The FCA has fined Aviva Pension Trustees UK Limited and Aviva Wrap UK Limited for failings in their oversight of providers in relation to the protection of client assets (i.e. breaching Principles 3 and 10 as well as CASS, SUP and SYSC rules). There was no actual loss of client money or custody assets.
What do we learn from this?
“… firms with similar outsourcing arrangements should take this as a warning that there is no excuse for not having robust controls and oversight systems in place … when CASS functions are outsourced. This is the first CASS case in relation to oversight failures of outsourcing arrangements and we will continue to take action against firms that fall short of our CASS Rules.”
This Final Notice can be used as a basic quick reference guide for areas to look at in a rudimentary review of outsourced arrangements and CASS compliance standards.
In summary, the FCA wants firms to:
- place appropriate controls on their third-party outsourcing providers;
- sufficiently challenge the controls, competence and resources of outsourcing providers – firms should delegate, rather than abrogate, responsibility;
- dedicate adequate resource and technical expertise to implement effective CASS oversight arrangements to ensure prompt detection and rectification of CASS risks and compliance shortfalls;
- embed proper internal reconciliation processes to eliminate mis-segregation of client assets;
- adopt a sensible approach to governance. Firms should reduce convoluted committee structures, ensure staff have adequate knowledge and expertise for their job roles, generate useful management and monitoring information, keep suitable and accurate records, and audit and spot check.
A notable point is that the CASS failings were identified in the firms’ annual external CASS audit report for a number of years but were still drawn to the attention of the firms by the FCA and a skilled person rather than through their own compliance monitoring or before remedial work was started. The importance of CASS compliance had been highlighted by the FCA both generally and through previous enforcement actions. The FCA cites these as aggravating factors that resulted in a 10% uplift being applied to the financial penalty amount (which, in this case, only reflected the FCA’s perceptions of the seriousness of the breach as there was no disgorgement since clients / the firms made no loss or profit from the non-compliance). The FCA fine was £8,246,800, following a 30% stage 1 discount. Without the discount, the fine could have been nearer £11.8m.
As the regulators have recently reminded us, the accountability regime is now in place and steps are in place to widen this across the industry. The number of individuals subject to sanction has also increased recently. It is in individuals’ as well as firms’ interests to take the FCA’s warning on board.