You cannot outsource responsibility
Engaging a third-party supplier or provider makes great commercial sense, it can bring expertise, efficiencies, or quickly achieve scale. Whatever your reasons for outsourcing and no matter who you choose to partner with, you will always remain responsible for complying with the regulations that apply to those activities as if you were still performing them inhouse.
In Charles Schwab's case their UK entity decided to outsource their arrangements for safeguarding clients' assets and money to their US entity. Assets were custodised in the US and the UK entity swept all money across to accounts in the US.
In doing so they mistakenly thought that made the US responsible for compliance with any safeguarding regulations in the US, and they were outwith any such UK regulations. This was an incorrect assumption which led to Charles Schwab thinking they had effectively outsourced safeguarding of clients' assets and money to the US.
Any outsourcing arrangement has to consider how the original owner will continue to comply with the regulations that apply to it. Even if you engage a service provider in another jurisdiction which may have different regulatory regime. That may mean your chosen service provider having to comply with regulations local to them, as well as your country regulations.
With an area of rules such as UK CASS, you will likely find that there are still aspects of the regime that you will never be able to get a service provider to take on. Taking a Charles Schwab example, your external reconciliation – because of course the UK remained custodian and still had to know what is being held for their clients by the sub-custodian (in the US). How could Charles Schwab do that if they didn’t have a second-by-second penny-by-penny record of all the transactions across their clients accounts.
Align your permissions to your business activities
This might be stating the obvious but think about it – when did you or a colleague last check through or map what your business is doing to the regulatory permissions that you hold? Do you always check your permissions, and know what permissions are available, before you start that new business line or service offering?
Charles Schwab’s oversight was to take custody when they didn’t have permission to safeguard and administer assets. Their mistake was to assume that arranging safeguarding was the same as actually safeguarding. The UK regime frequently makes this distinction between introducing, arranging and actually performing the activity.
In the UK you have to look beyond just the permitted activities. Your permissions include certain underlying instruments or products that sit under those activities. The best way to manage this is to map your business activities to all the regulatory permissions and check. Gaps are surprisingly common place and you are much better off finding that gap yourself and telling the FCA, than leaving it to fester.
As we are all well aware the regulations change frequently and it is sadly quite easy to overlook a new permitted activity, especially when it’s a newly regulated instrument. So you would be well advised to have in place a good arrangement for tracking regulatory changes.
Stick to facts
This is a point Leaman Crellin frequently makes to its clients when they are preparing for FCA discussions. However informal your conversation may feel with FCA, always make sure that you are relying on facts. If you are not sure whether what you are saying is factually accurate then tell the FCA that you need to check and revert. Don’t give your view and say you’ll check, only say you will check.
In Charles Schwab's case they mistakenly told the FCA that they had a clean CASS audit. In fact the auditors had only carried out an audit of compliance with the US CASS-like rules – the UK FCA CASS audit may have some overlaps but it does not result in an auditors opinion about compliance with the UK CASS rules. You can perhaps see why someone at Charles Schwab thought they had what was needed but had made an incorrect assumption about the facts – the scope of the US audit and what the UK regulators require. Whomever made that misstatement to the FCA had made some incorrect assumptions.
Remember that you should never speak for someone else, or another function. You will not be sparing them a conversation with the regulator by doing so, in fact you could be misrepresenting exactly what they actually do and create more problems.
Our regulatory relationships training and coaching is popular, particularly amongst people new to the SMCR. We can run a course in house for your firm or provide one on one coaching for key personnel.