Elkhorn grey on blue

 Practitioners at the heart of the securities industry

Giving the CF10a assurance around the integrity of the CASS reports

Controls include completeness checks and exclusions are authorised

The same, agreed account population is used across the firm

The underlying data used to perform controls is correct

Exceptions are actively reviewed, documented and interpreted to understand and address causes

Recent FCA fines have emphasised the continuing importance of accurate, entity-specific records, correct legal arrangements, and consistent and correct account naming that result in accurate CMAR returns and an adequate

CASS resolution pack.

 

Ensuring that data is accurate and correct is difficult.  Infrastructures are likely to be complex with multiple legal

entities, systems, locations and regulatory regimes and a range of products and services supported by different data, process, control and exception owners on a combination of strategic and legacy systems and processes.

 

The CF10a has responsibilities to both the regulator and their firm.  For the regulator, they must ensure rules are complied with, breaches are identified and reported, and standard reporting is accurate.  For their firm, they are responsible for minimising the risk of fines and reputational damage, identifying potential and actual breaches, and making sure that breaches are addressed.

 

In order to achieve this, they are dependent on the quality of the underlying data.  On a day to day basis this will be monitored by process owners providing assurances that all relevant data sets are complete and correct, that all necessary processes are operating effectively, and that all required exceptions are being identified and addressed.  

This will be supported by audit review and substantive testing.

 

Is this sufficient?  Most firms developed their post-trade processing models before CASS, so processes and controls

were originally designed to meet other objectives: typically operational efficiency and risk management.  The extent to which these controls map to those needed for CASS compliance will vary from firm to firm.

 

Practitioner knowledge is essential to understand the relationships between functions and where issues are likely to arise.  There may be limited understanding of hand-offs and even then, problems are not usually with understanding

the flows for core activities: it is the exceptions that cause issues.

 

Please let us know if you would like further information about our experience in helping firms with CASS control environment review, differences identification, and data and control remediation.  We have extensive experience,

both as practitioners and consultants, in working with firms to address these issues.