all legislation applicable in the DIFC.
An Authorised Person must document the organisation, responsibilities and procedures of the compliance function.
An Authorised Person must ensure that the Compliance Officer has access to sufficient resources, including an adequate number of competent staff, to perform his duties objectively and independently of operational and business functions.
An Authorised Person must ensure that the Compliance Officer has unrestricted access to relevant records and to the Authorised Person's Governing Body and senior management.
An Authorised Person must establish and maintain monitoring and reporting processes and procedures to ensure that any compliance breaches are readily identified, reported and promptly acted upon.
GEN 5.3.12
An Authorised Person must document the monitoring and reporting processes and procedures as well as keep records of breaches of any of legislation applicable in the DIFC.
GEN 5.3.13
(1) An Authorised Person must establish and maintain an internal audit function with responsibility for monitoring the appropriateness and effectiveness of its systems and controls.
(2) The internal audit function must be independent from operational and business functions.
(3) An Authorised Firm is not required to have an internal audit function if the only Financial Service it carries on is Managing a Venture Capital Fund.
Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
[Amended] DFSA RM278/2020 (Made 28th October 2020) [VER49/11-20].
An Authorised Person must ensure that its internal audit function has unrestricted access to all relevant records and recourse when needed to the Authorised Person's Governing Body or the relevant committee, established by its Governing Body for this purpose.
An Authorised Person must document the organisation, responsibilities and procedures of the internal audit function.
Business plan and strategy
GEN 5.3.16
(1) An Authorised Person must produce a business plan which enables it, amongst other things, to manage the risks to which it and its customers are exposed.
(2) The business plan must take into account the Authorised Person's current business activities and the business activities forecast for the next twelve months.
(3) The business plan must be documented and updated as appropriate to take account of changes in the business environment and to reflect changes in the business of the Authorised Person.
An Authorised Person must establish and maintain arrangements to provide its Governing Body and senior management with the information necessary to organise, monitor and control its activities, to comply with legislation applicable in the DIFC and to manage risks. The information must be relevant, accurate, comprehensive, timely and reliable.
Staff and agents
An Authorised Person must establish and maintain systems and controls that enable it to satisfy itself of the suitability of anyone who acts for it.
GEN 5.3.19
(1) An Authorised Firm must ensure, as far as reasonably practical, that its Employees are:
(a) fit and proper;
(b) competent and capable of performing the functions which are to be assigned to those Employees; and
(c) trained in the requirements of the legislation applicable in the DIFC.
(2) An Authorised Firm must establish and maintain systems and controls to comply with (1). An Authorised Firm must be able to demonstrate that it has complied with these requirements through appropriate measures, including the maintenance of relevant records.
GEN 5.3.19 Guidance
1. When considering whether an Employee is fit and proper, competent and capable, an Authorised Firm should consider any training undertaken or required by an Employee, the nature of the Clients to whom an Employee provides Financial Services, and the type of activities performed by an Employee in the provision of such Financial Services including any interface with Clients.
2. When assessing the fitness and propriety of Employees, an Authorised Firm should be guided by the matters set out in section 2.3 of the RPP Sourcebook and should also monitor conflicts or potential conflicts of interest arising from all of the individual's links and activities.
3. When assessing the competence and capability of an Authorised Firm should:
a. obtain details of the skills, knowledge and experience of the Employee relevant to the nature and requirements of the role;
b. take reasonable steps to verify the relevance, accuracy and authenticity of any information obtained;
c. determine, in light of the Employee's relevant skills, knowledge and experience, that the Employee is competent and capable of fulfilling the duties of the role; and
d. consider the level of responsibility that the Employee will assume within the Authorised Firm, including whether the Employee will be providing Financial Services to Retail Clients in an interfacing role.
4. An Authorised Firm should also satisfy itself that an Employee:
a. continues to be competent and capable of performing the role;
b. has kept abreast of market, product, technology, legislative and regulatory developments that are relevant to the role, through training or other means; and
c. is able to apply his knowledge.
5. Refer to section 2.2.13 of the RPP Sourcebook for criteria for suitability of members of the Governing Body of the Authorised Firm.
Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
[Amended] DFSA RM56/2008 (Made 1st July 2008). [VER19/07-08]
Amended in accordance with Notice of Amendments to Legislation April 2011 [VER27/02-11]
[Amended] DFSA RM95/2012 (Made 14th June 2012). [VER29/06-12]
Continuing Professional Development
GEN 5.3.19A
(1) An Authorised Firm must ensure that an Employee who falls within a category specified in (2) remains competent by completing a minimum of 15 hours of continuing professional development (CPD) in each calendar year.
(2) The categories of Employees specified for the purposes of (1) are:
(a) the Senior Executive Officer;
(b) the Compliance Officer; and
(c) the Money Laundering Reporting Officer.
(3) An Authorised Firm must ensure that:
(a) the CPD in (1) is relevant to the Employee’s:
(i) current role and any anticipated change in that role; and
(ii) professional skill and knowledge;
(b) the CPD consists of structured activities; and
(c) the Employee keeps adequate records of CPD activities to be able to demonstrate that the requirements in this Rule have been met.
(4) In (3), “structured activities” means courses, seminars, lectures, conferences, workshops, web-based seminars or e-learning which require a commitment of thirty minutes or more.
GEN 5.3.19A Guidance
(1) The requirement in Rule 5.3.19A does not derogate from the requirement in Rule 5.3.19 for an Authorised Firm to ensure that Employees generally are competent and capable of performing their functions. This requires the Authorised Firm to consider what training is undertaken or required for all Employees, including Employees not covered by this Rule.
(2) The structured activities that are completed as CPD may consist of activities conducted internally or externally, and may include activities conducted by a professional body.
GEN 5.3.20
An Authorised Person must establish and maintain systems and controls that ensure, as far as reasonably practical, that the Authorised Person and its Employees do not engage in conduct, or facilitate others to engage in conduct, which may constitute:
(a) market abuse, whether in the DIFC or elsewhere; or
(b) a financial crime under any applicable U.A.E. laws.
GEN 5.3.20 Guidance [Deleted]
[Deleted] DFSA RM95/2012 (Made 14th June 2012). [VER29/06-12]
GEN 5.3.21
(1) An Authorised Person which outsources any of its functions or activities directly related to Financial Services to service providers (including within its Group) is not relieved of its regulatory obligations and remains responsible for compliance with legislation applicable in the DIFC.
(2) The outsourced function under this Rule shall be deemed as being carried out by the Authorised Person itself.
(3) An Authorised Person which uses such third party providers must ensure that it:
(a) has undertaken due diligence in choosing suitable service providers;
(b) effectively supervises the outsourced functions or activities; and
(c) deals effectively with any act or failure to act by the service provider that leads, or might lead, to a breach of any legislation applicable in the DIFC.
GEN 5.3.21 Guidance
Deleted in accordance with Notice of Amendments to Legislation April 2011 [VER27/02-11]
GEN 5.3.22
(1) An Authorised Person must inform the DFSA about any material outsourcing arrangements.
(2) An Authorised Person which has a material outsourcing arrangement must:
(a) establish and maintain comprehensive outsourcing policies, contingency plans and outsourcing risk management programmes;
(b) enter into an appropriate and written outsourcing contract; and
(c) ensure that the outsourcing arrangements neither reduce its ability to fulfil its obligations to customers and the DFSA, nor hinder supervision of the Authorised Person by the DFSA.
(3) An Authorised Person must ensure that the terms of its outsourcing contract with each service provider under a material outsourcing arrangement require the service provider to:
(a) provide for the provision of information under section 11.1 in relation to the Authorised Person and access to their business premises; and
(b) deal in an open and co-operative way with the DFSA.
GEN 5.3.22 Guidance
1. An Authorised Person's outsourcing arrangements should include consideration of:
a. applicable guiding principles for outsourcing in financial services issued by the Joint Forum; or
b. any equivalent principles or regulations the Authorised Person is subject to in its home country jurisdiction.
2. An outsourcing arrangement would be considered to be material if it is a service of such importance that weakness or failure of that service would cast serious doubt on the Authorised Person's continuing ability to remain fit and proper or to comply with DFSA administered Laws and Rules.
Derived from Notice of Amendments to Legislation April 2011 [VER27/02-11]
Business continuity and disaster recovery
GEN 5.3.23
(1) An Authorised Person must have in place adequate arrangements to ensure that it can continue to function and meet its obligations under the legislation applicable in the DIFC in the event of an unforeseen interruption.
(2) These arrangements must be kept up to date and regularly tested to ensure their effectiveness.
GEN 5.3.23 Guidance
1. In considering the adequacy of an Authorised Person's business continuity arrangements, the DFSA will have regard to the Authorised Person's management of the specific risks arising from interruptions to its business including its crisis management and disaster recovery plans.
2. The DFSA expects an Authorised Person to have:
a. arrangements which establish and maintain the Authorised Person's physical security and protection for its information systems for business continuity purposes in the event of planned or unplanned information system interruption or other events that impact on its operations;
b. considered its primary data centres' and business operations' reliance on infrastructure components, for example transportation, telecommunications networks and utilities and made the necessary arrangements to minimise the risk of interruption to its operations by arranging backup of infrastructure components and service providers; and
c. considered, in its plans for dealing with a major interruption to its primary data centre or business operations, its alternative data centres' and business operations' reliance on infrastructure components and made the necessary arrangements such that these do not rely on the same infrastructure components and the same service provider as the primary data centres and operations.
GEN 5.3.24 [Deleted]
GEN 5.3.24
(1) An Authorised Person must make and retain records of matters and dealings, including Accounting Records and corporate governance practices which are the subject of requirements and standards under the legislation applicable in the DIFC.
(2) Such records, however stored, must be capable of reproduction on paper within a reasonable period not exceeding 3 business days.
Authorised Person's records relate to business carried on from an establishment in a territory outside the DIFC, an official language of that territory may be used instead of the English language as required by GEN Rule 5.3.25.
An Authorised Person must have systems and controls to fulfil the Authorised Person's legal and regulatory obligations with respect to adequacy, access, period of retention and security of records.
An Authorised Person must establish and maintain effective systems and controls to:
(a) deter and prevent suspected fraud against the Authorised Person; and
(b) report suspected fraud and other financial crimes to the relevant authorities.
GEN 5.3.29 [Deleted]
GEN 5.3.29 Guidance [Deleted]
GEN 5.3.30
(1) An Authorised Person must have a Governing Body and senior management that meet the requirements in (2) and (3) respectively.
(2) The Governing Body of the Authorised Person must:
(a) be clearly responsible for setting or approving (or both) the business objectives of the firm and the strategies for achieving those objectives and for providing effective oversight of the management of the firm;
(b) comprise an adequate number and mix of individuals who have, among them, the relevant knowledge, skills, expertise and time commitment necessary to effectively carry out the duties and functions of the Governing Body; and
(c) have adequate powers and resources, including its own governance practices and procedures, to enable it to discharge those duties and functions effectively.
(3) The senior management of the Authorised Person must be clearly responsible for the day-to-day management of the firm's business in accordance with the business objectives and strategies approved or set by the Governing Body.
GEN 5.3.30 Guidance
Scope of corporate governance
1. Corporate governance is a framework of systems, policies, procedures and controls through which an entity:
a. promotes the sound and prudent management of its business;
b. protects the interests of its customers and stakeholders; and
c. places clear responsibility for achieving (a) and (b) on the Governing Body and its members and the senior management of the Authorised Person.
2. Many requirements designed to ensure sound corporate governance of companies, such as those relating to shareholder and minority protection and responsibilities of the Board of Directors of companies, are found in the company laws and apply to Authorised Persons. Additional disclosure requirements also apply if they are listed companies. The requirements in this Module are tailored to Authorised Persons and are designed to augment and not to exclude the application of those requirements.
3. Whilst Rule 5.3.30 deals with two aspects of corporate governance, the requirements included in other provisions under sections 5.2 and 5.3 also go to the heart of sound corporate governance by promoting prudent and sound management of the Authorised Person's business in the interest of its customers and stakeholders. These requirements together are designed to promote sound corporate governance practices in Authorised Persons whilst also providing a greater degree of flexibility for Authorised Persons in establishing and implementing a corporate governance framework that is both appropriate and practicable to suit their operations.
4. Stakeholder groups of an Authorised Person, who would benefit from the sound and prudent management of firms, can be varied but generally encompass its owners (shareholders), customers (in the case of an AMI, its members and investors), creditors, counterparties and employees, whose interests may not necessarily be mutually coextensive. A key objective in enhancing corporate governance standards applicable to Authorised Persons is to ensure that firms are soundly and prudently managed, with the primary regard being had to its customers.
Proportionate application to firms depending on the nature of their business
5. One of the key considerations that underpins how the corporate governance requirements set out in Rule 5.3.30 apply to an Authorised Person is the nature, scale and complexity of the Authorised Person's business, and its organisational structure.
6. While requiring banks, insurers and dealers to have more detailed and complex corporate governance systems and controls, simpler systems and procedures could be required for other firms, depending on the nature and scale of their Financial Services. For example, in the case of certain types of Category 4 Financial Service providers such as arranging or advising only firms, less extensive and simpler corporate governance systems and procedures may be sufficient to meet their corporate governance obligations.
7. For example, an Authorised Person which is a small scale operation with a tightly held ownership structure may not have a Governing Body which comprises members who are fully independent of the firm's business and from each other, nor be sufficiently large to be able to form numerous committees of the Governing Body to undertake various functions such as nomination and remuneration. In such cases, whilst strict adherence to such aspects of best practice would not be required, overall measures as appropriate to achieve the sound and prudent management of the business would be needed. For example, a firm with no regulatory track record would be expected to have additional corporate governance controls in place to ensure the sound and prudent management of its business, such as the appointment of an independent director (who has relevant regulatory experience) to its Governing Body.
Application to Branches and Groups
8. As part of the flexible and proportionate application of corporate governance standards to firms, whether a firm is a Branch or a subsidiary within a Group is also taken into account. An Authorised Person which is a member of a Group may, instead of developing its own corporate governance policies, adopt group-wide corporate governance standards. However, the Governing Body of the Authorised Person should consider whether those standards are appropriate for the firm, and to the extent possible, make any changes as necessary.
9. In the case of a Branch, corporate governance practices adopted at the head office would generally apply to the Branch and are expected to be adequate. The DFSA considers, as part of its authorisation of a Branch and on-going supervision, the adequacy of regulatory and supervisory arrangements applicable in the home jurisdiction, including a corporate governance framework adopted and implemented by the head office (see section 3.2.15 of the RPP Sourcebook).
Best practice relating to corporate governance
10. In addition to the considerations noted above, best practice that an Authorised Person may adopt to achieve compliance with the applicable corporate governance standards is set out in Guidance at Appendix 3.1. An Authorised Person may, where the best practice set out in App3.1 is not suited to its particular business or structure, deviate from such best practice or any aspects thereof. The DFSA will expect the Authorised Person to demonstrate to the DFSA, upon request, what the deviations are and why such deviations are considered by the Authorised Person to be appropriate.
Remuneration structure and strategies
GEN 5.3.31
(1) The Governing Body of an Authorised Person must ensure that the remuneration structure and strategy of the firm:
(a) are consistent with the business objectives and strategies and the identified risk parameters within which the firm's business is to be conducted;
(b) provide for effective alignment of risk outcomes and the roles and functions of the Employees, taking account of:
(i) the nature of the roles and functions of the relevant Employees; and
(ii) whether the actions of the Employees may expose the firm to unacceptable financial, reputational and other risks;
(c) at a minimum, include the members of its Governing Body, the senior management, Persons Undertaking Key Control Functions and any major risk-taking Employees; and
(d) are implemented and monitored to ensure that they operate, on an on-going basis, effectively and as intended.
(2) The Governing Body must provide to the DFSA and relevant stakeholders sufficient information about its remuneration structure and strategies to demonstrate that such structure and strategies meet the requirements in (1) on an on-going basis.
(3) For the purposes of this Rule, "major risk-taking Employees" are Employees whose actions have a material impact on the risk exposure of the Authorised Person.
GEN 5.3.31 Guidance
Proportionate application to firms depending on the nature of their business
1. Those considerations set out in Guidance items 5 – 7 under Rule 5.3.30 apply equally to the way in which the remuneration structure and strategies related requirement in Rule 5.3.31 is designed to apply to an Authorised Person. Accordingly, whilst most Category 4 firms may have simple arrangements to achieve the outcome of aligning performance outcomes and risks associated with remuneration structure and strategies, banks, insurers and dealers are expected to have more stringent measures to address such risks.
Application to Branches and Groups
2. As part of the flexible and proportionate application of corporate governance standards to firms, whether a firm is a Branch or a subsidiary within a Group is also taken into account. As such, the considerations noted in Guidance items 8 – 9 under Rule 5.3.30 apply equally to the application of the remuneration related requirements for Branches and Groups. For example, where an Authorised Person is a member of a Group, its Governing Body should consider whether the Group wide policies, such as those relating to the Employees covered under the remuneration strategy and the disclosure relating to remuneration made at the Group level are adequate to meet its obligations under Rule 5.3.31.
Best practice relating to corporate governance
3. In addition to the considerations noted above, best practice that an Authorised Person may adopt to promote sound remuneration structure and strategies within the firm is set out as Guidance at Appendix 3.2. Where such best practice or any aspects thereof are not suited to a particular Authorised Person's business or structure, it may deviate from such best practice. The DFSA will expect the Authorised Person to demonstrate, upon request, what the deviations are and why such deviations are considered appropriate.
Disclosure of information relating to remuneration structure and strategy
4. The information which an Authorised Person provides to the DFSA relating to its remuneration structure and strategies should be included in the annual report or accounting statements. The DFSA expects the annual report of Authorised Persons to include, at a minimum, information relating to:
a. the decision making process used to determine the firm-wide remuneration policy (such as by a remuneration committee or an external consultant if any, or by the Governing Body);
b. the most important elements of its remuneration structure (such as, in the case of performance based remuneration, the link between pay and performance and the relevant assessment criteria); and
c. aggregate quantitative information on remuneration of its Governing Body, the senior management, Persons Undertaking Key Control Functions and any major risk-taking Employees.
5. The DFSA may, pursuant to its supervisory powers, require additional information relating to the remuneration structure and strategy of an Authorised Firm to assess whether the general elements relating to remuneration under Rule 5.3.31(1) are met by the firm. Any significant changes to the remuneration structure and strategy should also be notified to the DFSA before being implemented. See Rule 126.96.36.199. The information included in the annual report is made available to the DFSA and the shareholders, and in the case of a listed company, to the public. The Governing Body of the Authorised Person should also consider what additional information should be included in the annual report. In the case of banks, insurers and dealers, more detailed disclosure of remuneration structure and strategy and its impact on the financial soundness of the firm would be required. When providing disclosure relating to remuneration in its annual report, Authorised Persons should take account of the legal obligations that apply to the firm including the confidentiality of information obligations.
GEN 5.4 Whistleblowing
In this section:
(a) “money laundering” has the meaning given in Article 70(2)(b) of the Regulatory Law;
(b) “regulatory concern”, in relation to an Authorised Person, means a concern held by any person that the Authorised Person, an officer or employee of the Authorised Person, an Affiliate of the Authorised Person or an officer or employee of an Affiliate of the Authorised Person has or may have:
(i) contravened a provision of legislation administered by the DFSA; or
(ii) engaged in money laundering, fraud or any other financial crime;
(c) “whistleblower” means a person who reports a regulatory concern to a person specified in Article 68A(3) of the Regulatory Law.
Policies and procedures
GEN 5.4.2
(1) An Authorised Person must have appropriate and effective policies and procedures in place:
(a) to facilitate the reporting of regulatory concerns by whistleblowers; and
(b) to assess and, where appropriate, escalate regulatory concerns reported to it.
(2) The policies and procedures required under (1) must be in writing.
(3) An Authorised Person must periodically review the policies and procedures to ensure they are appropriate, effective and up to date.
Record of whistleblowing reports
GEN 5.4.3
An Authorised Person must maintain a written record of each regulatory concern reported to it by a whistleblower, including appropriate details of the regulatory concern and the outcome of its assessment of the reported concern.
GEN 5.4.3 Guidance
1. The DFSA expects an Authorised Person to implement policies and procedures under GEN Rule 5.4.2 that are appropriate based on the nature, scale and complexity of the Authorised Person’s business. For example, a larger or more complex firm is expected to have more detailed and comprehensive policies and procedures in place.
2. The policies and procedures should:
a. include internal arrangements to allow for reports to be made by whistleblowers;
b. include adequate procedures to deal with, assess and, where appropriate, escalate reports to the senior management of the Authorised Person or, if necessary, to the DFSA or to any other relevant authority;
c. include reasonable measures to protect the identity and confidentiality of whistleblowers;
d. include reasonable measures to protect the whistleblower from suffering any detriment, as a result of the report;
e. ensure that, where appropriate and feasible, feedback is provided to the whistleblower; and
f. include reasonable measures to manage any conflicts of interest and ensure the fair treatment of any person who is the subject of an allegation in a report.
3. An Authorised Person’s whistleblowing policies and procedures should generally encourage reporting of concerns first to the Authorised Person itself. However, the policies and procedures should also take into account that there may be circumstances where it is appropriate, or a whistleblower may prefer, to report the concerns directly to the DFSA or to another relevant authority.
4. The records under GEN Rule 5.4.3 should include:
a. the date the report was received;
b. a summary of the concerns raised;
c. steps taken by the Authorised Person in relation to the report until the matter is resolved;
d. any steps taken to maintain the confidentiality of the whistleblower and to ensure fair treatment of the whistleblower;
e. the list of persons who have knowledge of the report;
f. the outcome of the assessment of the report including the rationale for the outcome and any decision on whether or not to disclose the report to the DFSA or any other relevant authority; and
g. references or links to all documentation and review papers in relation to the report.
5. An Authorised Person may be required to make its records of whistleblowing reports available to the DFSA for inspection.
6. In addition to the requirements in these Rules, Article 68A of the Regulatory Law provides legal protection to a whistleblower who discloses information about suspected misconduct in good faith to a specified person, such as the relevant Authorised Person, the auditor of the Authorised Person, the DFSA or other relevant authorities.
7. The protection under the Regulatory Law applies to any person who makes such a disclosure. For example, the disclosure may be made by a person who is or has been an officer, employee or agent of the Authorised Person, a Person who provides services or products to the Authorised Person or a person who has no formal connection with the Authorised Person.
8. The protection under the Regulatory Law is from liability, dismissal or detriment for making that disclosure. However, it does not, for example, prevent an Authorised Person from taking action against an employee for other legitimate reasons, such as if the employee has engaged in misconduct.
9. An Authorised Person should, as part of its whistleblowing policies and procedures, inform its officers and employees of the protection under Article 68A of the Regulatory Law.