Global Precious Metals Code
3. Governance, Compliance and Risk Management (GCRM)
GCRM Leading Principle
Market Participants are expected to have a sound and effective governance framework to provide for clear responsibility and for comprehensive oversight of their market activity and to promote responsible engagement in the market. Market Participants are also expected to promote and maintain a robust control and compliance environment to effectively identify, manage and report on the risks associated with their engagement in the market.
Appropriate governance structures should be in place to promote and support the principles set out in this Code. Different firms’ governance structures may vary in complexity and scope. The precise structure adopted should be commensurate with the size and complexity of the Market Participants’ market activities and the nature of the engagement in the market, while taking into account Applicable Law.
- Appropriate risk management, compliance and review structures should be in place to manage and mitigate the risks that arise from a Market Participant’s activities.
- Periodic reviews of risk and compliance controls should also be undertaken, including a review of the qualitative or quantitative assumptions within the risk management system.
- Those responsible for the risk and compliance controls should be independent from the front office.
3.1 GCRM Principle 1
The body or individual(s) that is ultimately responsible for the Market Participant’s Precious Metals business strategy and financial soundness should put in place adequate and effective structures and mechanisms to provide for appropriate oversight, supervision and controls with regard to the Market Participant’s activity
The body or individual(s) that is ultimately responsible for the Market Participant’s business strategy and financial soundness should put in place and maintain:
- An operational structure with clearly defined and transparent lines of responsibility for the Market Participant’s market activity;
- An effective oversight of the Market Participant’s market activity based on appropriate management information;
- An environment that encourages effective challenge to management charged with day-to-day responsibility for the Market Participant’s market activity; and
- Control of functions and mechanisms that are independent from the front office, to assess whether the Market Participant’s market activities are conducted in a manner that reflects the Market Participant’s operational risk and conduct requirements. Such functions should have sufficient stature, resources and access to the body or individual(s) ultimately responsible and accountable for the Market Participant’s business strategy and financial soundness.
In implementing the above, consideration should be given to the types of activities the Market Participant engages in.
3.2 GCRM Principle 2
Market Participants should have appropriate policies and procedures designed to handle and respond to potentially improper practices and behaviours effectively
Market Participants should maintain policies and procedures, where appropriate, supported by effective mechanisms, to (i) provide confidential channels for staff or external parties to raise concerns about potentially improper practices and behaviours, without fear of reprisal; and (ii) investigate and respond to such reports as appropriate.
Reports of potentially improper practices or behaviour of the Market Participant should be investigated by independent parties or functions, within a reasonable timeframe. Such parties or functions should possess sufficient skills and experience, and should be given the necessary resources and access to conduct the investigation.
The reports and results of an investigation should be brought to the attention of the appropriate individuals within the firm and, if appropriate, to the relevant regulatory or public authorities.
3.3 GCRM Principle 3
Market Participants should have frameworks for compliance and risk management
Market Participants may be subject to different risks and to varying degrees, depending on the size, complexity and nature of engagement in the market. Such risks may involve:
- Business Continuity; and
The common components of compliance and risk frameworks may include:
- Effective oversight by the senior body or individual(s), including support for the stature and independence of compliance and risk management functions. In particular:
  - The senior body or individual(s) should make strategic decisions on the risk appetite of the Precious Metals business;
  - The senior body or individual(s) should be responsible for the establishment, communication, enforcement and regular review of a compliance and risk management framework that clearly specifies authorities, limits and policies; and
  - Risks should be managed prudently and responsibly in accordance with established principles of risk management and Applicable Law.
- The provision of concise, timely, accurate and understandable compliance risk related information to the senior body or individual(s);
- The appropriate segregation of duties and independent reporting lines, including the segregation of trading from the compliance and risk management functions and the deal processing, accounting and settlement functions;
- While risk managers and compliance staff may work closely with business units, the compliance and risk management functions should be independent of the business unit and should not be directly involved in revenue generation;
- Compensation structures should be designed not to compromise such independence;
- Adequate resources and employees with clearly defined roles, responsibilities and authority, including appropriate access to information and systems. These staff should have appropriate knowledge, experience and training.
3.4 GCRM Principle 4
Market Participants should familiarise themselves with and abide by all Applicable Laws, regulatory obligations and relevant industry standards, and should have an appropriate compliance framework in place
Market Participants should act in accordance with their firm’s compliance procedures at all times and seek clarification in case of doubt.
An effective compliance framework should provide independent oversight and control, and could comprise but not be limited to:
- Identification of Applicable Laws, regulations and industry standards that apply to the Market Participant’s activities;
- Appropriate processes designed to prevent and detect abusive, collusive or manipulative practice, fraud and financial crime, and to mitigate material risk that could arise in the general conduct of the Precious Metals business;
- Capturing and retaining adequate records to enable effective monitoring of compliance with Applicable Law and regulatory obligations and relevant industry standards;
- Well-defined escalation procedures for issues identified;
- Consideration of the need to periodically restrict relevant staff’s access through measures such as mandatory vacation to facilitate the detection of possible fraudulent activities;
- The provision of advice and guidance to management and staff on the appropriate implementation of Applicable Law, regulatory obligations and other relevant guidance in the form of policies and procedures, and other documents such as compliance manuals and internal codes of conduct;
- A training and/or attestation process to promote awareness of, and compliance with, this Principle;
- Appropriate implementation and utilisation of audit and/or compliance programmes, for example, the establishment of processes to monitor daily activities and operations; and
- Periodic review and assessment of compliance functions and controls, including mechanisms to alert management about material gaps or failures in such functions and controls. The appropriate senior body or individual(s) should oversee the timely resolution of any issues.
3.5 GCRM Principle 5
Market Participants should maintain an appropriate risk management framework with systems and controls to identify and manage the Precious Metals market risks they face
Effective risk management starts with the identification and understanding by Market Participants of the various types of risk to which they are exposed. This typically involves the establishment of risk limits and monitoring mechanisms as well as the adoption of risk mitigation and other prudent practices. An effective risk management framework could comprise but is not limited to:
- An appropriate and documented approval process for the setting of risk appetite and limits;
- A comprehensive and well-documented framework for the identification, measurement, aggregation and monitoring of risk across the Precious Metals business;
- Documented policies, procedures and controls, which are periodically reviewed and tested, where appropriate, to manage and mitigate risks as highlighted above;
- The clear communication of risk management policies and controls within the firm to promote awareness and ensure compliance. In addition, processes and programmes which facilitate the understanding of such policies and controls by staff;
- Information systems to facilitate the effective monitoring and timely reporting of risks;
- Robust incident management, including appropriate escalation, mitigation actions and lessons learnt;
- Robust risk assessment and approval processes for new products, services and procedures to identify new and emerging risks;
- Sound accounting policies and practices encompassing prudent and consistent valuation methods and procedures; and
- An appropriately robust risk control self-assessment process, including processes to remediate identified gaps or weaknesses.
Market Participants should have practices in place to limit, monitor and control the risks related to their Precious Metals market trading activity.
3.6 GCRM Principle 6
Market Participants should have processes in place to independently review the effectiveness of and adherence to the risk management and compliance framework
Independent review should be performed regularly, with any review findings recorded and corrective action tracked.
All material risks related to the market activities should be covered using an appropriate assessment methodology.
The individual or team carrying out the review should be given the necessary mandate and support, including adequate staff with requisite experience or expertise.
Findings should be reported to an appropriately senior level for review and follow-up.