In the years since the Lehmann collapse there is no doubt that firms have been heavily focussed on CASS compliance, particularly on operational detail and accuracy.But this week's record CASS fine is a reminder of the critical need to understand, assess and verify the legal and contractual architecture underpinning those processes; and to develop and maintain strong

Many firms across the industry have invested significantly in resourcing their operations around the FCA's Client Money and Assets (CASS) rules on systems and controls. There has been a focus on the sophistication and modernity of operational technology, the rigour, accuracy and interconnectivity of operational processes, and the granularity and reliability of record-keeping. That work has helped firms to ensure that reconciliations of client money and assets can be completed accurately and on time, and that discrepancies can be identified and addressed.

It is easy to lose sight of the legal analysis with the accretion and globalisation of business models through the growing size and complexity of a business; through changes to group structure and management; and not least through the complexity and opacity of some of the CASS rules.The risks for firms of not applying a legal lens to certain aspects of CASS can be serious: existing embedded errors might not be identified, and the December 2014 and forthcoming June 2015 changes to the CASS rules (including on contractual terms) might not be implemented correctly, comprehensively or on time. The impact of these risks materialising is intensified for those individuals at firms affected by the forthcoming Senior Managers Regime and the ensuing presumption of responsibility against senior managers with responsibility for CASS.

This briefing aims to provide some practical insights into the legal and contractual issues identified by the Final Notice published on 15 April 2015 against two subsidiaries of Bank of New York Mellon Group (which subsidiaries will be referred to in this briefing as the Firms). We also set out some steps you can take to begin to health-check compliance in these areas.

  1. Lessons from the Final Notice

Yesterday's FCA fine against the Firms addressed three core areas of client asset (as opposed to money) compliance within CASS 6:

Legal entity identification

It appears from the Final Notice that the wider custodian Group had consolidated records of assets held for customers, butthose records did not state which legal entity (i.e., the specific company incorporated within the Group) held the assets on behalf of the customer. Whilst assets may in fact have been held with the correct legal entity, there was insufficient internal andexternal record keeping about this. This structure may have been adopted because the wider group organised itself along product and services lines on a global basis, and the Final Notice observed that there was insufficient focus on the UK's CASS requirements as distinct from those of other regulators.There are compliance, risk, customer service and other business efficiencies in working along these business lines: but CASS compliance mandates a legal entity analysis.

CASS 6.5.6R (and indeed, the rest of CASS 6.5, which deals with firms' records and reconciliations of assets held for clients), requires that internal reconciliations be undertaken on a "firm" basis:A firm must conduct on a regular basis, reconciliations between its internal accounts and records and those of any third parties by whom those safe custody assets are held.

"Firm" is defined in the FCA Glossary as "an authorised person" – meaning a natural person, legal person or partnership. For relevant purposes therefore, the CASS rules apply to the individual legal entity permitted to hold client money and assets (the Firm as set out in the rules), and it is not sufficient to record custody of assets for customers on an overall business unit or group level.

CASS 6.5 does not expressly state that the firm must divide up its reconciliations into those assets held by it as opposed to other group entities whose business is conducted alongside the firm.A legal analysis alongside a purposive interpretation of the rules helps to provide clarity that the text may lack: the fundamental purpose of the asset rules is to ensure that where an individual legal entity becomes insolvent, it is clear what assets are held by that specific entity and on behalf of whom, since insolvency procedures apply on a legal entity basis. In order to achieve that clarity, the reconciliations must be able to distinguish which legal entity holds each asset.

This legal entity oversight led to the following other issues highlighted in the Final Notice:

  • external reconciliations (with sub-custodians and other third parties as well as group affiliates) were not conducted on an entity-specific basis, focussing instead on reconciling assets held on behalf of clients by the Group as a whole;
  • there was no entity-specific process in place prior to July 2012 to identify external reconciliation discrepancies and which individual legal entity was responsible for them. As a result, the Firms did not demonstrate compliance with the requirement in CASS 6.5.10R for the individual Firm to correct such discrepancies;
  • the CASS resolution pack and Client Money and Assets Return were also consequently inaccurate.

Customer contracts

In a complex trading environment in which intermediaries such as market makers as well as general market demand can impact on the timing of delivery and settlement of different types of stock, an omnibus account system can give rise to what is often known as "cross-funding" of client assets. This can arise, for example, where sale trades on behalf of customers are settled or netted off using other client's assets, perhaps because ownership in the asset has not yet passed to the seller.

In these circumstances, firms must have express prior consent (usually in the form of a contract clause or side letter) from each client whose assets are affected, permitting the use of their custody assets for these purposes and setting out the terms of such use. For some clients in respect of whose assets cross-funding occurred, the Firms did not have contractual terms in place permitting such use.

Governance and oversight

CASS 6.2.2R contains a general obligation on firms to put in place adequate organisational arrangements to oversee safe custody asset arrangements. The FCA criticised the Firms for having no committees specifically dealing with CASS issues prior to June 2011, and for not having "accountability matrices" for CASS roles during the Relevant Period and job descriptions referring to CASS responsibilities prior to 2011.There is also a general criticism in the Final Notice that the second line of defence aspects of CASS oversight were not sufficiently proactive; and that the third line of defence did not have a CASS- specific remit.

Finally, the Final Notice observed that the Firms did not ensure that employees with operational or oversight responsibility received CASS-specific training prior to March 2012.

Although there are no detailed governance requirements set out in the CASS rules, the Final Notice is an example of how FCA's enforcement actions (and its monitoring of firms) have recently become more focussed on the level of detail and effectiveness of CASS governance arrangements in line with general SYSC governance expectations - including committee oversight, MI and training.

  1. The Senior Managers Regime

It is timely for the senior management of firms to reflect on whether their CASS systems and controls could be inadvertently making these, or similar, matters to go undetected: not just because the FCA considered the Firms' failure to self-identify the issues to be an aggravating factor in the size of the fine, but also because in March 2016, the Senior Managers Regime will come into force for banks.Under the regime, the CF10a controlled function (whereby an individual at the firm takes responsibility for CASS compliance) will be replaced by the requirement for a Senior Manager to take responsibility for "the safekeeping and administration of assets of clients" (which the FCA draft guidance at SUP10C Annex 1R confirms includes CASS oversight).The CF10a responsibility will remain in place for firms not subject to the Senior Managers Regime.

Senior Managers will be subject to increased exposure to enforcement action because the legislation underpinning the Senior Managers Regime imposes a presumption of responsibility on the part of a Senior Manager for failings in a business area for which he or she is responsible, where the FCA brings a successful enforcement action (or settlement) against a firm. In these circumstances the relevant Senior Manager will be deemed personally guilty of misconduct, unless he or she can show theytook reasonable steps to avoid the firm's breach. In the case of CASS breaches, the FCA may focus enforcement on the Senior Manager with CASS oversight – but might also choose to consider an investigation against those with related responsibilities, such as overall compliance oversight.

The SMR burden generally, and FCA's expectations around CASS governance, have two key incentivising effects for firms and their future Senior Managers:

  • To put in place strong strategies, processes and record keeping to demonstrate what steps they take to supervise, delegate, and monitor effectively CASS compliance; and
  • To identify and resolve any pre-existing CASS weaknesses early into their tenure as a Senior Manager.
  1. What steps can be taken to verify compliance with these legal requirements?

The CASS rules continue to present challenges to firms seeking to apply their general provisions into operational practice. The rules can, in places, be vague and how to implement them in practice can be unclear.We have set out below just some of the steps that can be taken to test and manage compliance with the elements of CASS compliance that require a legal and contractual analysis. They might help firms and individuals to begin to evidence that reasonable steps are being taken in respect of these aspects of CASS compliance.

Legal structure

From the highest level down, it is essential that records and reconciliations record assets and client money to the correct legal entity which has contracted with the client.Firms should consider demonstrating consideration and verification on:

  • Which legal entities interact with customers; which have contractual relationships with them; and which hold their assets;
  • How a record of which entity holds each asset can be made, and the impact on this of having sub-custodians.
  • How the chain of custody, and the records of which customers assets are held for, is affected by the use of sub-custodians.

Contractual terms

Consider:

  • At the highest level, does the contractual relationship with each customer match which entity custodies the assets?
  • Is there a robust repapering arrangement and an accurate record of which terms of business govern which client relationships?
  • Could terms of business be enhanced to afford better protection for the firm and clearer information to customers?
  • For institutional clients, are there controls to ensure that bespoke negotiated changes to terms of business do not inadvertently infringe CASS requirements?
  • What is the legal impact of any lien clauses in agreements in favour of sub-custodians and do they meet the permitted exemptions in the CASS rules?
  • Can you evidence comprehensive implementation of the latest CASS rules Policy Statement amendments on the contents of contractual documentation or consents from clients?

CASS governance and oversight

  • Consider a dedicated committee; its terms of reference, agenda and the content of minutes.Are they granular?Do they show challenge, progress and closing of issues? Do they demonstrate follow up?
  • Is there a map of CASS responsibility and delegation, including a responsibility matrix?Does it match role profiles and job descriptions?
  • Can oversight demonstrate delegation?
  • Are CASS policies reviewed regularly?
  • Is there a regular CASS training programme for both front line and compliance staff?

These lists provide a starting point for reviewing those aspects of CASS compliance in the legal and governance areas highlighted by recent FCA fines.No doubt the FCA will continue to be vigilant on CASS compliance, and the March 2016 commencement of the Senior Managers Regime will raise the stakes for senior individuals. In managing these risks it is worth giving consideration to how to utilise internal and external legal resource to provide (legally privileged) advice with a fresh look and critical eye on some of the trickier legal, contractual and governance issues associated with CASS.