“Dear CEO” letters issued by the UK’s Financial Conduct Authority (FCA) rarely make for enjoyable reading – as the asset management industry can surely attest – having been on the receiving end of several brusque missives over the last few years. In late March 2022, it became the turn of the custody and fund services sector to face the FCA’s opprobrium in one of the regulator’s latest communique. The FCA outlined four principal challenges facing fund servicers – all of which could have serious downstream consequences for asset managers and asset owner clients.
Cyber controls in need of improvement
Chief among the FCA’s priorities were operational resilience and cyber-security, which the regulator identified as being areas of weakness at some firms. “The levels of interconnectedness between systems, lack of internal knowledge on how the systems operate, and ineffective oversight of third party or intra-group service providers can all threaten resilience. These are areas where you can expect questioning on how risks have been mitigated,” according to the FCA’s letter.
The FCA reiterates that asset servicers hold sensitive investor data, stressing this information should be safeguarded by robust security measures. The FCA also highlights that asset servicers, where controls have been found wanting, are currently being subjected to heightened technology reviews.
Protection of Client Assets and Money
Although the FCA notes that providers have invested heavily into facilitating CASS (Client Assets Sourcebook) compliance, it says there are deficiencies at firms in terms of their change management; dependency on legacy or end of life IT infrastructure; and high levels of manual processing.
“We think that challenges with CASS compliance often have their root causes in poor governance and oversight, under-investment in systems, and a failure to fully consider CASS impacts when managing change. We have seen cases where the root causes also include a lack of adequate CASS knowledge,” says the FCA.
Depositary oversight requires remediation
Entrusted with overseeing asset managers’ operations (i.e. cash flow monitoring, compliance with investment mandates, service provider oversight etc.), depositaries are a vital investor protection tool. Despite these critical responsibilities, the FCA criticised depositaries for having inadequate oversight processes in place and failing to properly challenge fund managers when needed.
“This can lead to potential harm to unitholders and investors. We also have concerns about the robustness of controls used to oversee fund liquidity, and investment and borrowing limits. We have seen examples of a lack of holistic judgements in these areas, including – for example – a narrow interpretation of the applicable COLL rule requiring a ‘prudent spread of risk’ and the lack of policies or procedures related to it,” adds the letter.
Be wary of speculative and illiquid investments
Although the FCA said it was not presently aware of any fund services providers manufacturing or promoting speculative or illiquid products (i.e. mini-bonds), the regulator warns “firms in this sector may contract with and provide services to the issuers or promoters of these products, such as trustee, safekeeping and administrative services. In some cases, FCA regulated custody and fund services firms may inadvertently provide increased legitimacy to the marketing of unregulated products. Promoters of these products may exploit the FCA badge of a regulated entity from which it is procuring services, to create false confidence surrounding a product, marketing claims or consumer protections,” it says.
The FCA warns there have been instances of providers displaying “a disregard for consumer outcomes in their activities and inadequate due diligence on parties with which they have contracted”, adding it will take action against organisations when serious misconduct is suspected.
Why fund managers should care
Although this “Dear CEO” letter does not apply to fund managers directly but rather to their asset servicers, the industry should take note of its contents. Engaging with poor quality providers (i.e. a depositary who does not flag problems or an administrator with lax cyber hygiene policies) can have adverse consequences for fund managers together with their investors. In addition, boutiques – including IIMI members – should be wary of being locked into asset servicer relationships– where higher service costs do not necessarily reflect a reinvestment in systems and security processes.