Implementing Sound CASS Governance

26th September 2012
Beware of CASS – a practical workshop for management exploring the
challenges of complying with the FSA’s Client Assets and Client Money Rules
TISA Seminar – 26 September 2012
Kevin Huby and Deb Weston
© Kinetic Partners 2010
Agenda
• What do we mean by “CASS governance”?
• Building a robust CASS oversight framework
• The role of the CF10a
• Preparing for a FSA CASS visit…
• …and if it goes wrong
• Next steps – self diagnosis, resolution packs
• Summing up
• Q&A
CASS Governance
What is “Governance”?
According to Wikipedia….
“Corporate governance consists of the set of processes,
customs, policies, laws and institutions affecting the way
people direct, administer or control a corporation”
So….
“Corporate CASS governance consists of the set of
processes, customs behaviours, policies, laws and institutions
organisational structures affecting the way people direct,
administer or control a corporation client assets”
Common CASS Issues Revisited
• Not recognising what is and isn’t a client asset or client money
• Poor visibility over product features, contractual terms and obligations
• Lack of attention to business process management and controls
• Insufficiently rigorous product inception procedures
• Lack of “24/7 compliance”, eg. intra day exposure
• Ineffective management information
• Over-reliance on “high level” assurance
CASS Governance Components
• Stakeholders – where is the “client” in Client Assets?
• The FSA principles and CASS rules themselves
• Culture and behaviours
• Policies and procedures
• Organisational structure
• Systems and controls
• Assurance
Implementing a sound CASS control framework
Scope
• This is about generic good controls practice
• CASS Control Framework
– Complete picture of CASS risks
– Detailed understanding of what we do to manage the CASS risks, ie. controls
• CASS Oversight
– Management visibility that CASS controls exist, are adequate and are working
– Management visibility of control outputs and current exposure of clients
– Controls assurance
– Management information
The CASS challenge
Building a Complete Picture of CASS Risk
• Empathise with the regulator’s “principles”
• Follow the client’s money/assets from the point of receiving or creation to the point of return or outward transfer
• Document all transactions (i.e. asset and money movement between accounts) and scenarios
• Identify the actual or potential scenarios where client assets and money are or may be exposed to charge, fraud or diversion
• Make sure all products are covered by the above
Practical Challenges to Identifying CASS Risk
• State of the overall risk and controls framework of the organisation
• Quality of procedure documentation
• Process knowledge culture
• Legacy products and systems
• These types of difficulty are usually indicative of plenty of other unmitigated risks or weak controls
Capturing Money/Asset Flow
• Here’s a simple technique analogous to process mapping for capturing money/asset flow
Identifying Client Money/Asset Risk
• Can you identify sources of risk to client money/assets?
Identifying Client Money/Asset Risk
• Payments posted to wrong bank account
• Negative client positions subsidised by positive client positions
• Bank account places deposits at too much risk
• Bank account insufficiently trust protected
• Insufficient restrictions on bank account transactions
• Settlements posted to wrong bank account
• Asset account insufficiently trust protected
Implementing appropriate mitigating controls
• Once risks are clearly identified, the required control-points and controls will often almost suggest themselves.
• Key controls
– Detective: Reconciliations, Breach reporting.
– Preventive: Account controls, Reduction of money/assets-in-transit time-lags and intermediate transactions.
– Controls to affirm that new products/product changes and production changes have been examined for CASS risk and made compliant are the other key aspect.
• Reconciliations
– Understanding their objectives
– Understanding the impact of reconciliation exceptions
CASS and information systems
• Leveraging technology is often critical to robust CASS compliance
• Audit trails, tagging transactions to facilitate reconciliation
• Automated reconciliation tools
• Spreadsheets should be avoided, especially as primary records
CASS Controls Oversight
• Controls need to be documented such that they reference CASS risks and how the controls mitigate them
• This documentation needs to be live and accessed routinely as part of training, operational issues management, and business change.
• Regular testing of the controls is required to ensure that they are undisturbed and that their outputs can be relied upon
Controls Monitoring
• Risk assessment of custody/banking arrangements
• Funding calculation and execution
• Reconciliations performance and exceptions resolution
• Suspense accounts
• Trust letter maintenance and management
• Breach reporting
• Change and new product pipeline monitoring
• Timely mgt info on the above
Third party outsourcing
• SYSC 8.1.6 – If a firm outsources critical or important operational functions or any relevant services and activities, it remains fully responsible for discharging all of its obligations under the regulatory system
• How active is your TPA oversight?
• This means if your TPA fails, FSA will hold you as accountable as your TPA.
• Your oversight needs to go deeper than blind faith in an SLA clause that states ‘compliance with CASS regulations’.
• We suggest:
– Rigorous due diligence prior to engagement to ensure that the TPA has capable CASS oversight in place and reaches across Product development, business change and systems development
– Terms that ensure appropriate pressure can be applied to correct underperformance
– Ongoing oversight of their oversight i.e. receive, read and actively review the TPA’s CASS monitoring, and intervene appropriately
Training
• Lots of CASS compliance failures within firms with a high degree (even CPD-tracked) of training in CASS-awareness
• Training often aimed at knowledge of the regulations and not how they apply to the activities undertaken i.e. Employees become “CASS-aware but not CASS-minded”
• Achieving CASS-mindedness in Product design, business configuration and financial control functions is as important as it is for operational transacting
The CF10a Role
Evolution of the Approved Persons Regime
Catalysts for changes
• Global financial crisis
• Turner review
• Walker review
Approved Person regime objectives
• Strong, balanced and independent oversight
• Separation of functions and independence
• Expertise and independence in risk management
Why introduce CF10a?
The context
• Dear CEO letters 2005 & 2009
• Thematic reviews of intermediaries and investment firms
• Lehman’s litigation
• Resolution plans for investment banks
The concerns
• Weak senior management oversight
• Fragmentation and confusion over roles and responsibilities
• Lack of regulatory accountability
CF10a responsibilities
Three key responsibilities
• Oversight of the firm’s operational compliance with CASS
• Reporting to the firm’s governing body in respect of that oversight
• Completing and submitting the CMAR to the FSA
CF10a responsibilities
What the role requires
• Ensure compliant client money and asset flows, systems and processes, including those operated by third parties
• Ensure appropriate operational control framework and identification of risks therein
• Ensure reliable and compliant third party service providers
• Ensure appropriate compliance monitoring and breach reporting
• Oversee CMAR reporting
• Ensuring ongoing CASS training
• Open communication with FSA and CASS auditor
• Develop CASS Resolution Pack
CF10a reporting
Reporting to board/governing body
• Based on appropriate and sufficient management information, eg breaches, control failures, ageing analysis, Key Man risks, etc
• Relationship with the CASS auditor and their findings
• Relationship with the FSA and visits, issues
Approved Persons – Enforcement Action
Sanctions
• Prohibition either permanent or for a limited period
• Prohibit fully or from significant influence functions
• Fine
• Private warning
• Require training
Preparing for a FSA CASS Visit
FSA expectations
• The FSA expects firms to ensure the following in order to promote customer confidence:
– Clients’ money and assets are protected
– Monies and assets will be returned within a reasonable timeframe in the event of insolvency
– There is strong management oversight and control
– Firms do not fund their own activities with client monies and assets
– Client assets and monies are not lost or diminished through insolvency
• Key messages coming from the FSA
– Expect CASS to receive more regulatory attention
– Strengthen your management, oversight and control of CASS arrangements
CASS visits
• An FSA visit can be an intrusive process and can include the following:
– Advanced information requests
– Interviews with staff members at all levels
– Testing of processes and documentation
– Review and discussion of the CASS audit report
– Interview with the CASS auditor
– Identification of risk mitigation programme items
– Indication that S166 report or Enforcement will be required
• Visits led by the FSA CASS team rather than a firm’s regular supervisor
Handling a S166 Skilled Persons Report
Typical s166 scenario
[Flowchart; box labels:]
• Evidence of issues or breaches exists
• Issues may be identified but not adequately escalated
• FSA CASS Review
• FSA CASS visit scheduled
• s166 Skilled Persons Review
• FSA report findings and request s166
• Remedial action delivery
• S166 Report and recommendations
• FSA appoint s166 Skilled Person in tripartite agreement
• Decision on enforcement or disciplinary action
• Post implementation review
• FSA require independent review of remedial action
• Post review report to FSA
• FSA closure
• May be performed by Skilled Person but outside s166 remit
FSA and the s166 report
A Skilled Person’s Report
• Understanding of your needs
• Approach and deliverables
• Structure and governance
• Resources
FSA Interaction
• Opening meeting together with the FSA and the client
• Intermediate meeting with the FSA and the client
• Delivery of draft report to the steering committee (If requested also delivered to the FSA)
• Delivery of final report
• Closing meeting with the FSA and the client
• FSA may request a further meeting with the skilled person only
Report Development Process
• Where appropriate the FSA meets the firm and/or the skilled person to discuss the final report
• Discussion between the FSA, the firm and the skilled person
• Progress monitored
• The report completed by the skilled person
• The firm adds management comments to the report
• The report sent by the firm to the FSA
How to manage a s166
• Be prepared – it can be a very intrusive process
• Always refer back to the Requirement Notice
• The co-ordinator’s role is important
• Ensure regular communication with the FSA
• Address findings at a sufficiently senior level
• Prepare well researched management responses and carefully considered remedial action plan
• Commit adequate resource and budget to execute the remedial action plan quickly and rigorously
Next Steps
If you haven’t already got one, foster a ‘suspicious mind’.
Self Diagnosis
• We have a reliable and complete inventory of current and legacy products and related components (e.g. accounts, safe custody arrangements)
• All associated documentation is readily to hand, complete and accurate
• All staff are sufficiently trained to understand the rules in order to perform competent calculations and reconciliations
• Our approach to accounting for and reconciling client money is in accordance with industry best practice
• All the client money touchpoints within the transactional workflow for all our products are visible and their implications clear and understood by all
• Client asset compliance is properly considered whenever processes and systems are built or changed
• Segregation of client money and corporate money is always timely and accurate
• Our client money requirement calculations can always be relied on to identify and make good any individual client shortfalls
• Client money funding transfers are always made by close of business, irrespective of the circumstances
• Client money records and management information can always be relied upon
• Strong controls are maintained over any spreadsheets used
CASS Resolution Pack
• Part of the broader Recovery and Resolution Plans (RRPs) proposed in the recently published CP11/16
• Broader RRPs will apply to some investment firms (full scope BIPRU 730k firms with assets exceeding £15bn)
• CASS RP will be required by any firm subject to CASS 6 or 7 (but not a firm which just arranges safeguarding and administration of assets)
• CASS RPs will be due by end of 2012
• Purpose is to ensure a firm maintains information that in the event of its insolvency would assist an insolvency practitioner in achieving timely return of client money and assets
Resolution Pack Contents
• Concept of a “Resolution Weekend”
• Documents must be capable of being retrieved within 48 hours
• Section 1 – new documents, eg. Signposting documents, important firm-specific information that would be helpful to an IP
• Section 2 – documents already required by existing CASS rules
• Requirement for on-going review and update for any material change within 5 business days
• Annual compliance attestation by CF10a
Summing Up
Foundations of Good CASS Governance
• Firm-wide, clear and consistent understanding of the regulatory principles and requirements in the context of your products and operational model
• Clear understanding of all your business processes and the CASS touchpoints within them
• Processes that are efficient and rigorously controlled
• Staff who are “CASS-minded, not just CASS-aware”
• Culture of robust challenge and accountability
Conclusions
• CASS is towards the top of the FSA’s agenda
• Expectations are high, compliance is challenging – materiality is not generally a consideration or an excuse for non-compliance
• Many FSA thematic reviews result in adverse findings – s166 Skilled Persons reports are a common result
• S166 process is intrusive and remedial action plans need to be completed swiftly and rigorously
• Make sure you continue to build on the foundations of good CASS governance
Q&A