CASS and Operational Resilience: Understanding the FCA’s latest portfolio letter

What are portfolio letters?

The FCA regularly issues portfolio letters to communicate with a suite of firms that share a similar business model. In doing so, the FCA aims to set out the main risks of potential harm to regulated firms, the actions they expect those firms to take, and the steps they will be taking as regulators to reduce the level of systemic harm in the sector.

In a letter issued on March 23, 2022, the FCA communicated its supervision strategy to the custody and fund services portfolio. While this sector includes firms acting as custodians, depositories, and third-party administrators, all regulated firms would benefit from awareness of the content of the letter and its implications for their business. As stated on the FCA website: “Firms should also review letters for other portfolios that may be relevant to their business and act on the expectations we set out.”

In this piece, we identify the most relevant topics from this letter, paying close attention to issues that may affect firms beyond the intended FCA portfolio. Of course, firms should review the letter in its entirety to fully understand the business implications.

Causes of harm

The FCA details four key areas of potential harm to clients relevant to custody and fund services. These are:

  1. Disruption to consumers and markets due to insufficient operational resilience
  2. A lack of control and oversight of client money and assets
  3. Insufficient oversight of fund managers
  4. Inadequate oversight of high risk, illiquid or speculative investment products

The letter makes clear that chief executives are responsible for ensuring staff have the appropriate knowledge and understanding of the rules in each of these areas and for ensuring their firm meets the requirements.

Supervisory priorities

In response to the potential causes of harm, the FCA documents five key supervisory priorities – two of which certainly carry a wider reach than the portfolio of firms that received the letter. Even if your firm does not fall under the custody and fund services portfolio, you should consider how the supervisory priorities impact your business model.

Operational resilience and cyber

The FCA’s rules and guidance on Operational Resilience come into effect at the end of this month for all regulated firms. It expects firms to prevent adverse impact on clients and markets caused by a lack of resilience.

The FCA emphasises that “levels of interconnectedness between systems, lack of internal knowledge on how the systems operate, and ineffective oversight of third party or intra-group service providers can all threaten resilience.” Firms are expected to mitigate these potential risks.

For the new rules, firms are required to identify all of their important business services, map out the key elements of those services and define impact tolerances for the maximum tolerable disruption without causing harm to consumers or markets. It therefore makes sense to expect this area to fall under the FCA’s upcoming supervisory priorities.

The FCA notes that operational resilience and cyber security are areas of significant weaknesses at certain firms. Reliance on legacy technology is one potential cause of risks to both operational resilience and security. Therefore, firms must assess their systems to identify any potential vulnerabilities and take action where identified.

Protection of custody assets and money (CASS)

Holding client money and/or custody assets comes with a responsibility to adhere to CASS rules in order to maintain the security of those assets. The protection this provides to clients falls under the FCA’s key objectives, meaning all firms holding client money or assets are a supervisory priority for the FCA.

While it is noted that investment in CASS compliance is evident across the sector, the FCA also states: “We have observed weaknesses in change management (operational, regulatory and business), high dependence on legacy/end of life IT infrastructure and high levels of manual processing and controls in some cases.”

The dangers of legacy

The FCA points to reliance on legacy systems as a potential cause for systemic harm across the sector. Again, this should serve as a wake-up call for firms to review their technology and identify where modernisation is required. The FCA is clear that they expect action to be taken in this regard.

Spreadsheets continue to frustrate regulators

Manual processes and controls are a continual theme noted by the FCA in almost every interaction they have with regulated firms. Firms should not need reminding that spreadsheets can only serve them so far and, in relation to operational resilience in particular, firms will struggle to maintain resilience while relying on significant manual intervention.

Automation is key

It is imperative that firms push for greater automation of daily business processes if they are to satisfy regulators. At a recent conference, a spokesperson from the FCA emphasised that this issue is especially acute for firms that fail to scale financial controls alongside business expansion. Reliance on manual processes for growing firms will therefore be the Achilles’ heel for many.

Reconciliations are a perfect example: firms very often introduce spreadsheet-based reconciliations at a time when their business volumes are at entry level. As they become more successful and take on greater volumes, how many of those firms put a corresponding investment into the systems that underlie those processes to ensure regulatory compliance? Very few in our experience.

Instead, regulated organisations continue to match and investigate breaks on a manual basis – a patently untenable scenario as regulators call for – and other firms realise the benefit of – investment in automated technologies.

Market and regulatory changes

The message from the FCA is that firms must ensure they are aware of market developments and any regulatory changes impacting them. This should be core within any regulated firm as it is widely understood that regulation does not stand still.

While new and evolving regulation clearly brings a complex challenge to firms, it can also present new business opportunities and areas for growth. In other words, horizon scanning for regulatory change makes commercial sense.

In a six-month period from January to July 2022, we will see finalised rules come into effect for the Investment Firms Prudential Regime (IFPR), Operational Resilience and the FCA’s new rules for Consumer Duty. It is therefore fundamental for firms not only to be aware of upcoming changes, but also to assess and methodically prepare for those changes.

The way forward

The FCA expects firms to take account of their communications and be able to explain actions taken in response. Firms should incorporate this as part of their governance agenda and take the following actions:

  1. Review the contents of this letter and other portfolio letters issued by the FCA that may also have an impact for the business of your firm. All resultant actions identified must be recorded and tracked to completion.
  2. Ensure your firm is ready to meet the Operational Resilience requirements. Preparation for this should already be underway to be ready for March 31, 2022.
  3. Identify all reliance on legacy systems throughout your organisation and develop a plan for modernisation.
  4. For CASS processes and controls – identify where there is a reliance on manual tasks and plan for automation that delivers benefits for your organisation, including enhanced resilience.
  5. Horizon scanning – be aware of all upcoming regulatory changes and assess the potential impact on your firm. Thereafter, plan for how your organisation will meet the new requirements.

At AutoRek, we provide a complete end-to-end CASS solution to help you achieve compliance with CASS and Operational Resilience.

Our solution automates reconciliations, provides real-time MI for SMF and CASS governance teams, and minimises the risk of CASS breaches.