A summary of the more relevant rules, in regard to IT, within the FCA handbooks.

The biggest takeaway is to get the compliance department onside: they are mandated to force through the budget! SYSC 6.4.1 is your friend in this regard.

System Security

SYSC 3.2.6 & SYSC 6.1.1 – A firm must take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements and standards under the regulatory system and for countering the risk that the firm might be used to further financial crime.

System & User Monitoring

SYSC 6.1.2 – A common platform firm and a management company must, taking into account the nature, scale and complexity of its business, and the nature and range of financial services and activities undertaken in the course of that business, establish, implement and maintain adequate policies and procedures designed to detect any risk of failure by the firm to comply with its obligations under the regulatory system, as well as associated risks, and put in place adequate measures and procedures designed to minimise such risks and to enable the appropriate regulator to exercise its powers effectively under the regulatory system and to enable any other competent authority to exercise its powers effectively under MiFID or the UCITS Directive.

SYSC 6.1.4 (1) – the compliance function must have the necessary authority, resources, expertise and access to all relevant information;

Disaster Recovery

SYSC 4.1.6 – A common platform firm must take reasonable steps to ensure continuity and regularity in the performance of its regulated activities. To this end the common platform firm must employ appropriate and proportionate systems, resources and procedures.

SYSC 4.1.8 – The matters dealt with in a business continuity policy should include:
      (1) resource requirements such as people, systems and other assets, and arrangements for obtaining these resources;
      (2) the recovery priorities for the firm’s operations;
      (3) communication arrangements for internal and external concerned parties (including the appropriate regulator, clients and the press);
      (4) escalation and invocation plans that outline the processes for implementing the business continuity plans, together with relevant contact information;
      (5) processes to validate the integrity of information affected by the disruption; and
      (6) regular testing of the business continuity policy in an appropriate and proportionate manner in accordance with SYSC 4.1.10 R.

File Archiving

SYSC 9.1.1 – A firm must arrange for orderly records to be kept of its business and internal organisation, including all services and transactions undertaken by it, which must be sufficient to enable the appropriate regulator or any other relevant competent authority under MiFID or the UCITS Directive to monitor the firm’s compliance with the requirements under the regulatory system, and in particular to ascertain that the firm has complied with all obligations with respect to clients.

SYSC 9.1.2 – A common platform firm must retain all records kept by it under this chapter in relation to its MiFID business for a period of at least five years.

Voice Recording

COBS 11.8.5 – A firm must take reasonable steps to record relevant telephone conversations, and keep a copy of relevant electronic communications, made with, sent from or received on equipment:
      (1) provided by the firm to an employee or contractor; or
      (2) the use of which by an employee or contractor has been sanctioned or permitted by the firm;

COBS 11.8.10 – A firm must take reasonable steps to retain all records made by it under COBS 11.8.5 R:
      (1) for a period of at least 6 months from the date the record was created;
      (2) in a medium that allows the storage of the information in a way accessible for future reference by the FCA, and so that the following conditions are met:
            (a) the FCA must be able to access the records readily;
            (b) it must be possible for any corrections or other amendments, and the contents of the records prior to such corrections and amendments, to be easily ascertained;
            (c) it must not be possible for the records to be otherwise manipulated or altered.