FCA custody and fund services supervision strategy
What has happened?
In March 2022, the FCA issued a Dear CEO letter outlining its supervision strategy for custody and fund services firms.
What did the letter focus on?
Firms receiving the letter have been allocated to the FCA’s ‘custody and fund services’ portfolio, which covers firms acting as third-party custodians, depositaries for authorised and non-authorised funds and third-party administrators that provide services such as fund accounting and transfer agency.
The letter outlines the FCA’s view of the key risks that custody and fund services firms need to manage in order to protect investors and the integrity of the markets in which they operate. The FCA expects these firms to take the necessary action to ensure that these risks are appropriately mitigated, and it asks that CEOs consider and discuss them with their fellow Directors and/or Board and agree what further action they should take to ensure that their firm meets the requirements.
In the course of future FCA supervisory engagement with firms, they can expect to be asked about the actions taken in response to the letter to ensure that customers and markets are adequately protected.
The FCA sees four principal areas of potential harm to clients and end consumers and to market integrity. These are as follows.
Operational resilience and cyber
Operational resilience and cyber defences are key sector risks, and are also areas where the FCA has observed significant weakness at some firms. It may seek assurances and evidence that investment programmes are sufficient to ensure that critical services are not too heavily reliant on legacy technology, resulting in resilience or security risks. The levels of interconnectedness between systems, lack of internal knowledge on how the systems operate, and ineffective oversight of third-party or intra-group service providers can all threaten resilience. These are areas where firms can expect questioning on how risks have been mitigated.
Policy Statement PS21/3 sets out final rules and guidance on building operational resilience, and these come into force on 31 March 2022. By 31 March 2022, in-scope firms must have identified their important business services, set impact tolerances for maximum tolerable disruption and carried out mapping and testing to a level of sophistication necessary to do so. These firms must also have identified any vulnerabilities in their operational resilience. As soon as practicable after March 2022, and no later than 31 March 2025, in-scope firms must have performed mapping and testing so that they are able to remain within impact tolerances for each important business service and must have made the necessary investments to enable them to operate consistently within impact tolerances.
Firms need to ensure that the services they provide to the market are underpinned by robust security measures. This includes ensuring sufficient protection and security of data from loss, theft, misuse, alteration or destruction. Firms identified as posing a greater risk of harm are now subject to proactive technology reviews. The FCA may choose additional firms for an ad hoc review, and may use its cyber and operational resilience assessment tools and its threat-led penetration testing scheme (CBEST).
If a firm suffers material technological failures or cyber-attacks, the FCA expects it to report this promptly as part of its responsibilities under Principle 11. SUP 15.3 sets out additional rules and guidance on when the FCA would expect notice of matters relating to a firm. This means that it expects a firm to report material operational incidents. An incident may be material if it results in a significant loss of data, results in the unavailability or loss of control of IT systems, affects a significant number of customers, or results in unauthorised access to information systems.
The FCA considers the current level of incident reporting from the sector to be inconsistent, and firms should review their policies and procedures to ensure they are meeting their reporting obligations.
Protection of Custody Assets and Money (CASS)
The FCA states that, reflecting its importance, CASS will be subject to significant ongoing supervisory engagement. The FCA has observed weaknesses in change management (operational, regulatory and business), high dependence on legacy/end-of-life IT infrastructure and high levels of manual processing and controls in some cases. It believes that challenges with CASS compliance often have their root causes in poor governance and oversight, under-investment in systems, and failure to consider CASS impacts fully when managing change. It has also seen cases where the root causes include a lack of adequate CASS knowledge.
The FCA expects firms to take steps to deal with these challenges. When considering CASS compliance, it will act where it sees firms falling below expectations and will be prepared to use the full range of regulatory tools, including enforcement action where serious misconduct is identified.
The FCA also expects firms to have considered and to be appropriately prepared for technological developments, such as potentially increasing use of distributed ledger technology (DLT).
Depositary oversight
The FCA continues to observe weaknesses in depositaries’ oversight and often an absence of effective challenge of the fund manager. It also has concerns about the robustness of controls used to oversee fund liquidity, and investment and borrowing limits. It has seen examples of a lack of holistic judgements in these areas, including for example a narrow interpretation of the COLL rule requiring a ‘prudent spread of risk’ and the lack of policies or procedures related to it.
The FCA may seek evidence that depositary firms have an appropriate level of access to an Authorised Fund Manager’s operations and adequate resourcing, and it may ask them to demonstrate that they have been able to challenge AFMs effectively in investors’ and unitholders’ interests.
Speculative and illiquid investments
The FCA has not observed custody and fund service firms manufacturing or promoting these products. However, firms in this sector may contract with and provide services to the issuers or promoters of these products, such as trustee, safekeeping and administrative services. In some cases, FCA regulated custody and fund services firms may inadvertently provide increased legitimacy to the marketing of unregulated products. Promoters of these products may exploit the status of a regulated entity from which they are procuring services to create false confidence surrounding a product, marketing claims or consumer protections.
In supervising this sector, the FCA has observed a small number of instances where firms have displayed a disregard for consumer outcomes in their activities and inadequate due diligence on parties with which they have contracted.
Market and regulatory changes
In addition, the FCA expects firms to keep abreast of, and adequately prepare for, market developments and regulatory change such as the Investment Firms Prudential Regime (IFPR). IFPR came into force on 1 January 2022 and refocuses prudential requirements and expectations away from a sole focus on the risks firms face, to also consider and look to ensure adequate capital to manage the potential harm firms can pose to consumers and markets. Firms are expected to understand how the new standards apply to them.
Firms in this sector typically have business models that rely heavily on technology and often have complex system infrastructures. The FCA wants firms in the sector to understand how future technology developments could impact the services that they offer and whether there are risks to their business model that could be caused by disruption from new technology, and to plan appropriately.
How can we help you?
If you’d like to know more about how we can help you with your operational resilience, CASS, fund depositary or fund administration arrangements, or with any other regulatory compliance issues, our specialist team is here to help.
Contact us today on 0207 436 0630 – or email info@thistleinitiatives.co.uk.