• CTRL Chapter 1 General

    • CTRL Part 1.1 Preliminary

      • CTRL 1.1.1 Name of rules

        These rules are the Governance and Controlled Functions Rules 2020 (or CTRL).

        Derived from QFCRA RM/2012-4 (as from 1st July 2013)
        Amended by QFCRA RM/2020-4 (as from 1st July 2021)

      • CTRL 1.1.2 Commencement

        These rules commence on 1 July 2021.

        Derived from QFCRA RM/2012-4 (as from 1st July 2013)
        Amended by QFCRA RM/2020-4 (as from 1st July 2021)

      • CTRL 1.1.3 Effect of definitions, notes and examples

        (1) A definition in the Glossary also applies to any instructions or document made under these rules.
        (2) A note in or to these rules is explanatory and is not part of these rules. However, examples and guidance are part of these rules.
        (3) An example is not exhaustive, and may extend, but does not limit, the meaning of these rules or the particular provision of these rules to which it relates.

        Note Under FSR, article 17 (4), guidance is indicative of the view of the Regulatory Authority at the time and in the circumstances in which it was given.
        Derived from QFCRA RM/2012-4 (as from 1st July 2013)
        Amended by QFCRA RM/2020-4 (as from 1st July 2021)

      • CTRL 1.1.4 Application of CTRL

        (1) These rules apply to an authorised firm in relation to the carrying on of a regulated activity in or from the QFC.
        (2) These rules also apply to:
        (a) an authorised firm’s governance, its risk management framework, and its policies and procedures, outside the QFC to the extent that they relate to a regulated activity carried on in or from the QFC; and
        (b) every function exercised by or on behalf of an authorised firm outside the QFC (including any outsourced function), to the extent that the function relates to the carrying on of a regulated activity in or from the QFC.
        Derived from QFCRA RM/2012-4 (as from 1st July 2013)
        Amended by QFCRA RM/2020-4 (as from 1st July 2021)

    • CTRL Part 1.2 Key Concepts

      • CTRL Division 1.2.A Key concepts — corporate governance

        • CTRL 1.2.1 What is a firm’s governing body?

          For these rules, an authorised firm’s governing body is:

          (a) in the case of a firm that is incorporated as a company or a limited liability partnership in the QFC, or is a partnership constituted under the Partnership Regulations 2007 — its board of directors or the body (whatever it is called) that, under the firm’s constitutional document, has the responsibility of overseeing the firm’s business in or from the QFC; and
          (b) in the case of a firm that is a branch:
          (i) the firm’s board of directors, or a committee of that board, that has the responsibility of overseeing the firm’s business in or from the QFC; or
          (ii) that part of the firm’s committee of management or other body (whatever it is called) that has the responsibility of overseeing the firm’s business in or from the QFC.
          Derived from QFCRA RM/2020-4 (as from 1st July 2021)

          • CTRL 1.2.1 Guidance

            This definition draws a distinction (for some purposes) between:

            • a firm that is incorporated or formed in the QFC; and
            • a firm that is incorporated or formed outside the QFC (that is, a branch).

            In the case of a branch, the firm’s board (wherever it is located) remains ultimately responsible for the oversight of the firm, but many policy decisions may be made by a part, or a delegate, of the firm’s board. These rules recognise that firms choose to allocate their responsibilities and undertake their business in different ways; these rules therefore place the responsibility for certain kinds of oversight on the firm’s board or the part or delegate of the board.

            Derived from QFCRA RM/2020-4 (as from 1st July 2021)

        • CTRL 1.2.2 What is a firm’s corporate governance framework?

          (1) An authorised firm’s corporate governance framework is made up of the firm’s organisational structures, policies, procedures and systems and controls as they relate to the firm’s business objectives and the means of achieving them.
          (2) An authorised firm’s corporate governance framework includes:
          (a) the firm’s risk management framework (see rule 1.2.3);
          (b) its internal control and assurance functions (that is, its risk management, compliance oversight, internal audit and actuarial functions);
          (c) its business objectives; and
          (d) the corporate governance obligations in these rules, the Companies Regulations, and other applicable regulations, rules and guidance.

          Derived from QFCRA RM/2020-4 (as from 1st July 2021)

          • CTRL 1.2.2 Guidance

            1 The corporate governance framework deals with the relationships between a firm’s board, its senior management, depositors, policyholders, clients and other stakeholders. Other important aspects of corporate governance are the separation of functions within the firm and the accountabilities for the internal control and assurance functions.
            2 The corporate governance framework includes at least the firm’s objectives and the firm’s corporate governance obligations under these rules, the Companies Regulations, and other regulations, rules and guidance.

            Derived from QFCRA RM/2020-4 (as from 1st July 2021)

        • CTRL 1.2.3 What is a firm’s risk management framework?

          (1) An authorised firm’s governing body must establish a risk management framework.
          Note For the firm’s risk management framework, see rule 7.1.2.
          (2) The firm’s risk management framework is made up of:
          (a) the firm’s systems for identifying, measuring, evaluating, monitoring, reporting, and controlling or mitigating risks that may affect the firm’s ability to meet its obligations; and
          (b) the structures, policies, processes and people that support those systems.
          Derived from QFCRA RM/2020-4 (as from 1st July 2021)

        • CTRL 1.2.4 What is a firm’s internal controls and assurance framework?

          (1) An authorised firm’s governing body must establish an internal controls and assurance framework made up of the firm’s internal control and assurance functions.
          Note In relation to an authorised firm’s internal controls and assurance framework, see Chapter 6.
          (2) The following controlled functions are the internal control and assurance functions:
          (a) the risk management function (see rule 1.2.12);
          (b) the compliance oversight function (see rule 1.2.13);
          (c) the internal audit function (see rule 1.2.14);
          (d) the actuarial function (see rule 1.2.15).
          (3) The internal controls and assurance framework must provide reasonable assurance on the effectiveness and efficiency of the firm’s operations, the reliability of its financial reporting and the extent of its compliance with applicable laws and regulations.
          Derived from QFCRA RM/2020-4 (as from 1st July 2021)

      • CTRL Division 1.2.B Key concepts—controlled functions

        • CTRL 1.2.5 What are controlled functions?

          (1) FSR, article 41, requires that, to exercise a controlled function for an authorised firm, an individual must be an approved individual, and authorises the Regulatory Authority to specify, in rules, the functions that are controlled functions.
          Note The assessment, training and competency of individuals to exercise controlled functions is dealt with in INDI.
          (2) For FSR, article 41 (2), each of the following is a controlled function:
          (a) the non-executive governance function;
          (b) the executive governance function;
          (c) the senior executive function;
          (d) the finance function;
          (e) the senior management function;
          (f) the MLRO function;
          (g) the risk management function;
          (h) the compliance oversight function;
          (i) the internal audit function;
          (j) the actuarial function.
          Note 1 Each of the controlled functions mentioned in subrule (2) (other than the MLRO function) is described elsewhere in these rules. There are signpost definitions in the Glossary.
          Note 2 The non-executive governance function, the executive governance function, the senior executive function, the finance function and the senior management function are responsible for the firm’s governance and general management — see Chapter 3.
          Note 3 The MLRO function is to do with compliance and reporting under the law relating to money laundering and preventing the financing of terrorism — see AML/CFTR or (for general insurance firms only) AMLG. The MLRO function is not further dealt with in these rules.
          Note 4 The matters referred to in FSR, article 41 (3) (application for approval as an approved individual, principles to be adhered to by approved individuals, reporting by approved individuals and withdrawal of authorisation) are set out in INDI.
          Derived from QFCRA RM/2020-4 (as from 1st July 2021)

        • CTRL 1.2.6 What is the executive governance function?

          (1) The executive governance function for an authorised firm that is a QFC entity is the function of being a member (other than a non-executive member) of the firm’s governing body.
          (2) The executive governance function for an authorised firm that is a branch is the function of being a member of the firm’s governing body with responsibility for the firm’s business in or from the QFC.

          Derived from QFCRA RM/2020-4 (as from 1st July 2021)

        • CTRL 1.2.7 What is the non-executive governance function?

          The non-executive governance function for an authorised firm that is a QFC entity is the function of being a member of the firm’s governing body but not being responsible for the day-to-day direction of the firm’s affairs.

          Derived from QFCRA RM/2020-4 (as from 1st July 2021)

        • CTRL 1.2.8 What is the senior executive function?

          The senior executive function for an authorised firm is the function of being responsible for:

          (a) the whole business of the firm; or
          (b) in the case of an authorised firm that is a branch — the business of the firm carried on in or from the QFC.

          Derived from QFCRA RM/2020-4 (as from 1st July 2021)

        • CTRL 1.2.9 What is the finance function?

          The finance function for an authorised firm includes the functions of being responsible for the prudential returns that the firm is required to prepare, and ensuring that the firm’s financial records are accurate and complete.

          Derived from QFCRA RM/2020-4 (as from 1st July 2021)

        • CTRL 1.2.10 What is the senior management function?

          The senior management function for an authorised firm is the function of being responsible (alone or with others) for managing and supervising a part or parts of the firm’s business related to its regulated activities (other than parts that are included in any of the other controlled functions).

          Derived from QFCRA RM/2020-4 (as from 1st July 2021)

        • CTRL 1.2.11 What is the MLRO function?

          The MLRO function for an authorised firm is the function of being the firm’s MLRO under either AML/CFTR or AMLG.

          Note The MLRO function is not dealt with further in these rules. For firms’ obligations in relation to the MLRO function see:

          • for general insurance firms — AMLG
          • for all other authorised firms — AML/CFTR.

          Derived from QFCRA RM/2020-4 (as from 1st July 2021)

        • CTRL 1.2.12 What is the risk management function?

          The risk management function for an authorised firm is the function of being responsible for:

          (a) the firm’s risk management framework; and
          (b) overseeing and reviewing the firm’s implementation of, and its compliance with, those policies, procedures and controls.

          Note For more on the risk management function, see Part 6.2; for risk management generally, see Chapter 7.

          Derived from QFCRA RM/2020-4 (as from 1st July 2021)

        • CTRL 1.2.13 What is the compliance oversight function?

          The compliance oversight function for an authorised firm is the function of being responsible for:

          (a) the firm’s compliance policies, procedures and controls; and
          (b) overseeing and reviewing the firm’s implementation of, and its compliance with, those policies, procedures and controls.
          Note For more on the compliance oversight function, see Part 6.3.

          Derived from QFCRA RM/2020-4 (as from 1st July 2021)

        • CTRL 1.2.14 What is the internal audit function?

          The internal audit function for an authorised firm is the function of being responsible for:

          (a) the firm’s internal audit policies, procedures and controls; and
          (b) overseeing and reviewing the firm’s implementation of, and its compliance with, those policies, procedures and controls.
          Note For more on the internal audit function, see Part 6.4.

          Derived from QFCRA RM/2020-4 (as from 1st July 2021)

        • CTRL 1.2.15 What is the actuarial function?

          The actuarial function for an authorised firm is the function of being responsible for:

          (a) the firm’s actuarial policies, procedures and controls; and
          (b) overseeing and reviewing the firm’s implementation of, and its compliance with, those policies, procedures and controls.
          Note For more on the actuarial function, see Part 6.5.

          Derived from QFCRA RM/2020-4 (as from 1st July 2021)