GEN 5.3 Systems and controls
General requirement
GEN 5.3.1
(1) An Authorised Person must establish and maintain systems and controls, including but not limited to financial and risk systems and controls, that ensure that its affairs are managed effectively and responsibly by its senior management.
(2) An Authorised Person must undertake regular reviews of its systems and controls.
Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
[Amended] DFSA RM43/2007 (Made 1st June 2007). [VER14/06-07]
GEN 5.3.1 Guidance
The nature and extent of the systems and controls of an Authorised Person will depend upon a variety of factors including the nature, scale and complexity of its business. While all Authorised Persons, irrespective of the nature, scale, and complexity of their business and legal structure or organisation need to comply with this chapter, the DFSA will take into account these factors and the differences that exist between Authorised Persons when assessing the adequacy of an Authorised Person's systems and controls. Nevertheless, neither these factors nor the differences relieve an Authorised Person from compliance with its regulatory obligations.
Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
[Amended] DFSA RM95/2012 (Made 14th June 2012). [VER29/06-12]
Organisation
GEN 5.3.2
(1) An Authorised Person must establish and implement, taking due account of the nature, scale and complexity of its business and structure, adequate measures to ensure that:
(a) the roles and responsibilities assigned to its Governing Body and the members of that body, senior management and Persons Undertaking Key Control Functions are clearly defined;
(b) there are clear reporting lines applicable to the individuals undertaking those functions; and
(c) the roles, responsibilities and reporting lines referred to in (a) and (b), are documented and communicated to all relevant Employees.
(2) An Authorised Firm must ensure that any Employee who will be delivering Financial Services to its customers is clearly identified, together with his respective lines of accountability and supervision.
(3) An Authorised Firm which is conducting Investment Business or the Financial Services of Providing Fund Administration or Providing Trust Services, must ensure it makes publically available details of any Employee who delivers Financial Services to its customers, by including such information:
(a) in a register, maintained by the Authorised Firm at its place of business and open for inspection during business hours; or
(b) on the website of the Authorised Firm.
(4) An Authorised Firm referred to in (3), must have complete and up to date information on its register or website, including:
(a) the date on which the relevant Employee commenced delivering of Financial Services to customers; and
(b) the Financial Services which that Employee is permitted by the Authorised Firm to deliver to customers.
Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
[Amended] [VER10/06-06]
[Amended] DFSA RM95/2012 (Made 14th June 2012). [VER29/06-12]
[Amended] DFSA RM96/2012 (Made 24th July 2012) [VER30/07-12]
GEN 5.3.2 Guidance
1. The term Employee is defined in the GLO widely and includes members of the Governing Body or directors and senior managers of the Authorised Firm. Therefore, the requirements relating to Employees in Rules 5.3.3 and 5.3.6 apply to all Employees including those across the organisation.
2. The division of responsibilities between the Governing Body and the senior management should be clearly established and set out in writing. In assigning duties, the Governing Body should take care that no one individual has unfettered powers in making material decisions.
3. Members of the Governing Body may include individuals undertaking senior management functions (such as the chief executive of the firm) and Persons Undertaking Key Control Functions. In assigning specific functions to such individuals, care should be taken to ensure that the integrity and effectiveness of the functions they are to perform are not compromised. For example, if the Chairperson of the Governing Body is also the chief executive officer of the Authorised Person, the Governing Body should ensure that the performance assessment of that individual in his roles should be undertaken by a senior non-executive member of the Governing Body or an independent external consultant.
4. Persons Undertaking Key Control Functions are defined in GLO in an inclusive manner to encompass Persons such as the heads of risk control, compliance and internal audit functions. In the case of an Insurer, the actuary also is a Person who Undertakes a Key Control Function.
5. An example of an Employee providing Financial Services to a customer is a client relationship manager employed by an Authorised Firm providing wealth management services. In contrast, an Employee who may be employed in the back office of an Authorised Firm with responsibility for setting up client accounts would not be client facing.
[Added] DFSA RM95/2012 (Made 14th June 2012). [VER29/06-12]
[Amended] DFSA RM96/2012 (Made 24th July 2012) [VER30/07-12]
GEN 5.3.3
An Authorised Person must ensure that key duties and functions are segregated. Such segregation must ensure that the duties and functions to be performed by the same individual do not conflict with each other, thereby impairing the effective discharge of those functions by the relevant individuals (such as undetected errors or any abuse of positions) and thus exposing the Authorised Person or its customers or users to inappropriate risks.
[Added] DFSA RM96/2012 (Made 24th July 2012) [VER30/07-12]
Risk management
GEN 5.3.4
An Authorised Person must establish and maintain risk management systems and controls to enable it to identify, assess, mitigate, control and monitor its risks.
Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
GEN 5.3.5
An Authorised Person must develop, implement and maintain policies and procedures to manage the risks to which the Authorised Person and where applicable, its customers or users, are exposed.
Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
GEN 5.3.6
(1) An Authorised Person must appoint an individual to advise its Governing Body and senior management of such risks.
(2) An Authorised Person which is part of a Group should be aware of the implications of any Group wide risk policy and systems and controls regime.
Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
Compliance
GEN 5.3.7
An Authorised Person must establish and maintain compliance arrangements, including processes and procedures that ensure and evidence, as far as reasonably practicable, that the Authorised Person complies with all legislation applicable in the DIFC.
Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
[Amended] DFSA RM119/2013 (Made 14th July 2013). [VER33/07-13]
[Amended] DFSA RM211/2018 (Made 22nd February 2018). [VER41/04-18]
GEN 5.3.8
An Authorised Person must document the organisation, responsibilities and procedures of the compliance function.
Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
[Amended] DFSA RM119/2013 (Made 14th July 2013). [VER33/07-13]
GEN 5.3.9
An Authorised Person must ensure that the Compliance Officer has access to sufficient resources, including an adequate number of competent staff, to perform his duties objectively and independently of operational and business functions.
Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
[Amended] DFSA RM119/2013 (Made 14th July 2013). [VER33/07-13]
GEN 5.3.10
An Authorised Person must ensure that the Compliance Officer has unrestricted access to relevant records and to the Authorised Person's Governing Body and senior management.
Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
[Amended] DFSA RM119/2013 (Made 14th July 2013). [VER33/07-13]
GEN 5.3.11
An Authorised Person must establish and maintain monitoring and reporting processes and procedures to ensure that any compliance breaches are readily identified, reported and promptly acted upon.
Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
[Amended] DFSA RM119/2013 (Made 14th July 2013). [VER33/07-13]
GEN 5.3.12
An Authorised Person must document the monitoring and reporting processes and procedures as well as keep records of breaches of any of legislation applicable in the DIFC.
Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
[Amended] DFSA RM119/2013 (Made 14th July 2013). [VER33/07-13]
[Deleted]
[Deleted] DFSA RM119/2013 (Made 14th July 2013). [VER33/07-13]
Internal audit
GEN 5.3.13
(1) An Authorised Person must establish and maintain an internal audit function with responsibility for monitoring the appropriateness and effectiveness of its systems and controls.
(2) The internal audit function must be independent from operational and business functions.
(3) An Authorised Firm is not required to have an internal audit function if the only Financial Service it carries on is Managing a Venture Capital Fund.
Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
[Amended] DFSA RM278/2020 (Made 28th October 2020) [VER49/11-20].
GEN 5.3.13 Guidance
The Person appointed as the Internal Auditor of an Authorised Market Institution is a Key Individual pursuant to AMI Rule 5.3.1.
[Added] DFSA RM119/2013 (Made 14th July 2013). [VER33/07-13]
GEN 5.3.14
An Authorised Person must ensure that its internal audit function has unrestricted access to all relevant records and recourse when needed to the Authorised Person's Governing Body or the relevant committee, established by its Governing Body for this purpose.
Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
GEN 5.3.15
An Authorised Person must document the organisation, responsibilities and procedures of the internal audit function.
Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
Business plan and strategy
GEN 5.3.16
(1) An Authorised Person must produce a business plan which enables it, amongst other things, to manage the risks to which it and its customers are exposed.
(2) The business plan must take into account the Authorised Person's current business activities and the business activities forecast for the next twelve months.
(3) The business plan must be documented and updated as appropriate to take account of changes in the business environment and to reflect changes in the business of the Authorised Person.
Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
Management information
GEN 5.3.17
An Authorised Person must establish and maintain arrangements to provide its Governing Body and senior management with the information necessary to organise, monitor and control its activities, to comply with legislation applicable in the DIFC and to manage risks. The information must be relevant, accurate, comprehensive, timely and reliable.
Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
[Amended] DFSA RM95/2012 (Made 14th June 2012). [VER29/06-12]
Staff and agents
GEN 5.3.18
An Authorised Person must establish and maintain systems and controls that enable it to satisfy itself of the suitability of anyone who acts for it.
Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
GEN 5.3.19
(1) An Authorised Firm must ensure, as far as reasonably practical, that its Employees are:
(a) fit and proper;
(b) competent and capable of performing the functions which are to be assigned to those Employees; and
(c) trained in the requirements of the legislation applicable in the DIFC.
(2) An Authorised Firm must establish and maintain systems and controls to comply with (1). An Authorised Firm must be able to demonstrate that it has complied with these requirements through appropriate measures, including the maintenance of relevant records.
Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
[Amended] [VER10/06-06]
[Amended] DFSA RM56/2008 (Made 1st July 2008). [VER19/07-08]
GEN 5.3.19 Guidance
1. When considering whether an Employee is fit and proper, competent and capable, an Authorised Firm should consider any training undertaken or required by an Employee, the nature of the Clients to whom an Employee provides Financial Services, and the type of activities performed by an Employee in the provision of such Financial Services including any interface with Clients.
2. When assessing the fitness and propriety of Employees, an Authorised Firm should be guided by the matters set out in section 2.3 of the RPP Sourcebook and should also monitor conflicts or potential conflicts of interest arising from all of the individual's links and activities.
3. When assessing the competence and capability of an Employee, an Authorised Firm should:
a. obtain details of the skills, knowledge and experience of the Employee relevant to the nature and requirements of the role;
b. take reasonable steps to verify the relevance, accuracy and authenticity of any information obtained;
c. determine, in light of the Employee's relevant skills, knowledge and experience, that the Employee is competent and capable of fulfilling the duties of the role; and
d. consider the level of responsibility that the Employee will assume within the Authorised Firm, including whether the Employee will be providing Financial Services to Retail Clients in an interfacing role.
4. An Authorised Firm should also satisfy itself that an Employee:
a. continues to be competent and capable of performing the role;
b. has kept abreast of market, product, technology, legislative and regulatory developments that are relevant to the role, through training or other means; and
c. is able to apply his knowledge.
5. Refer to section 2.2.13 of the RPP Sourcebook for criteria for suitability of members of the Governing Body of the Authorised Firm.
Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
[Amended] [VER10/06-06]
[Amended] DFSA RM56/2008 (Made 1st July 2008). [VER19/07-08]
Amended in accordance with Notice of Amendments to Legislation April 2011 [VER27/02-11]
[Amended] DFSA RM95/2012 (Made 14th June 2012). [VER29/06-12]
Continuing Professional Development
GEN 5.3.19A
(1) An Authorised Firm must ensure that an Employee who falls within a category specified in (2) remains competent by completing a minimum of 15 hours of continuing professional development (CPD) in each calendar year.
(2) The categories of Employees specified for the purposes of (1) are:
(a) the Senior Executive Officer;
(b) the Compliance Officer; and
(c) the Money Laundering Reporting Officer.
(3) An Authorised Firm must ensure that:
(a) the CPD in (1) is relevant to the Employee’s:
(i) current role and any anticipated change in that role; and
(ii) professional skill and knowledge;
(b) the CPD consists of structured activities; and
(c) the Employee keeps adequate records of CPD activities to be able to demonstrate that the requirements in this Rule have been met.
(4) In (3), “structured activities” means courses, seminars, lectures, conferences, workshops, web-based seminars or e-learning which require a commitment of thirty minutes or more.
GEN 5.3.19A Guidance
(1) The requirement in Rule 5.3.19A does not derogate from the requirement in Rule 5.3.19 for an Authorised Firm to ensure that Employees generally are competent and capable of performing their functions. This requires the Authorised Firm to consider what training is undertaken or required for all Employees, including Employees not covered by this Rule.
(2) The structured activities that are completed as CPD may consist of activities conducted internally or externally, and may include activities conducted by a professional body.
Conduct
GEN 5.3.20
An Authorised Person must establish and maintain systems and controls that ensure, as far as reasonably practical, that the Authorised Person and its Employees do not engage in conduct, or facilitate others to engage in conduct, which may constitute:
(a) market abuse, whether in the DIFC or elsewhere; or
(b) a financial crime under any applicable U.A.E. laws.
Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
[Amended] DFSA RM119/2013 (Made 14th July 2013). [VER33/07-13]
[Amended] DFSA RM184/2016 (Made 7th December 2016). [VER38/02-17]
GEN 5.3.20 Guidance [Deleted]
[Deleted] DFSA RM95/2012 (Made 14th June 2012). [VER29/06-12]
Outsourcing
GEN 5.3.21
(1) An Authorised Person which outsources any of its functions or activities directly related to Financial Services to service providers (including within its Group) is not relieved of its regulatory obligations and remains responsible for compliance with legislation applicable in the DIFC.
(2) The outsourced function under this Rule shall be deemed as being carried out by the Authorised Person itself.
(3) An Authorised Person which uses such third party providers must ensure that it:
(a) has undertaken due diligence in choosing suitable service providers;
(b) effectively supervises the outsourced functions or activities; and
(c) deals effectively with any act or failure to act by the service provider that leads, or might lead, to a breach of any legislation applicable in the DIFC.
Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
Amended in accordance with Notice of Amendments to Legislation April 2011 [VER27/02-11]
GEN 5.3.21 Guidance
Deleted in accordance with Notice of Amendments to Legislation April 2011 [VER27/02-11]
GEN 5.3.22
(1) An Authorised Person must inform the DFSA about any material outsourcing arrangements.
(2) An Authorised Person which has a material outsourcing arrangement must:
(a) establish and maintain comprehensive outsourcing policies, contingency plans and outsourcing risk management programmes;
(b) enter into an appropriate and written outsourcing contract; and
(c) ensure that the outsourcing arrangements neither reduce its ability to fulfil its obligations to customers and the DFSA, nor hinder supervision of the Authorised Person by the DFSA.
(3) An Authorised Person must ensure that the terms of its outsourcing contract with each service provider under a material outsourcing arrangement require the service provider to:
(a) provide for the provision of information under section 11.1 in relation to the Authorised Person and access to their business premises; and
(b) deal in an open and co-operative way with the DFSA.
Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
Amended in accordance with Notice of Amendments to Legislation April 2011 [VER27/02-11]
GEN 5.3.22 Guidance
1. An Authorised Person's outsourcing arrangements should include consideration of:
a. applicable guiding principles for outsourcing in financial services issued by the Joint Forum; or
b. any equivalent principles or regulations the Authorised Person is subject to in its home country jurisdiction.
2. An outsourcing arrangement would be considered to be material if it is a service of such importance that weakness or failure of that service would cast serious doubt on the Authorised Person's continuing ability to remain fit and proper or to comply with DFSA administered Laws and Rules.
Derived from Notice of Amendments to Legislation April 2011 [VER27/02-11]
Business continuity and disaster recovery
GEN 5.3.23
(1) An Authorised Person must have in place adequate arrangements to ensure that it can continue to function and meet its obligations under the legislation applicable in the DIFC in the event of an unforeseen interruption.
(2) These arrangements must be kept up to date and regularly tested to ensure their effectiveness.
Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
GEN 5.3.23 Guidance
1. In considering the adequacy of an Authorised Person's business continuity arrangements, the DFSA will have regard to the Authorised Person's management of the specific risks arising from interruptions to its business including its crisis management and disaster recovery plans.
2. The DFSA expects an Authorised Person to have:
a. arrangements which establish and maintain the Authorised Person's physical security and protection for its information systems for business continuity purposes in the event of planned or unplanned information system interruption or other events that impact on its operations;
b. considered its primary data centres' and business operations' reliance on infrastructure components, for example transportation, telecommunications networks and utilities and made the necessary arrangements to minimise the risk of interruption to its operations by arranging backup of infrastructure components and service providers; and
c. considered, in its plans for dealing with a major interruption to its primary data centre or business operations, its alternative data centres' and business operations' reliance on infrastructure components and made the necessary arrangements such that these do not rely on the same infrastructure components and the same service provider as the primary data centres and operations.
Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
[Deleted]
[Deleted] DFSA RM56/2008 (Made 1st July 2008). [VER19/07-08]
GEN 5.3.24 [Deleted]
[Deleted] DFSA RM56/2008 (Made 1st July 2008). [VER19/07-08]
[Deleted]
[Deleted] DFSA RM56/2008 (Made 1st July 2008). [VER19/07-08]
Records
GEN 5.3.24
(1) An Authorised Person must make and retain records of matters and dealings, including Accounting Records and corporate governance practices which are the subject of requirements and standards under the legislation applicable in the DIFC.
(2) Such records, however stored, must be capable of reproduction on paper within a reasonable period not exceeding 3 business days.
Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
[Amended] DFSA RM42/2007 (Made 15th February 2007). [VER13/02-07]
Amended in accordance with Notice of Amendments to Legislation April 2011 [VER27/02-11]
[Amended] DFSA RM119/2013 (Made 14th July 2013). [VER33/07-13]
GEN 5.3.25
Subject to GEN Rule 5.3.26, the records required by GEN Rule 5.3.24 or by any other rule in this Rulebook must be maintained by the Authorised Person in the English language.
Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
Amended in accordance with Notice of Amendments to Legislation April 2011 [VER27/02-11]
GEN 5.3.26
If an Authorised Person's records relate to business carried on from an establishment in a territory outside the DIFC, an official language of that territory may be used instead of the English language as required by GEN Rule 5.3.25.
Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
Amended in accordance with Notice of Amendments to Legislation April 2011 [VER27/02-11]
GEN 5.3.27
An Authorised Person must have systems and controls to fulfil the Authorised Person's legal and regulatory obligations with respect to adequacy, access, period of retention and security of records.
Derived from DFSA RM01/2004 (Made 16th September 2004). [VER1/09-04]
Amended in accordance with Notice of Amendments to Legislation April 2011 [VER27/02-11]
Fraud
GEN 5.3.28
An Authorised Person must establish and maintain effective systems and controls to:
(a) deter and prevent suspected fraud against the Authorised Person; and
(b) report suspected fraud and other financial crimes to the relevant authorities.
[Added] DFSA RM43/2007 (Made 1st June 2007). [VER14/06-07]
Amended in accordance with Notice of Amendments to Legislation April 2011 [VER27/02-11]
[Deleted]
[Deleted] DFSA RM119/2013 (Made 14th July 2013). [VER33/07-13]
GEN 5.3.29 [Deleted]
[Deleted] DFSA RM119/2013 (Made 14th July 2013). [VER33/07-13]
GEN 5.3.29 Guidance [Deleted]
[Deleted] DFSA RM119/2013 (Made 14th July 2013). [VER33/07-13]
Corporate Governance
GEN 5.3.30
(1) An Authorised Person must have a Governing Body and senior management that meet the requirements in (2) and (3) respectively.
(2) The Governing Body of the Authorised Person must:
(a) be clearly responsible for setting or approving (or both) the business objectives of the firm and the strategies for achieving those objectives and for providing effective oversight of the management of the firm;
(b) comprise an adequate number and mix of individuals who have, among them, the relevant knowledge, skills, expertise and time commitment necessary to effectively carry out the duties and functions of the Governing Body; and
(c) have adequate powers and resources, including its own governance practices and procedures, to enable it to discharge those duties and functions effectively.
(3) The senior management of the Authorised Person must be clearly responsible for the day-to-day management of the firm's business in accordance with the business objectives and strategies approved or set by the Governing Body.
[Added] DFSA RM95/2012 (Made 14th June 2012). [VER29/06-12]
GEN 5.3.30 Guidance
Scope of corporate governance
1. Corporate governance is a framework of systems, policies, procedures and controls through which an entity:
a. promotes the sound and prudent management of its business;
b. protects the interests of its customers and stakeholders; and
c. places clear responsibility for achieving (a) and (b) on the Governing Body and its members and the senior management of the Authorised Person.
2. Many requirements designed to ensure sound corporate governance of companies, such as those relating to shareholder and minority protection and responsibilities of the Board of Directors of companies, are found in the company laws and apply to Authorised Persons. Additional disclosure requirements also apply if they are listed companies. The requirements in this Module are tailored to Authorised Persons and are designed to augment and not to exclude the application of those requirements.
3. Whilst Rule 5.3.30 deals with two aspects of corporate governance, the requirements included in other provisions under sections 5.2 and 5.3 also go to the heart of sound corporate governance by promoting prudent and sound management of the Authorised Person's business in the interest of its customers and stakeholders. These requirements together are designed to promote sound corporate governance practices in Authorised Persons whilst also providing a greater degree of flexibility for Authorised Persons in establishing and implementing a corporate governance framework that are both appropriate and practicable to suit their operations.
4. Stakeholder groups of an Authorised Person, who would benefit from the sound and prudent management of firms, can be varied but generally encompass its owners (shareholders), customers (in the case of an AMI, its members and investors), creditors, counterparties and employees, whose interests may not necessarily be mutually coextensive. A key objective in enhancing corporate governance standards applicable to Authorised Persons is to ensure that firms are soundly and prudently managed, with the primary regard being had to its customers.
Proportionate application to firms depending on the nature of their business
5. One of the key considerations that underpins how the corporate governance requirements set out in Rule 5.3.30 apply to an Authorised Person is the nature, scale and complexity of the Authorised Person's business, and its organisational structure.
6. While requiring banks, insurers and dealers to have more detailed and complex corporate governance systems and controls, simpler systems and procedures could be required for other firms, depending on the nature and scale of their Financial Services. For example, in the case of certain types of Category 4 Financial Service providers such as arranging or advising only firms, less extensive and simpler corporate governance systems and procedures may be sufficient to meet their corporate governance obligations.
7. For example, an Authorised Person which is a small scale operation with a tightly held ownership structure may not have a Governing Body which comprises members who are fully independent of the firm's business and from each other, nor be sufficiently large to be able to form numerous committees of the Governing Body to undertake various functions such as nomination and remuneration. In such cases, whilst strict adherence to such aspects of best practice would not be required, overall measures as appropriate to achieve the sound and prudent management of the business would be needed. For example, a firm with no regulatory track record would be expected to have additional corporate governance controls in place to ensure the sound and prudent management of its business, such as the appointment of an independent director (who has relevant regulatory experience) to its Governing Body.
Application to Branches and Groups
8. As part of the flexible and proportionate application of corporate governance standards to firms, whether a firm is a Branch or a subsidiary within a Group is also taken into account. An Authorised Person which is a member of a Group may, instead of developing its own corporate governance policies, adopt group-wide corporate governance standards. However, the Governing Body of the Authorised Person should consider whether those standards are appropriate for the firm, and to the extent possible, make any changes as necessary.
9. In the case of a Branch, corporate governance practices adopted at the head office would generally apply to the Branch and are expected to be adequate. The DFSA considers, as part of its authorisation of a Branch and on-going supervision, the adequacy of regulatory and supervisory arrangements applicable in the home jurisdiction, including a corporate governance framework adopted and implemented by the head office (see section 3.2.15 of the RPP Sourcebook).
Best practice relating to corporate governance
10. In addition to the considerations noted above, best practice that an Authorised Person may adopt to achieve compliance with the applicable corporate governance standards is set out in Guidance at Appendix 3.1. An Authorised Person may, where the best practice set out in App3.1 is not suited to its particular business or structure, deviate from such best practice or any aspects thereof. The DFSA will expect the Authorised Person to demonstrate to the DFSA, upon request, what the deviations are and why such deviations are considered by the Authorised Person to be appropriate.
[Added] DFSA RM95/2012 (Made 14th June 2012). [VER29/06-12]
Remuneration structure and strategies
GEN 5.3.31
(1) The Governing Body of an Authorised Person must ensure that the remuneration structure and strategy of the firm:
(a) are consistent with the business objectives and strategies and the identified risk parameters within which the firm's business is to be conducted;
(b) provide for effective alignment of risk outcomes and the roles and functions of the Employees, taking account of:
(i) the nature of the roles and functions of the relevant Employees; and
(ii) whether the actions of the Employees may expose the firm to unacceptable financial, reputational and other risks;
(c) at a minimum, include the members of its Governing Body, the senior management, Persons Undertaking Key Control Functions and any major risk-taking Employees; and
(d) are implemented and monitored to ensure that they operate, on an on-going basis, effectively and as intended.
(2) The Governing Body must provide to the DFSA and relevant stakeholders sufficient information about its remuneration structure and strategies to demonstrate that such structure and strategies meet the requirements in (1) on an on-going basis.
(3) For the purposes of this Rule, "major risk-taking Employees" are Employees whose actions have a material impact on the risk exposure of the Authorised Person.
[Added] DFSA RM95/2012 (Made 14th June 2012). [VER29/06-12]
GEN 5.3.31 Guidance
Proportionate application to firms depending on the nature of their business
1. Those considerations set out in Guidance items 5 – 7 under Rule 5.3.30 apply equally to the way in which the remuneration structure and strategies related requirement in Rule 5.3.31 is designed to apply to an Authorised Person. Accordingly, whilst most Category 4 firms may have simple arrangements to achieve the outcome of aligning performance outcomes and risks associated with remuneration structure and strategies, banks, insurers and dealers are expected to have more stringent measures to address such risks.
Application to Branches and Groups
2. As part of the flexible and proportionate application of corporate governance standards to firms, whether a firm is a Branch or a subsidiary within a Group is also taken into account. As such, the considerations noted in Guidance items 8 – 9 under Rule 5.3.30 apply equally to the application of the remuneration related requirements for Branches and Groups. For example, where an Authorised Person is a member of a Group, its Governing Body should consider whether the Group wide policies, such as those relating to the Employees covered under the remuneration strategy and the disclosure relating to remuneration made at the Group level are adequate to meet its obligations under Rule 5.3.31.
Best practice relating to corporate governance
3. In addition to the considerations noted above, best practice that an Authorised Person may adopt to promote sound remuneration structure and strategies within the firm is set out as Guidance at Appendix 3.2. Where such best practice or any aspects thereof are not suited to a particular Authorised Person's business or structure, it may deviate from such best practice. The DFSA will expect the Authorised Person to demonstrate, upon request, what the deviations are and why such deviations are considered appropriate.
Disclosure of information relating to remuneration structure and strategy
4. The information which an Authorised Person provides to the DFSA relating to its remuneration structure and strategies should be included in the annual report or accounting statements. The DFSA expects the annual report of Authorised Persons to include, at a minimum, information relating to:
a. the decision making process used to determine the firm-wide remuneration policy (such as by a remuneration committee or an external consultant if any, or by the Governing Body);
b. the most important elements of its remuneration structure (such as, in the case of performance based remuneration, the link between pay and performance and the relevant assessment criteria); and
c. aggregate quantitative information on remuneration of its Governing Body, the senior management, Persons Undertaking Key Control Functions and any major risk taking Employees.
5. The DFSA may, pursuant to its supervisory powers, require additional information relating to the remuneration structure and strategy of an Authorised Firm to assess whether the general elements relating to remuneration under Rule 5.3.31(1) are met by the firm. Any significant changes to the remuneration structure and strategy should also be notified to the DFSA before being implemented. See Rule 11.10.20.
6. The information included in the annual report is made available to the DFSA and the shareholders, and in the case of a listed company, to the public. The Governing Body of the Authorised Person should also consider what additional information should be included in the annual report. In the case of banks, insurers and dealers, more detailed disclosure of remuneration structure and strategy and its impact on the financial soundness of the firm would be required. When providing disclosure relating to remuneration in its annual report, Authorised Persons should take account of the legal obligations that apply to the firm including the confidentiality of information obligations.
[Added] DFSA RM95/2012 (Made 14th June 2012). [VER29/06-12]