@uktisa
CASS Seminar, 28th February 2017
Standard Life, Dundas House, 20 Brandon Street, Edinburgh
Agenda
• Opening remarks by Jeffrey Mushens, Technical Policy Director, TISA - Chair
• Ash Saluja, Partner, CMS Cameron McKenna LLP ‘CASS Oversight – satisfying regulatory requirements and expectations’
• Anna Dawson, Associate Director, Deloitte LLP ‘FRC CASS Assurance Standard’
• Jennifer Duncan, Director, Risk Consulting, KPMG ‘The expectations of the second and third lines of defence’
• Coffee Break
• Mark Lester, Director, Walbrook Partners ‘Gaps in meeting the new CASS Assurance Standards’
• Shaid Moughal, Head of CASS, Standard Life ‘Cleared Funds’
• Mike Sims, Elevate Financial Controller, Standard Life ‘Oversight and Governance – lessons from Aviva’
• Closing remarks by Jeffrey Mushens - Chair
CASS Oversight:
Satisfying regulatory requirements and expectations
Ash Saluja, Partner and Alison McHaffie, Partner
CMS London
24 January 2017
Looking at ………….
The legal and regulatory responsibilities
The FCA focus
What to do if you identify a CASS breach
When enforcement takes action and lessons to be learned
CASS operational oversight function (CF10A)
SUP 10A.7.9 - Dynamic responsibility?
• Oversight of the operational effectiveness of the firm's systems and controls that are designed to achieve compliance with CASS
• Reporting to the firm's governing body
• Completing and submitting CMAR
CASS Auditor
• Distinction between consultancy and audit roles
• If auditor finds a problem - immediate breach
• If auditor finds nothing - no comfort
Outsourcing CASS responsibility
• Choice of outsourcing provider
• Terms of agreement, SLAs etc
• Adequate monitoring
• Adequate access
Responsibility of the Board
SYSC 4.1.1 - A firm must have robust governance arrangements, which include … internal control mechanisms, including sound administrative and accounting procedures ….
SYSC 4.1.10 - A common platform firm must monitor and, on a regular basis, evaluate the adequacy and effectiveness of its systems, internal control mechanisms and arrangements established in accordance with SYSC 4.1.4 R to SYSC 4.1.9 R and take appropriate measures to address any deficiencies.
Legal responsibility for client assets
• Held separately on trust
• Duty to return assets to client
• Duty to account for income
• Duty to monitor third party custodians
Legal responsibility for client money
• Held on statutory trust
• Trust letters
• Duty of diversification
• Prudent segregation
The FCA focus
“We will continue to ensure firms have appropriate mechanisms to protect client assets to ensure consumers are protected in the event of failure.”
FCA Business Plan 2016/17
FCA continues to focus on this area:
• Increasing the supervision of firms holding client money and safe custody of assets through more intrusive visits to firms, thematic projects and desk-based reviews, actions initiated through CMAR/audit information and taking regulatory action where firm failings are identified.
• Increasing use of attestations
• S166 skilled person reports (14 over last 18 months – about 20% of all s166)
• 3 of 8 enforcement actions against firms in 2016
FCA expects firms and senior management to learn lessons from enforcement action
• “We have issued repeated warnings to the industry on the importance of complying with client money rules which are designed to ensure that client money is adequately protected in the event of a firm failing. There can be no excuses given these warnings and the stakes involved.” “Senior management are ultimately responsible for ensuring that firms are following our rules.”
Mark Steward, Director of Enforcement and Market Oversight at the FCA, July 2016
What if you identify a breach of CASS?
Identify:
• What has gone wrong?
• How significant is it?
• Length/frequency of breach?
• Evidence of any weaknesses in controls?
• Is remedial action required?
Notify FCA depending on significance/materiality of breach
• Principle 11 – anything which the regulator might reasonably expect notice
• SUP 15.3.11R – significant breach of rule
• CASS specific notification rules – “without delay”... if unable or materially fails to comply with various CASS requirements (see CASS 6.6.57 & 7.15.33 etc)
Ensure self reporting is prompt, clear and provides assurance that management is in control and appropriate remedial action is being taken
Consequences of failure
What goes wrong
Triggers for investigation & enforcement action:
• Actual loss for clients
• Risk of loss to clients and risk of set off by banks
• Risk of delay in return of money
• Failure to heed warnings – “firms….should ensure they continue to strengthen their management, oversight and controls in this area”
• Lengthy breaches
• Systemic importance of firm
• Failure to identify, notify & false attestations
• Governance or cultural failings
• Previous fines
Breaches of:
• Principle 10 (adequate protection for clients’ assets) & Principle 3 (systems & controls)
• CASS rules
• Statements of Principle for Approved Persons (APER or COCON) for individuals
What has gone wrong?
Failure to:
• Segregate, resulting in commingling with the firm’s own funds
• Carry out sufficient due diligence on institutions holding monies
• Recognise firm is “holding” client money
• Obtain trust letters
• Perform client money calculations and reconciliations accurately and promptly
• Keep adequate records to distinguish one client’s money from another
• Manage acquisitions and re-organisations, weakening CASS oversight
• Use appropriate naming conventions to make it clear it was client money
• Cover shortfalls and notify FCA
• Have adequate oversight and controls over TPAs
• Oversee, monitor and obtain adequate MI
• Train relevant staff
• Carry out sufficient enquiries before providing affirmations to FCA
Penalties
FCA has discretion to increase or decrease in 5 step framework and can decide that average balance of client money/assets is not an appropriate indicator.
Higher fines
Risk of individual action against senior management where there is personal
responsibility for failings (see Philip July 2016)
Most cases settle - 30% discount
Level of seriousness | Percentage – Client Money | Percentage – Safe custody assets
Level 1 | 0 | 0
Level 2 | 1 | 0.2
Level 3 | 2 | 0.4
Level 4 | 3 | 0.6
Level 5 | 4 | 0.8
How to handle a CASS investigation
Some practical points………
Seeking to avoid an enforcement referral
• Robust systems and controls kept under review
• Prompt and effective notification of any breaches
• Accurate attestations
• Firm identifies and carries out remedial action on own initiative
• No risk of loss or delay
• Good and constructive relationship with supervisors
Managing an investigation effectively
• Prompt and well ordered response to requests for information and well prepared interviewees
• Put issues in context and show actions were reasonable
• Seek to understand FCA’s concerns and address them early in the process
• Demonstrate lack of risk to client assets – consider expert IP evidence
• Show lessons learned and acted on by firm
• Settle where appropriate
Background of the FRC Client Assets Assurance Standard
Financial Reporting Council (‘FRC’) Standard “Providing Assurance on Client Assets to the Financial Conduct Authority” was published in November 2015 and it is applicable to CASS Auditors
The FRC Client Assets Assurance Standard replaces reporting under Bulletin 2011/2 and Bulletin 3
Bulletins provided auditors with guidance that was “persuasive” whereas the Standard is “prescriptive”, i.e. now a requirement rather than guidance
FRC Client Assets Assurance Standard effective for periods commencing on or after 1 January 2016
Scope of the FRC Client Assets Assurance Standard in relation to the CASS rules has not changed, i.e. still limited to compliance with the rules in CASS 3, 6, 7 and 8 (where applicable) for “during the period” and “as at the period end”
Where the firm outsources functions to a Third Party Administrator (“TPA”) the CASS auditor and the firm should explicitly set out the rights of access to the TPA in the engagement letter
The CASS auditor is required to adopt an insolvency mind-set, which places greater emphasis on evaluating whether the firm’s processes and controls are deemed adequate to ensure protection of client assets in the event of insolvency
Reporting under the FRC Client Assets Assurance Standard significantly raises the bar from previous reporting regime – particularly for reasonable assurance engagements where a firm holds client money and / or custody assets
Firms are expected to have in place from 1 January 2016 a CASS risk and control framework which includes CASS risk assessment, CASS rules and controls mapping for every applicable CASS rule, and clear roles and responsibilities for CASS in the three lines of defence framework.
Significant increase in scope
Key changes under the new FRC Standard
[Diagram: Regulated Firm and Third Party Administrators (if applicable)]
1. Control Environment over CASS, i.e. Governance
2. CASS Risk Assessment
3. CASS Control Activities
4. Information and Communication
5. CASS Monitoring Activities
6. Other matters to consider
Other labels in the diagram: ‘Tone from the top’ and CASS risk appetite; Management information, reporting and escalation; Identification; Segregation; Reconciliations; Books and Records; 1st line Self Assessment; Compliance Monitoring; Internal Audit; CMAR; New products and services; Change management, IT and business recovery
CASS Rules Mapping and Risk Assessment
Key changes under the new FRC Standard
[Diagram: risk matrix with axes ‘Factors affecting significance of the risk’ (‘Highly significant’) and ‘Factors affecting likelihood of the risk occurring’ (‘Very likely’)]
CASS Rules | Applicability
CASS 3.x.x R | No - rationale
CASS 7.x.x R | Yes - interpretation
CASS 6.x.x R | Yes
… | …
CASS 7.x.x R | Yes
CASS 8.x.x R | Yes
Risk Description | Inherent Risk
CASS Risk 1 | H
CASS Risk 2 | L
CASS Risk 3 | L
CASS Risk 4 | M
… | M
CASS Risk 999 | M
Actions taken by firm | Residual Risk
E.g. Mitigate with Control 1 | M
E.g. Mitigate with Control 2 | M
E.g. Accept Risk (unlikely action) | M
E.g. Mitigate with Control 3 | L
[Diagram links between the tables: one-to-one, one-to-many or many-to-one relationships]
Firm’s risk assessment should consider each relevant CASS rule that applies to the firm, i.e. rule by rule applicability matrix
CASS auditor to evaluate firm’s process for identifying risks relevant to compliance with CASS, evaluating significance of the risk, likelihood of their occurrence, and actions to address those risks.
CASS auditor to raise an observation if it identifies a risk that management has failed to identify.
Internal controls
Background and context – COSO 2013
• The COSO 2013 Framework provides a formal structure for the design and evaluation of the effectiveness of internal control
• It categorizes controls into five components, and each component is addressed by a variety of principles and points of focus
Five components of internal controls (based on the COSO 2013 framework):
• Control Environment
• Risk Assessment
• Control Activities
• Information & Communication
• Monitoring Activities
Diagram labels: Indirect controls; Direct controls; Indirect controls
© 2017 Deloitte LLP. All rights reserved.
Control design
Key design factors (1)
Appropriateness of the purpose of the control:
• Explicitly demonstrate how the control addresses the identified risks
• Ensure all risks the control is mapped to are addressed
Appropriateness of the control considering the nature and significance of the risk:
• Preventative vs detective – to address timeliness of the control, e.g. immediate segregation of client money
• For more significant risks, identify and implement a mix of controls, including process level controls over the transaction flows
• The greater the inherent risk, the more precise the controls are expected to be
Competence and authority of control performer:
• Ensure the experience is appropriate in the control area
Frequency and consistency with which the control is performed:
• Consider the required frequency of the control based on the risk
• Is the control timely to prevent or detect an error, e.g. 10 day allocation rule and reconciliation frequency?
Level of aggregation and predictability:
• Assess whether the aggregation is sufficiently direct and precise to address the risk
Control design
Key design factors (2)
Criteria for investigation/ process for follow-up:
• Investigation is a key part of the control; ensure the reviewer can identify matters for further follow-up and magnitude of such items
• Ensure timeliness of their investigation and follow-up
• If thresholds should be applied, make these explicit where possible
Dependency on other controls or information:
• Understand if the control is dependent on other controls including effective GITCs or information (data or reports)
[Diagram: the three lines of defence]
First Line of Defence (Management Controls): CASS processes and controls
Second Line of Defence (Control functions): Compliance, Risk
Third Line of Defence (Independent Assurance): Internal Audit
Diagram labels: Accountability for regulatory compliance; Ongoing monitoring
Not a new area of focus: Regulators have been highlighting inadequacies with firms’ approaches to the three lines of defence model for a number of years
A factor in enforcement actions: A number of enforcement cases have cited failings in Compliance and Internal Audit monitoring as contributing factors
Blurred lines: A concern that not all monitoring activity is truly independent
Developments in the CASS space
Section 166s: FCA has been commissioning a number of Skilled Persons Reviews over Governance arrangements and the roles of Compliance and Internal Audit
CASS operational oversight: SMFs and CF10as proactively considering what assurance they need to demonstrate effective oversight, and what needs to come from the 2nd and 3rd lines
CASS as a distinct area of risk: CASS-specific Risk, Compliance and Internal Audit teams and monitoring programmes are being established
FRC CASS Assurance Standard: The new Standard brings Compliance and Internal Audit into the scope of the CASS Audit
External assistance: Increased use of specialist advisors to help develop monitoring plans, and to develop and perform specific CASS reviews
— Split between monitoring and advice (independent and objective) – understand role
— Systematic and disciplined monitoring and periodic testing of CASS risks
— Compliance monitoring plan to specifically include CASS related elements in line with the firm’s evaluation of CASS risks
— Assessment of materiality of risk and breaches in terms of FCA notification of reportable events – recorded in dedicated CASS issues and breaches logs
— Timely root cause and trend analysis of breaches evidenced as part of the function’s activities in relevant registers, minutes, reports
— The Compliance team should have CASS technical knowledge and expertise to be able to conduct robust and independent CASS reviews
[Diagram callouts]
— Monitoring plan does not clearly link to the firm’s CASS risk footprint
— ‘Light touch’ testing
— Blurred lines between monitoring and advisory
— Monitoring against internal procedures and not against compliance with the regulatory requirements
— No consideration of industry events or emerging thematic CASS risks
— Lack of specialist resources within the 2nd line
— Understand the roles and responsibilities of the independent Internal Audit function
— Conduct periodic independent CASS related reviews over the firm’s CASS arrangements forming part of the function’s annual monitoring plans
— Review plans are assessed on a risk basis, approved and reviewed on a periodic basis to capture new issues or risks
— Clarity regarding scope and approach to CASS IA reviews
— Timely follow up as part of IA review and assessment of sufficient evidencing of breaches in relevant CASS registers
— Members of the Internal Audit function should have the required CASS technical knowledge and expertise to be able to conduct robust and independent CASS reviews
[Diagram callouts]
— Little, infrequent or no CASS related testing post PS 14/9 despite FCA and industry focus
— IA reviews lack robustness and focus
— Quality of outsourced reviews varies
— Inconsistent approach to evaluating proposed management actions
— Failure to follow up on management actions to ensure appropriate steps taken to close gaps
— Lack of specialist resource in 3rd line
— Smaller firms with no IA functions struggle to find CASS experts
— Inadequate or lack of any CASS training for the 3rd line
© Walbrook Partners Limited
Introduction
The FRC standards for CASS Assurance Reviews require more effort from firms than might be apparent at first.
In many cases the gap between current evidence and controls and those now required is unexpectedly large.
A few examples are discussed in the following slides.
Putting it all together
Business model documentation:
‣ Does it include an overview of the type of business done?
‣ Is it understandable to an external reader?
‣ Does it explain intra-group relationships and activities?
‣ Does it include full cashflow documentation?
‣ Can your staff clearly explain it?
….and is it in your Resolution Pack?
The biggest gap?
Rule/Risks Mapping and Controls
‣ The detail required is often underestimated – every rulebook/every rule?
‣ Explain why rules are out of scope – and controls to ensure it stays that way
‣ Ensure controls are real, specific and can be evidenced
‣ Show regular reviews
If you don’t produce the documentation, your auditors will!
The chain of evidence
The evidence required has substantially increased
‣ Ensure consistency of the business model, rule mapping, controls, procedures and evidence
‣ Consider how to prove oversight, management etc.
‣ Be prepared to prove all of the figures in reconciliations, including prudent segregation figures
‣ Prove remediation actions, including root causes
Make it easy for the auditors
Failing validation
Is there a gap in your figures?
‣ Be prepared to show the validation of CMAR figures against other sources
‣ Show how you confirm the CASS RP is up to date
‣ Evidence testing of client entitlements, including reconciliation to other figures
From gap to overlap
Three lines of defence:
‣ Is it clear who does what and where the boundaries lie?
‣ How do you preserve independence e.g. compliance advice vs. compliance monitoring?
‣ How knowledgeable are your 2nd and 3rd lines?
‣ How are activities planned in conjunction with risks?
‣ How are actions followed up?
Culture
How can you evidence a strong CASS culture?
‣ Knowledge and training from the top of the firm down
‣ Consideration of Principles and the clients’ best interests evidenced in decision making and policies
‣ Investment in addressing root causes, whether through manual processes, systems changes or prudent segregation
‣ Other indicators:
‣ Standards set
‣ Meeting attendance & engagement
‣ Prioritisation
Cleared Funds
‣ A key principle of CASS is that client money is held according to the statutory trust requirements (CASS 7.17).
‣ This section creates a fiduciary relationship between the firm and its client under which client money is in the legal ownership of the firm but remains in the beneficial ownership of the client
‣ However, a firm is not permitted, in its capacity as trustee, to allow one client’s money to fund another client’s transactions.
“Peter’s money should not be used to fund Paul’s transactions”
‣ 7.17.5 G: The statutory trust under CASS 7.17.2R does not permit a firm, in its capacity as trustee, to use client money to advance credit to the firm's clients, itself, or any other person. For example, if a firm wishes to undertake a transaction for a client in advance of receiving client money from that client to fund that transaction, it should not advance credit to that client or itself using other clients’ client money (i.e., it should not ‘pre-fund’ the transaction using other clients’ client money).
Cleared Funds
The PS14/9 feedback stated that a firm should not rely upon its internal reconciliation to determine whether or how much client money it should segregate.
Instead, the internal reconciliation should be used as an internal control to verify that the amount of client money segregated meets the firm’s obligations to clients.
The FCA had “clarified” the requirement to address shortfalls that arise the day before reconciliation is performed....
“CASS 7.12.3 G: The risk of loss or diminution of rights in connection with client money can arise where a firm’s organisational arrangements give rise to the possibility that client money held by the firm may be paid for the account of a client whose money is yet to be received by the firm. Consistent with the requirement to hold client money as trustee (see CASS 7.17.5G), a firm should ensure its organisational arrangements are adequate to minimise such a risk.”
Shortfalls
How could a shortfall arise?
‣ A risk of shortfall can arise through many different scenarios depending:
‣ Where contractual settlement exists on the client side but not on the market side
‣ Transaction settlement shortfall
‣ Intra-day exposure between the receipt and payment of client money
‣ Switches, e.g. T+4 funds to T+1 funds
‣ Work conducted on non-business days that results in a difference in the sequence of receipts and payments
‣ Timing of the removal of fees and account charges
‣ Bounced cheques and rejected direct debit receipts
‣ BACS payments which leave the account before expected receipts arrive
‣ Internal systems failures
‣ Banking systems failures
Shortfalls
What do you need to understand about shortfalls?
‣ Identify the contractual obligations of the firm
‣ Understand and document the transaction flows, particularly the timing of money movements
‣ Identify whether shortfalls could or could not arise (document the scenarios)
‣ Determine any mitigations (which may be funding but could be others)
‣ Consider financial resources available to provide funding
‣ Establish and document the processes required
‣ Review with business areas, 2nd and 3rd lines of defence, (auditors, etc.)
‣ Monitor actual money movements and test whether shortfalls arise
‣ Document a policy towards shortfalls and funding
Shortfalls
How can shortfalls be managed?
‣ Change processes
‣ Changing T&Cs and/or processes and systems to avoid the risk of a shortfall arising
‣ Not funding
‣ Establish why shortfalls will not arise & justify the rationale for not funding
‣ Prudent Segregation
‣ For exposures when the amounts and/or the timing of the exposures cannot be calculated precisely.
‣ Prefunding
‣ For exposures where an event has been identified that will cause a quantifiable shortfall.
Prudent Segregation
‣ “Prudent Segregation” in the context of CASS relates to the activity in which a regulated investment firm for Client Money is permitted, and decides it is prudent, to treat its own money as client money and then segregates that money in a client bank account.
‣ CASS 7.13.41R to 7.13.53R
‣ For firms that operate the alternative approach this is mandatory where they are required to hold a “Mandatory Prudent Segregation Amount”.
Prudent Segregation
What do the rules say?
‣ CASS 7.13.41R – if prudent to do so to prevent a shortfall in client money on the occurrence of a primary pooling event, a firm may pay money of its own into a client bank account and subsequently retain that money in the client bank account (prudent segregation). Money that the firm retains in a client bank account under this rule is client money for purposes of the client money rules and the client money distribution rules.
‣ CASS 7.13.48R – to the extent that the firm no longer considers it prudent to retain money in its client bank account pursuant to CASS 7.13.41R in order to ensure that client money is protected, the firm may cease to treat that money as client money.
‣ CASS 7.13.49R – any money that the firm ceases to treat as client money pursuant to CASS 7.13.48R must be withdrawn from its client bank account as an excess…as part of its next [internal client money reconciliation].
‣ Funding should NOT be used as a fix for inadequate systems or controls or bad recordkeeping
Prudent Segregation
Documentation
‣ Prudent Segregation Policy & Record
‣ The policy must be approved by the firm’s governing body and retained for at least five years after the date it ceases to retain such money as a prudent segregation amount
‣ A Prudent Segregation Record must be up to date and must include specific details on the amount of prudent segregation calculated and the changes to that amount
‣ What should be documented in the policy?
‣ The specific anticipated risks that would be prudent for the firm to protect
‣ Why the firm considers the use of such a payment is reasonable for the firm
‣ The method the firm will use to calculate the amount of money required
‣ Prefunding Policy
‣ Similarly to Prudent Segregation, a policy document relating to the firm’s prefunding approach should be documented as a best practice.
‣ It should cover the same components captured in a Prudent Segregation policy.
Prudent Segregation
What should be documented?
‣ Prudent Segregation Record must contain
‣ Outcome of the firm’s calculation of its prudent segregation
‣ The amounts paid into or withdrawn from a client bank account under the prudent segregation rules
‣ Why each payment was made
‣ Whether each payment was made in accordance with the policy
‣ Whether the policy was created or amended for this specific payment
‣ That the money was paid in accordance with the prudent segregation rule
‣ The up-to-date total amount of client money held pursuant to the prudent segregation rules
‣ All records must be held for 5 years
‣ Firms are reminded that payments and records made in accordance with the above should not be a substitute for firms keeping accurate and timely records under their other CASS and SYSC obligations.
Prefunding
‣ Firms may choose to prefund, i.e. put firm money into client money accounts to fund shortfalls that will occur during the course of settlement activity
‣ They may consider prefunding and using prudent segregation along with the other measures to mitigate the risk of a shortfall on the client bank account
‣ When can a firm Prefund?
‣ If the information is available to do so it may be preferable to prefund any payments related to unfunded transactions
‣ This may be when shortfalls arise on an intraday basis and can be prefunded for a short period of time until the expected proceeds are received.
‣ It could be used for covering shortfalls that are easier to calculate and may be predictable such as expected settlement proceeds or BACS payments
‣ It may be more difficult to use prefunding to cover unexpected scenarios such as transaction failures, bounced cheques and failed direct debits.
Organisational Requirements
‣ CASS 7.12.1R to 7.12.3G
‣ Firms must ensure that they have adequate organisational arrangements in place to minimise the risks to client money
‣ Firms must understand the risks to the business and client money operations and put in measures to minimise those risks
‣ Document the risks, the measures available to mitigate and the decisions taken in response along with the reasons
‣ Check that all funding requirements are in line with the risks documented in the policy papers. Consider making changes to the policy to incorporate any new risks.
‣ Track and monitor the funding requirement and add it to your MI pack that is reviewed by the firm’s CASS committee.
‣ Make it easy for auditors to follow and understand your prefunding processes.
‣ Share your approach with your 3rd party providers who support that part of your business. Review their performance in this process.
Governance
Oversight and Governance – lessons from Aviva Fine
1. Overview of key findings from the FCA Final Notice
2. What has my Firm done on the back of this?
3. Summary
4. Questions
AVIVA CASS FINE
5th October 2016 – In relation to 2 legal entities
Original fine £11.8m
30% Discount for settling at an early stage
Fine Paid £8.2m
WHAT WERE THE REASONS FOR THE FINE?
• Principle 3 (Management & Control)
• Principle 10 (Client Assets)
• CASS Rules
• Chapter 8 (outsourcing) of SYSC
Failings – Principle 3
Oversight
• Failed to implement and maintain adequate policies and procedures to detect and manage the high level of client money and custody assets risks which arose from the Firms’ outsourcing their CASS functions.
• In particular, the Firms failed to carry out adequate and formal compliance oversight and review exercises of both the performance of the TPAs, and the quality of the MI provided by the TPAs, in relation to outsourced CASS functions
Resource & Expertise
• Failed to dedicate sufficient resource and technical expertise to enable them to implement effective CASS oversight arrangements;
Prioritisation
• Failed to prioritise sufficiently CASS compliance, resulting in inadequate oversight of the outsourced CASS functions and the delayed detection and rectification of CASS risks and compliance issues.
Failings Principle 10
Client Money Rec
• failed to identify and promptly rectify issues within their internal client money reconciliation process resulting in the Firms’ under-segregation of client money
• mislabelled transactions within the Firms’ client money calculations (CASS 7.6.2R and CASS 7.15.3R);
CMAR & CASS RP
• failed to submit accurate CMARs
• held inadequate CASS RPs
Segregation & Supervision
• failed to ensure the adequate and accurate segregation of client money
• the Firms failed to retain the necessary expertise to supervise the outsourced functions effectively and to manage the risks associated with the outsourcing (SYSC 8.1.6R and SYSC 8.1.8(5)R)
Background
• 2012 audit failures – organisational arrangements. A £111.69 distribution was received for an asset not on the firm's system.
• 2013 audit issues with internal client money rec and concerns over asset records outsourced to a TPA.
• 2013 audit – 4 instances of non-compliance with CASS 6.5.10R identified, involving assets with an approx. aggregate value of £1K, after the firm confirmed improved processes.
• FCA visit in Feb 2015 identified the same and similar CASS compliance issues to those identified by external auditors. The FCA also noted that their Non Standard Method of internal reconciliation was not appropriate, although auditors had signed it off in 2015.
• Aug 2015 – Based on the gravity of the firms' failures to comply with the CASS rules, the FCA required the Firms to appoint a Skilled Person to conduct an independent review (S166).
• Jan 2016 – Skilled Person's Report confirmed issues identified during the CASS visit and expanded on the issues previously identified by the Firms’ external CASS audit reports.
FCA Visit Findings
• In February 2015, the Authority’s CASS Department visited the Firms. During the visit the
Authority identified the same and similar CASS compliance issues to those identified by the
external auditors. These issues were confirmed to the Firms in a letter of 10 August 2015,
which included the following concerns:
(1) serious deficiencies in the Firms’ governance and oversight of CASS functions;
(2) the Firms’ lack of individuals with combined CASS and financial experience;
(3) a convoluted committee structure which, in particular, lacked any dedicated committee
for overseeing the Firms’ outsourced CASS functions;
(4) a lack of CASS specific compliance monitoring reports, particularly given the breadth of
the rule changes following Policy Statement 14/9 and the Firms’ compliance history based
on earlier external CASS audit reports
(5) mislabelling of transactions within the client money calculation, prompting wider
concerns regarding the Firms’ failure to maintain accurate records and accounts and
inadequate organisational arrangements; and
(6) inaccuracies with the Firms’ CMAR submissions given that the Firms had made
disclosures which were inconsistent with SUP 16.14.3.R.
Skilled Persons Finding
• In August 2015, the Authority required the Firms to provide a Skilled Person’s report under section 166 of
the Act. On 29 January 2016, the Skilled Person issued its report, which confirmed issues identified
during the CASS Visit and expanded on the issues previously identified by the Firms’ external CASS
audit reports. The findings included:
a) deficiencies with the Firms’ reconciliation processes resulting in the over- and under-segregation of
client money with the Firms’ under-segregation having peaked at approximately £74.4m during the period
from 10 February 2014 to 9 February 2015;
b) inadequate first (business) and second (compliance) lines of defence in relation to the Firms’
submission of inaccurate CMARs;
c) inaccuracies/failings with the Firms’ CASS RPs in breach of CASS 10.1.3R;
d) the inadequacy of the management information (“MI”) provided to senior management in relation to
CASS breaches, particularly in relation to the Firms’ outsourcing of CASS functions to TPAs; and
e) concerning the Firms’ use of a non-standard client money calculation, the Skilled Person confirmed
that the Firms’ method of internal client money reconciliation did not provide the degree of protection
provided by the standard method as set out in CASS 7 Annex 1G (CASS 7.15.18R and 7.6.8R, and
Annex 1G).
Inadequate organisational arrangements to ensure effective
oversight of outsourced CASS functions
• Outsourcing arrangements are common in the asset management industry in relation to
purchases and sales of investment fund interests for clients. TPAs typically perform back
office activities such as cash and transaction processing, settlement, record keeping,
reconciliations and similar CASS compliance functions.
• In such circumstances, since a firm is one step removed from CASS operations as a result
of its outsourcing arrangements with a TPA, a heightened CASS compliance risk may arise.
A firm is therefore required to ensure that it has robust controls and oversight systems in
place to monitor and identify any issues arising with the TPA’s performance of the CASS
functions for which the firm remains fully responsible.
• This also requires that a firm outsourcing CASS functions ensures that it has adequate
CASS skills, expertise and resources to carry out effective oversight of the TPA.
Inadequate Reconciliation Processes
• During the Relevant Period, the Firms operated a non-standard internal client money reconciliation
method. However, during the CASS Visit, a number of issues with the Firms’ internal reconciliation
process were identified which had resulted in the under- and over-segregation of client money.
• Client money relating to trade purchases was removed from clients’ accounts before trades settled. The
Firms also failed to set aside funding for returned cheques in the reconciliation process which meant that
purchases could potentially be funded using other clients’ money. During the Relevant Period, these
failings in the Firms’ internal reconciliation processes resulted in under-segregation of client money in
amounts ranging from £0.4m to £74.4m during the period from 10 February 2014 to 9 February 2015.
• There were also a number of weaknesses in the design of the Firms’ oversight of their reconciliation
processes. For example, the spreadsheets which the Firms used to record data in the daily and weekly
reconciliation checks did not provide any guidance or parameters to ensure the consistency of checks
conducted. There was also no record of who was scheduled to conduct the daily and weekly checks and
whether those checks had been conducted and if so, by whom.
• Lack of consistency in the checking approach is indicative of the inadequate resourcing in relation to
the reconciliation process.
Client Money and Assets Return
• During the Relevant Period, the Firms lacked a formal system or adequate guidance in
relation to the CMAR process and controls, including in respect of the requirement for the
submission of a monthly CMAR. The Firms’ CMAR procedures did not identify who was
responsible for the completion and review of the Firms’ submissions. The Firms also failed
to provide proper guidance on the extent of review required prior to the Firms’ submission of
their CMARs to the Authority.
• The Firms relied on summary data provided by the TPAs as input data for the Firms’ CMAR
submissions. The Firms also had inadequate technical expertise to effectively challenge the
accuracy of the external data which resulted in delays in the Firms’ detection of CMAR
inaccuracies.
• Overall, the failings associated with the Firms’ CMAR submissions indicated a weak control
environment around the preparation, review and submission of the Firms’ CMARs.
Inaccuracies with the Firms’ CASS RPs
• The Authority identified that for part of the Relevant Period, the Firms did not have a formal control
process in place to ensure effective prevention, detection and remediation of breaches in the
Firms’ CASS RPs.
• In addition, during the Relevant Period the Firms lacked formal controls and formal lines of
responsibility regarding the prevention, detection and remediation of breaches of rules within
Chapter 10 (Resolution Packs) of the CASS Rules.
• In particular, the Authority identified the following failings with the Firms’ CASS RPs: specific
omissions within the Firms’ CASS RPs such as a lack of procedures for recording and transferring
client money and safe custody assets, delays in the Firms’ updating of the CASS RPs for the
opening of new bank accounts and a lack of a clear timetable for the production of the CASS RPs.
• During 2015 the Firms took steps to improve the CASS RP process by implementing a formal
CASS RP checklist but the Firms’ review and updating process remained inadequate.
Inadequacy of CASS resources and technical expertise
• The Firms’ CASS resources were inadequate which undermined their ability to conduct effective
oversight of the TPAs. The Firms’ lack of CASS technical expertise brought about the Firms’
overreliance on the TPAs which further compromised the Firms’ ability to identify, resolve and
report CASS breaches and control weaknesses in a timely manner.
• During the Relevant Period, there was no formal requirement established within the Firms for
CASS training to be undertaken by members of the Firms’ CASS team. Nor were there any formal
training records maintained of any “ad hoc” CASS training completed by the CASS team
members. The Firms have now instituted a formal CASS skills and knowledge matrix for CASS
team members.
• In addition, during the Relevant Period the Firms combined the CF10 and CF10a functions which
further constrained the available resource and technical expertise dedicated to CASS compliance.
• This lack of technical knowledge and experience rendered the Firms incapable of effectively
challenging the TPAs’ performance of the CASS functions.
Failure to prioritise CASS compliance
• The Firms understated the high risks associated with CASS non-compliance which may
have prevented and/or delayed the Firms’ escalation of CASS issues. The Authority
identified inconsistencies in the Firms’ risk rating in relation to CASS oversight. In light of the
CASS breaches identified in the Firms’ external CASS audit reports, the Firms ought to
have accorded CASS compliance a higher risk rating.
• The fact that additional CASS breaches arose in consecutive annual external CASS audits
should have prompted the Firms to re-categorise CASS compliance as high risk. The Firms
did not appear to have had adequate systems and controls in place to challenge the basis
upon which CASS risks had been assessed.
What has our firm done in light of this report?
• Analysed the Report in detail and produced a spreadsheet detailing each finding.
• Each business area then had to assess and document what controls and processes we have in place to mitigate the issue raised in the report.
• Gap analysis then performed based on consolidated returns to identify any areas where improvements could be made.
• Requested an analysis by our key outsourcer of how they assessed themselves against the findings.
• Action plan and summary of findings consolidated into a report for the CASS Governance Committee and Board.
• Action plan tracked through to delivery.
Summary
• The final notice from the FCA was extremely detailed; whilst not good news for Aviva, it provided the industry with a good checklist.
• Has enabled firms to self-assess their controls and processes against these findings.
• In relation to outsourcers, the FCA has made it clear in the past that this was an area they are focussing on, so all firms should have been aware of the focus here.
• The majority of fund managers and Platforms use outsource providers; this report has highlighted how easily you can lose expertise within your business and also fail to understand fully your outsourcer's CASS model.
• Highlighted the importance of focus on CASS within large organisations, especially where it may only be a small part of the overall business performed by the organisation.
Information about tax is based on our understanding of current legislation and HM Revenue & Customs' practice. Tax treatment can change and depends on your personal circumstances.
The information contained in this presentation does not constitute advice. It is designed for financial adviser use only and is not intended for use with individual investors. Any sample screen shots displayed are correct at date of issue but may be subject to change.
Elevate, Winterthur Way, Basingstoke RG21 6SZ. Telephone number: 01256 470707. As part of our commitment to quality service and security, telephone calls may be monitored and/or recorded.
Elevate is a trading name used by AXA Portfolio Services Limited. AXA Portfolio Services Limited has been acquired by Standard Life Savings Limited and forms part of Standard Life Group. The trade mark “AXA” is used under licence from AXA SA.
AXA Portfolio Services Limited (01128611) is registered in England at 14th Floor, 30 St. Mary Axe, London, England, EC3A 8BF and is authorised and regulated by the Financial Conduct Authority.
Standard Life Savings Limited (SC180203) is registered in Scotland at Standard Life House, 30 Lothian Road, Edinburgh, EH1 2DH and is authorised and regulated by the Financial Conduct Authority.
Important Information
Thank You!
TISA
Dakota House
25 Falcon Court
Preston Farm Business Park
STOCKTON-ON-TEES
TS18 3TX
www.tisa.uk.com
01642 666999