cass seminar - tisa · cass seminar 24th january 2017 ... partner and paul leech, ... application...

@uktisa@uktisa

CASS Seminar24th January 2017

Deloitte LLP, New Street Square, London EC4A 3BZ

@uktisa@uktisa

Mike Williams, Partner - ChairDeloitte LLP

@uktisa@uktisa

Agenda

• Opening remarks by – Mike Williams, Partner, Deloitte LLP - Chair

• Mike Williams, Partner and Paul Leech, Director, Deloitte LLP ‘FRC CASS Assurance Standard’

• Ash Saluja, Partner and Alison McHaffie, Partner, CMS Cameron McKenna LLP ‘CASS Oversight – satisfying regulatory requirements and expectations’

• Jonathan Dark, Group CF10a, Smith & Williamson ‘CASS Resolution Pack – practical tips, lessons learnt’

• Nick Kinseley, Head of CASS, RBC Wealth ‘CASS Oversight in practice’

• Coffee Break

• Shaid Moughal, Head of CASS, Standard Life ‘Cleared Funds’

• Mike Sims, APS Finance Manager, Elevate part of Standard Life ‘Oversight and Governance – lessons from Aviva’

• Karen Bond, Director, Walbrook Partners ‘Gaps in meeting the new CASS Assurance Standards’

• Robert Forbes, Director of CASS, RBC Treasury & Investor Services ‘How to prepare for your next FCA visit’

• Hanish Arora, Director CASS, KPMG ‘The expectations of the second and third lines of defence’

• Closing remarks by Mike Williams, Chair

@uktisa@uktisa

Mike Williams, Partner &Paul Leech, Director

Deloitte LLP

24 January 2017

FRC Client Assets Standard

6

FRC Standard

Rules mapping, risk assessment and internal controls

7

Background of the FRC Client Assets Assurance Standard

Financial Reporting Council (‘FRC’) Standard “Providing Assurance on Client Assets to the Financial Conduct Authority” was published in November 2015 and it is applicable to CASS Auditors

The FRC Client Assets Assurance Standard replaces reporting under Bulletin 2011/2 and Bulletin 3

Bulletins provided auditors with guidance that was “persuasive” whereas the Standard is “prescriptive”, i.e. now a requirement rather than guidance

FRC Client Assets Assurance Standard effective for periods commencing on or after 1 January 2016

Scope of the FRC Client Assets Assurance Standard in relation to the CASS rules has not changed, i.e. still limited to compliance with the rules in CASS 3, 6, 7 and 8 (where applicable) for “during the period” and “as at the period end”

Where the firm outsources functions to a Third Party Administrator (“TPA”) the CASS auditor and the firm should explicitly set out the rights of access to the TPA in the engagement letter

The CASS auditor is required to adopt an insolvency mind-set, which places greater emphasis on evaluating whether the firm’s processes and controls are deemed adequate to ensure protection of client assets in the event of insolvency

Reporting under the FRC Client Assets Assurance Standard significantly raises the bar from previous reporting regime – particularly for reasonable assurance engagements where a firm holds client money and / or custody assets

Firms are expected to have in place from 1 January 2016 a CASS risk and control framework which includes CASS risk assessment, CASS rules and controls mapping for every applicable CASS rule, and clear roles and responsibilities for CASS in the three lines of defence framework.

8

Significant increase in scope

Key changes under the new FRC Standard

3. CASS Control Activities

1. Control Environment over CASS , i.e. Governance

2. CASS Risk Assessment

1st line Self Assessment

Compliance Monitoring

Internal Audit

4.

In

form

ati

on

an

d C

om

mu

nic

ati

on

‘Tone from the top’ and CASS risk appetite

Management information,

reporting and

escalation

Regulated Firm

Identification Segregation ReconciliationsBooks and Records

Third Party Administrators (if applicable)

6. Other matters to consider

CMAR

5. CASS Monitoring Activities

New products and services

Change management, IT and business

recovery

9

CASS Rules Mapping and Risk Assessment

Key changes under the new FRC Standard

Factors affecting

significance of the risk

Factors affecting likelihood of the risk occurring

Highly significant

Very likely

CASS Rules Applicability

CASS 3.x.x R No - rationale

CASS 7.x.x RYes -

interpretation

CASS 6.x.x R Yes

… …

CASS 7.x.x R Yes

CASS 8.x.x R Yes

Risk Description Inherent Risk

CASS Risk 1 H

CASS Risk 2 L

CASS Risk 3 L

CASS Risk 4 M

… M

CASS Risk 999 M

Actions taken

by firm

Residual

Risk

E.g. Mitigate with

Control 1M

E.g. Mitigate with

Control 2M

E.g. Accept Risk

(unlikely action)M

E.g. Mitigate with

Control 3L

One-to-one, one-to-many or many-to-one

relationships

Risk 1Risk 1

Risk

999

Risk

999

One-to-one, one-to-many or many-to-one

relationships

Risk 3

Firm’s risk assessment should consider each relevant CASS rule that applies to the firm, i.e. rule by rule applicability matrix

CASS auditor to evaluate firm’s process for identifying risks relevant to compliance with CASS, evaluating significance of the risk, likelihood of their occurrence, and actions to address those risks.

CASS auditor to raise an observation if it identifies a risk that management has failed to identify.

10

Internal controls

Background and context – COSO 2013

• The COSO 2013 Framework provides a formal structure for the design and evaluation of the effectiveness of internal control

• It categorizes controls into five components, and each component is addressed by a variety of principles and points of focus

Five components of internal controls (based on the COSO 2013 framework)

Control

Environment

Risk

Assessment

Control

Activities

Information

&

Communication

Monitoring

Activities

Indirect controls

Direct controls

Indirect controls

© 2016 Deloitte LLP. All rights reserved.

11

Control design

Key design factors (1)

Appropriateness of the purpose of the control:

Appropriateness of the control considering the nature and significance of the risk:

Competence and authority of control performer:

• Explicitly demonstrate how the control addresses the identified risks

• Ensure all risks the control is mapped to are addressed

• Preventative vs detective – to address timeliness of the control, e.g. immediate segregation of client money

• For more significant risks, identify and implement a mix of controls, including process level controls over the transaction flows

• The greater the inherent risk, the more precise the controls are expected to be

• Ensure the experience is appropriate in the control area

Frequency and consistency with whichthe control is performed:

Level of aggregation and predictability:

• Consider the required frequency of the control based on the risk

• Is the control timely to prevent or detect an error, e.g. 10 day allocation rule and reconciliation frequency?

• Assess whether the aggregation is sufficiently direct and precise to address the risk


12

Control design

Key design factors (2)

Criteria for investigation/ process for follow-up:

• Investigation is a key part of the control; ensure the reviewer can identify matters for further follow-up and magnitude of such items

• Ensure timeliness of their investigation and follow-up

• If thresholds should be applied, make these explicit where possible

Dependency on other controls or information:

• Understand if the control is dependent on other controls including effective GITC’s or information (data or reports)


13

Disclaimer

This publication has been written in general terms and therefore cannot be relied on to cover specific situations; application of the principles set out will depend upon the particular circumstances involved and we recommend that you obtain professional advice before acting or refraining from acting on any of the contents of this publication. Deloitte LLP would be pleased to advise readers on how to apply the principles set out in this publication to their specific circumstances. Deloitte LLP accepts no duty of care or liability for any loss occasioned to any person acting or refraining from action as a result of any material in this publication.

CASS Contacts


Mike WilliamsPartner

Tel:+44 (0) 207 303 5407

Mobile: +44 (0) 7785 528831

Email: [email protected]

Dennis ChengDirector

Tel:+44 (0) 207 303 6970

Mobile: +44 (0) 77 8797 4225


Paul LeechDirector

Tel:+44 (0) 207 303 5398

Mobile: +44 (0) 7770 867712


Anna DawsonAssociate Director

Tel:+44 (0) 113 292 1688

Mobile: +44 (0) 7887 628699


Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.co.uk/about for a detailed description of the legal structure of DTTL and its member firms.

Deloitte LLP is the United Kingdom member firm of DTTL.

This publication has been written in general terms and therefore cannot be relied on to cover specific situations; application of the principles set out will depend upon the particular circumstances involved and we recommend that you obtain professional advice before acting or refraining from acting on any of the contents of this publication. Deloitte LLP would be pleased to advise readers on how to apply the principles set out in this publication to their specific circumstances. Deloitte LLP accepts no duty of care or liability for any loss occasioned to any person acting or refraining from action as a result of any material in this publication.


Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675 and its registered office at 2 New Street Square, London EC4A 3BZ, United Kingdom. Tel: +44 (0) 20 7936 3000 Fax: +44 (0) 20 7583 1198.

http://www.deloitte.co.uk/about

@uktisa@uktisa

Ash Saluja, Partner and Alison McHaffie, Partner

CMS Cameron McKenna LLP

CASS Oversight:

Satisfying regulatory requirements and expectations

Ash Saluja, Partner and Alison McHaffie, Partner

CMS London

24 January 2017

Looking at ………….

The legal and regulatory responsibilities

The FCA focus

What to do if you identify a CASS breach

When enforcement takes action and lessons to be learned

17

CF 10A

CASS auditor

Outsource service provider

Board

Where responsibility can exist

18

SUP 10A.7.9 - Dynamic responsibility?

Oversight of the operational effectiveness of the firm's systems and

controls that are designed to achieve compliance with CASS

Reporting to the firm's governing body

Completing and submitting CMAR

CASS operational oversight function (CF10A)

19

Distinction between consultancy and audit roles

If auditor finds a problem - immediate breach

If auditor finds nothing - no comfort

CASS Auditor

20

CMAR

CASS Resolution Pack

Board reports

CASS audit reports

Trust letters

Checkpoints

21

Choice of outsourcing provider

Terms of agreement, SLAs etc

Adequate monitoring

Adequate access

Outsourcing CASS responsibility

22

SYSC 4.1.1 - A firm must have robust governance arrangements,

which include … internal control mechanisms, including sound

administrative and accounting procedures ….

SYSC 4.1.10 - A common platform firm must monitor and, on a regular

basis, evaluate the adequacy and effectiveness of its systems,

internal control mechanisms and arrangements established in

accordance with SYSC 4.1.4 R to SYSC 4.1.9 R and take appropriate

measures to address any deficiencies.

Responsibility of the Board

23

Held separately on trust

Duty to return assets to client

Duty to account for income

Duty to monitor third party custodians

Legal responsibility for client assets

24

Held on statutory trust

Trust letters

Duty of diversification

Prudent segregation

Legal responsibility for client money

25

The FCA focus

“We will continue to ensure firms have appropriate mechanisms to protect client

assets to ensure consumers are protected in the event of failure.”

FCA Business Plan 2016/17

FCA continues to focus on this area:

• Increasing the supervision of firms holding client money and safe custody of assets through

more intrusive visits to firms, thematic projects and desk-based reviews, actions initiated

through CMAR /audit information and taking regulatory action where firm failings are

identified.

• Increasing use of attestations

• S166 skilled person reports (14 over last 18 months – about 20% of all s166)

• 3 of 8 enforcement actions against firms in 2016

FCA expects firms and senior management to learn lessons from enforcement action

• 'We have issued repeated warnings to the industry on the importance of complying with

client money rules which are designed to ensure that client money is adequately protected in

the event of a firm failing. There can be no excuses given these warnings and the stakes

involved” “Senior management are ultimately responsible for ensuring that firms are

following our rules”

Mark Steward, Director of Enforcement and Market Oversight at the FCA July 2016

26

27

What if you identify a breach of CASS?

Identify:

• What has gone wrong?

• How significant is it?

• Length/frequency of breach?

• Evidence of any weaknesses in controls?

• Is remedial action required?

Notify FCA depending on significance/ materiality of breach

• Principle 11 – anything which the regulator might reasonably expect notice

• SUP 15.3.11R – significant breach of rule

• CASS specific notification rules – “without delay”... if unable or materially fails to

comply with various CASS requirements (see CASS 6.6.57 & 7.15.33 etc)

Ensure self reporting is prompt, clear and provides assurance that management is in

control and appropriate remedial action is being taken

Consequences of failure

28

What goes wrong

Triggers for investigation & enforcement action:

• Actual loss for clients

• Risk of loss to clients and risk of set off by banks

• Risk of delay in return of money

• Failure to heed warnings – “firms….should ensure they continue to strengthen

their management, oversight and controls in this area”

• Lengthy breaches

• Systemic importance of firm

• Failure to identify, notify & false attestations

• Governance or cultural failings

• Previous fines

Breaches of:

• Principle 10 (adequate protection for clients’ assets) & Principle 3 (systems &

controls)

• CASS rules

• Statements of Principle for Approved Persons (APER or COCON) for individuals

29

What has gone wrong?

Failure to:

• Segregate and comingling with firm’s own funds

• Carry out sufficient due diligence on institutions holding monies

• Recognise firm is “holding” client money

• Obtain trust letters

• Perform client money calculations and reconciliations accurately and promptly

• Inadequate records to distinguish one client’s money from another

• Manage acquisitions and re-organisations weakening CASS oversight

• Use appropriate naming conventions to make it clear it was client money

• Cover shortfalls and notify FCA

• Have adequate oversight and controls over TPAs

• Oversee, monitor and obtain adequate MI

• Train relevant staff

• Carry out sufficient enquiries before providing affirmations to FCA

30

Penalties

FCA has discretion to increase or decrease in 5 step framework and can decide

that average balance of client money/assets is not an appropriate indicator.

Higher fines

Risk of individual action against senior management where there is personal

responsibility for failings (see Philip July 2016)

Most cases settle - 30% discount

Level of seriousness

Percentage – Client Money

Percentage – Safe custody assets

Level 1 0 0 Level 2 1 0.2 Level 3 2 0.4 Level 4 3 0.6 Level 5 4 0.8

31

How to handle a CASS investigation

Some practical points………

Seeking to avoid an enforcement referral

• Robust systems and controls kept under review

• Prompt and effective notification of any breaches

• Accurate attestations

• Firm identifies and carries out remedial action on own initiative

• No risk of loss or delay

• Good and constructive relationship with supervisors

Managing an investigation effectively

• Prompt and well ordered response to requests for information and well prepared

interviewees

• Put issues in context and show actions were reasonable

• Seek to understand FCA’s concerns and address them early in the process

• Demonstrate lack of risk to client assets – consider expert IP evidence

• Show lessons learned and acted on by firm

• Settle where appropriate

CMS Legal Services EEIG (CMS EEIG) is a European Economic Interest Grouping that coordinates an organisation of independent law firms. CMS EEIG provides no client services. Such services are solely provided by

CMS EEIG’s member firms in their respective jurisdictions. CMS EEIG and each of its member firms are separate and legally distinct entities, and no such entity has any authority to bind any other. CMS EEIG and each

member firm are liable only for their own acts or omissions and not those of each other. The brand name “CMS” and the term “f irm” are used to refer to some or all of the member firms or their offices.

CMS locations:

Aberdeen, Algiers, Amsterdam, Antwerp, Barcelona, Beijing, Belgrade, Berlin, Bratislava, Bristol, Brussels, Bucharest, Budapest, Casablanca, Cologne, Dubai, Duesseldorf, Edinburgh, Frankfurt, Geneva, Glasgow,

Hamburg, Istanbul, Kyiv, Leipzig, Lisbon, Ljubljana, London, Luxembourg, Lyon, Madrid, Mexico City, Milan, Moscow, Munich, Muscat, Paris, Prague, Rio de Janeiro, Rome, Sarajevo, Seville, Shanghai, Sofia, Strasbourg,

Stuttgart, Tirana, Utrecht, Vienna, Warsaw, Zagreb and Zurich.

www.cmslegal.com

32

@uktisa@uktisa

Jonathan Dark, Group CF10aSmith & Williamson

CASS Resolution Pack –Hints, tips & lessons learnt

Jonathan Dark – Group CF10a

October 2016

35TISA CASS Conference

Table of contentsPage

1 Smith & Williamson Group Overview 3

2 Introduction to CASS 10 ‘CASS Resolution Pack’ 4

3 CASS 10.1 – Application and purpose 5

4 CASS 10.2 – Core content requirements 6

5 CASS 10.3 – Existing records which form part of the CASS RP 7

6 CASS Resolution Pack internal policy 8

7 Oversight, governance and review 9

8 Annual, monthly & weekly testing – common issues 10

9 Insolvency Practitioner Master document 11

10 CASS 10 key requirement considerations 14


Independently owned multi-disciplinary professional and financial services group;

Combines an accountancy firm* with investment management and private banking

house;

The group includes: private bank, custodian, in-house broker and in-house ACD;

Around £16.5bn of funds under management and advice;

Offices in Belfast, Birmingham, Bristol, Cheltenham, Dublin, Glasgow, Guildford,

Jersey, London, Manchester, Salisbury and Southampton; and

Around 1,600 people in 13 offices in the UK, Republic of Ireland and Jersey of which

over 170 are qualified investment managers.

*Top 10 largest firm of accountants in UK according to the Accountancy Age league table, 2015

Smith & Williamson Group Overview


The CASS Resolution Pack was introduced in 2012 in

light of the Lehman Brothers and MF Global

insolvencies.

The CASS Resolution pack is designed to facilitate the

timely distribution of client assets in the event of an

insolvency.

CASS 10.1.2G states: ‘The purpose of the CASS

resolution pack is to ensure that a firm maintains and

is able to retrieve information that would, in the

event of its insolvency, assist an insolvency

practitioner in achieving a timely return of client

money and safe custody assets held by the firm to that

firm's clients.

CASS 10 applies to all firms who have to comply with

CASS 6 ‘custody assets’ and/ or CASS 7 ‘client money’,

regardless of size.

CASS 10 remains a key area of focus for the FCA and

failings continue to be highlighted as evidenced by the

Aviva fine.

CASS 10 is split into three sections:

Application, purpose – 10.1

Core content requirements – 10.2

Existing records forming part of the CASS

Resolution pack – 10.3

Introduction to CASS 10 ‘CASS Resolution Pack’


The key elements of CASS 10.1 – Application purpose:

CASS 10.1.7R: adequate arrangements to retrieve

information within 48hrs;and

CASS 10.1.8R: adequate arrangements with group

companies.

CASS 10.1.9E(1) the following should be retrievable

immediately:

• (a) a document identifying the institutions that hold

client money/ assets;

• (d) & (e) internal and external custody asset

reconciliations; and

• (f) & (g) internal and external client money

reconciliations.

CASS 10.1.9E(2): continued operation of

systems to maintain a CASS resolution

pack in the event of insolvency;

CASS 10.1.11R: ensure the CASS RPs are

reviewed periodically and material

changes made within 5 business days;

and

CASS 10.1.14R: CF10a must report at

least annually to the governing body in

respect of compliance with CASS 10.

CASS 10.1: Application & purpose


The key elements of CASS 10.2 are:

CASS 10.2.1R: a CASS RP must included:

– Master document to enable an IP to

retrieve all of the information;

– A document outlining the institutions and

account numbers where client money &

assets have been placed;

– A document outlining each Senior Manager

& Director critical to the operation of CASS

controls; and

– Identify the CF10a.

CASS 10.2.1R:

– Executed agreements with third party

institutions;

– Procedures for management, recording and

transfer of client money & assets.

CASS 10.2.3R: name, postal address, email

and telephone number of each institution

appointed to hold client money & assets.

CASS 10.2 – Core content requirements


CASS 10.1.3R states the CASS RP should included:

(1) CASS 6.3.2A R: custody asset due diligence reviews;

(2) CASS 6.4.3 R: where firms use custody assets;

(3) CASS 6.6.2 R and CASS 6.6.3R: custody assets held

for each client;

(4) CASS 6.6.6 R: client agreements regarding a firm’s

right to use;

(4A) CASS 6.6.8 R: internal and external custody asset

reconciliations;

(5A) SYSC 6.1.1 R: policy and procedures for carrying

out record checks and reconciliations;

(6) CASS 7.13.25 R: client money due diligence

reviews;

(7) CASS 7.15.2 R, CASS 7.15.3 R and CASS 7.15.5 R:

client money held for each client;

(7A) CASS 7.15.7 R: internal and external client money

reconciliations;

(10) COBS 3.8.2 R (2)(a) and COBS 3.8.2 R (2)(c): client

categorisation; and

(11) COBS 8.1.4 R: retail and professional client

agreements.

CASS 10.3 – Existing records which form part of the CASS RP


S&W have an internal policy which explains how we comply with CASS 10. The policy is

reviewed annually by our CASS Oversight Committee and includes:

Location, structure and format;

Access & retrieval plans - explanation on how information would be obtained within

the required timeframes (immediately or within 48hrs);

External advisors – explanation that information will be made available to third

parties appointed by the Insolvency Practitioner;

Accuracy & completeness of information – an explanation on how we ensure the

accuracy and completeness of the information within the RP e.g. weekly, monthly and

annual attestations/ reviews;

Ownership – outlines who has been delegated responsibility on a day to day basis to

ensure the CASS RPS are up to date;

Material changes – defines what the firm classifies as a material change; and

FCA notifications – explains when the firm would notify the FCA.

CASS Resolution Pack internal policy


It is key to ensure the firm has strong oversight,

governance and review process regarding the CASS RP.

This could include:

An annual review of the internal CASS RP policy by

the CASS Oversight Committee (“CASSOC”); and

Annual reviews of the CASS RPs by CASS

department/ specialist with findings reported to

your CASSOC, senior management committee(s) and

respective governing bodies.

A 2nd line of defence review by Compliance may also

be considered.

To ensure the CASS RPs remain accurate and up to date

consider the following controls:

Monthly testing of hyperlinks by CASS RP owners.

Attestations that the hyperlinks all work and the

information is complete/ accurate; and

Weekly attestations from CASS RP owners that

there are no changes required.

Oversight, governance and review


The common issues which typically arise are from the weekly, monthly or annual

reviews:

• Hyperlinks, hyperlinks, hyperlinks…;

• Structure and format inconsistencies across regulated entities;

• Out of date file paths;

• Out of date information e.g. new bank accounts/ custody depots etc. not

communicated to CASS RP owners;

• Staff changes not communicated to CASS RP owners;

• Failures in attestation process due to annual leave or absence;

• CASS rule reference errors (PS14/9 changes); and

• Proactive management of weekly and monthly attestation process.

Periodic training is key for CASS RP owners and individuals responsible for key

documents to ensure a robust attestation process.

Annual, monthly & weekly testing -Common Issues


As required under CASS 10.2.1R(1) firms are required to have a master

document sufficient to retrieve each document within the CASS RP. We have an

‘Insolvency Practitioner Guide’ which includes the following information:

• Location and intranet page of the CASS RPs;

• IP login details and password request process to S&W network (super user

access);

• IP email address (Insolvency.Practitioner@smith.....);

• IP phone number and internal extension;

• Instructions on how to access the specific pages on our intranet; and

• CASS RP owners.

The policy is reviewed annually by our CASS Oversight Committee.

Insolvency Practitioner Master Document

mailto:Insolvency.Practitioner@smith


We have also reviewed each process flow and procedure manual to identify the

IT systems used in maintaining our CASS RP and the management, recording and

transfer of custody assets and client money.

This is primarily to ensure:

The IP has access to or can obtain access to these core systems promptly

(Excel/ internet explorer/ platforms/ sub custodian records etc.);

Outlines where applications can be found (desktop/ request from IT); and

Explains how and where login and passwords can be obtained (IT/ system

provider/ employee).

The process of drafting this document provided assurance that an IP could

retrieve all information within the required timeframes and has the necessary

IT access.

Insolvency Practitioner Master Document (cont.)


We have created an IP user who can log into and have access to our IT system.

This required the following:

IT create a ‘Global User’ with group wide access;

Understanding of the firm’s structure, format and restrictions over IT drives

to ensure the IP has group wide access, ‘Global User’;

Global User authorisation process may need to be introduce, agreed upon

and approved by governing body/ CASS Oversight Committee;

Confirm Global User works by testing the ability to open all file paths

embedded within the CASS RP; and

Confirm and test using the procedure guides embedded to retrieve

information on custody assets and client money both from internal systems

& all external third party systems e.g. CREST.

We identified that an IP would need an email and phone extension in order to

work effectively. Recommend firm’s simulate being an IP once setup up

(periodically thereafter).

Insolvency Practitioner Master Document (cont.)


Firms may want to consider the following:

CASS 10.2.1R(9): Procedures to transfer client

money – do they contain website addresses, login

details, instructions on how to obtain passwords for

each third party bank;

CASS 10.2.1R(8)(b) – As above but for all sub-

custodian(s) ;

CASS 10.1.8R – Internal agreements to provide

information e.g. separate legal entities (Front

Office);

CASS 10.1.9E(2) – Novating contracts for key IT

systems to separate non-trading group service

company to ensure the services continue in the

event of insolvency;

Executed agreements with third party banks –

standard terms & conditions may be contained on

the banks website; and

CASS 10.3.1R(11) – Location and access to retail

client agreements (paper/ electronic/ storage).

CASS 10 – key requirements considerations

@uktisa@uktisa

Nick Kinseley, Head of CASSRBC Wealth Management

Nick Kinseley, Head of CASS

CASS Oversight in Practice

50

Objectives

• Background

• Assumptions

• Understanding the TA Process

• BAU Monitoring

• CASS Training

• Governance

• Long Term Oversight

26 January 2017 Legal entity / line of business | Presentation Title

51

Background

• The firm employing outsourced provider retains the regulatory responsibility

• Major focus of the FCA

• Inclusive of TPAs, offshore processing and internal outsourcing

• Aviva Fine

• Failure to monitor outsourced services

• Tone used in the text of final report

• Aviva failed to act on previous external audit findings

Wake up call for the industry


52

Assumptions

• Due diligence completed

• Contracts in place

• SLAs in place

• Sufficient CASS knowledge within firm

• Key individuals identified


53

Understanding the Outsourced Process

• Regular reviews of the procedures

• Understanding of the business model

• Review of documentation relating to cash and asset flows

• Record Keeping

• NNA or ICBM?

• ISEM or Internal Custody Reconciliation?

• RP process?

• CMAR support?

• Internal policy statements to support the above?


54

BAU Monitoring and Oversight

• Daily cash reconciliation reviews, including breaks

• Asset reconciliation reviews, including breaks

• Daily breach reviews, including root cause analysis

• Reviews of key cashflows i.e. shortfalls

• Diversification process

The regulated firm must create a formal oversight process to evidence all checks made


55

CASS Training

• What CASS training does your outsourced provider have in place?

• Is it sufficiently comprehensive?

• What staff members does it cover?

• What is the process to identify staff and track the progress of training?

• How are results of assessments monitored?

• Is it tailored to the roles and responsibilities of staff?

• Does it provide continuous improvement and knowledge sharing?

• Does your outsourced provider attend industry forums?


56

Governance

• What governance structure is in place?

• Where does CASS fit into the overall structure of the organisation?

• Does CASS receive sufficient focus at all levels?

• What is the culture like?

• Is there an independent CASS Committee?

• What is the governance process around changes to processes and systems?

• Are attestations used within the organisation?


57

Longer Term Oversight

• Regular SLA reviews including CASS

• Annual due diligence

• RP tests

• One off deep dives

• Compliance/audit reviews within outsourced provider


® / ™ Trademark(s) of Royal Bank of Canada. Used under licence.

58

Thank you


@uktisa@uktisa

Shaid Moughal, Head of CASSStandard Life

Cleared Funds

TISA CASS SeminarOctober 2016

Shaid Moughal Head of CASS

Agenda

• Cleared Funds

• Shortfalls

• Prudent Segregation

• Prefunding

• Governance

• Questions

61

Cleared Funds

‣ A key principle of CASS is that client money is held according to the statutory trust requirements (CASS 7.17).

‣ This section creates a fiduciary relationship between the firm and its client under which client money is the legal ownership of the firm and but remains in the beneficial ownership of the client

‣ However, a firm is not permitted, in its capacity as trustee, to allow one client’s money to fund another client’s transactions.

“Peter’s money should not be used to fund Paul’s transactions”

‣ 7.17.5 G: The statutory trust under CASS 7.17.2R does not permit a firm, in its capacity as trustee, to use client money to advance credit to the firm's clients, itself, or any other person. For example, if a firm wishes to undertake a transaction for a client in advance of receiving client money from that client to fund that transaction, it should not advance credit to that client or itself using other clients’ client money (i.e., it should not ‘pre-fund’ the transaction using other clients’ client money).

62

Cleared Funds

The PS14/9 feedback stated that a firm should not rely upon its internal

reconciliation to determine whether or how much client money it should

segregate.

Instead, the internal reconciliation should be used as an internal control to verify

that the amount of client money segregated meets the firm’s obligations to clients.

The FCA had “clarified” the requirement to address shortfalls that arise the day

before reconciliation is performed....

“CASS 7.12.3 G: The risk of loss or diminution of rights in connection with client

money can arise where a firm’s organisational arrangements give rise to the

possibility that client money held by the firm may be paid for the account of a

client whose money is yet to be received by the firm. Consistent with the

requirement to hold client money as trustee (see CASS 7.17.5G), a firm should

ensure its organisational arrangements are adequate to minimise such a risk.”

63

ShortfallsHow could a shortfall arise?

‣ A risk of shortfall can arise through many different scenarios depending :

‣ Where contractual settlement exists on the client side but not on the market side

‣ Transaction settlement shortfall

‣ Intra-day exposure between the receipt and payment of client money

‣ Switches, e.g. T+4 funds to T+1 funds

‣ Work conducted on non-business days that results in a difference in the sequence of receipts and payments

‣ Timing of the removal of fees and account charges

‣ Bounced cheques and rejected direct debit receipts

‣ BACS payments which leave the account before expected receipts arrive

‣ Internal systems failures

‣ Banking systems failures

64

ShortfallsWhat do you need to understand about shortfalls?

‣ Identify the contractual obligations of the firm

‣ Understand and document the transaction flows, particularly the timing of money movements

‣ Identify whether shortfalls could or could not arise (document the scenarios)

‣ Determine any mitigations (which may be funding but could be others)

‣ Consider financial resources available to provide funding

‣ Establish and document the processes required

‣ Review with business areas, 2nd and 3rd lines of defence, (auditors, etc.)

‣ Monitor actual money movements and test whether shortfalls arise?

‣ Document a policy towards shortfalls and funding

65

ShortfallsHow can shortfalls be managed?

‣ Change processes

‣ Changing T&Cs and/or processes and systems to avoid the risk of a shortfall arising

‣ Not funding

‣ Establish why shortfalls will not arise & justify the rationale for not funding

‣ Prudent Segregation

‣ For exposures when the amounts and/or the timing of the exposures

cannot be calculated precisely.

‣ Prefunding

‣ For exposures where an event has been identified that will cause a

quantifiable shortfall.

66

Prudent Segregation

‣ “Prudent Segregation” in the context of CASS relates to the activity in which a regulated investment firm for Client Money is permitted and decides it is prudent to treat its own money as client money and then segregates that money in a client bank account.

‣ CASS 7.13.41R to 7.13.53R

‣ For firms that operate the alternative approach this is mandatory where they are required to hold a “Mandatory Prudent Segregation Amount”.

67

Prudent SegregationWhat do the rules say?

‣ CASS 7.13.41R – if prudent to do so to prevent a shortfall in client money on the occurrence of a primary pooling event, a firm may pay money of its own into a client bank account and subsequently retain that money in the client bank account (prudent segregation). Moneythat the firm retains in a client bank account under this rule is client money for purposes of the client money rules and the client money distribution rules.

‣ CASS 7.13.48R – to the extent that the firm no longer considers it prudent to retain moneyin its client bank account pursuant to CASS 7.13.41R in order to ensure that client money is protected, the firm may cease to treat that money as client money.

‣ CASS 7.13.49R – any money that the firm ceases to treat as client money pursuant to CASS 7.13.48R must be withdrawn from its client bank account as an excess…as part of its next [internal client money reconciliation].

‣ Funding should NOT to be used as a fix for inadequate systems or controls or bad recordkeeping

68

Prudent SegregationDocumentation

‣ Prudent Segregation Policy & Record

‣ The policy must be approved by the firm’s governing body and retained for at least five years after the date it ceases to retain such money as a prudent segregation amount

‣ A Prudent Segregation Record must be up to date and must include specific details on the amount of prudent segregation calculated and the changes to that amount

‣ What should be documented in the policy?

‣ The specific anticipated risks that would be prudent for the firm to protect

‣ Why the firm considers the use of such a payment is reasonable for the firm

‣ The method the firm will use to calculate the amount of money required

‣ Prefunding Policy

‣ Similarly to Prudent Segregation a policy document relating to the firm’s prefunding approach should documented as a best practice.

‣ It should cover the same components captured in a Prudent Segregation policy.

69

‣ Prudent Segregation Record must contain

‣ Outcome of the firm’s calculation of its prudent segregation

‣ The amounts paid into or withdrawn from a client bank account under the prudent segregation rules

‣ Why each payment was made

‣ Whether each payment was made in accordance with the policy

‣ Whether the policy was created or amended for this specific payment

‣ That the money was paid in accordance with the prudent segregation rule

‣ The up-to-date total amount of client money held pursuant to the prudent segregation rules

‣ All records must be held for 5 years

‣ Firms are reminded that payments and records made in accordance with the above should not be a substitute for firms keeping accurate and timely records under their other CASS and SYSC obligations.

Prudent SegregationWhat should be documented?

70

Prefunding

‣ Firms may chose to prefund, i.e. put firm money into client money accounts to fund shortfalls that will occur during the course of settlement activity

‣ They may consider to prefund and use prudent segregation along with the other measures to mitigate the risk of a shortfall on the client bank account

‣ When can a firm Prefund?

‣ If the information is available to do so it may be preferable to prefund any payments related to unfunded transactions

‣ This may be when shortfalls arise on an intraday basis and can be prefunded for a short period of time until the expected proceeds are received.

‣ It could be used for covering shortfalls that are easier to calculate and may be predictable such as expected settlement proceeds or BACS payments

‣ It may be more difficult to use prefunding to cover an unexpected scenarios such transaction failures; bounced cheques, failed direct debits.

71

Organisational Requirements

‣ CASS 7.12.1R to 7.12.3G

‣ Firms must ensure that they have adequate organisational arrangements in place to minimise the risks to client money

‣ Firms must understand the risks to the business and client money operations and put in measures to minimise those risks

‣ Document the risks, the measures available to mitigate and the decisions taken in response along with the reasons

‣ Check that all funding requirements are in line with the risks documented in the policy papers. Consider making changes to the policy to incorporate any new risks.

‣ Track and monitor the funding requirement and add it to your MI pack that is reviewed by the firm’s CASS committee.

‣ Make it easy for auditors to follow and understand your prefunding processes.

‣ Share your approach with your 3rd party providers who support that part of your business. Review their performance in this process.

Governance

72

Questions

Shaid Moughal – Head of CASSStandard Life plcTel: 0131 245 [email protected]

73

@uktisa@uktisa

Mike Sims, APS Finance ManagerElevate part of Standard Life

Aviva FCA Fine Overview

24/01/2017

Oversight and Governance – lessons from Aviva Fine

1. Overview of key findings from the FCA Final Notice

2. What have my Firm done on the back of this?

3. Summary

4. Questions

AVIVA CASS FINE

5th October 2016 – In relation to 2 legal entities

Original fine £11.8m

30% Discount for settling at an early stage

Fine Paid £8.2m

WHAT WERE THE REASONS FOR THE FINE?

Principle 3 (management

& Control)

Principle 10 (Client Assets)

CASS RulesChapter 8

(outsourcing) of SYSC

Failings – Principle 3

Oversight

• Failed to implement and maintain adequate policies and procedures to detect and manage the high level of client money and custody assets risks which arose from the Firms’ outsourcing their CASS functions.

• In particular, the Firms failed to carry out adequate and formal compliance oversight and review exercises of both the performance of the TPAs, and the quality of the MI provided by the TPAs, in relation to outsourced CASS functions

Resource & Expertise

• Failed to dedicate sufficient resource and technical expertise to enable them to implement effective CASS oversight arrangements;

Prioritisation

• Failed to prioritise sufficiently CASS compliance, resulting in inadequate oversight of the outsourced CASS functions and the delayed detection and rectification of CASS risks and compliance issues.

Failings Principle 10

Client Money Rec

• failed to identify and promptly rectify issues within their internal client money reconciliation process resulting in the Firms’ under-segregation of client money

• mislabelled transactions within the Firms’ client money calculations (CASS 7.6.2R and CASS 7.15.3R);

CMAR & CASS RP

• failed to submit accurate CMARs

• held inadequate CASS RPs

Segregation & Supervision

• failed to ensure the adequate and accurate segregation of client money

• the Firms failed to retain the necessary expertise to supervise the outsourced functions effectively and to manage the risks associated with the outsourcing (SYSC 8.1.6R and SYSC 8.1.8(5)R)

Background

2012 audit failures –organisational

arrangements£111.69 distnwas rec’d for an asset not

on firms system

2013 audit issues with internal client money rec and concerns over asset records outsourced to a

TPA.

2013 audit – 4 instances of non-compliance with CASS 6.5.10R identified, involving

assets with approxaggregate. value of £1K,

after firm confirmed improved processes

FCA visit in Feb 2015, identified same and similar CASS complaince issues to those identified by external auditors.FCA also noted

their Non Standard Method of internal reconciliation not

appropriate although auditors had signed it off in

2015

Aug 2015 – Based on the gravity of the firms failures to comply with the CASS

rules the FCA required the Firms to appoint a Skilled

Person to conduct an independent review (S166)

Jan 2016 Skilled Persons Report confirmed issues

identified during the CASS visit and expanded on the issues previously identified

by the Firms’ external CASS audit reports

FCA Visit Findings

• In February 2015, the Authority’s CASS Department visited the Firms. During the visit the

Authority identified the same and similar CASS compliance issues to those identified by the

external auditors. These issues were confirmed to the Firms in a letter of 10 August 2015,

which included the following concerns:

(1) serious deficiencies in the Firms’ governance and oversight of CASS functions;

(2) the Firms’ lack of individuals with combined CASS and financial experience;

(3) a convoluted committee structure which, in particular, lacked any dedicated committee

for overseeing the Firms’ outsourced CASS functions;

(4) a lack of CASS specific compliance monitoring reports, particularly given the breadth of

the rule changes following Policy Statement 14/9 and the Firms’ compliance history based

on earlier external CASS audit reports

(5) mislabelling of transactions within the client money calculation, prompting wider

concerns regarding the Firms’ failure to maintain accurate records and accounts and

inadequate organisational arrangements; and

(6) inaccuracies with the Firms’ CMAR submissions given that the Firms had made

disclosures which were inconsistent with SUP 16.14.3.R.

Skilled Persons Finding

• In August 2015, the Authority required the Firms to provide a Skilled Person’s report under section 166 of

the Act. On 29 January 2016, the Skilled Person issued its report, which confirmed issues identified

during the CASS Visit and expanded on the issues previously identified by the Firms’ external CASS

audit reports. The findings included:

a) deficiencies with the Firms’ reconciliation processes resulting in the over-and under-segregation of

client money with the Firms’ under-segregation having peaked at approximately £74.4m during the period

from 10 February 2014 to 9 February 2015;

b) inadequate first (business) and second (compliance) lines of defence in relation to the Firms’

submission of inaccurate CMARs;

c) inaccuracies/failings with the Firms’ CASS RPs in breach of CASS 10.1.3R;

d) the inadequacy of the management information (“MI”) provided to senior management in relation to

CASS breaches, particularly in relation to the Firms’ outsourcing of CASS functions to TPAs; and

e) concerning the Firms’ use of a non-standard client money calculation, the Skilled Person confirmed

that the Firms’ method of internal client money reconciliation did not provide the degree of protection

provided by the standard method as set out in CASS 7 Annex 1 G. ((CASS 7.15.18R and 7.6.8R) and

Annex 1G).

Inadequate organisational arrangements to ensure effective

oversight of outsourced CASS functions

• Outsourcing arrangements are common in the asset management industry in relation to

purchases and sales of investment fund interests for clients. TPAs typically perform back

office activities such as cash and transaction processing, settlement, record keeping,

reconciliations and similar CASS compliance functions.

• In such circumstances, since a firm is one step removed from CASS operations as a result

of its outsourcing arrangements with a TPA, a heightened CASS compliance risk may arise.

A firm is therefore required to ensure that it has robust controls and oversight systems in

place to monitor and identify any issues arising with the TPA’s performance of the CASS

functions for which the firm remains fully responsible.

• This also requires that a firm outsourcing CASS functions ensures that it has adequate

CASS skills, expertise and resources to carry out effective oversight of the TPA.

Inadequate Reconciliation Processes

• During the Relevant Period, the Firms operated a non-standard internal client money reconciliation

method. However, during the CASS Visit, a number of issues with the Firms’ internal reconciliation

process were identified which had resulted in the under- and over-segregation of client money.

• Client money relating to trade purchases was removed from clients’ accounts before trades settled. The

Firms also failed to set aside funding for returned cheques in the reconciliation process which meant that

purchases could potentially be funded using other clients’ money. During the Relevant Period, these

failings in the Firms’ internal reconciliation processes resulted in under-segregation of client money in

amounts ranging from £0.4m to £74.4m during the period from 10 February 2014 to 9 February 2015.

• There were also a number of weaknesses in the design of the Firms’ oversight of their reconciliation

processes. For example, the spread sheets which the Firms used to record data in the daily and weekly

reconciliation checks did not provide any guidance or parameters to ensure the consistency of checks

conducted. There was also no record of who was scheduled to conduct the daily and weekly checks and

whether those checks had been conducted and if so, by whom.

• Lack of consistency in the checking approach are indicative of the inadequate resourcing in relation to

the reconciliation process

Client Money and Assets Return

• During the Relevant Period, the Firms lacked a formal system or adequate guidance in

relation to the CMAR process and controls, including in respect of the requirement for the

submission of a monthly CMAR. The Firms’ CMAR procedures did not identify who was

responsible for the completion and review of the Firms’ submissions. The Firms also failed

to provide proper guidance on the extent of review required prior to the Firms’ submission of

their CMARs to the Authority.

• The Firms relied on summary data provided by the TPAs as input data for the Firms’ CMAR

submissions. The Firms also had inadequate technical expertise to effectively challenge the

accuracy of the external data which resulted in delays in the Firms’ detection of CMAR

inaccuracies.

• Overall, the failings associated with the Firms’ CMAR submissions indicated a weak control

environment around the preparation, review and submission of the Firms’ CMARs.

Inaccuracies with the Firms’ CASS RP’s

• The Authority identified that for part of the Relevant Period, the Firms did not have a formal control

process in place to ensure effective prevention, detection and remediation of breaches in the

Firms’ CASS RPs.

• In addition, during the Relevant Period the Firms lacked formal controls and formal lines of

responsibility regarding the prevention, detection and remediation of breaches of rules within

Chapter 10 (Resolution Packs) of the CASS Rules.

• In particular, the Authority identified the following failings with the Firms’ CASS RPs: specific

omissions within the Firms’ CASS RPs such as a lack of procedures for recording and transferring

client money and safe custody assets, delays in the Firms’ updating of the CASS RPs for the

opening of new bank accounts and a lack of a clear timetable for the production of the CASS RPs.

• During 2015 the Firms took steps to improve the CASS RP process by implementing a formal

CASS RP checklist but the Firms’ review and updating process remained inadequate.

Inadequacy of CASS resources and technical expertise

• The Firms’ CASS resources were inadequate which undermined their ability to conduct effective

oversight of the TPAs. The Firms’ lack of CASS technical expertise brought about the Firms’

overreliance on the TPAs which further compromised the Firms’ ability to identify, resolve and

report CASS breaches and control weaknesses in a timely manner.

• During the Relevant Period, there was no formal requirement established within the Firms for

CASS training to be undertaken by members of the Firms’ CASS team. Nor were there any formal

training records maintained of any “ad hoc” CASS training completed by the CASS team

members. The Firms have now instituted a formal CASS skills and knowledge matrix for CASS

team members.

• In addition, during the Relevant Period the Firms combined the CF10 and CF10a functions which

further constrained the available resource and technical expertise dedicated to CASS compliance.

• This lack of technical knowledge and experience rendered the Firms incapable of effectively

challenging the TPAs’ performance of the CASS functions.

Failure to prioritise CASS compliance

• The Firms understated the high risks associated with CASS non-compliance which may

have prevented and/or delayed the Firms’ escalation of CASS issues. The Authority

identified inconsistencies in the Firms’ risk rating in relation to CASS oversight. In light of the

CASS breaches identified in the Firms’ external CASS audit reports, the Firms ought to

have accorded CASS compliance a higher risk rating.

• The fact that additional CASS breaches arose in consecutive annual external CASS audits

should have prompted the Firms to re-categorise CASS compliance as high risk. The Firms

did not appear to have had adequate systems and controls in place to challenge the basis

upon which CASS risks had been assessed.

What has our firm done in light of this report?

Analysed Report in detail and produced a

spreadsheet detailing each finding

Each business area then had to asses and

document what controls and processes we have in place to mitigate the issue

raised in the report.

Gap analysis then performed based on

consolidated returns to identify an areas where improvements could be

made.

Requested an analysis by our key outsourcer of how

they assessed themselves against the

findings

Action plan and summary of findings consolidated

into a report for the CASS Governance Committee

and Board

Action plan tracked through to delivery.

Summary

The final notice from the FCA was extremely detailed, whilst not

good news for Aviva it provided the industry with a good checklist

Has enabled firms to self assess there controls and processes

against these findings.

In relation to outsourcers, the FCA has made it clear in the past

this was an area they are focussing on, so all firms should have been aware of the focus

here.

Majority of fund managers and Platforms use outsource providers, this report has

highlighted how easily you can lose expertise within your business and also fail to

understand fully your outsourcers CASS model

Highlighted the importance of focus on CASS within large

organisations especially where it may only be a small part of the

overall business performed by the organisation.

Information about tax is based on our understanding of current legislation and HM Revenue & Customs' practice. Tax treatment can change and depends on your personal circumstances.

The information contained in this presentation does not constitute advice. It is designed for financial adviser use only and is not intended for use with individual investors. Any sample screen shots displayed are correct at date of issue but may be subject tochange.

Elevate, Winterthur Way, Basingstoke RG21 6SZ. Telephone number: 01256 470707. As part of our commitment to quality service and security, telephone calls may be monitored and/or recorded.

Elevate is a trading name used by AXA Portfolio Services Limited. AXA Portfolio Services Limited has been acquired by Standard Life Savings Limited and forms part of Standard Life Group. The trade mark “AXA” is used under licence from AXA SA.

AXA Portfolio Services Limited (01128611) is registered in England at 14th Floor, 30 St. Mary Axe, London, England, EC3A 8BF and is authorised and regulated by the Financial Conduct Authority.

Standard Life Savings Limited (SC180203) is registered in Scotland at Standard Life House, 30 Lothian Road, Edinburgh, EH1 2DH and is authorised and regulated by the Financial Conduct Authority.

Important Information

@uktisa@uktisa

Karen Bond, DirectorWalbrook Partners

albrook Partners

FRC CASS Assurance Standards

- Where are the Gaps?

TISA CASS Seminar

October 2016

© Walbrook Partners Limited

Introduction

The FRC standards for CASS Assurance Reviews require more effort from firms than might be apparent at first.

In many cases the gap between current evidence and controls and those now required is unexpectedly large.

A few examples are discussed in the following slides.

95


Putting it all together

Business model documentation:

‣ Does it include an overview of the type of business done?

‣ Is it understandable to an external reader?

‣ Does it explain intra-group relationships and activities?

‣ Does it include full cashflow documentation?

‣ Can your staff clearly explain it?

….and is it in your Resolution Pack?

96


The biggest gap?

Rule/Risks Mapping and Controls

‣ The detail required is often underestimated – every rulebook/every rule?

‣ Explain why rules are out of scope – and controls to ensure it stays that way

‣ Ensure controls are real, specific and can be evidenced

‣ Show regular reviews

97

If you don’t produce the documentation,

your auditors will!


The chain of evidence

The evidence required has substantially increased

‣ Ensure consistency of the business model , rule mapping, controls, procedures and evidence

‣ Consider how to prove oversight, management etc.

‣ Be prepared to prove all of the figures in reconciliations, including prudent segregation figures

‣ Prove remediation actions, including root causes

98

Make it easy for the auditors


Failing validation

Is there a gap in your figures?

‣ Be prepared to show the validation of CMAR figures against other sources

‣ Show how you confirm the CASS RP is up to date

‣ Evidence testing of client entitlements, including reconciliation to other figures

99


From gap to overlap

Three lines of defence:

‣ Is it clear who does what and where the boundaries lie?

‣ How do you preserve independence e.g. compliance advice vs. compliance

monitoring?

‣ How knowledgeable are your 2nd and 3rd lines?

‣ How are activities planned in conjunction with risks?

‣ How are actions followed up?

100


Culture

How can you evidence a strong CASS culture?

‣ Knowledge and training from the top of the firm down

‣ Consideration of Principles and the clients’ best interests evidenced in decision making and policies

‣ Investment in addressing root causes, whether through manual processes, systems changes or prudent

segregation

101

‣ Other indicators:

‣ Standards set

‣ Meeting attendance & engagement

‣ Prioritisation


Contact Details

Karen Bond | DirectorMobile: +44(0)7801 [email protected]

Mark Lester | Director Mobile: +44(0)7702 340 [email protected]

www.walbrookpartners.co.uk

Follow @WalbrookFS on Twitter

….and please support our sponsored Guide dog, Cassie!http://walbrookpartners.co.uk/cassie/

cc ccccc ccc

@uktisa@uktisa

Robert Forbes, Director of CASSRBC Investor & Treasury Services

STRICTLY PRIVATE AND CONFIDENTIAL

RBC Investor &

Treasury Services

‘How to prepare for your next FCA visit’

RBC Investor & Treasury Services106 |

How prepare for your next FCA visit


Planning

1. CF10a responsibilities.

2. Documentation.

3. System architecture.

4. People.

5. Close out meeting.

6. Don’t do’s.

7. Post visit follow up.


CF10a Responsibilities

• Ensure the organisation including the most senior people are aware of the visit and that their attendance

maybe required.

• Understand the scope of the business - be able to explain the governance structure.

• Understand the firm’s CMAR and associated information that contributes to it.

• As part of the oversight function make sure you understand all the areas of the business and the controls

that are in place.

• Have a CASS plan and be able to talk to it.

• Be able to demonstrate that the firm has a good CASS culture.

• Understand the firm’s CASS breaches and remediation actions.

• Be aware of any outsourcing arrangements that the firm has in place – be able to speak about the

oversight of these.

• Consider project resource, budget, planning, legal costs.

• Be able to demonstrate how you get comfortable that the firm is complying with CASS.

• Sit in on all the meetings if possible – clarify any misunderstandings as you go.

• Book a room, arrange refreshments.

• Co-ordinate timings of people.


Documentation

• CASS governance document.

• CASS management information.

• CASS resolution pack.

• Rules mapping.

• Audit reports.

• Breach logs.

• Accountability matrix.

• Training records.

• Minutes.

• Demonstration of CASS culture.

• Policies and procedures.

• Client files/agreements.

• Custodian agreements and due diligence.

• Reconciliations – Internal, external, ISEM.

• 3 lines of defence.

• Oversight.


Governance framework document

Fully documents the governance structure of the firm, incl. committee’s, reporting lines,

escalation process .

Details firm’s permissions.

Defines roles and responsibilities of key personnel including the CF10a.

Defines firm’s CASS type.

Details rules mapping process.

Sets out policies and procedures required to support CASS framework.

Sets out the three lines of defence.

Details due diligence requirements.

Sets CASS standards around CASS 6 & 7 specifically details basis of reconciliations,

reconciliations completed, treatment of discrepancies, contractual settlement,

shortfalls, nominee companies, ISEM (if relevant), daily client money reconciliations.


CASS Management Information

Produced monthly by the business for review at the UK CASS Forum and by the

Firm’s governing board.

CASS MI, a key tool in evidencing effective oversight of CASS.

Overall dashboard of CASS status.

Cash and stock reconciliation KPI’s. Details on anything over 90 days.

Data for previous reporting month and rolling 12 month basis.

Breach reporting, root cause analysis, area breakdown, breach by rule type.

Diversification of client money.

Trend analysis.

CASS operational risk considerations.

Status of training.

Overview of third party relationships.


Assess all processes / procedures and map them to the relevant

CASS rules

Where gaps exist, complete an impact analysis to assess impact on the firm

Where processes and procedures only

partial meet the rules, assess remediation

action required.

Identify any recordkeeping documentation

requiring enhancing.

Identify any rules that do not impact the

company.

Produce CASS footprint and money

flow diagrams.

Rules Mapping Process


Audit Reports

• Understand the findings in Audit reports.

• Consider both internal and external findings as well as compliance reports.

• Be able to demonstrate that follow up actions have taken place and issues resolved.

• Demonstrate procedures, policy and the CASS RP (if applicable) have been updated.

• Evidence that if breaches have been discovered that these have been appropriately logged.


Breach Logs

• Ensure the breach log is up to date , current and complete.

• Demonstrate that you understand the breaches, both in terms of cause and remediation actions.

• Demonstrate inter action between your 3 lines of defence on breaches.

• Be able to talk FCA through the process of identifying, remediating and analysing breaches.


Accountability Matrix

Name Location Function Sub-Team

6.2

.1 R

6.2

.2 R

6.2

.3 R

6.2

.3A

R

6.2

.3B

G

6.2

.4 R

6.2

.5 R

6.2

.6 G

6.2

.7 R

6.2

.8 G

6.2

.9 G

6.2

.10 R

6.2

.11 E

6.2

.12 G

6.2

.13 R

6.2

.14 R

6.2

.15 R

6.2

.16 G

6.3

.1 R

6.3

.2 G

Name LondonNetwork Management Network Management

1 1 1 1 1 1 1 1 1

Name LondonNetwork Management Network Management

2 2 2 2 2 2 2 2 2

Name London Shared Services Entitlements 1 1

Name London Shared Services Entitlements 2 2

Name London Shared Services Tax 1 1

Name London Shared Services Tax 2 2

Name LondonClient Operations Transaction Management

1 1 1 1 1 1 1 1 1

Name LondonClient Operations Transaction Management

2 2 2 2 2 2 2 2 2

Name LondonClient Operations Securities Lending

2 2

Name LondonClient Operations Clt Serv and Soltns (Transitions)

1 1 1 1 1 1 1 1 1 1 1 1

Name LondonClient Operations Clt Serv and Soltns (Transitions)

2 2 2 2 2 2 2 2 2 2 2 2

Name LondonIT IT

1 1

Name LondonIT IT

2 2

Name LondonIT IT

2 2


CASS Training

Experienced staff are key to ensuring firm meets its CASS requirements and remains

compliant.

Training programme to be designed and delivered to all staff with CASS touch points.

Different levels of training throughout the firm.

Test to measure effectiveness of training / key learning objectives.

Training records available for inspection to evidence completion of programme.

Annual review of training requirements.

Trained staff prevent breaches and identify systemic failures in procedures.

Training records can evidence continuous learning.

Ensure key staff can speak knowledgeable about the rules impacting them.


Meeting Minutes

• Make sure the minutes of your governance meetings are comprehensive, up to date and

available.

• Key decision should be recorded.


Demonstration of CASS culture

Examples :

• Posters.

• Breach cards.

• Tested training.

• Good governance.

• Senior engagement.

• New employee welcome meetings.


Policies and Procedures

Form a key part of firm’s CASS governance structure.

Identified in the rule mapping exercise.

Identify requirements to enable firm to remain compliant.

Sets out expectations to job holder. Include specifics in mandates.

Rules referenced directly to procedures.


Client Files / Agreements

• Are your client files up to date.

• Can you locate all the customer agreements.

• Do you have a list of how your clients are categorised.

• Can you demonstrate communication with the client complies with CASS (9.5 for example).

• Have you considered non CASS issues for e.g. Suitability – scope of CASS visits can leak.


Custodian Agreements and Due Diligence

• Ensure signed agreements are available.

• Consider side letters.

• Legal opinions supporting registration.

• In date due diligence.

• Account naming reconciliation.

• Acknowledge letters – are they correct, follow template, correct entities, evidence of

signatories. – have you moved ?


Reconciliations

• Is the basis on which you complete your reconciliations recorded.

• If this is not daily , is this reviewed annually.

• Have you got a full list of reconciliation performed.

• Can you retreive archive reconciliations going back 5 years.

• Does you reconciliation clerk, understand all the items on the rec, can they speak to them.

• Does the CF10a understand the process, from delivery of the files to closing off of the

reconciliation.

• Can they talk to the client money calculation.

• Can you demonstrate you consider shortfall’s in your reconciliation process.

• Do you have policies around reconciliations, shortfalls etc.

• Can you demonstrate entity specific reconciliations.


3 Lines of Defence – How do they interact.

CASS

3rd Line of DefenceInternal Audit

additional level of review

2nd Line of Defence - Complianceprovide effective oversight, advisory,

monitoring and reporting arrangements. Compliance monitor plan and breach reporting.

CASS Teamresponsible for oversight of the firm’s operational

compliance with CASS and reporting to the firm’s governing body in respect of that oversight.

1st Line of DefenceBusiness Ownership and Accountability

Operations Department – Policies and procedures in place to adhere to CASS rules.Operational Risk Department – Risk Assessments, Heat Maps, Error Investigation.


Outsourcing

Due diligence.

CF10a visits.

Monthly reliable MI.

Effective demonstrable challenge.

Regular meetings between parties.

Minutes.

Regular internal meetings.

SLA including rule requirements.

Scorecard and issue tracking.

Attestations.

Sample checking.


System Architecture.

1. Ensure someone is available who can

articulate clearly how your systems

enable compliance with the CASS

rules.

2. What security processes you have

around system access.

3. How you can ensure that the book of

records are separate from any other

entity.

4. Entity specific reporting.

5. Distinguish one client record from

another from the firm’s.


People

• Ensure that you invite the correct people with relevant experience.

• Make sure that they fully understand the process that they are responsible for.

• Give them interview training. Quiz them about their roles, responsibilities and the CASS rules that impact

them. Need to understand the requirements. Grill them.

• Make sure they understand the breaches in their area and can talk to them and any remediation action

that the firm put in place.

• Make sure they can articulate the challenges that they face.

• Can they explain how they train their staff and how they ensure the CASS knowledge is applied to the

role.

• How do they ensure their staff comply with the CASS rules.

• What monitoring do they have in place.

• What CASS challenges do they face?

• Do not be afraid to challenge the FCA interpretation of a process/event/ rule.


Close Out meeting

• Make sure the correct people attend, ensure Senior people are available.

• Make notes of the issues discussed.

• Ensure that any misunderstandings are clarified before the FCA leave. Do not be afraid to challenge.

• Misunderstandings will appear in the FCA report as remediation points potentially.

• Implement any changes asap, do not wait for formal notification from the FCA.


Do’s and Don’ts

Do’s

• Be calm, open, honest and friendly.

• Be able to clearly articulate the process and how CASS is impacted by it.

• Make sure the FCA understand your business – spend time on this as it prevents later issues.

Don’ts

• Make last minute amendments to documentation – you have what you have.

• Rush to amend process and procedures.

• Answer questions where you are not 100% sure of the answer.


Post Visit follow up

• Follow up letter from the FCA within 8 weeks of visit.

• Possible / likely to have some remediation points and target completion dates.

• Must treat seriously.

• Put together a working team if required, have project support in place.

• Do not claim to have completed a task unless it is fully complete.

• Make sure you have consider all parts of the issue and remediated all.

• Update FCA on progress regularly. If you discover an issue which will impact the timeline inform them asap.


Final thought

It takes time.

Start your planning now

@uktisa@uktisa

Hanish Arora, Director of CASSKPMG

CASS Roles of the 2nd

and 3rd lines of defenceJanuary 2017

133

Document Classification: KPMG Confidential

© 2017 KPMG LLP, a UK limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

Three lines of defence

Third Line of Defence

(Independent Assurance)

First Line of Defence

(Management Controls)

CASS processes and controls

Second Line of Defence

(Control functions)

Compliance Risk

Internal Audit

Accountability for regulatory compliance

Ongoing monitoring

134



A ‘hot topic’ for regulatorsNot a new

area of focus

Regulators have been highlighting inadequacies with firms’ approaches to the

three lines of defence model for a number of years

A factor in

enforcement

actions

A number of enforcement cases have cited failings in Compliance and Internal

Audit monitoring as contributing factors

Blurred lines A concern that not all monitoring activity is truly independent

135



Developments in the CASS space

Section 166sFCA has been commissioning a number of Skilled Persons Reviews over

Governance arrangements and the roles of Compliance and Internal Audit

CASS

operational

oversight

SMFs and CF10as proactively considering what assurance they need to

demonstrate effective oversight, and what needs to come from the 2nd and 3rd

lines

CASS as a

distinct area

of risk

CASS-specific Risk, Compliance and Internal Audit teams and monitoring

programmes are being established

FRC CASS

Assurance

Standard

The new Standard brings Compliance and Internal Audit into the scope of the

CASS Audit

External

assistance

Increased use of specialist advisors to help develop monitoring plans, and to

develop and perform specific CASS reviews

136



2nd line expectations

— Split between monitoring and advice (independent and objective) – understand role

— Systematic and disciplined monitoring and periodic testing of CASS risks

— Compliance monitoring plan to specifically include CASS related elements in line with the

firm’s evaluation of CASS risks

— Assessment of materiality of risk and breaches in terms of FCA notification of reportable

events – recorded in dedicated CASS issues and breaches logs

— Timely root cause and trend analysis of breaches evidenced as part of the function’s

activities in relevant registers, minutes, reports

— The Compliance team should have CASS technical knowledge and expertise to be able

to conduct robust and independent CASS reviews

137



2nd line poor practice

Monitoring plan

does not clearly

link to the firm’s

CASS risk

footprint

‘Light touch’

testing

Blurred lines

between monitoring

and advisory

Monitoring against

internal procedures

and not against

compliance with the

regulatory

requirements

No consideration

of industry events

or emerging

thematic CASS

risks

Lack of

specialist

resources within

the 2nd line

138



3rd line expectations

— Understand the roles and responsibilities of the independent Internal Audit function

— Conduct periodic independent CASS related reviews over the firm’s CASS arrangements

forming part of the function’s annual monitoring plans

— Review plans are assessed on a risk basis, approved and reviewed on a periodic basis

to capture new issues or risks

— Clarity regarding scope and approach to CASS IA reviews

— Timely follow up as part of IA review and assessment of sufficient evidencing of breaches

in relevant CASS registers

— Members of the Internal Audit function should have the required CASS technical

knowledge and expertise to be able to conduct robust and independent CASS reviews

139



3rd line poor practice

Little, infrequent

or no CASS

related testing

post PS 14/9

despite FCA and

industry focus

IA reviews lack

robustness

and focus

Quality of

outsourced

reviews varies

Inconsistent

approach to

evaluating proposed

management actions

Failure to follow up

on management

actions to ensure

appropriate steps

taken to close gaps

Lack of specialist

resource in 3rd line

Smaller firms with

no IA functions

struggle to find

CASS experts

Inadequate or

lack of any

CASS training

for the 3rd line


The information contained herein is of a general nature and is not intended to address the circumstances of

any particular individual or entity. Although we endeavour to provide accurate and timely information, there

can be no guarantee that such information is accurate as of the date it is received or that it will continue to be

accurate in the future. No one should act on such information without appropriate professional advice after a

thorough examination of the particular situation.

© 2017 KPMG LLP, a UK limited liability partnership and a member firm of the KPMG network of independent

member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights

reserved.

kpmg.com/uk

https://www.linkedin.com/company/kpmg-advisory

https://plus.google.com/111087034030305010189

https://twitter.com/kpmguk

https://www.youtube.com/user/KPMGUK

@uktisa

Thank You!

TISADakota House

25 Falcon CourtPreston Farm Business Park

STOCKTON-ON-TEESTS18 3TX

www.tisa.uk.com01642 666999

[email protected]

@uktisa

cass seminar - tisa · cass seminar 24th january 2017 ... partner and paul leech, ... application...

Documents