Baringa Blogs

Third Party Administrators (TPAs): their CASS compliance, your problem!

Following our March publication regarding challenges the FRC Standards present to the industry, this blog focuses on one in particular - how to manage your Third Party Administrator (TPA).

The FCA fine issued last October reminded the industry that although the responsibility of the TPA should be considered in instances of failure, from the FCA’s perspective it is the outsourcing firm’s responsibility to ensure it has effective oversight in place. 

Although outsourcing appears a cost-effective option for firms, this is brought into question once the rigor required to comply with the FCA rules is applied. While there may be strategic reasons for compromise regarding a TPA’s capability, it is key to ensure due diligence and oversight are proportional. When selecting a TPA, the outsourcing firm should always consider the true-cost equation (cost of outsourcing plus cost of oversight).
Baringa recently launched a CASS Industry Benchmarking survey[1], in which we asked firms about the greatest challenges they encountered when using TPAs. Here we provide examples of challenges and recommended practices that can help address some of these:
Challenge #1: Lack of CASS-specific knowledge within the TPA
Performing pre-launch due diligence and testing of the TPA’s CASS capabilities is a way to address this. This will indicate to a firm whether the TPA has adequate CASS oversight across all areas. It is recommended to focus on the TPA’s own oversight capabilities and their ability to demonstrate their CASS compliance.
Challenge #2: Misaligned expectations on how client assets should be managed
The best way to overcome this is to establish a governance structure with accountable individuals, enabling a firm to:

  • Understand the TPA’s operational and governance structure, gaining assurance of its effectiveness prior to signing an agreement
  • Understand the existing escalation processes to manage issues, proposing changes if they are insufficient
  • If the TPA’s arrangements are insufficient, negotiations should follow to understand how the TPA is willing to adapt.

Conversely, from a TPA’s perspective it can prove difficult to meet specific requirements from outsourcing firms; the Service Level Agreement (SLA) should be aligned with how both parties interpret the CASS rulebook.
Challenge #3: Insufficient management information (MI) to effectively perform oversight of the TPA’s activities.
There are controls that firms can exert on the TPA and these must be documented in the SLA between the two parties. Examples of good practices are:

  • Regular performance reviews of the TPA with defined metrics published in KPI reports
  • Implement detective controls such as:
    • Exception-ageing of client money and asset reconciliations, identifying weaknesses in the TPA’s reconciliation process. This control indicates how diligent the TPA is in managing breaches and ensuring that an improvement process is triggered when a breach occurs
    • Perform annual inspections of the TPA’s governance structure, gaining assurance on employee skills and the robustness of its Three Lines of Defence model
    • Conduct spot audits, testing the effective management of specific processes
  • Establish both reporting by exception and evidence. The format and frequency of CASS MI should be determined, and the content discussed on a regular basis between the two parties.

As firms go through their first audit under the enhanced FRC Standards, it is important to analyse the outputs specific to their TPAs; and ensure potential failures and challenges are self-identified and addressed, and not left for the Auditor to uncover.


[1] If you wish to participate in the survey, please do get in touch with Guy Munton (


Back to July 2017


Blog post currently doesn't have any comments.

Leave comment

 Security code