2019-03-21

Isle of Man FSA Thematic Feedback on Clients' Assets Reports

The Isle of Man Financial Services Authority issued this thematic feedback to review the initial results of the Clients' Assets Reports regime and identify industry-wide compliance trends. The document highlights that while overall compliance is good, licenceholders and auditors must improve practices regarding reconciliation testing, account titling, and the handling of funds for prospective or former clients. It outlines specific areas for improvement, such as correcting incorrect procedure completions and ensuring consistent sample sizes, while recognizing good practices like comprehensive staff training and clear auditor reporting.


Isle of Man

Isle of Man Financial Services Authority


Version 1.0 Issued: March 2019 Clients’ Assets Reports Thematic Feedback For Licenceholders and Auditors March 2019

Contents

  1. Introduction
  2. Overview
    2.1. Scope
      2.1.1. Nature of Testing
      2.1.2. Trust Bank Account Testing
      2.1.3. Type of Auditor Testing
      2.1.4. Indirect Testing
    2.2. Use of Client Money Accounts
    2.3. Breaches of the Rule Book (trends)
  3. Findings
    3.1. Good Practice
      3.1.1. Auditors’ Best Practice Recommendations
      3.1.2. Comprehensive Remedial Action, including Staff Training
      3.1.3. Availability of Relevant Internal Procedures and Board Reporting (on request)
      3.1.4. Provision of Full Account Titles
      3.1.5. Clarity of Testing
    3.2. Areas for improvement
      3.2.1. Completion of Incorrect Procedures
      3.2.2. Inconsistency of Approach to Sample Sizes
      3.2.3. Number of Trust Bank Accounts
      3.2.4. Money held in Client Account for Prospective or Former Clients
      3.2.5. Reconciliation Testing
      3.2.6. Other Issues that may be identified during the course of Testing


1. Introduction

One of the Authority’s regulatory objectives is the “securing of an appropriate degree of protection for… the customers of persons carrying on a regulated activity” and, as part of this, the protection of client money and client assets is considered a key element of meeting this objective.

It is therefore essential that licenceholders make adequate arrangements to separate clients’ assets from their own, and establish and maintain appropriate policies and procedures to limit the risk of potential for loss to clients by theft and/or misappropriation of funds.

In addition, two of our Key Principles as outlined in the recently published Strategic Plan 2018-2021, are:

• We seek to understand the business of and risks posed by regulated entities: this allows us to prioritise our work, focus on what truly matters and take actions proportionate to the benefit received; and
• Regulated entities are responsible for managing the risks within their business. Our job is to design and advance a regulatory framework that promotes effective controls, good risk management and suitable disclosure; this is how we contribute to the soundness of our industry.

The aim of the Clients’ Assets Reporting regime is:

a) To improve the consistency and provide transparency regarding the scope of testing on clients’ assets;
b) To adequately support and challenge licenceholders to test their compliance in the protection of clients’ assets in accordance with the Rule Book;
c) To support the objectives of the Authority regarding the effective safekeeping of clients’ assets; and
d) To manage the expectations of the Authority and the responsible officers of those licenceholders holding clients’ assets, as to the scope of the clients’ assets testing.

In addition, the results of the compliance testing performed by undertaking the Clients’ Assets Report and Procedures (“CARP”):

a) Provide the Authority with industry trends (risk areas, breaches); and
b) Enable the Authority to make regulatory interventions in relation to client assets on a timely, firm-specific or thematic basis.

2. Overview

Clients’ Assets are held by, among others, regulated Investment Businesses, Fund Service providers, Trust and Corporate Service Providers, and Money Service providers.

For financial years ending on or after 1 January 2017 to 31 December 2017, being the first financial year to which the new reporting regime related, the Authority received and considered the results of 125 Clients’ Assets Reports prepared by licenceholders, which were independently tested by auditors or accountants.

The Authority has been pleased with both the standard and the results of submissions received to date. No significant regulatory intervention has been required and the overall results of the Year 1 Clients’ Assets Reports have shown a good level of overall compliance with the parts of the Rule Book tested.

From the remedial action identified and provided to the Authority to date, it is noted that changes are being made by licenceholders as an outcome from the testing, to improve their systems and controls around segregation, record keeping and reconciliations.

Further, since the launch of the framework, the Authority has welcomed constructive feedback from licenceholders which helped formulate the "frequently asked questions", and also resulted in a number of updates being made to the Clients’ Assets Report and Procedures document.

We hope that completion of the Clients’ Assets Report has provided licenceholders with a useful opportunity to review the specific client assets risks within their business.

2.1. Scope

2.1.1. Nature of Testing

The scope of the Clients’ Assets Report remains appropriate in terms of focus on reconciliations and transactions testing, as these are considered key risk areas for auditor review.

This is highlighted by the fact that, through undertaking the testing now required, licenceholders identified cases where reconciliations had not taken place as required, and as a result such breaches had not been previously identified (and notified[1]) to the Authority. Improvements to strengthen controls in these areas are being made as a result.

[1] In accordance with rule 3.12(2)(h) for client bank accounts, rule 3.34(2)(f) for trust bank accounts or rule 3.40(5)(a) for segregated accounts.

2.1.2. Trust Bank Account Testing

There was some confusion identified early in the process as to whether transactions testing is required in relation to trust bank accounts. Some early Clients’ Assets Reports omitted this area of testing; however, the Clients’ Assets Report and Procedures document was updated by the Authority in September 2017 to clarify the requirements. Transactions testing must be completed in relation to any trust bank accounts going forward.

2.1.3. Type of Auditor Testing

The method of auditor testing agreed at the outset was “re-performance”, with the auditor independently testing a proportion, of no less than 20%, of the sample testing originally performed by the licenceholder.

It is considered that “re-performance” remains the most appropriate method for testing under the Authority’s current Risk-Based Approach (for auditor frequency of review).

Of the 125 submissions received during the first round of Client Asset Reports which were all subject to audit testing, the risk-based approach resulted in the following audit testing frequency:-

• Annually: 22%
• Every two years: 52%
• Every three years: 23%
• Not applicable (e.g. surrendered): 3%

Auditors identified exceptions in 16% of cases (in addition to those identified by licenceholders’ own testing[2]).

2.1.4. Indirect Testing

The performing of the Clients’ Assets Report indirectly tests clients’ assets procedures and related training. It is a licenceholder’s responsibility to ensure that its procedures and training sessions are tailored to its business requirements and clients’ assets arrangements (including types and values of clients’ assets held). This should then link to a licenceholder’s risk management framework and risk appetite.

[2] Licenceholders identified exceptions in 54% of the first round of submissions.

2.2. Use of Client Money Accounts

The Clients’ Assets Reports provided to the Authority indicate that 90% of the licenceholders that submitted a Clients’ Assets Report utilise pooled Client Money Accounts. However, there was a wide diversity between, and within, the different sectors in the following areas:-

• the number of individual client bank accounts and trust bank accounts;
• policies around the use of certain types of account; and
• transaction volumes.

2.3. Breaches of the Rule Book (trends)

It is important that compliance with Part 3 and/or Part 4 of the Rule Book is examined and reported in a way that will identify non-compliance on the part of licenceholders.

Outlined below are the key rules where remedial action has been required by licenceholders, along with examples of the type of remedial action undertaken. For each Rule Book Reference, the entries give the Details of Breach (together with details of which sub-paragraph of the Rule, if relevant) and the Type of remedial action undertaken by licenceholders (“l/h”).

  1. Rule 3.9 - Operation of client bank account

  Details of Breach:
  • Sub-paragraph (1): Titling of client bank accounts.
  • Sub-paragraph (5): Overdrawn accounts.
  • Sub-paragraph (7): Timing issues in terms of transferring out non-clients’ money.

  Type of remedial action undertaken by l/h:
  • Account retitled.
  • More regular monitoring of clients’ accounts.
  • Updated and enhanced l/h procedures in place.

  2. Rule 3.10 - Records to be kept by licenceholder

  Details of Breach:
  • Descriptions of transactions inadequate.

  Type of remedial action undertaken by l/h:
  • Provision of staff training for all those involved in the process (inputter and 4-eyes checker) and reconciliation.
  • Updated and enhanced l/h procedures in place.

  3. Rules 3.11 (client bank account) and 3.33 (trust bank account) - Accounting for and use of client/trust money

  Details of Breach:
  • Sub-paragraph (1) and (2)(a): Money held in client accounts on behalf of potential clients (for a prolonged period for two or more years in certain cases).
  • Sub-paragraph (1) and (2)(a): Money held in client accounts on behalf of ex-clients that have dissolved or transferred out.

  Type of remedial action undertaken by l/h:
  • Returned funds.
  • New prompts (for example, in a ‘closure checklist’) to ensure Client’s Money is not held when making a declaration of dissolution.
  • More regular monitoring of clients’ accounts.
  • Updated and enhanced l/h procedures in place.

  4. Rules 3.12 (client bank account), 3.34 (trust bank account) and 3.40 (segregated account) - Reconciliation

  Details of Breach:
  • Sub-paragraph (1): Inactive accounts overlooked.
  • Sub-paragraph (1): No trustee minute (minutes of meeting or a blanket trust minute that relates to a number of trusts) in place to support the frequency of trust reconciliations on a 12 monthly basis instead of ‘not more than 25 business days apart’.
  • Sub-paragraph (2): Lack of evidence of 4-eyes checks.
  • Sub-paragraph (2): Untimely reconciliations and controls not always sufficient to promptly identify oversight and notify the Authority accordingly.
  • Sub-paragraph (1): Trust accounts not fully reconciled as required by the rule.

  Type of remedial action undertaken by l/h:
  • Enhancements to the Compliance Monitoring Programme in place.
  • Compliance Reviews undertaken to ensure all trust accounts have resolutions in place.
  • Introduction of 4-eyes checking stamps.
  • Implementation of new control logs and centrally stored reconciliations.
  • New workflow management tool.
  • Provision of staff training.
  • Updated and enhanced l/h procedures in place.

  5. Rule 4.7 - Reconciliation of investments and title documents

  Details of Breach:
  • Sub-paragraphs (1) and (2): Lack of documentation to support that the frequency of custody reconciliations reflects the licenceholder’s assessment (which must be reviewed annually) of the risks to which the safe custody assets are exposed, such as the nature, volume and complexity of the business.

  Type of remedial action undertaken by l/h:
  • Updated and enhanced l/h controls and procedures in place, covering the need for an annual review and monitoring to ensure that the review takes place.

3. Findings

The Clients’ Assets Report marks a significant improvement to the reporting on clients’ assets and we remain satisfied that it meets its four aims, as outlined above under Section 1. Nevertheless, as anticipated, there remains work to be done to continue to embed the Clients’ Assets Report as an additional licenceholder reporting mechanism.

Detailed below are examples of good practice and areas for improvement:

3.1. Good Practice

3.1.1. Auditors’ Best Practice Recommendations

It is noted that auditors have on occasion provided best practice recommendations (not simply breach reporting), particularly in relation to record keeping, in the Appendix D2 Auditor’s Sample and Exception Log. It is noted that this exception log is a useful tool for auditors to communicate best practice standards to improve internal controls in respect of the handling of clients’ assets across industry.

3.1.2. Comprehensive Remedial Action, including Staff Training

A wide variety of remedial action and/or improvements to internal controls has been undertaken by licenceholders following completion of their first Clients’ Assets Report. It is pleasing to note that a number of licenceholders have reviewed their staff training procedures, and provided additional staff training to improve the handling of clients’ assets.

3.1.3. Availability of Relevant Internal Procedures and Board Reporting (on request)

A number of Compliance departments have provided information sheets to the Authority to show their approach to sample testing and reporting to the Board. Whilst not required to be submitted to the Authority, Compliance departments should be in a position to provide this information on request and should be sharing it with their auditor.

3.1.4. Provision of Full Account Titles

A number of licenceholders provided full titles of accounts in Appendix C2 Details of Reconciliations. This is important as it improves transparency as to the type of accounts tested. It also avoids questions if it appears to the Authority that Rule Book requirements for titling accounts have not been met.

3.1.5. Clarity of Testing

A number of licenceholders and auditors provided a good level of detail in Appendices C2 Details of Reconciliations and D2 Auditor’s Sample and Exception Log in respect of provision of full details of the testing carried out in the style set out in the Example provided by the Authority.

This is important, as it helps to demonstrate that the required minimum sample testing has been carried out in respect of number of accounts, reconciliations and transactions tested. It also helps to clearly demonstrate that the minimum 20% sample testing (of a licenceholder’s sample) has been completed by the auditor. This is helpful to the Authority and will result in fewer queries and requests for further information.

3.2. Areas for improvement

3.2.1. Completion of Incorrect Procedures

It was identified in a number of reports that more care should be taken in respect of the sections of the Clients’ Assets Report completed. For example, a significant number of licenceholders incorrectly completed the procedures in relation to “Segregated Accounts” when they do not hold a Class 8 financial services licence, and therefore cannot operate Segregated Accounts.

3.2.2. Inconsistency of Approach to Sample Sizes

Inconsistencies were identified in terms of selected sample sizes and it was not clear whether different approaches were identified as an issue by the relevant auditors.

Consideration will be given by the Authority as to how it can improve its guidance to assist licenceholders and their auditors and to improve consistency of approach.

3.2.3. Number of Trust Bank Accounts

The total number of trusts administered has been used as the total population, instead of the number of trust bank accounts; this approach skews the sample size to be tested and should therefore be avoided.

3.2.4. Money held in Client Account for Prospective or Former Clients

Procedure 1, sub-procedure 2 (rules 3.11(2)(b) and 3.33(2)(b)) requires that if any money relates to prospective or former clients this should be identified in the exception log as it is not “client money”, and should therefore be removed from the client account without undue delay.

When considering what, if any, remedial action is required, attention should be given to matters such as the adequacy of policies and procedures, and timescales involved. Where the client entity has dissolved, it should be considered whether client monies were in the client account when a declaration of dissolution was made.

3.2.5. Reconciliation Testing

Whilst section 23 of the Clients’ Assets Report requires that one of the samples should be the last reconciliation in the period, it was noted by the Authority that this approach was not always apparent from the Appendix C2 Details of Reconciliations provided. On the other hand, some licenceholders appeared to interpret that only the last reconciliation was required to be tested.

The CARP covers the full financial period, not just the last reconciliation of the period. The number of additional reconciliations sampled from each account is at the licenceholder’s discretion (Footnote 11 of the Clients’ Assets Report).

3.2.6. Other Issues that may be identified during the course of Testing

Although only indirectly tested, we have identified errors in account titles and at least one instance of a corporate trustee bank account in operation that had not been identified by either the licenceholder, or the auditor during the course of testing.