Operational resilience in the UK: the FCA’s strategy for custody and fund services
With new regulations having come into force in the UK on 31 March 2022, the regulatory focus on operational resilience and risk management has been put in the spotlight even more firmly, with consequences for the whole financial services sector.
In fact, a week before the new rules came into force, the Financial Conduct Authority (FCA) outlined its strategy for custody and fund services, and the requirements it sets out are broadly aligned with those that all financial services and capital markets players now have to comply with.
In its letter outlining ‘the key risks that custody and fund services firms need to manage in order to protect investors and the integrity of the markets in which they operate’, the regulator laid out the following five supervisory priorities:
Operational resilience and cyber security
Recognising that operational resilience and cyber security are key risk factors for a financial services industry that relies heavily on technology to deliver its critical services, the FCA will be seeking assurances from custody and fund services providers in those areas, namely that their IT investment is being used to reduce the dependence of critical business services on legacy technology.
Additionally, and in line with the new regulations that came into effect in March 2022, the FCA expects custody and fund services providers to demonstrate how they are mitigating risks arising from interdependent technology, lack of visibility into IT systems, or third-party dependencies. As with all other financial services institutions, the FCA expects these firms to identify their important business services, set impact tolerances and have robust testing programmes in place, ensuring they have performed all the mapping and testing necessary to stay within those impact tolerances by no later than 31 March 2025.
When it comes to cybersecurity, the FCA requires custody and fund services firms to ensure that their services are underpinned by robust security measures that protect them and their clients from data loss, theft, misuse, alteration or destruction. The firms identified by the regulator as posing a greater cyber risk are also subject to proactive technology reviews and additional firms can be chosen for ad-hoc reviews at the FCA’s discretion.
All incidents related to operational resilience or cybersecurity failures need to be reported to the FCA in accordance with the principles set out in the FCA Handbook.
Protection of custody assets and money
Financial institutions that hold or control client money or custody assets are required to follow the rules established in the Client Assets Sourcebook (CASS), which are aimed at ensuring that clients’ safe custody assets and money are protected if a financial firm fails.
Although the FCA recognises the investment made in CASS compliance by financial institutions in the sector, it has also observed persistent issues in operational, regulatory and business change management, overreliance on legacy IT systems and persistently high levels of manual processing.
Custody and fund services firms are expected to take steps to deal with those issues, not only by complying with existing regulations but also by preparing for significant technological change, which will enable them to mitigate the risks posed by digital disruption.
It is the depositaries’ responsibility to oversee the activities of fund managers and act in the best interest of fund investors. However, the FCA has continually observed weaknesses in effective oversight and has found evidence of a lack of robust controls to oversee fund liquidity, as well as investment and borrowing limits.
To mitigate the customer-facing and systemic risk posed by these weaknesses, the FCA reserves the right to ask custody and fund services firms to prove that they have appropriate access to fund managers’ operations and adequate resources to oversee and challenge them effectively, thereby protecting the interests of investors and unitholders.
Speculative and illiquid investments
Speculative and illiquid investments often pose a high level of risk and are potentially unsuitable for most retail investors. These types of investments, such as mini-bonds, are not usually covered by the Financial Services Compensation Scheme, meaning that the likelihood of scams and promises of unrealistic returns is a lot higher than with other financial products.
Although custody and fund services providers have not been found to offer or promote these products directly, they may provide services or have contracts in place with their providers, inadvertently legitimising these unregulated activities.
To tackle the small number of instances where firms in the custody and fund services sector have been found to act with disregard for consumer outcomes and a lack of due diligence when dealing with third-party providers, the FCA will examine firms that provide services for speculative and illiquid investments, as well as the firms they have dealings with.
If evidence of serious misconduct is found, disciplinary action may be taken against a financial institution or an individual to protect the interests of investors.
Market and regulation changes
Frequent market developments and regulatory changes are to be expected when operating in the financial services sector.
The FCA expects custody and fund services providers to be aware of and prepare for such changes, namely by complying with the recent Investment Firms Prudential Regime (IFPR), which came into effect on 1 January 2022. The new regime places renewed focus on managing potential risk for consumers and markets.
As firms in the sector typically rely on complex technological infrastructures to provide their services, they need to understand how future technology development may affect them, identify the risks brought by technological disruption and plan accordingly.
The FCA’s supervisory priorities for custody and fund services not only reflect the regulator’s increased focus on operational resilience and risk management but also its commitment to ensuring that financial firms are prepared for constant technological change while safeguarding the interests of consumers and the integrity of the market as a whole.