10 February 2025

FCA sets out supervisory expectations for fund service providers in new 'Dear CEO' letter

Introduction

On 13 December 2024, the Financial Conduct Authority (the FCA) published a “Dear CEO” letter related to the FCA’s “Custody and Fund Services Supervision Strategy.” The letter sets out the FCA’s expectations of UK authorised firms that act as a custodian, a depositary of authorised and unauthorised funds, and a third party administrator (providing fund accounting and transfer agency services) (the Sector Firms).

Areas of supervisory focus

Key areas of supervisory focus include:

  • Operational resilience: the FCA expects strong ownership of operational resilience by governing bodies and senior management for Sector Firms that fall within the scope of the new operational resilience rules (or have voluntarily opted to comply). Such firms should review and approve annual operational resilience self-assessments as outlined in the FCA policy statement, PS21/3, and complete their mapping and testing to provide assurance that they are able to remain within impact tolerances by 31 March 2025. The FCA expects firms to:
    • evidence prompt deployment of incident management plans;
    • prioritise important business services to reduce operational and client impact;
    • maintain detailed mapping of delegation arrangements to ensure there is a clear understanding of underlying exposures; and
    • implement processes to facilitate clear communication with the FCA, where required.

    Sector Firms should expect active engagement with the FCA, as it intends to undertake focused assessments on “how firms have coordinated with clients and third parties to drive cross sector resilience”.

    The FCA is considering whether to extend the scope of the operational resilience rules to a broader category of firms. Firms that currently fall outside the scope of PS21/3 should therefore treat the rules and guidance as examples of best practice;
  • Cyber security resilience: the FCA notes that sub-optimal cyber security and resilience procedures pose a serious threat to the funds sector. The FCA expects Sector Firms to evaluate the challenge holistically, focus on strengthening their operational and cyber defence environment and make effective use of intelligence-led penetration testing. The FCA states that governing bodies of Sector Firms are expected to receive reports on the effectiveness of their cyber security controls and an assessment of their cyber security risks. The FCA will continue to monitor how effectively such firms manage:
    • critical vulnerabilities;
    • threat detection;
    • business recovery;
    • stakeholder communication; and
    • remediation efforts to build resilience.
  • Third-party management: the FCA is concerned that operational incidents involving third parties remain too frequent. In accordance with FCA rules, the FCA expects firms to have effective processes in place to identify, manage, monitor, and report third-party risks, and to perform an assessment on, and mapping of, third-party providers. The FCA plans to undertake an assessment of Sector Firms' oversight of delegates and delegates of delegates. This will include key material supplier relationships and management, testing firms' understanding of the level of outsourcing, key vulnerabilities, concentration risk, exit and contingency plans;
  • Change management: the FCA letter states that it plans to assess the change management frameworks in a selection of firms (including assessing the overall approach and methodology, testing to understand how client and consumer outcomes have been considered as a critical aspect of the change management framework). Firms are advised to consider best practices identified in the FCA's "implementing technology change" multi-firm review;
  • Market integrity: the FCA states that the size, scale, and complexity of the international sanctions regime has increased the risk of firms' sanctions policies, procedures and controls failing to keep up with the requirements. The FCA states that it expects that Sector Firms should have effective procedures in place to detect, prevent, and deter financial crime, which should be appropriate and proportionate. Senior management is expected to take responsibility for managing such risks. Firms should also have robust internal audit and compliance processes that test the firm’s defences against specific financial crime threats. The FCA plans to review the effectiveness of firms' processes and controls in this area and, where material deficiencies are identified, the FCA has indicated that it will take appropriate action;
  • Depositary oversight: the FCA notes the important role played by depositaries in overseeing the activities of fund managers, safekeeping fund assets and cashflow monitoring. However, it has indicated that there are gaps in expectations over their role, with some depositaries being less proactive in their approach with respect to their oversight, risk identification, and escalation processes and duties. The FCA confirms that, in line with its statement in DP23/2, it will clarify the rules and expectations of depositaries in due course; and
  • Protection of client assets: the FCA letter states that firms' compliance with the rules in CASS remains a high priority for the FCA (as was previously outlined in its 2024/2025 business plan). The FCA states that it has observed weaknesses in firms' books and records, change management and dependency on legacy or end-of-life IT infrastructure with high levels of manual processing and controls. The FCA will continue to monitor firms and take enforcement action, where necessary.

Next Steps

Sector Firms should expect the FCA to contact them during the course of 2025 asking them to provide evidence of steps that they have taken to mitigate the risks identified in the FCA letter.

Fund managers should review their due diligence policies and processes to ensure that the issues and risks outlined in the FCA letter are taken into account prior to the appointment of service providers. Please let us know if you have any questions.
