
About Internal Control Ltd

Governance, Risk and Compliance
We are a risk and compliance consultancy providing regulatory support to Intermediaries, Lenders and Consumer Credit firms who require assistance in preparing for authorisation with the FCA. Internal Control Ltd provide policy governance, risk management, compliance monitoring, controls assurance and audit services.

Three lines of defense and internal control

Many newly regulated firms struggle to understand the value of the three lines of defense; who can blame them, when many well-established organisations also struggle with the concept.

Most organisations realise that they have business objectives that they strive to achieve. In pursuit of these objectives, the organisation will encounter events and circumstances which may threaten the achievement of these objectives. These potential events and circumstances create risks that must be identified, analysed, reported and actioned.

The responsibilities of each of the “lines” are:

  • First line. Own and manage risk and control (front line operations).
  • Second line. Monitor risk and control in support of management (risk and compliance functions).
  • Third line. Provide independent assurance to the board and senior management reporting the effectiveness of risk and control framework (internal and external audit).

Each of the three lines plays a distinct role within the organisation’s governance framework. When each performs its role effectively, it is more likely that the organisation will be successful in achieving its overall objectives.

The first line of defense lies with the business and process owners whose activities create and/or manage the risks that can either support or prevent the achievement of an organisation’s objectives; it also includes assessing whether the organisation is taking the right risks. The first line owns the risk, together with the design and execution of the organisation’s controls to respond to those risks. These may be:

  • Front line operations
  • Risk and control owners

The second line is put in place to support management by bringing expertise, process excellence, and monitoring alongside the first line to help ensure that risk and control are effectively managed. The second line of defense functions are separate from the first line of defense but are still under the control and direction of senior management and typically perform some management functions.

These could be from the following:

  • Risk Management
  • Information Security
  • Financial Control
  • Quality assurance
  • Health and safety
  • Compliance
  • Legal

The third line provides assurance to senior management and the board that the efforts of both the first and second lines are in line with the expectations of the board of directors and senior management. The third line of defense should not perform management functions; this protects its objectivity and independence. In addition, the third line has a primary reporting line to the board. As such, the third line is an assurance function, not a management function, which separates it from the second line of defense.

This will normally be:

  • Internal Audit
  • External audit (can be considered where there is no internal audit in place)

Each of the three “lines” has a distinct role within the organisation’s wider governance framework, and when each performs its assigned role effectively, the likelihood of a significant control breakdown is reduced and business objectives can be achieved.

Surviving a Section 166 Skilled Person Report

A Section 166 skilled person report is one of the regulatory tools available to the PRA/FCA. It provides the regulator with an independent view of a firm’s operations and may be prompted by the regulator having a specific requirement for information from an authorised business.

Skilled person reports are clustered into ‘lots’ and listed into the following theme areas:

  • Lot 3 – Client Assets.
  • Lot 4 – Governance, controls and risk management.
  • Lot 5 – Conduct of business.
  • Lot 6 – Data and IT infrastructure.
  • Lot 7 – Financial Crime.
  • Lot 8 – Prudential – deposit takers and recognised clearing houses.
  • Lot 9 – Prudential – Insurance.
  • Lot 10 – Prudential – Investment firms, Intermediaries and recognised investment exchanges.

A panel of pre-selected firms has been approved to undertake skilled person reports for each ‘lot’; these include lawyers, accountants, compliance consultants and other appropriate industry experts. The panel of providers was developed to ensure that a consistent approach is taken to complete each report.

If the regulator believes that an authorised firm has contravened a requirement in the rules, the regulator can either:

  • Require the authorised firm to appoint a skilled person to produce the report, or
  • Appoint a skilled person itself from the appropriate panel.

The target firm of the report may be the authorised firm or its Appointed Representatives, and the scope of review can include activities which are not regulated. The Supervision manual (SUP5) explains the appointment and reporting process, as well as the duties and responsibilities of the authorised firm subject to review.

What can trigger a skilled person report?

  • Where the regulator needs to gather certain information to form an opinion.
  • Concerns identified following a supervisory visit.
  • Concerns triggered following a thematic review.
  • As a result of a development or incident at the firm.
  • From information provided by the firm.
  • Regulatory reporting.

A few good reasons to avoid a skilled person report:

  • They are very expensive.
  • They can cause severe business disruption.
  • Can create closer attention from the regulator.
  • May trigger enforcement action.
  • Can cause reputational damage.

How to avoid a skilled person report:

  • Ensure a robust compliance framework is in place and operating effectively.
  • Provide staff with an appropriate program of training.
  • Enhance monitoring processes to identify issues early.
  • Ensure regulatory reporting is concise, timely and accurate.
  • Keep thorough records that evidence conformance with the regulatory rules.
  • Ensure your conduct management information evidences that you are ‘treating your customers fairly’.

Further information can be found in the Financial Services and Markets Act 2000 (as amended by FSMA 2012); sections 165 to 177 cover all the requirements applicable to skilled person reports.

Appointed Representatives

This post is aimed at firms that either hold Interim Permissions or have recently received full authorisation, and are considering entering the Appointed Representative regime either as a Principal firm or as an Appointed Representative.

Responsibility and accountability – All firms thinking of taking on Appointed Representatives must remember that they (as the Principal) are fully accountable and responsible for all sales undertaken by the Appointed Representative (AR); this also applies to Introducer Appointed Representatives (IARs). This is not an easy option or a way of avoiding regulation.

The framework – An Appointed Representative (AR) is a firm that carries on regulated activities under the supervision of another firm that is directly authorised as the Principal. An Introducer Appointed Representative (IAR) is only authorised to introduce customers to the Principal and may, with permission, be allowed to distribute non-real time financial promotions under the guidance and supervision of the Principal.

Appointed Representative responsibilities – An AR is a person/firm that is party to a contract with an authorised firm permitting it to carry on certain regulated activities, such as selling products where the Principal has the appropriate permissions. The AR must:

  • Understand and comply with the regulations.
  • Provide the Principal firm with access to staff, records and premises to enable the Principal to carry out its responsibilities.
  • Notify the Principal firm of any breaches of rules or policies the Principal firm has put in place.
  • Provide relevant management information as defined in the contract or as and when requested by the Principal firm.

The Principal firm’s responsibility – The Principal is the authorised and regulated entity that permits an AR/IAR to carry on regulated activities.

The Principal must have adequate controls and resource in place at all times to ensure the ARs are fully compliant and appropriately monitored. Remember that the Principal firm is responsible for the actions of the ARs and IARs within its network. The following are some of the key areas the Principal firm is responsible for:

  • Maintain contracts with each Appointed Representative that clearly explain the responsibilities of both sides.
  • Monitor compliance within each Appointed Representative; this should be risk based.
  • Supervise each Appointed Representative, ensuring management information can identify any trends.
  • Notify the FCA immediately via the online ‘Connect’ system of any new ARs or any terminated ARs exiting the business.
  • Ensure Appointed Representatives are competent to perform their tasks, and maintain records that evidence that the Training and Competence scheme is operating effectively.
  • Ensure AR complaints are reported and monitored effectively.
  • Embed policies and procedures that enable Appointed Representatives to understand how to meet their regulatory requirements.
  • Ensure Gabriel reporting is timely and includes all AR relevant data.

Understanding the FCA’s systems and controls rulebook

The Systems and Controls rulebook can mean different things for different firms, depending on the scale and nature of your business, as the rules have to be appropriate to each business, as detailed in rule 3.1:

A firm must take reasonable care to establish and maintain such systems and controls as are appropriate to its business.

To help a firm fully understand the requirements, it may in some cases be better to start with rules later in the rulebook, such as rule 14.1.27:

A firm must take reasonable steps to establish and maintain adequate internal controls. These will vary from firm to firm, but controls must be established to help the firm meet the following business objectives:

  1. Safeguarding assets of the firm as well as identifying and managing liabilities.
  2. Maintaining efficiency and effectiveness of operations.
  3. Ensuring the reliability and completeness of all accounting, financial and management information.
  4. Ensuring compliance with internal policies and all applicable laws and regulations.
  5. It may be a good idea to add a couple more (treatment of customers and staff competency spring to mind).

A firm must then consider the risks and potential risks that prevent the business meeting its objectives, and the extent to which controls are required to mitigate these risks. Remember that controls will need to be implemented to cover every risk, so this can become quite a big exercise.

Now to my favourite SYSC rule, 4.1.1:

A firm must have robust governance arrangements, which include a clear organisation structure, with well defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks it is or might be exposed to, and internal control mechanisms, including sound administrative and accounting procedures and effective control and safeguard arrangements for information processing systems.

Another key rule that you must consider when building your framework is 6.1.1, compliance:

A firm must establish and maintain adequate policies and procedures sufficient to ensure compliance of the firm including its managers, employees and appointed representatives (or where applicable tied agents) with its obligations under the regulatory system and for countering the risk that the firm may be used to further financial crime.

By establishing a framework based around your firm’s objectives, undertaking a thorough risk assessment, and establishing controls, policies and procedures to mitigate these risks, you will be well on the way to developing a framework that meets rules 4.1.1 and 6.1.1.

Policies and procedures will need to be established and maintained to meet the following chapters of the systems and controls rulebook and align to rule 3.1.

  • Organisation
  • Apportionment
  • Oversight and establishment of appropriate systems and controls
  • Areas covered by systems and controls (including Financial Crime, Committees, Management Information, Business Continuity and Information Security)
  • Skill, knowledge and expertise
  • Compliance audit and financial crime
  • Risk control
  • Outsourcing
  • Conflicts of interest
  • Remuneration
  • Whistleblowing

The Systems and Controls rulebook has broad implications for many regulated firms; this post is intended to help firms new to regulation understand how to establish a framework that is appropriate to their organisation.

Regulatory Reporting

If you are currently an FCA interim permission business, or you have recently received full authorisation (full and limited permissions), you need to be aware of the ongoing regulatory reporting requirements.

This post should be of interest to consumer credit lenders, brokers, debt administration, debt collectors, car finance, hires and MCD secured mortgage lenders and brokers.

Once you become fully authorised by the FCA they require you to begin reporting information online on a regular basis, every six months or annually depending on the nature and size of your business.

The FCA uses this information to calculate annual fees and to support its supervisory work. Beware: there are fines and potential enforcement action for late returns.

There are three key areas to consider:

1. Connect – is the online system firms use to complete and submit FCA applications. Once you receive your full permissions, you need to use your firm’s approved person’s IRN (individual reference number) or registration key to register and access the full Connect system. Once you have registered, the system allows for the following changes:

– Approved Persons
– Variation of Permissions
– Cancellations
– Standing Data
– Appointed Representatives

2. Gabriel – is the online reporting system which firms must use to submit regulatory reporting data. The reporting requirements are subject to strict time limits. If firms do not meet these time limits, they will be charged an administrative fee of £250. If a firm does not submit the information required, the FCA may take enforcement action, which can mean the firm loses its permission to carry out regulated activity.

When your firm receives full authorisation you will need to register as a new user on Gabriel; the system will display the reporting schedules for your firm, and there is a helpful (essential) 55 minute training session available to help new users.

Depending on the firm’s permissions, you will need to report relevant data on the following returns (limited permission firms only report on CCR007):

– Financial data (CCR001)
– Volumes (CCR002)
– Lenders (CCR003)
– Debt Management (CCR004)
– Client Money and Assets (CCR005)
– Debt Collection (CCR006)
– Key Data (CCR007)
(note product sales data PSD will not be required till after March 2017)

3. Invoicing – Online invoicing gives you access to your fees account and payment history:

– Access to your fee account online
– Immediate email notification of your invoices and credit notes.
– Ability to track three years history
– Facility to query invoices online
– Reminder letters
– Fee tariff request reminders

Regulatory Reporting has broad implications for all regulated firms; this post is intended to help Consumer Credit and MCD second charge firms understand the key changes that they will need to incorporate into their day to day activities.

If you require further information on Regulatory Reporting please contact Gordon Docherty at Internal Control Ltd on 07597 386728, or visit the website www.internalcontrol.co.uk

Mortgage Credit Directive

The FCA recently released Policy Statement 15/9 ‘Implementing the Mortgage Credit Directive and the new regime for second charge mortgages’. This paper looks at the main points which second charge brokers need to focus their attention on as part of their preparation for authorisation and in order to meet the MCOB rulebook.

Training and Competence – Most businesses are aware that they will need to ensure that their Advisers gain a professional qualification and that they will have a two year extension (March 2019) to gain this, but they must also consider how they evidence that their staff meet the minimum levels of competence from March 2016. The minimum levels are:

– knowledge of MCD credit agreements and any ancillary services offered by the firm with them.
– knowledge of the laws relating to MCD credit agreements for consumers (in particular, consumer protection).
– knowledge and understanding of the property purchasing process.
– knowledge of security valuation.
– knowledge of the organisation and functioning of land registers.
– knowledge of the market.
– knowledge of business ethics standards.
– knowledge of the process of assessing a consumer’s creditworthiness.
– level of financial and economic competency.

Advising and Selling standards – The MCOB rulebooks have been updated to include the MCD requirements:

Disclosure – Customers must receive relevant disclosures from the outset, and before any intermediation activity has been carried out. These must include:

– Any fees payable and if refundable.
– Any commissions received and whether third parties receive commission payments.
– The exact amount of commission.
– Access to the market.
– Limitation of service (if limited to only first or second charge).
– Other disclosures should also be made at the outset: FOS, FSCS, regulatory status and complaints procedure.
– Alternative Finance Options – Secured second charge firms must make customers aware that there may be alternative options, such as a further advance or remortgage, which may be more appropriate for their circumstances.

Adequate Explanation – A business must make available clear and comprehensible information about MCD regulated mortgage contracts. This must be on paper or another durable medium or in electronic format to help customers understand the items relating to the transaction. PS 15/9 provides more information on these requirements.

Suitability – The requirement is to provide and maintain a written statement for customer suitability. This must be provided in a durable medium.

Option to pay fees – Customers must be provided with the option to pay fees separately from the mortgage payment.

European Standardised Information Sheet (ESIS) – A firm must provide the customer with an ESIS for an MCD regulated mortgage contract before the consumer submits an application to a mortgage lender. The ESIS is a standard format and must be provided with all the relevant sections complete. PS 15/9 provides the requirements.

Approved Persons – A business must appoint a person performing a governing function to take responsibility for MCD credit intermediation activity. This means that an Approved Person must have MCD apportioned against their name on the Financial Services Register and be accountable for implementation of the MCD requirements in their business.

Remuneration – An MCD mortgage credit intermediary must not remunerate its members of staff or appointed representatives in a way that impedes the MCD mortgage credit intermediary from complying with the rules.

Professional Indemnity Insurance – Any firm which is advising on or arranging second charge regulated mortgage contracts is exempt from the requirement to hold PII. Any business that transacts MCD mortgage credit intermediation and regulated mortgage contracts will fall under the requirements to have PII in place. See PS 15/9 for the relevant levels.

Financial Services Compensation Scheme – The FSCS was not applicable under consumer credit legislation but will be under the MCD. This will be included in the annual fees payable by regulated firms and will require relevant customer disclosures at the outset.

Retail Mediation Activities Report – The RMAR regulatory reporting requirements for secured second charge intermediation will be for training & competence and profit & loss disclosures only.

Financial Promotions – New rules require that promotions must identify that the business is either a lender or a broker and a firm must make an adequate record of each non-real time financial promotion of qualifying credit, which it has confirmed as complying with the rules in chapter 3. The record must be retained for a year from the date at which the financial promotion was last communicated.

The Mortgage Credit Directive has broad implications for many regulated firms; this post is intended to help second charge brokers understand the key changes that they will need to incorporate into their day to day activities.

If you require further information on the Mortgage Credit Directive please contact Gordon Docherty at Internal Control Ltd on 07597 386728, or visit the website www.internalcontrol.co.uk

Seven steps to compliance

I have been asked on a couple of occasions recently what the requirements for a compliance function are; a strange question, because it was raised by regulated firms.

The firm’s governing body has overall responsibility for compliance, and it must communicate its core values through policies and training. The governing body and senior managers should work with the compliance function to drive the culture and embed a framework of compliance throughout the business; the following seven steps may help.

1. Identify the regulations that you must comply with and undertake a risk assessment against each applicable regulation.

This may include:

  • Financial Conduct Authority
  • Data Protection Act
  • Money Laundering Regulations
  • Health and Safety
  • Advertising standards

The risk assessment must identify the inherent and residual risk, and consider the impact and probability before and after the establishment of your controls. Remember this is a living tool and must be revisited regularly.

2. Create procedures for staff to follow. This includes developing a number of key controls to reduce the impact and probability of your identified risks.

  • Procedures should have an owner and be kept up to date and version controlled. These should be made available to all staff.
  • Key controls should be identified, documented and assigned a control owner.

3. Assess your controls to ensure that there are no gaps and that they are designed and operating effectively and develop a monitoring process to test whether they continue to operate as designed.
4. Create a compliance manual with all of your procedures, policies and guidelines for staff to follow. This should notify staff of their responsibilities and escalation procedures should they identify incidents or breaches of the regulatory system. The compliance function is there to provide your business with support and advice.
5. Train your staff on relevant regulatory matters. Make sure training is developed in line with your business needs and also covers your legal and regulatory obligations.
6. Carry out regular audits and assessments to ensure that you are still compliant and that your controls continue to meet the requirements. Report findings to relevant risk, compliance or audit committees.
7. Use Management Information and record keeping to demonstrate your compliance with the rules, and ensure your key risk indicators (KRIs) identify and monitor trends. Make sure your records are maintained in line with systems and controls record keeping requirements.

Social media marketing

The FCA has published its guidance on financial promotions in social media. This follows detailed engagement and consultation with the industry.

All communications that fail to be ‘fair, clear and not misleading’ can pose a risk, as they could lead consumers to buy the wrong product – ultimately with unhappy outcomes for them and for firms. See the FCA paper on social media for details.

Approved Persons

Consumer Credit firms new to regulation face a dilemma: how do their approved persons meet the Code of Practice requirements and the Statements of Principle?

Over 50,000 firms new to regulation will need to consider whether they need to implement new procedures to ensure that senior management who need to seek approval as approved persons meet the criteria in the FIT rulebook.

Under the Financial Services and Markets Act 2000, the FCA may approve an individual only where it is satisfied that a candidate is fit and proper to perform the controlled function(s) applied for. The FCA’s main criteria for this assessment are:

– honesty, integrity and reputation;
– competence and capability;
– financial soundness.

Before a firm submits an approved persons application to the FCA, it should already have undertaken sufficient checks to satisfy the criteria, remembering that it is the firm that completes the candidate’s application and the firm that must sign the application declaration, which reads:

In making this application the firm believes on the basis of due and diligent enquiry that the candidate is a fit and proper person to perform the controlled function(s) listed in section 3. The firm also believes, on the basis of due and diligent enquiry, that the candidate is competent to fulfil the duties required in the performance of such function(s).

Being an approved person brings with it a number of important responsibilities, including a duty to be aware of and comply with FCA regulatory requirements and expectations, and to understand how they apply to the day to day exercise of controlled functions. Approved Persons must:

  • Meet and comply on an ongoing basis with the FCA’s Fit and Proper test for Approved Persons;
  • Comply with the Statements of Principle and the Code of Practice for Approved Persons set out in the APER rulebook. The Statements of Principle describe the conduct that the FCA requires and expects of the individuals it approves;
  • Report internally within your own business, and notify the FCA of, any matter that may impact on their ongoing fitness and propriety.

Statements of principle

Principle 1
An approved person must act with integrity in carrying out his accountable functions.

Principle 2
An approved person must act with due skill, care and diligence in carrying out his accountable functions.

Principle 3
An approved person must observe proper standards of market conduct in carrying out his accountable functions.

Principle 4
An approved person must deal with the FCA, the PRA and other regulators in an open and cooperative way and must disclose appropriately any information of which the FCA or the PRA would reasonably expect notice.

Principle 5
An approved person performing an accountable significant-influence function must take reasonable steps to ensure that the business of the firm for which he is responsible in his accountable function is organised so that it can be controlled effectively.

Principle 6
An approved person performing an accountable significant-influence function must exercise due skill, care and diligence in managing the business of the firm for which he is responsible in his accountable function.

Principle 7
An approved person performing an accountable significant-influence function must take reasonable steps to ensure that the business of the firm for which he is responsible in his accountable function complies with the relevant requirements and standards of the regulatory system.

If you are affected by the approved persons regime ask yourself the following key questions:

Question 1. Have your approved persons been trained on the requirements and responsibilities under the approved persons regime?

Question 2. Have you undertaken sufficient checks on your senior management to know that they meet the main assessment criteria in FIT?

Question 3. Have you implemented processes for reporting changes to approved persons personal circumstances and are reporting processes in place to notify the regulator?

Question 4. Are approved persons responsibilities clearly defined in job descriptions?

Question 5. Do approved persons know which control function they have been apportioned?

Question 6. Are records of apportionment maintained in line with Systems and Controls requirements?

Remember, approval must be obtained before a person can perform a controlled function, and if a proposed candidate does not gain approval they will not be able to continue with the role. See the Approved Person slide for further details.