CTRL 3.1.19 Specific obligations — periodic review

(1) An authorised firm’s governing body must ensure that the firm’s corporate governance framework and risk management framework are reviewed at least once every 3 years by:
(a) the firm’s internal auditor; or
(b) an independent and objective external reviewer.
Note: For the meaning of governing body in this rule, see rule 3.1.18 (3).
(2) The person who carries out the review must report in writing to the body within 30 days after the review is completed.
(3) The firm must give a copy of the report to the Regulatory Authority within 30 days after the firm’s governing body receives the report.
(4) The Authority may direct an authorised firm to carry out more frequent reviews than are required by subrule (1).

Derived from QFCRA RM/2020-4 (as from 1st July 2021)