
Understanding the FCA’s systems and controls rulebook

The Systems and Controls rulebook can mean different things for different firms, depending on the scale and nature of the business, because the rules have to be appropriate to each business, as detailed in rule 3.1:

A firm must take reasonable care to establish and maintain such systems and controls as are appropriate to its business.

To help a firm fully understand the requirements, it may in some cases be better to start with rules later in the rulebook. Rule 14.1.27:

A firm must take reasonable steps to establish and maintain adequate internal controls. These will vary from firm to firm, but controls must be established to help the firm meet the following business objectives:

  1. Safeguarding assets of the firm as well as identifying and managing liabilities.
  2. Maintaining efficiency and effectiveness of operations.
  3. Ensuring the reliability and completeness of all accounting, financial and management information.
  4. Ensuring compliance with internal policies and all applicable laws and regulations.
  5. It may be a good idea to add a couple more (treatment of customers and staff competency spring to mind).

A firm must then consider the risks and potential risks that could prevent the business from meeting its objectives, and the extent to which controls are required to mitigate these risks. Remember, controls will need to be implemented to cover every risk, so this can become quite a big exercise.

Now to my favourite SYSC rule, 4.1.1.

A firm must have robust governance arrangements, which include a clear organisation structure, with well defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks it is or might be exposed to, and internal control mechanisms, including sound administrative and accounting procedures and effective control and safeguard arrangements for information processing systems.

Another key rule that you must consider when building your framework is 6.1.1, on compliance.

A firm must establish and maintain adequate policies and procedures sufficient to ensure compliance of the firm, including its managers, employees and appointed representatives (or, where applicable, tied agents), with its obligations under the regulatory system and for countering the risk that the firm may be used to further financial crime.

By establishing a framework based around your firm's objectives, undertaking a thorough risk assessment, and establishing controls, policies and procedures to mitigate these risks, you will be well on the way to developing a framework that meets rules 4.1.1 and 6.1.1.

Policies and procedures will need to be established and maintained to meet the following chapters of the systems and controls rulebook and align to rule 3.1.

  • Organisation
  • Apportionment
  • Oversight and establishment of appropriate systems and controls
  • Areas covered by systems and controls (including Financial Crime, Committees, Management Information, Business Continuity and Information security)
  • Skill, knowledge and expertise
  • Compliance audit and financial crime
  • Risk control
  • Outsourcing
  • Conflicts of interest
  • Remuneration
  • Whistleblowing


The Systems and Controls rulebook has broad implications for many regulated firms. This post is intended to help firms new to regulation understand how to establish a framework that is appropriate to their organisation.