Custodians audit third-party subcustodian relationships through structured risk-based programs that combine documentary review, on-site assessments, and continuous monitoring. The goal is to verify that legal protections, operational controls, and asset segregation in the subcustodian chain meet fiduciary and regulatory expectations. The Committee on Payments and Market Infrastructures and International Organization of Securities Commissions set out principles that emphasize governance, operational risk management, and contractual clarity, which custodians use to shape audit scope.
Risk assessment and due diligence
Initial audits begin with risk assessment that evaluates jurisdictional law, market structure, and the subcustodian’s business model. Due diligence covers legal title, reconciliation processes, disaster recovery, and anti-money-laundering controls. The European Securities and Markets Authority highlights that local legal frameworks and market practices materially affect custody risk, so custodians must adapt procedures by territory. In emerging markets, for example, reliance on local registries and different settlement cycles often requires deeper legal opinion work and more frequent verification than in developed markets.
Ongoing monitoring and control testing
After contracting, custodians perform periodic control testing including reconciliation sampling, confirmation of segregated accounts, and examination of trustee arrangements. Audits incorporate service-level agreement adherence and operational key performance indicators. Technology-enabled surveillance now supplements traditional audits: automated reconciliation exceptions, real-time SWIFT message monitoring, and regular penetration testing of electronic access reduce exposure to operational and cyber risks.
Regulatory guidance, client expectations, and reputational exposure drive custodians to escalate findings into remediation plans and, when necessary, replace subcustodians. This has consequences beyond finance: settlement failures or custody breakdowns can trigger cross-border legal disputes, affect local market liquidity, and erode investor confidence in jurisdictions that rely heavily on international asset flows. Cultural practices, such as preference for long-term personal relationships in certain markets, may complicate objective assessments, requiring auditors to balance respect for local norms with the need for strict compliance.
Independent external audits and attestation reports further reinforce assurance. Many custodians rely on external auditors and forensic specialists to validate complex matters like beneficial ownership and missing securities chains, aligning internal findings with external opinion. The combined approach — structured risk assessment, jurisdiction-aware due diligence, continuous monitoring, and independent validation — forms the backbone of how custodians audit their third-party subcustodian relationships.