Governance and Oversight of delegated CASS activities: practical considerations
04 March 2019
In December, we blogged about the delegation of governance and oversight of CASS activities, where we looked at the key requirements and challenges faced by firms that outsource CASS activities.
Below we highlight some of the more detailed common observations from our interactions with firms in relation to outsourcing or offshoring to other parties.
Common observations in the market:
- Outsourcing is often arranged at the line of business level to provide services to multiple regulated legal entities within a group. This creates challenges for each regulated entity to demonstrate appropriate monitoring and oversight of the outsourced arrangements (e.g. contracts and service level agreements - ‘SLAs’) and the service delivery for that entity.
- Firms treat their internal and external service providers differently and often perform more rigorous oversight and monitoring of external parties than of intra-group arrangements. The contracts or SLAs with internal providers are often incomplete or even non-existent.
- Key CASS clauses are sometimes missing from agreements. These initial omissions then go unnoticed when agreements are filed away and forgotten, without regular reviews/updates to ensure that all the clauses are included (e.g. a missing contingency clause, access rights for auditors, clauses relating to the CASS activities being carried out under the services, and updates that are not made in relation to new systems, new regulations or firm policies).
- The FCA often considers service providers to be an extension of the firm (with compliance remaining fully with the firm). It is therefore important that the provider aligns with the firm’s core culture, has appropriate training and is held accountable to the same standards. To make sure the right level of oversight can be demonstrated, it is important to include these activities in regular inspection programmes by management, compliance and internal audit, but often this isn’t the case.
- SLA clauses within these arrangements sometimes do not align with the individual firm’s interpretation of the CASS rules. This can mean that incidents which would then be reported as breaches of the CASS rules are not logged with the firm. Establishing a clear view of what constitutes an incident, so that the firm can form a view on whether it leads to a breach, can be a detailed and complex exercise in practice, particularly where service providers are performing similar services for multiple clients or where offshoring centres provide similar services to multiple locations with different rule sets.
- The CF10a cannot always demonstrate an appropriate understanding of the outsourced/offshored arrangements and the firm’s oversight of these.
Focussing on the areas above will go a long way to resolving many of the issues that we see in practice.