U N C L A S S I F I E D
2009
COMPLIANCE PROCEDURES
GUIDE
The guide describes the key procedures and tools used in day to day compliance. It also
contains useful references and contact details to support compliance operations.
UK Financial Investments | Compliance Procedures Guide 1
Contents
Governance and Reporting
1. UKFI Compliance Operating Framework (COF)
   Introduction
   Objective
   Process
   Reporting
2. Committees
3. Compliance One-to-Ones
4. Risk controls
5. Procedures and segregation of functions
6. Breaches
   Investigating Procedure
7. Business continuity
8. Outsourcing
9. Compliance Monitoring
   Process
10. Conflicts of Interest
   Process for setting up Chinese Walls
11. Personal transactions and relationships
   Personal relationships
   Personal Account Dealing
12. Inducements including gifts and hospitality
13. Training and competency
   [New Joiner Compliance Process and Checklist – to be done]
14. Insider dealing and market abuse
15. Money Laundering
16. Fraud prevention
   Investigating Procedure
17. Whistleblowing
   Detailed procedures
   Timescales
   Investigating Procedure
18. Data Privacy Act and Subject Access Requests
19. Freedom of Information Requests
Acronyms
Document Control
Author: UKFI Compliance
Date: 04 December 2008
Title: UKFI Compliance Procedures Guide
Description: Operating manual for UKFI Compliance setting out step by step
approach to Compliance activities and tasks
Latest version: 1.1
Version Control
1.1
1.2
Introduction
Welcome to the UKFI Compliance Procedures Guide. The purpose of this document is to
assist UKFI Compliance staff with the day to day operation of the Compliance function. It
serves as a guide to tasks, projects and repositories, and a step by step process guide for key
compliance activities.
As a “live” document, the Compliance Manual will inevitably require monitoring and updating.
This will be a designated responsibility for a member of UKFI Compliance staff; however, all Policy and
Operations staff should take it upon themselves to identify and notify the relevant individual
when they come across something that is incorrect or out of date.
As UKFI Compliance matures as a function, there will inevitably be additional compliance
activities and tasks that need to be added to this manual. Please ensure that you have the
most up to date version before you go ahead with a new task.
Governance and Reporting
1. UKFI Compliance Operating Framework (COF)
Introduction
The Compliance Objectives and Policies are set out in the Compliance Manual. This
document was agreed by the UKFI Board and sets out the compliance policies and controls
adopted by UKFI.
Objective
The objectives of the compliance function are to:
1. provide the Board with assurance that the policies and controls are operating
effectively;
2. provide advice and support to staff in dealing with compliance issues; and,
3. monitor the compliance risks and external environment to keep the control framework
up to date with the risks faced by UKFI.
INFORMATION: Compliance Manual
LINK: ..\Compliance Manual
Process
There are a number of processes that require oversight by Compliance; the mechanisms for
achieving this oversight are described in this manual. As the role of UKFI matures it may well
develop new activities which will have new or evolving compliance risks. The Compliance
Officer should make sure that he has a detailed understanding of the UKFI business plan and
strategy so that the Board can be effectively advised on compliance risks.
Reporting
The Compliance Officer should prepare an annual report for the Board on the effectiveness of
the Compliance Arrangements. The report will form part of the Board’s assessment of the
effectiveness of the Internal Controls and Systems for the Annual Report. The report should
focus on:
1. management of the key compliance risks
2. material breaches of policies or procedures
3. emerging risks
4. general assessment of compliance with all policies and procedures
5. adherence to compliance monitoring plan
In addition, Compliance should prepare a summary report for each meeting of the Audit
Committee that summarises:
1. adherence to the monitoring plan
2. significant breaches or issues arising
3. key activities for the following period, including seeking agreement to material
changes to the forward monitoring plan
In the event of a breach of policy or procedure Compliance should prepare a short incident
report that assesses the materiality of the breach, the actual or potential impact, any
weaknesses in internal controls or procedures and recommendations for actions.
DATA STORAGE
The information collated by Compliance for the report, and the draft and final
reports contain confidential and business sensitive information. The
individual that is responsible for the preparation of this report should set up a
subfolder to store all information flows for each report. A hard copy of the
final report should be filed in the “Compliance Report” folder, located in the
secure filing cabinet.
There will be circumstances when personnel information may be present in
this reporting process e.g. if an individual (client or staff member) is under
investigation, or if in relation to a particular complaint. When this situation
arises, we need to ensure that Data Protection requirements are adhered to
(see Compliance manual).
2. Committees
Committees are an essential mechanism for communication and reporting issues and
progress to the Board. Compliance will inevitably be involved in various committees, often
being required to chair the meetings or act as secretariat. The generic responsibilities of the
Chairperson and Secretariat are detailed below.
Chairperson
• Appoint committee members
• Adopt the terms of reference at the first committee meeting and approve
any subsequent changes
• Ensure that the committee meets and conducts its business in accordance
with the committee’s terms of reference
• Chair discussions, encourage debate and draw out views of committee
members
• Ensure that any material concerns that are not being adequately addressed
are escalated
• Review the effectiveness of the committee’s execution of its responsibilities
and the TOR on an annual basis.
• Deputise responsibilities to an alternate Chair if absent.
Secretariat
• Construct and agree the agenda with the Chairperson
• Provide guidance to presenters on the format and content of papers
• Circulate papers 48 hours in advance of the meeting to committee
members, deputies and other attendees
• Take and circulate the minutes and actions to committee members,
deputies and other attendees, as well as individuals tasked to complete
actions arising
• Maintain the actions log and monitor completion of actions
• Maintain and update the committees’ records e.g. TOR, membership,
ensuring changes are communicated to interested parties and relevant
records are amended
INFORMATION: See link opposite for the terms of reference of the main committees
LINK: ..\terms of reference\Draft Board Governance manual v1.0.doc
3. Compliance One-to-Ones
The quarterly One-2-One meetings held between the Heads of Functions and Compliance are
an essential part of the overall monitoring plan. The functional areas are:
• Market Investments (MktInv)
• Wholly Owned Investments (WOI)
• Policy and Operations (P&O)
• HM Treasury
o Finance
o HR
o IA
o IT
Compliance is responsible for setting up quarterly meetings with a representative of each
functional area.
Each meeting should be scheduled for between 30 and 60 minutes. Where it is not possible
for the individuals to meet face to face, a conference call should be arranged. Additional
meetings can be requested by either party.
INFORMATION: See link opposite for a contacts list of the Heads
of Functional areas / senior managers within
UKFI Centre.
LINK:
The purpose of the meetings is to allow UKFI Compliance to be kept informed and up to date
with all issues arising within a particular function. The agenda should reflect what is occurring
within that particular function for that quarter. However, as a minimum standard it should
include the following:
• A review of action items from the previous meeting
• A review of the current status of the regulatory and financial crime risks
• A discussion of current issues impacting the function
• Process breaches
• AOB
Other than action points, there is no formal requirement for minutes to be taken or distributed.
The minimum requirement is that these meetings should take place quarterly. However, close
and continuous communication should be encouraged so that any significant issues arising
are escalated to UKFI Compliance immediately. Should such matters arise it will
be necessary to schedule further meetings until the issues are resolved.
4. Risk controls
The Compliance Function will maintain the UKFI Risk Log and, with the CEO, arrange for the
periodic review of risks and the controls. The risk log should be reviewed annually by the
Board.
The risks within UKFI are tracked and monitored using the Risk Framework (RF). Each risk
has a Risk Owner (RO). UKFI Compliance is RO for the Regulatory and Financial Crime risks
across UKFI. In this role, we perform a quarterly attestation that the risks to UKFI operations
are adequately managed and controlled. This report is submitted to the Audit Committee.
UKFI Compliance requires that the business units report on their risks on a [quarterly] basis at
the one to one meetings. The information is used to highlight where there are potential issues
for discussion with the Board.
DATA STORAGE
The UKFI Risk Log is stored in the following location:
..\risk mgt\UKFI Risk Log - draft v0.1 14 Nov 08 v2.0.xls
Guidance on Risk Management Procedures is contained in the Orange Book
..\risk mgt\orange book.pdf
5. Procedures and segregation of functions
UKFI is a small company and as such functional duties and responsibilities will be shared
amongst a small group of the management team. Head of Policy and Operations holds the
current structure chart.
[All members of staff should have a thorough understanding of their roles and responsibilities
which are set out in their job descriptions/role profiles. These are held by HR].
The Accounting/Finance manual contains processes and controls to ensure that no one
person can:
1. initiate a transaction;
2. bind the company;
3. make payments; and
4. account for it.
These processes and controls should be included within the Compliance and Audit
monitoring plan and be reviewed in accordance with the inherent risk they represent.
6. Breaches
It is likely that Breaches will come to light from a variety of sources including breach reports in
accordance with Compliance Policy, monitoring, audit or in the general course of events. In
all cases the breach must be investigated so that the root causes of the breach are
understood and remedial or corrective action can be put in place.
All breaches must be recorded in the Breach Log and depending on the materiality of the
incident should be reported to the management team in line with the following guidelines.
Material or significant breaches, including fraud or false accounting, leakage of Commercial
Sensitive information to another investee company, Market Abuse rules, Money Laundering,
or incidents with a high reputational risk, should be reported to the CEO and the Head of
Policy and Operations at the first opportunity; you should not wait for an initial investigation to
be completed in these cases. In less serious cases the Head of Policy and Operations should
be informed of the breach and an initial investigation completed to assess the potential size
and impact.
The CEO will decide whether the Audit Committee of Board should be informed of the breach,
taking advice from the Head of Policy and Operations.
The Breaches Log will form part of the annual compliance report to the Audit Committee.
Investigating Procedure
The investigating officer should follow these steps:
• Full details and clarifications of the incident should be obtained.
• With the exception of potential criminal investigations the investigating officer should
inform the member of staff against whom the complaint is made as soon as is
practically possible. The member of staff will be informed of their right to be
accompanied by a trade union or other representative at any future interview or
hearing held under the provision of these procedures.
• The investigating officer in consultation with the CEO should consider the
involvement of the Company auditors and the Police at this stage and should consult
with the Chairman / Chief Executive.
• The allegations should be fully investigated by the investigating officer with the
assistance where appropriate, of other individuals / bodies.
• A judgement concerning the incident and recommended courses of action will be
made by the investigating officer. This judgement will be detailed in a written report
containing the findings of the investigations and reasons for the judgement. The
report will be passed to the Chief Executive or Chairman as appropriate.
The Chief Executive / Chairman will decide what action to take. If appropriate, they will invoke
the disciplinary or other appropriate procedures.
If appropriate, the CEO or Chairman may pass a copy of the report to the Company Auditors
to enable a review of the procedures.
7. Business continuity
http://www.thebci.org/gpgdownloadpage.htm
Business Continuity Management is the responsibility of the Acting Head of Operations. A
Business Continuity Plan will be put in place and will be periodically tested. Compliance’s
role is to ensure that the BCP meets the requirements of the Security Framework Policy and
other adopted requirements.
8. Outsourcing
The Accounting/Finance manual contains processes and controls to ensure UKFI complies
with Government Procurement Policies and that appropriate controls are put in place to
manage outsourced arrangements. Compliance should ensure that, as part of the procurement
process and in the ongoing management arrangements, appropriate contractual terms are in
place to allow UKFI to effectively implement the Board’s Compliance Policies where these
apply to the role the Outsource provider is performing. For instance, the Provider must be
subject to our Information Management Policies including the Freedom of Information
requirements. There is no prescriptive list and each case must be considered in turn; however,
a chapter by chapter review of the Compliance Manual is probably the most effective
mechanism to use in assessing the requirements.
If Compliance has any concerns about the ability of an Outsource Provider to comply with the
appropriately assigned Compliance Policies, the issue should be raised with the Head of
Policy and Operations, also informing the person responsible for the outsourcing.
Where outsourcing has taken place the processes and controls should be included within
the Compliance and Audit monitoring plan and be reviewed in accordance with the inherent
risk they represent.
9. Compliance Monitoring
It is a requirement of good governance and for the effective management of risks that a
Compliance and Internal Controls Monitoring plan is put in place and followed. The review of
internal systems and controls is owned by the Audit Committee. The Compliance Officer must
prepare an annual plan for the Audit Committee and adequately follow and report on the
implementation of that plan in the annual compliance report to the Board and to the Audit
committee.
In constructing the plan the following factors should be taken into consideration:
• The inherent risks faced by UKFI
• The materiality and impact of individual risks
• The effectiveness of the controls in place
• An assessment of the robustness of the controls in place including any management
self-assessment on the controls’ robustness and effectiveness
• How long the controls have been in place
• Breaches of policy and controls
• Previous audits of the controls and audit findings or the outcomes of previous
monitoring
• Requirements of the Board, Audit Committee, or Executive
Process
DATA STORAGE
The UKFI Monitoring Plan is stored in the following location:
..\risk mgt\UKFI Risk Log - draft v0.1 14 Nov 08 v2.0.xls
Guidance on Internal Audit Procedure:
http://www.hm-treasury.gov.uk/psr_governance_gia_guidance.htm
The Monitoring and Audit plan has the following characteristics:
• The plan is owned by the Audit Committee
• The Compliance Officer has responsibility for delivering the plan
• It is risk based
• It takes into account the size and complexity of UKFI’s business
• The Audit Committee will agree changes and amendments to the plan.
The types of monitoring or audit carried out may include:
• Systematic audit: A “full” audit in which every aspect and stage of the audited subject
is considered. It includes review of both the design and operation of controls
• Compliance audits: Where there is pre-existing confidence that controls are well
designed, but effective operation of the controls is a material issue, audits which test
only for effective operation of controls can be appropriate
• Key control testing: A variation on compliance audits, but clearly focussed on a small
number of material or key controls
• Quality Assurance Review: Reviewing the approach and competency of other
reviewers rather than reviewing risks and controls. Designed to form an opinion of the
reliance which can be placed on the work of others
• Risk Self-Assessment (see Risk Management): A technique in which the people who
run a system or process review their own risks and controls, usually with a facilitator
who ensures a structured approach. Facilitating RSA workshops serves both as an
assurance technique and a consultancy technique for internal audit
Contacts in Internal Audit:
10. Conflicts of Interest
Compliance must maintain the Conflicts of Interest log and ensure that all members of staff
are aware of:
• What a conflict of interest is
• How to identify potential conflicts of interest, and
• What to do if a conflict, or potential conflict, arises.
Detailed processes and procedures are set out in the Compliance Policy Manual.
The Conflicts Log should be reviewed regularly, at least annually, with the CEO and Senior
Management Team. The Conflicts Log should also be reviewed by the Board on request.
Any breaches of conflicts of interest policy should be investigated in accordance with the
Breach Investigations process.
The Board will maintain its own Conflict Log to record any potential conflicts arising from
individual Board members’ associations (see section 11).
DATA STORAGE
The Conflict of Interest Log is stored in the following location:
Compliance logs.xls
Process for setting up Chinese Walls
‘Chinese Walls’ may be required during periods when sensitive transactions are being
planned or underway. It is impractical to establish a physical Chinese Wall between individual
employees or teams within the UKFI premises; however, system solutions can be implemented
in liaison with the IS Service Provider and staff can be briefed on restrictions and precautions
to be taken in the handling of information and documents. The Head of Market Investments
will have the responsibility for establishing the control environment required for transactions.
These may include some or all of the following:
• Segregation of IT folders and firewalls
• Password protected access to documentation and folders
• Active monitoring of attempts to access documents
• Physical security of documents and access controls
• Briefing of staff on responsibilities
• Re-location of transaction staff to another building (e.g. the advisor’s or broker’s
location)
• Suppression of emails and email availability
• Such controls as are relevant to the transaction.
11. Personal transactions and relationships
Personal relationships
Compliance must maintain the Personal Relationships log and ensure that all members of
staff are aware of:
• How to recognise relationships that may cause a potential conflict of interest
• Their duty to record personal relationships.
Detailed processes and procedures are set out in the Compliance Policy Manual. Completion
of the log should be included in the employee induction programme and the annual review of
compliance policies by each member of staff.
The Personal Relationship Log should be reviewed regularly, at least annually, by the CEO.
All newly recorded relationships on the Log should be reported to the Head of Policy and
Operations who will decide whether or not to inform the CEO.
Any breaches of policy should be investigated in accordance with the Breach Investigations
process.
The Board will maintain its own Conflict Log to record any potential conflicts arising from
individual Board members’ associations.
Personal Account Dealing
DATA STORAGE
The Personal Relationships Log and PA Dealing Log are stored in the following
location:
Compliance logs.xls
http://fsahandbook.info/FSA/html/handbook/Glossary/D
All staff should be aware of their responsibilities in respect of Personal Account Dealing as set
out in the Compliance Manual. Before selling or buying any designated investment in a
financial services company the member of staff should complete the PA Dealing form which
will be reviewed and signed by compliance. Designated investment is as defined in the
Regulated Activities Order which can be seen in the FSA’s Handbook Glossary. Financial
Services Sector is intended to be a wide definition, aiming at all firms that are, or would be if
they were located in the UK, regulated by the FSA (deposit takers, insurers, financial
advisors, brokers etc).
Upon receipt of a dealing request form the compliance officer should:
1. Review the form to ensure it is complete and seek any clarification or further
information from the submitter
2. If the request is in respect of an investee company refuse the request and explain the
reasoning to the submitter, referring them to the Compliance Manual
3. Discuss the request with the Head of Market Investments to ensure that no imminent
transactions or UKFI activity will prevent the request being approved.
4. Respond to the submitter with an explanation of the reason
5. Record the outcome on the PA dealing log.
6. If the request has come from a Non-Executive Member of the Board discuss the
response with the CEO before informing the submitter.
12. Inducements including gifts and hospitality
All queries in relation to gifts and hospitality from third parties offered to UKFI staff should be
referred to UKFI Compliance. The gifts and hospitality policy can be found in the UKFI
Compliance Policies Manual.
Upon receipt of an enquiry, the details should be logged on the gifts and hospitality log,
ensuring that the key details are captured in the log. This document can be found, and
should be updated and saved in the location shown below:
INFORMATION: See link opposite for the Gifts and Hospitality register
LINK: link
If the request was received by email, UKFI Compliance should respond by referring to the
Group Gifts and Hospitality policy and stating that the Requestor must complete Annex 2 – Gift and
Hospitality Approval form. Each query should be responded to on an individual basis;
however, the following generic wording might be useful.
As you are aware there is a Group Gifts & Hospitality Policy which all
employees must adhere to. I have attached a copy of the policy for
your reference.
If you could please assist me by completing Annex 2 of the document,
UKFI Compliance can then process the request based on all the
available information.
Of note would be the relationship between UKFI and the supplier and
any potential or current conflict of interest or perception therein.
The requestor should fill out the Gifts and Hospitality Approval form to ensure that all the core
information is captured.
INFORMATION: See link opposite for the Gifts and Hospitality Approval form
LINK: \\link
Upon receipt of the Approval form it will be necessary to review the information provided,
identifying anything that needs to be clarified or which requires additional information. It may
also be necessary to contact other areas of UKFI e.g. another department that deals with a
particular supplier, or to conduct research into the event that the individual has been invited
to. Once all the relevant information has been established an assessment should be
conducted. It is important that you refer to the gifts and hospitality register for precedents.
The final decision should be documented in an email to the individual that referred the query,
providing details of how and why the decision has been made. See below for an example
email where a gift or hospitality has not been approved.
Following a review of the available information on the gift/hospitality
you have been offered from X supplier, I have concluded that it would
be inappropriate to accept this.
The reasoning for this decision is based on a number of factors:
- the value of the gift;
- that it is from an existing vendor;
- the gift is for travel, accommodation and tickets in an international
location; and
- the ongoing relationship with the vendor who has the only approved
product within UKFI.
I understand you may be disappointed by this decision and the
opportunity you have to give up. However, I am sure you will
understand that the Gifts and Hospitality Policy must be applied to
protect our staff and UKFI.
Please let me know if you have any questions.
Depending on the seniority of the individual that has been offered the gift or hospitality, it may
be necessary for the email to be sent by the Head of Operations and Policy.
DATA STORAGE
All emails in relation to each Gifts and Hospitality query should be saved
under the relevant Gifts and Hospitality register number in the
Compliance folder.
Any relevant hard copies of documents should be filed in the “Gifts and
Hospitality” file under the relevant G&E log number.
13. Training and competency
[New Joiner Compliance Process and Checklist – to be done]
Given the size and nature of UKFI’s activities the primary consideration for an individual’s
training requirements for their role will lie with line managers. However we are required by law
and by our policies to ensure that members of staff undertake certain periodic training.
Where appropriate these courses will be provided through the HMT training facility or the
UKFI Training Provider (
).
The following training has been identified:
Subject | Provider | Frequency
Health and Safety | | Annual
Protecting Our Information | | Annual
Market Abuse | | Annual
Understanding procedures | UKFI Compliance | On joining
Current contact list (Dec 2008):
People, Personal conduct, Individual responsibilities –
Health and Safety, ;
Protecting our Information,
DPA/FOI:
Head of Information Rights Unit.
UKFI Compliance is responsible for monitoring the completion of mandatory training
requirements and the successful completion of training.
On joining, all UKFI employees must read the Compliance Manual and complete the Confirmation
Log to indicate that they have read and understood the Compliance Procedures. Compliance
will hold the log. Compliance should arrange any explanatory or further training that
employees require to help them comply with the Manual.
DATA STORAGE
Compliance Logs
14. Insider dealing and market abuse
Compliance must ensure that all members of staff are aware of the Market Abuse Rules and
that they comply with the Insider dealing and Market Abuse policy. The reputational damage
to UKFI from any breaches of the policy will be great and individuals may face criminal
prosecution. Annual compliance training must be given to employees to ensure that they are
aware of their obligations.
Detailed processes and procedures are set out in the Compliance Policy Manual.
The Conflicts Log should be reviewed regularly, at least annually, with the CEO and Senior
Management Team. The Conflicts Log should also be reviewed by the Board on request.
Any breaches of conflicts of interest policy should be investigated in accordance with the
Breach Investigations process.
The Board will maintain its own Conflict Log to record any potential conflicts arising from
individual Board member’s associations (see section 11).
Any actual or potential breach of Market Abuse or Insider information requirements must be
reported to the CEO at the first opportunity, before the initial investigation. If the incident is
serious enough on its own ground, or the initial investigation merits it, other stakeholders,
including the supplier of and the subject of the insider information, should be informed of the
incident. The subject of the information may have a duty to report the incident to the
Regulated Investment Exchange on which it is listed.
The Board will decide whether or not to refer any market abuse or insider dealing to the
Police or regulatory authorities.
DATA STORAGE
The Conflict of Interest Log is stored in the following location:
Compliance logs.xls
15. Money Laundering
Under the current arrangements it is highly improbable that UKFI will be used for Money
Laundering purposes, as we have no external client relationships and will not be dealing
directly with the Market. However, staff should be kept aware of AML procedures, including
their obligations under the law, how to identify a suspicious transaction and what to do if
they do.
If a suspicious activity is reported the Compliance Officer should seek external advice on
handling the investigation and on reporting the incident to SOCA.
16. Fraud prevention
Any Fraud or theft needs to be reported IMMEDIATELY to the Financial Controller and CEO.
They will determine whether or not to inform the Police or the Auditors.
The issue should be recorded in the Breaches Log, which should then be updated to record
subsequent investigation or action.
FRAUD DO’s & DON’T’s
• If you are suspicious or have concerns DO tell someone – confidentiality will be
respected as far as possible and the ‘whistleblowers’ policy will apply.
• DO NOT confront the individual with your suspicions.
• DO NOT discuss the matter with anyone you think could be involved.
• DO keep or copy any documents that arouse suspicions.
• DO NOT contact the police – notify the Financial Controller or CEO, who will take
responsibility for notifying the appropriate authorities.
Investigating Procedure
The investigating officer should follow these steps:
• Full details and clarifications of the incident should be obtained.
• The investigating officer should NOT inform the member of staff under investigation
without consulting the CEO.
• The investigating officer in consultation with the CEO should consider the
involvement of the Company auditors and the Police at this stage and should consult
with the Chairman / Chief Executive.
• The allegations should be fully investigated by the investigating officer with the
assistance where appropriate, of other individuals / bodies.
• A judgement concerning the incident and recommended courses of action will be
made by the investigating officer. This judgement will be detailed in a written report
containing the findings of the investigations and reasons for the judgement. The
report will be passed to the Chief Executive or Chairman as appropriate.
The Chief Executive / Chairman will decide what action to take. If appropriate, they will invoke
the disciplinary or other appropriate procedures.
If appropriate, the CEO or Chairman may pass a copy of the report to the Company Auditors
to enable a review of the procedures.
17. Whistleblowing
The Raising Concerns policy (“whistleblowing”) requires UKFI to have arrangements for
receiving and investigating whistleblower reports. With extraordinary exceptions,
Compliance is responsible for investigating reported incidents and for deciding who the most
appropriate person to assist them is. It may, for example, be appropriate to involve HR in
allegations of staff grievance or welfare. UKFI Compliance will agree with the Chairman the
types of concerns raised that should be immediately escalated to UKFI Compliance prior to
investigation.
It is envisaged that all concerns raised that relate to ‘Questionable Accounting Practices or
other Financial Impropriety’ or are in respect of a member of the Senior Management
team would be investigated immediately.
UKFI Compliance reports will include a summary of current whistleblowing reports and status
of significant whistleblowing reports (subject to confidentiality requirements).
Training and communication of the UKFI whistleblowing reporting process will be developed
by UKFI Compliance. This will ensure that all UKFI staff are aware of their options under the
arrangements.
Detailed procedures
Procedures for Making a Disclosure
On receipt of a complaint of malpractice, the member of staff who receives and takes note of
the complaint must pass this information, as soon as is reasonably possible, to the
appropriate designated investigating officer as follows:
• Complaints of malpractice will be investigated by compliance unless the complaint is
against a Director or is in any way related to the actions of compliance. In such
cases, the complaint should be passed to the Chief Executive for referral.
• In the case of a complaint which is in any way connected with, but not against,
compliance, the Chief Executive will nominate a Senior Manager to act as the
alternative investigating officer.
• Complaints against the Chief Executive should be passed to the Chairman, who will
nominate an appropriate investigating officer.
The complainant has the right to bypass the line management structure and take their
complaint direct to the Chairman. The Chairman has the right to refer the complaint back to
management if he/she feels that the management without any conflict of interest can more
appropriately investigate the complaint.
If there is evidence of criminal activity then the investigating officer should inform the police.
The Company will ensure that any internal investigation does not hinder a formal police
investigation.
Timescales
Due to the varied nature of these sorts of complaints, which may involve internal investigators
and / or the police, it is not possible to lay down precise timescales for such investigations.
The investigating officer should ensure that the investigations are undertaken as quickly as
possible without affecting the quality and depth of those investigations. The investigating
officer should, as soon as practically possible, send a written acknowledgement of the
concern to the complainant and thereafter report back to them in writing the outcome of the
investigation and on the action that is proposed. If the investigation is a prolonged one, the
investigating officer should keep the complainant informed, in writing, as to the progress of
the investigation and as to when it is likely to be concluded. All responses to the complainant
should be in writing and sent to their home address.
Investigating Procedure
The investigating officer should follow these steps:
• Full details and clarifications of the complaint should be obtained.
• The investigating officer should inform the member of staff against whom the
complaint is made as soon as is practically possible. The member of staff will be
informed of their right to be accompanied by a trade union or other representative at
any future interview or hearing held under the provision of these procedures.
• The investigating officer should consider the involvement of the Company auditors
and the Police at this stage and should consult with the Chairman / Chief Executive.
• The allegations should be fully investigated by the investigating officer with the
assistance, where appropriate, of other individuals / bodies.
• A judgement concerning the complaint and validity of the complaint will be made by
the investigating officer. This judgement will be detailed in a written report containing
the findings of the investigations and reasons for the judgement. The report will be
passed to the Chief Executive or Chairman as appropriate.
The Chief Executive / Chairman will decide what action to take. If the complaint is shown to
be justified, then they will invoke the disciplinary or other appropriate procedures.
The complainant should be kept informed of the progress of the investigations and, if
appropriate, of the final outcome.
If appropriate, a copy of the outcomes will be passed to the Company Auditors to enable a
review of the procedures.
If the complainant is not satisfied that their concern is being properly dealt with by the
investigating officer, they have the right to raise it in confidence with the Chairman.
If the investigation finds the allegations unsubstantiated and all internal procedures have been
exhausted, but the complainant is not satisfied with the outcome of the investigation,
UKFI recognises the lawful rights of employees
and ex-employees to make disclosures to prescribed persons (such as the Health and Safety
Executive, the Audit Commission, or the regulators), or, where justified, elsewhere.
18. Data Privacy Act and Subject Access Requests
Our obligations under the Data Protection Act are:
• to notify the Information Commissioner we are processing information
• to process the personal data we hold in accordance with the eight Data Protection
Principles laid down by the Data Protection Act. Additional requirements and
restrictions apply to the processing of sensitive personal data (such as an individual's
health records, ethnic origin, trade union membership or political opinions).
• to answer subject access requests received from individuals. (We may be able to
charge a fee of up to £10 for doing this.)
It is anticipated that we will only hold personal data in respect of employees, potential
employees and, in certain circumstances, information on the people we are nominating to join
the Board, or current Board members, of investee companies. The Information
Commissioner’s site holds Good Practice Guides in respect of handling data and responding
to Subject Access Requests. If the data we hold changes such that we only hold data on
employees and potential employees, we will not have to register the data controller with the
ICO; this can be tested using the following link:
(http://forms.informationcommissioner.gov.uk/notify/self/question1.html)
The following checklist should be reviewed annually and the outcome reported to the Board
as part of the compliance report.
http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/geting_it_right_-_how_to_comply_checklist.pdf
Sources of information
DPA Practice Notes:
http://www.ico.gov.uk/what_we_cover/data_protection/guidance/good_practice_notes.aspx
Notify Data Controller:
http://www.ico.gov.uk/tools_and_resources/register_of_data_controllers.aspx
FOI Specialist:
19. Freedom of Information Requests
Requests under the FOI should be handled in accordance with the Secretary of State for
Constitutional Affairs' Code of Practice on the discharge of public authorities' functions under
Part I of the Freedom of Information Act 2000 (see link below).
Before responding to any FOI request the COO should review the request and the information
to be provided to ensure that it does not breach the terms of any Non-Disclosure Agreement
(NDA) in place with any Investee Company. If it does then the COO must act in accordance
with the terms of the NDA before providing the information to the requestor.
Guidance to employees is provided in the Compliance Manual.
FOI Practice Notes: http://www.justice.gov.uk/guidance/foi-step-by-step.htm
Exemptions: http://www.foi.gov.uk/guidance/index.htm
FOI Specialist:
DATA STORAGE
FoI and Subject Access Requests need careful control and effective
recording of the outcomes. A folder has been established to store
individual requests and correspondence. Each new request should be
put into a new sub-folder within that drive. It is important to scan all
associated letters and transfer any email correspondence and store it in
the relevant folder.
Each request should be logged on the following log [link]
Appendices
Acronyms
COF – UKFI Compliance Operating Framework
DRACA – Detailed Risk and Controls Assessment
HoC – Head of Compliance
HPO – Head of Policy and Operations
HR – Human Resources
MktInv – Market Investments Department
RF – Risk Framework
RO – Risk Owner
SH – Staff Handbook (including the Code of Conduct)
WOI – Wholly Owned Investments Department
UKFI – United Kingdom Financial Investments Limited