⚠
This is a draft awaiting review. Please check the content before approving.
[DRAFT GENERATION FAILED — Raw notes below]
#### Overview
- Questa Wealth governance agreed to sit outside ASL — treated as a third-party service provider under UAP, not folded into ASL board or ARCC packs, with a service level agreement and HR review of staff contracts needed
- deVere / Mauritius DFM relationship recommended for ratification — existing ~400 PSG-inherited offshore schemes put in a better position via a single DFM relationship than by doing nothing or forcing exits; new business appetite still unresolved
- Alex to circulate a one-page board paper on separating onshore and offshore into distinct operating models by Friday, July 3rd or early the following week
- CASS audit is 97% complete on fieldwork; management letter expected within a couple of weeks — breach 7 (internal reconciliation) remains open and needs automation to close properly
- Risk Management Framework kicked off as a formal workstream — Colin to help form a working group, significant progress expected by the next quarterly meeting
- Annual accounts audit on track for a clean report in time for the board meeting next week (July 9th)
- Cyber Essentials Plus lost after the cyber incident — currently at Essentials only, with Focus on a 6-week timeline to restore Plus status; insurance is in place and aware
- FCA voluntary written progress update due August 2026; evidence pack prep for potential October 2026 revisit starts November 2026
#### Safeguarded benefits transfer case
- The transfer in question is under £30k, which exempts it from the advice requirement under pension rules, but Alltrust never saw the advice report at the point of transfer
- An Onvesta report was done — Onvesta is predominantly associated with deVere offshore work, and Victoria notes over 95% of their reports came out as "do not transfer," with clients then becoming insistent and signing away benefits
- The risk of future liability for the DB-to-DC transfer sits with PSG pre-acquisition, not Alltrust — but accepting a further contribution from the seeding scheme could pull Alltrust into responsibility for the whole position
- Alex and Victoria agreed the stronger position is to decline, and Alex suggested taking it to "Lizzie" for a legal view
#### Outstanding March actions
- US sanctions legal advice is in draft — Liz and Alex have reviewed it; the US nexus question is resolved (Alltrust has none), and the focus is now on the Metro Bank meeting to unfreeze the account
- Brite cash position is closed — all Brite money distributed except two clients being traced; FCA was advised of this position
- Questa completion is done — Questa is now owned by UAP; Form As for James and Alex as SMFs are in progress, and a meeting with the former Questa group is set for Monday, July 6th
- DWF workshop on the advice proposition regulatory landscape is scheduled for next week — open to attendees except Debbie (on holiday); Alex will share the presentation afterwards
- Targeted support consultation was submitted and a follow-up pre-application support meeting was held — the FCA felt Alltrust wasn't going far enough over the advice line, so the question is now whether a variation of permissions at ASL level or the new advice business makes the targeted support route unnecessary; action closed but issue remains live
- Product launch playbook left open — covered later in the pack under product governance
- FCA notification on Metalogic / cyber was not made beyond the initial notification; no follow-up from the FCA
- ICO cyber incident report: initial notification submitted, no follow-up received from the ICO; Colin and Alex agreed to collate reports from the specialist firm and Focus into a committee paper with an action plan and ongoing status updates
- Whistleblowing champion appointment not progressed — left open on Alex's list
- CMAR submissions are current and being independently verified by the CASS auditor; errors on the first submission have been corrected
- EBOL Trustees acquisition DD is more comprehensive than previous attempts but an acquisition playbook hasn't been developed — left open
#### Fallon / Gleeson sanctions and Metro Bank
- Alltrust has received legal counsel confirming no US nexus — neither Alltrust nor, on their view, Metro Bank has one, so OFAC sanctions don't apply
- A SAR was submitted and the NCA was notified; the NCA did not grant a DAML to close the account, and when Alltrust applied for a DAML to transact and maintain assets, the NCA effectively deferred back to the sanctions question without a yes or no
- Linda Gleeson (co-owner of the SIPP asset, not on the sanctions list) has been diagnosed with cancer and is asking for her benefits — Alex flagged this as a difficult situation given the frozen account
- HSBC released funds to Fallon's accounts without a US nexus issue, which Alex noted as relevant context for the Metro Bank approach
- A meeting with Metro Bank's sanctions team has been requested — getting the legal opinion to them is the critical path to unfreezing the account
- Fallon has an outstanding complaint about fees taken from the account; these are believed refunded but being verified with ops, and a final response letter is being prepared
#### Cyber incident wrap-up and Cyber Essentials Plus
- Cyber Essentials Plus was lost following the incident — Alltrust currently holds Essentials only, with Focus on a predicted 6-week timeline from this week to restore Plus status
- Cyber insurance has been renewed and the insurer is aware of the current Essentials-only position; Alex flagged that the previous policy had Cyber Essentials Plus as a condition and asked whether the renewed policy does too
- Alex asked that the cyber insurance contract be sent to the committee to be held on file as approved outside a meeting, and added to a review cycle
- Four months of dark web monitoring have shown no data loss
- The committee agreed to reframe the ICO action as a committee paper covering lessons learned, an action plan, and status updates until the plan is complete — rather than a standalone ICO report submission
#### CASS reconciliation and breach 7
- The CASS audit is 97% complete on fieldwork and planning; the auditor is expected to issue a management letter within a couple of weeks, which will go to this committee and the board
- Breach 7 (daily internal client-money reconciliation) remains open — the auditor accepts that two independent processes exist but requires that their totals be compared to each other before going to the external bank reconciliation, which isn't currently happening
- The current process relies on copying and pasting from Emargo and Metropolis rather than automated data extraction and comparison — Alex is clear this needs to be automated, not manual
- New breaches around cash checks will also appear in the audit report; Caroline has already flagged these internally
- The FCA is aware of breach 7 from previous conversations and has made no follow-up; Alex expects to notify them again when the audit completes
- Victoria flagged a couple of recent developments that may affect the reconciliation approach — Alex to follow up with her after his call with Caroline on July 2nd
#### Risk Management Framework kick-off
- The committee agreed to kick off the Risk Management Framework review as a formal workstream — Colin to help identify the right people for a working group
- The current draft (v1.0) uses two lines of defence with no internal audit function; the committee agreed internal audit isn't warranted at this stage and should be reviewed annually
- Geoff wants to understand the thresholds that would make internal audit compulsory; Alex noted there's no hard regulatory number — it's based on complexity and management distance from operations, and both Geoff and Colin agreed management is still close enough to the business
- The workstream goal is a risk taxonomy, appetite statements with tolerances, and a KRI dashboard that the business owns in the first line — with significant progress expected before the next quarterly meeting
- The risk register will be produced by this committee and recommended to the board for approval, not handed down to the business
#### CRCC inaugural report
- The CRCC held its inaugural meeting on 4 June 2026 — Debbie set homework for members to map existing MI and identify what good MI would look like for the committee
- The lines between first and second line are currently blurred — a separate session will be held to define them collectively rather than Debbie dictating the split
- Vulnerable customer champions are down to 3 following leavers — the consensus is the model works but needs more volunteers, refresher training, and a reformatted monthly forum
- The CRCC's initial focus is service delays and communication, pending MI being in place
#### FCA implementation plan and comms SLAs
- The FCA tracker was rebased: 10 actions complete, 7 in progress, 0 not started as at July 2026 — the previous read of RED was caused by a month-by-month tab last updated 27 February 2026 that hadn't been refreshed
- Key upcoming dates: voluntary 6-month written progress update to the FCA in August 2026; evidence pack prep for a potential 12-month FCA revisit starts November 2026 (treating October 2026 as the earliest possible revisit)
- AI phone system (ref 3.b): new phone system is live and providing transcripts and MI for the first time in 7 months; AI features phase just kicked off, with a first workshop proposed for Thursday, July 9th (board meeting day — dates may need to move)
- Backdated charges (ref 4.b) is not about backdating — Alex confirmed it refers to recoverable fees not yet taken, mainly from PSG and Brite; Geoff clarified Brite clients were billed at existing fee card rates from 1 January 2026 and will move to the ASL fee card at their next anniversary post 31 December 2026
- Alex suggested folding the fee recovery question into the fair value assessment review rather than tracking it as a standalone action; Colin confirmed Andrew is doing the initial FVA analysis and will loop Debbie in earlier
- On comms SLAs: Colin confirmed formal client communications have a documented review and sign-off process, and reactive adjustments have been made based on FOS feedback and complaints — but proactive client feedback on comms quality hasn't been sought yet
- Alex raised whether SLAs may be too generous — if complaints aren't falling as SLAs start to be met, the committee should question whether the SLAs themselves are tight enough, and whether a 48-hour first-response standard would change complaint volumes
- Colin committed to raising the alarm at the next quarterly meeting if operational performance isn't materially better by then
#### Questa Wealth governance structure
- Geoff's view is that Questa should be treated as a third-party service provider to ASL — like Focus or L25 — not folded into ASL governance packs, given it sits under UAP not ASL; Colin agreed
- Questa can adopt Alltrust's compliance framework, but ASL governance work on Questa would be unwarranted additional overhead
- If ASL staff are used to do work for Questa, Geoff thinks HR needs to be involved (possible contract modifications), and a service level agreement between ASL and Questa is needed — a papering exercise but necessary
- Alex agreed to remove Questa from the ASL ARCC pack going forward
#### deVere / Mauritius DFM and onshore-offshore model
- Alltrust inherited approximately 400 offshore schemes managed by the deVere group via the PSG acquisition
- The recommended approach is to proceed with deVere Investments Limited (DVIL) via the Mauritius structure as the approved international DFM — structured as a DFM relationship, not an advice relationship, which is the key regulatory distinction
- The rationale: forcing clients out carries litigation risk (Nigel has indicated this), complex enhanced DD on transfers out, and moral risk around what happens to clients afterwards; the DVIL route puts existing clients in a better position than doing nothing or forcing exits
- Guardrails include: low-cost investment solution via Pacific Asset Management models, no structured products, a senior account management contact at deVere to manage conduct issues, and jurisdictional red lines where the model can't operate
- New business via the deVere / offshore route is still unresolved — Rob is not fully convinced, James is more open; not decided at this meeting
- Titan Global was reviewed separately and recommended against — their license is an adviser license marketing itself as a global license, not a discretionary management license, so Alltrust is declining or about to decline terms of business with them; Geoff declared a very minor shareholding in Titan (inherited via Ravenscroft)
- The committee agreed to recommend the board commission a short options paper on formally separating onshore and offshore into distinct operating models — covering perimeter, entity structure, conduct and CASS implications, and resourcing; Alex to circulate a one-pager to the group by Friday, July 3rd or early the following week
- Victoria noted the offshore book is predominantly PSG-derived — there aren't many UK-located offshore clients
#### Annual accounts audit
- The ASL accounts audit is progressing and Geoff expects a clean report with signed accounts ready for the board meeting next week (July 9th)
- Geoff clarified this is technically an independent review rather than a full statutory audit — ASL isn't currently obliged to have one, but Geoff commissioned it to be treated as a full audit so the groundwork is done before it becomes mandatory
- The committee's current involvement in the audit process is limited — Alex noted that without an independent non-exec chairing the ARCC, the committee can't play a traditional audit committee role; Lyndon Trot was raised as a potential independent chair but making him a non-exec of ASL may have UK tax residency implications for him
- Alex suggested management accounts and budget review could be a useful future role for this committee as the business grows
