There appears to be a plethora of headlines so far this year with a common theme – 2018 is the year of regtech, fintech, the year of digitisation and technological revamp. According to the Chinese calendar, it is in fact the year of the Dog. The Chinese Horoscope for 2018 predicts that this year, of the Brown Earth Dog, is going to be a good year in all respects, but it will also be an exhausting year. You will be happy, yet frustrated, rested, yet tired, cheerful, yet dull.
This may just about sum up how many feel about the continued focus on the Client Assets Sourcebook (CASS). 2018 will see the ten year anniversary of the collapse of Lehman Brothers, and let’s remember that the Financial Conduct Authority (FCA) used reference to Lehman Brothers in PS14/9 (Review of the client assets regime for investment business) when putting into context its increased focus on client asset protection. This included the creation of the Client Assets Unit at the FCA, enhancing auditor reporting and creating the CF10A function.
So what really has changed and what challenges can firms expect to face in 2018?
A good place to start is the CASS audit. The Financial Reporting Council’s (FRC) enhanced assurance standard will continue to be a focus, as the intention of CASS auditors this year is to increase scrutiny in the area of IT and systems controls, with some suggestion that this scrutiny will extend down to the level of code itself. Indeed, the approach being taken by auditors in assessing CASS compliance is still considered to be a moving target as their approaches evolve.
Costs vs. benefits
Some firms feel that the costs incurred from the enhanced audit regime has outweighed tangible benefits, and that the ongoing cost of the CASS audit is not sustainable. This appears somewhat contradictory to what the FCA and FRC are trying to achieve. The FCA’s aim is to drive up client protection, ensure better record keeping and retention, so that firms can prove that they are in control. The FRC recognise the importance of effective safekeeping of custody assets and client monies, and the associated significant public interest. Have additional costs and resources been applied in the right direction to satisfy audit requirements? Would that time, money and effort have been better spent by firms on business as usual activities such as strengthening procedures, mitigating risks, eradicating spreadsheets and manual processes, so that data integrity and robust CASS control regimes prevail?
Aside from costs versus benefits, there still appears to be some levels of discomfort that auditors themselves do not necessarily have the operational or industry experience to be able to conduct the enhanced CASS audit. Best left for firms and auditors alike to ponder that thought on their own.
What we do know
The fallout of the first round of CASS audits from 2017 will see firms undertaking remedial work to ensure a return to an unqualified audit opinion. Will the FCA start visiting firms who had qualified or adverse opinions last year? Only time will tell, but the continuation of less than favourable audit opinions are more likely to pique the FCA’s interest.
Senior managers and certification regime
Ten years on from the Lehman Brothers collapse, and the question remains as to what is really going to make the difference and truly drive up client protection once and for all? The CASS rule book has been rewritten, CASS audits have been toughened up, and so will the Senior Managers and Certification Regime (SMCR) seal the deal? Or is the SMCR setting out what should have always been in place – in essence a culture of responsibility and accountability?
The SMCR was introduced in the banking sector in 2016 to address misconduct, which saw fines and redress costs of £35bn in the UK alone since 2009. Headlines continue, and less than two weeks into January 2018 the FCA have already raised areas of serious concern after carrying out a review of the contracts for difference (CFD) market.
The extension of the SMCR to cover all Financial Services and Markets Act 2000 (FSMA) authorised firms to hold individuals responsible for CASS failings.
There is no time to delay with the SMCR, even though it is now not expected to come into force until 2019. It is about truly understanding your business, the needs of your business and your customers, and making sure you have the right people in the right roles with the necessary skills and qualifications to ensure you are in control and truly protecting clients’ assets.
What do firms need to achieve
Firms do now appear to be embracing the need for automation in the CASS space. Having the ability to integrate reconciliations to errors and breaches logs and to rules and control mappings, is one area that can have significant benefit in identifying where internal controls are not working as expected or are not working at all. Longer term remediation, which was previously precluded due to a myriad of manual processes, can be now identified in a more timely manner to mitigate the risk of breaches occurring.
As the wealth management sector groans under the weight of regulatory challenges, it is worth mentioning that the insurance sector remains unscathed from a re-write of CASS 5 (Client money: insurance mediation activity). CP12/20 (Review of the client money rules for insurance) was put to bed by the FCA almost 18 months ago. However, SMCR is expected to be brought into force in late 2018 ahead of investment firms. Insurance firms are also subject to the FRC’s enhanced audit regime, and have to have well documented internal controls in place that can be shown to be working effectively. Perhaps they have not come off quite as lightly as first thought.
2019: The year of the pig
Is there light at the end of the tunnel? 2019 will be the year of the Pig, a joyous year, with an atmosphere of relaxation and where well-considered actions will be rewarded. Perhaps all that hard work will finally pay off!