Guidelines for Internal Control System and Compliance Function for Securities Brokers
Guidelines for Internal Control
System and Compliance Function for
Securities Brokers
Contents Page Number
Introduction
3
Internal control 4
Definition
Principles
Detailed Processes /Sub Processes
A. Brokerage operation (both at Head Office and branches)
1. Account opening, KYC / AML Procedures and Processes
2. Periodic Reporting to Customer
3. Account closing
4. Controls over order acceptance and execution to ensure
compliance with regulatory requirements
5. Segregation of duties
6. Trading in Brokerage Operations/ Trade review
procedures to detect violation with regulations
7. Custody, Segregation of Customer’ Assets
8. Maintenance of Net capital/ Liquid Capital/ BMC
Requirements
9. Brokerage Commission
10. Conflict of interest
11. Confidentiality of Information
12. Controls over trading by employees including proprietary,
employees and associates trading through other
brokerage houses
13. Customer Complaints
14. Short Selling Requirements
15. Controls over completeness, accuracy and authenticity of
back office record and data
5
B. Finance
16. Financial statement closing process
15
C. Fixed Assets/ Intangible Assets
17. Additions, Deletions , Adjustment, Write-off
18. Maintenance of fixed asset register
16
D. Trade Debts
19. Exposure Limits
20. IT Controls
21. Ageing & Provisioning
22. Recoveries / write off
17
E.
Cash and Bank
23. Account opening / closing
24. Bank reconciliations
25. Payment / receipts of funds
18
Page 2 of 24
26. Petty cash
27. Profit computation on savings/ PLS accounts
F. Expenses
19
G. Information Technology General Controls (ITGCs)
28. Access security
29. Program changes
30. Data center and network operations
31. Application acquisition, development, and maintenance.
32. IT Governance
33. Operating System
34. Network
35. Disaster recovery planning / Business Continuity Plan
19
H. Compliance Department
36. Structure
37. Qualification of staff
38. Compliance plan / scope and monitoring mechanism
39. Follow-up mechanism on pending compliances
40. Internal Code of Practice
22
I. Entity Level Controls
41. Risk Assessment Process
42. Development and implementation of policies and
procedures
43. Internal Audit department
44. Compliance with the Corporate Governance Code for
Securities Brokers
23
Guidelines for Internal Control System and Compliance Function for
Securities Brokers
Page 3 of 24
INTRODUCTION
The Securities and Exchange Commission of Pakistan (SECP) issued the Securities Brokers (Licensing and
Operations) Regulations, 2016 (the Regulations).
These Regulations introduced various new requirements and strengthened existing requirements for the
securities brokers to help achieve the objectives of risk management and enhanced investor protection. The
Regulations require securities brokers to implement an adequate internal control system and compliance
function, commensurate with the size and nature of services performed. In order to provide guidance to the
securities brokers for effectively complying with the requirements of the Regulations, the Securities &
Exchange Commission of Pakistan has issued guidelines on internal control framework as laid down under
the Regulations.
This Guideline provides minimum controls along with policies and procedures required to promote control
structure and awareness to the securities brokers. Controls, processes or procedures given in the Guideline
covers basic internal accounting controls and risk management areas that are minimum and could be
increased by the securities brokers depending on the size and nature of the business. Policies and procedures
for the business support function as set out in this document should be developed by the securities brokers
with the intent to protect the interest of the investors and also for the smooth running of the business.
In case, there is inconsistency between Guideline and the Regulations the later shall prevail.
Guidelines for Internal Control System and Compliance Function for
Securities Brokers
Page 4 of 24
INTERNAL CONTROL
DEFINITION OF INTERNAL CONTROL
Internal control is defined as follows:
Internal control is a process, effected by an entity’s board of directors, management, and other personnel,
designed to provide reasonable assurance regarding the achievement of objectives relating to operations,
reporting and compliance.
INTERNAL CONTROL PRINCIPLES
1. The organization demonstrates a commitment to integrity and ethical values;
2. The board of directors demonstrates independence from management and exercises oversight for the
development and performance of internal control;
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities
and responsibilities in the pursuit of objectives;
4. The organization demonstrates a commitment to attract, develop, retain competent individuals in
alignment with the objectives;
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of
objectives;
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment
of risks relating to objectives;
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes
risks as a basis for determining how the risks should be managed;
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives;
9. The organization identifies and assesses changes that could significantly impact the system of internal
control;
10. The organization selects and develops control activities that contribute to the mitigation of risks to the
achievement of objectives to acceptable levels;
11. The organization selects and develops general control activities over technology to support the
achievement of objectives;
12. The organization deploys control activities through policies that establish what is expected and in
procedures that put policies into action;
13. The organization obtains or generates and uses relevant, quality information to support the functioning
of internal control;
14. The organization internally communicates information, including objectives and responsibilities for
internal control, necessary to support the functioning of internal control;
15. The organization communicates with external parties regarding matters affecting the functioning of
internal control;
16. The organization selects, develops, and perform ongoing and/or separate evaluations to ascertain
whether the components of internal control are present and functioning;
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those
parties responsible for taking corrective action, including senior management and the board of
directors, as appropriate.
Guidelines for Internal Control System and Compliance Function for
Securities Brokers
Page 5 of 24
DETAILED CONTROLS OF SECURITIES BROKERS
A. BROKRAGE OPERATIONS (BOTH AT HEAD OFFICE AND BRANCHES, WHERE APPLICABLE)
1. Account Opening, KYC/AML Procedures and Processes
1.1 A securities broker should maintain a list of all new and existing customers and also keep a record of
their account opening forms along with the KYC and CDD record of each customer.
1.2 Effective Know Your Customer (KYC) and Customer Due Diligence (CDD) policies and procedures
should be developed by the securities brokers in accordance with the Guidelines issued by Pakistan
Stock Exchange
1.3 KYC and CDD policies and procedures should contain the following information and documents and
shall be updated in accordance with changes in applicable law:
Individual/ Sole proprietorship Partnership Institutions/ Corporates
Copy of CNIC of Principal
and Joint holders/ NICOP for
Non-Residential Pakistanis
Passport for Foreign
Nationals
Business/ Employment Proof
NTN Certificate (If available)
Nominee details (Not in case
of Joint holders)
Present and permanent
address details with
supports (where possible).
Email address of the
customer
Name of Partnership and
Partners
Copy of CNIC/NICOP of all
Partners
Partnership Deed
Copy of Latest Financials
Certificate of Registration
(If registered partnership
firm)
NTN Certificate
Address of place of
business
Authorized partner to
operate the account
Mobile number and email
address of the authorized
person
Name of Directors and
Officers
Registered Address
Copy of CNIC/NICOP of
all Directors and
Authorized Signatories
Certificate of
Incorporation
Certificate of
Commencement of
Business
NTN Certificate
Tax exemption certificate
where applicable
Certified copy of Board
Resolution
Memorandum & Articles
of Association/ Bye
Laws/ Trust Deed
Audited Accounts of the
Institutions/ Corporate
Trust
Club Societies and
Associations
Executors/
Administrations
Copy of CNIC of all Trustees
Certified copy of Trust Deed
Copy of Latest Financials of
the Trust
Document Evidence of Tax
Exemption (If any)
Trustee/ Governing Body
Resolution
List of Members of
Governing Body
Copy of CNIC/ NICOP of
Members of Governing
Body
Certified Copy of
Certificate of Registration
Certified Copy of by-laws/
Rules and Regulations
Copy of Latest Financials
of Society/Association
Resolution of Board/
Governing Body
Copy of CNIC of all
Executors/
Administrators
Certified Copy of Letter
of Administration
Guidelines for Internal Control System and Compliance Function for
Securities Brokers
Page 6 of 24
1.4 The securities broker should have a control to ensure the retention of the records of the customer’s
identification their updation on a timely basis.
1.5 Senior personnel of compliance function, preferably the Compliance officer should give approval of the
opening of account of the customers and should prepare a checklist for all the relevant supporting
documents. The approval should be based on a checklist which covers the major areas of KYC
guidelines.
1.6 Total number of accounts opened/ client codes should be matched by the compliance officer with the
account opening forms and the checklist attached on regular intervals. Further, tagging of client code
and opening of the sub-account to be validated when performing this review.
1.7 Sufficient information as referred above in paragraph 1.3 should be obtained and documented on the
intended nature of the account to be opened/ maintained.
1.8 Reasonable steps/checks should be taken by the securities broker to assess the correctness of
information, provided by customer at the time of opening account.
1.9 There should be standard comprehensive policy for developing customer profile. The policy should take
into account all the relevant factors. Customer particulars/ profiles should be maintained through
appropriate database and remains available to relevant departments of brokers /inspections. The policy
should be implemented across the board and its implementation must be checked by the compliance
function.
1.10 There should be standard procedures and policy for risk assessment of all existing and prospective
customers. Policy should cover the identity, nature of income, source of funding, location etc. and based
on the outcome of such assessment; customers should be categorized as high risk, medium risk or low
risk.
1.11 There should be policies and procedures for conducting enhanced due diligence. The implementation
of these should be checked by the compliance officer. There should be system based controls such
as alert for trading beyond specified thresholds and should be monitored/ controlled by the authorized
personnel.
1.12 Any updation in client’s profile should be supported by reasonable evidence and the same should be
reviewed within a reasonable time period by the Compliance function.
1.13 The securities broker should have the policy and programs for training of its employees regarding
compliance of all relevant laws and other anti-money laundering obligations.
1.14 A securities broker should provide the customer with a risk disclosure document in accordance with the
specimen provided by the securities exchange containing basic risks involved in trading in securities
and risk associated with trading in derivatives and leverage products.
1.15 Written acknowledgement should be obtained from the customer confirming that he/she has
understood the nature/ contents of the risk disclosure document.
1.16 Client should be provided the CDC setup report for signatures. Copy of complete set of Account
Opening form should be provided to the client for his record. Further, a copy of the UIN Post Report
may also be provided to the Customer to ascertain that consistent and accurate information is entered
in all relevant systems.
1.17 The securities broker should have the policy and programs for reporting suspicious transactions and
suspicious accounts as per requirements of KYC guidelines.
Guidelines for Internal Control System and Compliance Function for
Securities Brokers
Page 7 of 24
2. Periodic Reporting to Customers
2.1 The adherence of reporting framework with regulatory requirements should be ensured by the
securities broker/ compliance function in terms of frequency, comprehensiveness authenticity and
accuracy. This may include compliance with CDC regulatory requirement for sending securities balance
reports and with Pakistan Stock Exchange (PSX) rule book for account statements.
2.2 The compliance function should check adherence with reporting framework including maintenance of
evidence of sending the reports to customers.
3. Account Closing
3.1 A securities broker should maintain the details of accounts closed during the year and also ensure
that it is in compliance with the regulatory requirements.
3.2 A Securities broker should check that:
a. There is no balance/ securities outstanding against the customers;
b. Customer’s money has been transferred/ settled;
c. No transaction was carried subsequent to account closing date.
d. Requisite certificates and clearances as prescribed under the applicable regulatory framework
have been obtained for closing the account
3.3 There should be clear policies for account closing for:
e. Settlement of outstanding balance in the client’s regular bank account (money and shares/
securities held on client’s behalf);
f. Criteria for account closing date; whether after settlement or the date of application of account
closing.
Adherence with the above policies should be checked by the compliance function.
3.4 In case account of the customer is closed, Securities brokers should close the CDC sub account and UIN
of the account holder in NCCPL
4. Controls over order acceptance and execution to ensure compliance with regulatory
requirements
4.1 There should be a clear policy to deal on behalf of a customer.
4.2 A securities broker should not deal in securities on account of customer without instructions of such
customer. Appropriate controls must be developed and implemented to ensure this objective including
maintenance of evidence of instructions by the customers and matching the trades executed on behalf
of customer with the instructions by compliance function on a test basis.
4.3 An authorized personnel of a securities broker should take reasonable measures to execute the orders
placed by the customers on the most advantageous terms as expeditiously as practical in the prevailing
market conditions.
4.4 All orders placed by customers through telephone should be recorded by authorized personnel over
dedicated telephone lines. Orders received in-person from visiting customers should be adequately
recorded and acknowledgement should also be obtained from the customers. Priority should be given
to outstanding customer orders.
Guidelines for Internal Control System and Compliance Function for
Securities Brokers
Page 8 of 24
4.5 The chronological register should be maintained in electronic form including the logs generated
from the system and telephone recording.
4.6 Records pertaining to all orders received from customers in writing or through any other document, fax,
email, or through any other means should be preserved.
5. Segregation of duties
5.1 There should be clear lines of responsibility, authority and tasks that are adequately assigned to its
employees and accredited representatives.
5.2 There should be segregation between front office and back office functions. Accordingly, person
responsible or authorized to execute proprietary trades or client trading should not have access to
books of accounts and should not have authority to access/ modify the back office record.
5.3 There should be an appropriate segregation of duties and information barriers between own account
or proprietary trading and customer dealing functions.
6. Trading in Brokerage Operations/ Trade review procedures to detect violation with regulations
6.1 Trading includes the following components:
Purchase / sale of securities (Ready/futures/OTC)
Settlement of securities
Purchase / sell / rollover of future contracts
Rate revision / agreement on rate / relaxations / waivers
Maintenance of margin (equity)
Transfer of profits on unutilized funds to customers and Maintenance of exposure deposits.
Operational manual should be developed covering the above components.
6.2 There should be a control environment and control procedures relating to trade activities. This includes
that trades in the customer accounts (over phone, off-site terminal) should be executed by the
authorized personnel as per the customer account / custody balance in accordance with the defined
procedures.
6.3 A securities broker should have approved policy and surveillance mechanism to discourage deposit
taking (on fixed/promised returns) by its all employees/dealers/accredited representatives.
6.4 Details of buying and selling should be corroborated with the following:
KAT Sheets
Broker intimation to customers
Trading Telephone recording/documentary evidence of placement of order.
A securities broker should have procedures to detect any illegal trading activities e.g. wash trades,
insider trading etc. Appropriateness of those procedures should be checked and implemented by
the compliance function
Guidelines for Internal Control System and Compliance Function for
Securities Brokers
Page 9 of 24
6.5 Amount transferred from securities broker’s bank account to NCCPL account for settlement of position
and transactions from daily NCCPL bank activity report should be on the same date. Controls should
be established for excess/ short payment, if any, and reason should be documented.
6.6 Trade procedures should ensure that the reconciled authorized orders are executed recorded,
confirmed, settled in the customer’s account and in the case of TSC or deemed TSC broker, the broker
maintains the segregated custody of customer balances to prevent misuse of client funds.
6.7 In the case of TSC or deemed TSC broker, the securities brokers should demonstrate that funds of
clients are not used for brokers own benefit. For this, a designated customer bank account should be
kept segregated from any account holding money belonging to the securities broker and its compliance
should be checked by securities broker.
6.8 In the case of TSC or deemed TSC broker, the securities broker should keep records of:
(a) all amounts deposited into the designated bank account(s), specifying the customers on whose
behalf the amounts are held and the dates on which the amounts were received;
(b) all payments from the designated bank account(s) through cross cheques or other banking
channels, the dates of those payments, and the names of the customers on whose behalf the
payments are made.
6.9 In the case of TSC or deemed TSC broker, there should be controls over movement of securities from
customer account and pledge or deposit of these securities as collaterals as per the customer
authorization.
6.10 Periodic trade activity reports should be sent to the clients for verifiable and agreed mode of
confirmation of trades and maintenance of client segregated assets where applicable. Verifiable and
agreed mode of confirmation should be used. The contents of the activity reports should be matched
with the securities brokers licensing regulations and the rule book of PSX. The frequency of reporting
should also adhere with the regulatory requirement.
6.11 In the case of TSC or deemed TSC broker, there should be adequate maintenance of control over
reconciliation of balances (custody and account balance) with a) customers; b) NCCPL; c) CDC.
6.12 A securities broker should ensure that roll forward of future contracts are carried accurately and
corresponding margin calls, if any, are made on timely basis from customer. Proper policy of
communication and settlement with the Exchange and customer should be prepared.
6.13 There should be controls over maintenance of key books and records including order register, trading
system generated reports, activity log and customer telephonic trading call logs as per the securities
broker’s SOPs and regulatory requirements.
6.14 There should be a standard policy over trade activities carried out by the employees of the broker, as
provided in the licensing regulations, including their written permissions, maintenance of unique
identification database stating the particulars of employees and establishment of required monitoring
procedures. The compliance function should check its compliance for design and implementation.
Control and procedures established to ensure compliance should be checked for design and
implementation
7. Custody, Segregation of Customer’ Assets (applicable on TSC or deemed TSC broker)
7.1 There should be a documented policy for controls over custody, segregation of client assets with own
assets and controls to prevent misuse of client assets. Separation of the custody of assets helps protect
embezzlement, cover up theft, and prevent fraud.
Guidelines for Internal Control System and Compliance Function for
Securities Brokers
Page 10 of 24
7.2 Separate maintenance, custody, segregation and settlement of reconciled client assets and client
margins (including transfer of profits on unutilized funds to customers) should be as per the Securities
broker’s SOPs and regulatory requirements as applicable in Pakistan and there must be appropriate
controls to ensure the same.
7.3 Clients Assets Segregation Statement (CASS) should be prepared at least on fortnightly basis and
should be checked by the Compliance Officer.
a) Total number of securities held in securities brokers account and in clients’ accounts reported in
the Statement should be matched with the system generated report of the back office system and
CDC Account Balance Summary Report.
b) Total number of pledged securities under each of the following classifications held in own account
and in clients’ accounts reported in the Statement with the CDC Pledger Balance Activity Report
should be matched:
Securities pledged with PSX / NCCPL;
Securities pledged with banks.
c) Total number of securities held in house account and in clients’ accounts reported in the Statement
should agree with the total number of securities held as per CDC records as reported in the
Statement.
d) All the securities should be reported in the Statement.
e) Amount of Trade payables reported in the Statement should match with the books of accounts as
at cutoff date.
f) Amount of Cash at bank reported in the Statement should match with the amount appearing in the
bank statements of clients’ bank accounts at cutoff date.
g) Amount of Trade payables as reported in the Statement should agree with the cash at clients’ bank
account as reported in the Statement.
7.4 Compliance function should ensure the accuracy of CASS and also its timely filing to the Stock
Exchange in accordance with the guidelines prescribed by the regulator. For this, the securities brokers
should:
keep all clients’ monies & securities segregated and secure from its own assets
maintain a separate bank account(s), with word “clients” in the title to hold clients’ money.
At any point in time, clients’ payable as per clients’ cash ledger must be supported with
equivalent amount of in clients’ bank account(s).
At any point in time, clients’ securities position as per back office record must be
supported with equivalent holding balances as per CDS record.
Any difference should be justified through reconciling entries.
In addition to fortnightly un-verified submission, the securities brokers should also submit CASS to PSX
within 45 days of close of the financial year, duly verified by the statutory auditor.
7.5 The compliance officer or any other officer should regularly monitor the customer assets, movements
therein, and prepare reconciliations as required. ln case of any discrepancy, the same must be reported
to the securities broker for taking immediate remedial action. In case the securities broker fails to rectify
the position within three business days, the matter should be reported to the Commission and the
securities exchange by the compliance officer.
Guidelines for Internal Control System and Compliance Function for
Securities Brokers
Page 11 of 24
8. Maintenance of Net Capital Balance/ Liquid Capital/ BMC Requirements
8.1 A securities broker should comply with the requirements given in the Third Schedule of the Securities
and Exchange Rules 1971, the Securities Brokers (licensing and Operations) Regulations 2016 and
the clarifications issued by Securities and Exchange Commission of Pakistan (SECP) for maintaining
net capital balance.
8.2 Compliance function should ensure that the calculation of Net Capital Balance (NCB)/ Liquid capital is
made in accordance with Schedule II & III of the Regulations. The calculation should also be reconciled
with the back office record.
8.3 NCB/ Liquid capital should be reported to the Stock Exchange in accordance with the guidelines
prescribed by the PSX/ SECP.
8.4 A securities broker should comply with the requisite Liquid Capital and BMC requirements.
8.5 A securities broker should submit an audited Statement of NBC/ Liquid Capital semiannually.
8.6 A compliance officer should ensure the accuracy and timely filing of the above statements.
9. Brokerage Commission
9.1 There should be a documented policy for brokerage commission. A securities broker should ensure
that approved brokerage commission is in accordance with the policy and is charged to individuals,
corporates and other clients as per the terms of agreement and policy of the Securities broker.
Adherence to the minimum brokerage commission rates prescribed by PSX, if any, should also be
ensured.
9.2 The compliance officer should ensure that commission rates are adequately maintained in the master
data list and are approved by the authorized personnel of the securities broker
9.3 The compliance officer should check the approved rates and if implemented through the IT system, the
related IT controls should be implemented and checked on regular basis.
9.4 The compliance officer should review invoice or bill issued to clients and should ensure that the same
has been duly reflected in respective clients’ ledger as well as ledger of commission income.
9.5 Ledger account of commission income should be reviewed to check that if any adjustment is appearing
therein. If so, check nature of such adjustment(s) whether it is used to refund commission to clients.
9.6 Commission income appearing in ledger(s) should be compared with figures appearing in audited
financial statements.
9.7 Review ledger account of commission expense to ensure if any adjustment is appearing therein. If, so,
check nature of such adjustment(s) whether it is used to adjust the commission.
9.8 List of dealer/agent wise commission should be reviewed to check un-accredited representatives of
unauthorized branches.
9.9 There should be clearly policy of disclosing the applicable brokerage commission to the customer at
the time of account opening any change in the cost charged to the customer should be communicated
to the customer in advance
Guidelines for Internal Control System and Compliance Function for
Securities Brokers
Page 12 of 24
10. Conflict of interest
10.1 There should be appropriate policies and procedures to minimize conflict of interest between securities
broker and its customers. The policies and procedures should identify and address situations where a
conflict may arise. For example, where the broker is also acting as an underwriter for an issue or where
the broker is also the book runner for a book building or acting as consultant for an issuer company etc.
Similarly conflict arising due to proprietary trading and trading on behalf of client should also be
addressed in the policies and procedures.
10.2 Controls in this regard should include ‘Chinese walls’ between staff performing conflicting duties and
timely disclosures to clients.
10.3 There must be documented procedures to address the above concerns and the compliance officer
should ensure adherence with the same.
10.4 Where conflict of interest arises between a securities broker and its customers, a securities broker
should immediately communicate the same to the clients.
10.5 A securities broker should not take any direct or indirect advantage from the situation and act in the
best interest of the customer.
10.6 A mechanism, including standard policies should be in place to resolve any conflict of interest.
10.7 A securities broker should make appropriate disclosure to customers of potential areas of conflict of
interest which could impair its ability to render fair, objective and unbiased service. Compliance function
must ensure adherence to the same on regular basis.
10.8 In case of any breach of policies by employees or accredited representatives, proper investigation
should be carried out and action should be taken by the securities broker.
11. Confidentiality of Information
11.1 There should be appropriate policies and procedures including IT controls to ensure confidentiality of
information and also to ensure that non-public information has not been misused.
11.2 A securities broker should establish ‘Chinese walls’ including policies and physical apparatus designed
to prevent the improper or unintended dissemination of market sensitive information from one division/
department to another and to ensure the following:
11.3 A securities broker should ensure that individuals making proprietary investment decisions are not
trading on the basis of material nonpublic information obtained from another department or unit of the
securities broker.
11.4 A securities broker and its employees and accredited representatives should neither profit nor seek to
profit from confidential information, nor provide such information to anyone with the objective of making
profit for itself or for its customers.
11.5 A securities broker and its employees and accredited representatives shall refrain from trading on the
basis of confidential information, and its employees and accredited representatives shall not reveal
such information outside the company.
11.6 A securities broker and its employees and accredited representatives shall not disclose or discuss with
any other person other than normal course of business or make improper use of the details of
investments of customers and other information of confidential nature of a customer.
Guidelines for Internal Control System and Compliance Function for
Securities Brokers
Page 13 of 24
12. Controls over trading by employees including proprietary, employees and associates trading
through other brokerage houses
12.1 A securities broker should formulate policies and procedures in accordance with the Regulations for
trading by employees, accredited representatives, their spouses and dependent children. There should
be controls and mechanism, including monitoring the trading activities of these persons to ensure that
at least the following policies/procedures are being implemented:
a) disclosure by employee and accredited representative of any securities held by employee, spouse
and /or dependent children along with details of their accounts with a securities broker. Such
information should also be reported to the compliance officer;
(b) prior written approval for trading by employees and accredited representatives for their own
personal accounts or on behalf of their spouses and/or dependent children;
(c) approval or rejection of an application seeking trading or investment in securities by employees
and accredited representatives;
(d) periodic disclosure of securities held by employees and accredited representatives and their
spouses and dependent children, and reporting of actual transactions, including volume, date and
price, in a timely manner,
(e) restriction on employees and accredited representatives from deriving any benefit or personal
advantage from information which is generally not available and which is obtained by reason of or
in the course of their employment with the securities broker,
(f) prescribing a minimum holding period and discouraging frequent short-term trading or trading for
speculative purposes;
(g) prescribing trading windows and blackout periods to restrict the misuse of confidential
information; and
(h) compliance of employees and accredited representatives in accordance with the requirements
specified by the securities exchange and its code of conduct.
12.2 A securities broker should formulate policies and procedures for execution of proprietary trades in terms
of secrecy and trading ahead of outstanding orders of customers, and should also identify the persons
who are authorized to operate the proprietary trading account.
12.3 The proprietary trades of a securities broker should be executed through designated terminals and by
designated systems operators.
12.4 A securities broker should formulate policies and take reasonable measures to restrict its employees
and accredited representatives, including employees serving as directors on its board, from trading
through another securities broker of the same securities exchange.
13. Customer Complaints
13.1 Internal policies and procedures for customer complaints should be developed by the management of
the securities broker which covers the following:
Person responsible for handling of customer complaints;
Timeline for resolution of customers’ queries;
Periodic review and monitoring by an appropriate authority for proper handling;
Appropriate remedial action of customer complaints;
Unresolved complaints beyond required timeline.
Guidelines for Internal Control System and Compliance Function for
Securities Brokers
Page 14 of 24
13.2 Quarterly reports regarding number of complaints received, redressed and unresolved should be
submitted to the PSX.
13.3 Special attention should be given for any unusual or frequent complaints which indicate control
deficiency.
13.4 The securities broker should have controls over customer complaint records and its related resolutions.
14. Short Selling Requirements
14.1 There should be an adequate framework developed by the securities broker for supervision and
monitoring of short selling activities to ensure its compliance with the Regulations and the conditions
specified by the securities exchange.
14.2 A securities broker engaging in short selling transaction on account of a customer should ensure that
such customer is aware of the risks involved and has the financial capacity to assume such risks.
14.3 A securities broker should establish internal guidelines for short selling prior to conducting short selling
transactions providing therein procedures for the supervision and monitoring of short selling activities
by the securities broker, to ensure compliance with these regulations and conditions specified by the
securities exchange.
14.4 There should be a documented policy for ensuring implementation of trade review procedure,
reasonably designed to identify trades that may violate the provisions of the Act and any rules and
regulations made thereunder.
14.5 There should be established procedures to prevent execution of blank sales. These should be
implemented through a system and include production of evidence of holding of securities by the
customer if the securities are not held under custody with broker (e.g. securities held in the Investor’s
Account).
14.6 Procedures should be there to ensure compliance with other requirements such as short sale on uptick
or zero-plus tick etc.
15. Controls over completeness, accuracy and authenticity of back office record and data
15.1 A securities broker should incorporate such internal controls as are approved by the Board, including
the following:
Proper log and sequencing of all input data and transaction documents.
All other controls as specified in paragraph 33 of the regulations should be followed including
proper indexing and arranging of all deals and transactions so as to permit prompt access to any
particular record
IT controls as detailed in paragraph 34 of the guidelines should be followed.
For processing and recording of transactions, an approved structure of authority matrix by the
securities broker should be in place
The recording of telephone orders placed by the customers should be kept by the I.T Department.
Brokerage amount should calculated by the system automatically on the basis of brokerage rate
entered in the system at the time of account opening.
Adjustment (If any) to the amount of brokerage should be made only after approval mail from
traders.
Guidelines for Internal Control System and Compliance Function for
Securities Brokers
Page 15 of 24
All the equity brokerage transactions entered into by the company should be settled through
NCCPL.
The Securities Brokers should compare the Trade Summary (System Generated Report of
Trades) with NCCPL clearing report by comparing net amount receivable / payable as per
NCCPL report extracted from NCCPL terminal, in order to ensure that there are no unrecorded
transactions.
In case a difference is identified between the Trade Summary and NCCPL report, reconciliation
should be prepared.
The reconciliation should be reviewed by Head of Operations or other designated person.
Physical access to back office data should be restricted to authorized persons only. A policy in
this respect should be made and communicated to employees
15.2 A securities broker should also establish and implement a contingency plan to ensure continuity of its
operations in the event of disaster or crisis as detailed in the regulations.
B. FINANCE
16. Financial statement closing process
Preparation of financial statements
16.1 Finance department should have disclosure checklist for analyzing the completeness of disclosures in
the financial statements.
16.2 The personnel in finance department should prepare draft financial statement and its disclosures based
on the system generated trial balance and information received from various departments.
16.3 As the draft financial statements are prepared, it should be reviewed by the relevant personnel in the
finance department against the disclosures checklist to ensure that they are in compliance with
applicable laws and regulations relating to presentation and disclosure of financial statements.
Reconciliation of house securities with CDC/NCCPL
16.4 Reconciliations should be prepared by relevant officer and reviewed by Head of Operations and Risk
management department.
16.5 Appropriate adjustments should be recommended by relevant officer to back-office personnel and
should be approved by the Head of Operations.
16.6 These reconciliations should be performed on periodic basis.
Recording of tax expense, withholdings and payments
16.7 Taxation workings (Current and Deferred Taxation) should be prepared and reviewed by relevant
personnel.
16.8 System should contain list of customers/ vendors along with their applicable rates. Once the payment
is made to those customers, system should automatically compute the amount of withholding which is
show on the payment voucher. If a manual system is followed, controls should be implemented to
ensure correct calculations.
16.9 Relevant officer in the finance department should ensure that the amount has been actually withheld
and this should be reviewed by any competent authority in finance department.
Guidelines for Internal Control System and Compliance Function for
Securities Brokers
Page 16 of 24
C. FIXED ASSETS/ INTANGIBLE ASSETS
The below mentioned controls are more relevant for public limited companies.
17. Additions, Deletions, Adjustment, Write-off
17.1 Requisition request should be raised by concerned department containing the reason, description and
amount. Such requisition should be approved by departmental head and then forwarded to
procurement department.
17.2 Requisition once approved by the CEO/ COO/ relevant authority, at least three quotations should be
obtained.
17.3 Award of quotation should be based on the selection criteria as defined in the SOPs. Purchase order
should be generated as approved by relevant authority which is then forwarded to relevant
departments.
17.4 Assets should be received by user department/ relevant department which intimates to finance
department after verifying and tagging it for entry in Fixed Asset Register.
17.5 Finance department personnel should check all the source documents supporting the acquisition and
then entry is made in system after obtaining the approval of relevant authority. The invoice is sent to
finance department by user department for payment processing.
17.6 Payment vouchers should be prepared and approved by the relevant personnel.
17.7 Disposals should be approved by relevant authorities of user department and administrative
department. The approved forms should be sent to the finance department for recording.
17.8 Gain/loss on disposal should be computed by the relevant department, but the responsible person in
finance department should check and record transaction.
17.9 Each year, internal audit department/ relevant department should perform the physical count of assets
and reconcile it to fixed asset register in order to determine whether any adjustments/write-offs are
required which is then communicated to finance department.
17.10 User departments should annually review the valuations and realizability of assets to identify permanent
impairment and then communicate adjustments to personnel in finance department which is recorded
in the system after obtaining the approval from CFO.
17.11 Approved gate pass should be prepared by user department/ relevant department which is then
forwarded to the administrative department for assets received or leaving the premises.
17.12 Depreciation should be calculated at the end of each month on the basis of policy either automatically
by system / relevant person in finance department. The calculation should be approved by the CFO/
authorized senior personnel from Finance after checking the rates and calculations in appropriate
period.
18. Maintenance of Fixed Asset Register
18.1 Fixed asset register should be maintained by the relevant personnel in finance department who updates
the register as per the intimation of user department after additions/ disposal/ adjustments/ write offs.
The recording of impact in books should be subject to the approval of CFO.
18.2 Fixed asset register should contain following minimum particulars as per the requirements of TR-6
issued by ICAP:
– detailed description of each item;
– original cost of the item;
– date of its acquisition;
Guidelines for Internal Control System and Compliance Function for
Securities Brokers
Page 17 of 24
– classification of the item;
– the location and/or the custodian of the item;
– the rate of depreciation;
– accumulated depreciation;
– depreciation charge for the period;
– the department/ cost center/ product to which the depreciation is charged date of revaluation
(if any);
– revalued amount (if any) of the items;
– depreciation on revalued amount;
– accumulated depreciation on the revalued amount.
D. TRADE DEBTS
19. Exposure Limits
19.1 There should be a criteria/policy of the securities broker to provide exposure limits to customers.
19.2 Exposure limits should be assigned to customer after proper review and approval.
19.3 The policy relating to exposure limits should not be in contravention to respective rules and regulations.
19.4 The compliance officer should monitor the trade debts on regular basis and any contravention or
violations should be brought to the knowledge the management to take necessary action.
20. IT Controls
20.1 IT team should ensure that:
Any unauthorized change in exposure limit in the system is restricted.
System generates a pop-up when the exposure limit is fulfilled/ breached.
Ageing is accurate based on (FIFO method).
User wise complete audit logs for access and updates are available in the system
21. Ageing & Provisioning
21.1 There should be detailed policy for aging and provisioning and its accuracy/calculations should be
checked on a regular basis.
22. Recoveries / write offs
22.1 There should be policy for recoveries / write offs. Policy should cover the person who is authorized to
write off /collect recoveries, approval by the BoD, working after consideration of the tax laws / IFRS.
22.2 Disclosure of provision should be made for the balances due for more than 5 days after taking into
consideration of value of custody after applying haircut (Regulations).
E. CASH AND BANK
23. Account opening/ closing
23.1 Approval for opening of accounts along with name of signatories authorized to operate should be
obtained from the Board.
Guidelines for Internal Control System and Compliance Function for
Securities Brokers
Page 18 of 24
23.2 Personnel in finance department should fulfill necessary requirements which are reviewed and
approved by CFO and then account is opened.
23.3 CFO should authorize finance department personnel for the opening of new GL code for new account
opened.
23.4 The bank accounts should not be closed without obtaining the prior approval from the Board along with
the reasons for closing the account
24. Bank reconciliations
24.1 At least each month, finance department personnel, shall prepare bank reconciliation of all bank
accounts which should be reviewed and approved by the relevant authority.
24.2 All unusual items in bank reconciliation should be investigated by the approver.
25. Payment / receipts of funds
25.1 Authorized signatories should be defined for the issuance of cheques/ pay orders/instruments.
25.2 Once funds are received, finance department personnel shall verify relevant supporting documents and
entry shall then made in the system after the authorization from the relevant authority.
25.3 Payment voucher should be prepared by finance department personnel once the invoices or bills are
received from user department. Payment shall be processed after payment voucher is approved by the
relevant authority.
25.4 There should be a clear policy of receipts and payments from clients through cross cheques. Any
exception of cash receipt should be reported to the stock exchange.
26. Petty cash
26.1 Personnel should be authorized along with the limits of cash maintained with them.
26.2 Physical count should be performed periodically by relevant personnel in the presence of head of user
department.
26.3 Payments from petty cash should be made after taking the approval of user department head and then
supporting documentation is forwarded to the finance department relevant personnel who will review
and post the entry after the approval of the relevant authority.
27. Profit computation on savings/ PLS accounts
27.1 At the end of each month, Finance department personnel shall compute the profit on different accounts
using applicable rates which is approved by CFO/ authorized senior Finance Department official for
the recording in the system.
27.2 Profit accrual is computed by the relevant personnel in finance department which is then approved by
the CFO /authorized senior Finance Department official and entry shall then be recorded in the system.
27.3 Once profit is credited in the bank account by the respective bank, receipt voucher shall then be
prepared by the finance department personnel, approved by the relevant authority.
Guidelines for Internal Control System and Compliance Function for
Securities Brokers
Page 19 of 24
27.4 Entry for the receipt shall then be recorded in the system.
27.5 Finance department personnel shall compare the amount received from the bank with the accrual
amount recorded already in system.
27.6 Any difference between such amounts should be recorded in the system after the approval of CFO/
authorized senior Finance Department official.
27.7 Distribution of profit on client related bank account to each client; in case client not ready to receive the
profit amount ensure that proper approval has been obtained from respective clients in accordance with
the applicable regulations
F. EXPENSES
Purchase order should be prepared / controlled for all the expenditure incurred by the Securities
broker above the threshold specified by the board or senior management. Before issuing the
purchase order, it should be signed by the relevant authorized person.
Invoices should be verified and compared with the purchase order.
Disbursement vouchers should be prepared and authorized by the relevant authority.
Authorization limits should be set for all the expenditure incurred by the Securities broker.
Capitalization policy should be designed to properly classify the expense into revenue / capital
expenditure.
All expense transactions and other cash disbursement should be recorded in a journal called cash
disbursements and accounts payable by check numbers (including void checks).
G. INFORMATION TECHNOLOGY GENERAL CONTROLS (ITGCS)
28. Access Security
28.1 The securities brokers should approve the nature and extent of user-access privileges for new and
modified user access, including standard application profiles/roles and critical financial reporting
transactions.
28.2 Only authorized software should be allowed to be installed on systems
28.3 Access for terminated and/or transferred users should be removed or modified in a timely manner in
accordance with the documented securities broker policy.
28.4 Privileged-level access should be authorized and appropriately restricted.
28.5 User access should be periodically reviewed in accordance with the established requirements in the
documented securities broker’s policy.
28.6 Logging should be enabled within the system.
28.7 Logs should be monitored or audited on a regular basis to detect unauthorized or inappropriate activity.
28.8 Access should be authenticated through unique user IDs and passwords or other methods as a
mechanism for validating that users are authorized to gain access to the system. Password parameters
should meet securities broker and/or professional policies and standards (e.g., password minimum
length and complexity, expiration, account lockout).
Guidelines for Internal Control System and Compliance Function for
Securities Brokers
Page 20 of 24
28.9 Changes should be appropriately approved and tested before being moved into the production
environment.
28.10 Any change should be communicated on a timely basis.
29. Program Change
29.1 End-users should perform acceptance testing of programs and systems in a protected environment
separate from production before the developed, or modified programs or systems are implemented into
the production environment.
29.2 Access to implement changes into the application production environment should be appropriately
restricted and segregated from the development environment.
30. Data center and network operations
30.1 Physical security mechanisms and environmental controls should be in place to protect its IT assets
in data centers/computer rooms from intentional or unintentional damage.
30.2 Financial data should be backed up on a regular basis according to an established schedule and
frequency. Backup media are stored in an appropriately secure location. Further, backup processes
should be monitored for successful execution, and failures are escalated and corrected to ensure data
is usable and available for retrieval and restoration if needed.
30.3 Restoration testing of backups should be performed on frequent basis to determine the usability and
integrity of the files.
30.4 The entity should have formal agreement(s) to obtain technical or application support from contractors
and/or software vendors to ensure availability of such support. Management of the securities brokers
should monitor compliance with these agreements.
31. Application Acquisition, Development & Maintenance
31.1 An established methodology or process, approved by the securities brokers, should be used to guide
the acquisition, development, modification, and maintenance of application systems, databases,
Network/Domain Controller and communication software, systems software, and hardware to establish
consistency of development and maintenance activities within the entity.
31.2 Management of the securities brokers should also approve all decisions related to aforementioned
acquisitions.
32. IT Governance
32.1 In the case of a public company, a detailed and approved IT Strategic Plan should exist to address both
long and short term IT related projects.
32.2 In the case of a public company, a dedicated IT Steering Committee should exist to govern all IT related
matters.
32.3 IT risk management framework should be established that is aligned to the organization’s (enterprise’s)
risk management framework.
32.4 A formal disaster recovery plan / business continuity plan should have been developed, approved and
tested on a regular basis.
Guidelines for Internal Control System and Compliance Function for
Securities Brokers
Page 21 of 24
32.5 IT/ IS policies and procedures should be formally documented approved and updated on a periodic
basis.
32.6 Security Awareness trainings/programs should be conducted on periodic basis in order to enable the
users of information systems to understand applicable security policies and the measures that should
be taken to safeguard organizational assets.
32.7 A formally documented and approved Matrix should exist to address SOD related issues.
32.8 In the case of a public company or a Trading and Self Clearing Broker, the Internal Audit function should
also review IT related matters.
32.9 Compliance to the minimum computing, connectivity, security and other requirements as identified by
the Exchange, Depository and Clearing Company from time-to-time should be ensured
33. Operating System/ database
33.1 Management of the securities brokers should approve the nature and extent of user-access privileges
for new and modified user access, including standard application profiles/roles and critical financial
reporting transactions.
33.2 Access for terminated and/or transferred users should be removed or modified in a timely manner in
accordance with the documented securities broker policy.
33.3 Privileged-level access should be authorized and appropriately restricted.
33.4 User access should be periodically reviewed in accordance with the established requirements in the
documented securities broker policy.
33.5 Logging should be enabled within the system.
33.6 Logs should be monitored or audited on a regular basis to detect unauthorized or inappropriate activity.
33.7 Access should be authenticated through unique user IDs and passwords or other methods as a
mechanism for validating that users are authorized to gain access to the system. Password parameters
should meet securities broker and/or professional policies and standards (e.g., password minimum
length and complexity, expiration, account lockout).
33.8 Changes should be appropriately approved and tested before being moved into the production
environment.
33.9 Any change should be communicated on a timely basis.
33.10 Log of generated and deleted vouchers should also be maintained.
33.11 Systems should be safeguarded from malicious programs (e.g. viruses, worms, trojans etc.) through
updated anti-virus and other related software
34. Network
34.1 Access should be authenticated through unique user IDs and passwords or other methods as a
mechanism for validating that users are authorized to gain access to the system. Password parameters
meet securities broker and/or industry standards (e.g., password minimum length and complexity,
expiration, account lockout).
Guidelines for Internal Control System and Compliance Function for
Securities Brokers
Page 22 of 24
34.2 Network should be architected to segment web-facing applications from the internal network, where
ICFR relevant applications are accessed.
34.3 On a periodic basis, vulnerability scans of the network perimeter should be performed by the Network
management team who also investigate potential vulnerabilities.
34.4 On a periodic basis, alerts should be generated to provide notification of threats identified by the intrusion
detection systems. These threats are investigated by the Network management team.
34.5 Encryption and two factor authentication protocols should be implemented to restrict Virtual Private
Network (VPN) access to authorized and appropriate users.
34.6 Network / firewall changes should be appropriately reviewed and approved before being implemented
into the production environment.
35. Disaster recovery planning / Business Continuity Plan
35.1 Business Continuity and Disaster recovery plan should be in place duly approved by the Board of
Directors, having capability of restoring both the IT operations and business processes.
35.2 Coordinated strategy should be developed that involves plan, procedures and technical measures to
enable the recovery of systems, operations and data after a disruption.
35.3 Disaster recovery plan should be tested on periodic basis and proper documentation of the same should
be in place.
H. COMPLIANCE DEPARTMENT
36. Structure
36.1 A securities broker should, as applicable, either designate or appoint a whole-time compliance officer,
fulfilling the fit and proper criteria specified in the Regulations.
36.2 Appointment of compliance officer should be done by COO and CEO subject to the approval of Audit
Committee/ BOD.
36.3 Compliance officer should meet minimum criteria as specified in the Regulations.
36.4 Compliance officer should be held responsible for monitoring compliance of the securities broker with
the applicable regulatory regime.
36.5 Compliance Officer should report findings directly to the Audit Committee/ BOD for the actions.
37. Qualification of staff
37.1 The Board should formulate policy containing the following minimum criteria for appointment of staff in
the compliance department:
a. Education
b. Experience
c. Professional qualification
37.2 Regular trainings should be organized by the compliance department officer.
Guidelines for Internal Control System and Compliance Function for
Securities Brokers
Page 23 of 24
38. Compliance plan / scope and monitoring mechanism
38.1 There should be a compliance department scope/policy/plan/manual, approved by the Board of Directors
which should contain the following particulars at a minimum:
– Frequency of monitoring
– Scope of work including compliance with all applicable regulatory requirements
– Areas for monitoring
– Thresholds for monitoring
– Risk assessments
– Reporting of exceptions to Audit Committee/ BOD
– Laws and regulations checklists covering all regulatory requirements
– Roles and responsibilities of the compliance department
– Basic process flow for conducting periodic reviews
38.2 Each year, compliance department officer shall review the scope in the light of new/amended laws and
regulations and then make recommendations to the Audit Committee/ BOD for the final approval.
38.3 At regular intervals, Compliance department personnel should observe/check the compliances as per
the approved scope and then report shall be prepared which is reviewed and approved by compliance
officer who will present the same in the Audit Committee/ BOD. The Audit Committee/ BOD shall then
decide the course of actions.
39. Follow-up mechanism on pending compliances
39.1 Compliance department should obtain the status from relevant departments on regular basis for any
pending non-compliances identified. The same should be reported to the Audit Committee/ BOD for the
further actions.
39.2 Compliance department personnel should communicate to the relevant departments for the
changes/amendments in the laws and regulations along with the deadlines for the compliance.
40. Internal Code of Practice
40.1 Internal code of practice should be developed and reviewed on a regular basis for ensuring that its board,
directors, employees and agents are acting in interest of the customer, the integrity of the market and
are in compliance of the Securities Act, 2015, Securities Brokers (Licensing and Operations) Regulations,
2016 and any other applicable laws, guidelines, directives, circulars etc.
I. ENTITY LEVEL CONTROLS
41. Risk Assessment Process
41.1 A process for identifying business risk relevant to financial reporting, estimating the significance of the
risks, assessing the likelihood of their occurrence, and determining actions to address those risks should
be in place. The accounting department should have processes to identify significant changes in the
financial reporting framework.
Guidelines for Internal Control System and Compliance Function for
Securities Brokers
Page 24 of 24
42. Development and implementation of policies and procedures
42.1 A comprehensive policies and procedures should be developed by the Board of Directors or executive
committee of the Board for all key areas of operations. These policies and procedures should be
periodically updated.
42.2 Once the policy is developed by the Board, it should be visible to and clearly understood by the entire
organization.
42.3 There should be a review mechanism for reporting compliance with established policies and procedures.
42.4 Internal audit department should cover the area of implementation of policies and procedures.
42.5 Process should be there for assessment of the effectiveness of established policies, and procedures on
regular basis. The evaluation should consider the results of established policies, changes in market.
43. Internal Audit department
43.1 Internal audit should be established / outsourced to provide the Board and the management of the
securities brokers with the evaluation of system of internal controls, assessment of risks, test operations
of systems, and communicate / recommend for improvement.
43.2 The department should be competent by employing the sufficient appropriately qualified staff having
Internal Audit background and relevant experience.
43.3 All significant business processes and IT operations should be covered in the Internal Audit’s plan for
each year.
43.4 Internal audit should be independent of the management and reporting to the audit committee.
43.5 Periodic annual review of the internal control system and assessment of overall level of compliance of
the securities broker should be carried out and report directly to the board of directors or its audit
committee.
43.6 Audit committee/ Board should review the activities of internal audit department and ensures that the
internal audit is adequately resourced.
43.7 The Board and Audit Committee should review significant reporting issues and accounting policies,
securities brokers’ financial statements, formal announcements, net capital balance and other regulatory
reporting, going concern assumption, transactions with related parties etc.
44. Compliance with the Corporate Governance Code for Securities Brokers
44.1 All securities brokers should ensure compliance with the Corporate Governance Code requirements
given in the Annexure D of the regulations.
44.2 The listed securities brokers should ensure compliance with the securities brokers Code in addition to
the Code of Corporate Governance (CCG) applicable on listed companies. In case, there is any
inconsistency with the CCG, the provisions of the CCG should prevail.
NEWS UPDATE
Downloads
Cloud Based Accounting
