CASS Seminar - TISA - Tax Incentivised Savings …uktisa Agenda •Opening remarks by –Jeffrey...

CASS Seminar, 28th February 2017, Standard Life, Dundas House, 20 Brandon Street, Edinburgh


Jeffrey Mushens - Chair, TISA

Agenda

• Opening remarks by – Jeffrey Mushens, Technical Policy Director, TISA - Chair

• Ash Saluja, Partner, CMS Cameron McKenna LLP ‘CASS Oversight – satisfying regulatory requirements and expectations’

• Anna Dawson, Associate Director, Deloitte LLP ‘FRC CASS Assurance Standard’

• Jennifer Duncan, Director, Risk Consulting, KPMG ‘The expectations of the second and third lines of defence’

• Coffee Break

• Mark Lester, Director, Walbrook Partners ‘Gaps in meeting the new CASS Assurance Standards’

• Shaid Moughal, Head of CASS, Standard Life ‘Cleared Funds’

• Mike Sims, Elevate Financial Controller, Standard Life ‘Oversight and Governance – lessons from Aviva’

• Closing remarks by Jeffrey Mushens - Chair

Ash Saluja, Partner, CMS Cameron McKenna LLP

CASS Oversight:

Satisfying regulatory requirements and expectations

Ash Saluja, Partner and Alison McHaffie, Partner

CMS London

24 January 2017

Looking at ………….

The legal and regulatory responsibilities

The FCA focus

What to do if you identify a CASS breach

When enforcement takes action and lessons to be learned

Where responsibility can exist

• CF 10A

• CASS auditor

• Outsource service provider

• Board

CASS operational oversight function (CF10A)

SUP 10A.7.9 - Dynamic responsibility?

• Oversight of the operational effectiveness of the firm's systems and controls that are designed to achieve compliance with CASS

• Reporting to the firm's governing body

• Completing and submitting CMAR

CASS Auditor

• Distinction between consultancy and audit roles

• If auditor finds a problem - immediate breach

• If auditor finds nothing - no comfort

Checkpoints

• CMAR

• CASS Resolution Pack

• Board reports

• CASS audit reports

• Trust letters

Outsourcing CASS responsibility

• Choice of outsourcing provider

• Terms of agreement, SLAs etc

• Adequate monitoring

• Adequate access

Responsibility of the Board

SYSC 4.1.1 - A firm must have robust governance arrangements, which include … internal control mechanisms, including sound administrative and accounting procedures ….

SYSC 4.1.10 - A common platform firm must monitor and, on a regular basis, evaluate the adequacy and effectiveness of its systems, internal control mechanisms and arrangements established in accordance with SYSC 4.1.4 R to SYSC 4.1.9 R and take appropriate measures to address any deficiencies.

Legal responsibility for client assets

• Held separately on trust

• Duty to return assets to client

• Duty to account for income

• Duty to monitor third party custodians

Legal responsibility for client money

• Held on statutory trust

• Trust letters

• Duty of diversification

• Prudent segregation

The FCA focus

“We will continue to ensure firms have appropriate mechanisms to protect client assets to ensure consumers are protected in the event of failure.”

FCA Business Plan 2016/17

FCA continues to focus on this area:

• Increasing the supervision of firms holding client money and safe custody of assets through more intrusive visits to firms, thematic projects and desk-based reviews, actions initiated through CMAR/audit information and taking regulatory action where firm failings are identified.

• Increasing use of attestations

• S166 skilled person reports (14 over last 18 months – about 20% of all s166)

• 3 of 8 enforcement actions against firms in 2016

FCA expects firms and senior management to learn lessons from enforcement action

• “We have issued repeated warnings to the industry on the importance of complying with client money rules which are designed to ensure that client money is adequately protected in the event of a firm failing. There can be no excuses given these warnings and the stakes involved” “Senior management are ultimately responsible for ensuring that firms are following our rules”

Mark Steward, Director of Enforcement and Market Oversight at the FCA, July 2016

What if you identify a breach of CASS?

Identify:

• What has gone wrong?

• How significant is it?

• Length/frequency of breach?

• Evidence of any weaknesses in controls?

• Is remedial action required?

Notify FCA depending on significance/materiality of breach

• Principle 11 – anything which the regulator might reasonably expect notice

• SUP 15.3.11R – significant breach of rule

• CASS specific notification rules – “without delay”... if unable or materially fails to comply with various CASS requirements (see CASS 6.6.57 & 7.15.33 etc)

Ensure self reporting is prompt, clear and provides assurance that management is in control and appropriate remedial action is being taken

Consequences of failure

What goes wrong

Triggers for investigation & enforcement action:

• Actual loss for clients

• Risk of loss to clients and risk of set off by banks

• Risk of delay in return of money

• Failure to heed warnings – “firms….should ensure they continue to strengthen their management, oversight and controls in this area”

• Lengthy breaches

• Systemic importance of firm

• Failure to identify, notify & false attestations

• Governance or cultural failings

• Previous fines

Breaches of:

• Principle 10 (adequate protection for clients’ assets) & Principle 3 (systems & controls)

• CASS rules

• Statements of Principle for Approved Persons (APER or COCON) for individuals

What has gone wrong?

Failure to:

• Segregate and commingling with firm’s own funds

• Carry out sufficient due diligence on institutions holding monies

• Recognise firm is “holding” client money

• Obtain trust letters

• Perform client money calculations and reconciliations accurately and promptly

• Inadequate records to distinguish one client’s money from another

• Manage acquisitions and re-organisations weakening CASS oversight

• Use appropriate naming conventions to make it clear it was client money

• Cover shortfalls and notify FCA

• Have adequate oversight and controls over TPAs

• Oversee, monitor and obtain adequate MI

• Train relevant staff

• Carry out sufficient enquiries before providing affirmations to FCA


Penalties

FCA has discretion to increase or decrease in 5 step framework and can decide that average balance of client money/assets is not an appropriate indicator.

Higher fines

Risk of individual action against senior management where there is personal responsibility for failings (see Philip July 2016)

Most cases settle - 30% discount

Level of seriousness | Percentage – Client Money | Percentage – Safe custody assets
Level 1 | 0 | 0
Level 2 | 1 | 0.2
Level 3 | 2 | 0.4
Level 4 | 3 | 0.6
Level 5 | 4 | 0.8

How to handle a CASS investigation

Some practical points………

Seeking to avoid an enforcement referral

• Robust systems and controls kept under review

• Prompt and effective notification of any breaches

• Accurate attestations

• Firm identifies and carries out remedial action on own initiative

• No risk of loss or delay

• Good and constructive relationship with supervisors

Managing an investigation effectively

• Prompt and well ordered response to requests for information and well prepared interviewees

• Put issues in context and show actions were reasonable

• Seek to understand FCA’s concerns and address them early in the process

• Demonstrate lack of risk to client assets – consider expert IP evidence

• Show lessons learned and acted on by firm

• Settle where appropriate


Anna Dawson, Associate Director, and Andrew Stirling, Senior Manager

Deloitte LLP

28 February 2017

FRC Client Assets Standard


FRC Standard

Rules mapping, risk assessment and internal controls


Background of the FRC Client Assets Assurance Standard

Financial Reporting Council (‘FRC’) Standard “Providing Assurance on Client Assets to the Financial Conduct Authority” was published in November 2015 and it is applicable to CASS Auditors

The FRC Client Assets Assurance Standard replaces reporting under Bulletin 2011/2 and Bulletin 3

Bulletins provided auditors with guidance that was “persuasive” whereas the Standard is “prescriptive”, i.e. now a requirement rather than guidance

FRC Client Assets Assurance Standard effective for periods commencing on or after 1 January 2016

Scope of the FRC Client Assets Assurance Standard in relation to the CASS rules has not changed, i.e. still limited to compliance with the rules in CASS 3, 6, 7 and 8 (where applicable) for “during the period” and “as at the period end”

Where the firm outsources functions to a Third Party Administrator (“TPA”) the CASS auditor and the firm should explicitly set out the rights of access to the TPA in the engagement letter

The CASS auditor is required to adopt an insolvency mind-set, which places greater emphasis on evaluating whether the firm’s processes and controls are deemed adequate to ensure protection of client assets in the event of insolvency

Reporting under the FRC Client Assets Assurance Standard significantly raises the bar from previous reporting regime – particularly for reasonable assurance engagements where a firm holds client money and / or custody assets

Firms are expected to have in place from 1 January 2016 a CASS risk and control framework which includes CASS risk assessment, CASS rules and controls mapping for every applicable CASS rule, and clear roles and responsibilities for CASS in the three lines of defence framework.

Significant increase in scope

Key changes under the new FRC Standard

[Diagram]

1. Control Environment over CASS, i.e. Governance

2. CASS Risk Assessment

3. CASS Control Activities

4. Information and Communication

5. CASS Monitoring Activities

6. Other matters to consider

Diagram labels: 1st line Self Assessment; Compliance Monitoring; Internal Audit; ‘Tone from the top’ and CASS risk appetite; Management information, reporting and escalation; Regulated Firm; Identification; Segregation; Reconciliations; Books and Records; Third Party Administrators (if applicable); CMAR; New products and services; Change management, IT and business recovery

CASS Rules Mapping and Risk Assessment

Key changes under the new FRC Standard

[Diagram]

CASS Rules | Applicability
CASS 3.x.x R | No - rationale
CASS 7.x.x R | Yes - interpretation
CASS 6.x.x R | Yes
… | …
CASS 7.x.x R | Yes
CASS 8.x.x R | Yes

Risk Description | Inherent Risk
CASS Risk 1 | H
CASS Risk 2 | L
CASS Risk 3 | L
CASS Risk 4 | M
… | M
CASS Risk 999 | M

Actions taken by firm | Residual Risk
E.g. Mitigate with Control 1 | M
E.g. Mitigate with Control 2 | M
E.g. Accept Risk (unlikely action) | M
E.g. Mitigate with Control 3 | L

Diagram labels: Factors affecting significance of the risk; Highly significant; Factors affecting likelihood of the risk occurring; Very likely; One-to-one, one-to-many or many-to-one relationships

Firm’s risk assessment should consider each relevant CASS rule that applies to the firm, i.e. rule by rule applicability matrix

CASS auditor to evaluate firm’s process for identifying risks relevant to compliance with CASS, evaluating significance of the risk, likelihood of their occurrence, and actions to address those risks.

CASS auditor to raise an observation if it identifies a risk that management has failed to identify.

Internal controls

Background and context – COSO 2013

• The COSO 2013 Framework provides a formal structure for the design and evaluation of the effectiveness of internal control

• It categorizes controls into five components, and each component is addressed by a variety of principles and points of focus

Five components of internal controls (based on the COSO 2013 framework)

• Control Environment

• Risk Assessment

• Control Activities

• Information & Communication

• Monitoring Activities

Diagram labels: Indirect controls; Direct controls; Indirect controls

© 2017 Deloitte LLP. All rights reserved.


Control design

Key design factors (1)

Appropriateness of the purpose of the control:

• Explicitly demonstrate how the control addresses the identified risks

• Ensure all risks the control is mapped to are addressed

Appropriateness of the control considering the nature and significance of the risk:

• Preventative vs detective – to address timeliness of the control, e.g. immediate segregation of client money

• For more significant risks, identify and implement a mix of controls, including process level controls over the transaction flows

• The greater the inherent risk, the more precise the controls are expected to be

Competence and authority of control performer:

• Ensure the experience is appropriate in the control area

Frequency and consistency with which the control is performed:

• Consider the required frequency of the control based on the risk

• Is the control timely to prevent or detect an error, e.g. 10 day allocation rule and reconciliation frequency?

Level of aggregation and predictability:

• Assess whether the aggregation is sufficiently direct and precise to address the risk


Control design

Key design factors (2)

Criteria for investigation/ process for follow-up:

• Investigation is a key part of the control; ensure the reviewer can identify matters for further follow-up and magnitude of such items

• Ensure timeliness of their investigation and follow-up

• If thresholds should be applied, make these explicit where possible

Dependency on other controls or information:

• Understand if the control is dependent on other controls, including effective GITCs, or information (data or reports)



Jennifer Duncan, Director, Risk Consulting

KPMG

CASS Roles of the 2nd and 3rd lines of defence

January 2017

[Diagram]

First Line of Defence (Management Controls): CASS processes and controls

Second Line of Defence (Control functions): Compliance Risk

Third Line of Defence (Independent Assurance): Internal Audit

Diagram labels: Accountability for regulatory compliance; Ongoing monitoring

Not a new area of focus: Regulators have been highlighting inadequacies with firms’ approaches to the three lines of defence model for a number of years

A factor in enforcement actions: A number of enforcement cases have cited failings in Compliance and Internal Audit monitoring as contributing factors

Blurred lines: A concern that not all monitoring activity is truly independent

Developments in the CASS space

Section 166s: FCA has been commissioning a number of Skilled Persons Reviews over Governance arrangements and the roles of Compliance and Internal Audit

CASS operational oversight: SMFs and CF10as proactively considering what assurance they need to demonstrate effective oversight, and what needs to come from the 2nd and 3rd lines

CASS as a distinct area of risk: CASS-specific Risk, Compliance and Internal Audit teams and monitoring programmes are being established

FRC CASS Assurance Standard: The new Standard brings Compliance and Internal Audit into the scope of the CASS Audit

External assistance: Increased use of specialist advisors to help develop monitoring plans, and to develop and perform specific CASS reviews

— Split between monitoring and advice (independent and objective) – understand role

— Systematic and disciplined monitoring and periodic testing of CASS risks

— Compliance monitoring plan to specifically include CASS related elements in line with the firm’s evaluation of CASS risks

— Assessment of materiality of risk and breaches in terms of FCA notification of reportable events – recorded in dedicated CASS issues and breaches logs

— Timely root cause and trend analysis of breaches evidenced as part of the function’s activities in relevant registers, minutes, reports

— The Compliance team should have CASS technical knowledge and expertise to be able to conduct robust and independent CASS reviews

• Monitoring plan does not clearly link to the firm’s CASS risk footprint

• ‘Light touch’ testing

• Blurred lines between monitoring and advisory

• Monitoring against internal procedures and not against compliance with the regulatory requirements

• No consideration of industry events or emerging thematic CASS risks

• Lack of specialist resources within the 2nd line

— Understand the roles and responsibilities of the independent Internal Audit function

— Conduct periodic independent CASS related reviews over the firm’s CASS arrangements forming part of the function’s annual monitoring plans

— Review plans are assessed on a risk basis, approved and reviewed on a periodic basis to capture new issues or risks

— Clarity regarding scope and approach to CASS IA reviews

— Timely follow up as part of IA review and assessment of sufficient evidencing of breaches in relevant CASS registers

— Members of the Internal Audit function should have the required CASS technical knowledge and expertise to be able to conduct robust and independent CASS reviews

• Little, infrequent or no CASS related testing post PS 14/9 despite FCA and industry focus

• IA reviews lack robustness and focus

• Quality of outsourced reviews varies

• Inconsistent approach to evaluating proposed management actions

• Failure to follow up on management actions to ensure appropriate steps taken to close gaps

• Lack of specialist resource in 3rd line

• Smaller firms with no IA functions struggle to find CASS experts

• Inadequate or lack of any CASS training for the 3rd line


Mark Lester, Director

Walbrook Partners


FRC CASS Assurance Standards

- Where are the Gaps?

TISA CASS Seminar

October 2016

© Walbrook Partners Limited

Introduction

The FRC standards for CASS Assurance Reviews require more effort from firms than might be apparent at first.

In many cases the gap between current evidence and controls and those now required is unexpectedly large.

A few examples are discussed in the following slides.


Putting it all together

Business model documentation:

‣ Does it include an overview of the type of business done?

‣ Is it understandable to an external reader?

‣ Does it explain intra-group relationships and activities?

‣ Does it include full cashflow documentation?

‣ Can your staff clearly explain it?

….and is it in your Resolution Pack?


The biggest gap?

Rule/Risks Mapping and Controls

‣ The detail required is often underestimated – every rulebook/every rule?

‣ Explain why rules are out of scope – and controls to ensure it stays that way

‣ Ensure controls are real, specific and can be evidenced

‣ Show regular reviews

If you don’t produce the documentation, your auditors will!

The chain of evidence

The evidence required has substantially increased

‣ Ensure consistency of the business model, rule mapping, controls, procedures and evidence

‣ Consider how to prove oversight, management etc.

‣ Be prepared to prove all of the figures in reconciliations, including prudent segregation figures

‣ Prove remediation actions, including root causes

Make it easy for the auditors

Failing validation

Is there a gap in your figures?

‣ Be prepared to show the validation of CMAR figures against other sources

‣ Show how you confirm the CASS RP is up to date

‣ Evidence testing of client entitlements, including reconciliation to other figures


From gap to overlap

Three lines of defence:

‣ Is it clear who does what and where the boundaries lie?

‣ How do you preserve independence e.g. compliance advice vs. compliance monitoring?

‣ How knowledgeable are your 2nd and 3rd lines?

‣ How are activities planned in conjunction with risks?

‣ How are actions followed up?

Culture

How can you evidence a strong CASS culture?

‣ Knowledge and training from the top of the firm down

‣ Consideration of Principles and the clients’ best interests evidenced in decision making and policies

‣ Investment in addressing root causes, whether through manual processes, systems changes or prudent segregation

‣ Other indicators:

  ‣ Standards set

  ‣ Meeting attendance & engagement

  ‣ Prioritisation

Good luck!


Shaid Moughal, Head of CASS, Standard Life

Cleared Funds

TISA CASS Seminar, October 2016

Agenda

• Cleared Funds

• Shortfalls

• Prudent Segregation

• Prefunding

• Governance

• Questions


Cleared Funds

‣ A key principle of CASS is that client money is held according to the statutory trust requirements (CASS 7.17).

‣ This section creates a fiduciary relationship between the firm and its client under which client money is in the legal ownership of the firm but remains in the beneficial ownership of the client

‣ However, a firm is not permitted, in its capacity as trustee, to allow one client’s money to fund another client’s transactions.

“Peter’s money should not be used to fund Paul’s transactions”

‣ 7.17.5 G: The statutory trust under CASS 7.17.2R does not permit a firm, in its capacity as trustee, to use client money to advance credit to the firm's clients, itself, or any other person. For example, if a firm wishes to undertake a transaction for a client in advance of receiving client money from that client to fund that transaction, it should not advance credit to that client or itself using other clients’ client money (i.e., it should not ‘pre-fund’ the transaction using other clients’ client money).


Cleared Funds

The PS14/9 feedback stated that a firm should not rely upon its internal reconciliation to determine whether or how much client money it should segregate.

Instead, the internal reconciliation should be used as an internal control to verify that the amount of client money segregated meets the firm’s obligations to clients.

The FCA had “clarified” the requirement to address shortfalls that arise the day before reconciliation is performed....

“CASS 7.12.3 G: The risk of loss or diminution of rights in connection with client money can arise where a firm’s organisational arrangements give rise to the possibility that client money held by the firm may be paid for the account of a client whose money is yet to be received by the firm. Consistent with the requirement to hold client money as trustee (see CASS 7.17.5G), a firm should ensure its organisational arrangements are adequate to minimise such a risk.”

Shortfalls

How could a shortfall arise?

‣ A risk of shortfall can arise through many different scenarios depending:

‣ Where contractual settlement exists on the client side but not on the market side

‣ Transaction settlement shortfall

‣ Intra-day exposure between the receipt and payment of client money

‣ Switches, e.g. T+4 funds to T+1 funds

‣ Work conducted on non-business days that results in a difference in the sequence of receipts and payments

‣ Timing of the removal of fees and account charges

‣ Bounced cheques and rejected direct debit receipts

‣ BACS payments which leave the account before expected receipts arrive

‣ Internal systems failures

‣ Banking systems failures

Shortfalls

What do you need to understand about shortfalls?

‣ Identify the contractual obligations of the firm

‣ Understand and document the transaction flows, particularly the timing of money movements

‣ Identify whether shortfalls could or could not arise (document the scenarios)

‣ Determine any mitigations (which may be funding but could be others)

‣ Consider financial resources available to provide funding

‣ Establish and document the processes required

‣ Review with business areas, 2nd and 3rd lines of defence, (auditors, etc.)

‣ Monitor actual money movements and test whether shortfalls arise

‣ Document a policy towards shortfalls and funding

Shortfalls

How can shortfalls be managed?

‣ Change processes

  ‣ Changing T&Cs and/or processes and systems to avoid the risk of a shortfall arising

‣ Not funding

  ‣ Establish why shortfalls will not arise & justify the rationale for not funding

‣ Prudent Segregation

  ‣ For exposures when the amounts and/or the timing of the exposures cannot be calculated precisely.

‣ Prefunding

  ‣ For exposures where an event has been identified that will cause a quantifiable shortfall.

Prudent Segregation

‣ “Prudent Segregation” in the context of CASS relates to the activity in which a regulated investment firm, for Client Money, is permitted and decides it is prudent to treat its own money as client money and then segregates that money in a client bank account.

‣ CASS 7.13.41R to 7.13.53R

‣ For firms that operate the alternative approach this is mandatory where they are required to hold a “Mandatory Prudent Segregation Amount”.


Prudent Segregation

What do the rules say?

‣ CASS 7.13.41R – if prudent to do so to prevent a shortfall in client money on the occurrence of a primary pooling event, a firm may pay money of its own into a client bank account and subsequently retain that money in the client bank account (prudent segregation). Money that the firm retains in a client bank account under this rule is client money for purposes of the client money rules and the client money distribution rules.

‣ CASS 7.13.48R – to the extent that the firm no longer considers it prudent to retain money in its client bank account pursuant to CASS 7.13.41R in order to ensure that client money is protected, the firm may cease to treat that money as client money.

‣ CASS 7.13.49R – any money that the firm ceases to treat as client money pursuant to CASS 7.13.48R must be withdrawn from its client bank account as an excess…as part of its next [internal client money reconciliation].

‣ Funding should NOT be used as a fix for inadequate systems or controls or bad recordkeeping

Prudent Segregation

Documentation

‣ Prudent Segregation Policy & Record

‣ The policy must be approved by the firm’s governing body and retained for at least five years after the date it ceases to retain such money as a prudent segregation amount

‣ A Prudent Segregation Record must be up to date and must include specific details on the amount of prudent segregation calculated and the changes to that amount

‣ What should be documented in the policy?

‣ The specific anticipated risks that would be prudent for the firm to protect

‣ Why the firm considers the use of such a payment is reasonable for the firm

‣ The method the firm will use to calculate the amount of money required

‣ Prefunding Policy

‣ Similarly to Prudent Segregation a policy document relating to the firm’s prefunding approach should documented as a best practice.

‣ It should cover the same components captured in a Prudent Segregation policy.


Prudent Segregation: What should be documented?

‣ Prudent Segregation Record must contain

‣ Outcome of the firm’s calculation of its prudent segregation

‣ The amounts paid into or withdrawn from a client bank account under the prudent segregation rules

‣ Why each payment was made

‣ Whether each payment was made in accordance with the policy

‣ Whether the policy was created or amended for this specific payment

‣ That the money was paid in accordance with the prudent segregation rule

‣ The up-to-date total amount of client money held pursuant to the prudent segregation rules

‣ All records must be held for 5 years

‣ Firms are reminded that payments and records made in accordance with the above should not be a substitute for firms keeping accurate and timely records under their other CASS and SYSC obligations.


Prefunding

‣ Firms may choose to prefund, i.e. put firm money into client money accounts to fund shortfalls that will occur during the course of settlement activity

‣ They may consider prefunding and using prudent segregation alongside other measures to mitigate the risk of a shortfall on the client bank account

‣ When can a firm Prefund?

‣ If the information is available to do so it may be preferable to prefund any payments related to unfunded transactions

‣ This may be when shortfalls arise on an intraday basis and can be prefunded for a short period of time until the expected proceeds are received.

‣ It could be used for covering shortfalls that are easier to calculate and may be predictable such as expected settlement proceeds or BACS payments

‣ It may be more difficult to use prefunding to cover unexpected scenarios such as transaction failures, bounced cheques and failed direct debits.


Organisational Requirements

‣ CASS 7.12.1R to 7.12.3G

‣ Firms must ensure that they have adequate organisational arrangements in place to minimise the risks to client money

‣ Firms must understand the risks to the business and client money operations and put in place measures to minimise those risks

‣ Document the risks, the measures available to mitigate and the decisions taken in response along with the reasons

‣ Check that all funding requirements are in line with the risks documented in the policy papers. Consider making changes to the policy to incorporate any new risks.

‣ Track and monitor the funding requirement and add it to your MI pack that is reviewed by the firm’s CASS committee.

‣ Make it easy for auditors to follow and understand your prefunding processes.

‣ Share your approach with your 3rd party providers who support that part of your business. Review their performance in this process.

Governance


Questions

Shaid Moughal – Head of CASS

Standard Life plc

Tel: 0131 245 [email protected]


Mike Sims, Elevate Financial Controller

Standard Life

Aviva FCA Fine Overview

24/01/2017

Oversight and Governance – lessons from Aviva Fine

1. Overview of key findings from the FCA Final Notice

2. What has my Firm done on the back of this?

3. Summary

4. Questions

AVIVA CASS FINE

5th October 2016 – In relation to 2 legal entities

Original fine £11.8m

30% Discount for settling at an early stage

Fine Paid £8.2m

WHAT WERE THE REASONS FOR THE FINE?

• Principle 3 (Management & Control)

• Principle 10 (Client Assets)

• CASS Rules

• Chapter 8 (Outsourcing) of SYSC

Failings – Principle 3

Oversight

• Failed to implement and maintain adequate policies and procedures to detect and manage the high level of client money and custody assets risks which arose from the Firms’ outsourcing of their CASS functions.

• In particular, the Firms failed to carry out adequate and formal compliance oversight and review exercises of both the performance of the TPAs, and the quality of the MI provided by the TPAs, in relation to outsourced CASS functions

Resource & Expertise

• Failed to dedicate sufficient resource and technical expertise to enable them to implement effective CASS oversight arrangements;

Prioritisation

• Failed to prioritise sufficiently CASS compliance, resulting in inadequate oversight of the outsourced CASS functions and the delayed detection and rectification of CASS risks and compliance issues.

Failings – Principle 10

Client Money Rec

• failed to identify and promptly rectify issues within their internal client money reconciliation process resulting in the Firms’ under-segregation of client money

• mislabelled transactions within the Firms’ client money calculations (CASS 7.6.2R and CASS 7.15.3R);

CMAR & CASS RP

• failed to submit accurate CMARs

• held inadequate CASS RPs

Segregation & Supervision

• failed to ensure the adequate and accurate segregation of client money

• the Firms failed to retain the necessary expertise to supervise the outsourced functions effectively and to manage the risks associated with the outsourcing (SYSC 8.1.6R and SYSC 8.1.8(5)R)

Background

• 2012 audit failures – organisational arrangements. A £111.69 distribution was received for an asset not on the firm’s system.

• 2013 audit issues with the internal client money reconciliation and concerns over asset records outsourced to a TPA.

• 2013 audit – 4 instances of non-compliance with CASS 6.5.10R identified, involving assets with an approximate aggregate value of £1K, after the firm confirmed improved processes.

• FCA visit in Feb 2015 identified the same and similar CASS compliance issues to those identified by external auditors. The FCA also noted that their Non Standard Method of internal reconciliation was not appropriate, although auditors had signed it off in 2015.

• Aug 2015 – Based on the gravity of the firms’ failures to comply with the CASS rules, the FCA required the Firms to appoint a Skilled Person to conduct an independent review (S166).

• Jan 2016 – Skilled Person’s Report confirmed issues identified during the CASS visit and expanded on the issues previously identified by the Firms’ external CASS audit reports.

FCA Visit Findings

• In February 2015, the Authority’s CASS Department visited the Firms. During the visit the Authority identified the same and similar CASS compliance issues to those identified by the external auditors. These issues were confirmed to the Firms in a letter of 10 August 2015, which included the following concerns:

(1) serious deficiencies in the Firms’ governance and oversight of CASS functions;

(2) the Firms’ lack of individuals with combined CASS and financial experience;

(3) a convoluted committee structure which, in particular, lacked any dedicated committee for overseeing the Firms’ outsourced CASS functions;

(4) a lack of CASS specific compliance monitoring reports, particularly given the breadth of the rule changes following Policy Statement 14/9 and the Firms’ compliance history based on earlier external CASS audit reports;

(5) mislabelling of transactions within the client money calculation, prompting wider concerns regarding the Firms’ failure to maintain accurate records and accounts and inadequate organisational arrangements; and

(6) inaccuracies with the Firms’ CMAR submissions given that the Firms had made disclosures which were inconsistent with SUP 16.14.3.R.

Skilled Persons Finding

• In August 2015, the Authority required the Firms to provide a Skilled Person’s report under section 166 of the Act. On 29 January 2016, the Skilled Person issued its report, which confirmed issues identified during the CASS Visit and expanded on the issues previously identified by the Firms’ external CASS audit reports. The findings included:

a) deficiencies with the Firms’ reconciliation processes resulting in the over- and under-segregation of client money with the Firms’ under-segregation having peaked at approximately £74.4m during the period from 10 February 2014 to 9 February 2015;

b) inadequate first (business) and second (compliance) lines of defence in relation to the Firms’ submission of inaccurate CMARs;

c) inaccuracies/failings with the Firms’ CASS RPs in breach of CASS 10.1.3R;

d) the inadequacy of the management information (“MI”) provided to senior management in relation to CASS breaches, particularly in relation to the Firms’ outsourcing of CASS functions to TPAs; and

e) concerning the Firms’ use of a non-standard client money calculation, the Skilled Person confirmed that the Firms’ method of internal client money reconciliation did not provide the degree of protection provided by the standard method as set out in CASS 7 Annex 1G (CASS 7.15.18R and 7.6.8R and Annex 1G).

Inadequate organisational arrangements to ensure effective oversight of outsourced CASS functions

• Outsourcing arrangements are common in the asset management industry in relation to purchases and sales of investment fund interests for clients. TPAs typically perform back office activities such as cash and transaction processing, settlement, record keeping, reconciliations and similar CASS compliance functions.

• In such circumstances, since a firm is one step removed from CASS operations as a result of its outsourcing arrangements with a TPA, a heightened CASS compliance risk may arise. A firm is therefore required to ensure that it has robust controls and oversight systems in place to monitor and identify any issues arising with the TPA’s performance of the CASS functions for which the firm remains fully responsible.

• This also requires that a firm outsourcing CASS functions ensures that it has adequate CASS skills, expertise and resources to carry out effective oversight of the TPA.

Inadequate Reconciliation Processes

• During the Relevant Period, the Firms operated a non-standard internal client money reconciliation method. However, during the CASS Visit, a number of issues with the Firms’ internal reconciliation process were identified which had resulted in the under- and over-segregation of client money.

• Client money relating to trade purchases was removed from clients’ accounts before trades settled. The Firms also failed to set aside funding for returned cheques in the reconciliation process which meant that purchases could potentially be funded using other clients’ money. During the Relevant Period, these failings in the Firms’ internal reconciliation processes resulted in under-segregation of client money in amounts ranging from £0.4m to £74.4m during the period from 10 February 2014 to 9 February 2015.

• There were also a number of weaknesses in the design of the Firms’ oversight of their reconciliation processes. For example, the spreadsheets which the Firms used to record data in the daily and weekly reconciliation checks did not provide any guidance or parameters to ensure the consistency of checks conducted. There was also no record of who was scheduled to conduct the daily and weekly checks and whether those checks had been conducted and if so, by whom.

• Lack of consistency in the checking approach is indicative of the inadequate resourcing in relation to the reconciliation process.

Client Money and Assets Return

• During the Relevant Period, the Firms lacked a formal system or adequate guidance in relation to the CMAR process and controls, including in respect of the requirement for the submission of a monthly CMAR. The Firms’ CMAR procedures did not identify who was responsible for the completion and review of the Firms’ submissions. The Firms also failed to provide proper guidance on the extent of review required prior to the Firms’ submission of their CMARs to the Authority.

• The Firms relied on summary data provided by the TPAs as input data for the Firms’ CMAR submissions. The Firms also had inadequate technical expertise to effectively challenge the accuracy of the external data which resulted in delays in the Firms’ detection of CMAR inaccuracies.

• Overall, the failings associated with the Firms’ CMAR submissions indicated a weak control environment around the preparation, review and submission of the Firms’ CMARs.

Inaccuracies with the Firms’ CASS RPs

• The Authority identified that for part of the Relevant Period, the Firms did not have a formal control process in place to ensure effective prevention, detection and remediation of breaches in the Firms’ CASS RPs.

• In addition, during the Relevant Period the Firms lacked formal controls and formal lines of responsibility regarding the prevention, detection and remediation of breaches of rules within Chapter 10 (Resolution Packs) of the CASS Rules.

• In particular, the Authority identified the following failings with the Firms’ CASS RPs: specific omissions within the Firms’ CASS RPs such as a lack of procedures for recording and transferring client money and safe custody assets, delays in the Firms’ updating of the CASS RPs for the opening of new bank accounts and a lack of a clear timetable for the production of the CASS RPs.

• During 2015 the Firms took steps to improve the CASS RP process by implementing a formal CASS RP checklist but the Firms’ review and updating process remained inadequate.

Inadequacy of CASS resources and technical expertise

• The Firms’ CASS resources were inadequate which undermined their ability to conduct effective oversight of the TPAs. The Firms’ lack of CASS technical expertise brought about the Firms’ overreliance on the TPAs which further compromised the Firms’ ability to identify, resolve and report CASS breaches and control weaknesses in a timely manner.

• During the Relevant Period, there was no formal requirement established within the Firms for CASS training to be undertaken by members of the Firms’ CASS team. Nor were there any formal training records maintained of any “ad hoc” CASS training completed by the CASS team members. The Firms have now instituted a formal CASS skills and knowledge matrix for CASS team members.

• In addition, during the Relevant Period the Firms combined the CF10 and CF10a functions which further constrained the available resource and technical expertise dedicated to CASS compliance.

• This lack of technical knowledge and experience rendered the Firms incapable of effectively challenging the TPAs’ performance of the CASS functions.

Failure to prioritise CASS compliance

• The Firms understated the high risks associated with CASS non-compliance which may have prevented and/or delayed the Firms’ escalation of CASS issues. The Authority identified inconsistencies in the Firms’ risk rating in relation to CASS oversight. In light of the CASS breaches identified in the Firms’ external CASS audit reports, the Firms ought to have accorded CASS compliance a higher risk rating.

• The fact that additional CASS breaches arose in consecutive annual external CASS audits should have prompted the Firms to re-categorise CASS compliance as high risk. The Firms did not appear to have had adequate systems and controls in place to challenge the basis upon which CASS risks had been assessed.

What has our firm done in light of this report?

Analysed Report in detail and produced a spreadsheet detailing each finding

Each business area then had to assess and document what controls and processes we have in place to mitigate the issue raised in the report.

Gap analysis then performed based on consolidated returns to identify any areas where improvements could be made.

Requested an analysis by our key outsourcer of how they assessed themselves against the findings

Action plan and summary of findings consolidated into a report for the CASS Governance Committee and Board

Action plan tracked through to delivery.

Summary

The final notice from the FCA was extremely detailed; whilst not good news for Aviva, it provided the industry with a good checklist.

Has enabled firms to self-assess their controls and processes against these findings.

In relation to outsourcers, the FCA has made it clear in the past this was an area they are focussing on, so all firms should have been aware of the focus here.

Majority of fund managers and Platforms use outsource providers; this report has highlighted how easily you can lose expertise within your business and also fail to understand fully your outsourcer’s CASS model.

Highlighted the importance of focus on CASS within large organisations, especially where it may only be a small part of the overall business performed by the organisation.

Information about tax is based on our understanding of current legislation and HM Revenue & Customs' practice. Tax treatment can change and depends on your personal circumstances.

The information contained in this presentation does not constitute advice. It is designed for financial adviser use only and is not intended for use with individual investors. Any sample screen shots displayed are correct at date of issue but may be subject to change.

Elevate, Winterthur Way, Basingstoke RG21 6SZ. Telephone number: 01256 470707. As part of our commitment to quality service and security, telephone calls may be monitored and/or recorded.

Elevate is a trading name used by AXA Portfolio Services Limited. AXA Portfolio Services Limited has been acquired by Standard Life Savings Limited and forms part of Standard Life Group. The trade mark “AXA” is used under licence from AXA SA.

AXA Portfolio Services Limited (01128611) is registered in England at 14th Floor, 30 St. Mary Axe, London, England, EC3A 8BF and is authorised and regulated by the Financial Conduct Authority.

Standard Life Savings Limited (SC180203) is registered in Scotland at Standard Life House, 30 Lothian Road, Edinburgh, EH1 2DH and is authorised and regulated by the Financial Conduct Authority.

Important Information


Thank You!

TISA

Dakota House, 25 Falcon Court

Preston Farm Business Park

STOCKTON-ON-TEES TS18 3TX

www.tisa.uk.com

01642 666999

[email protected]
