Process objective
Ensure assets are protected and records are valid and not corrupted

Process requirements
Service providers should have a rigorous approach to security and access to ensure that only properly authorized explicit instructions are accepted and processed for the transfer, release or movement of securities and cash.

Periodically, the service provider's internal audit group should conduct thorough and comprehensive reviews of the risks (to service provider and its clients) and of the control objectives and procedures in place.  All issues raised must be resolved promptly.  External auditors should review risks, controls and procedures to provide assurance that the controls are efficient and operating effectively and to make associated recommendations (in accordance with SAS70/FRAG21 "Reports on the Processing of Transactions by Service Organizations").  Access should be given to a client's auditors on request.

A frequent audit of physical securities should be conducted by each sub-custodian.  The service provider should regularly carry out reconciliation of its records with those of the sub-custodians and its client.

Service providers should have rigorous plans for business continuity and disaster recovery.  These should be tested regularly.  The service provider should ensure that the same applies to sub-custodians and depositories.  The long-term viability of the service provider's business should be assessed.  The institution's long-term credit rating may provide an indication - but if there are other lines of business, the credit rating for the institution as a whole may mask the circumstances of the custody line of business.  The client should obtain information and evidence on the institution's commitment to custody and should watch for danger signals such as significant loss of clients or absence of new clients, poor controls or fees which cannot sustain long-term investment in systems and high-calibre management and staff.

Insurance cover should be maintained by the service provider and each of its sub-custodians to protect both the custodians and the service provider's client against loss arising from fraud, theft, fire, flood, negligence and other risks.  The level of cover should be subject to regular review to ensure that it is sufficient as asset values rise.

Defining risks
Risks must be clearly defined.  The key risks include: loss of securities; loss of cash; missed corporate actions, income and tax relief; business interruption; failure of controls; securities lending risks (counterparty default, inadequate collateral and operational errors and omissions) and consequential losses.  The impact of the location of the risk should be considered - whether at the service provider, any of its branches or group companies, a third-party sub-custodian or a depository.  It is critical that controls, indemnities and insurance provide adequate protection from the risks and that responsibility for risks is made clear in all legal agreements.

View the service offerings of leading providers:

Service Matrix