Implementing Sound CASS Governance

Transcription

1 Implementing Sound CASS Governance TISA Seminar 26 September 2012 Kevin Huby and Deb Weston Kinetic Partners 2010 Agenda What do we mean by CASS governance? Building a robust CASS oversight framework The role of the CF10a Preparing for a FSA CASS visit and if it goes wrong Next steps self diagnosis, resolution packs Summing up Q&A 1

2 CASS Governance What is Governance? According to Wikipedia. Corporate governance consists of the set of processes, customs, policies, laws and institutions affecting the way people direct, administer or control a corporation 2

3 So. Corporate CASS governance consists of the set of processes, customs behaviours, policies, laws and institutions organisational structures affecting the way people direct, administer or control a corporation client assets Common CASS Issues Revisited Not recognising what is and isn t a client asset or client money Poor visibility over product features, contractual terms and obligations Lack of attention to business process management and controls Insufficiently rigorous product inception procedures Lack of 24/7 compliance, eg. intra day exposure Ineffective management information Over-reliance reliance on high level assurance 26 3

4 CASS Governance Components Stakeholders where is the client in Client Assets? The FSA principles and CASS rules themselves Culture and behaviours Policies and procedures Organisational structure Systems and controls Assurance Implementing a sound CASS control framework 4

5 Scope This is about generic good controls practice CASS Control Framework Complete picture of CASS risks Detailed understanding of what we do to manage the CASS risks, ie. controls CASS Oversight Management visibility that CASS controls exist, are adequate and are working Management visibility of control outputs and current exposure of clients Controls assurance Management information The CASS challenge 5

6 Building a Complete Picture of CASS Risk Empathise with the regulator s principles Follow the client s money/assets from the point of receiving or creation to the point of return or outward transfer Document all transactions i.e. (asset and money movement between accounts) and scenarios Identify the actual or potential scenarios where client assets and money are or may be exposed to charge, fraud or diversion Make sure all products are covered by the above Practical Challenges to Identifying CASS Risk State of the overall risk and controls framework of the organisation Quality of procedure documentation Quality of procedure documentation Process knowledge culture Legacy products and systems These types of difficulty are usually indicative of plenty of other unmitigated risks or weak controls 6

7 Capturing Money/Asset Flow Here s a simple technique analogous to process mapping for capturing money/asset flow Identifying Client Money/Asset Risk Can you identify sources of risk to client money/assets? 7

8 Identifying Client Money/Asset Risk Payments posted to wrong bank Account Negative client positions subsidised by positive client positions Bank account places deposits at too much risk Bank account insufficiently trust protected Insufficient restrictions on Bank account transactions Settlements posted to wrong bank account Asset account insufficiently trust protected Implementing appropriate mitigating controls Once risks are clearly identified, the required control-points and controls will often almost suggest themselves. Key controls Detective: Reconciliations, Breach reporting. Preventive: Account controls, Reduction of money/assets-in-transit timelags and intermediate transactions. Controls to affirm that new products/product changes and production changes have been examined for CASS risk and made compliant is the other key aspect. Reconciliations Understanding their objectives Understanding the impact of reconciliation exceptions 8

9 CASS and information systems Leveraging technology is often critical to robust CASS compliance Audit trails, tagging transactions to facilitate reconciliation Automated reconciliation tools Spreadsheets should be avoided, especially as primary records CASS Controls Oversight Controls need to be documented such that they reference CASS risks and how the controls mitigate them This documentation needs to be live and accessed routinely as part of training, operational issues management, and business change. Regular testing of the controls is required to ensure that they are undisturbed and that their outputs can be relied upon 9

10 Controls Monitoring Risk assessment of custody/banking arrangements Funding calculation and execution Reconciliations performance and exceptions resolution Suspense accounts Trust letter maintenance Breach reporting and management Change and new product pipeline monitoring Timely mgt info on the above Third party outsourcing SYSC If a firm outsources critical or important operational functions or any relevant services and activities, it remains fully responsible for discharging all of its obligations under the regulatory system How active is your TPA oversight? This means if your TPA fails, FSA will hold you as accountable as your TPA. Your oversight needs to go deeper than blind faith in an SLA clause that states compliance with CASS regulations. We suggest: Rigorous due diligence prior to engagement to ensure that the TPA has capable CASS oversight in place and reaches across Product development, business change and systems development Terms that ensure appropriate pressure can be applied to correct underperformance Ongoing oversight of their oversight i.e. receive, read and actively review the TPA s CASS monitoring, and intervene appropriately 10

11 Training Lots of CASS compliance failures within firms with a high degree (even CPD-tracked) of training in CASS-awareness Training often aimed at knowledge of the regulations and not how they apply to the activities undertaken i.e. Employees become CASS-aware but not CASS-minded Achieving CASS-mindedness in Product design, business configuration and financial control functions is as important as it is for operational transacting The CF10a Role 11

12 Evolution of the Approved Persons Regime Catalysts for changes Global financial crisis Turner review Walker review Approved Person regime objectives Strong, balanced and independent oversight Separation of functions and independence Expertise and independence in risk management 43 Why introduce CF10a? The context Dear CEO letters 2005 & 2009 Thematic reviews of intermediaries and investment firms Lehman s litigation Resolution plans for investment banks The concerns Weak senior management oversight Weak senior management oversight Fragmentation and confusion over roles and responsibilities Lack of regulatory accountability 12

13 CF10a responsibilities Three key responsibilities Oversight of the firm s operational compliance with CASS Reporting to the firm s governing body in respect of that oversight Completing and submitting the CMAR to the FSA CF10a responsibilities What the role requires Ensure compliant client money and asset flows, systems and processes, including those operated by third parties Ensure appropriate operational control framework and identification of risks therein Ensure reliable and compliant third party service providers Ensure appropriate compliance monitoring and breach reporting Oversee CMAR reporting Ensuring ongoing CASS training Open communication with FSA and CASS auditor Develop CASS Resolution Pack 13

14 CF10a reporting Reporting to board/governing body Based on appropriate and sufficient management information, eg breaches, control failures, ageing analysis, Key Man risks, etc Relationship with the CASS auditor and their findings Relationship with the FSA and visits, issues Approved Persons Enforcement Action Sanctions Prohibition either permanent or for a limited period Prohibit fully or from significant influence functions Fine Private warning Require training 14

15 Preparing for a FSA CASS Visit FSA expectations The FSA expects firms to ensure the following in order to promote customer confidence: Clients money and assets are protected Monies and assets will be returned within a reasonable timeframe in the event of insolvency There is strong management oversight and control Firms do not fund their own activities with client monies and assets Client assets and monies are not lost or diminished through insolvency Key messages coming from the FSA Expect CASS to receive more regulatory attention Strengthen your management, oversight and control of CASS arrangements 50 15

16 CASS visits An FSA visit can be an intrusive process and can include the following: Advanced information requests Interviews with staff members at all levels Testing of processes and documentation Review and discussion of the CASS audit report Interview with the CASS auditor Identification of risk mitigation programme items Indication that S166 report or Enforcement will be required Visits led by the FSA CASS team rather than a firm s regular supervisor 51 Handling a S166 Skilled Persons Report 16

17 Typical s166 scenario Evidence of issues or breaches exists FSA CASS Review s166 Skilled Persons Review Remedial action delivery Post implementation review Issues may be identified but not adequately escalated FSA CASS visit scheduled FSA report findings and request s166 FSA appoint s166 Skilled Person in tripartite agreement S166 Report and recommendations Decision on enforcement or disciplinary action FSA require independent review of remedial action May be performed by Skilled Person but outside s166 remit Post review report to FSA FSA closure 53 FSA and the s166 report A Skilled Person s Report Understanding of your needs Approach and deliverables Structure and governance Resources FSA Interaction Opening meeting together with the FSA and the client Intermediate meeting with the FSA and the client Delivery of draft report to the steering committee (If requested also delivered to the FSA) Delivery of final report Closing meeting with the FSA and the client FSA may request a further meeting with the skilled person only Report Development Process Discussion between the FSA, the firm and the skilled person Where appropriate the FSA meets the firm and/or the skilled person to discuss the final report Progress monitored The report completed by the skilled person The firm adds management comments to the report The report sent by the firm to the FSA 54 17

18 How to manage a s166 Be prepared it can be a very intrusive process Always refer back to the Requirement Notice The co-ordinator s role is important Ensure regular communication with the FSA Address findings at a sufficiently senior level Prepare well researched management responses and carefully considered remedial action plan Commit adequate resource and budget to execute the remedial action plan quickly and rigorously 55 Next Steps 18

19 If you haven t already got one, foster a suspicious mind. Self Diagnosis We have a reliable and complete inventory of current and legacy products and related components (e.g. accounts, safe custody arrangements) All associated documentation is readily to hand, complete and accurate All staff are sufficiently trained to understand the rules in order to perform competent calculations and reconciliations Our approach to accounting for and reconciling client money is in accordance with industry best practice All the client money touchpoints within the transactional workflow for all our products are visible and their implications clear and understood by all 58 Client asset compliance is properly considered whenever processes and systems are built or changed Segregation of client money and corporate money is always timely and accurate Our client money requirement calculations can always be relied on to identify and make good any individual client shortfalls Client money funding transfers are always made by close of business, irrespective of the circumstances Client money records and management information can always be relied upon Strong controls are maintained over any spreadsheets used 19

20 CASS Resolution Pack Part of the broader Recovery and Resolution Plans (RRPs) proposed in the recently published CP11/16 Broader RRPs will apply to some investment firms (full scope BIPRU 730k firms with assets exceeding 15bn) CASS RP will be required by any firm subject to CASS 6 or 7 (but not a firm which just arranges safeguarding and administration of assets) CASS RPs will be due by end of 2012 Purpose is to ensure a firm maintains information that in the event of its insolvency would assist an insolvency practitioner in achieving timely return of client money and assets 59 Resolution Pack Contents Concept of a Resolution Weekend Documents must be capable of being retrieved within 48 hours Section 1 new documents, eg. Signposting documents, important firm-specific information that would be helpful to an IP Section 2 documents already required by existing CASS rules Requirement for on-going review and update for any material change within 5 business days Annual compliance attestation by CF10a 60 20

21 Summing Up Foundations of Good CASS Governance Firm-wide, clear and consistent understanding of the regulatory principles and requirements in the context of your products and operational model Clear understanding of all your business processes and the CASS touchpoints within them Processes that are efficient and rigorously controlled Staff who are CASS-minded, not just CASS-aware Culture of robust challenge and accountability 21

22 Conclusions CASS is towards the top of the FSA s agenda Expectations are high, compliance is challenging materiality is not generally a consideration or an excuse for non-compliance Many FSA thematic reviews result in adverse findings s166 Skilled Persons reports are a common result S166 process is intrusive and remedial action plans need to be completed swiftly and rigorously Make sure you continue to build on the foundations of good CASS governance 63 Q&A kevin.huby@kinetic-partners.com deborah.weston@kinetic-partners.com Kinetic Partners