CREDS 2
Senior management arrangements, systems and controls
CREDS 2.1
Application and purpose
- 08/01/2012
Application
CREDS 2.1.1
- 08/01/2012
Purpose
CREDS 2.1.2
- 08/01/2012
CREDS 2.1.3
- 08/01/2012
CREDS 2.1.4
The purposes of SYSC, which applies to all credit unions, are:
- (1) to encourage directors and senior managers to take appropriate practical responsibility for the arrangements that all firms must put in place on matters likely to be of interest to the FSA because they impinge on the FSA's function under the Act;
- (2) to reinforce Principle 3, under which all firms must take reasonable care to organise and control their affairs responsibly and effectively with adequate risk management systems;
- (3) to encourage all firms to vest responsibility for effective and responsible organisation in specific directors and senior managers.
- 08/01/2012
CREDS 2.2
General provisions
- 08/01/2012
Appropriate systems and controls
CREDS 2.2.1
- 08/01/2012
CREDS 2.2.2
- 08/01/2012
CREDS 2.2.3
- 08/01/2012
Business plan
CREDS 2.2.4
- 08/01/2012
CREDS 2.2.5
- 08/01/2012
Policies and procedures manual
CREDS 2.2.6
- 08/01/2012
CREDS 2.2.7
- 08/01/2012
System of control
CREDS 2.2.8
- 08/01/2012
CREDS 2.2.9
- 08/01/2012
Internal audit function
CREDS 2.2.10
- (1) A credit union must have an internal audit function (this may be either in-house or outsourced to a third party).
- (2) Contravention of (1) may be relied on as tending to establish contravention of SYSC 4.1.1 R (see CREDS 2.2.1 G).
- 08/01/2012
CREDS 2.2.11
- (1) The term 'internal audit function' in CREDS 2.2.10 E refers to the generally understood concept of internal audit within a firm, in other words the function of assessing adherence to and the effectiveness of internal systems and controls, procedures and policies. The internal audit function is not a controlled function itself, but is part of the systems and controls function (CF28).
- (2) Guidance on internal audit is given in CREDS 2.2.40 G to CREDS 2.2.50 G.
- 08/01/2012
Segregation of duties
CREDS 2.2.12
- 08/01/2012
CREDS 2.2.13
- 08/01/2012
Committee of management
CREDS 2.2.14
- 08/01/2012
CREDS 2.2.15
- 08/01/2012
CREDS 2.2.16
- (1) As the credit union's governing body, the committee of management has responsibility for ensuring that the credit union complies with the requirements of SYSC 4.1.1 R (see CREDS 2.2.1 G and CREDS 2.2.2 G). So, the committee of management has overall responsibility for:
- (a) establishing objectives and formulating a business plan;
- (b) monitoring the financial position of the credit union;
- (c) determining and documenting policies and procedures;
- (d) directing and coordinating the work of all employees and volunteers, and ensuring that they are capable and properly trained;
- (e) maintaining adequate reserves;
- (f) making provision for bad and doubtful debts;
- (g) recommending a dividend on shares to members subject to the credit union's financial position;
- (h) ensuring that the credit union complies with all statutory and regulatory requirements; and
- (i) ensuring that the credit union complies with the requirements of its registered rules.
- (2) Where a committee of management has responsibility for these matters on a day-to-day basis (that is, they are not delegated to a chief executive or manager) it seems highly likely that each member of the committee would be performing the apportionment and oversight function, and would therefore require individual approval.
- 08/01/2012
CREDS 2.2.17
- 08/01/2012
Organisation
CREDS 2.2.18
- 08/01/2012
CREDS 2.2.19
- 08/01/2012
Documentation of systems of control
CREDS 2.2.20
- 08/01/2012
CREDS 2.2.21
- (1) The committee of management should decide what form this documentation should take, but the committee should have in mind the following points.
- (a) Documents should be comprehensive: they should cover all material aspects of the operations of the credit union.
- (b) Documents should be integrated: separate elements of the system should be cross-referred so that the system can be viewed as a whole.
- (c) Documents should identify risks and the controls established to manage those risks. The controls should be identified and their purpose defined so that their effectiveness can be evaluated.
- (d) There should be named persons or posts for each control function and alternatives in case of absence.
- (e) Documents should state how the operation of the control is evidenced. Evidence might include signatures, records and registers. Documents should also state for how long that evidence is to be retained, taking account of SYSC 9.1.
- (f) Documents should be unambiguous. Instructions should be clear and precise, avoiding expressions such as "normally" and "if possible".
- (g) Documents should be practical and easy to consult and use when operating and reviewing systems.
- (h) Documents should be up to date. There should be an accurate description of the function that the control is to address. When changes are made to the function, the appropriate systems of control need to be updated and documented at the same time.
- (2) The committee of management should, from time to time, seek confirmation that the systems of control are being complied with.
- 08/01/2012
CREDS 2.2.22
Documentation should not be restricted to "lower level" controls applied in processing transactions, but should also cover "high level" controls including:
- (1) identifying those powers to be exercised only by the committee of management, and the powers delegated to others;
- (2) the purpose, composition and reporting lines of sub-committees, and senior managers to whom responsibilities are delegated;
- (3) the specific roles and responsibilities of individual officers;
- (4) the timing, form and purpose of meetings of the committee of management and sub-committees, and the way in which policies and decisions are recorded and their implementation monitored.
- 08/01/2012
CREDS 2.2.23
- 08/01/2012
Accounting records and systems
CREDS 2.2.24
- 08/01/2012
CREDS 2.2.25
- 08/01/2012
CREDS 2.2.26
The main reasons why a credit union should maintain adequate accounting and other records are:
- (1) to provide the committee of management with adequate financial and other information to enable it to conduct its business in a prudent manner on a day-to-day basis;
- (2) to safeguard the assets of the credit union and the interests of members and persons too young to be members;
- (3) to assist officers of the credit union to fulfil their regulatory and statutory duties in relation to the preparation of annual accounts;
- (4) to provide the committee of management with sufficient timely and accurate information to assist them to submit the information required or requested by the FSA.
- 08/01/2012
CREDS 2.2.27
When forming their opinion of whether the accounting and other records are adequate, the committee of management should satisfy itself that they capture and record on a timely basis, and in an orderly fashion, every transaction. The accounting and other records should provide sufficient information in respect of each transaction to explain:
- (1) its nature and purpose;
- (2) the asset or liability, actual and contingent, which arises (or may arise) from it;
- (3) the income or expenditure, current and deferred, which arises from it.
- 08/01/2012
CREDS 2.2.28
- 08/01/2012
The compliance function
CREDS 2.2.29
- (1) Depending on the nature, scale and complexity of its business, it may be appropriate for a credit union to have a separate compliance function.
- (2) The organisation and responsibilities of a compliance function should be documented.
- (3) A compliance function should be staffed by an appropriate number of competent staff who are sufficiently independent to perform their duties objectively. It should be adequately resourced and should have unrestricted access to the credit union's relevant records as well as ultimate recourse to its governing body.
- 08/01/2012
CREDS 2.2.30
Guidance on compliance is located in SYSC 6.1.3 R.
[Note: As explained in SYSC 1 Annex 1.3.3G, SYSC 6.1.3 R is to be read as guidance rather than as a rule, and as if "should" appeared in that provision instead of "must".]
- 08/01/2012
CREDS 2.2.31
Some important compliance issues include:
- (1) insurance against fraud and dishonesty;
- (2) arrangements for the prevention, detection and reporting of money laundering;
- (3) establishing and maintaining a satisfactory system of control;
- (4) keeping proper books of account;
- (5) computation and application of profits;
- (6) investment of surplus funds;
- (7) capital requirements;
- (8) liquidity requirements;
- (9) limits on shares and loans;
- (10) maintenance of membership records;
- (11) submission of financial reports to the regulator;
- (12) approved persons regime;
- (13) payment of regulatory fees.
- 08/01/2012
Management information
CREDS 2.2.32
Guidance on management information is located in SYSC 7.1.4 R.
[Note: As explained in SYSC 1 Annex 1.3.3G, SYSC 7.1.4 R is to be read as guidance rather than as a rule, and as if "should" appeared in that provision instead of "must".]
- 08/01/2012
CREDS 2.2.33
- 08/01/2012
CREDS 2.2.34
The committee of management should be satisfied that:
- (1) the information available is sufficient for the proper assessment of the potential risks for the credit union, and in order to determine its need for capital and liquidity;
- (2) the information available is sufficiently comprehensive to provide a clear statement of the performance and financial position of the credit union;
- (3) management information reports are prepared with sufficient frequency;
- (4) sufficient attention is focused on key factors affecting income and expenditure and that appropriate performance indicators are employed;
- (5) actual performance is compared with planned and previous performance.
- 08/01/2012
CREDS 2.2.35
In forming a view on whether the management information system is sufficiently comprehensive, the committee of management should consider whether, where relevant, the substance of reports provides a clear statement of:
- (1) the capital position;
- (2) the liquidity position;
- (3) profits and losses, assets and liabilities, and flow of funds;
- (4) loans, arrears, and provisions.
- 08/01/2012
CREDS 2.2.36
- 08/01/2012
Information for the FSA
CREDS 2.2.37
- 08/01/2012
Personnel
CREDS 2.2.38
- 08/01/2012
CREDS 2.2.39
- 08/01/2012
Internal Audit
CREDS 2.2.40
- 08/01/2012
CREDS 2.2.41
- 08/01/2012
CREDS 2.2.42
- 08/01/2012
CREDS 2.2.43
The purposes of an internal audit are:
- (1) to ensure that the policies and procedures of the credit union are followed;
- (2) to provide the committee of management with a continuous appraisal of the overall effectiveness of the control systems, including proposed changes;
- (3) to recommend improvements where desirable or necessary;
- (4) to determine whether the internal controls established by the committee of management are being maintained properly and operated as laid down in the policy, and comply with relevant Acts, secondary legislation, rules, policies and procedures;
- (5) to ensure that accounting records are prepared promptly and accurately, and that they are in order;
- (6) to assess whether financial and operating information supplied to the committee of management is accurate, pertinent, timely, and complete.
- 08/01/2012
CREDS 2.2.44
- 08/01/2012
CREDS 2.2.45
The internal audit work programme should include items such as:
- (1) verification of cash (counting and reconciliation) without prior notification;
- (2) bank reconciliation (checking records against bank statements);
- (3) verification of passbooks or account statements;
- (4) checking for compliance with policies and procedures;
- (5) checking for compliance with relevant Acts, secondary legislation and rules;
- (6) checking minutes and reports of the committee of management and other sub-committees for compliance, and assessing regularity and completeness;
- (7) checking loan applications;
- (8) verification of the credit union's assets and investments.
- 08/01/2012
CREDS 2.2.46
The key elements of a satisfactory system of internal audit include the following:
- (1) Terms of reference. These should be specified with precision and include, amongst other things, scope and objectives of the audit committee and the internal audit function (see CREDS 2.2.11G), access to records, powers to obtain information and explanations for officers, and reporting requirements. These should be approved by the committee of management.
- (2) Risk analysis. Key risks in each area of the credit union's business should be identified. The adequacy of the specific controls put in place to address those risks should be assessed.
- (3) Internal audit plan. This should be developed on the basis of the risk analysis.
- (4) Detailed programmes. These should be based on the internal audit plan, together with the controls and their objectives specified in the control documentation. Each programme should be comprehensive, specifying the frequency with which the various parts of the programme are to be carried out and how the work is to be performed.
- (5) Working papers. These should be maintained to evidence who performed the work, how it was controlled and supervised, and to record the conclusions reached. They should be cross referenced to reports made and action taken.
- (6) System of reporting. Formal reports should be submitted at the completion of each aspect of programmed work, stating the areas covered together with any recommendations and conclusions reached.
- 08/01/2012
CREDS 2.2.47
- 08/01/2012
CREDS 2.2.48
- 08/01/2012
CREDS 2.2.49
- 08/01/2012
CREDS 2.2.50
The committee of management should be satisfied that the internal audit function (see CREDS 2.2.11 G) is being properly carried out. In order to review the overall effectiveness of the internal audit function it should consider the following:
- (1) the adequacy and scope of planning;
- (2) the adequacy and scope of work performed in relation to the plans and programmes;
- (3) the regularity and level of reporting on matters arising from the inspections;
- (4) the disposal of points and recommendations raised, and reasons for the rejection of any major points;
- (5) a review of the overall effectiveness of the internal audit function.
- 08/01/2012
Business planning
CREDS 2.2.51
- 08/01/2012
CREDS 2.2.52
- 08/01/2012
CREDS 2.2.53
Guidance on business strategy is located in SYSC 6.1.2 R and SYSC 7.1.2 R.
[Note: As explained in SYSC 1 Annex 1.3.3G, SYSC 6.1.2 R and SYSC 7.1.2 R are to be read as guidance rather than as rules, and as if "should" appeared in those provisions instead of "must".]
- 08/01/2012
CREDS 2.2.54
- 08/01/2012
CREDS 2.2.55
- 08/01/2012
CREDS 2.2.56
- 08/01/2012
CREDS 2.2.57
- 08/01/2012
CREDS 2.2.58
- 08/01/2012
Documentation of policies and procedures
CREDS 2.2.59
- 08/01/2012
CREDS 2.2.60
- 08/01/2012
CREDS 2.2.61
The policy and procedures manual should cover all aspects of the credit union's operations, including matters such as:
- (1) cash handling and disbursements;
- (2) collection procedures;
- (3) lending, including large exposures (see CREDS 7.1 to CREDS 7.5);
- (4) arrears management (see CREDS 7.2.9 G to CREDS 7.2.10 G);
- (5) provisioning (see CREDS 7.5);
- (6) liquidity management (see CREDS 6);
- (7) financial risk management (see CREDS 3);
- (8) money laundering prevention (see SYSC 6.3);
- (9) internal audit (see CREDS 2.2.40 G to CREDS 2.2.50 G);
- (10) information technology (see CREDS 2.2.23 G);
- (11) business continuity, otherwise known as disaster recovery (see CREDS 2.2.62 G to CREDS 2.2.64 G);
- (12) marketing;
- (13) training;
- (14) connected persons and managing conflicts of interest (see CREDS 2.2.19 G);
- (15) complaints handling (see DISP 1).
- 08/01/2012
Business continuity
CREDS 2.2.62
Guidance on business continuity is located in SYSC 4.1.6R to SYSC 4.1.8 G.
[Note: As explained in SYSC 1 Annex 1.3.3G, SYSC 4.1.6R is to be read as guidance rather than as a rule, and as if "should" appeared in that provision instead of "must".]
- 08/01/2012
CREDS 2.2.63
- 08/01/2012
CREDS 2.2.64
- 08/01/2012