UK FCA Letter Expresses Concerns About Fund Service Providers
Tuesday, January 28, 2025
Go-To Guide:
  • UK Financial Conduct Authority (FCA) highlights concerns about fund service providers in a “Dear CEO” letter.
  • FCA identifies seven main risk areas, including operational resilience, cyber resilience, third-party management, and client asset protection.
  • Fund managers should review the FCA’s risk areas when conducting due diligence on potential service providers.
  • FCA plans to assess fund service providers’ compliance and may use formal intervention powers if necessary.

In late 2024, the United Kingdom’s Financial Conduct Authority (FCA) published a “Dear CEO” letter setting out its “Custody and Fund Services Supervision Strategy.” The letter states the FCA’s expectations of FCA-authorised firms that act as custodians, depositaries, and administrators in the funds sector. Importantly, the letter also highlights regulatory risks and topics that fund managers should review as part of their due diligence before selecting service providers for their funds, irrespective of whether the service provider is an FCA-authorised firm in the UK or is domiciled offshore.

The overwhelming message from the FCA is that fund service providers must have processes and procedures in place to identify risks, and controls in place to address them, in each of the areas of concern detailed below. The FCA will use its powers where necessary and will conduct assessments of “a selection of firms” to check that they comply with the expectations set out in the letter. The FCA has also reminded in-scope firms that, by 31 March 2025, they must have completed the mapping and testing needed to show that they can remain within their impact tolerances.

The FCA has focussed on the following risks in the funds sector, which service providers must be identifying and mitigating.

1. Operational Resilience

In the Dear CEO letter, the FCA states that it will focus on monitoring fund service providers’ compliance with, and implementation of, the existing rules and guidance on building operational resilience. Under those existing requirements, authorised fund service providers must have performed mapping and testing by 31 March 2025 to provide assurance that they can remain within their impact tolerances for each important business service in severe but plausible scenarios.

Within authorised fund service providers, the FCA is looking for evidence of: prompt deployment of incident management plans; prioritisation of important business services to reduce operational and client impact; detailed mapping of the services that fund service providers delegate, so that concentration of exposure to the same underlying providers is understood; and processes for clear communication with the FCA where required.

2. Cyber Resilience

The FCA states that the sub-optimal cyber resilience and security measures of some fund service providers pose risks to the funds sector. The FCA notes that it will continue to focus on this threat, including (i) how effectively firms manage critical vulnerabilities; (ii) threat detection; (iii) business recovery; (iv) stakeholder communication; and (v) remediation efforts to build resilience.

The letter is clear that fund service providers should ensure their governing bodies receive not only a report on the effectiveness of controls, but also an assessment of the cyber risks the firm actually faces; a control-effectiveness report on its own does not tell a board which risks remain unaddressed.

3. Third Party Management

Fund service providers naturally delegate specific roles to third parties, given the specialist expertise those roles require. In its letter, the FCA expresses concern that operational incidents involving third parties remain frequent, and that where oversight is inadequate the likelihood of such incidents increases.

The FCA plans to assess fund service providers’ oversight not only of their delegates, but also of those delegates’ own delegates (i.e. fourth parties), including key material supplier relationships and how they are managed.

The FCA expects firms to have effective processes in place to identify, manage, monitor, and report third-party risks, and to perform an assessment on, and mapping of, third-party providers.

4. Change Management

In its letter, the FCA has noted that with advances in technology (such as automation, artificial intelligence, and distributed ledger technology) and regulatory developments (such as settlement cycle changes), fund service providers must ensure that they are managing changes appropriately in order to maintain market integrity.

The FCA will assess a selection of fund service providers to review their change management frameworks, which involves looking at their overall approach and methodology, including testing, to understand how client and consumer outcomes have been considered.

The FCA has published guidance detailing key areas that contribute to successful change management. In addition, if any major firm initiatives or strategy changes are contemplated, fund service providers are encouraged to engage in early dialogue with the FCA.

5. Market Integrity

In light of the increased use of sanctions and related complexity, the FCA has stated that it will review the effectiveness of select fund service providers’ systems and controls, governance processes, and resource sufficiency in connection with sanctions regime compliance.

The FCA expects fund service providers to have effective, appropriate, and proportionate procedures in place to detect, prevent, and deter financial crime. Senior management at providers should take clear responsibility for managing and addressing these risks. Firms should have robust internal audit and compliance processes that test the firm’s defences against specific financial crime threats.

6. Depositary Oversight

The FCA has identified a gap in expectations over the role of depositaries and has noted that, in its view, depositaries “have often demonstrated a less than proactive approach” to their oversight, risk identification, and escalation processes in relation to funds and alternative investment fund managers (AIFMs). The FCA will be clarifying its rules for, and expectations of, depositaries.

In its letter, the FCA notes that it expects depositaries to act more proactively in the interests of fund investors. They should provide effective, independent oversight of AIFMs’ operations and funds’ adherence to FCA rules. The FCA also reminds depositaries that they are expected to have processes in place to ensure that they receive the information needed to perform their duties.

7. Protection of Client Assets

Protection of client assets is a regulatory priority set out in the FCA’s 2024/5 Business Plan. The FCA has identified weaknesses in important areas within fund service providers, including books and records, and dependency on end-of-life legacy IT infrastructure that relies on high levels of manual processing and manual controls. The FCA has noted that it will continue to identify such weaknesses and will use formal intervention powers if necessary.

Takeaways

The FCA’s “Dear CEO” letter to fund service providers is both a warning and a plea for fund service providers to do all they can to mitigate the risks the FCA has identified. FCA-authorised fund service providers should expect the FCA to write to them later in 2025 seeking their own evaluation of their progress in mitigating those risks.

Importantly, fund managers should, as part of their due diligence in relation to the appointment of fund service providers (irrespective of whether the service provider is in the UK or is based offshore), be exploring how the risks identified by the FCA are being mitigated.
