
The FCA's Dear CEO letter to depositaries and custodians, "Our custody and fund services supervision strategy"

  • United Kingdom
  • Financial services


Edwin Schooling Latter, FCA Director of Markets and Wholesale Policy and Wholesale Supervision, has written a Dear CEO letter to depositaries and custodians setting out the FCA’s view of the key causes of harm in the securities services sector.  The FCA’s concerns are wide-ranging.

Four causes of harm

The FCA identifies four principal areas of potential harm to depositaries’ and custodians’ clients and end-consumers, or to market integrity:

  • Disruption to consumers and market participants, or the loss, compromise, or lack of availability of data, due to insufficient operational resilience or weak cyber controls

The ability of a regulated firm to deliver important business services in the face of significant operational disruption is a critical objective of the UK regulators and is a core focus of regulatory scrutiny.  This includes both disruption from within, such as technological failures, and disruption from without, such as cyberattacks and the failure of critical third party services.

The regulators’ expectations and requirements for resilience are set down in the joint FCA/PRA/BoE rules on resilience in Policy Statement 21/3 “Building operational resilience” which come into force on 31 March 2022.  These rules require in scope firms to maintain systems and controls designed to prevent, adapt, respond to and recover from significant disruption events such as IT outages and cyberattacks.  These are critical areas of concern for UK regulators, made more acute by the current environment of enhanced sanctions against Russia (a known sponsor of cybercriminal activity).

A recent Freedom of Information request submitted by Eversheds Sutherland established that over a third of cyberattacks reported to the FCA in 2021 involved ransomware and roughly 75% of reported cases involved technology issues, such as failed IT change projects.  These statistics are indicative of where the FCA is likely to focus its attention as we move beyond March, and the Dear CEO letter is a shot across the bows for firms that may be going slow on delivery of the expected levels of resilience.  The FCA will be looking at these firms more closely in 2022 to ascertain their levels of resilience, as well as scrutinising their third party service arrangements for any vulnerabilities.  Acting now to ensure a firm meets those expectations and has mitigated any vulnerabilities will be critical if it wishes to avoid follow-on regulatory action.

  • Sub-standard oversight and control of client money and assets leading to financial losses for investors and/or an inability to recover assets efficiently

Safekeeping of client assets and client money is at the heart of depositary and custody services.  The FCA has had a keen focus on these issues since the last major review of CASS in 2015 and in the past has levied some hefty fines on custodians in the wake of breaches.  We are not aware of any recent such infringements on a large scale leading to client losses but the FCA is still clearly concerned about the level of understanding of the rules and the processes in place.  Firms will need to review their approach to CASS in light of the FCA’s statements.

  • Inadequate depositary oversight of fund managers, and failure to take reasonable care to ensure an authorised Collective Investment Scheme (CIS) is managed in accordance with applicable rules and solely in the interests of the CIS and its unitholders

The FCA’s focus on this harm is perhaps driven by recent fund management scandals and investment breach reports that depositaries have to make to the FCA on a monthly basis.  A depositary has to tread a difficult line with fund managers to ensure they obtain sufficient information and access to carry out their oversight, but without stepping over the line into making investment decisions and second guessing the investment manager.  We regularly see depositaries posing challenges to fund managers; however, managers often take a different view, as depositaries are not investment experts and their role is to oversee the managers, who run the funds.

  • Inadequate oversight of business linked to high risk, illiquid or speculative investment products sold to retail investors, and failures to consider related consumer outcomes

These statements by the FCA very much echo the sentiments expressed in their recent consultation on the new Consumer Duty.  Firms must ensure products are fit for their target market and foreseeable harms which may arise from products are mitigated so that investors obtain good outcomes.  Again, securities services firms have a difficult balance to strike.  They are not product regulators or manufacturers, nor indeed dealing with retail clients, so it is perhaps understandable that they have not previously acted in this way.

The FCA warns those depositaries and custodians which are not meeting rules and standards that they must notify the FCA immediately and explain what steps they are taking to remedy any breaches. 

FCA supervisory priorities

Operational resilience and cyber

The FCA may seek assurances and evidence that investment programmes are sufficient to ensure that critical services are not too heavily reliant on legacy technology.  The FCA will question depositaries and custodians on how they have mitigated risks relating to:

  • the levels of interconnectedness between systems
  • lack of internal knowledge on how systems operate
  • ineffective oversight of third party or intra-group service providers

Custodians and other firms that fall within the scope of the regime (e.g. those which are designated as an enhanced SM&CR firm) are expected to prevent, respond to, recover and learn from operational disruptions and to act where weaknesses have been identified, in accordance with the rules on operational resilience set out in Policy Statement 21/3 “Building operational resilience” which come into force on 31 March 2022.

If a firm suffers material technological failures or cyber-attacks, it should contact the FCA promptly in accordance with its responsibilities under Principle 11.  SUP 15.3 sets out additional rules and guidance on when the FCA expects notice of matters relating to a firm.

Protection of Custody Assets and Money (CASS)

The FCA intends to subject CASS requirements to significant ongoing supervisory engagement.  The FCA is concerned about weaknesses it has observed in:

  • change management (operational, regulatory and business)
  • high dependence on legacy/end of life IT infrastructure
  • high levels of manual processing and controls

The FCA thinks that challenges with CASS compliance often have their root causes in:

  • poor governance and oversight
  • under-investment in systems
  • failure fully to consider CASS impacts when managing change
  • a lack of adequate CASS knowledge

It expects firms to address the challenges they face.

The FCA notes that there are risks to the business models of depositaries and custodians which could be caused by disruption from new technology.  It refers to increased use of distributed ledger technology (DLT) as one such risk and expects firms to plan appropriately.

Depositary oversight

The FCA has the following concerns:

  • continued weaknesses in depositaries’ oversight
  • absence of effective challenge of fund managers
  • insufficient robustness of controls used to oversee fund liquidity, and investment and borrowing limits

When reviewing depositary performance, the FCA may seek evidence that firms have:

  • an appropriate level of access to an AFM’s operations
  • adequate resourcing
  • been able to challenge AFMs effectively in investors’ and unitholders’ interests

Speculative and illiquid investments

The FCA is concerned to ensure that FCA regulated custody and fund services firms do not inadvertently provide increased legitimacy to the marketing of unregulated products, such as mini-bonds.  It warns that promoters of those products may exploit the FCA badge of a regulated entity from which it is procuring services to create false confidence surrounding a product, marketing claims or consumer protections.

The FCA notes that firms engaged in unregulated activity related to speculative and illiquid investments remain subject to relevant regulatory requirements, including specific Principles for Business, and must demonstrate that they are satisfying the minimum requirements for authorisation set out in Schedule 6 FSMA.

The FCA intends to examine firms which provide services for speculative and illiquid investments.

Market and regulatory changes

The FCA expects firms to keep abreast of, and adequately prepare for, market developments and regulatory change, singling out the example of the Investment Firms Prudential Regime (“IFPR”) which came into force on 1 January 2022.  Although the FCA has only named one such example, firms should be aware that there are other regulatory developments that affect custodians and depositaries, such as the application of the TCFD disclosures for UK firms, rules on outsourcing and the FCA’s Guiding Principles on ESG funds, to name a few.  Keeping up with developments in the market and with regulatory changes affecting their clients will be key to custodians and depositaries understanding the wider landscape.

How can Eversheds Sutherland help?

Our in-depth understanding of the sector means that we are well placed to advise you on the scope and implications of the Dear CEO letter.  Our team are available to discuss the FCA’s supervisory priorities in detail and to analyse the impact they may have on your business.