Chapter 6: Risk Management 

General

  1. The Central Bank expects an investment firm to have an appropriate client asset risk management framework in place to identify risks to the investment firm’s objectives, policies and processes in respect of holding client assets.
  2. While the risk management framework for client assets is distinct, it may be incorporated as part of an investment firm’s broader risk management framework.
  3. Investment firms should consider how each of the seven core principles of client asset protection is considered and adopted within the investment firm’s client asset risk framework.
  4. Investment firms should pay particular attention to the findings and good practices identified by the Central Bank as part of its thematic review of the ‘Risk Management’ principle, as set out in the letter to industry dated 20 April 2017.
  5. An investment firm should facilitate regular reporting to the board, and relevant committees within the investment firm, regarding quantitative and qualitative client asset metrics. The frequency of such reporting should be determined by the investment firm and the basis on which such frequency was determined should be documented in the Client Asset Management Plan (CAMP).
  6. Key judgements and decisions made by the board and/or senior management in relation to client asset protection should be documented in the CAMP along with the basis for that judgement and the information used to support it at that time. At a minimum, this should include judgements in relation to:
    • Materiality thresholds;
    • Concluding whether a product or service is regulated or unregulated;
    • Determining whether a product or service is in scope of the Client Asset Requirements (CAR) and MiFID II safeguarding of client asset rules;
    • Approving new products;
    • Appointing new third parties; and
    • Managing concentration risk (client and counterparty).

This is not an exhaustive list. In the event that circumstances change, consideration should be given to the impact of such changes on key client asset related judgements and necessary documentation should be updated.

Head of client asset oversight

  1. In accordance with Regulation 71 of the CAR and paragraph 6 of Schedule 3 to the MiFID Regulations, an investment firm that holds client assets is required to appoint an individual to the role of Head of Client Asset Oversight (HCAO).
  2. The HCAO is a Pre-Approval Controlled Function (PCF), specifically PCF-45, and accordingly is required to comply with the Central Bank’s Fitness and Probity Standards and obtain Central Bank pre-approval prior to appointment.

Role of the board

  1. The board of an investment firm is ultimately accountable and responsible for ensuring that an investment firm has effective arrangements in place to safeguard client assets. The requirement to appoint a HCAO does not detract from this.
  2. It is the board’s responsibility to ensure that the HCAO role is allocated to an individual with adequate authority, training, resources and expertise. The board should note that the individual proposed for the HCAO role is subject to pre-approval by the Central Bank and is required to comply with the Fitness and Probity Standards on an ongoing basis thereafter.
  3. The board should ensure that sufficient due diligence has been undertaken to support the nomination of the individual to the HCAO, and provide an appropriate level of resources for the HCAO to carry out the role effectively.

Nomination to HCAO

  1. Where an investment firm proposes to appoint an individual as HCAO, the individual should be a senior manager at the investment firm who has direct access to the board in respect of that function.
  2. Investment firms should document in the CAMP the criteria used by the investment firm in selecting, assessing and appointing an individual to the role of HCAO. As part of this assessment, consideration should be given to any potential conflicts of interest the proposed HCAO may have.
  3. A periodic re-assessment of HCAO resourcing requirements should be undertaken and documented by the investment firm. The responsibilities of the HCAO should be tailored to the business model of the investment firm.
  4. An investment firm should document clear and distinct reporting obligations for the HCAO in the CAMP. Where the HCAO holds other roles within the investment firm and has more than one reporting line, this should be clearly called out.

Stakeholders, support staff and cover

  1. Building and maintaining relationships with key stakeholders is essential to ensuring the HCAO role is effectively discharged. The HCAO has a significant role to play in ensuring that relevant stakeholders have adequate knowledge regarding the investment firm’s obligations to safeguard client assets and that there is a forum for regular discussion of client asset matters among stakeholders. A client asset specific forum or other existing fora (e.g. Risk Committee) should be used to facilitate open consultation and information sharing on client asset matters among relevant stakeholders within the investment firm.
  2. Depending on the nature, scale and complexity of an investment firm’s client asset arrangement, the HCAO may require staff to support delivery of their responsibilities. The reporting lines, roles and responsibilities of those individuals should be clearly documented.
  3. It is expected that the HCAO role be filled at all times. Where the HCAO is absent from the investment firm (e.g. annual leave), the board and the HCAO should ensure that a person with the appropriate seniority and client asset expertise provides coverage and performs the usual duties of the HCAO in their absence. In the same way as the HCAO carries out their role, this individual should be available as a point of contact for all client asset matters, both to staff within the investment firm, and externally (e.g. to make submissions to the Central Bank). The name, role title and contact details for this individual should be documented in the CAMP.

Training

  1. The board of an investment firm should ensure that the HCAO has access to any relevant training as required to fulfil their duties.
  2. The HCAO should deliver periodic on-going training to the individual that provides cover and performs the usual duties of the HCAO in their absence and this should be evidenced.
  3. The HCAO should provide on-going training to employees of the investment firm, including board members, in order to increase knowledge and awareness of client asset arrangements and obligations, and to promote a culture of engagement and challenge.
  4. Topics to be covered as part of client asset training may include the following:
    • The key obligations of the firm relating to safeguarding of client assets under the CAR and the MiFID II safeguarding of client asset rules;
    • The various touchpoints throughout the client asset life cycle within the investment firm to help employees understand where client asset obligations arise in their day-to-day activities (e.g. in the context of client on-boarding, training should be provided in relation to the relevant disclosures that are provided to clients in relation to client assets); and
    • The materiality thresholds, reporting process and timeframe for escalating client asset related issues within the investment firm.

Conflicts of interest

  1. The board of an investment firm should ensure that the individual undertaking the HCAO role can demonstrate that they are free from any conflicts of interest in this area. In this regard, the HCAO should be sufficiently removed from the performance of the day-to-day operational functions relating to the safeguarding and administration of client assets.
  2. Independence from day-to-day operational client asset processes is important for the HCAO role to be effective. Where a conflict of interest is unavoidable, it should be identified and adequately managed. Investment firms should capture in the CAMP the measures in place to manage any potential conflicts of interest that may arise from the performance of the HCAO role.

Oversight and reporting

  1. The HCAO should introduce a tailored approach to oversight in order to monitor and challenge the way in which client asset responsibilities are discharged within the investment firm. This should comprise a combination of daily and other less frequent monitoring activities, as deemed appropriate.
  2. The HCAO should facilitate the regular reporting of client asset information to the board and relevant committees.
  3. Where the reviews required under Regulations 57(8) and 58(11) of CAR are performed by an individual other than the HCAO, the HCAO should review the output from client asset calculations and reconciliations on a sample basis. The HCAO should also review any adjustments made to internal records as part of these processes, on a sample basis.
  4. The HCAO should undertake periodic reviews of the investment firm’s client asset obligations and formally report the findings to the board and/or relevant committees. The frequency of such reviews, which should be based on the nature, scale and complexity of an investment firm’s client asset arrangements, should be documented in the CAMP.
  5. It is important that the HCAO considers how oversight and challenge are exercised in relation to any outsourcing arrangement relevant to client assets. Investment firms should establish an oversight framework in order to ensure the on-going robustness of outsourcing arrangements as they relate to client asset functions. This framework should include a process to ensure that the HCAO independently reviews and challenges, on an ongoing basis, the management information received from outsourced service providers in the context of client asset protection. This oversight framework should be documented formally and included in the CAMP.
  6. The HCAO should maintain open engagement with the investment firm’s client asset external auditors.

Client asset management plan

  1. The CAMP is a fundamental feature of an investment firm’s client asset risk management framework and is essential to ensuring client asset risks are effectively managed.
  2. The CAMP should be regarded by investment firms as a “master” document for the purpose of documenting client asset arrangements, risks and mitigating controls.
  3. Investment firms should consider engaging external skilled persons with the requisite client asset regulatory expertise during the initial drafting or enhancement of the CAMP.

Purpose of the CAMP

  1. The purpose of the CAMP is to:
    • Document an investment firm’s business model and related risks in respect of the safeguarding of client assets and the controls in place to mitigate those risks;
    • Demonstrate how an investment firm’s systems and controls meet the principles of the client assets regime;
    • Enable the board to monitor, challenge and approve material changes to an investment firm’s business model and its client asset processes and controls, and to understand the associated risks to safeguarding client assets; and
    • Make information readily available to assist in the prompt distribution of client assets, particularly in the event of the investment firm’s insolvency.

Reviewing the CAMP

  1. While Regulation 72 provides that the CAMP should be reviewed and updated at least on an annual basis, this does not detract from the fact that the CAMP should be considered a “living” document. It must be continually re-assessed to ensure it remains current and reflective of an investment firm’s evolving business model, client asset risks and mitigating controls.
  2. In addition to, or as part of, the requirement in Regulation 71(2)(e), the HCAO should oversee regular sample testing of the CAMP to ensure:
    1. Documents or other supporting information can be retrieved immediately (where locations/hyperlinks to folders and/or documents are provided in the CAMP); and
    2. Information is up-to-date, such as access rights, key internal and external contacts and organisational structure.
  3. An investment firm should ensure that the external auditor, responsible for performing the client asset examination (CAE) and preparing the assurance report, reviews any processes undertaken by the investment firm to assess the on-going appropriateness of the CAMP, including evidence of any steps taken by the investment firm to test and maintain the CAMP (e.g. periodic testing of hyperlinks in the insolvency section).

Changes to the CAMP

  1. An investment firm’s CAMP should be updated in a timely manner in order to reflect material changes to the investment firm’s business model or a change in circumstances that affect how the investment firm safeguards client assets, to ensure the CAMP remains current and up-to-date.
  2. Material changes to the CAMP may be triggered in many ways, such as through errors, omissions or control weaknesses highlighted during regular internal monitoring, or through findings from the client asset examination conducted by the investment firm’s external auditor.
  3. Material changes to the CAMP will likely be required where there are significant changes to an investment firm’s business model which may impact on the content of the client asset applicability matrix and the client asset risk matrix (e.g. a significant project, acquisition or migration affecting client assets should be promptly and appropriately reflected in the CAMP).
  4. Material changes to the CAMP should be notified to, discussed with and approved by, the investment firm’s board. All other changes (i.e. those considered non-material) to the CAMP should be documented and reported to the board as deemed necessary by the HCAO.

Structure of the CAMP

  1. An investment firm should ensure that the CAMP is well structured. It may choose to do so under the following key headings:
    • Business model and risk assessment (including Client Asset Applicability Matrix and Client Asset Risk Matrix);
    • Operational structures;
    • Governance and outsourcing arrangements;
    • Processes, procedures and records;
    • Information to facilitate the distribution of client assets (insolvency plan); and
    • Additional information pertinent to the investment firm.

Content of the CAMP

  1. The following guidance on the content of the CAMP is non-exhaustive and does not specifically address each of the individual requirements in Regulation 72(4).
  2. An investment firm should document in its CAMP matters relevant to its business model and related risks to safeguarding client assets. The content of the CAMP should appropriately reflect the nature, scale and complexity of the investment firm’s business model and associated client asset arrangements.
  3. An investment firm’s CAMP should be of sufficient detail to enable an independent reader to understand the investment firm’s business model, the resulting risks to safeguarding client assets and the controls in place to mitigate those risks. Independent readers would include the Central Bank, an insolvency practitioner and an external auditor.
  4. To avoid duplication of information, the CAMP may guide the reader, where applicable, through hyperlinks or other such pathways to the location of relevant internal documents. Supporting access details should be provided to ensure information pertaining to client assets is readily available. Investment firms should continually monitor hyperlinks or other such pathways that have been included in the CAMP, to ensure that they continue to operate effectively and that the information contained in the linked documentation is up to date at all times.

A. Business model and risk assessment (including Client Asset Applicability Matrix and Client Asset Risk Matrix)

Business model

  1. An investment firm’s CAMP should clearly explain how client asset obligations arise in the context of the investment firm’s business model and describe how the investment firm is able to differentiate, monitor and control the client assets subject to the CAR and the MiFID II safeguarding of client asset rules as distinct from other assets.

Client asset applicability matrix

  1. The purpose of the Client Asset Applicability Matrix (CAAM) is to ensure that an investment firm has carried out a robust assessment of where client assets arise across its business lines and services. The CAAM should provide an independent reader with a clear and succinct overview of the products and services/activities that are in or out of scope of the client asset regime, so that it is readily understood where and how client assets arise within each business line of an investment firm.
  2. The CAAM should set out a clear rationale as to why a product or service/activity is in or out of scope of the applicable client asset provisions (e.g. where an investment firm enters into TTCAs with clients in one business line, the CAAM should indicate that full transfer of title to client assets may arise in this business line, and provide this as a rationale for circumstances under which assets are not considered client assets).
  3. In developing and maintaining the CAAM, investment firms should conduct initial and ongoing assessments of their business lines and associated product and service offerings, including any new product or service offerings/activities.
  4. The CAAM should include:
    • A reference to all business lines within the investment firm;
    • A list of the products and services/activities offered by the investment firm, and in each case an indication of whether they are in or outside the scope of the CAR, supported by a clear rationale. Investment firms may wish to reference the investment services and activities listed in Part 1 of Schedule 1 to the MiFID Regulation for this purpose;
    • A list of the types of client financial instruments held by the investment firm. Investment firms may wish to reference the financial instruments listed in Part 3 of Schedule 1 to the MiFID Regulation for this purpose; and
    • The investment firm’s rationale and judgement where there has been ambiguity on concluding whether a product or a service/activity is or is not subject to the client asset regime. This should include reference to any advice (e.g. legal) obtained and relied upon in making this determination.
  5. The CAAM should be clearly structured, easy to follow and may be set out in tabular format.

Table 1: Extract from sample CAAM

 

| Business Line | Service/activity | Type of financial instrument (if relevant) | In scope of the CAR | Rationale for determination | Additional information |
| --- | --- | --- | --- | --- | --- |
| Wealth management | Reception and transmission of orders in relation to one or more financial instruments. | Transferable securities | Yes | Client funds: The money received from clients relates exclusively to an investment firm activity that is a regulated financial service. Client financial instruments: The firm has been entrusted with these transferable securities on account of a client and holds them on behalf of the client. | |

Client asset risk matrix

  1. In order to embed the CAMP effectively in an investment firm’s overall risk management framework, it is necessary to incorporate a comprehensive risk identification process into the maintenance of the CAMP that captures and evaluates emerging investment firm-specific risks. Accurate risk identification is necessary in order to effectively evaluate the adequacy of controls in mitigating risk as new risks relating to the safeguarding of client assets emerge.
  2. Investment firms should develop and maintain a client asset risk matrix in the CAMP, which can be readily understood by an independent reader, to promote a greater level of oversight and challenge in evaluating the effectiveness of an investment firm’s client asset control framework.
  3. The client asset risk matrix should reflect fully the risks to safeguarding client assets, including those specific to the investment firm’s business model and operational arrangements. The client asset risk matrix should also set out the processes and controls in place to mitigate these risks to the safeguarding of client assets and include an evaluation of how those controls mitigate the risks.
  4. An investment firm may use the client asset risk matrix for the purpose of presenting the information required under Regulation 72(4)(d) and (e) of the CAR.
  5. For the purpose of Regulation 72(4)(d) and/or as part of the client asset risk matrix, an investment firm should capture all relevant risks to the safeguarding of client assets in the CAMP, which may include:
    • Counterparty risk including jurisdiction and associated legal risks;
    • Concentration risk;
    • Contagion risk;
    • Operational risk including risk of fraud;
    • Complexity of assets;
    • Non-compliance with client instructions;
    • Outsourcing risk, including those risks relating to service continuity where there is a material reliance on the outsourced service provider;
    • Over-reliance on group arrangements;
    • Emerging risks;
    • Risk of loss or misplacement of physical client financial instruments;
    • Key person risk;
    • IT risk;
    • Market risk; and
    • Regulatory risk.
  6. For the purpose of Regulation 72(4)(e) and/or as part of the client asset risk matrix, an investment firm should include descriptions of the processes and controls which mitigate the risks to the safeguarding of client assets in the CAMP, which should include, where relevant:
    • The controls associated with the registration of client financial instruments, taking into account the nature of the financial instruments, the relevant counterparty and jurisdiction, as well as any outsourcing arrangements;
    • The controls relating to the removal of money that is not client funds from a third party client asset account;
    • The controls in place to safeguard physical client financial instruments (e.g., access rights to a fire-proof safe);
    • The approach to be taken in circumstances where an investment firm is unable to identify the client on whose behalf client funds were deposited into a third party client asset account, including where the investment firm has incomplete documentation on hand to set up a client on the investment firm’s internal client ledger;
    • The controls in place to ensure that any amendments to the list of third parties where client funds and client financial instruments are deposited are made only following approval by senior management;
    • The controls in place to mitigate counterparty risk;
    • The processes and controls applied by the investment firm when maintaining and updating relevant legal agreements (including fund facilities and financial instruments facilities agreements) associated with the holding of client assets;
    • The systems and controls in relation to the production of information on client assets and submission of such information to other parties;
    • The internal and external IT systems and controls which validate the data obtained from the IT systems that form part of an investment firm’s client asset arrangements. This should include sufficient information to demonstrate how these systems and controls meet the principles of the client asset regime; and
    • Details of the continuous evidence-based evaluation of the risk of fraud, both internal and external, and the adequacy of controls in mitigating this risk.
  7. The Central Bank expects an investment firm to have appropriate segregation of duties to ensure documented controls are reviewed by independent, appropriately qualified and knowledgeable staff.

B. Operational structures

  1. An investment firm should provide details of the operational structure that supports the investment firm’s client asset arrangements, including key committees and support functions, in the CAMP.

C. Governance and outsourcing arrangements

Governance

  1. The CAMP should contain an organisational chart detailing the various roles involved in the monitoring and oversight of client asset related processes and controls and any relevant reporting lines.
  2. The CAMP should document details of the management information provided to the board of the investment firm and any relevant governance forums for the purpose of monitoring the risks and mitigating controls associated with the safeguarding of client assets, including details of the recipients of this information. The CAMP should record where such management information is located.
  3. The CAMP should document the particular responsibilities of the HCAO and how those responsibilities are implemented in practice.

Oversight of outsourced functions

  1. Where an investment firm outsources to another party (regardless of whether that other party is in the same group as the investment firm or is independent) the performance of any function related to the safeguarding of client assets, the arrangement should be clearly documented in the CAMP. This should include the following details:
    • The name of the outsourced service provider;
    • Its jurisdiction of incorporation;
    • A description of the client asset functions it undertakes on behalf of the investment firm;
    • The rationale for the outsourcing arrangement;
    • An explanation as to where the arrangement fits into the overall client asset control framework; and
    • Any function(s) which is specifically excluded from the outsourcing arrangement.
  2. For the avoidance of doubt, the requirement under Regulation 72(4)(k) applies to outsourced service providers as opposed to those third parties with whom client assets are deposited.

  3. The investment firm should have adequate and effective oversight over the outsourced service provider to ensure that the appropriate processes, systems and controls are in place to support the continued performance of the outsourced function. This would also apply where the outsourced service provider is part of the same group as the investment firm. The investment firm should maintain a record to evidence the oversight of the process.
  4. An investment firm should document in the CAMP how the HCAO reviews and challenges management information received from outsourced service providers. This should include details of the frequency and format (e.g. discussion at client asset fora) of such reviews.

D. Processes, procedures and records

  1. Investment firms should include an overview of how client asset reconciliation and calculation processes are performed, the frequency at which these processes are performed, and the approach to investigating, identifying the cause of and remediating client asset differences or discrepancies identified through the performance of these processes. A hyperlink (or other such pathway) to the underlying procedural document(s) in respect of these processes may also be included.

E. Information to facilitate the distribution of client assets

  1. The insolvency information must form a stand-alone section in the CAMP and operate as an effective ‘road-map’ for an independent third party, such as an insolvency practitioner.
  2. An investment firm should ensure there is sufficient information available to enable the distribution of client assets to take place as efficiently and effectively as possible, with minimum cost to clients in the event of the investment firm’s insolvency. This information could also be required in the event that an investment firm is required to facilitate an orderly transfer of assets to another investment firm.
  3. Insolvency information may be contained in the CAMP or it may guide the reader, where applicable, through hyperlinks or other such pathways to the location of relevant information. Supporting access details should be provided to ensure information to facilitate the distribution of client assets is readily available.
  4. Investment firms should conduct regular reviews of the content in the insolvency section of the CAMP and continually monitor hyperlinks or other such pathways to ensure that they continue to operate effectively and that the information contained in the linked documentation is up to date at all times and is accessible to an independent party, such as an insolvency practitioner.
  5. An investment firm should consider the following information for inclusion in the insolvency section of the CAMP:
    • A list of all third parties where client funds and client financial instruments are deposited, including account numbers, whether third party client asset accounts are omnibus accounts, and details of the persons authorised to conduct transactions on third party client asset accounts;
    • A list of agreements between the investment firm and any third party, and any amendments to such agreements. This should include fund facilities and financial instruments facilities agreements in place with third parties, along with details of any arrangements with sub-custodians;
    • A list of any agreements with relevant parties;
    • A list of any agreements between an investment firm and any nominee which holds client assets on behalf of the investment firm, as well as information on associated accounts;
    • A list of any agreements with outsourced service providers relating to the outsourcing of any critical or important function related to the safeguarding of client assets;
    • A record of the location of the books and records that the investment firm maintains pursuant to the requirements in CAR, along with instructions for access. This should include any relevant books and records held by other parties on behalf of the investment firm;
    • Details of the relevant client asset accounts on the general ledger system(s) used by the investment firm for recording client asset transactions, including instructions for accessing all relevant books and records and generating any relevant reports from the general ledger system(s) and details of all staff with access to the general ledger system(s);
    • A description of any key reports used to monitor client assets with instructions on how to generate such reports;
    • A record of the location where the most recent client funds calculation and client financial instrument calculation is stored and details of how to access previous calculations;
    • A record of the location where the most recent client funds and client financial instrument reconciliations are stored and details of how to access previous reconciliations; and
    • Details of any applicable investor compensation or deposit guarantee schemes in jurisdictions where an investment firm has deposited client assets with third parties.
  6. More generally, the CAMP should be sufficiently detailed to enable an insolvency practitioner to understand the business model and controls for safeguarding client assets. It is important that the CAMP provides a sufficient level of detail for an insolvency practitioner to understand the type of client assets held by the investment firm and where they are deposited.

F. Additional information

IT systems and controls

  1. The CAMP should include an explanation of all internal and external IT systems used by the investment firm in respect of client asset processes and the controls which validate the data obtained from these IT systems.
  2. An investment firm’s CAMP should document how access is controlled and monitored for key IT systems. It is also important that an independent reader can understand the interactions and dependencies between key IT systems, relevant to client asset processes.
  3. An investment firm should outline in the CAMP, the arrangements that it has in place to ensure that critical systems relating to the safeguarding of client assets remain accessible and operational, particularly in the event of an investment firm’s insolvency. Such arrangements should form part of the investment firm’s business continuity planning.

Investment and settlement cycle

  1. The CAMP should document the general flows of client assets in and out of third party client asset accounts. This should include, where applicable, the use of margin and collateral accounts associated with client financial instruments.
  2. An investment firm should document the risks associated with the investment and settlement cycle in relation to client assets. This should, at a minimum, include a description of the mechanisms and control processes in place throughout the investment cycle, including:
    • The initial receipt of client funds and/or client financial instruments;
    • Any subsequent investment and re-investment where applicable;
    • The processing of coupons, dividends and maturity proceeds; and
    • Disbursements to the client.
  3. The overview of the investment and settlement cycle should include, but not be limited to, flowcharts or illustrative diagrams showing critical manual interventions involved in the processing of client assets.

Materiality

  1. An investment firm should identify and regularly re-assess its client asset materiality thresholds, to ensure that there is regular and meaningful escalation and reporting of client asset matters. The materiality thresholds for escalating matters within the investment firm, including to the board, and/or reporting to the Central Bank should be documented in the CAMP. An investment firm may have different materiality thresholds and triggers for different processes and controls. Materiality in the context of reconciliation differences is discussed in more detail in the Guidance on Reconciliation Requirements chapter of this Guidance Note.
  2. Materiality thresholds should be calibrated so as to identify issues in an investment firm’s controls, processes and procedures for safeguarding client assets. These thresholds and related triggers should be approved by the board and take into account both quantitative and qualitative criteria.
  3. An investment firm should specify and document in the CAMP a quantitative level of materiality (e.g. the level of client assets) which would trigger escalation within the investment firm and/or reporting to the Central Bank, along with the basis for this judgement. This should take into account the amount of client assets held and also consider the investment firm’s own net assets.
  4. Investment firms should also consider qualitative criteria which may trigger reporting or escalation within the business (e.g. the complexity of client assets, the type of clients, and prior history of incidents and breaches relating to client assets). An incident may be quantitatively immaterial but have other features which may pose a risk to effectively safeguarding client assets (e.g. where an investment firm is contemplating the use of non-standard practices in order to facilitate a client, even if this does not relate to a material quantum of client assets, this should trigger an immediate escalation within the investment firm as it may expose the investment firm to increased operational risks, with potential for adverse consequences).
  5. Investment firms should document in the CAMP the qualitative criteria which may trigger escalation within the investment firm and/or reporting to the Central Bank, along with the basis for this judgement.
  6. An investment firm should monitor its materiality threshold levels on an on-going basis, to ensure they are fit for purpose and appropriately calibrated to the investment firm’s evolving business model and client asset transaction cycle. Where there is a change to its business model, the environment or the level of client assets held, an investment firm should amend the materiality threshold level as appropriate. Any changes to client asset materiality threshold levels should be approved by the board and clearly communicated to the investment firm’s staff, as appropriate.
  7. Staff within the investment firm that are assigned tasks relating to obligations under the CAR should be sufficiently qualified, knowledgeable and experienced to identify when both qualitative and quantitative materiality thresholds are met.

Breach and incident log

  1. The Central Bank is of the view that information relating to client asset breaches and incidents, regardless of materiality, should be readily accessible by an independent third party, in particular the Central Bank and the investment firm’s external auditor (as part of the preparation of the assurance report required under Regulation 73(1) of the CAR). It may also serve as a helpful resource to the investment firm itself as part of regular staff training on client assets and/or in evaluating materiality thresholds. This does not detract from the requirement for an investment firm to report any breach of the CAR, in accordance with Regulation 76(1)(f) of the CAR.
  2. The location of the client asset breach and incident log should be referenced in the CAMP by hyperlink or other such pathway.
  3. The client asset breach and incident log should list all client asset breaches/incidents, and in each case contain the below information (at a minimum):
    • Indicate the relevant provision(s) in the CAR and/or the MiFID II safeguarding of client asset rules that apply;
    • Provide an overview of the breach/incident;
    • Outline the process for remediation of the breach/incident;
    • In the case of an incident, indicate whether it is deemed material;
    • Indicate whether the breach/incident has been reported to the board of the investment firm and/or the Central Bank; and
    • The status of the breach/incident (e.g. open/under investigation/closed).

Issued: 4 July 2023

Last revision: 4 July 2023