17 CFR § 240.15c3-4 - Internal risk management control systems for OTC derivatives dealers.

§ 240.15c3-4 Internal risk management control systems for OTC derivatives dealers.

(a) An OTC derivatives dealer shall establish, document, and maintain a system of internal risk management controls to assist it in managing the risks associated with its business activities, including market, credit, leverage, liquidity, legal, and operational risks.

(b) An OTC derivatives dealer shall consider the following when adopting its internal control system guidelines, policies, and procedures:

(1) The ownership and governance structure of the OTC derivatives dealer;

(2) The composition of the governing body of the OTC derivatives dealer;

(3) The management philosophy of the OTC derivatives dealer;

(4) The scope and nature of established risk management guidelines;

(5) The scope and nature of the permissible OTC derivatives activities;

(6) The sophistication and experience of relevant trading, risk management, and internal audit personnel;

(7) The sophistication and functionality of information and reporting systems; and

(8) The scope and frequency of monitoring, reporting, and auditing activities.

(c) An OTC derivatives dealer's internal risk management control system shall include the following elements:

(1) A risk control unit that reports directly to senior management and is independent from business trading units;

(2) Separation of duties between personnel responsible for entering into a transaction and those responsible for recording the transaction in the books and records of the OTC derivatives dealer;

(3) Periodic reviews (which may be performed by internal audit staff) and annual reviews (which must be conducted by independent certified public accountants) of the OTC derivatives dealer's risk management systems;

(4) Definitions of risk, risk monitoring, and risk management; and

(5) Written guidelines, approved by the OTC derivatives dealer's governing body, that include and discuss the following:

(i) The OTC derivatives dealer's consideration of the elements in paragraph (b) of this section;

(ii) The scope, and the procedures for determining the scope, of authorized activities or any nonquantitative limitation on the scope of authorized activities;

(iii) Quantitative guidelines for managing the OTC derivatives dealer's overall risk exposure;

(iv) The type, scope, and frequency of reporting by management on risk exposures;

(v) The procedures for and the timing of the governing body's periodic review of the risk monitoring and risk management written guidelines, systems, and processes;

(vi) The process for monitoring risk independent of the business or trading units whose activities create the risks being monitored;

(vii) The performance of the risk management function by persons independent from or senior to the business or trading units whose activities create the risks;

(viii) The authority and resources of the groups or persons performing the risk monitoring and risk management functions;

(ix) The appropriate response by management when internal risk management guidelines have been exceeded;

(x) The procedures to monitor and address the risk that an OTC derivatives transaction contract will be unenforceable;

(xi) The procedures requiring the documentation of the principal terms of OTC derivatives transactions and other relevant information regarding such transactions;

(xii) The procedures authorizing specified employees to commit the OTC derivatives dealer to particular types of transactions;

(xiii) The procedures to prevent the OTC derivatives dealer from engaging in any securities transaction that is not permitted under § 240.15a–1; and

(xiv) The procedures to prevent the OTC derivatives dealer from improperly relying on the exceptions to § 240.15a–1(c) and § 240.15a–1(d), including the procedures to determine whether a counterparty is acting in the capacity of principal or agent.

(d) Management must periodically review, in accordance with written procedures, the OTC derivatives dealer's business activities for consistency with risk management guidelines including that:

(1) Risks arising from the OTC derivatives dealer's OTC derivatives activities are consistent with prescribed guidelines;

(2) Risk exposure guidelines for each business unit are appropriate for the business unit;

(3) The data necessary to conduct the risk monitoring and risk management function as well as the valuation process over the OTC derivatives dealer's portfolio of products is accessible on a timely basis and information systems are available to capture, monitor, analyze, and report relevant data;

(4) Procedures are in place to enable management to take action when internal risk management guidelines have been exceeded;

(5) Procedures are in place to monitor and address the risk that an OTC derivatives transaction contract will be unenforceable;

(6) Procedures are in place to identify and address any deficiencies in the operating systems and to contain the extent of losses arising from unidentified deficiencies;

(7) Procedures are in place to authorize specified employees to commit the OTC derivatives dealer to particular types of transactions, to specify any quantitative limits on such authority, and to provide for the oversight of their exercise of such authority;

(8) Procedures are in place to prevent the OTC derivatives dealer from engaging in any securities transaction that is not permitted under § 240.15a–1;

(9) Procedures are in place to prevent the OTC derivatives dealer from improperly relying on the exceptions to § 240.15a–1(c) and § 240.15a–1(d), including procedures to determine whether a counterparty is acting in the capacity of principal or agent;

(10) Procedures are in place to provide for adequate documentation of the principal terms of OTC derivatives transactions and other relevant information regarding such transactions;

(11) Personnel resources with appropriate expertise are committed to implementing the risk monitoring and risk management systems and processes; and

(12) Procedures are in place for the periodic internal and external review of the risk monitoring and risk management functions.

[63 FR 59400, Nov. 3, 1998]