Monetary Authority of Singapore Risk Management Practices Guidelines – Internal Controls: Overview and Summary of Requirements

• By: Staff Editor
• Date: March 01, 2013
• Source: Monetary Authority of Singapore

• Each regulated institution must possess Board-approved polices for careful management of business risks.
• These policies need to be consistent with the complexity and nature of the company’s activities.
• The institution must have a clear demarcation of responsibilities, accountability and roles for implementation of these policies.
• Implementation of policies is possible through establishment of necessary processes and procedures, which remain in procedural manuals.
• Deviation from procedures and policies warrant independent investigation.

• A regulated institution must implement a code of conduct to carry out its activities with integrity and prudence.
• This code of conduct needs to mention the institution’s ethical values and establish staff guidelines.
• Moreover, apart from general guidelines, each institution must form specific guidelines for functional area operations. These guidelines must extend to dealings between the institution and its frequent customers.
• There should be sufficient procedures, controls and policies in an institution for handling conflict of interest scenarios. Employees must disclose such conflicts on time.
• It is the responsibility of the institution to ensure that employees understand and stick to the code of conduct.

• Each regulated institution must define the levels and responsibilities of authority necessary for different kinds of exposures and activities.
• An institution must have sufficient monitoring methods to ensure proper authorization of activities.

• There must be sufficient duty segregation in an institution to protect against unauthorized transaction risk, data manipulation for irregularity concealment or personal profit, and economic losses.
• No single staff should have permission to control a complete transactional flow.

• Oversight of the audit function is the responsibility of an Audit Committee.
• The Board must make sure that the Audit Committee members are eligible to discharge their duties. The formalization and documentation of the Committee is necessary.
• The Audit Committee needs to fulfill its tasks in an impartial and objective manner.
• Auditors need to audit internal controls and the process of risk management on a regular basis.
• An increase in the frequency and scope of internal audits is acceptable in light of considerable weaknesses or if significant chances take place in the product lines, risk oversight method, internal controls, modeling procedures or risk profile.
• Senior management should accept timely audit reports to incorporate corrective actions.

• To highlight the compliance function’s importance, an institution must appoint senior staff to supervise compliance issues.

• It should be made mandatory by an institution for employees in risk management, risk control or risk-taking positions to avail a minimum of 5 consecutive business days as leave every year.
• Employees on mandatory leave must not have the permission to execute instructions, transact or perform their allotted duties during their leave.

• Complaints at regular intervals might indicate insufficient controls or non-compliance with present procedures.
• Steps must be taken by the institution to ensure handling of complaints in a prompt, fair and consistent manner.
• Prompt action must be taken by the institution to control weaknesses and rectify systems brought to attention through complaints.
• Senior management must address the complaints from the customer in an efficient manner.

• Compensation policies of an institution must draw and retain veteran staff. But incentives must not be inadvertently given for inappropriate tasks.

• Institutions must ensure that potential recruits pass adequate screening for honesty, professional qualifications, experience and integrity.

• Employees must possess knowledge regarding new products along with regulations and legislation changes. They should obtain adequate training to improve their effectiveness.

• Institutions should have clearly written, Board-approved policies on issues pertaining to customer handling and risk disclosures. These policies will help in decreasing the chances of contractual disputes or misunderstandings between customers and the institution.

• Regulated institutions must have active controls to ensure that closure and opening of accounts gain proper authorization.

• The responsibilities and duties of each party need to be given in the form of written agreements with counterparties and customers of an institution.

• Each regulated institution must possess sufficient controls over recordkeeping processes like accounting for both off- and on-balance sheet liabilities and assets.

• Institutions need to possess effective management information systems for efficient control and management of every facet of their operations.

• There must be sufficient physical controls for an institution’s cash-in-transit and place of business.

• An institution must clearly state in its procedures and policies whether after hours and off-premises trading are permissible.

• New product policies are necessary for the institution to properly assess inherent risks in new business activities or lines.

• Valuation of assets should be done in an independent and fair manner through clear procedures and policies.
• Each institution must possess controls and policies to handle risks cropping up from illiquid positions.
• Documentation of effective valuation and price methodologies is necessary for audit trail reasons.

• Every institution must have reconciliation and verification procedures for ascertaining transaction information and activities accuracy.
• Employees performing verification must remain independent of staff responsible for preparing data or originating transaction.

• Prompt transaction confirmation must be an integral part of an institution’s procedures and processes. This will help in timely detection of unauthorized transactions or transaction errors and deal authentication.

• Basic settlement instructions must be present in the institution’s systems. The Board must review changes to these instructions after proper authorization from counterparties or customers.

Additional Resources

Read the Monetary Authority of Singapore Risk Management Practices Guidelines – Internal Controls in full here.