Dear CEO letter to custody and fund services flags CASS concern

The FCA’s recent Dear CEO letter outlined its supervision strategy for custody and fund services businesses and identified concerns around the oversight of client assets. The regulator expects firms to act on the letter, so recipients should have a CASS action plan in place. Other firms who hold client money and assets would also be wise to take notice of the continuing scrutiny in this area.

The Dear CEO letter, issued on 23 March, was sent to firms acting as third-party custodians, depositaries for authorised and non-authorised funds, and third-party administrators providing services such as fund accounting and transfer agency.

It identified four key risks that the FCA wants those firms to consider and address. One of these risks was “Sub-standard oversight and control of client money and assets leading to financial losses for investors and/or inability to recover assets efficiently.”

The letter goes on to set out the FCA’s supervisory priorities in relation to the protection of custody assets, as well as for the other key risk areas identified. It urges the reader to consider and discuss the contents of the letter with fellow directors and Board members and sets an expectation that during supervisory engagement, the FCA will ask firms what they’ve done to address the issues raised.

The FCA makes it clear that it will act when it sees firms failing to meet expectations in this area, including enforcement action where necessary.

CASS is an area of significant ongoing supervisory engagement in all sectors, and the pandemic saw the FCA further increase efforts to ensure the prompt return or transfer of assets and money in the event of insolvency. The FCA letter acknowledges an investment in CASS compliance by firms but highlights issues in areas such as change management, dependency on legacy/end-of-life IT infrastructure and high levels of manual processing and controls. The letter notes that challenges are often rooted in poor governance and oversight and inadequate CASS knowledge.

Preparing your CASS action plan

CASS governance and oversight
Getting this right is central to a firm’s ability to identify and manage issues and problems with CASS systems and controls.  Consider whether your approach incorporates the following:

  • A suitable and knowledgeable senior manager responsible for CASS oversight with enough time and resources to do the job effectively
  • CASS committees which are supported by comprehensive management information
  • Documentation of ‘total capture’ – the application of CASS to the business, highlighting how and where client money and assets arise within the business and who the clients are in that context. This is particularly important with complex business models or multiple service lines.
  • CASS risk and control mapping to highlight risks and document controls to address those risks
  • Auditor selection that ensures the selected auditor has the right knowledge and experience to carry out your CASS audit.  Bear in mind that your statutory auditor may not always be the right answer here.
  • Clearly documented policies and procedures explaining how key CASS processes operate.  These should be prepared in a way that will help someone not familiar with the processes to understand how they work and how they ensure compliance with the rules.

Knowledge and experience
Having the right knowledge and experience is crucial for good CASS compliance.  You will need some of this knowledge and experience within your business, particularly at CASS Oversight Officer level, but you can also tap into external support to help provide you with challenge and assurance.  Good quality training is essential for all parts of the business and it should be relevant enough to your business model for it to be of real value to the attendees.  Training can be targeted at specific parts of the business, for example:

  • High level training to equip people not involved in CASS processes to explain to clients the nature of CASS protection that the firm provides or to spot when something out of the ordinary might be happening.
  • More detailed training for CASS operational staff to enable them to understand the regulatory requirements that underpin the processes they operate and how to spot when things could go wrong.
  • Training for the governing body to help them understand the CASS risks that the business is exposed to, how those risks are managed and what the reports or management information they receive tell them about the controls in place.

Business and strategic change
There can be inadvertent CASS impacts to any business or strategic change. Make sure that your change planning and management processes include consideration of whether there are any CASS impacts to address. It might be that the changes you’re planning to make will resolve a problem or give the business the ability to capitalise on new opportunities, but could impact CASS process operation. We’ve seen cases where the most seemingly innocuous IT change has had a significant impact on a firm’s ability to maintain complete and accurate CASS books and records.

Systems, processes and controls
Many firms rely on IT systems for the maintenance of CASS books and records as well as for the operation of CASS processes and controls. In some cases, the systems used are legacy systems or coming to the end of their lifespan. They may not have been maintained and updated properly, because other parts of the business have moved onto alternative platforms. This can cause significant issues from a CASS perspective and we often see firms using manual workarounds to ensure CASS processes continue to operate in the face of systems that are no longer fit for purpose. These issues often arise because firms see implementing or maintaining up-to-date systems as being an unnecessary expense and inconvenience when the system may be used for a relatively small part of the business. Many firms also use manual CASS operational processes, particularly record checks and reconciliations. This is often the case because automated systems are seen as an unnecessary expense or too difficult to embed into existing systems.

Any manual processes or workarounds will increase the risk of errors and breaches occurring and will result in a need for additional controls on an ongoing basis. Ultimately, this will mean more ongoing cost and risk for the business. There are some very cost-effective solutions for automated processes available that work with existing systems, making the implementation far easier than many firms expect.

We can help

We have a wealth of CASS experience at Bovill and ways in which we can help you include:

  • Reviewing your existing CASS controls and arrangements
  • Carrying out total capture exercises or risk and control mapping
  • Preparing and reviewing CASS policies and procedures
  • Providing firm-specific CASS training to members of your team
  • Sitting on your CASS Committee, providing challenge to your Board or reviewing your CASS governance and oversight arrangements
  • Helping you to ensure that you select the right auditor
  • Providing input and challenge to your change management processes, including providing input to specific change projects
  • Helping you automate processes and controls.
