3.1 Our approach to supervision
We adopt a risk-based approach to the regulation and supervision of all regulated firms in order to concentrate our resources on the mitigation of risks to our objectives. We will work with a regulated entity to identify, assess, mitigate and control these risks where appropriate.
Our supervisory risk-based approach involves:
(a) establishing the supervisory intensity of a given firm based on the combination of its size and complexity (impact rating) and its risk profile (risk rating) (see paragraphs 3.1.8–3.1.11 below). The higher the impact and/or risk profile of the firm, the higher the supervisory intensity and the resources deployed by us;
(b) a continuous risk management cycle, utilising sectoral and firm-specific data, notifications by the firm, risk assessments and the risk and impact ratings;
(c) using appropriate supervisory tools; and
(d) where applicable, considering any lead or consolidated supervision which a firm or its Group may be subject to in other jurisdictions, taking into account our relationship with other regulators and the extent to which it or they meet appropriate regulatory criteria and standards.
We believe a firm's culture and behaviour affect both its overall financial condition and its interaction with individual customers and market counterparties. Our aim is to reduce the risk and impact of a failure or inappropriate conduct by requiring our regulated firms to have sound risk management systems and adequate internal controls.
Risk management cycle
We adopt a structured risk management cycle. This comprises the identification, assessment, prioritisation, mitigation and monitoring of risks. It ensures appropriate action is taken upon the identification and/or materialisation of risks.
We will identify and collate a comprehensive set of indicators on a regular basis which provides insights into the financial position and business activities of all our regulated entities. This data set allows us to assess the specific risk profile of regulated entities, sectoral risks by types of entities, and systemic risks posed by the firms to other market counterparties and the wider financial system.
Based on the analysis of this data set, we will prioritise and step up our supervision with respect to certain firms as appropriate, or use thematic reviews to target certain products, services or practices across a set of firms, to mitigate any emerging, specific or systemic risks.
We will monitor and use this data, amongst other factors, to review the effectiveness of our mitigation plans, and set organisational risk tolerances to allocate our supervisory resources.
Impact and risk ratings
The impact and risk rating is an assessment of the potential adverse consequences that could follow from the failure of, or significant misconduct by, a firm. The potential adverse consequences include not only the direct financial impact on such firm's customers, counterparties and stakeholders, but also the potential for damage to our reputation and objectives.
In assessing the impact rating, we will consider a variety of factors such as:
(a) the complexity of the firm's activities and structure, which is dependent on the nature and type of Regulated Activities it conducts. For instance, a firm that holds customers' deposits and assets will be operationally more complex and more difficult to resolve any issues or to supervise into compliance, as opposed to a Regulated Activity that does not involve accepting / holding customers' assets;
(b) the scale of the firm's activities and its linkages with other financial institutions and the wider financial system.
The risk rating is an assessment of the firm's level of risk exposure or probability of failure across a wide range of risk factors. It takes into consideration a number of broad risk groups, including:
(a) Financial Strength
(b) Liquidity
(c) Credit Risk
(d) Market Risk
(e) AML/CFT and Financial Crime
(f) Conduct Risk
(g) Operational Risk
(h) Corporate Governance
(i) Internal Control System
(j) Business Model Risk
The combination of the risk and the impact will determine the level and intensity of supervision. Firms with higher ratings will be subject to higher supervisory intensity. Our supervisory oversight of these firms will entail more frequent and routine engagements and on-site visits to oversee the activities and developments in the firm. These engagements would typically involve discussions with the board and senior management, business and compliance heads, auditors and risk managers of the firm and, in the case of overseas financial Groups, its head office staff and home country regulators.
Whenever appropriate, we may inform the firm of the steps it needs to take in relation to specific risks. We then expect the firm to demonstrate that it has taken appropriate steps to mitigate these risks.
Where necessary, risk mitigation programmes may be developed for a firm in order to mitigate or remove identified areas of risk.
Our relationship with firms
In order to meet our objectives, we require an open, transparent and co-operative relationship with our regulated firms. We expect to establish and maintain an on-going dialogue with the firm's senior management in order to develop and sustain a thorough understanding of the firm's business, systems and controls and, through this relationship, to be aware of all areas of risk to our objectives.
We seek to reinforce the responsibilities of senior management for the risk oversight and governance of the firm's activities, to ensure financial soundness, fair dealing and compliance with regulatory standards.
We seek to maintain an up-to-date knowledge of a firm's business. However, a firm is also required to keep us informed of significant events, or anything related to the firm of which we would reasonably expect to be notified (as set out below).
Notifications to us
GEN 8.10 sets out the requirements on a firm to notify us of specified events, changes or circumstances a firm (other than a Representative Office) may encounter. The list of notifications outlined in GEN 8.10 is not exhaustive and there are other areas of the Rulebooks that also specify additional notification requirements. (See appendix A)
Co-operation with other regulators
We view co-operation with other regulators as an important component of our supervisory activities. Effective co-operation arrangements with other regulators will provide for prompt exchange of information in relation to supervision, investigation and enforcement matters. The information exchange may enhance, for example, our understanding of the operations of a firm's Group and the effect on our firm.
We may also exercise our powers for the purposes of assisting other regulators or agencies (see sections 215–217 of the FSMR).