Mon, Feb 8, 2016

CASS: Governance and the Operational Oversight Function (CF10a)

In the aftermath of the collapse of Lehman Brothers, the regulator, the government, other financial services firms and the wider public sought answers to three fundamental questions: what went wrong with CASS compliance, how broad and deep the problem was, and what needed to change.

The doctrine of protection of client assets is enshrined in the Financial Conduct Authority’s (FCA) Principles for Businesses (Principle 10): “A firm must arrange adequate protection for clients’ assets when it is responsible for them”. The regulator’s task in tackling those fundamental questions is vast. It is now estimated that some 1,500 investment businesses hold in excess of £100bn of client money and £11 trillion of safe custody assets, the latter exceeding the GDP of China in 2013.

Alongside specific technical changes and clarifications to the CASS Sourcebook, the regulator found that firms had failed to implement a fit-for-purpose CASS framework, one that identifies and monitors CASS risks while maintaining effective oversight and challenge by senior management. Specific findings included:

  • Weak senior management oversight
  • Fragmentation and confusion over roles and responsibilities
  • Lack of regulatory accountability

As a result, the FSA introduced the CASS operational oversight function, CF10a, in October 2011 for CASS medium and large firms. Under CASS 1A.3.1A R the role of the CF10a includes:

  • Oversight of the operational effectiveness of that firm’s systems and controls that are designed to achieve compliance with CASS
  • Reporting to the firm’s governing body in respect of that oversight
  • Completing and submitting a CMAR to the FCA in accordance with SUP 16.14

In CASS small firms, responsibility for the firm’s operational compliance with CASS must instead be allocated to a director or senior manager performing a significant influence function.

However, despite this renewed focus on CASS, the FCA continues to find a range of issues with CASS compliance, including failure to introduce adequate organisational arrangements, a lack of CASS oversight and inadequate CASS management information (MI).

The CF10a, with support and challenge from the governing body, must build and maintain the CASS control framework, including a complete picture of CASS risks and a detailed understanding of how those risks are managed. Management is then responsible for CASS oversight, including visibility that the relevant controls exist, are adequate and are working; visibility of control outputs; an overview of clients’ current exposure; and the receipt of, and challenge to, Management Information (MI).

However, all too often firms still take an outdated and overly simplistic approach to CASS compliance, focusing predominantly on the simple segregation of client assets from firm assets rather than on a holistic assessment of, and compliance with, the CASS rules. This is often caused by a lack of detailed understanding of CASS requirements at both operational and management levels.

We outline below some of the key issues with respect to CASS governance and the role of the CF10a:

CASS Risks
Firms do not fully appreciate which CASS rules apply to them, nor do they understand their CASS risks: where and how client assets arise, the detailed front-to-back procedures that handle them, and how fraud could occur.

Best practice includes creating the firm’s CASS Regulatory Footprint: mapping all actual and potential scenarios in which client assets may arise, following client assets from receipt or creation to the point of return or outward transfer, and identifying every point in operational processes at which CASS risks could arise.

Implementing mitigating controls
Because many firms cannot fully identify their CASS risks, they consequently lack relevant controls, implement ineffective controls, or implement controls that do not match their CASS risks.

Best practice includes the design of appropriate preventative and detective controls, oversight of the new product process, and documentation of controls that references the CASS risks they mitigate and is kept up to date.

Use of technology
Firms often rely on Excel to manage their CASS compliance, including reconciliations. Such spreadsheets are frequently poorly designed, contain formula errors and have no built-in checks.

Best practice sees firms leverage technology to provide segregated user access (inputter/reviewer), automated reconciliation tools, audit trails and automatic feeds from third parties.

Monitoring of controls
Firms often monitor mitigating controls ineffectively: there is little focus on control performance and operational effectiveness, and controls are not adapted as business practices change.

Best practice includes ongoing monitoring by the CF10a of mitigating controls, including the performance of reconciliations and the handling of exceptions, the maintenance of acknowledgement letters, and adaptation to change in both new and existing product lines.

Oversight of third party administrators/custodians
Firms continue to face risks rooted in the misguided belief that operational risk can be outsourced; a firm that outsources a CASS process remains responsible for compliance with the rules.

Best practice includes clear oversight and review of third party administrators and other outsourced providers including regular contract review, performance review and operational liaison.

Management Information
Firms often produce limited or ineffective MI for both the CF10a and the governing body: a lack of trend analysis, insufficient focus on key risks and themes, and insufficient focus on how CASS risks are being managed and mitigated.

Best practice includes MI that allows the CF10a to adequately monitor and oversee the CASS arrangements, including breaches and errors, and that gives the governing body sufficient information to provide effective challenge to the CF10a.

Reporting to governing body
The Board and/or the relevant committee is often unable to challenge the CF10a effectively, owing to a combination of insufficient CASS knowledge and unawareness of the firm’s full CASS requirements.

Best practice includes upskilling the relevant governing body, an engaged Board and Non-Executive Directors, and the receipt of clear, fit-for-purpose MI that supports effective challenge.

Compliance monitoring
Notwithstanding all of the above, firms often have inadequate compliance monitoring of their CASS arrangements.

Best practice includes a fit-for-purpose CASS compliance monitoring program, built from the Regulatory Footprint and a Compliance Risk Assessment that identifies the key areas of focus.

Duff and Phelps’ Regulatory Consulting Practice has significant experience in designing and implementing CASS frameworks and is regularly appointed by firms to review all or part of their CASS arrangements or to undertake Skilled Persons reviews.

We can help your firm:

  • Undertake a bespoke review or a shadow Section 166 review of all or part of your CASS arrangements, including an assessment of the design and operating effectiveness of controls
  • Undertake a gap analysis of your CASS control and governance framework against FCA requirements and best practice
  • Assist you in designing and implementing a CASS change program
  • Work with you to enhance your firm’s governance and reporting framework
  • Provide tailored training to key CASS stakeholders and senior management
  • Work with you to turn your CASS MI into a strategic risk management tool
  • Design, implement or review your CASS compliance monitoring arrangements