3. 3. Supervision: Being Regulated
3.1 3.1 Our approach to supervision
We adopt a risk-based approach to the regulation and supervision of all regulated firms in order to concentrate our resources on the mitigation of risks to our objectives. We will work with a regulated entity to identify, assess, mitigate and control these risks where appropriate.
Our supervisory risk-based approach involves:(a) establishing the supervisory intensity of a given firm based on the combination of its size and complexity (impact rating) and its risk profile (risk rating), see paragraphs 3.1.8–3.1.11 below). The higher the impact and/or risk profile of the firm, the higher the supervisory intensity and the resources deployed by us;(b) continuous risk management cycle, utilising sectoral and firm-specific data, notifications by the firm, risk assessments and the risk and impact ratings;(c) using appropriate supervisory tools; and(d) where applicable, considering any lead or consolidated supervision which a firm or its Group may be subject to in other jurisdictions, taking into account our relationship with other regulators and the extent to which it or they meet appropriate regulatory criteria and standards.
We believe a firm's culture and behaviour affects both its overall financial condition and its interaction with individual customers and market counterparties. Our aim is to reduce the risk and impact of a failure or inappropriate conduct by requiring our regulated firms to have sound risk management systems and adequate internal controls.
Risk management cycle
We adopt a structured risk management cycle. This comprises the identification, assessment, prioritisation, mitigation and monitoring of risks. It ensures appropriate action is taken upon the identification and/or materialisation of risks.
We will identify and collate a comprehensive set of indicators on a regular basis which provides insights into the financial position and business activities of all our regulated entities. This data set allows us to assess the specific risk profile of regulated entities, sectoral risks by types of entities, and systemic risks posed by the firms to other market counterparties and the wider financial system.
Based on the analysis of this data set, we will prioritise and step up our supervision with respect to certain firms as appropriate, or use thematic reviews to target certain products, services or practices across a set of firms, to mitigate any emerging, specific or systemic risks.
We will monitor and use this data, amongst other factors, to review the effectiveness of our mitigation plans, and set organisational risk tolerances to allocate our supervisory resources.
Impact and risk ratings
The impact and risk rating is an assessment of the potential adverse consequences that could follow from the failure of, or significant misconduct by, a firm. The potential adverse consequences include not only the direct financial impact on such firm's customers, counterparties and stakeholders, but also the potential for damage to our reputation and objectives.
In assessing the impact rating, we will consider a variety of factors such as:(a) the complexity of the firm's activities and structure, which is dependent on the nature and type of Regulated Activities it conducts. For instance, a firm that holds customers' deposits and assets will be operationally more complex and more difficult to resolve any issues or to supervise into compliance, as opposed to a Regulated Activity that does not involve accepting / holding customers' assets;(b) the scale of the firm's activities and its linkages with other financial institutions and the wider financial system.
The risk rating is an assessment of the firm's level of risk exposure or probability of failure across a wide range of risk factors. It takes into consideration a number of broad risk groups, including:(a) Financial Strength(b) Liquidity(c) Credit Risk(d) Market Risk(e) AML/CFT and Financial Crime(f) Conduct Risk(g) Operational Risk(h) Corporate Governance(i) Internal Control System(j) Business Model Risk
The combination of the risk and the impact will determine the level and intensity of supervision. Firms with higher ratings will be subject to higher supervisory intensity. Our supervisory oversight of these firms will entail more frequent and routine engagements and on-site visits to oversee the activities and developments in the firm. These engagements would typically involve discussions with the board and senior management, business and compliance heads, auditors and risk managers of the firm and, in the case of overseas financial Groups, its head office staff and home country regulators.
Whenever appropriate, we may inform the firm of the steps it needs to take in relation to specific risks. We then expect the firm to demonstrate that it has taken appropriate steps to mitigate these risks.
Where necessary, risk mitigation programmes may be developed for a firm in order to mitigate or remove identified areas of risk.
Our relationship with firms
In order to meet our objectives, we require an open, transparent and co-operative relationship with our regulated firms. We expect to establish and maintain an on-going dialogue with the firm's senior management in order to develop and sustain a thorough understanding of the firm's business, systems and controls and, through this relationship, to be aware of all areas of risk to our objectives.
We seek to reinforce the responsibilities of senior management for the risk oversight and governance of the firm's activities, to ensure financial soundness, fair dealing and compliance with regulatory standards.
We seek to maintain an up-to-date knowledge of a firm's business. However, a firm is also required to keep us informed of significant events, or anything related to the firm of which we would reasonably expect to be notified (as set out below).
Notifications to us
GEN 8.10 sets out the requirements on a firm to notify us of specified events, changes or circumstances a firm (other than a Representative Office) may encounter. The list of notifications outlined in GEN 8.10 is not exhaustive and there are other areas of the Rulebooks that also specify additional notification requirements. (See appendix A)
Co-operation with other regulators
We view co-operation with other regulators as an important component of our supervisory activities. Effective co-operation arrangements with other regulators will provide for prompt exchange of information in relation to supervision, investigation and enforcement matters. The information exchange may enhance, for example, our understanding of the operations of a firm's Group and the effect on our firm.
We may also exercise our powers for the purposes of assisting other regulators or agencies, see sections 215 – 217 of the FSMR.
3.2 3.2 Supervision of Firms
When we authorise a firm, we take into consideration the relationship the firm has within its Group, with related parties or other parties closely linked to it. We may also take into account lead or consolidated supervision to which a firm or its Group may be subject to in another jurisdiction.
A firm is expected to provide information as required or reasonably requested relating to the Authorised Person and, where applicable, its consolidated or lead regulatory arrangements. This information may include:(a) prudential information;(b) reports on systems and controls relating to a firm's Group;(c) internal and external audit reports;(d) details of disciplinary proceedings or any matters which may have financial consequences, reputational impact or pose any significant risk to the ADGM or to the firm; and(e) the group-wide corporate governance practices and policies, and the remuneration structure and strategies adopted.
This information may be taken into account as part of our fit and proper test as set out in Chapter 2.2 0 above and the supervision of the firm. Further Rules and Guidance with regard to obtaining information from a Representative office's lead regulator are set out in GEN 9.15.3.
We have an interest in the relationship of a firm with other regulators, particularly in order to determine the level of reliance we may place on a regulator in another jurisdiction concerning any lead supervision arrangements. Depending on the legal structure of a firm and our relationship with the regulator in question, we may place appropriate reliance on the supervision undertaken by this regulator.
Domestic Firm's Group with ADGM head office
We will usually be the lead and consolidated regulator of any Group headquartered as a Domestic Firm in the ADGM. Members of the Group, that is, any of the firm's Subsidiaries or Branches, will be either subject to our exclusive supervision or, where members of the Group are located in a jurisdiction outside the ADGM, generally subject to lead or consolidated supervision by us in co-operation with another regulator, provided we are satisfied that it meets appropriate regulatory criteria and standards.
Subsidiary of a non-ADGM firm
We will be the host regulator for the purpose of prudential supervision of a firm which is an ADGM incorporated Subsidiary of a non-ADGM firm.
Where a firm is a Subsidiary of a regulated non-ADGM parent company, we take into account any consolidated prudential supervision arrangements to which the firm is subject and will liaise with other regulators as necessary to ensure that these are adequately carried out, taking into account the firm's activities. We may place appropriate reliance on the firm's consolidated regulator in another jurisdiction if we are satisfied that it meets appropriate regulatory criteria and standards.
A firm carrying on Regulated Activities as a Subsidiary of an unregulated non-ADGM parent company may be subject to our consolidated prudential supervision, taking into account the parent's activities.
Branch of a non-ADGM firm
A firm carrying on Regulated Activities through a Branch will be subject to supervision by both us and the regulator in its head office jurisdiction.
We will have regard to any lead or consolidated prudential supervision arrangements to which a firm is subject. We may place appropriate reliance on a firm's lead regulator in another jurisdiction and, where appropriate, it's consolidated prudential regulator if we are satisfied that it meets appropriate regulatory criteria and standards. Where a firm is subject to lead regulation arrangements with a foreign regulator, we will usually not seek to impose consolidated prudential supervision on the firm's Group.
In determining the level of regulatory and supervisory oversight required for a specific firm, we will consider:(a) the degree of home country regulation and supervision by the home regulator;(b) the fitness and propriety of the head office and its Controllers;(c) the strength of support, both financial and managerial, which the head office is capable of providing to the branch, taking into account the branch's activities and the adequacy of, among other things, the corporate governance framework and practices at the head office; and(d) the risk and control mechanisms within the Branch itself.
Based on this assessment, we may consider granting a waiver or modification notice in respect of specific prudential or other regulatory requirements relating to a Branch.
Periodic returns for Firms
A firm is required to submit periodic returns. In addition, a firm may be required to submit copies of its Group's annual interim and audited accounts. We may also require a firm to provide copies of Group returns which are sent to any other regulator.
Collecting this data in a timely and accurate manner is imperative to our risk management cycle.
Review of risk management systems
Under GEN 3.3.4, a firm must ensure that its risk management systems provide the firm with the means to identify, assess, mitigate, monitor and control its risks. In addition to undertaking our own assessment of the firm, we may review the firm's internal risk self-assessment and determine the extent to which each of the firm's risks impacts on our objectives, the likelihood of the risk occurring, and the controls and mitigation programmes the firm has in place.
We may undertake desktop analyses to review a firm's business activities and compliance with our laws. A desktop review may involve analysing information provided by the firm through periodic returns, internal management information, ad-hoc questionnaires, published financial information or specially requested information. Through monitoring key indicators and the development of the firm's business, we seek to detect emerging issues for further in-depth reviews through meetings with the firm's management, onsite examinations, or otherwise. Apart from reports such as regular prudential returns, we may from time to time also request from a firm additional supplementary information and documents, including non-financial information such as a firm's internal policies on particular areas of risk and compliance.
On-site visits provide us with an overview of the firm's operations and enable us to form a first-hand view of the personnel, systems and controls and compliance culture within the firm as well as identifying and evaluating the risks to our objectives, taking into account any mitigation by the firm. They enable us to test the soundness of the firm's systems and controls and the extent to which we can continue to rely on them and the firm's senior management to prevent or mitigate risks to our objectives. On-site visits will also assist us to assess the extent of supervision and the use of other supervisory tools required to address certain key risk areas.
We are committed to open and transparent communication with firms. From time to time, we may issue letters to Senior Executive Officers or equivalent persons across the ADGM. Frequently, these letters will be issued as a means of communicating findings arising from thematic visits, emerging trends and risks in the financial sector, or in response to any major events or developments.
From time to time, we may consider a particular item of communication to a firm to be of key regulatory importance. For this reason, it may be necessary to issue such communications directly to a senior member of staff at the board level of the ADGM entity copied (where appropriate) to the group's home regulator. For entities established as a Branch in the ADGM, these communications will likely be delivered to the Chairman of the Board at the ADGM Branch entity's head or Parent office. For ADGM incorporated entities, these communications will likely be delivered directly to the Chairman of the firm's board or head office. These communications may include, for example, the findings of our risk assessment visits where a risk mitigation plan has been sent that contains significant matters of concern to our objectives.
External Auditor reports, statements and meetings
An Auditor of a firm is required to provide reports to us addressing the matters outlined in section 191 of the FSMR. As part of an audit, we would expect an Auditor to review any relevant correspondence between us and the firm (e.g. on matters of regulatory concern) and ensure that appropriate follow-up actions have been taken by the firm. We may also require the firm to commission the auditor to conduct a special purpose audit to certify and ensure that any risk mitigation plan has been appropriately implemented. Further, we may from time to time, request tripartite meetings between the firm's senior management, the Auditor, and ourselves.
Controllers — Our approval
A person who proposes to become a Controller of a Domestic Firm or an existing Controller who proposes to increase the level of control which that person has in a domestic firm beyond the threshold of 20%, 30% or 50% is required to obtain our prior approval before doing so. Our assessment of a proposed acquisition or increase in control of a domestic firm is a review of such a firm's continued fitness and propriety and ability to conduct business soundly and prudently, and takes into account considerations set out in para 2.2.8.
Under GEN Rule 8.8.5(1), a person who proposes either to acquire or increase the level of control in a Domestic Firm must provide written notice to us in such form as we shall set. We may approve of, object to or impose conditions relating to the proposed acquisition or the proposed increase in the level of control of the firm. If the information in the written application lodged with us is incomplete or unclear, we may in writing request further clarification or information. We may do so at any time during the processing of such an application. The period of 90 days within which we will make a decision will not commence until such clarification or additional information is provided to our satisfaction. We may, in our absolute discretion, agree to a shorter period for processing an application where an applicant requests for such a period, provided all the information required is available to us.
Where we propose to object to or impose conditions relating to a proposed acquisition of or increase in the level of control in a domestic firm, we will first notify the applicant in writing of its proposal to do so and its reasons. We will take into account any representations made by an applicant before making our final decision.
We may consider whether a person has become an unacceptable Controller as a result of any notification given by a firm, including under GEN Rule 8.8.11(2) or as a result of our own supervisory work. The considerations which we will take into account in assessing whether a person is an acceptable Controller are those set out in paragraphs 3.2.21 above.
We may request, in writing, any further information required to enable us to complete our assessment of the application no later than the 50th Business Day of the assessment period.
3.3 3.3 Supervision of Representative Offices
As part of our risk-based approach to supervising firms we may undertake periodic visits to Representative Offices and may also include Representative Offices in our thematic visits.
Onsite visits to Representative Offices are likely to focus on issues including:(a) confirming that activities undertaken by the Representative Office are allowed under its Financial Services Permission;(b) reviewing the adequacy of its systems and controls to comply with its responsibilities;(c) reviewing the material distributed by the Representative Office to ensure it is clear, fair and not misleading;(d) any solvency concerns with the head office or Group; and(e) the firm's disclosure of its regulated status.
The onsite visit is likely to include interviews with the Principal Representative and a review of relevant records.
3.4 3.4 Supervision of Recognised Bodies
The FSMR and the Rules establishes a principles-based framework for the recognition and supervision of Recognised Bodies and for taking regulatory action against those recognised institutions. This framework is supplemented by supervisory powers and other requirements in MIR and MKT rulebooks.
When we recognise a Recognised Body, we take into consideration the relationship with any wider group to which the Recognised Body may belong or with other Persons closely linked to it. We will also take into account lead or consolidated supervision to which a Recognised Body or its Group may be subject in another jurisdiction to the extent it is satisfied that it meets appropriate regulatory criteria and standards. This may lead to us placing some reliance on the supervisory arrangements in another jurisdiction or creating and participating in special arrangements for the supervision of the Recognised Body and its Group. The Recognised Body is expected to provide information required or reasonably requested in relation to these consolidated or lead supervisory arrangements before final supervisory arrangements are established.
Each relationship will be considered on a case by case basis and according to the risks posed by the Recognised Body's activities identified during supervisory arrangements. Such supervisory arrangements may include a process to be agreed by us, the Recognised Body itself and other relevant regulators.
Effective co-operation with regulators will provide for prompt exchange of information and co-operation in relation to supervision and enforcement between jurisdictions. This may include exchanges of information and co-operation in respect of activities conducted by a Recognised Body. Usually co-operation arrangements will be in the form of memoranda of understanding. The information exchange will enhance our understanding of the operations of the Group and the impact (if any) on the Recognised Body.
Application for a change in control
GEN 8.8 sets out the requirements relating to a change in control. See also paragraphs 3.2.21 to 3.2.25 above.
MIR Chapter 6 empowers us to give a Recognised Body certain directions in relation to the Recognised Body's duties under the laws. It also gives us the power to direct a Recognised Body to do specified things, including closing the market, suspending transactions and prohibiting trading in Investments. MIR Chapter 6 also empowers us to exercise the powers contained in the Recognised Body's rules for participants as though it was the Recognised Body where we consider that the Recognised Body has not exercised the powers under those rules.
In considering whether to exercise such powers, we may take into account the following factors:(a) what steps the Recognised Body has taken or is taking in respect of the issue being addressed in the planned direction;(b) the impact on our objectives if a direction were not issued; or(c) whether it is in the interests of the ADGM.
The written notice given by us will specify what a Recognised Body is required to do under the exercise of such directions. Though we are not required to do so under MIR, in most cases we will endeavour to contact the Recognised Body prior to issuing such a direction.
Part 14 of the FSMR and MIR 6.1 allow us to direct a Recognised Body to suspend or delist Securities from its Official List. Such directions may take effect immediately or from a date and time as may be specified in the direction. MKT Chapter 2 contains details in this regard.