The FCA has fined Aviva, the UK insurance group, £8.2 million for failing to have appropriate controls over its outsourced service providers. According to the FCA’s press release, the fine would have been even larger at £11.8 million but for a 30% discount due to Aviva for agreeing with the FCA to settle at an early stage.
The case related to a number of FCA Handbook breaches between 1 January 2013 and 2 September 2015, including breaches of Principles 3 and 10, the Outsourcing Chapter of SYSC and the Client Assets Sourcebook (CASS)—rules which apply whenever a firm holds or controls client money or has custody assets as part of its business. Two Aviva group companies, Aviva Pension Trustees UK and Aviva Wrap UK had outsourced the administration of client money and external reconciliations in relation custody assets to third party administrators (TPAs). In what is the first CASS case in relation to oversight failures of outsourcing arrangements, the FCA found that the Aviva companies had “failed to put in place appropriate controls over … [the TPAs] … to which they had outsourced the administration of client money and external reconciliations in relation to custody assets … [resulting] in Aviva failing to sufficiently challenge the internal controls, competence and resources of their TPAs.”
The FCA also found that Aviva:
- had failed to “dedicate adequate resource and technical expertise” needed to implement effective CASS oversight arrangements, which included only infrequent internal audit reviews, meaning that detection and rectification of the CASS risks and compliance issues had been delayed;
- had deficiencies within its internal reconciliation process resulting in the under- and over-segregation of client money—a breach of rules designed to ensures that client money and custody assets are ring-fenced in the event of the insolvency of the firm; and
- was unable to meet its CASS Rules obligations such as submitting accurate Client Money and Asset Returns, and maintaining an adequate CASS resolution pack.
Even though there was no actual loss of client money or custody assets, the FCA considered the breaches to be serious—“the rules are designed to be preventative and had Aviva suffered an insolvency event during the period, customers could have suffered loss due to Aviva’s non-compliance…”
As the FCA’s Final Notice dated 5 October 2016 points out, outsourcing arrangements in relation to purchases and sales of investment fund interests for clients are common in the asset management industry, with TPAs performing a range of back office activities such as cash and transaction processing, settlement, record keeping, reconciliations and other CASS compliance functions. And with firms being “one step removed” from CASS operations in such circumstances, it is incumbent on them to ensure that they have “robust controls and oversight systems in place to monitor and identify any issues arising with the TPA’s performance of the CASS functions for which the firm remains fully responsible.” Firms outsourcing CASS functions must also ensure that they have adequate CASS-related skills, expertise and resources as needed to effectively oversee their TPAs.