With over £14.6 trillion of assets under custody and ongoing developments within the custody and funds sector, it is not surprising that the sector has become an increasing area of focus for the FCA. In its latest supervision strategy update, the FCA highlights the key risks it sees within the sector.
These risks are driven by the Operational Resilience regime coming into force, with firms in the sector being identified as critical third parties to a lot of market participants in the wealth and asset management space. Below we discuss the six key risks highlighted by the FCA.
1. Falling standards
The FCA highlighted a trend of falling standards in business services performed by firms within the custody and funds sector, including deficiencies in processing transactions, settlement, and collateral management. This brings into question the accuracy of books and records, not only for these firms but also for other market participants who rely on them. The concern is not limited to relationships with third party custodians or fund managers; it also applies where firms use these parties as service providers and where they perform CASS operational services for the regulated firm.
2. Third party risk
This risk is further compounded by firms in the sector having inadequate oversight and mapping of their third, fourth and Nth parties. This implies a lack of understanding of the level of operational risk within the custody chain or business services chain. It also highlights the shortcomings of firms’ mapping and testing performed as required by Policy Statement PS21/3. As such, there are weaknesses in the level of assurance that operational resilience scenario testing would provide in relation to firms’ ability to remain within the impact tolerances for each important business service in severe but plausible scenarios.
Furthermore, it was highlighted that firms don’t have appropriate exit strategies and contingency arrangements in place for their own critical third parties, such as having alternative providers aligned should a relationship prove sub-optimal or be a threat to Operational Resilience. As a result, achieving cross-sector resilience becomes more challenging.
3. Change management
Change management also continues to play a critical role in the industry. Change initiatives are driven by developments in the market, such as digital asset innovation and DLT; regulatory change, such as changes to the settlement cycles introduced in the US and planned in the UK; or by technological developments. Firms in the sector are at different points in their IT infrastructure design, with some still using near end-of-life technology inherited from prior acquisitions, and others being in the process of updating obsolete technology to increase automation and looking towards AI as a solution.
Firms should be migrating away from such technology in order to reduce risk to their books and records. This would help move a highly manual CASS environment, which itself carries a higher risk of error, to an automated environment and therefore address some of the FCA’s long-standing concerns. However, it also poses a challenge to firms, especially as CASS tends to be an afterthought within such initiatives. Firms need to ensure that CASS is kept front of mind within change management processes, be they technology or product related, and is considered at the design stage. Otherwise, unforeseen issues can arise, which can be more difficult to resolve retrospectively and further increase the risk of inaccurate books and records.
With technology-driven change management initiatives, it is always good to remember that automation, if done correctly, can alleviate pressures on firms and improve their control environment but, because of its pervasive nature, can cause highly material issues if done incorrectly.
4. Sanctions systems and controls
The FCA also highlights an increased risk that firms’ sanctions systems and controls do not adequately account for evolving requirements, with an increase in sanctions around the world due to political instability. Most firms in the sector rely on sanctions screening platforms. However, it is still the firm’s responsibility to ensure that the data these companies provide is complete, accurate and updated regularly. Effective governance, skills and resources, timely screening, and CDD and KYC procedures can only go so far if the firm is not aware of what the processes within these platforms actually are and is unable to justify why it is able to rely on this data.
5. Cyber resilience
Sub-optimal cyber resilience and security measures are also emphasised as driving risk in the sector. The FCA’s focus is on how effectively firms manage critical vulnerabilities, threat detection, business recovery, stakeholder communication and remediation efforts to improve cyber resilience.
6. Depositaries
The last risk highlighted by the FCA is the widening expectations gap among market participants, the FCA and, potentially, consumers over the role of depositaries in relation to the safekeeping of fund assets and cashflow monitoring. Whenever there is a misunderstanding or misalignment on who is responsible for what part of the custody chain within a transaction or offering, there is an increased risk of consumers not receiving the appropriate level of protection, which can cause consumer harm.
Next steps
To address the FCA’s concerns you need to ask yourself the following questions:
- What are the most common discrepancies and breaches that we are dealing with and are they indicative of falling standards within our business?
- Do we have a clear and full picture of our critical third parties and what they have done on Operational Resilience for their own Nth critical third parties?
- What is our role within achieving cross-sector resilience? Where do we sit in the custody chain?
- Are there any change management initiatives ongoing currently in our business?
- Have we considered the wider firm and the regulatory impact these may have?
- Are we comfortable with our sanction screening processes and understanding of the third parties we use to support our efforts in this space?
- What are our cyber security and resilience measures? Are they appropriate and sufficient?
How can Bovill Newgate help?
At Bovill Newgate we pride ourselves on our expertise across CASS, Operational Resilience and Financial Crime regulation. We help you assess your arrangements across these areas and provide constructive feedback on the next steps your firm needs to take to meet the FCA’s feedback. For more information, reach out to the team.