"Outsource - arrange for work to be done outside one's own company" - Compact Oxford English Dictionary

At first sight, why should outsourcing the work involved in meeting the FSA's Client Assets (CASS) rules be any different to any other outsourcing arrangement? For many firms that hold client money and/or custody assets, compliance with the CASS rules is a major consumer of resources and getting a third party to carry out the CASS administration might be considered by management as a very sensible thing to do. Unfortunately care is needed as some of the normally perceived benefits of outsourcing, such as greater flexibility, reduced need for specialists and reduced operating expenses, may not exist in in quite the same way in a CASS regulated environment.

It is clear that the FCA will continue the strong interest shown by the FSA in a firm's compliance with the CASS rules and particularly in the case where such compliance involves an outsourcing arrangement. Indeed, the FSA became more vocal in its concerns with outsourcing over the last few months of its life, having written to the CEOs of asset managers on 11 December 2012 setting out some of those concerns.

Included in the letter was the following paragraph: " We believe it is the responsibility of firms' Boards to have considered the implications of outsourcing to an external third party supplier having regard to the regulatory requirements that apply. SYSC 8.1.7R requires that firms should be exercising "due skill and care and diligence" when entering into, managing or terminating any outsource arrangement. We believe this, together with the additional requirements in SYSC 8.1.8R(5), (7) and (11) includes having adequate contingency plans in place to deal with either an unexpected or expected termination of an outsourcing contract and/or other service interruption with their outsource provider(s). We therefore believe that it is the responsibility of firms' Boards to ensure that they have in place an adequate resilience plan which enables the firm to carry out regulated activity if a service provider fails."

This latter point is probably a significant step further than many firms considered necessary when they entered into an outsourcing agreement in relation to CASS compliance.

Most firms will have put some form of monitoring in place when they outsourced a CASS requirement but what constitutes adequate oversight of an outsourced CASS operation?

While no one answer will fit all circumstances, the following might be considered as indicators of good practice:

  • Allocating appropriate oversight responsibility for the activities carried out by the third party;
  • Clear lines of communication with the third party;
  • Regular assessment of systems and controls at the third party; and
  • Regular reviews of Service Level Agreements (SLAs) and prompt updates when requirements change.

Other areas worthy of consideration and review by a firm's management, not just at the start of the relationship but on a regular basis, include:

  • Have adequate resources been retained to monitor the arrangements that have been outsourced?
  • Do those resources have the knowledge to effectively challenge the outsource provider where there are areas of concern?
  • Are regular visits being carried out to the outsourcer? While six monthly visits may have been considered adequate in the past, should these now be at least quarterly?
  • Does the fact that the outsourcer has notified you of very few breaches of the CASS rules indicate that (i) they have very good systems, (ii) they are not identifying the breaches that do occur, or (iii) they are not notifying you of all the breaches that occur?
  • While the current regulatory interest appears to be, at least in the terms used, outsourcing to third parties, there are clearly similar risks from 'off-shoring' by a firm to other entities within its group. Have the risks involved been considered?

It is not just the regulator that focuses on the outsourcing of CASS requirements. The regulated firm's CASS Auditor is required to provide a reasonable assurance report on compliance with the CASS rules, including any rules the administration of which has been outsourced by the regulated firm to a third party.

In response to the perceived risks in this area, the Codes and Standards Division of the FRC has recently issued guidance for CASS Auditors on the implications of firms outsourcing CASS compliance. The FRC's Bulletin 3 is a supplement to the Auditing Practices Board's (APB) Bulletin 2011/2 'Providing Assurance on Client Assets to the Financial Services Authority'. Firms can expect their CASS Auditors to take a keen interest in outsourced arrangements and the oversight thereof going forward.

Passing administrative or other burdens to a third party that has the resources and can make economies of scale seems such a good idea. The reduction in management oversight and the possible savings on resources is appealing, as often is the fact that the third party seems to have a good system and a convincing story as to why nothing can go wrong. When it works there are clear advantages. However, when it does not, the costs of putting it right in a CASS regulated environment could potentially outweigh any savings made.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.