What you need to know about Singapore’s Individual Accountability and Conduct (IAC) guidelines
When did IAC come into effect?
The IAC guidelines came into effect on 10 September 2021.
What organisations are affected by IAC?
The guidelines currently apply to all financial institutions regulated by the Monetary Authority of Singapore (MAS), with a few key exclusions:
- An exempt financial adviser
- An exempt corporate finance adviser
- An exempt trust business
- An exempt over-the-counter derivatives broker
- An exempt futures broker
- An exempt payment services provider
- A Recognised Market Operator incorporated outside Singapore
- A Recognised Clearing House incorporated outside Singapore
- A Licensed Foreign Trade Repository
- The Continuous Linked Settlement Bank
Institutions with a smaller headcount, such as those with a headcount of fewer than 50, are still expected to achieve the five outcomes listed below, but will not ordinarily be expected to adopt the specific guidance described in the Guidelines.
For institutions with a larger number of employees, you will also have flexibility around which guidance you adopt based on its relevance to your business. However, be aware that in taking this route you must be able to evidence your decision.
Why has IAC been introduced?
The IAC, along with many other regional regimes, is inspired by the already successful implementation of similar regulation in the UK: the Senior Managers & Certification regime (SM&CR). These changes represent an overall shift towards individual accountability in the regulatory landscape for financial services.
The primary purpose of the IAC is to support the country’s effort to promote the accountability of senior managers, strengthen the oversight of material risk personnel and reinforce professional conduct standards – for all employees.
MAS notes that the outcomes it has defined serve to strengthen a responsible and ethical culture, underpinned by positive conduct, within financial institutions in Singapore.
What are the new guidelines?
The IAC is epitomised by five high-level outcomes which all non-exempt firms are expected to achieve. These are designed to be neither exhaustive nor prescriptive, but are instead intended as a best practice framework.
- Outcome One: Senior managers’ responsibilities for managing and conducting the FI’s core functions are identified.
- Outcome Two: Senior managers are fit and proper for their roles and held responsible for the actions of their employees and the conduct of the business under their purview.
- Outcome Three: The FI’s governance framework supports senior managers’ performance of their roles and responsibilities, with a clear and transparent management structure and reporting relationships.
- Outcome Four: Material risk personnel are fit and proper for their roles, and subject to effective risk governance, and appropriate incentive structures and standards of conduct.
- Outcome Five: The FI has a framework that promotes and sustains among all employees the desired conduct.
These outcomes are supported by extensive guidelines on how to achieve them, which you can find on the MAS website along with common FAQs.
Here are a few of the most important changes that will affect how your financial organisation manages its individual and organisational regulatory compliance.
Roles and responsibilities
FIs must evidence the defined roles and responsibilities outlined by MAS. This includes maintaining comprehensive and accurate records and reporting.
Equally, the Terms of Reference and reporting structure for Management Committees must be clearly defined.
Note that the definition of material risk personnel (MRP) has changed and now extends beyond the previous definition of senior managers (see glossary).
The IAC guidelines also provide a list of core management functions (which is neither prescriptive nor exhaustive, see glossary) which FIs should apply in a manner that reflects their senior managers’ actual responsibilities.
Cultural frameworks
The outcomes-based approach provides flexibility for each firm to create a framework that suits its business, but this must still achieve the objectives listed.
Despite this, FIs are expected to go “the extra mile” to promote a healthy culture of ethical behaviour, conduct and compliance, not just tick boxes. Several actions have been outlined for firms to adopt to monitor and assess this culture/conduct.
Evidencing
If you plan to take advantage of the flexibility given around adopting specific guidance, then you must be prepared to not only justify your decision but demonstrate how you have achieved the relevant outcomes through other means.
Other FAQs about IAC
How should FIs determine headcount?
The guidelines recognise that the composition of headcount may vary, so the method for defining it is not prescriptive. The overarching principle is that it should include all personnel that engage with or support the core management functions of the business, with consideration for their nature and complexity.
How should FIs identify CMFs that apply to their business?
This falls under the responsibility of the board or the head office. They must primarily consider the relevance of the functions in the context of the organisation’s growth strategy and whether they could have a significant impact on its risk profile.
How often should FIs assess senior managers’ fitness and propriety?
The frequency of fit and proper assessments is at the discretion of the FI. The IAC guidelines recommend that this be done on an annual basis or whenever a matter arises that might necessitate a review.
Can senior managers delegate their responsibilities?
Simply put, yes. They may delegate responsibilities, but they cannot delegate accountability and they must maintain oversight.
How should FIs govern the activities of MRPs and enforce risk ownership?
Board and senior management are responsible for implementing the necessary policies and procedures for governing MRPs and enforcing ownership. For example, these actors should consider risk outcomes and proper conduct when creating incentivisation schemes.
How should conduct frameworks work with existing policies and procedures?
The conduct frameworks put in place should integrate with HR processes across the entire employee lifecycle, from hiring to termination.
Glossary of IAC terms
Material risk personnel: Individuals who have the authority to make decisions or conduct activities that can significantly impact the FI’s safety and soundness, or cause harm to a significant segment of the FI’s customers or other stakeholders.
Senior managers: Individuals who are employed by, or acting for or by arrangement with, the FI, and are principally responsible for the day-to-day management of the FI.
Board: In the case of an FI incorporated in Singapore, this refers to the Board of directors; and in the case of an FI incorporated or established outside Singapore, a governing body or committee beyond local management that is charged with oversight and supervision responsibilities for the FI’s operations in Singapore.
Core management functions
Chief executive officer: Individual who is principally responsible for the management and conduct of the business of the financial institution, including its subsidiaries and branches if any, in accordance with the strategy and risk appetite approved by the Board or Head Office, as applicable.
Chief financial officer or Head of finance: Individual who is principally responsible for managing the financial resources and financial reporting processes of the financial institution.
Chief risk officer or Head of risk: Individual who is principally responsible for establishing and implementing the risk management framework to identify, monitor, and manage the risks of the financial institution.
Chief operating officer or Head of operations: Individual who is principally responsible for managing the day-to-day operations of the financial institution.
Chief information officer, Chief technology officer or Head of information technology: Individual who is principally responsible for establishing and implementing the overall information technology strategy, overseeing the day-to-day information technology operations, and managing the information technology risks of the financial institution.
Chief information security officer or Head of information security: Individual who is principally responsible for the information security strategy and programme of the financial institution, including but not limited to information security policies and procedures to safeguard information assets, information security controls, and the management of information security breaches.
Chief data officer: Individual who is principally responsible for establishing and implementing the policies, systems, and processes of the financial institution with regard to the governance, use, and analysis of data.
Chief regulatory officer: Individual who, in relation to an approved exchange, approved clearing house, or approved holding company, as the case may be, is principally responsible for overseeing the regulatory functions and changes to the business rules of the approved exchange, approved clearing house, or approved holding company.
Head of business function: Individual who is principally responsible for the management and conduct of a function which undertakes the business activities of the financial institution.
Head of actuarial, Appointed actuary, or Certifying actuary: Individual who, in relation to a licensed insurer or foreign insurer operating in Singapore under a foreign insurer scheme, as the case may be, is principally responsible for the actuarial function, including but not limited to the approval of premium rates, valuation of liabilities, computation of protected liabilities relating to policy owners’ protection scheme, financial condition investigation, risk management, investment, and product pricing and development of the insurer.
Head of human resources: Individual who is principally responsible for establishing and implementing the financial institution’s employment policies and processes, including on recruitment, on-boarding, regular training, performance evaluation, compensation, promotion, consequence management, and termination.
Head of compliance: Individual who is principally responsible for monitoring and managing the financial institution’s compliance with regulatory requirements under the applicable laws and regulations as well as internal policies and procedures.
Head of financial crime prevention: Individual who is principally responsible for establishing and managing the policies, systems, and processes to counter the risks of the financial institution’s involvement in money laundering, terrorism financing, weapons proliferation and sanctions evasion, bribery, and corruption, as well as for filing Suspicious Transactions Reports (STRs).
Head of internal audit: Individual who is principally responsible for ensuring the adequacy and effectiveness of the financial institution’s internal controls, and reporting directly to the Board Audit Committee or the financial institution’s Head Office, as appropriate, on these matters.