FCA Custody and Fund Services Supervision Strategy
The FCA have published a letter outlining the key risks that custody and fund services firms need to manage in order to protect investors and the integrity of the markets in which they operate. In the letter, the FCA outline the necessary action they expect firms to take to ensure that risks are appropriately mitigated.
The FCA identify the following four principal areas that may result in harm to clients, end-consumers, and market integrity:
- Disruption to consumers and market participants, or the loss, compromise, or lack of availability of data, due to insufficient operational resilience or weak cyber controls.
- Sub-standard oversight and control of client money and assets leading to financial losses for investors and/or an inability to recover assets efficiently.
- Inadequate depositary oversight of fund managers, and failure to take reasonable care to ensure an authorised Collective Investment Scheme (CIS) is managed in accordance with applicable rules and solely in the interests of the CIS and its unitholders.
- Inadequate oversight of business linked to high risk, illiquid or speculative investment products sold to retail investors, and failures to consider related consumer outcomes.
Below we outline the key concerns and expectations raised by the FCA in the letter:
The FCA have noted operational resilience and cyber defences as a key risk to the sector. These are also areas where the FCA have observed significant weakness at some firms. Weaknesses observed by the FCA include a lack of internal knowledge on how the systems operate, and ineffective oversight of third-party or intra-group service providers.
The FCA expect firms to prevent, respond to, recover and learn from operational disruptions and to act where weaknesses have been identified. The FCA have highlighted Policy Statement PS21/3 which sets out their final rules and guidance on building operational resilience, and comes into force on 31 March 2022.
This means that by 31 March 2022, in-scope firms must have identified their important business services, set impact tolerances for maximum tolerable disruption and carried out mapping and testing to a level of sophistication necessary to do so.
Firms must also have identified any vulnerabilities in their operational resilience. As soon as practicable after March 2022, and no later than 31 March 2025, in-scope firms must have performed mapping and testing so that they are able to remain within impact tolerances for each important business service, and must have made the necessary investments to enable them to operate consistently within impact tolerances.
Additionally, the FCA stated that if a firm suffers material technological failures or cyber-attacks, they are expected to contact the FCA promptly as part of their responsibilities under Principle 11.
Whilst the FCA acknowledged that there has been investment in CASS compliance by firms, they have observed weaknesses in change management (operational, regulatory and business), high dependence on legacy/end-of-life IT infrastructure and high levels of manual processing and controls in some cases.
The FCA have also seen instances where the root causes of issues stem from a lack of adequate CASS knowledge.
Overall, the FCA believe that the challenges with CASS compliance often have their root causes in poor governance and oversight, under-investment in systems, and failure fully to consider CASS impacts when managing change.
The FCA expect firms to take steps to deal with these challenges. Should the FCA witness firms falling below expectations, they have stated that they are prepared to use the full range of regulatory tools, including enforcement action where they identify serious misconduct.
The FCA have also stated that they expect firms to have considered and to be appropriately prepared for technological developments, such as potentially increasing use of distributed ledger technology (DLT).
In the letter, the FCA stated that they continue to observe weaknesses in depositaries’ oversight and often an absence of effective challenge of the fund manager. When this occurs, it can lead to potential harm to unitholders and investors.
The FCA also have concerns about the robustness of controls used to oversee fund liquidity, and investment and borrowing limits. Examples include a lack of holistic judgement, including a narrow interpretation of the applicable COLL rule requiring a ‘prudent spread of risk’ and the lack of policies or procedures related to it.
In order to address the above concerns regarding depositary oversight, the FCA expect firms to ensure that they are undertaking the oversight function effectively.
In order to ensure firms are meeting their oversight requirements, the FCA may seek evidence that firms have an appropriate level of access to an AFM’s operations and adequate resourcing, and may ask firms to demonstrate that they have been able to challenge AFMs effectively in investors’ and unitholders’ interests.
Speculative and illiquid investments, such as mini-bonds, are often very high risk and are unlikely to be suitable for most retail investors. These securities are not normally covered by protections under the Financial Services Compensation Scheme, may be unregulated, can have a high incidence of scams and may offer unrealistic returns.
Firms in the sector may contract with and provide services to the issuers or promoters of these products, such as trustee, safekeeping and administrative services. In some cases, FCA regulated custody and fund services firms may inadvertently provide increased legitimacy to the marketing of unregulated products. Promoters of these products may exploit the FCA badge of a regulated entity from which they are procuring services, to create false confidence surrounding a product, marketing claims or consumer protections.
The FCA have observed a small number of instances where firms have displayed a disregard for consumer outcomes in their activities and inadequate due diligence on parties with which they have contracted.
The FCA has issued a reminder that where firms are engaged in unregulated activity related to speculative and illiquid investments, they are still subject to certain relevant regulatory requirements, including specific Principles for Business. They need always to demonstrate that they are satisfying the minimum requirements for authorisation as set out in Schedule 6 FSMA.
Firms not keeping abreast of, and adequately preparing for, market developments and regulatory change.
The FCA expects firms to keep abreast of, and adequately prepare for, market developments and regulatory change. One recent change in regulatory requirements is the Investment Firms Prudential Regime (IFPR). IFPR came into force on 1 January 2022. It refocuses prudential requirements and expectations away from a sole focus on the risks firms face, to also consider and look to ensure adequate capital to manage the potential harm firms can pose to consumers and markets.