Final Notice
FINAL NOTICE
To:
Aviva Pension Trustees UK Limited (“APTUKL”)
Aviva Wrap UK Limited (“AWUKL”)
1.
ACTION
1.1.
For the reasons given in this notice, the Authority imposes on APTUKL and AWUKL
(together, “the Firms”) a financial penalty of £8,246,800.00.
1.2.
The Firms agreed to settle at an early stage of the Authority’s investigation. The
Firms therefore qualified for a 30% (stage 1) discount under the Authority’s
executive settlement procedures. Were it not for this discount, the Authority
would have imposed a financial penalty of £11,781,262.00 on the Firms.
2.
SUMMARY OF REASONS
2.1.
On the basis of the facts and matters described below the Authority finds that
between 1 January 2013 and 2 September 2015 (“the Relevant Period”), the
Firms breached Principle 3 (Management and Control) and Principle 10 (Clients’
Assets) of the Authority’s Principles for Businesses (“the Principles”) and
associated rules in the Client Assets sourcebook (“the CASS Rules”). The Firms
2
also breached a number of rules in Chapter 8 (Outsourcing) of Senior
Management Arrangements, Systems and Controls sourcebook (“SYSC”).
2.2.
During the Relevant Period the Firms breached Principle 3, and a number of CASS
and SYSC Rules, by failing to take reasonable care to ensure that they established
and implemented adequate controls over the Third Party Administrators (“TPAs”)
to which they had outsourced the administration of client money and external
reconciliations in relation to custody assets. In particular, the Firms:
(1)
failed to put in place adequate organisational arrangements for the
safeguarding of client money and safe custody assets or to ensure
effective oversight of outsourced CASS functions (CASS 6.2.2R, CASS
7.12.2R (formerly CASS 7.3.2R) and SYSC 8.1.8R);
(2)
failed to dedicate sufficient resource and technical expertise to enable
them to implement effective CASS oversight arrangements; and
(3)
failed to prioritise sufficiently CASS compliance, resulting in inadequate
oversight of the outsourced CASS functions and their delayed detection
and rectification of CASS risks and compliance issues.
2.3.
During the Relevant Period the Firms also breached Principle 10, and a number of
CASS and SUP Rules, by failing to arrange adequate protection for client money
and safe custody assets for which they were responsible. In particular, the Firms:
(1)
failed to identify and promptly rectify certain issues within their internal
client money reconciliation process which were subsequently identified
and/or confirmed by the Authority, the Skilled Person and the Firms’
external CASS auditors. These issues included the Firms’ under-
segregation of client money, which during the period from 10 February
2014 to 9 February 2015 peaked at £74.4m;
(2)
mislabelled transactions within the Firms’ client money calculations (CASS
7.6.2R and CASS 7.15.3R);
(3)
failed to submit accurate Client Money and Asset Returns (“CMARs”) (SUP
16.14.3(R)(1));
3
(4)
failed to ensure the adequate and accurate segregation of client money;
and
(5)
held inadequate CASS resolution packs (“CASS RPs”) (CASS 10.1.3R).
2.4.
Compliance with the CASS Rules is important to ensure client money and custody
assets are adequately protected at all times. This is particularly important prior
to insolvency to ensure that the wind-down of a firm in the event of insolvency is
carried out in as orderly a manner as possible and in a way that reduces the risk
of loss of clients’ money and safe custody assets. A firm’s compliance can have a
mitigating effect in an insolvency process and is something over which a firm has
ultimate responsibility and control. It is in this context that the Authority views
breaches of the CASS Rules, and a firm’s failure to comply with those rules, as a
particularly serious matter.
2.5.
The Authority considers the Firms’ failings to be serious for the following
(1)
given their responsibility for CASS compliance, it was not appropriate for
the Firms to outsource functions to TPAs without having sufficient
oversight arrangements in place;
(2)
CASS Rules breaches were identified in the Firms’ annual external CASS
audit reports for consecutive years, indicating that the Firms had failed to
implement adequate measures to address these throughout the Relevant
Period; and
(3)
some of the Firms’ failings were drawn to the Firms’ attention by the Firms’
external CASS auditors, the Authority and the Skilled Person, rather than
through
their
own
compliance
monitoring.
During
the
Relevant Period, the Firms’ internal audit reviews were infrequent and
oversight of the outsourced CASS functions was inadequate.
2.6.
The Authority has taken into account that:
(1)
once it was identified that the Firms were not compliant with the CASS
oversight requirements, they committed significant internal and external
resources to investigating and remediating the issues outlined in this
Notice, and in strengthening CASS resource and oversight;
(2)
specifically, the Firms have made significant improvements in the
application of dedicated CASS resource, and in strengthening the oversight
of the TPAs’ work and the associated controls;
(3)
the Firms showed a significant degree of co-operation during the Skilled
Person review and the investigation of the issues by the Authority;
(4)
it has not found that the Firms acted deliberately or recklessly; and
(5)
although client money and safe custody assets were at risk of some loss,
there was no actual loss of any client money or safe custody assets.
2.7.
Ensuring the CASS Rules are adhered to supports the Authority’s operational
objectives of securing an appropriate degree of protection for consumers and
protecting
and
enhancing
the
integrity
of
the
UK
financial
system.
2.8.
The Authority therefore imposes a financial penalty on the Firms in the amount
of £8,246,800.00 pursuant to section 206 of the Act.
3.
DEFINITIONS
3.1.
The definitions below are used in this Decision Notice:
“the Act” means the Financial Services and Markets Act 2000;
“APTUKL” means Aviva Pension Trustees UK Limited;
“the Authority” means the body corporate previously known as the Financial
Services Authority and renamed on 1 April 2013 as the Financial Conduct
Authority;
“AWUKL” means Aviva Wrap UK Limited;
“the CASS Rules” means the rules and guidance set out in the Client Assets
sourcebook chapter of the Authority’s Handbook;
“the CASS Visit” means the Authority’s CASS Department’s supervisory visit to
the Firms between 9 and 11 February 2015;
5
“Client Money Rules” means Chapter 7 of the CASS Rules (as defined above);
“CMAR” means Client Money and Asset Return as defined in the Authority’s
Handbook;
“Custody Rules” means Chapter 6 of the CASS Rules (as defined above);
“DEPP” means the Authority’s Decision Procedure and Penalties Manual;
“EG” means the Enforcement Guide;
“the Firms” means AWUKL and APTUKL together;
“IFAs” means Independent Financial Advisors;
“Policy Statement 14/9” means the Review of the client assets regime for
investment business published by the Authority on 10 June 2014;
“the PRA” means the Prudential Regulation Authority;
“Principles” means the Authority’s Principles for Businesses;
“the Relevant Period” means the period from 1 January 2013 to 2 September
2015 inclusive;
“the Skilled Person” means the firm appointed in August 2015 under section 166
of the Act to provide a report to the Authority on the Firms’ compliance with the
CASS Rules;
“the Skilled Person Report” means the report issued by the Skilled Person on 29
January 2016 consequent to the Authority’s exercise of its power under section
166 of the Act in relation to the Firms;
“SYSC” means the part of the Authority’s Handbook which has the title Senior
Management Arrangements, Systems and Controls;
“the TPAs” means the Third Party Administrators to which the Firms outsourced
their CASS functions during the Relevant Period; and
6
“the Tribunal” means the Upper Tribunal (Tax and Chancery Chamber).
4.
FACTS AND MATTERS
4.1.
The Firms are UK incorporated entities and are both part of the Aviva group of
companies. AWUKL is a wholly owned subsidiary of Aviva Life Holdings UK
Limited, which in turn is a subsidiary of Aviva PLC. APTUKL is a wholly owned
subsidiary of Aviva Life & Pensions UK Limited whose 100% ultimate beneficial
owner is also Aviva PLC.
4.2.
AWUKL’s principal business activity is operating the Aviva Wrap online platform.
Clients can invest via their IFAs in a range of funds, equities and structured
products, with the option of holding their investments in a tax efficient wrapper
(either an ISA account or, in the case of APTUKL, a self-invested personal pension
or ‘SIPP’). APTUKL acts as both operator and trustee of the Aviva Personal
Pension Plan in addition to a number of smaller schemes including a number of
SIPPs.
4.3.
The average daily balance of the client money and custody assets accounts during
the Relevant Period for AWUKL was £64,410,913.00 and £1,409,841,850.00
respectively. The average daily balance of the client money accounts during the
Relevant Period for APTUKL was £189,132,662.00.
4.4.
A number of CASS issues were identified in the Firms’ annual external CASS audit
reports, which should have prompted the Firms to undertake a wider review of
their client money and custody asset compliance:
(1) the 2013 external CASS audit report for AWUKL identified issues with
AWUKL’s internal client money reconciliations and raised concerns
regarding the Firms’ maintenance of accurate safe custody asset records
(CASS 6.5.2R), particularly given the Firms’ outsourcing to a TPA of
external reconciliations in relation to custody assets;
(2) AWUKL’s failure to have adequate organisational arrangements in place in
relation to its reconciliation processes in breach of CASS 6.2.2R. The
auditors noted in the 2012 external CASS audit report for AWUKL that a
7
distribution value of £111.69 was received for an asset which was not on
the Firms’ system which prevented the money being applied to the
appropriate client’s account;
(3) although AWUKL advised the auditors that a revised and strengthened
reconciliation format had been implemented in June 2012, four instances of
AWUKL’s non-compliance with CASS 6.5.10R were identified in the 2013
audit resulting from its failure to promptly identify and correct
discrepancies identified by safe custody asset reconciliations, involving
assets with an approximate aggregate value of £1,000; and
(4) concerning the Firms’ use of a non-standard client money calculation CASS
7.6.8R (currently CASS 7.13.58R), the Authority noted that the Firms’
method of internal client money reconciliation did not provide the degree of
protection provided by the standard method as set out in CASS 7 Annex 1
G. The Authority notes that the Firms’ external auditor confirmed in May
2015 that the Firms’ method of internal client money reconciliation did
provide that degree of protection.
4.5.
The external CASS auditor findings for both AWUKL and APTUKL should have
prompted the Firms to reassess and re-categorise CASS compliance as
potentially high risk.
4.6.
In February 2015, the Authority’s CASS Department visited the Firms. During
the visit the Authority identified the same and similar CASS compliance issues to
those identified by the external auditors. These issues were confirmed to the
Firms in a letter of 10 August 2015, which included the following concerns:
(1) serious deficiencies in the Firms’ governance and oversight of CASS
functions;
(2) the Firms’ lack of individuals with combined CASS and financial experience;
(3) a convoluted committee structure which, in particular, lacked any dedicated
committee
for
overseeing
the
Firms’
outsourced
CASS
functions;
(4) a lack of CASS specific compliance monitoring reports, particularly given
the breadth of the rule changes following Policy Statement 14/9 and the
Firms’ compliance history based on earlier external CASS audit reports;
(5) mislabelling of transactions within the client money calculation, prompting
wider concerns regarding the Firms’ failure to maintain accurate records
and accounts and inadequate organisational arrangements; and
(6) inaccuracies with the Firms’ CMAR submissions given that the Firms had
made
disclosures
which
were
inconsistent
with
SUP
16.14.3.R.
4.7.
Based on the number and gravity of the Firms’ failures to comply with the CASS
Rules identified during the CASS Visit, the Authority required the Firms to
appoint a Skilled Person to conduct an independent review of the Firms under
section 166 of the Act.
The Skilled Person Report
4.8.
In August 2015, the Authority required the Firms to provide a Skilled Person’s
report under section 166 of the Act. On 29 January 2016, the Skilled Person
issued its report, which confirmed issues identified during the CASS Visit and
expanded on the issues previously identified by the Firms’ external CASS audit
reports. The findings included:
(1) inadequacies
with
the
Firms’
organisational
arrangements
for
the
safeguarding of client money and custody assets resulting in the Firms’
inadequate management and oversight of TPAs in respect of outsourced
CASS functions. The Skilled Person confirmed the following specific failings
with the Firms’ oversight and safe custody arrangements:
a)
deficiencies with the Firms’ reconciliation processes resulting in the
over-and under-segregation of client money with the Firms’ under-
segregation having peaked at approximately £74.4m during the
period from 10 February 2014 to 9 February 2015;
b)
inadequate first (business) and second (compliance) lines of
defence in relation to the Firms’ submission of inaccurate CMARs;
c)
inaccuracies/failings with the Firms’ CASS RPs in breach of CASS
10.1.3R;
d)
the inadequacy of the management information (“MI”) provided to
senior management in relation to CASS breaches, particularly in
relation to the Firms’ outsourcing of CASS functions to TPAs; and
e)
concerning the Firms’ use of a non-standard client money
calculation, the Skilled Person confirmed that the Firms’ method of
internal client money reconciliation did not provide the degree of
protection provided by the standard method as set out in CASS 7
Annex 1 G. ((CASS 7.15.18R and 7.6.8R) and Annex 1G).
(2) the Firms’ failure to dedicate sufficient resource and technical expertise to
enable the Firms to implement effective CASS compliance oversight
programs; and
(3) the Firms’ failure to prioritise sufficiently CASS compliance, resulting in the
delayed detection and rectification of CASS risks and compliance issues.
Inadequate organisational arrangements to ensure effective oversight
of outsourced CASS functions
4.9.
Outsourcing arrangements are common in the asset management industry in
relation to purchases and sales of investment fund interests for clients. TPAs
typically perform back office activities such as cash and transaction processing,
settlement, record keeping, reconciliations and similar CASS compliance
functions.
4.10.
In such circumstances, since a firm is one step removed from CASS operations
as a result of its outsourcing arrangements with a TPA, a heightened CASS
compliance risk may arise. A firm is therefore required to ensure that it has
robust controls and oversight systems in place to monitor and identify any
issues arising with the TPA’s performance of the CASS functions for which the
firm remains fully responsible. This also requires that a firm outsourcing CASS
functions ensures that it has adequate CASS skills, expertise and resources to
carry out effective oversight of the TPA.
4.11.
During the Relevant Period, the Firms outsourced to TPAs the administration of
their client money and external reconciliations in relation to custody assets.
However, during the Relevant Period, the Firms failed to ensure effective
oversight of the TPAs.
4.12.
In particular, the Firms failed to put in place dedicated CASS committees to
ensure the prompt identification and remediation of any issues relating to the
TPAs’ performance of outsourced CASS functions. Given the recurrence of CASS
failings identified by their external CASS auditors, the Firms should have been
aware of prevailing issues with their outsourcing of CASS functions and taken
steps to ensure that closer monitoring was undertaken of TPAs. The Firms have
now set up joint governance committees to oversee the CASS outsourcing
arrangements.
4.13.
The Firms’ oversight was also compromised by design limitations detected in the
Firms’ review processes. For example, the checks which the Firms undertook in
relation to their reconciliation processes were informal and lacked consistency. A
number of incidences were identified in which weekly reconciliation checks had
not been completed. There were also delays in the Firms’ identification and
rectification of reconciliation inaccuracies and a more general lack of guidance
on the reconciliation processes. This also resulted in the Firms’ failure to
sufficiently challenge the internal controls, competence and resources of the
TPAs.
4.14.
Similar weaknesses were identified in relation to the Firms’ escalation process
for CASS related issues. The Firms provided no routine CASS updates, with
reports only being made when CASS issues occurred. As a result senior
management did not receive sufficient assurance on the Firms’ CASS compliance
in respect of routine CASS activities.
4.15.
During the Relevant Period, the Firms did not have adequate control frameworks
in place to identify, assess and escalate material information about CASS risks
and compliance to the Firms’ respective Boards. There was insufficient
consideration by senior management of the operational effectiveness of the
Firms’ CASS functions during the Relevant Period. For a substantial part of the
Relevant Period, there was insufficient oversight of CASS compliance by the
Firms’ existing committee structures.
4.16.
Inadequacies with the quality of the Firms’ MI were also identified which further
undermined the efficacy of the Firms’ oversight of outsourced CASS functions.
For example, incomplete MI was provided in relation to the reconciliation of
items which remained outstanding after 30 days. Moreover, the MI provided at
senior management level did not include resolution dates for actions and
thereby hindered the ability of the Firms’ senior management to track the
resolution of CASS issues.
4.17.
In addition, monthly “spot checks” lacked key information such as when each
check was carried out, by whom and the outcomes of each individual check.
This compromised the quality of information being provided to senior
management on CASS compliance issues. On occasion, there was inaccurate
reporting of the outcomes of spot checks by the Firms’ business to the Firms’
senior management. The September 2014 spot check carried out in relation to
the Firms’ internal client money reconciliations confirmed an error within the
Firms’ calculations but the negative outcome of this spot check was not included
in the MI provided to senior management which may have delayed and/or
prevented senior management from detecting possible CASS breaches.
Inadequate reconciliation processes
4.18.
During the Relevant Period, the Firms operated a non-standard internal client
money reconciliation method. However, during the CASS Visit, a number of issues
with the Firms’ internal reconciliation process were identified which had resulted
in the under- and over-segregation of client money.
4.19. Client money relating to trade purchases was removed from clients’ accounts
before trades settled. The Firms also failed to set aside funding for returned
cheques in the reconciliation process which meant that purchases could
potentially be funded using other clients’ money. During the Relevant Period,
these failings in the Firms’ internal reconciliation processes resulted in under-
segregation of client money in amounts ranging from £0.4m to £74.4m during the
period from 10 February 2014 to 9 February 2015.
4.20. There were also a number of weaknesses in the design of the Firms’ oversight of
their reconciliation processes. For example, the spread sheets which the Firms
used to record data in the daily and weekly reconciliation checks did not provide
any guidance or parameters to ensure the consistency of checks conducted.
There was also no record of who was scheduled to conduct the daily and weekly
checks and whether those checks had been conducted and if so, by whom.
4.21. The Skilled Person conducted test sampling on a number of the internal
reconciliations produced by the Firms and the internal controls and checks
conducted on those reconciliations. This sampling identified that for 12 out of 60
reconciliations reviewed no weekly check had been carried out, thereby indicating
that there was insufficient resourcing within the Firms’ oversight team since the
weekly check was required to ensure that the requisite daily checks had been
properly conducted. The test sampling also revealed that even when the daily
and weekly checks had been conducted, the checks could be conducted by any
member of the Firms’ oversight team. This resulted in a lack of consistency in the
checking approach.
4.22. These findings in relation to the Firms’ peer reviews are indicative of the
inadequate resourcing in relation to their reconciliation processes. These
deficiencies were compounded by the absence of any formal CASS training for
staff involved in the Firms’ internal reconciliation processes.
Client Money and Assets Return (“CMAR”)
4.23.
During the Relevant Period, the Firms lacked a formal system or adequate
guidance in relation to the CMAR process and controls, including in respect of the
requirement for the submission of a monthly CMAR. The Firms’ CMAR procedures
did not identify who was responsible for the completion and review of the Firms’
submissions. The Firms also failed to provide proper guidance on the extent of
review required prior to the Firms’ submission of their CMARs to the Authority.
4.24. In addition, the Firms had inadequate processes in place for dealing with CMAR
breaches identified before and after submission to the Authority and the Firms
failed to undertake any formal actions to ensure that CMAR breaches did not re-
occur.
4.25. The Firms relied on summary data provided by the TPAs as input data for the
Firms’ CMAR submissions. The Firms also had inadequate technical expertise to
effectively challenge the accuracy of the external data which resulted in delays in
the Firms’ detection of CMAR inaccuracies.
4.26. A sample of the Firms’ CMARs which included the Firms’ June 2015 CMARs
identified discrepancies between the Firms’ internal reconciliations for 30 June
2015 and the Firms’ client money resource and requirement reported to the
Authority.
4.27. Overall, the failings associated with the Firms’ CMAR submissions indicated a
weak control environment around the preparation, review and submission of the
Firms’ CMARs.
Inaccuracies with the Firms’ CASS RPs
4.28.
The Authority identified that for part of the Relevant Period, the Firms did not
have a formal control process in place to ensure effective prevention, detection
and remediation of breaches in the Firms’ CASS RPs.
4.29.
In addition, during the Relevant Period the Firms lacked formal controls and
formal lines of responsibility regarding the prevention, detection and remediation
of breaches of rules within Chapter 10 (Resolution Packs) of the CASS Rules.
4.30.
In particular, the Authority identified the following failings with the Firms’ CASS
RPs: specific omissions within the Firms’ CASS RPs such as a lack of procedures
for recording and transferring client money and safe custody assets, delays in
the Firms’ updating of the CASS RPs for the opening of new bank accounts and a
lack of a clear timetable for the production of the CASS RPs.
4.31.
During 2015 the Firms took steps to improve the CASS RP process by
implementing a formal CASS RP checklist but the Firms’ review and updating
process remained inadequate.
Inadequacy of CASS resources and technical expertise
4.32.
The Firms’ CASS resources were inadequate which undermined their ability to
conduct effective oversight of the TPAs. The Firms’ lack of CASS technical
expertise brought about the Firms’ overreliance on the TPAs which further
compromised the Firms’ ability to identify, resolve and report CASS breaches
and control weaknesses in a timely manner.
4.33.
During the Relevant Period, there was no formal requirement established within
the Firms for CASS training to be undertaken by members of the Firms’ CASS
team. Nor were there any formal training records maintained of any “ad hoc”
CASS training completed by the CASS team members. The Firms have now
instituted a formal CASS skills and knowledge matrix for CASS team members.
4.34.
In addition, during the Relevant Period the Firms combined the CF10 and CF10a
functions which further constrained the available resource and technical
expertise dedicated to CASS compliance.
4.35.
This lack of technical knowledge and experience rendered the Firms incapable of
effectively challenging the TPAs’ performance of the CASS functions.
Failure to prioritise CASS compliance
4.36.
The Firms understated the high risks associated with CASS non-compliance
which may have prevented and/or delayed the Firms’ escalation of CASS issues.
The Authority identified inconsistencies in the Firms’ risk rating in relation to
CASS oversight. In light of the CASS breaches identified in the Firms’ external
CASS audit reports, the Firms ought to have accorded CASS compliance a higher
risk rating. The fact that additional CASS breaches arose in consecutive annual
external CASS audits should have prompted the Firms to re-categorise CASS
compliance as high risk. The Firms did not appear to have had adequate
systems and controls in place to challenge the basis upon which CASS risks had
been assessed.
5.
FAILINGS
5.1.
The regulatory provisions relevant to this Final Notice are referred to in Annex A.
5.2.
Based on the facts and matters described above, the Authority finds that the
Firms have breached Principle 3 and Principle 10 and associated CASS and SYSC
Rules.
5.3.
Principle 3 requires a firm to take reasonable care to organise and control its
affairs responsibly and effectively, with adequate risk management systems. The
Authority has concluded that the Firms failed to take reasonable care to organise
and control their outsourced CASS functions in a responsible and effective way.
5.4.
In breach of Principle 3, the Firms:
(1)
failed to implement and maintain adequate policies and procedures to
detect and manage the high level of client money and custody assets risks
which arose from the Firms’ outsourcing their CASS functions. In
particular, the Firms failed to carry out adequate and formal compliance
oversight and review exercises of both the performance of the TPAs, and
the quality of the MI provided by the TPAs, in relation to outsourced CASS
functions;
(2)
failed to dedicate sufficient resource and technical expertise to enable
them to implement effective CASS oversight arrangements; and
(3)
failed to prioritise sufficiently CASS compliance, resulting in inadequate
oversight of the outsourced CASS functions and the delayed detection and
rectification of CASS risks and compliance issues.
5.5.
Principle 10 requires a firm to arrange adequate protection for clients’ assets for
which it is responsible. The CASS Rules set out detailed requirements placed on
firms to ensure adequate protection of client money and custody assets. The
Authority has concluded that the Firms failed to arrange such adequate protection
of client money and custody assets for which they were responsible.
5.6.
In breach of Principle 10 the Firms:
(1) failed to identify and promptly rectify issues within their internal client
money reconciliation process resulting in the Firms’ under-segregation of
client money;
(2)
mislabelled transactions within the Firms’ client money calculations (CASS
7.6.2R and CASS 7.15.3R);
(3)
failed to submit accurate CMARs;
(4)
failed to ensure the adequate and accurate segregation of client money;
and
(5)
held inadequate CASS RPs.
5.7.
In addition, by outsourcing these critical CASS functions the Firms remained fully
responsible for discharging all of their obligations under the CASS Rules and all
other regulatory requirements. Despite this, the Firms failed to retain the
necessary expertise to supervise the outsourced functions effectively and to
manage the risks associated with the outsourcing (SYSC 8.1.6R and SYSC
8.1.8(5)R).
5.8.
Having regard to the issues above, the Authority considers it is appropriate and
proportionate in all the circumstances to take disciplinary action against the Firms
for their breaches of Principles 3 and 10 and associated CASS and SYSC Rules
during the Relevant Period.
6.
SANCTION
Financial penalty
6.1.
The Authority’s policy on the imposition of financial penalties is set out in Chapter
6 of DEPP. In determining the financial penalty, the Authority has had regard to
this guidance.
6.2.
In respect of conduct occurring on or after 6 March 2010, the Authority applies a
five-step framework to determine the appropriate level of financial penalty. DEPP
6.5A sets out the details of the five-step framework that applies in respect of
financial penalties imposed on firms.
Step 1: disgorgement
6.3.
Pursuant to DEPP 6.5A.1G, at Step 1 the Authority seeks to deprive a firm of the
financial benefit derived directly from the breach where it is practicable to
quantify this.
6.4.
The Authority has not identified any financial benefit that APTUKL and/or AWUKL
may have derived directly from their breaches.
6.5.
The Step 1 figure is therefore £0.
Step 2: the seriousness of the breach
6.6.
DEPP 6.5A.2G provides that at Step 2 the Authority determines a figure that
reflects the seriousness of the breach. Although DEPP 6.5A.2G(1) indicates that
in many cases the amount of revenue generated by a firm from a particular
product line or business area is indicative of the harm or potential harm that its
breach may cause, it also recognises that revenue may not be an appropriate
indicator of the harm the breach may cause. In those cases the Authority will use
an appropriate alternative.
6.7.
Here, the Authority considers that the revenue generated by the Firms is not an
appropriate indicator of the harm or potential harm caused by their breach in this
case.
6.8.
The Authority considers that the appropriate indicator in this case is the average
value of client money and safe custody assets held over the Relevant Period. The
Authority has therefore used the Firms’ average client money and safe custody
assets balance over the Relevant Period to determine the figure at Step 2.
6.9.
The average daily balance of the client money and safe custody assets accounts
during
the
Relevant
Period
for
AWUKL
was
£64,410,913.00
and
£1,409,841,850.00 respectively and the average daily balance of the client
money accounts during the Relevant Period for APTUKL was £189,132,662.00.
6.10. In deciding on the percentage of the client money and safe custody assets value
that forms the basis of the step 2 figure, the Authority considers the seriousness
of the breach and chooses a percentage that is appropriate to the relevant fixed
level which represents, on a sliding scale of 1 to 5, the seriousness of the breach;
the more serious the breach, the higher the level. The percentage levels that the
Authority applies to cases involving client money and safe custody assets are as
Level 1
0%
0%
Level 2
1%
0.2%
Level 3
2%
0.4%
Level 5
4%
0.8%
6.11. In assessing the seriousness level, the Authority takes into account various
factors which reflect the impact and nature of the breach, and considers whether
the firm committed the breach deliberately or recklessly. DEPP 6.5A.2G(11) lists
factors likely to be considered ‘level 4 factors’ or ‘level 5 factors’. Of these, the
Authority considers the following factors to be relevant:
(1) risk of loss of client money and safe custody assets to clients: the Firms’
breaches meant that had AWUKL and/or APTUKL become insolvent at any
point during the Relevant Period, it is likely that an insolvency practitioner
would have had to seek the resolution of a court before client money
and/or safe custody assets could be distributed to clients. This would have
exposed the Firms’ clients to a potential risk of loss of their money and safe
custody assets over and above that which may otherwise have been
expected in an insolvency situation; and
(2)
serious or systemic weaknesses in the Firms’ systems and controls: the
Firms’ breaches resulted from serious weaknesses in the Firms’ systems
and controls relating to oversight of outsourced CASS functions which
continued for a prolonged period, notwithstanding CASS issues having
been raised by the Firms’ external CASS auditors during the Relevant
Period.
6.12. DEPP 6.5A.2G (12) lists factors likely to be considered ‘level 1, 2 or 3 factors’. Of
these, the Authority considers the following factors to be relevant in this case:
(1) no profits were made or losses avoided as a result of the breach, either
directly or indirectly;
(2) there was no actual or potential effect on the orderliness of, or confidence
in, markets as a result of the breach; and
(3) that the breaches were committed negligently or inadvertently, i.e. not
deliberately.
6.13. The Authority also considers that the following factors are relevant:
(1) detrimental impact on CASS RP: had the Firms complied with the
requirement to maintain and be able to retrieve adequate CASS RPs, they
would have been able to provide a more comprehensive record against
which the insolvency practitioner could compare other information sources
held by the Firms, thereby mitigating any delay in the return of client
money and safe custody assets; and
(2)
the Firms failed to identify and/or remediate breaches of the CASS Rules
(notwithstanding the Firms’ receipt of external audit reports identifying a
number of CASS breaches) until June 2015.
6.14. The Authority has taken these factors into account and considers the overall
seriousness of the breach to be level 3.
6.15. The Step 2 figure is 2% of the Firms’ average client money balances
(£64,410,913.00 for AWUKL and £189,132,662.00 for APTUKL) and 0.4% of the
average client safe custody asset balance for AWUKL (£1,409,841,850.00) during
the Relevant Period which based on a breakdown of the client money and safe
custody asset figures provided by the Firms amounts to £10,710,238.90.
Step 3: mitigating and aggravating factors
6.16. Pursuant to DEPP 6.5A.3G, at Step 3 the Authority may increase or decrease the
amount of the financial penalty arrived at after Step 2, but not including any
amount to be disgorged as set out in Step 1, to take into account factors which
aggravate or mitigate the breach.
6.17. The Authority considers that the following factors aggravate the breach:
(1) the importance of arranging adequate protection for client money and safe
custody assets was well publicised by the Authority during the Relevant
Period, including through previous enforcement actions for breaches of the
CASS Rules, which have drawn firms’ attention to the need for increased
focus on this area (and specifically the importance of protecting client
money and safe custody assets); and
(2)
some of the Firms’ failings were drawn to the Firms’ attention by the
Authority and by the Firms’ external CASS auditors, rather than through
their own CASS compliance monitoring.
6.18. The Authority considers that the following factors mitigate the breach:
(1) once it was identified that the Firms were not compliant with the CASS
oversight requirements, they committed significant internal and external
resources to investigating and remediating the issues outlined in this
Notice, and in strengthening CASS resource and oversight; and
(2) specifically, the Firms have made significant improvements in the
application of dedicated CASS resource, and in strengthening the oversight
of the TPAs’ work and the associated controls.
6.19. The Authority has considered the various aggravating and mitigating factors and
having done so considers that the Step 2 figure should be subject to a 10% uplift
at Step 3.
6.20. The Step 3 figure is therefore £11,781,262.80.
Step 4: adjustment for deterrence
6.21. DEPP 6.5A.4G provides that if the Authority considers the figure arrived at after
Step 3 is insufficient to deter the firm who committed the breach, or others, from
committing further or similar breaches, then the Authority may increase the
penalty.
6.22. The Authority considers that the Step 3 figure of £11,781,262.80 represents a
sufficient deterrent to the Firms and others, and so has not increased the penalty
at Step 4.
6.23. The figure at Step 4 therefore remains £11,781,262.80.
Step 5: settlement discount
6.24. Pursuant to DEPP 6.5A.5G, if the Authority and the firm on whom a penalty is to
be imposed agree the amount of the financial penalty and other terms, DEPP 6.7
provides that the amount of the financial penalty which might otherwise have
been payable will be reduced to reflect the stage at which the Authority and the
firm reached agreement. The settlement discount does not apply to the
disgorgement of any benefit calculated at Step 1.
6.25. The Authority and APTUKL and AWUKL reached agreement at stage 1 and so a
30% discount applies to the Step 4 figure.
6.26. The figure at Step 5, rounded down to the nearest £100, is therefore
Conclusion on financial penalty
6.27. The Authority therefore imposes on the Firms a total financial penalty of
£8,246,800.00 (£11,781,262.80 before stage 1 discount).
7.
PROCEDURAL MATTERS
Decision maker
7.1.
The decision which gave rise to the obligation to give this Notice was made by the
Settlement Decision Makers.
7.2.
This Final Notice is given under, and in accordance with, section 390 of the Act.
Manner of and time for Payment
7.3.
The financial penalty must be paid in full by the Firms to the Authority by no later
than 19 October 2016, 14 days from the date of the Final Notice.
If the financial penalty is not paid
7.4.
If all or any of the financial penalty is outstanding on 20 October 2016, the
Authority may recover the outstanding amount as a debt owed by the Firms and
due to the Authority.
7.5.
Sections 391(4), 391(6) and 391(7) of the Act apply to the publication of
information about the matter to which this notice relates. Under those
provisions, the Authority must publish such information about the matter to which
this notice relates as the Authority considers appropriate. The information may
be published in such manner as the Authority considers appropriate. However,
the Authority may not publish information if such publication would, in the opinion
of the Authority, be unfair to the Firms or prejudicial to the interests of
consumers or detrimental to the stability of the UK financial system.
7.6.
The Authority intends to publish such information about the matter to which this
Final Notice relates as it considers appropriate.
Authority contacts
7.7.
For more information concerning this matter generally, contact Karie Twinem
(direct line: 020 7066 3098/email: karie.twinem@fca.org.uk) of the Enforcement
and Market Oversight Division of the Authority.
Head of Department
Financial Conduct Authority, Enforcement & Market Oversight
1 January 2013 ANNEX A
RELEVANT STATUTORY AND REGULATORY PROVISIONS
1.
Relevant Statutory Provisions
1.1. The Authority’s operational objectives are set out in section 1B (3) of the Act and
include the objective of securing an appropriate degree of protection for
consumers.
1.2. Section 206(1) of the Act provides:
“If the Authority considers that an authorised person has contravened a
requirement imposed on him by or under this Act… it may impose on him a
penalty, in respect of the contravention, of such amount as it considers
appropriate."
2.
Relevant Regulatory Provisions
Principles for Businesses (“Principles”)
2.1. The Principles are a general statement of the fundamental obligations of firms
under the regulatory system and are set out in the Authority’s Handbook. They
derive their authority from the Authority’s rule-making powers set out in the Act.
The relevant Principles are as follows.
2.2. Principle 3 (management and control) states that:
‘A firm must take reasonable care to organise and control its affairs responsibly
and effectively, with adequate risk management systems’
2.3. Principle 10 (client assets) states that:
‘A firm must arrange adequate protection for clients’ assets when it is responsible
for them.’
Client Assets sourcebook (“CASS”)
2.4. CASS is the part of the Authority’s Handbook which sets out the Authority’s
requirements in relation to holding client money and safe custody assets.
2.5. CASS 6.2.1R states that:
‘A firm must, when holding safe custody assets belonging to clients, make
adequate arrangements so as to safeguard clients' ownership rights, especially in
the event of the firm's insolvency, and to prevent the use of safe custody assets
belonging to a client on the firm's own account except with the client's express
consent.’
2.6. CASS 6.5.2R states that:
‘A firm must maintain its records and accounts in a way that ensures their
accuracy, and in particular their correspondence to the safe custody assets held for
clients.’
2.7. CASS 6.5.10R states that:
‘A firm must promptly correct any discrepancies which are revealed in the
reconciliations envisaged by this section, and make good, or provide the equivalent
of, any unreconciled shortfall for which there are reasonable grounds for concluding
that the firm is responsible.’
2.8. CASS 6.6.2R states that:
‘A firm must keep such records and accounts as necessary to enable it at any time
and without delay to distinguish safe custody assets held for one client from safe
custody assets held for any other client, and from the firm's own applicable assets.’
2.9. CASS 7.12.2R (formerly CASS 7.3.2R) states that:
‘A firm must introduce adequate organisational arrangements to minimise the risk
of the loss or diminution of client money, or of rights in connection with client
money, as a result of misuse of client money, fraud, poor administration,
inadequate record-keeping or negligence.’
2.10. CASS 7.15.3R (formerly CASS7.6.2R) states that:
‘A firm must maintain its records and accounts in a way that ensures their
accuracy, and in particular their correspondence to the client money held for
clients.’
2.11. CASS 7.6.8R states that:
‘A firm that does not use the standard method of internal client money
reconciliation must first send a written confirmation to the FCA from the firm's
auditor that the firm has in place systems and controls which are adequate to
enable it to use another method effectively.’
2.12. CASS 7.15.18R (effective from 1 June 2015) states that:
‘(1) Before using a non-standard method of internal client money reconciliation, a
firm must:
(a)
establish and document in writing its reasons for concluding that the
method of internal client money reconciliation it proposes to use will:
(i) (for the normal approach to segregating client money) check whether
the amount of client money recorded in the firm's records as being
segregated in client bank accounts meets the firm's obligation to its
clients under the client money rules on a daily basis; or
(ii) (for the alternative approach to segregating client money) calculate the
amount of client money to be segregated in client bank accounts which
meets the firm's obligations to its clients under the client money rules
on a daily basis;
(b)
notify the FCA of its intentions to use a non-standard method of internal
client money reconciliation; and
(c)
send a written report to the FCA prepared by an independent auditor of
the firm in line with a reasonable assurance engagement and stating the
matters set out in (2).
(2) The written report in (1)(c) must state whether in the auditor's opinion:
(a)
the method of internal client money reconciliation which the firm will use is
suitably designed to enable it to (as applicable):
(i) (for the normal approach to segregating client money) check whether
the amount of client money recorded in the firm's records as being
segregated in client bank accounts meets the firm's obligation to its
clients under the client money rules on a daily basis; or
(ii) (for the alternative approach to segregating client money) calculate the
amount.’
2.13. CASS 7.6.6G (effective until 1 June 2015) states that:
‘(1) Carrying out internal reconciliations of records and accounts of the entitlement
of each client for whom the firm holds client money with the records and accounts
of the client money the firm holds in client bank accounts and client transaction
accounts should be one of the steps a firm takes to satisfy its obligations under
CASS 7.6.2 R, and where relevant SYSC 4.1.1 R and SYSC 6.1.1 R.
(2) A firm should perform such internal reconciliations:
(a) as often as is necessary; and
(b) as soon as reasonably practicable after the date to which the
reconciliation relates;
to ensure the accuracy of the firm's records and accounts.
(3) The standard method of internal client money reconciliation sets out a method
of reconciliation of client money balances that the FSA believes should be one of
the steps that a firm takes when carrying out internal reconciliations of client
money.’
2.14. CASS 7.12.2R (formerly 7.3.2R) states that:
‘A firm must introduce adequate organisational arrangements to minimise the risk
of the loss or diminution of client money, or of rights in connection with client
money, as a result of misuse of client money, fraud, poor administration,
inadequate record-keeping or negligence.’
2.15. CASS 7.13.58R (formerly CASS 7.6.8R) states that:
‘(1) In addition to the requirement under CASS 7.13.57R, before adopting the
alternative approach, a firm must send a written report to the FCA prepared by an
independent auditor of the firm in line with a reasonable assurance engagement,
stating the matters set out in (2).
(2) The written report in (1) must state whether, in the auditor's opinion:
(a) the firm's systems and controls are suitably designed to enable it to
comply with CASS 7.13.62R to CASS 7.13.65R; and
(b) the firm's calculation of its alternative approach mandatory prudent
segregation amount under CASS 7.13.65R is suitably designed to enable
the firm to comply with CASS 7.13.65R.’
2.16. CASS 7.15.14G (effective 1 June 2015) states that:
An internal client money reconciliation should:
(1) be one of the steps a firm takes to arrange adequate protection for clients'
assets when the firm is responsible for them (see Principle 10 (Clients' assets),
as it relates to client money);
(2) be one of the steps a firm takes to satisfy its obligations under CASS 7.12.2R
and CASS 7.15.3R and, where relevant, SYSC 4.1.1R (1) and SYSC 6.1.1R, to
ensure the accuracy of the firm's records and accounts;
(3) for the normal approach to segregating client money (CASS 7.13.6R), check
whether the amount of client money recorded in the firm's records as being
segregated in client bank accounts meets the firm's obligations to its clients
under the client money rules on a daily basis; and
(4) for the alternative approach to segregating client money (CASS 7.13.62R),
calculate the amount of client money to be segregated in client bank accounts
which meets the firm's obligations to its clients under the client money rules on
a daily basis.
2.17. CASS 6.2.2R states that:
‘A firm must introduce adequate organisational arrangements to minimise the risk
of the loss or diminution of clients' safe custody assets, or the rights in connection
with those safe custody assets, as a result of the misuse of the safe custody
assets, fraud, poor administration, inadequate record-keeping or negligence.’
2.18. CASS 10.1.3R states that:
“A firm falling within CASS 10.1.1 R must maintain and be able to retrieve, in the
manner described in this chapter, a CASS resolution pack.”
2.19. SUP 16.14.3R states that:
(4) ‘Subject to (3), a firm must submit a completed CMAR to the FCA within 15
business days of the end of each month.
(5) In this rule month means a calendar month and SUP 16.3.13 R (4) does not
apply.
(6) A firm which changes its 'CASS firm type' and notifies the FCA that it is a CASS
medium firm or a CASS large firm in accordance with CASS 1A.2.9 R is not
required to submit a CMAR in respect of the month in which the change to its
'CASS firm type' takes effect in accordance with CASS 1A.2.12 R, unless it was
a firm to which the requirement in (1) applied immediately prior to that change
taking effect.’
2.20. SYSC 8.1.6R states that:
‘If a firm outsources critical or important operational functions or any relevant
services and activities, it remains fully responsible for discharging all of its
obligations under the regulatory system and must comply, in particular, with the
following conditions:
(1) the outsourcing must not result in the delegation by senior personnel of
their responsibility;
(2) the relationship and obligations of the firm towards its clients under the
regulatory system must not be altered;
(3) the conditions with which the firm must comply in order to be authorised,
and to remain so, must not be undermined; and
(4) none of the other conditions subject to which the firm's authorisation was
granted must be removed or modified.’
2.21. SYSC 8.1.8R states that:
‘A common platform firm must in particular take the necessary steps to ensure that
the following conditions are satisfied:
(1) the service provider must have the ability, capacity, and any authorisation
required by law to perform the outsourced functions, services or activities
reliably and professionally;
(2) the service provider must carry out the outsourced services effectively, and
to this end the firm must establish methods for assessing the standard of
performance of the service provider;
(3) the service provider must properly supervise the carrying out of the
outsourced functions, and adequately manage the risks associated with the
outsourcing;
(4) appropriate action must be taken if it appears that the service provider may
not be carrying out the functions effectively and in compliance with
applicable laws and regulatory requirements; and
(5) the firm must retain the necessary expertise to supervise the outsourced
functions effectively and to manage the risks associated with the
outsourcing, and must supervise those functions and manage those risks’.
Decision Procedure and Penalties Manual (“DEPP”)
2.22. Chapter 6 of DEPP, which forms part of the Authority’s Handbook, sets out the
Authority’s statement of policy with respect to the imposition and amount of
financial penalties under the Act.
The Enforcement Guide
2.23. The Enforcement Guide sets out the Authority’s approach to exercising its main
enforcement powers under the Act.
2.24. Chapter 7 of the Enforcement Guide sets out the Authority’s approach to exercising
its power to impose a financial penalty.