Europe: FCA Challenge to UK Fund Service Providers
By: Andrew Massey and Melissa Vance
Fund managers can expect changes to custodian and other fund service provider practices in response to regulator challenge, and should review their due diligence of service providers.
In a letter dated 23 March 2022, the FCA instructed the Chief Executive and Boards of third-party custodians, depositaries for authorised and non-authorised funds, and third-party administrators to review key risks identified by the FCA, including the following:
- Cyber controls: Having observed significant weakness, the FCA expects fund service providers to invest to ensure critical services are not too heavily reliant on legacy technology. The FCA may seek evidence that investment programmes are sufficient.
- Client money and assets (CASS): CASS will be subject to significant ongoing supervisory engagement by the FCA, which has observed weaknesses in change management, high dependence on legacy/end-of-life IT infrastructure, and high levels of manual processing and controls. The FCA’s view is that CASS compliance challenges have their root cause in poor governance and oversight, under-investment in systems, a failure to fully consider CASS impacts when managing change, and in some cases, a lack of adequate CASS knowledge.
- Depositary oversight of authorised fund managers (AFMs): The FCA confirms that it continues to observe weaknesses in depositaries’ oversight and often an absence of effective challenge of AFMs. The FCA may seek evidence that depositaries have an appropriate level of access to AFMs’ operations, adequate resourcing, and may ask depositaries to demonstrate their effective challenge of AFMs.
A theme throughout the FCA letter is under-investment in technology and resources. As part of their initial and ongoing due diligence of service providers, fund managers should consider the technology, people and processes that underpin the delivery of critical services, and seek assurances regarding service providers’ investment programmes. Due diligence should specifically consider operational and cyber resilience, and where relevant, CASS controls.