Global Precious Metals Code V2
3. Governance, Compliance and Risk Management (GCRM)
GCRM Leading Principle
Market Participants are expected to have a sound and effective governance framework to provide for clear responsibility and for comprehensive oversight of their market activity and to promote responsible engagement in the market. Market Participants are also expected to promote and maintain a robust control and compliance environment to effectively identify, manage and report on the risks associated with their engagement in the market and to have appropriate “whistle-blowing” arrangements.
Appropriate governance structures should be in place to promote and support the principles set out in this Code. Different firms’ governance structures may vary in complexity and scope. The precise structure adopted should be commensurate with the size and complexity of the Market Participants’ market activities and the nature of the engagement in the market, while taking into account Applicable Law.
Firms should take appropriate steps to identify the risks applicable within their business. Such risks may include:
- Cyber Security;
- Business Continuity;
- Reputational; and
- Economic and Trade Sanctions.
Risk and Compliance
- Appropriate risk management, compliance and review structures should be in place to manage and mitigate the risks that arise from a Market Participant’s activities.
- Periodic reviews of risk and compliance controls should also be undertaken, including a review of the qualitative or quantitative assumptions within the risk management system.
- Those responsible for the risk and compliance controls should be independent from the front office.
3.1 GCRM Principle 1
The internal body or individual(s) that is ultimately responsible for the Market Participant’s Precious Metals business strategy and financial soundness should put in place adequate and effective structures and mechanisms to provide for appropriate oversight, supervision and controls with regard to the Market Participant’s activity
The body or individual(s) that is ultimately responsible for the Market Participant’s business strategy and financial soundness should put in place and maintain:
- An operational structure with clearly defined and transparent lines of responsibility for the Market Participant’s market activity;
- An effective oversight of the Market Participant’s market activity based on appropriate management information;
- An environment that encourages effective challenge to management charged with the day-to-day responsibility for the Market Participant’s market activity; and
- Control of functions and mechanisms that are independent from the front office, to assess whether the Market Participant’s market activities are conducted in a manner that reflects the Market Participant’s operational risk and conduct requirements. Such functions should have sufficient stature, resources and access to the internal body or individual(s) ultimately responsible and accountable for the Market Participant’s business strategy and financial soundness.
In implementing the above, consideration should be given to the types of activities the Market Participant engages in, and where the activity of personnel takes place, i.e. should personnel be working from remote locations.
3.2 GCRM Principle 2
Market Participants should have appropriate policies and procedures designed to handle and respond to potentially improper practices and behaviours effectively, including appropriate “whistle-blowing” arrangements
Market Participants should maintain policies and procedures, where appropriate, supported by effective mechanisms, to (i) provide confidential channels for personnel or external parties to raise concerns about potentially improper practices and behaviours, without fear of reprisal; and (ii) investigate and respond to such reports as appropriate.
Reports of potentially improper practices or behaviour of the Market Participant should be investigated by independent parties or functions, within a reasonable timeframe. Such parties or functions should possess sufficient skills and experience, and should be given the necessary resources and access to information and people to conduct the investigation.
The reports and results of an investigation should be brought to the attention of the appropriate governing body within the firm and, if appropriate, to the relevant regulatory or public authorities.
3.3 GCRM Principle 3
Market Participants should have frameworks for compliance and risk management
The common components of compliance and risk frameworks may include:
- Effective oversight by the senior body or individual(s), including support for the stature and independence of compliance and risk management functions. In particular:
  - The senior body or individual(s) should make strategic decisions on the risk appetite of the Market Participant, taking into consideration the nature of its engagement in the Precious Metals Market;
  - The senior body or individual(s) should be responsible for the establishment, communication, enforcement and regular review of a compliance and risk management framework that clearly specifies authorities, limits and policies; and
  - Risks should be managed prudently and responsibly in accordance with established principles of risk management, Applicable Law and industry best practice.
- The provision of concise, timely, accurate and understandable compliance risk related information to the senior body or individual(s).
- The appropriate segregation of duties and independent reporting lines, including the segregation of trading from the compliance and risk management functions and the deal processing, accounting and settlement functions;
- While risk managers and compliance personnel may work closely with business units, the compliance and risk management functions should be independent of the business units and should not be directly involved in revenue generation;
- Compensation structures should be designed not to compromise such independence;
- Adequate resources and employees with clearly defined roles, responsibilities and authority, including appropriate access to information and systems. These personnel should have appropriate knowledge, experience and training.
3.4 GCRM Principle 4
Market Participants should familiarise themselves with and abide by all Applicable Law, regulatory obligations and relevant industry standards, and should have an appropriate compliance framework in place
Market Participants should act in accordance with their firm’s compliance policies, or equivalent, at all times and seek clarification in case of doubt.
An effective compliance framework should provide independent oversight and control, and could comprise but not be limited to:
- Identification of Applicable Law and statements of best practice that apply to the Market Participant’s activities;
- Appropriate processes designed to prevent and detect abusive, collusive or manipulative practice, fraud and financial crime, and to mitigate material risk that could arise in the general conduct of the Precious Metals business;
- Capturing and retaining adequate records to enable effective monitoring of compliance with Applicable Law and regulatory obligations, and relevant industry standards;
- Well-defined escalation procedures for issues identified;
- Consideration of the need to periodically restrict relevant personnel’s access to the firm’s systems and premises, through measures such as mandatory vacation to facilitate the detection of possible fraudulent activities;
- The provision of advice and guidance to management and personnel on the appropriate implementation of Applicable Law, regulatory obligations and other relevant guidance in the form of policies and procedures, and other documents such as a compliance manual and internal codes of conduct;
- A training and/or attestation process to promote awareness of, and compliance with, this Principle;
- Appropriate implementation and utilisation of audit and/or compliance programmes, for example, the establishment of processes to monitor daily activities and operations; and
- Periodic review and assessment of compliance functions and controls, including mechanisms to alert management about material gaps or failures in such functions and controls. The appropriate senior body or individual(s) should oversee the timely resolution of any issues.
3.5 GCRM Principle 5
Market Participants should maintain an appropriate risk management framework with systems and controls to identify and manage the Precious Metals Market risks they face
Market Participants should have policies, or equivalent, in place to limit, monitor and control the risks related to their Precious Metals Market trading activity.
Effective risk management starts with the identification and understanding by Market Participants of the various types of risk to which they are exposed. This typically involves the establishment of risk limits and monitoring mechanisms as well as the adoption of risk mitigation and other prudent practices. An effective risk management framework could comprise but is not limited to:
- An appropriate and documented approval process for the setting of risk appetite and limits;
- A comprehensive and well-documented framework for the identification, measurement, aggregation and monitoring of risk, according to the nature of the Market Participant’s engagement in the Precious Metals Market;
- Documented policies, procedures and controls, which are periodically reviewed and tested, where appropriate, to manage and mitigate risks as highlighted above;
- The clear communication of risk management policies and controls within the firm to promote awareness and ensure compliance. In addition, to have processes and programmes which facilitate the understanding of such policies and controls by personnel;
- Information systems to facilitate the effective monitoring and timely reporting of risks;
- Robust incident management, including appropriate escalation, mitigation actions and lessons learnt;
- Robust risk assessment and approval processes for new products, services and procedures to identify new and emerging risks;
- Sound accounting policies and practices encompassing prudent and consistent valuation methods and procedures; and
- An appropriately robust risk control self-assessment process, including processes to remediate identified gaps or weaknesses.
3.6 GCRM Principle 6
Market Participants should have processes in place to independently review the effectiveness of and adherence to the governance, compliance framework and risk management.
Market Participants should undertake regular independent reviews of their risk management and compliance frameworks, and record and track corrective action of any findings.
All material risk related to the market activities should be covered in the independent review using an appropriate assessment methodology.
3.6.3 The individual or team carrying out the review should be given the necessary mandate and support, including adequate personnel with requisite experience or expertise.
Findings should be reported to an appropriately senior level for review and follow-up.