Do you get that sinking feeling when the CASS audit is approaching? Are you uneasy about loose ends? Do you think ‘oh no not again’?
Here we are 10 years on from the financial crisis, the subsequent collapse of Lehman Brothers and the focus on CASS has not waned – in fact it remains high on the regulatory agenda.
Why is this the case? Why is CASS not perceived to be a well embedded regulation and why does it continue to draw attention? If it was well embedded, surely PS14/9 and the FRC’s enhanced assurance standard would not have materialised.
Perhaps in an attempt to answer the question, we need to think what CASS really means. One word that could be chosen to sum up the regulatory requirements is ‘control’. CASS requires firms to be in control and truly protecting their clients’ assets, closely followed by two more words – ‘data integrity’ which lends itself to the FCA’s desire for firms to have better record keeping and record retention.
Why then do firms still rely on manual processes and spreadsheets to fulfil their CASS obligations?
Control and data integrity
To put this into context, and as an avid pilot, let us consider an aviation analogy. Picture the Airbus A380 aircraft which has a list price of approximately £325m. Picture now the flight deck of the A380 which has a vast array of data, displays and systems all of which have to be integrated, as well as being fully understood and continually monitored by highly trained pilots. The complexity required to keep this aircraft in flight and all those on board safe is a somewhat overwhelming situation. A key aspect to achieving safe flight is that data is managed and controlled in an extremely efficient and effective manner to ensure that a well-controlled environment ensues. Should adverse conditions arise, the pilots have the necessary information to decide on what corrective action is needed in order to return to stable flight in a timely manner. The A380 fleet makes over 300 flights per day, with an aircraft taking off or landing somewhere in the world every two minutes - quite staggering statistics. In summary, there is a very good reason the A380 relies on state of the art technology to allow pilots to focus on the salient risks at any point during a flight.
Think now of a medium CASS firm which holds upwards of £1m client money and/or upwards of £10m safe custody assets, or indeed a large CASS firm which holds over £1bn client money and/or £100bn safe custody assets. The same data principles need to apply – data needs to be managed and controlled in an effective and efficient manner to ensure that client assets are kept safe. Should operational issues arise, data of sufficient quality and granularity needs to be readily available in order to make the correct decision to avert a near miss or a breach. In the UK alone, investment businesses hold more than £100bn of client money and £11trn of custody assets.
Following the analogy, it would stand to reason that the data functionality and capabilities within the investment management industry should be state of the art. Continually having to manually process millions upon millions of pounds worth of client assets, relying on spreadsheet data and manual reconciliations does not stack up. The requirement to protect client assets has not changed over the last 10 years – it was in place when Lehman Brothers collapsed and remains today.
It goes without saying that data is fundamental to a business, and many firms are now being forced to take a long hard look at their data management processes in an attempt to alleviate their perceived CASS burden. There are countless headlines and articles on innovation in respect of processing, managing and working with data, and many firms are now considering or already embracing the use of technology.
Strong signals are also coming from the FCA in terms of the development of potential solutions to meet regulatory requirements, this has been highlighted via the FCA’s Tech Sprints which are held by their RegTech team.
The Tech Sprints are a meeting of minds between financial service providers, technology providers and SMEs, and the intention is to discuss and develop potential solutions to solve regulatory challenges. The RegTech team’s latest call for input ‘using technology to achieve smarter regulatory reporting’ is still open for comment, but the title alone highlights the FCA’s intentions. To date there have been 4 Tech Sprints, with the most recent considering the potential for machine-executable reporting regulations. It is also worth mentioning that one of the events saw approximately 100 developers from across 30 organisations taking part. Looking ahead to the next Tech Sprint, it is going to be on anti-money laundering and financial crime, and the most salient point to note is that it is expected to include participation from international regulators. This strongly signals that regulators are committed to the use of technology.
The way forward
Banishing spreadsheets from your CASS framework must be the way forward – spreadsheets are not auditable, they are wide open to manual intervention and human error, have volume limitations and are prone to versioning and multi-user issues.
Tougher CASS audits are here to stay, with a focus on controls and systems. Data quality, with granular, transaction level reporting capabilities is a must to ensure you are in control and truly protecting client assets. Without this, data quality issues are typically masked as they are hidden in aggregations and so control is instantly lost.
The Senior Managers and Certification Regime (SMCR) is less than a year away for the investment management industry lending further credence to the unavoidable truth. You have to understand your business, the needs of your business and your customers and how the CASS rules apply. You have to make sure you have the right people in the right roles with the required skills to meet the regulatory requirements, otherwise you as an individual within a firm could be held responsible for CASS failings. Fundamental to this is having the right tools in place – the right data management processes and controls.
Looking back over the last 10 years, the CASS rule book has been re-written, CASS audits have been tightened and so will the SMCR seal the deal? Or is the SMCR setting out what should always have been in place – a culture of accountability and responsibility?
Only time will tell, but the more control and better data integrity you have in respect of CASS, the better position your firm will be in. The choice is clear, an Airbus A380 or a paper aeroplane - no comparison.