In addition to the requirements set out in section 37, an FSP that provides automated advice must—
(a) have adequate and appropriate human resources that have the required competence to—
    (i) understand the technology and algorithms used to provide the automated advice;
    (ii) understand the methodological approaches, including assumptions, embedded in the algorithms;
    (iii) understand the preferences or biases that exist in the approaches referred to in (ii);
    (iv) understand the risks and rules underpinning the algorithms;
    (v) identify the risks to clients arising from the automated advice; and
    (vi) monitor and review the automated advice generated by algorithms to ensure quality and suitability of the advice and compliance with the Act;
(b) establish, implement and maintain adequate policies and procedures—
    (i) to monitor, review and test the algorithms and the advice generated by it;
    (ii) to monitor, review and test the filters implemented to ensure clients for whom the automated advice is not suitable are filtered out; and
    (iii) that set out the level of human review that will be undertaken on the advice generated;
(c) in relation to the monitoring and testing of the algorithms and filters referred to in (b),—
    (i) have appropriate system design documentation that sets out the purpose, scope and design of the algorithms and filters;
    (ii) have a documented test strategy that explains the scope of testing, including test plans, test cases, test results, defect resolution, and final test results;
    (iii) have appropriate processes for managing any changes to an algorithm and filters that include having security arrangements in place to monitor and prevent unauthorised access to the algorithms;
    (iv) be able to control, monitor and reconstruct any changes to algorithms or filters;
    (v) review and update algorithms whenever there are factors that may affect their relevance (such as market changes and changes in the law);
    (vi) have in place controls and processes to suspend the provision of advice if an error within an algorithm or filters is detected; and
    (vii) be able to frequently monitor and supervise the performance of algorithms and filters through an adequate and timely review of the advice provided;
(d) have adequate and sufficient technological resources to—
    (i) maintain client records and data integrity;
    (ii) protect confidential and other information; and
    (iii) meet current and anticipated operational needs, including in relation to system capacity.