cass seminar - tisa · cass seminar 24th january 2017 ... partner and paul leech, ... application...
@uktisa@uktisa
CASS Seminar
24th January 2017
Deloitte LLP, New Street Square, London EC4A 3BZ
Mike Williams, Partner - Chair
Deloitte LLP
Agenda
• Opening remarks by – Mike Williams, Partner, Deloitte LLP - Chair
• Mike Williams, Partner and Paul Leech, Director, Deloitte LLP ‘FRC CASS Assurance Standard’
• Ash Saluja, Partner and Alison McHaffie, Partner, CMS Cameron McKenna LLP ‘CASS Oversight – satisfying regulatory requirements and expectations’
• Jonathan Dark, Group CF10a, Smith & Williamson ‘CASS Resolution Pack – practical tips, lessons learnt’
• Nick Kinseley, Head of CASS, RBC Wealth ‘CASS Oversight in practice’
• Coffee Break
• Shaid Moughal, Head of CASS, Standard Life ‘Cleared Funds’
• Mike Sims, APS Finance Manager, Elevate part of Standard Life ‘Oversight and Governance – lessons from Aviva’
• Karen Bond, Director, Walbrook Partners ‘Gaps in meeting the new CASS Assurance Standards’
• Robert Forbes, Director of CASS, RBC Treasury & Investor Services ‘How to prepare for your next FCA visit’
• Hanish Arora, Director CASS, KPMG ‘The expectations of the second and third lines of defence’
• Closing remarks by Mike Williams, Chair
Mike Williams, Partner & Paul Leech, Director
Deloitte LLP
24 January 2017
FRC Client Assets Standard
FRC Standard
Rules mapping, risk assessment and internal controls
Background of the FRC Client Assets Assurance Standard
Financial Reporting Council (‘FRC’) Standard “Providing Assurance on Client Assets to the Financial Conduct Authority” was published in November 2015 and it is applicable to CASS Auditors
The FRC Client Assets Assurance Standard replaces reporting under Bulletin 2011/2 and Bulletin 3
Bulletins provided auditors with guidance that was “persuasive” whereas the Standard is “prescriptive”, i.e. now a requirement rather than guidance
FRC Client Assets Assurance Standard effective for periods commencing on or after 1 January 2016
Scope of the FRC Client Assets Assurance Standard in relation to the CASS rules has not changed, i.e. still limited to compliance with the rules in CASS 3, 6, 7 and 8 (where applicable) for “during the period” and “as at the period end”
Where the firm outsources functions to a Third Party Administrator (“TPA”) the CASS auditor and the firm should explicitly set out the rights of access to the TPA in the engagement letter
The CASS auditor is required to adopt an insolvency mind-set, which places greater emphasis on evaluating whether the firm’s processes and controls are deemed adequate to ensure protection of client assets in the event of insolvency
Reporting under the FRC Client Assets Assurance Standard significantly raises the bar from previous reporting regime – particularly for reasonable assurance engagements where a firm holds client money and / or custody assets
Firms are expected to have in place from 1 January 2016 a CASS risk and control framework which includes CASS risk assessment, CASS rules and controls mapping for every applicable CASS rule, and clear roles and responsibilities for CASS in the three lines of defence framework.
Significant increase in scope
Key changes under the new FRC Standard
3. CASS Control Activities
1. Control Environment over CASS , i.e. Governance
2. CASS Risk Assessment
1st line Self Assessment
Compliance Monitoring
Internal Audit
4. Information and Communication
‘Tone from the top’ and CASS risk appetite
Management information, reporting and escalation
Regulated Firm
Identification, Segregation, Reconciliations, Books and Records
Third Party Administrators (if applicable)
6. Other matters to consider
CMAR
5. CASS Monitoring Activities
New products and services
Change management, IT and business recovery
CASS Rules Mapping and Risk Assessment
Key changes under the new FRC Standard
Factors affecting significance of the risk
Factors affecting likelihood of the risk occurring
Highly significant
Very likely
CASS Rules Applicability
CASS 3.x.x R: No - rationale
CASS 7.x.x R: Yes - interpretation
CASS 6.x.x R: Yes
… …
CASS 7.x.x R: Yes
CASS 8.x.x R: Yes
Risk Description / Inherent Risk
CASS Risk 1: H
CASS Risk 2: L
CASS Risk 3: L
CASS Risk 4: M
…: M
CASS Risk 999: M
Actions taken by firm / Residual Risk
E.g. Mitigate with Control 1: M
E.g. Mitigate with Control 2: M
E.g. Accept Risk (unlikely action): M
E.g. Mitigate with Control 3: L
One-to-one, one-to-many or many-to-one relationships
Firm’s risk assessment should consider each relevant CASS rule that applies to the firm, i.e. rule by rule applicability matrix
CASS auditor to evaluate firm’s process for identifying risks relevant to compliance with CASS, evaluating significance of the risk, likelihood of their occurrence, and actions to address those risks.
CASS auditor to raise an observation if it identifies a risk that management has failed to identify.
Internal controls
Background and context – COSO 2013
• The COSO 2013 Framework provides a formal structure for the design and evaluation of the effectiveness of internal control
• It categorizes controls into five components, and each component is addressed by a variety of principles and points of focus
Five components of internal controls (based on the COSO 2013 framework)
Control
Environment
Risk
Assessment
Control
Activities
Information
&
Communication
Monitoring
Activities
Indirect controls
Direct controls
Indirect controls
© 2016 Deloitte LLP. All rights reserved.
Control design
Key design factors (1)
Appropriateness of the purpose of the control:
• Explicitly demonstrate how the control addresses the identified risks
• Ensure all risks the control is mapped to are addressed
Appropriateness of the control considering the nature and significance of the risk:
• Preventative vs detective – to address timeliness of the control, e.g. immediate segregation of client money
• For more significant risks, identify and implement a mix of controls, including process level controls over the transaction flows
• The greater the inherent risk, the more precise the controls are expected to be
Competence and authority of control performer:
• Ensure the experience is appropriate in the control area
Frequency and consistency with which the control is performed:
• Consider the required frequency of the control based on the risk
• Is the control timely to prevent or detect an error, e.g. 10 day allocation rule and reconciliation frequency?
Level of aggregation and predictability:
• Assess whether the aggregation is sufficiently direct and precise to address the risk
Control design
Key design factors (2)
Criteria for investigation/ process for follow-up:
• Investigation is a key part of the control; ensure the reviewer can identify matters for further follow-up and magnitude of such items
• Ensure timeliness of their investigation and follow-up
• If thresholds should be applied, make these explicit where possible
Dependency on other controls or information:
• Understand if the control is dependent on other controls, including effective GITCs, or information (data or reports)
Disclaimer
This publication has been written in general terms and therefore cannot be relied on to cover specific situations; application of the principles set out will depend upon the particular circumstances involved and we recommend that you obtain professional advice before acting or refraining from acting on any of the contents of this publication. Deloitte LLP would be pleased to advise readers on how to apply the principles set out in this publication to their specific circumstances. Deloitte LLP accepts no duty of care or liability for any loss occasioned to any person acting or refraining from action as a result of any material in this publication.
CASS Contacts
Mike Williams, Partner
Tel: +44 (0) 207 303 5407
Mobile: +44 (0) 7785 528831
Dennis Cheng, Director
Tel: +44 (0) 207 303 6970
Mobile: +44 (0) 77 8797 4225
Paul Leech, Director
Tel: +44 (0) 207 303 5398
Mobile: +44 (0) 7770 867712
Anna Dawson, Associate Director
Tel: +44 (0) 113 292 1688
Mobile: +44 (0) 7887 628699
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.co.uk/about for a detailed description of the legal structure of DTTL and its member firms.
Deloitte LLP is the United Kingdom member firm of DTTL.
Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675 and its registered office at 2 New Street Square, London EC4A 3BZ, United Kingdom. Tel: +44 (0) 20 7936 3000 Fax: +44 (0) 20 7583 1198.
Ash Saluja, Partner and Alison McHaffie, Partner
CMS Cameron McKenna LLP
CASS Oversight:
Satisfying regulatory requirements and expectations
Ash Saluja, Partner and Alison McHaffie, Partner
CMS London
24 January 2017
Looking at ………….
The legal and regulatory responsibilities
The FCA focus
What to do if you identify a CASS breach
When enforcement takes action and lessons to be learned
CF 10A
CASS auditor
Outsource service provider
Board
Where responsibility can exist
SUP 10A.7.9 - Dynamic responsibility?
Oversight of the operational effectiveness of the firm's systems and
controls that are designed to achieve compliance with CASS
Reporting to the firm's governing body
Completing and submitting CMAR
CASS operational oversight function (CF10A)
Distinction between consultancy and audit roles
If auditor finds a problem - immediate breach
If auditor finds nothing - no comfort
CASS Auditor
CMAR
CASS Resolution Pack
Board reports
CASS audit reports
Trust letters
Checkpoints
Choice of outsourcing provider
Terms of agreement, SLAs etc
Adequate monitoring
Adequate access
Outsourcing CASS responsibility
SYSC 4.1.1 - A firm must have robust governance arrangements,
which include … internal control mechanisms, including sound
administrative and accounting procedures ….
SYSC 4.1.10 - A common platform firm must monitor and, on a regular
basis, evaluate the adequacy and effectiveness of its systems,
internal control mechanisms and arrangements established in
accordance with SYSC 4.1.4 R to SYSC 4.1.9 R and take appropriate
measures to address any deficiencies.
Responsibility of the Board
Held separately on trust
Duty to return assets to client
Duty to account for income
Duty to monitor third party custodians
Legal responsibility for client assets
Held on statutory trust
Trust letters
Duty of diversification
Prudent segregation
Legal responsibility for client money
The FCA focus
“We will continue to ensure firms have appropriate mechanisms to protect client
assets to ensure consumers are protected in the event of failure.”
FCA Business Plan 2016/17
FCA continues to focus on this area:
• Increasing the supervision of firms holding client money and safe custody of assets through
more intrusive visits to firms, thematic projects and desk-based reviews, actions initiated
through CMAR /audit information and taking regulatory action where firm failings are
identified.
• Increasing use of attestations
• S166 skilled person reports (14 over last 18 months – about 20% of all s166)
• 3 of 8 enforcement actions against firms in 2016
FCA expects firms and senior management to learn lessons from enforcement action
• “We have issued repeated warnings to the industry on the importance of complying with
client money rules which are designed to ensure that client money is adequately protected in
the event of a firm failing. There can be no excuses given these warnings and the stakes
involved” “Senior management are ultimately responsible for ensuring that firms are
following our rules”
Mark Steward, Director of Enforcement and Market Oversight at the FCA, July 2016
What if you identify a breach of CASS?
Identify:
• What has gone wrong?
• How significant is it?
• Length/frequency of breach?
• Evidence of any weaknesses in controls?
• Is remedial action required?
Notify FCA depending on significance/ materiality of breach
• Principle 11 – anything which the regulator might reasonably expect notice
• SUP 15.3.11R – significant breach of rule
• CASS specific notification rules – “without delay”... if unable or materially fails to
comply with various CASS requirements (see CASS 6.6.57 & 7.15.33 etc)
Ensure self reporting is prompt, clear and provides assurance that management is in
control and appropriate remedial action is being taken
Consequences of failure
What goes wrong
Triggers for investigation & enforcement action:
• Actual loss for clients
• Risk of loss to clients and risk of set off by banks
• Risk of delay in return of money
• Failure to heed warnings – “firms….should ensure they continue to strengthen
their management, oversight and controls in this area”
• Lengthy breaches
• Systemic importance of firm
• Failure to identify, notify & false attestations
• Governance or cultural failings
• Previous fines
Breaches of:
• Principle 10 (adequate protection for clients’ assets) & Principle 3 (systems &
controls)
• CASS rules
• Statements of Principle for Approved Persons (APER or COCON) for individuals
What has gone wrong?
Failure to:
• Segregate (commingling with firm’s own funds)
• Carry out sufficient due diligence on institutions holding monies
• Recognise firm is “holding” client money
• Obtain trust letters
• Perform client money calculations and reconciliations accurately and promptly
• Keep adequate records to distinguish one client’s money from another
• Manage acquisitions and re-organisations, weakening CASS oversight
• Use appropriate naming conventions to make it clear it was client money
• Cover shortfalls and notify FCA
• Have adequate oversight and controls over TPAs
• Oversee, monitor and obtain adequate MI
• Train relevant staff
• Carry out sufficient enquiries before providing affirmations to FCA
Penalties
FCA has discretion to increase or decrease in 5 step framework and can decide
that average balance of client money/assets is not an appropriate indicator.
Higher fines
Risk of individual action against senior management where there is personal
responsibility for failings (see Philip July 2016)
Most cases settle - 30% discount
Level of seriousness | Percentage – Client Money | Percentage – Safe custody assets
Level 1 | 0 | 0
Level 2 | 1 | 0.2
Level 3 | 2 | 0.4
Level 4 | 3 | 0.6
Level 5 | 4 | 0.8
How to handle a CASS investigation
Some practical points………
Seeking to avoid an enforcement referral
• Robust systems and controls kept under review
• Prompt and effective notification of any breaches
• Accurate attestations
• Firm identifies and carries out remedial action on own initiative
• No risk of loss or delay
• Good and constructive relationship with supervisors
Managing an investigation effectively
• Prompt and well ordered response to requests for information and well prepared
interviewees
• Put issues in context and show actions were reasonable
• Seek to understand FCA’s concerns and address them early in the process
• Demonstrate lack of risk to client assets – consider expert IP evidence
• Show lessons learned and acted on by firm
• Settle where appropriate
CMS Legal Services EEIG (CMS EEIG) is a European Economic Interest Grouping that coordinates an organisation of independent law firms. CMS EEIG provides no client services. Such services are solely provided by CMS EEIG’s member firms in their respective jurisdictions. CMS EEIG and each of its member firms are separate and legally distinct entities, and no such entity has any authority to bind any other. CMS EEIG and each member firm are liable only for their own acts or omissions and not those of each other. The brand name “CMS” and the term “firm” are used to refer to some or all of the member firms or their offices.
CMS locations:
Aberdeen, Algiers, Amsterdam, Antwerp, Barcelona, Beijing, Belgrade, Berlin, Bratislava, Bristol, Brussels, Bucharest, Budapest, Casablanca, Cologne, Dubai, Duesseldorf, Edinburgh, Frankfurt, Geneva, Glasgow,
Hamburg, Istanbul, Kyiv, Leipzig, Lisbon, Ljubljana, London, Luxembourg, Lyon, Madrid, Mexico City, Milan, Moscow, Munich, Muscat, Paris, Prague, Rio de Janeiro, Rome, Sarajevo, Seville, Shanghai, Sofia, Strasbourg,
Stuttgart, Tirana, Utrecht, Vienna, Warsaw, Zagreb and Zurich.
www.cmslegal.com
Jonathan Dark, Group CF10a
Smith & Williamson
CASS Resolution Pack – Hints, tips & lessons learnt
Jonathan Dark – Group CF10a
October 2016
TISA CASS Conference
Table of contents
1 Smith & Williamson Group Overview
2 Introduction to CASS 10 ‘CASS Resolution Pack’
3 CASS 10.1 – Application and purpose
4 CASS 10.2 – Core content requirements
5 CASS 10.3 – Existing records which form part of the CASS RP
6 CASS Resolution Pack internal policy
7 Oversight, governance and review
8 Annual, monthly & weekly testing – common issues
9 Insolvency Practitioner Master document
10 CASS 10 key requirement considerations
Independently owned multi-disciplinary professional and financial services group;
Combines an accountancy firm* with investment management and private banking house;
The group includes: private bank, custodian, in-house broker and in-house ACD;
Around £16.5bn of funds under management and advice;
Offices in Belfast, Birmingham, Bristol, Cheltenham, Dublin, Glasgow, Guildford, Jersey, London, Manchester, Salisbury and Southampton; and
Around 1,600 people in 13 offices in the UK, Republic of Ireland and Jersey, of which over 170 are qualified investment managers.
*Top 10 largest firm of accountants in UK according to the Accountancy Age league table, 2015
Smith & Williamson Group Overview
The CASS Resolution Pack was introduced in 2012 in light of the Lehman Brothers and MF Global insolvencies.
The CASS Resolution Pack is designed to facilitate the timely distribution of client assets in the event of an insolvency.
CASS 10.1.2G states: ‘The purpose of the CASS resolution pack is to ensure that a firm maintains and is able to retrieve information that would, in the event of its insolvency, assist an insolvency practitioner in achieving a timely return of client money and safe custody assets held by the firm to that firm's clients.’
CASS 10 applies to all firms who have to comply with CASS 6 ‘custody assets’ and/or CASS 7 ‘client money’, regardless of size.
CASS 10 remains a key area of focus for the FCA and failings continue to be highlighted, as evidenced by the Aviva fine.
CASS 10 is split into three sections:
• Application, purpose – 10.1
• Core content requirements – 10.2
• Existing records forming part of the CASS Resolution Pack – 10.3
Introduction to CASS 10 ‘CASS Resolution Pack’
The key elements of CASS 10.1 – Application purpose:
CASS 10.1.7R: adequate arrangements to retrieve information within 48hrs; and
CASS 10.1.8R: adequate arrangements with group companies.
CASS 10.1.9E(1) the following should be retrievable immediately:
• (a) a document identifying the institutions that hold client money/ assets;
• (d) & (e) internal and external custody asset reconciliations; and
• (f) & (g) internal and external client money reconciliations.
CASS 10.1.9E(2): continued operation of systems to maintain a CASS resolution pack in the event of insolvency;
CASS 10.1.11R: ensure the CASS RPs are reviewed periodically and material changes made within 5 business days; and
CASS 10.1.14R: CF10a must report at least annually to the governing body in respect of compliance with CASS 10.
CASS 10.1: Application & purpose
The key elements of CASS 10.2 are:
CASS 10.2.1R: a CASS RP must include:
– Master document to enable an IP to retrieve all of the information;
– A document outlining the institutions and account numbers where client money & assets have been placed;
– A document outlining each Senior Manager & Director critical to the operation of CASS controls; and
– Identify the CF10a.
CASS 10.2.1R:
– Executed agreements with third party institutions;
– Procedures for management, recording and transfer of client money & assets.
CASS 10.2.3R: name, postal address, email and telephone number of each institution appointed to hold client money & assets.
CASS 10.2 – Core content requirements
CASS 10.1.3R states the CASS RP should include:
(1) CASS 6.3.2A R: custody asset due diligence reviews;
(2) CASS 6.4.3 R: where firms use custody assets;
(3) CASS 6.6.2 R and CASS 6.6.3R: custody assets held for each client;
(4) CASS 6.6.6 R: client agreements regarding a firm’s right to use;
(4A) CASS 6.6.8 R: internal and external custody asset reconciliations;
(5A) SYSC 6.1.1 R: policy and procedures for carrying out record checks and reconciliations;
(6) CASS 7.13.25 R: client money due diligence reviews;
(7) CASS 7.15.2 R, CASS 7.15.3 R and CASS 7.15.5 R: client money held for each client;
(7A) CASS 7.15.7 R: internal and external client money reconciliations;
(10) COBS 3.8.2 R (2)(a) and COBS 3.8.2 R (2)(c): client categorisation; and
(11) COBS 8.1.4 R: retail and professional client agreements.
CASS 10.3 – Existing records which form part of the CASS RP
S&W have an internal policy which explains how we comply with CASS 10. The policy is reviewed annually by our CASS Oversight Committee and includes:
• Location, structure and format;
• Access & retrieval plans - explanation of how information would be obtained within the required timeframes (immediately or within 48hrs);
• External advisors – explanation that information will be made available to third parties appointed by the Insolvency Practitioner;
• Accuracy & completeness of information – an explanation of how we ensure the accuracy and completeness of the information within the RP, e.g. weekly, monthly and annual attestations/ reviews;
• Ownership – outlines who has been delegated responsibility on a day to day basis to ensure the CASS RPs are up to date;
• Material changes – defines what the firm classifies as a material change; and
• FCA notifications – explains when the firm would notify the FCA.
CASS Resolution Pack internal policy
It is key to ensure the firm has a strong oversight, governance and review process regarding the CASS RP. This could include:
• An annual review of the internal CASS RP policy by the CASS Oversight Committee (“CASSOC”); and
• Annual reviews of the CASS RPs by CASS department/ specialist with findings reported to your CASSOC, senior management committee(s) and respective governing bodies.
A 2nd line of defence review by Compliance may also be considered.
To ensure the CASS RPs remain accurate and up to date consider the following controls:
• Monthly testing of hyperlinks by CASS RP owners. Attestations that the hyperlinks all work and the information is complete/ accurate; and
• Weekly attestations from CASS RP owners that there are no changes required.
Oversight, governance and review
The common issues which typically arise from the weekly, monthly or annual reviews are:
• Hyperlinks, hyperlinks, hyperlinks…;
• Structure and format inconsistencies across regulated entities;
• Out of date file paths;
• Out of date information e.g. new bank accounts/ custody depots etc. not communicated to CASS RP owners;
• Staff changes not communicated to CASS RP owners;
• Failures in attestation process due to annual leave or absence;
• CASS rule reference errors (PS14/9 changes); and
• Proactive management of weekly and monthly attestation process.
Periodic training is key for CASS RP owners and individuals responsible for key documents to ensure a robust attestation process.
Annual, monthly & weekly testing - Common Issues
Under CASS 10.2.1R(1), firms are required to have a master document sufficient to retrieve each document within the CASS RP. We have an ‘Insolvency Practitioner Guide’ which includes the following information:
• Location and intranet page of the CASS RPs;
• IP login details and password request process to S&W network (super user access);
• IP email address (Insolvency.Practitioner@smith.....);
• IP phone number and internal extension;
• Instructions on how to access the specific pages on our intranet; and
• CASS RP owners.
The policy is reviewed annually by our CASS Oversight Committee.
Insolvency Practitioner Master Document
We have also reviewed each process flow and procedure manual to identify the IT systems used in maintaining our CASS RP and the management, recording and transfer of custody assets and client money.
This is primarily to:
• Ensure the IP has access to or can obtain access to these core systems promptly (Excel/ internet explorer/ platforms/ sub custodian records etc.);
• Outline where applications can be found (desktop/ request from IT); and
• Explain how and where login and passwords can be obtained (IT/ system provider/ employee).
The process of drafting this document provided assurance that an IP could retrieve all information within the required timeframes and has the necessary IT access.
Insolvency Practitioner Master Document (cont.)
We have created an IP user who can log into and have access to our IT system. This required the following:
• IT create a ‘Global User’ with group wide access;
• Understanding of the firm’s structure, format and restrictions over IT drives to ensure the IP has group wide access, ‘Global User’;
• Global User authorisation process may need to be introduced, agreed upon and approved by governing body/ CASS Oversight Committee;
• Confirm Global User works by testing the ability to open all file paths embedded within the CASS RP; and
• Confirm and test using the procedure guides embedded to retrieve information on custody assets and client money both from internal systems & all external third party systems e.g. CREST.
We identified that an IP would need an email and phone extension in order to work effectively. We recommend firms simulate being an IP once set up (and periodically thereafter).
Insolvency Practitioner Master Document (cont.)
Firms may want to consider the following:
• CASS 10.2.1R(9): Procedures to transfer client money – do they contain website addresses, login details, instructions on how to obtain passwords for each third party bank;
• CASS 10.2.1R(8)(b) – As above but for all sub-custodian(s);
• CASS 10.1.8R – Internal agreements to provide information e.g. separate legal entities (Front Office);
• CASS 10.1.9E(2) – Novating contracts for key IT systems to separate non-trading group service company to ensure the services continue in the event of insolvency;
• Executed agreements with third party banks – standard terms & conditions may be contained on the bank’s website; and
• CASS 10.3.1R(11) – Location and access to retail client agreements (paper/ electronic/ storage).
CASS 10 – key requirements considerations
Nick Kinseley, Head of CASS
RBC Wealth Management
Nick Kinseley, Head of CASS
CASS Oversight in Practice
Objectives
• Background
• Assumptions
• Understanding the TA Process
• BAU Monitoring
• CASS Training
• Governance
• Long Term Oversight
26 January 2017 Legal entity / line of business | Presentation Title
Background
• The firm employing outsourced provider retains the regulatory responsibility
• Major focus of the FCA
• Inclusive of TPAs, offshore processing and internal outsourcing
• Aviva Fine
• Failure to monitor outsourced services
• Tone used in the text of final report
• Aviva failed to act on previous external audit findings
Wake up call for the industry
Assumptions
• Due diligence completed
• Contracts in place
• SLAs in place
• Sufficient CASS knowledge within firm
• Key individuals identified
Understanding the Outsourced Process
• Regular reviews of the procedures
• Understanding of the business model
• Review of documentation relating to cash and asset flows
• Record Keeping
• NNA or ICBM?
• ISEM or Internal Custody Reconciliation?
• RP process?
• CMAR support?
• Internal policy statements to support the above?
BAU Monitoring and Oversight
• Daily cash reconciliation reviews, including breaks
• Asset reconciliation reviews, including breaks
• Daily breach reviews, including root cause analysis
• Reviews of key cashflows i.e. shortfalls
• Diversification process
The regulated firm must create a formal oversight process to evidence all checks made
CASS Training
• What CASS training does your outsourced provider have in place?
• Is it sufficiently comprehensive?
• What staff members does it cover?
• What is the process to identify staff and track the progress of training?
• How are results of assessments monitored?
• Is it tailored to the roles and responsibilities of staff?
• Does it provide continuous improvement and knowledge sharing?
• Does your outsourced provider attend industry forums?
Governance
• What governance structure is in place?
• Where does CASS fit into the overall structure of the organisation?
• Does CASS receive sufficient focus at all levels?
• What is the culture like?
• Is there an independent CASS Committee?
• What is the governance process around changes to processes and systems?
• Are attestations used within the organisation?
Longer Term Oversight
• Regular SLA reviews including CASS
• Annual due diligence
• RP tests
• One off deep dives
• Compliance/audit reviews within outsourced provider
® / ™ Trademark(s) of Royal Bank of Canada. Used under licence.
Thank you
Shaid Moughal, Head of CASS
Standard Life
Cleared Funds
TISA CASS Seminar
October 2016
Shaid Moughal Head of CASS
Agenda
• Cleared Funds
• Shortfalls
• Prudent Segregation
• Prefunding
• Governance
• Questions
Cleared Funds
‣ A key principle of CASS is that client money is held according to the statutory trust requirements (CASS 7.17).
‣ This section creates a fiduciary relationship between the firm and its client under which client money is in the legal ownership of the firm but remains in the beneficial ownership of the client
‣ However, a firm is not permitted, in its capacity as trustee, to allow one client’s money to fund another client’s transactions.
“Peter’s money should not be used to fund Paul’s transactions”
‣ 7.17.5 G: The statutory trust under CASS 7.17.2R does not permit a firm, in its capacity as trustee, to use client money to advance credit to the firm's clients, itself, or any other person. For example, if a firm wishes to undertake a transaction for a client in advance of receiving client money from that client to fund that transaction, it should not advance credit to that client or itself using other clients’ client money (i.e., it should not ‘pre-fund’ the transaction using other clients’ client money).
Cleared Funds
The PS14/9 feedback stated that a firm should not rely upon its internal
reconciliation to determine whether or how much client money it should
segregate.
Instead, the internal reconciliation should be used as an internal control to verify
that the amount of client money segregated meets the firm’s obligations to clients.
The FCA had “clarified” the requirement to address shortfalls that arise the day
before reconciliation is performed....
“CASS 7.12.3 G: The risk of loss or diminution of rights in connection with client
money can arise where a firm’s organisational arrangements give rise to the
possibility that client money held by the firm may be paid for the account of a
client whose money is yet to be received by the firm. Consistent with the
requirement to hold client money as trustee (see CASS 7.17.5G), a firm should
ensure its organisational arrangements are adequate to minimise such a risk.”
Shortfalls: How could a shortfall arise?
‣ A risk of shortfall can arise through many different scenarios depending:
‣ Where contractual settlement exists on the client side but not on the market side
‣ Transaction settlement shortfall
‣ Intra-day exposure between the receipt and payment of client money
‣ Switches, e.g. T+4 funds to T+1 funds
‣ Work conducted on non-business days that results in a difference in the sequence of receipts and payments
‣ Timing of the removal of fees and account charges
‣ Bounced cheques and rejected direct debit receipts
‣ BACS payments which leave the account before expected receipts arrive
‣ Internal systems failures
‣ Banking systems failures
Shortfalls: What do you need to understand about shortfalls?
‣ Identify the contractual obligations of the firm
‣ Understand and document the transaction flows, particularly the timing of money movements
‣ Identify whether shortfalls could or could not arise (document the scenarios)
‣ Determine any mitigations (which may be funding but could be others)
‣ Consider financial resources available to provide funding
‣ Establish and document the processes required
‣ Review with business areas, 2nd and 3rd lines of defence, (auditors, etc.)
‣ Monitor actual money movements and test whether shortfalls arise
‣ Document a policy towards shortfalls and funding
Shortfalls: How can shortfalls be managed?
‣ Change processes
‣ Changing T&Cs and/or processes and systems to avoid the risk of a shortfall arising
‣ Not funding
‣ Establish why shortfalls will not arise & justify the rationale for not funding
‣ Prudent Segregation
‣ For exposures when the amounts and/or the timing of the exposures
cannot be calculated precisely.
‣ Prefunding
‣ For exposures where an event has been identified that will cause a
quantifiable shortfall.
Prudent Segregation
‣ “Prudent Segregation” in the context of CASS relates to the activity in which a regulated investment firm for Client Money is permitted and decides it is prudent to treat its own money as client money and then segregates that money in a client bank account.
‣ CASS 7.13.41R to 7.13.53R
‣ For firms that operate the alternative approach this is mandatory where they are required to hold a “Mandatory Prudent Segregation Amount”.
Prudent Segregation: What do the rules say?
‣ CASS 7.13.41R – if prudent to do so to prevent a shortfall in client money on the occurrence of a primary pooling event, a firm may pay money of its own into a client bank account and subsequently retain that money in the client bank account (prudent segregation). Money that the firm retains in a client bank account under this rule is client money for purposes of the client money rules and the client money distribution rules.
‣ CASS 7.13.48R – to the extent that the firm no longer considers it prudent to retain money in its client bank account pursuant to CASS 7.13.41R in order to ensure that client money is protected, the firm may cease to treat that money as client money.
‣ CASS 7.13.49R – any money that the firm ceases to treat as client money pursuant to CASS 7.13.48R must be withdrawn from its client bank account as an excess…as part of its next [internal client money reconciliation].
‣ Funding should NOT be used as a fix for inadequate systems or controls or bad recordkeeping
Prudent Segregation: Documentation
‣ Prudent Segregation Policy & Record
‣ The policy must be approved by the firm’s governing body and retained for at least five years after the date it ceases to retain such money as a prudent segregation amount
‣ A Prudent Segregation Record must be up to date and must include specific details on the amount of prudent segregation calculated and the changes to that amount
‣ What should be documented in the policy?
‣ The specific anticipated risks that would be prudent for the firm to protect
‣ Why the firm considers the use of such a payment is reasonable for the firm
‣ The method the firm will use to calculate the amount of money required
‣ Prefunding Policy
‣ Similarly to Prudent Segregation, a policy document relating to the firm’s prefunding approach should be documented as best practice.
‣ It should cover the same components captured in a Prudent Segregation policy.
Prudent Segregation: What should be documented?
‣ Prudent Segregation Record must contain
‣ Outcome of the firm’s calculation of its prudent segregation
‣ The amounts paid into or withdrawn from a client bank account under the prudent segregation rules
‣ Why each payment was made
‣ Whether each payment was made in accordance with the policy
‣ Whether the policy was created or amended for this specific payment
‣ That the money was paid in accordance with the prudent segregation rule
‣ The up-to-date total amount of client money held pursuant to the prudent segregation rules
‣ All records must be held for 5 years
‣ Firms are reminded that payments and records made in accordance with the above should not be a substitute for firms keeping accurate and timely records under their other CASS and SYSC obligations.
Prefunding
‣ Firms may choose to prefund, i.e. put firm money into client money accounts to fund shortfalls that will occur during the course of settlement activity
‣ They may consider prefunding and using prudent segregation along with the other measures to mitigate the risk of a shortfall on the client bank account
‣ When can a firm Prefund?
‣ If the information is available to do so it may be preferable to prefund any payments related to unfunded transactions
‣ This may be when shortfalls arise on an intraday basis and can be prefunded for a short period of time until the expected proceeds are received.
‣ It could be used for covering shortfalls that are easier to calculate and may be predictable such as expected settlement proceeds or BACS payments
‣ It may be more difficult to use prefunding to cover unexpected scenarios such as transaction failures, bounced cheques and failed direct debits.
Governance
Organisational Requirements
‣ CASS 7.12.1R to 7.12.3G
‣ Firms must ensure that they have adequate organisational arrangements in place to minimise the risks to client money
‣ Firms must understand the risks to the business and client money operations and put in measures to minimise those risks
‣ Document the risks, the measures available to mitigate and the decisions taken in response along with the reasons
‣ Check that all funding requirements are in line with the risks documented in the policy papers. Consider making changes to the policy to incorporate any new risks.
‣ Track and monitor the funding requirement and add it to your MI pack that is reviewed by the firm’s CASS committee.
‣ Make it easy for auditors to follow and understand your prefunding processes.
‣ Share your approach with your 3rd party providers who support that part of your business. Review their performance in this process.
Mike Sims, APS Finance Manager, Elevate part of Standard Life
Aviva FCA Fine Overview
24/01/2017
Oversight and Governance – lessons from Aviva Fine
1. Overview of key findings from the FCA Final Notice
2. What has my Firm done on the back of this?
3. Summary
4. Questions
AVIVA CASS FINE
5th October 2016 – In relation to 2 legal entities
Original fine £11.8m
30% Discount for settling at an early stage
Fine Paid £8.2m
WHAT WERE THE REASONS FOR THE FINE?
• Principle 3 (Management & Control)
• Principle 10 (Client Assets)
• CASS Rules
• Chapter 8 (outsourcing) of SYSC
Failings – Principle 3
Oversight
• Failed to implement and maintain adequate policies and procedures to detect and manage the high level of client money and custody assets risks which arose from the Firms’ outsourcing their CASS functions.
• In particular, the Firms failed to carry out adequate and formal compliance oversight and review exercises of both the performance of the TPAs, and the quality of the MI provided by the TPAs, in relation to outsourced CASS functions
Resource & Expertise
• Failed to dedicate sufficient resource and technical expertise to enable them to implement effective CASS oversight arrangements;
Prioritisation
• Failed to prioritise sufficiently CASS compliance, resulting in inadequate oversight of the outsourced CASS functions and the delayed detection and rectification of CASS risks and compliance issues.
Failings – Principle 10
Client Money Rec
• failed to identify and promptly rectify issues within their internal client money reconciliation process resulting in the Firms’ under-segregation of client money
• mislabelled transactions within the Firms’ client money calculations (CASS 7.6.2R and CASS 7.15.3R);
CMAR & CASS RP
• failed to submit accurate CMARs
• held inadequate CASS RPs
Segregation & Supervision
• failed to ensure the adequate and accurate segregation of client money
• the Firms failed to retain the necessary expertise to supervise the outsourced functions effectively and to manage the risks associated with the outsourcing (SYSC 8.1.6R and SYSC 8.1.8(5)R)
Background
• 2012 audit failures – organisational arrangements; £111.69 distn was rec’d for an asset not on firm’s system
• 2013 audit – issues with internal client money rec and concerns over asset records outsourced to a TPA.
• 2013 audit – 4 instances of non-compliance with CASS 6.5.10R identified, involving assets with approx. aggregate value of £1K, after firm confirmed improved processes
• FCA visit in Feb 2015 identified same and similar CASS compliance issues to those identified by external auditors. FCA also noted their Non Standard Method of internal reconciliation not appropriate although auditors had signed it off in 2015
• Aug 2015 – Based on the gravity of the firms’ failures to comply with the CASS rules the FCA required the Firms to appoint a Skilled Person to conduct an independent review (S166)
• Jan 2016 – Skilled Person’s Report confirmed issues identified during the CASS visit and expanded on the issues previously identified by the Firms’ external CASS audit reports
FCA Visit Findings
• In February 2015, the Authority’s CASS Department visited the Firms. During the visit the
Authority identified the same and similar CASS compliance issues to those identified by the
external auditors. These issues were confirmed to the Firms in a letter of 10 August 2015,
which included the following concerns:
(1) serious deficiencies in the Firms’ governance and oversight of CASS functions;
(2) the Firms’ lack of individuals with combined CASS and financial experience;
(3) a convoluted committee structure which, in particular, lacked any dedicated committee
for overseeing the Firms’ outsourced CASS functions;
(4) a lack of CASS specific compliance monitoring reports, particularly given the breadth of
the rule changes following Policy Statement 14/9 and the Firms’ compliance history based
on earlier external CASS audit reports
(5) mislabelling of transactions within the client money calculation, prompting wider
concerns regarding the Firms’ failure to maintain accurate records and accounts and
inadequate organisational arrangements; and
(6) inaccuracies with the Firms’ CMAR submissions given that the Firms had made
disclosures which were inconsistent with SUP 16.14.3.R.
Skilled Persons Finding
• In August 2015, the Authority required the Firms to provide a Skilled Person’s report under section 166 of
the Act. On 29 January 2016, the Skilled Person issued its report, which confirmed issues identified
during the CASS Visit and expanded on the issues previously identified by the Firms’ external CASS
audit reports. The findings included:
a) deficiencies with the Firms’ reconciliation processes resulting in the over- and under-segregation of
client money with the Firms’ under-segregation having peaked at approximately £74.4m during the period
from 10 February 2014 to 9 February 2015;
b) inadequate first (business) and second (compliance) lines of defence in relation to the Firms’
submission of inaccurate CMARs;
c) inaccuracies/failings with the Firms’ CASS RPs in breach of CASS 10.1.3R;
d) the inadequacy of the management information (“MI”) provided to senior management in relation to
CASS breaches, particularly in relation to the Firms’ outsourcing of CASS functions to TPAs; and
e) concerning the Firms’ use of a non-standard client money calculation, the Skilled Person confirmed
that the Firms’ method of internal client money reconciliation did not provide the degree of protection
provided by the standard method as set out in CASS 7 Annex 1G (CASS 7.15.18R and 7.6.8R, and
Annex 1G).
Inadequate organisational arrangements to ensure effective
oversight of outsourced CASS functions
• Outsourcing arrangements are common in the asset management industry in relation to
purchases and sales of investment fund interests for clients. TPAs typically perform back
office activities such as cash and transaction processing, settlement, record keeping,
reconciliations and similar CASS compliance functions.
• In such circumstances, since a firm is one step removed from CASS operations as a result
of its outsourcing arrangements with a TPA, a heightened CASS compliance risk may arise.
A firm is therefore required to ensure that it has robust controls and oversight systems in
place to monitor and identify any issues arising with the TPA’s performance of the CASS
functions for which the firm remains fully responsible.
• This also requires that a firm outsourcing CASS functions ensures that it has adequate
CASS skills, expertise and resources to carry out effective oversight of the TPA.
Inadequate Reconciliation Processes
• During the Relevant Period, the Firms operated a non-standard internal client money reconciliation
method. However, during the CASS Visit, a number of issues with the Firms’ internal reconciliation
process were identified which had resulted in the under- and over-segregation of client money.
• Client money relating to trade purchases was removed from clients’ accounts before trades settled. The
Firms also failed to set aside funding for returned cheques in the reconciliation process which meant that
purchases could potentially be funded using other clients’ money. During the Relevant Period, these
failings in the Firms’ internal reconciliation processes resulted in under-segregation of client money in
amounts ranging from £0.4m to £74.4m during the period from 10 February 2014 to 9 February 2015.
• There were also a number of weaknesses in the design of the Firms’ oversight of their reconciliation
processes. For example, the spreadsheets which the Firms used to record data in the daily and weekly
reconciliation checks did not provide any guidance or parameters to ensure the consistency of checks
conducted. There was also no record of who was scheduled to conduct the daily and weekly checks and
whether those checks had been conducted and if so, by whom.
• Lack of consistency in the checking approach is indicative of the inadequate resourcing in relation to
the reconciliation process.
Client Money and Assets Return
• During the Relevant Period, the Firms lacked a formal system or adequate guidance in
relation to the CMAR process and controls, including in respect of the requirement for the
submission of a monthly CMAR. The Firms’ CMAR procedures did not identify who was
responsible for the completion and review of the Firms’ submissions. The Firms also failed
to provide proper guidance on the extent of review required prior to the Firms’ submission of
their CMARs to the Authority.
• The Firms relied on summary data provided by the TPAs as input data for the Firms’ CMAR
submissions. The Firms also had inadequate technical expertise to effectively challenge the
accuracy of the external data which resulted in delays in the Firms’ detection of CMAR
inaccuracies.
• Overall, the failings associated with the Firms’ CMAR submissions indicated a weak control
environment around the preparation, review and submission of the Firms’ CMARs.
Inaccuracies with the Firms’ CASS RPs
• The Authority identified that for part of the Relevant Period, the Firms did not have a formal control
process in place to ensure effective prevention, detection and remediation of breaches in the
Firms’ CASS RPs.
• In addition, during the Relevant Period the Firms lacked formal controls and formal lines of
responsibility regarding the prevention, detection and remediation of breaches of rules within
Chapter 10 (Resolution Packs) of the CASS Rules.
• In particular, the Authority identified the following failings with the Firms’ CASS RPs: specific
omissions within the Firms’ CASS RPs such as a lack of procedures for recording and transferring
client money and safe custody assets, delays in the Firms’ updating of the CASS RPs for the
opening of new bank accounts and a lack of a clear timetable for the production of the CASS RPs.
• During 2015 the Firms took steps to improve the CASS RP process by implementing a formal
CASS RP checklist but the Firms’ review and updating process remained inadequate.
Inadequacy of CASS resources and technical expertise
• The Firms’ CASS resources were inadequate which undermined their ability to conduct effective
oversight of the TPAs. The Firms’ lack of CASS technical expertise brought about the Firms’
overreliance on the TPAs which further compromised the Firms’ ability to identify, resolve and
report CASS breaches and control weaknesses in a timely manner.
• During the Relevant Period, there was no formal requirement established within the Firms for
CASS training to be undertaken by members of the Firms’ CASS team. Nor were there any formal
training records maintained of any “ad hoc” CASS training completed by the CASS team
members. The Firms have now instituted a formal CASS skills and knowledge matrix for CASS
team members.
• In addition, during the Relevant Period the Firms combined the CF10 and CF10a functions which
further constrained the available resource and technical expertise dedicated to CASS compliance.
• This lack of technical knowledge and experience rendered the Firms incapable of effectively
challenging the TPAs’ performance of the CASS functions.
Failure to prioritise CASS compliance
• The Firms understated the high risks associated with CASS non-compliance which may
have prevented and/or delayed the Firms’ escalation of CASS issues. The Authority
identified inconsistencies in the Firms’ risk rating in relation to CASS oversight. In light of the
CASS breaches identified in the Firms’ external CASS audit reports, the Firms ought to
have accorded CASS compliance a higher risk rating.
• The fact that additional CASS breaches arose in consecutive annual external CASS audits
should have prompted the Firms to re-categorise CASS compliance as high risk. The Firms
did not appear to have had adequate systems and controls in place to challenge the basis
upon which CASS risks had been assessed.
What has our firm done in light of this report?
• Analysed Report in detail and produced a spreadsheet detailing each finding
• Each business area then had to assess and document what controls and processes we have in place to mitigate the issue raised in the report.
• Gap analysis then performed based on consolidated returns to identify any areas where improvements could be made.
• Requested an analysis by our key outsourcer of how they assessed themselves against the findings
• Action plan and summary of findings consolidated into a report for the CASS Governance Committee and Board
• Action plan tracked through to delivery.
Summary
• The final notice from the FCA was extremely detailed; whilst not good news for Aviva, it provided the industry with a good checklist
• Has enabled firms to self-assess their controls and processes against these findings.
• In relation to outsourcers, the FCA has made it clear in the past this was an area they are focussing on, so all firms should have been aware of the focus here.
• Majority of fund managers and Platforms use outsource providers; this report has highlighted how easily you can lose expertise within your business and also fail to understand fully your outsourcer’s CASS model
• Highlighted the importance of focus on CASS within large organisations, especially where it may only be a small part of the overall business performed by the organisation.
Karen Bond, Director, Walbrook Partners
FRC CASS Assurance Standards
- Where are the Gaps?
TISA CASS Seminar
October 2016
© Walbrook Partners Limited
Introduction
The FRC standards for CASS Assurance Reviews require more effort from firms than might be apparent at first.
In many cases the gap between current evidence and controls and those now required is unexpectedly large.
A few examples are discussed in the following slides.
Putting it all together
Business model documentation:
‣ Does it include an overview of the type of business done?
‣ Is it understandable to an external reader?
‣ Does it explain intra-group relationships and activities?
‣ Does it include full cashflow documentation?
‣ Can your staff clearly explain it?
….and is it in your Resolution Pack?
The biggest gap?
Rule/Risks Mapping and Controls
‣ The detail required is often underestimated – every rulebook/every rule?
‣ Explain why rules are out of scope – and controls to ensure it stays that way
‣ Ensure controls are real, specific and can be evidenced
‣ Show regular reviews
If you don’t produce the documentation,
your auditors will!
The chain of evidence
The evidence required has substantially increased
‣ Ensure consistency of the business model, rule mapping, controls, procedures and evidence
‣ Consider how to prove oversight, management etc.
‣ Be prepared to prove all of the figures in reconciliations, including prudent segregation figures
‣ Prove remediation actions, including root causes
Make it easy for the auditors
Failing validation
Is there a gap in your figures?
‣ Be prepared to show the validation of CMAR figures against other sources
‣ Show how you confirm the CASS RP is up to date
‣ Evidence testing of client entitlements, including reconciliation to other figures
From gap to overlap
Three lines of defence:
‣ Is it clear who does what and where the boundaries lie?
‣ How do you preserve independence e.g. compliance advice vs. compliance
monitoring?
‣ How knowledgeable are your 2nd and 3rd lines?
‣ How are activities planned in conjunction with risks?
‣ How are actions followed up?
Culture
How can you evidence a strong CASS culture?
‣ Knowledge and training from the top of the firm down
‣ Consideration of Principles and the clients’ best interests evidenced in decision making and policies
‣ Investment in addressing root causes, whether through manual processes, systems changes or prudent
segregation
‣ Other indicators:
‣ Standards set
‣ Meeting attendance & engagement
‣ Prioritisation
Good luck!
Contact Details
Karen Bond | Director | Mobile: +44(0)7801 [email protected]
Mark Lester | Director | Mobile: +44(0)7702 340 [email protected]
www.walbrookpartners.co.uk
Follow @WalbrookFS on Twitter
….and please support our sponsored Guide dog, Cassie! http://walbrookpartners.co.uk/cassie/
Robert Forbes, Director of CASS, RBC Investor & Treasury Services
‘How to prepare for your next FCA visit’
How to prepare for your next FCA visit
Planning
1. CF10a responsibilities.
2. Documentation.
3. System architecture.
4. People.
5. Close out meeting.
6. Don’t do’s.
7. Post visit follow up.
CF10a Responsibilities
• Ensure the organisation including the most senior people are aware of the visit and that their attendance
may be required.
• Understand the scope of the business - be able to explain the governance structure.
• Understand the firm’s CMAR and associated information that contributes to it.
• As part of the oversight function make sure you understand all the areas of the business and the controls
that are in place.
• Have a CASS plan and be able to talk to it.
• Be able to demonstrate that the firm has a good CASS culture.
• Understand the firm’s CASS breaches and remediation actions.
• Be aware of any outsourcing arrangements that the firm has in place – be able to speak about the
oversight of these.
• Consider project resource, budget, planning, legal costs.
• Be able to demonstrate how you get comfortable that the firm is complying with CASS.
• Sit in on all the meetings if possible – clarify any misunderstandings as you go.
• Book a room, arrange refreshments.
• Co-ordinate timings of people.
Documentation
• CASS governance document.
• CASS management information.
• CASS resolution pack.
• Rules mapping.
• Audit reports.
• Breach logs.
• Accountability matrix.
• Training records.
• Minutes.
• Demonstration of CASS culture.
• Policies and procedures.
• Client files/agreements.
• Custodian agreements and due diligence.
• Reconciliations – Internal, external, ISEM.
• 3 lines of defence.
• Oversight.
Governance framework document
Fully documents the governance structure of the firm, incl. committees, reporting lines,
escalation process.
Details firm’s permissions.
Defines roles and responsibilities of key personnel including the CF10a.
Defines firm’s CASS type.
Details rules mapping process.
Sets out policies and procedures required to support CASS framework.
Sets out the three lines of defence.
Details due diligence requirements.
Sets CASS standards around CASS 6 & 7 specifically details basis of reconciliations,
reconciliations completed, treatment of discrepancies, contractual settlement,
shortfalls, nominee companies, ISEM (if relevant), daily client money reconciliations.
CASS Management Information
Produced monthly by the business for review at the UK CASS Forum and by the
Firm’s governing board.
CASS MI, a key tool in evidencing effective oversight of CASS.
Overall dashboard of CASS status.
Cash and stock reconciliation KPIs. Details on anything over 90 days.
Data for previous reporting month and rolling 12 month basis.
Breach reporting, root cause analysis, area breakdown, breach by rule type.
Diversification of client money.
Trend analysis.
CASS operational risk considerations.
Status of training.
Overview of third party relationships.
Rules Mapping Process
• Assess all processes / procedures and map them to the relevant CASS rules.
• Where gaps exist, complete an impact analysis to assess impact on the firm.
• Where processes and procedures only partially meet the rules, assess remediation action required.
• Identify any recordkeeping documentation requiring enhancing.
• Identify any rules that do not impact the company.
• Produce CASS footprint and money flow diagrams.
Audit Reports
• Understand the findings in Audit reports.
• Consider both internal and external findings as well as compliance reports.
• Be able to demonstrate that follow up actions have taken place and issues resolved.
• Demonstrate procedures, policy and the CASS RP (if applicable) have been updated.
• Evidence that if breaches have been discovered that these have been appropriately logged.
Breach Logs
• Ensure the breach log is up to date, current and complete.
• Demonstrate that you understand the breaches, both in terms of cause and remediation actions.
• Demonstrate interaction between your 3 lines of defence on breaches.
• Be able to talk the FCA through the process of identifying, remediating and analysing breaches.
Accountability Matrix
Columns: Name | Location | Function | Sub-Team | one column per CASS rule: 6.2.1 R, 6.2.2 R, 6.2.3 R, 6.2.3A R, 6.2.3B G, 6.2.4 R, 6.2.5 R, 6.2.6 G, 6.2.7 R, 6.2.8 G, 6.2.9 G, 6.2.10 R, 6.2.11 E, 6.2.12 G, 6.2.13 R, 6.2.14 R, 6.2.15 R, 6.2.16 G, 6.3.1 R, 6.3.2 G
Name | London | Network Management | Network Management | 1 1 1 1 1 1 1 1 1
Name | London | Network Management | Network Management | 2 2 2 2 2 2 2 2 2
Name | London | Shared Services | Entitlements | 1 1
Name | London | Shared Services | Entitlements | 2 2
Name | London | Shared Services | Tax | 1 1
Name | London | Shared Services | Tax | 2 2
Name | London | Client Operations | Transaction Management | 1 1 1 1 1 1 1 1 1
Name | London | Client Operations | Transaction Management | 2 2 2 2 2 2 2 2 2
Name | London | Client Operations | Securities Lending | 2 2
Name | London | Client Operations | Clt Serv and Soltns (Transitions) | 1 1 1 1 1 1 1 1 1 1 1 1
Name | London | Client Operations | Clt Serv and Soltns (Transitions) | 2 2 2 2 2 2 2 2 2 2 2 2
Name | London | IT | IT | 1 1
Name | London | IT | IT | 2 2
Name | London | IT | IT | 2 2
CASS Training
Experienced staff are key to ensuring firm meets its CASS requirements and remains
compliant.
Training programme to be designed and delivered to all staff with CASS touch points.
Different levels of training throughout the firm.
Test to measure effectiveness of training / key learning objectives.
Training records available for inspection to evidence completion of programme.
Annual review of training requirements.
Trained staff prevent breaches and identify systemic failures in procedures.
Training records can evidence continuous learning.
Ensure key staff can speak knowledgeably about the rules impacting them.
Meeting Minutes
• Make sure the minutes of your governance meetings are comprehensive, up to date and
available.
• Key decisions should be recorded.
Demonstration of CASS culture
Examples:
• Posters.
• Breach cards.
• Tested training.
• Good governance.
• Senior engagement.
• New employee welcome meetings.
Policies and Procedures
Form a key part of firm’s CASS governance structure.
Identified in the rule mapping exercise.
Identify requirements to enable firm to remain compliant.
Sets out expectations to job holder. Include specifics in mandates.
Rules referenced directly to procedures.
Client Files / Agreements
• Are your client files up to date?
• Can you locate all the customer agreements?
• Do you have a list of how your clients are categorised?
• Can you demonstrate communication with the client complies with CASS (9.5 for example)?
• Have you considered non-CASS issues, e.g. suitability? The scope of CASS visits can leak.
Custodian Agreements and Due Diligence
• Ensure signed agreements are available.
• Consider side letters.
• Legal opinions supporting registration.
• In date due diligence.
• Account naming reconciliation.
• Acknowledgement letters – are they correct, do they follow the template, correct entities, evidence of signatories – have you moved?
Reconciliations
• Is the basis on which you complete your reconciliations recorded?
• If this is not daily, is this reviewed annually?
• Have you got a full list of reconciliations performed?
• Can you retrieve archived reconciliations going back 5 years?
• Does your reconciliation clerk understand all the items on the rec, and can they speak to them?
• Does the CF10a understand the process, from delivery of the files to closing off of the reconciliation?
• Can they talk to the client money calculation?
• Can you demonstrate you consider shortfalls in your reconciliation process?
• Do you have policies around reconciliations, shortfalls etc.?
• Can you demonstrate entity specific reconciliations?
3 Lines of Defence – How do they interact?
CASS
3rd Line of Defence – Internal Audit: additional level of review.
2nd Line of Defence – Compliance: provide effective oversight, advisory, monitoring and reporting arrangements. Compliance monitoring plan and breach reporting.
CASS Team: responsible for oversight of the firm’s operational compliance with CASS and reporting to the firm’s governing body in respect of that oversight.
1st Line of Defence – Business Ownership and Accountability
Operations Department – Policies and procedures in place to adhere to CASS rules.
Operational Risk Department – Risk Assessments, Heat Maps, Error Investigation.
Outsourcing
Due diligence.
CF10a visits.
Monthly reliable MI.
Effective demonstrable challenge.
Regular meetings between parties.
Minutes.
Regular internal meetings.
SLA including rule requirements.
Scorecard and issue tracking.
Attestations.
Sample checking.
System Architecture.
1. Ensure someone is available who can articulate clearly how your systems enable compliance with the CASS rules.
2. What security processes you have around system access.
3. How you can ensure that the book of records is separate from any other entity.
4. Entity specific reporting.
5. Distinguish one client record from another and from the firm’s.
People
• Ensure that you invite the correct people with relevant experience.
• Make sure that they fully understand the process that they are responsible for.
• Give them interview training. Quiz them about their roles, responsibilities and the CASS rules that impact them. Need to understand the requirements. Grill them.
• Make sure they understand the breaches in their area and can talk to them and any remediation action that the firm put in place.
• Make sure they can articulate the challenges that they face.
• Can they explain how they train their staff and how they ensure the CASS knowledge is applied to the role?
• How do they ensure their staff comply with the CASS rules?
• What monitoring do they have in place?
• What CASS challenges do they face?
• Do not be afraid to challenge the FCA interpretation of a process/event/rule.
Close Out meeting
• Make sure the correct people attend, ensure Senior people are available.
• Make notes of the issues discussed.
• Ensure that any misunderstandings are clarified before the FCA leave. Do not be afraid to challenge.
• Misunderstandings will potentially appear in the FCA report as remediation points.
• Implement any changes asap, do not wait for formal notification from the FCA.
Do’s and Don’ts
Do’s
• Be calm, open, honest and friendly.
• Be able to clearly articulate the process and how CASS is impacted by it.
• Make sure the FCA understand your business – spend time on this as it prevents later issues.
Don’ts
• Make last minute amendments to documentation – you have what you have.
• Rush to amend process and procedures.
• Answer questions where you are not 100% sure of the answer.
Post Visit follow up
• Follow up letter from the FCA within 8 weeks of visit.
• Possible / likely to have some remediation points and target completion dates.
• Must treat seriously.
• Put together a working team if required, have project support in place.
• Do not claim to have completed a task unless it is fully complete.
• Make sure you have considered all parts of the issue and remediated all.
• Update FCA on progress regularly. If you discover an issue which will impact the timeline inform them asap.
Final thought
It takes time.
Start your planning now
Hanish Arora, Director of CASS, KPMG
CASS Roles of the 2nd and 3rd lines of defence
January 2017
Document Classification: KPMG Confidential
© 2017 KPMG LLP, a UK limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
Three lines of defence
First Line of Defence (Management Controls): CASS processes and controls
Second Line of Defence (Control functions): Compliance, Risk
Third Line of Defence (Independent Assurance): Internal Audit
Accountability for regulatory compliance
Ongoing monitoring
A ‘hot topic’ for regulators
Not a new area of focus: Regulators have been highlighting inadequacies with firms’ approaches to the three lines of defence model for a number of years
A factor in enforcement actions: A number of enforcement cases have cited failings in Compliance and Internal Audit monitoring as contributing factors
Blurred lines: A concern that not all monitoring activity is truly independent
Developments in the CASS space
Section 166s: FCA has been commissioning a number of Skilled Persons Reviews over Governance arrangements and the roles of Compliance and Internal Audit
CASS operational oversight: SMFs and CF10as proactively considering what assurance they need to demonstrate effective oversight, and what needs to come from the 2nd and 3rd lines
CASS as a distinct area of risk: CASS-specific Risk, Compliance and Internal Audit teams and monitoring programmes are being established
FRC CASS Assurance Standard: The new Standard brings Compliance and Internal Audit into the scope of the CASS Audit
External assistance: Increased use of specialist advisors to help develop monitoring plans, and to develop and perform specific CASS reviews
2nd line expectations
— Split between monitoring and advice (independent and objective) – understand role
— Systematic and disciplined monitoring and periodic testing of CASS risks
— Compliance monitoring plan to specifically include CASS related elements in line with the firm’s evaluation of CASS risks
— Assessment of materiality of risk and breaches in terms of FCA notification of reportable events – recorded in dedicated CASS issues and breaches logs
— Timely root cause and trend analysis of breaches evidenced as part of the function’s activities in relevant registers, minutes, reports
— The Compliance team should have CASS technical knowledge and expertise to be able to conduct robust and independent CASS reviews
2nd line poor practice
• Monitoring plan does not clearly link to the firm’s CASS risk footprint
• ‘Light touch’ testing
• Blurred lines between monitoring and advisory
• Monitoring against internal procedures and not against compliance with the regulatory requirements
• No consideration of industry events or emerging thematic CASS risks
• Lack of specialist resources within the 2nd line
3rd line expectations
— Understand the roles and responsibilities of the independent Internal Audit function
— Conduct periodic independent CASS related reviews over the firm’s CASS arrangements forming part of the function’s annual monitoring plans
— Review plans are assessed on a risk basis, approved and reviewed on a periodic basis to capture new issues or risks
— Clarity regarding scope and approach to CASS IA reviews
— Timely follow up as part of IA review and assessment of sufficient evidencing of breaches in relevant CASS registers
— Members of the Internal Audit function should have the required CASS technical knowledge and expertise to be able to conduct robust and independent CASS reviews
3rd line poor practice
• Little, infrequent or no CASS related testing post PS 14/9 despite FCA and industry focus
• IA reviews lack robustness and focus
• Quality of outsourced reviews varies
• Inconsistent approach to evaluating proposed management actions
• Failure to follow up on management actions to ensure appropriate steps taken to close gaps
• Lack of specialist resource in 3rd line
• Smaller firms with no IA functions struggle to find CASS experts
• Inadequate or lack of any CASS training for the 3rd line
The information contained herein is of a general nature and is not intended to address the circumstances of
any particular individual or entity. Although we endeavour to provide accurate and timely information, there
can be no guarantee that such information is accurate as of the date it is received or that it will continue to be
accurate in the future. No one should act on such information without appropriate professional advice after a
thorough examination of the particular situation.
kpmg.com/uk
Thank You!
TISA
Dakota House
25 Falcon Court
Preston Farm Business Park
STOCKTON-ON-TEES
TS18 3TX
www.tisa.uk.com
01642 666999