The COVID-19 pandemic has significant implications for financial services firms and the regulatory framework is working hard to limit its impact.
Paul Staples explains the emerging regulatory risks in relation to the client assets (CASS) regime, which aims to protect customers’ money and investments in the event of a firm’s failure.
Keeping track of emerging risks
For now, forget Business Continuity Plan (BCP) simulations and Financial Conduct Authority (FCA) consultation. We are in the hard reality of operational resilience. Since CASS compliance is a regulatory necessity for many firms, related activities, including those of customer-facing functions, are being prioritised over other operational areas. This extends to resource deployment (as sickness rates increase) and distribution of laptops to facilitate home-working, which is a particular logistical challenge for larger organisations. While firms themselves are best placed to determine which of their people are ‘essential’, recent FCA guidance1 has clarified that staff involved in CASS activities will likely be "key workers". This includes people involved in payment processing, cash distribution, risk management and compliance.
COVID-19 – key CASS considerations
Is CASS compliance explicit in your BCP?
Many firms have already fully or partly invoked their BCP. Maintaining CASS compliance throughout this period will be just one of a number of critical success factors.
Is your CASS committee playing an effective and agile role?
CASS committees should be assessing the emerging risks. This might include the availability of committee members (bearing in mind that senior managers will be stretched and re-assessing their priorities), the quality and timeliness of management information, and ultimately ensuring that CASS compliance isn’t compromised through this period.
What do breach trends tell you?
Firms may be experiencing an uptick in breaches and near-misses caused by working remotely or having stretched resources naturally means less control, coordination and oversight. Remote working may also put pressure on how breach data is captured, which may lead to false assurance. So, you may need to heighten oversight and monitoring across first and second-line functions. Processing delays or failings to meet operational SLAs are unlikely, in isolation, to amount to CASS breaches, unless there are broader implications, such as reconciliation errors or unresolved funding shortfalls.
Could market volatility impact your CASS compliance?
All firms are reliant on the continued stability of banking and payment systems. But market volatility might have CASS implications, such as:
liquidity of the client money pool to meet outflows, for example where unbreakable deposits are used
increasing volumes of reconciliation breaks (eg, for suspended funds) needing greater oversight
an increase in failed trades may result in greater daily funding requirements (eg, where a firm provides contractual settlement)
fluctuations in daily mark-to-market valuations to cover asset shortfalls.
Are you revisiting third-party due diligence?
Conventionally, due diligence is completed periodically, which is acceptable in normal times. Now, firms may want to have a closer eye on the stability of their third parties who hold money and custody on their customers’ behalf. And, firms may even want to increase the frequency of testing for their own CASS resolution pack.
How are your outsourced or offshored functions faring?
With around one-in-five people around the world under lockdown2, operational disruption may extend to your outsourced or off-shore servicing centres, including third-party administrators, or the firm’s own overseas back-office operations. CASS compliance is one of many important factors in assessing the resilience of these critical arrangements.
How are cheques and other postal correspondence being safeguarded and managed?
Depending on the size and complexity of a firm’s operations, the timely handling of cheques and other customer correspondence may become a logistical challenge, particularly where this requires their movement across numerous processing teams. Firms will want to make sure their mailroom is functioning well and, where possible, effectively utilise scanning software to minimise the movement of correspondence across the business.
What are the implications to your annual CASS audit?
There will be no relaxation in the level of audit evidence required3, so firms and their CASS auditor should be discussing the logistical implications of remote-working and any limitations in access to key people. Firms should explore whether their systems are set up to allow auditors to perform their testing and walk-throughs remotely, being mindful of potential constraints (such as GDPR and information security protocols).
Firms and their auditors should pro-actively engage with the FCA if they foresee any implications to the audit opinion, such as failing to meet the reporting deadline or obtaining necessary evidence of compliance.
Are you reinforcing the basics?
In uncertain times, it can be useful to re-assure staff to keep on as normal. For CASS, this means a continued focus on maintaining operational standards and ensuring the accuracy of the firm’s books and records.
Keeping standards high
CASS was designed to protect clients in the event of a firm failing, and so it’s important to ensure the regime is effectively applied in times of uncertainty, particularly under stressed conditions.
If you’d like to discuss any of these challenges, get in touch with Paul Staples.