In December 2024, the FCA issued a series of Dear CEO letters, including one titled “Our Custody and Fund Services Supervision Strategy.” The letter is aimed at the custody and fund services sector, which, as it provides oversight of around £14.6tr of assets under custody, is an understandable focus for the FCA. The sector plays an integral part in maintaining trust and credibility in the financial services system, contributing to market stability. Custody and fund services firms provide outsourced and third-party services to many other regulated firms and for that reason they play a crucial role across the financial services industry. Whilst these firms are the focus of the letter, firms in other sectors, particularly asset and wealth managers, can gain useful insights into the FCA’s supervisory priorities from it.
So what are the supervisory priorities detailed in the letter?
Operational Resilience
Operational resilience is a key priority because so many firms in the sector provide critical infrastructure to other firms and have high levels of operational risk. Many firms in the sector face operational challenges for a variety of reasons.
For firms in scope, the rules and guidance on operational resilience set out in PS21/3 provide a clear path to follow: mapping and testing of impact tolerances for each important business service must be complete by 31 March 2025, with regular reviews thereafter. For firms not in scope, the requirements in PS21/3 still give useful insight into best practice, particularly with respect to expectations for governance, oversight and incident management.
Cyber Resilience
Cyber risk is an area that continues to evolve rapidly, presenting an ever-changing challenge for firms. For this reason, it continues to be a supervisory priority for the FCA. Firms need to be able to show that they are managing vulnerabilities, identifying cyber threats and responding to them effectively. This will need to include the use of threat intelligence-led penetration testing at regular intervals. The firm’s governing body will need to make sure that it receives MI that gives insight into the threats faced by the firm and reports on the effectiveness of the controls in place.
Third-Party Management
The FCA has drawn this out as an issue separate from and distinct from operational resilience, which reflects that its focus on third-party arrangements is wider than operational resilience and should be of interest to all firms, not just those in scope of PS21/3. Effective third-party risk management is crucial to ensure that external dependencies are appropriately handled. We’ve seen cases of third-party issues impacting regulated firms, including the CrowdStrike outage in July 2024. The FCA letter makes clear that firms need to have effective oversight arrangements in place to manage third-party risk. This should include mapping third-party relationships and having clear processes for assessing whether third-party arrangements constitute outsourcing. Firms should have clear, documented exit plans for all service providers, including contingency arrangements and alternative providers where appropriate. Risk management arrangements should include processes to identify, manage, monitor and report on third-party risks, including consideration of concentration risk and whether there is over-reliance on a particular external provider.
Change Management
Change is inevitable, particularly when we consider the pace of technological and operational innovation. The key for firms is to have defined change management processes in place that enable them to manage change in a way that includes assessment and management of risks to clients and operations.
Market Integrity
We’re seeing continuing use of sanctions as a means of responding to geopolitical events, bringing additional complexity for firms in managing sanctions risk. The FCA letter highlights its plan to do focused work reviewing the effectiveness of firms’ systems and controls, governance and resources in respect of sanctions compliance. Alongside this, firms should consider whether their wider financial crime control framework is sufficient to detect, prevent and deter financial crime.
Senior management need to take clear responsibility for managing financial crime risks and be actively engaged in doing so. Robust second- and third-line testing of financial crime systems and controls should form an integral part of the financial crime framework.
Depositary Oversight
The FCA letter highlights a gap in expectations between the FCA and market participants on the role of depositaries. The FCA sees depositaries as playing a critical role in the oversight of fund managers and the safekeeping of assets. They are expected to act independently, honestly, fairly, professionally and solely in the interest of the relevant fund and its investors. In practice, the FCA has seen depositaries being less proactive with respect to oversight, risk identification and escalation processes than expected. The FCA is using DP23/2 to identify opportunities to clarify the rules and expectations for depositaries, but has also used this letter to make clear that it expects depositaries to be able to demonstrate independent oversight of fund managers, their operations and their compliance with FCA rules. Depositaries need to ensure that they have access to the right information to enable them to do this.
Protection of Client Assets (CASS)
Protection of client assets remains a key regulatory priority and something that isn’t going away any time soon. The FCA continues to see weaknesses in firms with varying causes, but the root cause in all cases is poor governance and oversight, under-investment in systems and a failure to fully consider the CASS impacts when managing change. The FCA will continue to proactively supervise firms in this area, so firms should continue to expect contact from the FCA following audit and breach reports and, in some cases, supervisory visits. Firms need to review their processes and systems and take action on any issues identified. Firms also need to stay on the front foot with respect to future developments, in particular distributed ledger technology and the regime for cryptoassets.
Next Steps
Throughout the letter, we see the FCA highlight the role a firm’s senior management plays in risk management and the need to ensure that an appropriate governing body is in place, with access to the right information to understand what risks are faced and how they are managed.
If you are a recipient of the letter, you need to discuss the letter with your governing body and executive committee. You need to take proactive action to consider the focus areas detailed and consider how well the firm is aligned with the regulator’s expectations. You should keep records of any work you do in response to this letter, so that you can communicate effectively with the FCA on it, if needed.
If you haven’t received the letter directly, you should consider which topics discussed are relevant to you and what action, if any, might be appropriate.
How Square 4 can help
At Square 4, we have deep expertise supporting firms to help them achieve compliance and meet regulatory expectations, particularly on CASS, third-party management, operational resilience and change management. Our work includes helping firms assess existing control frameworks against regulatory expectations to identify any control gaps or areas for improvement. We’re working with firms on operational resilience, mapping relationships and risk, supporting scenario testing and providing input on change projects. We also regularly work with firms on financial crime compliance, helping them to implement and maintain processes and controls that are appropriate in the context of the financial crime risks the business faces. Our CASS team has worked with investment firms and depositaries to help them maintain CASS control frameworks that meet regulatory requirements, regulator expectations and industry best practice. If you need support in any of these areas, email us at hello@square4.com.