As with all-things CASS, one of the greatest challenges is co-ordination people across multiple departments. Everyone has their business-as-usual job which may touch on CASS to some extent and the full end-to-end client money workflow usually crosses three or more functions.
An automated system will need a way to pass content to and from individuals in different teams and stitch the whole thing together into the resolution pack proper. A good fit for web-based logins to a central portal and email notifications when it’s time to check and submit the pack info.
The whole pack is usually given an attestation at board-level at some frequency such as every 3, 6 or 12 months but individual entries or sections within the pack will need to be reviewed more often (on an ‘ongoing basis’ according to CASS 10.1.11). What is means will vary by firm and the type of information so reasonable frequencies can be anything from daily to annually and everything in between.
Firms want to minimise the overhead of maintaining the pack of course so frequently ‘polling’ the pack content to see if anything has changed would need to be done a minimum of every 5 business days to stay compliant, and that assumes the information could be corrected instantly.
More effective is to ‘wire up’ a notification system to the core content that tells the responsible person when the related info changes. If the process that requests a new bank account or the process that enters new contact details to your supplier database can notify the person responsible for the pack that this has happened then you’ll get the 5 business days in hand to make the change rather than being caught at the end of the period with a looming breach.
It is tempting at first to structure the pack around the ‘core content’ requirements of the rules (CASS 10.2) which looks like an easy way to demonstrate compliance. Unfortunately this may not be the most logical grouping for your firm’s content.
A common preference is to group all the information related to a third-party under a heading for that third-party (contacts, executed agreements, transfer procedures, etc.) rather than split out the information by type as it is stated in the rules.
Increasingly firms have bespoke software platforms or other complex components that demand a dedicated section of the pack to address. This tends to work against the one-size-fits-all approach. The pack structure should be sufficiently standard to show tick-back compliance with the rules but flexible enough to accommodate firm-specific content.
From various chats with auditors and firms about the CASS 10 visit we know that a favourite demand is to see the pack as it was on a certain date in the past. Not that hard to do with traditional IT solutions but we found there were certainly benefits in taking a database approach such as the ability to automatically generate a change log with each change attributable to an individual, date and time.
There is a certain confidence that comes from the system telling you what was changed rather than relying on a hand-written list of changes on page-one which is often the approach with manual pack maintenance.
As we know, the pack is designed as a master record but it can point to the content rather than having to contain all the content within it. This raises the question of how best to do the pointing.
That depends on 2 factors: what is the format and where is it stored. Our clients tend to have documents in Microsoft Office formats, so that makes things fairly easy to manage. Location tends to be a trickier challenge as documents usually exist on the company internal network but this doesn’t necessarily comply with CASS 10.1.7 which deals with retrieval.
There is no guarantee that the company network would be accessible after an insolvency event which would defeat the object of the pack. To deal with this we’ve worked on strategies that involve automatically scooping up the extended pack content from the network, archiving it and storing it on a secure cloud platform outside the company. Not in line with every firm’s IT policy but it is interesting that PS 14/09 has caused some fairly fundamental shifts in the way firms manage the back-office to copy with the letter of the rules.
We’ve seen resolution packs ranging from two lightweight pages to many dozens of pages and the degree of compliance does seem to vary a lot. One wonders how much the FCA (and firms in consultation) can foresee the operational implications of the rules when policy is formed… The RP has certainly given our software engineers some interesting challenges as we help minimise the risk of a breach.