Audit Risk and Compliance Committee
Draft
This is a draft awaiting review. Please check the content before approving.
2026-07-07
Audit Risk and Compliance Committee
2026-07-07 10:21
0
Alex Dymock, Geoff Tostevin, James's Notetaker (Otter.ai), Debbie Allen, Victoria Ingram, Colin Moody, None

[DRAFT GENERATION FAILED — Raw notes below]

#### Overview

  • Questa Wealth governance agreed to sit outside ASL — treated as a third-party service provider under UAP, not folded into ASL board or ARCC packs, with a service level agreement and HR review of staff contracts needed
  • deVere / Mauritius DFM relationship recommended for ratification — existing ~400 PSG-inherited offshore schemes put in a better position via a single DFM relationship than by doing nothing or forcing exits; new business appetite still unresolved
  • Alex to circulate a one-page board paper on separating onshore and offshore into distinct operating models by Friday, July 3rd or early the following week
  • CASS audit is 97% complete on fieldwork; management letter expected within a couple of weeks — breach 7 (internal reconciliation) remains open and needs automation to close properly
  • Risk Management Framework kicked off as a formal workstream — Colin to help form a working group, significant progress expected by the next quarterly meeting
  • Annual accounts audit on track for a clean report in time for the board meeting next week (July 9th)
  • Cyber Essentials Plus lost after the cyber incident — currently at Essentials only, with Focus on a 6-week timeline to restore Plus status; insurance is in place and aware
  • FCA voluntary written progress update due August 2026; evidence pack prep for potential October 2026 revisit starts November 2026

#### Safeguarded benefits transfer case

  • The transfer in question is under £30k, which exempts it from the advice requirement under pension rules, but Alltrust never saw the advice report at the point of transfer
  • An Onvesta report was done — Onvesta is predominantly associated with deVere offshore work, and Victoria notes over 95% of their reports came out as "do not transfer," with clients then becoming insistent and signing away benefits
  • The risk of future liability for the DB-to-DC transfer sits with PSG pre-acquisition, not Alltrust — but accepting a further contribution from the seeding scheme could pull Alltrust into responsibility for the whole position
  • Alex and Victoria agreed the stronger position is to decline, and Alex suggested taking it to "Lizzie" for a legal view

#### Outstanding March actions

  • US sanctions legal advice is in draft — Liz and Alex have reviewed it; the US nexus question is resolved (Alltrust has none), and the focus is now on the Metro Bank meeting to unfreeze the account
  • Brite cash position is closed — all Brite money distributed except two clients being traced; FCA was advised of this position
  • Questa completion is done — Questa is now owned by UAP; Form As for James and Alex as SMFs are in progress, and a meeting with the former Questa group is set for Monday, July 6th
  • DWF workshop on the advice proposition regulatory landscape is scheduled for next week — open to attendees except Debbie (on holiday); Alex will share the presentation afterwards
  • Targeted support consultation was submitted and a follow-up pre-application support meeting was held — the FCA felt Alltrust wasn't going far enough over the advice line, so the question is now whether a variation of permissions at ASL level or the new advice business makes the targeted support route unnecessary; action closed but issue remains live
  • Product launch playbook left open — covered later in the pack under product governance
  • FCA notification on Metalogic / cyber was not made beyond the initial notification; no follow-up from the FCA
  • ICO cyber incident report: initial notification submitted, no follow-up received from the ICO; Colin and Alex agreed to collate reports from the specialist firm and Focus into a committee paper with an action plan and ongoing status updates
  • Whistleblowing champion appointment not progressed — left open on Alex's list
  • CMAR submissions are current and being independently verified by the CASS auditor; errors on the first submission have been corrected
  • EBOL Trustees acquisition DD is more comprehensive than previous attempts but an acquisition playbook hasn't been developed — left open

#### Fallon / Gleeson sanctions and Metro Bank

  • Alltrust has received legal counsel confirming no US nexus — neither Alltrust nor, on their view, Metro Bank has one, so OFAC sanctions don't apply
  • A SAR was submitted and the NCA was notified; the NCA did not grant a DAML to close the account, and when Alltrust applied for a DAML to transact and maintain assets, the NCA effectively deferred back to the sanctions question without a yes or no
  • Linda Gleeson (co-owner of the SIPP asset, not on the sanctions list) has been diagnosed with cancer and is asking for her benefits — Alex flagged this as a difficult situation given the frozen account
  • HSBC released funds to Fallon's accounts without a US nexus issue, which Alex noted as relevant context for the Metro Bank approach
  • A meeting with Metro Bank's sanctions team has been requested — getting the legal opinion to them is the critical path to unfreezing the account
  • Fallon has an outstanding complaint about fees taken from the account; these are believed refunded but being verified with ops, and a final response letter is being prepared

#### Cyber incident wrap-up and Cyber Essentials Plus

  • Cyber Essentials Plus was lost following the incident — Alltrust currently holds Essentials only, with Focus on a predicted 6-week timeline from this week to restore Plus status
  • Cyber insurance has been renewed and the insurer is aware of the current Essentials-only position; Alex flagged that the previous policy had Cyber Essentials Plus as a condition and asked whether the renewed policy does too
  • Alex asked that the cyber insurance contract be sent to the committee to be held on file as approved outside a meeting, and added to a review cycle
  • Four months of dark web monitoring have shown no data loss
  • The committee agreed to reframe the ICO action as a committee paper covering lessons learned, an action plan, and status updates until the plan is complete — rather than a standalone ICO report submission

#### CASS reconciliation and breach 7

  • The CASS audit is 97% complete on fieldwork and planning; the auditor is expected to issue a management letter within a couple of weeks, which will go to this committee and the board
  • Breach 7 (daily internal client-money reconciliation) remains open — the auditor accepts that two independent processes exist but requires that their totals be compared to each other before going to the external bank reconciliation, which isn't currently happening
  • The current process relies on copying and pasting from Emargo and Metropolis rather than automated data extraction and comparison — Alex is clear this needs to be automated, not manual
  • New breaches around cash checks will also appear in the audit report; Caroline has already flagged these internally
  • The FCA is aware of breach 7 from previous conversations and has made no follow-up; Alex expects to notify them again when the audit completes
  • Victoria flagged a couple of recent developments that may affect the reconciliation approach — Alex to follow up with her after his call with Caroline on July 2nd

#### Risk Management Framework kick-off

  • The committee agreed to kick off the Risk Management Framework review as a formal workstream — Colin to help identify the right people for a working group
  • The current draft (v1.0) uses two lines of defence with no internal audit function; the committee agreed internal audit isn't warranted at this stage and should be reviewed annually
  • Geoff wants to understand the thresholds that would make internal audit compulsory; Alex noted there's no hard regulatory number — it's based on complexity and management distance from operations, and both Geoff and Colin agreed management is still close enough to the business
  • The workstream goal is a risk taxonomy, appetite statements with tolerances, and a KRI dashboard that the business owns in the first line — with significant progress expected before the next quarterly meeting
  • The risk register will be produced by this committee and recommended to the board for approval, not handed down to the business

#### CRCC inaugural report

  • The CRCC held its inaugural meeting on 4 June 2026 — Debbie set homework for members to map existing MI and identify what good MI would look like for the committee
  • The lines between first and second line are currently blurred — a separate session will be held to define them collectively rather than Debbie dictating the split
  • Vulnerable customer champions are down to 3 following leavers — the consensus is the model works but needs more volunteers, refresher training, and a reformatted monthly forum
  • The CRCC's initial focus is service delays and communication, pending MI being in place

#### FCA implementation plan and comms SLAs

  • The FCA tracker was rebased: 10 actions complete, 7 in progress, 0 not started as at July 2026 — the previous read of RED was caused by a month-by-month tab last updated 27 February 2026 that hadn't been refreshed
  • Key upcoming dates: voluntary 6-month written progress update to the FCA in August 2026; evidence pack prep for a potential 12-month FCA revisit starts November 2026 (treating October 2026 as the earliest possible revisit)
  • AI phone system (ref 3.b): new phone system is live and providing transcripts and MI for the first time in 7 months; AI features phase just kicked off, with a first workshop proposed for Thursday, July 9th (board meeting day — dates may need to move)
  • Backdated charges (ref 4.b) is not about backdating — Alex confirmed it refers to recoverable fees not yet taken, mainly from PSG and Brite; Geoff clarified Brite clients were billed at existing fee card rates from 1 January 2026 and will move to the ASL fee card at their next anniversary post 31 December 2026
  • Alex suggested folding the fee recovery question into the fair value assessment review rather than tracking it as a standalone action; Colin confirmed Andrew is doing the initial FVA analysis and will loop Debbie in earlier
  • On comms SLAs: Colin confirmed formal client communications have a documented review and sign-off process, and reactive adjustments have been made based on FOS feedback and complaints — but proactive client feedback on comms quality hasn't been sought yet
  • Alex raised whether SLAs may be too generous — if complaints aren't falling as SLAs start to be met, the committee should question whether the SLAs themselves are tight enough, and whether a 48-hour first-response standard would change complaint volumes
  • Colin committed to raising the alarm at the next quarterly meeting if operational performance isn't materially better by then

#### Questa Wealth governance structure

  • Geoff's view is that Questa should be treated as a third-party service provider to ASL — like Focus or L25 — not folded into ASL governance packs, given it sits under UAP not ASL; Colin agreed
  • Questa can adopt Alltrust's compliance framework, but ASL governance work on Questa would be unwarranted additional overhead
  • If ASL staff are used to do work for Questa, Geoff thinks HR needs to be involved (possible contract modifications), and a service level agreement between ASL and Questa is needed — a papering exercise but necessary
  • Alex agreed to remove Questa from the ASL ARCC pack going forward

#### deVere / Mauritius DFM and onshore-offshore model

  • Alltrust inherited approximately 400 offshore schemes managed by the deVere group via the PSG acquisition
  • The recommended approach is to proceed with deVere Investments Limited (DVIL) via the Mauritius structure as the approved international DFM — structured as a DFM relationship, not an advice relationship, which is the key regulatory distinction
  • The rationale: forcing clients out carries litigation risk (Nigel has indicated this), complex enhanced DD on transfers out, and moral risk around what happens to clients afterwards; the DVIL route puts existing clients in a better position than doing nothing or forcing exits
  • Guardrails include: low-cost investment solution via Pacific Asset Management models, no structured products, a senior account management contact at deVere to manage conduct issues, and jurisdictional red lines where the model can't operate
  • New business via the deVere / offshore route is still unresolved — Rob is not fully convinced, James is more open; not decided at this meeting
  • Titan Global was reviewed separately and recommended against — their license is an adviser license marketing itself as a global license, not a discretionary management license, so Alltrust is declining or about to decline terms of business with them; Geoff declared a very minor shareholding in Titan (inherited via Ravenscroft)
  • The committee agreed to recommend the board commission a short options paper on formally separating onshore and offshore into distinct operating models — covering perimeter, entity structure, conduct and CASS implications, and resourcing; Alex to circulate a one-pager to the group by Friday, July 3rd or early the following week
  • Victoria noted the offshore book is predominantly PSG-derived — there aren't many UK-located offshore clients

#### Annual accounts audit

  • The ASL accounts audit is progressing and Geoff expects a clean report with signed accounts ready for the board meeting next week (July 9th)
  • Geoff clarified this is technically an independent review rather than a full statutory audit — ASL isn't currently obliged to have one, but Geoff commissioned it to be treated as a full audit so the groundwork is done before it becomes mandatory
  • The committee's current involvement in the audit process is limited — Alex noted that without an independent non-exec chairing the ARCC, the committee can't play a traditional audit committee role; Lyndon Trot was raised as a potential independent chair but making him a non-exec of ASL may have UK tax residency implications for him
  • Alex suggested management accounts and budget review could be a useful future role for this committee as the business grows

Processing…