Are you a Control Freak? – Managing Outsource Providers
Calling someone a control freak is generally considered impolite. At least, that’s what I always tell people. While telling others what to do is an important management skill, we’re expected to exercise more subtlety and sophistication in getting what we require. When it comes to the relationship between firms and outsource providers of CASS related processes, though, the FCA seems to expect a far more robust exercise of power and control than was previously the norm. In some cases, the level and scale of CASS oversight demanded by the regulator seems to us to raise the question of whether you might as well do it yourself.
Having said that, we have seen plenty of examples of outsource provider oversight that fall into the category of blind faith and ignorance: firms that do not understand the processes the provider follows and do not question any proposed changes. We are confident this isn’t what the providers want, let alone the FCA. So it may be worth looking at what the rules say more generally about the management of outsource providers, and considering what this means for the oversight of compliance with the client money and asset rules.
The oversight rules handed down from MiFID reside in SYSC 8.1. In summary, they concern the oversight of operational functions which are critical to the performance of regulated activities, listed activities or ancillary services, so as to ‘avoid undue additional operational risk’. CASS related activities certainly fall within the scope of this requirement, so firms must take reasonable steps to achieve that objective on a ‘continuous and satisfactory basis’.
Looking at each of the key requirements, the translation from generic to CASS requirements might include the following:
> Effective processes to identify, manage, monitor and report risks and internal control mechanisms.
In the context of CASS, this starts with assessing what the risks are. The FCA’s expectation and the more explicit requirements of the new audit standards are that firms should have and maintain a CASS specific risk register. The firm must be able to describe what the key risks are in the operation of the CASS processes provided and what steps it has taken to mitigate these, regardless of whether these are performed by their provider or themselves. Then prove that the mitigation works.
> The ability, capacity and authority of the service provider and its staff to perform the functions.
This underlines the need for a potentially difficult discussion to agree remediation actions if the outsource provider’s staff are not meeting the standards you would expect. Consider, for example, whether you have sufficient information to enable you to identify whether the root cause of reconciliation discrepancies is human error. How are the staff trained in CASS requirements and how often is their knowledge refreshed and assessed – and is this evidenced?
> Effective carrying out of the services, with monitoring to assess their standard.
One positive sign would be if service level agreements and KPIs are aligned to regulatory requirements. Does the CF10a and/or the CASS committee have a comprehensive dashboard which enables them to get a clear picture of the service provider’s performance in addition to the firm’s compliance with the CASS rules?
> The obligation of the service provider to properly supervise the carrying out of the outsourced functions, and adequately manage the associated risks.
This requirement is around the provider’s management of the process, which would suggest there is a problem if you pick up any issues before they do. Assessment of discrepancies and their causes should give you comfort that the tasks have been supervised effectively, not just carried out by rote without adequate checking and challenge by the provider. Management of discrepancies should also show that root causes have been identified and addressed.
> Action to address any shortcomings of the provider’s services.
Here’s where we repeat our mantra that, as far as the regulator and auditors are concerned, if you can’t prove it, it didn’t happen. Evidence that anything picked up in the oversight process has been escalated and resolved is essential. More than this, though, it requires the firm to be seen to be exercising real control over the broader issues such as change management or the resolution of systems issues. This can be tough when a small client is using a hefty supplier, but using that as an excuse simply won’t wash.
> Retention of staff expertise within the firm, to carry out supervision and management of risks.
This is an area of significant concern for the regulator, as noted above. It is essential to equip oversight staff with the specific knowledge of the supplier’s processes, but also broader knowledge of the CASS requirements if they are to do their jobs effectively. Keep in mind, too, that relying on Compliance staff to cover gaps in this knowledge will destroy the firm’s three lines of defence model.
> Disclosure by the service provider of any development with a material impact on its ability to perform the delegated functions effectively and in compliance.
If the supplier has a systems issue, how soon do they tell you and how clear is their information? As CASS is such a time critical function, this is a particularly relevant requirement for those needing to get reconciliations and funding completed within tight deadlines each day.
> Arrangements for termination of the outsourcing without detriment to the continuity and quality of its provision of services to clients.
Speaks for itself – but isn’t often adequately covered.
> Business continuity plans are adequate, including periodic testing.
Hopefully an adequate and periodically tested plan is already a standard provision of current contracts, but the firm’s own planning also needs to cover the scenario the supplier’s BCP cannot: what will the firm do if the supplier goes out of business?
> Co-operation, including right of access by the firm, its auditors, the FCA and any other relevant competent authority to relevant data, as well as its business premises.
We’ve seen significant changes in this area in recent years; however, it can still be tough to get agreement from the supplier to access their ‘shop floor’. Sometimes, though not always, this is justified under the final – and self-explanatory – requirement…
> Confidentiality of firm’s and clients’ data
So, the SYSC rules, when read across to CASS oversight, do seem to require an element of control freakishness to be evidenced in the relationship, notwithstanding the fact that productive partnership is often seen to be the optimum solution. The question is, how to balance the need for robust, effective and well evidenced management of your supplier, as required by the regulator, with a good relationship based on partnership and well aligned objectives?
If you’d like to discuss your outsourcer oversight processes with us, we’d be delighted to have a chat. We can review these and/or provide training to boost your staff’s knowledge of the CASS related processes they are overseeing. Please contact us through our Contact page.