As many as 25 percent of the client asset audit reports received by the Financial Conduct Authority (FCA) from regulated firms in the first three quarters of 2017 were not up to scratch, a freedom of information (FoI) response has revealed.
Consultants have said the regulator is likely to take action on some of these cases.
“Historically, adverse audits have received the greater interest. If you’re in receipt of an adverse auditor report, it’s fair to assume that you’ll be receiving contact from the FCA at some point,” said Nicola Green, a Bovill consultant and CASS specialist, who had made the FoI request.
The FCA received 133 adverse client asset audit reports, about 5 percent of the 2,942 reports in the relevant period, between January and October 2017, according to the FoI response. The regulator received a further 572 qualified reports, 20 percent of the total.
These figures come after the Financial Reporting Council introduced its standard, “Providing Assurance on Client Assets to the FCA”, to which auditors have been required to adhere since January 1, 2016 for CASS audits carried out under SUP 3.10.5B of the FCA Handbook. This has led to a new approach to CASS audits by auditors.
“We have seen the FCA communicate with firms on adverse and qualified reports and ask them how they are resolving the issues identified in the reports. I have heard instances of the FCA approaching firms with clean reports and, in one instance, following up with a thematic visit,” Green said.
“The FCA wants to ensure auditors are qualified and skilled. In choosing a CASS auditor, firms must consider the auditor’s experience,” she said.
“They should then communicate clearly with the auditor about the risks and how the firm controls them, and how CASS impacts the business,” she said.
The FCA declined to comment.
“On a qualified report, the FCA will look at the content. It will consider whether the issues are now resolved or ongoing,” Green said.
“Some firms are failing to identify client money or custody assets. This can be related to assets in a long-standing business, particularly in bigger firms with multiple product lines, “she said.
For smaller firms, the problem is often a failure to understand FCA client money rules and how they apply to firms, she said.
“My advice to any firm is to assess how CASS applies to your business, looking from the bottom up at every part of it, every product line and service. The firm must make sure it can explain how and why CASS applies,” Green said.
The new FRC standard is more focused on controls, so firms must be able to explain what CASS risks the business is exposed to as well as what controls they have in place to address those risks, according to Green.
“Historically some firms have focused reactively on past CASS breaches. Now a proactive approach is required, with the priority on understanding CASS risks faced and ensuring appropriate controls are in place,” she said.
If a firm was expecting an FCA visit in the near future, Green said that it should do whatever work was required to satisfy itself it could explain its CASS processes and demonstrate that its controls are appropriate. This could be quite a large job for some firms, she said.
“If issues have been identified during the audit, firms should have already started addressing them by the time the audit report has gone to the FCA. This process will have taken several months,” she said.
“My advice to firms is that if they get an adverse or qualified report, they should be able to explain what has gone wrong and why, and what is being done to correct the problem,” Green said.
The individual responsible for oversight of CASS should lead the way on making sure issues were remediated, Green said, pointing out that past FCA enforcement actions had singled individuals out for failure to oversee the CASS process.
“If the FCA visits a firm and finds it has not gone far enough to remedy failures found in an audit, the firm could end up with a s 166 requirement notice. The s 166s are frequently used, not just for enforcement but also as one of the FCA’s supervision tools. They will still cost the firm a lot of money and time,” she said.
“Ideally before the auditor’s report, the firm should have self-identified the issues to go in the audit report, and if there has been a reportable breach, it should have reported it to the FCA. Ideally, there should never be a breach included in an audit report that the firm hasn’t already identified,” Green said.
Alex Davidson is senior editor, AML/financial crime, in London for Thomson Reuters Regulatory Intelligence.
Copyright © Thomson Reuters 2017. All rights reserved.