CASS Contingency
Covering the Essentials
As we adjust to what we expect will be a prolonged period of new working practices, this may be a good time to reflect on the adequacy of CASS arrangements in firms whose staff is largely working from home.
The Good News – Mostly
While the current situation is not at all what was envisaged by the rules, there is some good news. As a starting position, firms’ CASS Resolution Packs should give a good head start on the arrangements for access to data and procedures. Although one would expect an insolvency practitioner to be able to access the firm’s offices, in practice most firms have designed the content of these packs to be accessible remotely – and this includes many essential BAU items, such as the latest reconciliations and key contact details.
Of course, the access only works if links are still valid. We find that this is not always the case, as filing locations can change or link addresses fail to work, for example because file or directory names have changed. Permissions and authorised signature / reviewer lists may also need updating, to enable staff to perform new tasks or access this data who might not normally need to do so – particularly to allow remote access or if they are covering for a role other than their usual one, perhaps because colleagues are unwell. Other elements may not be accessible remotely at all, ranging from the obvious inaccessibility of physical records or assets to such items as client agreements, where it may not be considered a BAU requirement to access them remotely.
The unfortunate truth is that not all firms will survive the economic impacts of this period. The less good news is that the effort of keeping the Resolution Pack updated and functional is more important than ever, in these uncertain times. So, when firms identify gaps, we believe they should seek to address them with the same urgency as would normally be applicable, including material changes to procedure documents (which have probably been adjusted a fair amount) within five business days.
Kevin!
The question here is, recalling that moment of horror in ‘Home Alone’, have we left our (office) home and forgotten something we really need?
A few of the activities that may come into this heading:
- Picking up and banking cheques within regulatory deadlines- even if these are sent to your premises in error, rather than to your outsource provider
- Physical asset reconciliations, requiring a count of assets held in the safe
- Regulatory reporting, if the access to the system is available only from the office
There are few CASS requirements which cannot be fulfilled remotely. However, where staff would go to your offices, there is a risk that needs to be managed.
There may be a degree of regulatory leniency from the regulator – there are discussions taking place with the FCA which we hope will result in a reasonably pragmatic outcome, Whether or not this is the case, the risk must be considered against the duty of care which the firm owes to its staff and may lead it to conclude that certain breaches may be preferable to placing staff at risk. We have a few observations:
- The clock starts ticking, for prompt banking of cheques, when the firm actually receives the cheque or payable order. While this applies to any of the firm’s premises, or that of its outsource provider, there are firms whose post is currently being held for collection at postal depots. Provided the timeframes are realistic, we think that it is reasonable to take the delivery to the firm as having taken place only when the post is collected.
- The position with potential breaches, such as the inability to reconcile physical assets, merits consideration of the controls that the firm has around these items. If there is a breach of the requirement, we suggest that the firm should at least document consideration of the risks and the effectiveness of those controls which would mitigate the impact of such a breach. After all, the risk of misappropriation of the assets must be extremely small in an office which has been locked down.
- The fact that a breach is considered to be unavoidable does not stop it from being a breach. Any failure to meet the regulatory requirements should still be recorded as a breach, with the appropriate explanations and mitigations documented against it.
Flexibility and Upskilling
You may be in the fortunate position of having a large team, capable of covering one another’s roles if required. If so, you are in the minority, as most firms have limited numbers of individuals with the appropriate skills and knowledge to perform CASS specific roles, whether that is completing reconciliations or managing outsource providers. If you have outsourced, you will also be keenly aware that some critical tasks will also be dependent on resources in other countries, whose situation may be worse than in the UK. Resource planning to cover absences is particularly difficult in the CASS space, as it is a distinctly specialist area.
In order to train people in new tasks, you may need to get creative, as ‘sitting next to Nellie’ is not an option. Video conferencing with screen sharing may help, to walk staff through processes with which they are less familiar. However, one thing which will really help is well written procedures, which make it clear, not just how to perform the task but also:
- What the CASS requirements are, which are to be met by this procedure
- How the procedure fits in with other processes in the chain
In our experience, procedures are often unclear and outdated. This would be a good time to give them an overhaul, if you can.
If you are part of a larger group, with more than one CASS regulated entity, you might consider using their staff to support any gaps in resourcing as we weather the storm. If that is the case, we recommend that you put into place an agreement which covers this, as it is an outsource arrangement, and have appropriate management of that arrangement (commensurate with the fact that this is an intra-group arrangement).
There are also courses and refreshers available online, to increase the skills of staff and introducing them to the key requirements. These may be from your own training package or external sources, such as the CISI or TISA. We are happy, too, to offer support by answering specific questions, free of charge, as explained below.
The New Normal
While there may be breaches that are considered to be unavoidable in the short term it would not be safe to assume that breaches will continue to be forgiven if the situation persists. We have all been given indications that life will not return to ‘normal’ for a few months yet, so planning starts here, albeit in the face of uncertainty.
Firms should be working to adjust processes to accommodate all of the CASS requirements as far as possible. For example, can physical assets or systems which are currently held in Central London be moved to a lower risk location, which would reduce the risks for staff travelling to perform the task? Can staff from other areas of the business be trained to cover appropriate tasks, where their own roles are now less busy? Is it the right time to train more people to cover the key requirements – and have you identified what these are?
In the longer term, we are hopeful that the flexibility, skills and resilience of the industry will ensure it is able to rise to these challenging times. There is a lot to tackle, but as we help one another by sharing knowledge and skills, the protection of client assets will remain robust.
If you’d like to talk to us about how we can support you through this period, or would like us to answer a CASS question, do get in contact through our contacts page or email enquiries@walbrookpartners.co.uk. We will do our best, based on our extensive knowledge of CASS and any information you provide.