The FCA has written to CEOs at custodians, fund depositaries and third-party administrators to highlight key risks which those firms need to manage.
One concern is compliance with the FCA’s CASS rules on protecting custody assets and client money. According to the letter, challenges with CASS compliance often have their root causes in poor governance and oversight, under-investment in systems, and failure to fully consider CASS when managing operational, regulatory and business change. The FCA warns that firms will be subject to significant ongoing supervisory engagement on CASS.
Another major concern is the threat of operational disruption and cyber attack. The FCA says it may seek assurances and evidence from firms that their investment in operational resilience is sufficient. Firms can expect to be quizzed about the levels of interconnectedness between systems, including oversight of third-party providers. New rules on operational resilience start to take effect on 31 March 2022.
Business models in this sector rely heavily on technology. The FCA expects firms to prepare for risks to their business model that could be caused by distributed ledger technology (DLT).
The letter also calls on depositaries to improve their oversight of fund managers. According to the FCA, depositaries should be able to show effective challenge of the fund manager in the interest of investors and unitholders. Inadequate oversight of business linked to high-risk investment products is also flagged as a key area of potential harm to customers. Responding to this will be particularly important in the context of the Consumer Duty.
Looking ahead, firms can expect the FCA to ask about what they have done in response to this letter.