The FCA takes a risk-based approach, grouping firms according to the level of risk each firm poses to the FCA's objectives. For CASS (the FCA’s Client Assets Sourcebook), the FCA determines this according to how much client money and/or custody assets the firm holds, and classifies firms as small, medium, or large. The FCA supervises you slightly differently depending on which bracket you fall into.
Generally, the FCA expects firms posing higher risks to its objectives to have more robust processes and controls, and more mature cultures, as they relate to CASS.
Strong governance and oversight
CASS medium and large firms are required to have an annual external audit of their compliance with certain areas of the CASS rules. Considering that obligation, why would you want an external auditor reporting breaches to your regulator that you have not already considered internally, discussed with your supervisor, and remediated?
Sure, it is not possible to have identified and remediated everything before the 30 April deadline, but you certainly would want to be in control of any message to your regulator about any breach that is notifiable. You need to be looking internally for issues.
This means making sure that Internal Audit and Compliance Monitoring both have CASS on their schedule regularly, and you will want to have some first-line testing in place ahead of their reviews.
There are plenty of CASS topics, which means you can scope your testing and reviews to ensure there is limited overlap using, for example, end-to-end reviews and focussed reviews. These simple steps are one way of evidencing that you have a more mature culture and of testing that your processes really are robust.
What you agree with your clients
It is increasingly common for our outcomes-focussed regulator to start with the client outcome. That is true of CASS. The FCA will want to start with what you have agreed with your clients: what do your contracts say, and what do you actually do in practice?
Therein lies the challenge: how do you practically ensure that your legal team is actively alerting your operations team to bespoke clauses, perhaps about right of reuse (CASS 3, collateral), or to a relationship manager agreeing with a client to move assets between accounts while they are on holiday (CASS 8, mandates)?
“Total capture” is a term used by the FCA CASS unit to mean: have you assessed the completeness of your CASS compliance? If you are a medium or large CASS firm, then your auditor will expect you to have a register of all the rules mapped to your controls, as a linear means of demonstrating total capture.
In creating your rules register, you also need to consider carrying out a desk-by-desk review of your business activities, asking what products or services each desk is offering and then how the CASS rules could apply. The combination of those two exercises will give you confidence that you have “total capture”.
Reconciliation breaks are a natural feature of an efficient, well-run operations function. However, in the eyes of CASS a break is a breach. This is because the underlying has not been allocated immediately, casting doubt on ownership of the underlying in the event of a firm failure.
This means that you need to be clearing your reconciliation breaks more quickly. That can only be good for business, because the underlying is where it needs to be and, if available for re-use, becomes available for the business. Start looking at your ageing breaks and ask how you can reduce the median age of your breaks.
The FCA expects your due diligence to be a regularly repeated exercise. Of course, it might be more structured at the outset of a relationship, but it is well worth considering how well structured your due diligence is once the relationship has commenced.
Consider due diligence in the sense of both your third-party relationships and your internal relationships: for example, when you establish a hub, or when one of your Senior Managers is reliant on another for delivery or performance of their responsibilities, operations being a good example.
How do you escalate issues during a relationship, and to whom do you escalate? At what point do issues become so untenable that your firm has to fundamentally reconsider whether continuing the relationship remains viable, and who at your firm then has the expertise to take that work on? These are all questions the FCA will expect you not only to have considered but also to have documented and discussed in your governance forums.
Breaches are commonplace but should not be material
The CASS rules are really all about well-run operations underpinned by clear legal documentation. As we noted in our blog earlier this month, the nature of complying with CASS means that breaches will be inevitable, and they show that you are checking that you remain in compliance with the regime.
The FCA acknowledges this by having an annex to the CASS rules known as Schedule 2, which sets out which rule breaches the FCA wants to be told about. These fall broadly into three categories: material and immediately notifiable, notifiable, and not notifiable. A breach such as a reconciliation break will generally be not notifiable, but finding that you cannot perform an external reconciliation on your safe custody assets is notifiable, and potentially immediately notifiable.