But for the grace of God? BoNY Receives Record Fine for CASS Breaches
On 14 April 2015, the FCA published its final notice fining The Bank of New York Mellon London Branch and the Bank of New York Mellon International Limited (together, “BoNY”) a total of £180 million (reduced to £126 million on account of early settlement) for failure to arrange adequate protection of safe custody assets as required by Principal 10 of its Principles for Business.
BoNY’s fine relates to breaches of the FCA’s Custody Rules in the period from 1 November 2007 to 12 August 2013. It is the largest fine ever levied by the FCA for client money failings, eclipsing the £38 million paid by Barclays in September 2014 and the £33 million enforced against JP Morgan in June 2010.
The Facts and the Fine
The FCA’s analysis of the case does not make for good reading. It regarded BoNY’s compliance with the Custody Rules as “seriously inadequate”, with particular low-lights including failures to safeguard client assets, maintain entity-specific book and records, conduct reconciliations, segregate assets, implement CASS-specific governance arrangements, provide CASS-specific training, or submit an accurate Client Money and Assets Return. Importantly, this is also the first case in which the failure to maintain a CASS Resolution Pack (“CASS RP”) was specifically cited by the FCA as both a breach of the Custody Rules and an aggravating factor in calculating the scale of the fine.
The fine itself was determined as a percentage of BoNY’s average custody asset balance over the relevant period. The exact percentage was a function of the perceived seriousness of the breach, ranging from 0% (in the case of a ‘Level 1’ breach) to 0.8% (in the case of a ‘Level 5’ breach). In concluding that BoNY’s breach was of ‘Level 4’ significance (and so carrying a 0.6% multiplier), the FCA considered the following to be aggravating factors:
- risk of loss or delay in return of assets to clients;
- detrimental impact on CASS RP; and
- widespread weaknesses in systems and controls.
The Role of CASS RP
The maintenance of entity-specific records and accounts is regarded by the FCA as a “fundamental requirement” of the Custody Rules. The failure of BoNY to meet this requirement lay at the heart of its problems, rendering it in breach of CASS 6.5.2R which states that “a firm must maintain its records and accounts in a way that ensures their accuracy, and in particular their correspondence to the safe custody assets held for clients.” As the FCA observed, had BoNY complied with this requirement, in the event of its insolvency, it would have been in a position to provide proper accounts and records to an insolvency practitioner. In turn, this would have enabled an insolvency practitioner to compare those records against other information sources held by BoNY, reducing the time and risk associated with returning assets to customers.
The FCA highlighted that the CASS RP is a key component of its record-keeping requirements. Given the complex and fast-moving nature of insolvency situations, CASS RP is the “comprehensive record” required by an insolvency practitioner in order to effect an efficient wind down of a firm’s operations and the timely return of custody assets to their rightful owners. Certainly, a properly structured CASS RP would have been capable of mitigating all of the aggravating factors identified by the FCA in BoNY’s case. Unfortunately, BoNY’s CASS RP – regarded by the FCA as “inadequate” – was not up to this task.
To regard CASS RP as simply an administrative burden, a regulatory box to be ticked or, worse still, a “smoking gun” to be made available to the FCA, is to ignore its value as a tool through which firms can proactively manage and audit many of the risks associated with the handling of client money and safe custody assets. Almost all CASS processes flow down to the CASS RP, and any firm which has fully embraced the CASS RP regulations will have conducted an in-depth analysis of client lists, account structures, documentation trails, systems and controls. Its CASS RP will be properly designed and capable of monitoring the data flowing into the pack on an ongoing basis. The framework that will have been created will provide near real-time feedback on the existence of weaknesses or problems of the type which beset BoNY, giving the firm the best chance of achieving and maintaining CASS compliance.
Aside from the financial consequences and reputational damage, remediation of the breach by BoNY took over a year and the commitment of “significant resources”. In comparison, the cost associated with implementing a proper CASS RP, with a dual-purpose design as a CASS compliance tool, is minimal. Whilst there is a degree of ‘heavy lifting’ associated with constructing a robust CASS RP, the overall burden and cost of ownership of the underlying data over the medium- and long-term is greatly reduced. More importantly, the prize, in terms of the resulting hindsight, insight and foresight into CASS processes is potentially huge. It is also critical for any firm wishing to control risks of the type which cost BoNY so dearly. The real lesson is that, in the long run and in an environment where CASS RP already casts a bright light on CASS weaknesses, a modest amount invested in the pro-active management of risk is a better strategy than one of living in hope that you will not be next in the FCA’s line of sight. Put simply, the value of a well-constructed CASS RP far exceeds the cost.
If the previous fines levied on the likes of Barclays, JP Morgan BlackRock and Aberdeen were not sufficient, the BoNY fine should be the trigger which spurs firms into action. Certainly, CASS has been top of the FCA’s agenda since its “Dear CEO” letter of 2010 and BoNY’s case clearly indicates that it retains top billing. Non-compliance with the Custody Rules will not be tolerated as the FCA regards this as “a matter entirely within the…control” of firms. Any breach that exposes clients to additional risk of being impacted financially is “unacceptable”. Firms should not assume that this is a bear trap into which they could never fall and would do well to remember that BoNY was ensnared despite the fact that it specialises in the provision of custodial services. In reporting the fine, the FCA neatly summarised the situation thus: “Other firms with responsibility for client assets should take this as a further warning that there is no excuse for failing to safeguard client assets and to ensure that their own processes comply with our rules…Client assets protection continues to be a priority for the FCA and firms who hold client assets should review their processes in line with these findings to ensure full compliance with the Custody Rules.”
Those firms which remain unconvinced of the need for action should consider the FCA’s ‘Senior Managers Regime’ (“SMR”) which comes into force in the UK on 7 March 2016. This will be in addition to the FCA’s existing policy which requires senior management to personally attest to the fact that their firms are in compliance with particular regulatory requirements, and will apply to individuals performing ‘senior management functions’ – of which the ‘Safekeeping and administration of assets of clients’ is one. Amongst other things, the SMR will reverse the traditional burden of proof, enabling senior managers to be held accountable if they are unable to satisfy a regulator that they have taken “reasonable steps” to avoid a rule breach. It will also require senior managers to comply with new conduct rules, which include the positive requirements to:
- act with due skill, care and diligence;
- take reasonable steps to ensure that the business of the firm is controlled effectively; and
- take reasonable steps to ensure that the business of the firm complies with relevant requirements and standards of the regulatory system.
The cost of getting CASS compliance wrong has always outweighed the cost of getting it right. However, it is clear that from next year, the incentives to invest in robust CASS RP processes will become irresistible.
How we can help
DRS specialises in helping firms optimise the efficiency and controls associated with the creation and maintenance of a CASS RP. In doing so, we help to reduce the cost and administrative burden associated with owning and managing CASS related documentation, a benefit which, by extension, applies to CASS audits and FCA visits. Of particular interest to any CF10a, our CASS RP platform generates the insight and audit trail necessary to prove the integrity of underlying data, creates confidence in the robustness of underlying processes and provides a mechanism and the structure through which compliance can be confirmed. Contact us today and take the first step in taking control of your CASS processes.