Rather than just a tick-the-box compliance exercise, the FCA sees the CASS rules as a key foundation for market integrity: “The protection of client assets is central to confidence in the UK markets and fundamental to consumers’ rights and the trust they place with firms.”
If we step back from the fine print and look at the essence of the CASS rules, there are six key planks:
You need to promptly pay money received from a client into an account that is identifiably separate from your firm’s account. To cover for delays or deficits, you can pay your own money into the account through ‘prudent segregation’. Otherwise, mingling of firm and client funds is prohibited and you cannot use prudent segregation as a just-in-case measure (or buffer), it may only be used for a specific situation.
To ensure that you meet your obligations, you need to compare what you hold in the client account against what you should hold. You should also make sure that your internal records match those of your bank, custodian or other third-party. This opens up a huge number of potential risks ranging from poor data feeds, record-keeping and systems integration, to change of banks, custodians or business strategies.
If the reconciliation reveals a discrepancy, this should be investigated within 10 days setting out how you investigate this, what breach has arisen and the requirement to hold the right amount of money.
4/ Risk management
Risk analysis should be carried out regularly and documented for sharing with your auditor and the FCA. A good starting point is assessing the processes for recording, resolving and reporting breaches and errors. In line with the remediation process, you can then look into why mistakes are being made and how to prevent them. The red lights for deeper problems include regular delays and irregularities in reconciliation.
Responsibility for meeting client asset obligations rests squarely with the board, both through CASS itself and the Senior Managers and Certification Regime (SM&CR). This includes assigning a senior manager to take responsibility for CASS. As a medium or large category firm, you will also need to appoint a single director or senior manager to oversee and report on the operational effectiveness of your CASS systems and controls.
Your auditor needs to assess whether your systems and controls enable you to comply with the CASS rules and whether you were compliant at period-end.
Crossovers and reinforcements
FCA scrutiny of CASS controls has been heightened by the introduction of the new Consumer Duty. The segregation and safeguarding of client assets are clearly central to putting customers first and protecting them from harm under the Consumer Duty. But there are also specific and potentially risky crossovers. A clear case in point is interest paid on client money, which was the focus of a Dear CEO letter in December 2023, due to a number of firms not having operated their payment of interest procedures for some time, and in some cases, ever.
The overlaps with wind-down planning are highlighted by the need to prepare and update a CASS resolution pack. If your firm folds, the key aim of the CASS resolution pack is to help insolvency practitioners retrieve the key information and navigational instructions they need to ensure a timely return of client assets. The FCA focus on these packs is likely to have been heightened by concerns over what it sees as “widespread weakness in wind-down planning”.
Coming down hard
Have FS firms learned the lessons from Lehman’s and strengthened their client asset safeguards? The jury is out.
Fifteen years on from Lehman’s demise and eight since the FCA launched its updated CASS rules, there is an inevitable danger of complacency. Board members might say that “we’re not at risk of failure, so why should we worry?”. The answer to this question is that the inherent risk of a ‘doomsday scenario’ is always there and can come like a bolt from the blue.
Crucially, the FCA has also signalled its readiness to sanction otherwise healthy firms for failure to comply with the CASS rules. Examples include the fine of £8.96 million levied against Charles Schwab UK in 2020. The ‘Final Notice’ followed a string of CASS lapses, including the mingling of firm and client money and failure to prepare a resolution pack. In echoes of the Consumer Duty, the FCA noted that “the customers affected by these breaches were all retail customers and therefore required the greatest level of protection”.
The buck stops at the top
The risks to senior management were highlighted by the £486,600 fine for the CEO of One Call Insurance in 2018 for failing to arrange adequate protection for the firm’s client money. This was in addition to the £684,000 fine for the firm and the restriction on its ability to collect renewals.
So, how can you make sure that you are meeting your CASS obligations? In my experience, three priorities stand out:
1/ Keep checking, challenging and updating
CASS compliance processes need to keep pace with developments in your business, your risk environment and the tools and technology used in record-keeping and reconciliation. Your board should take the lead in regularly re-assessing whether systems and controls are still fit for purpose and how they can be improved.
2/ Build CASS into overall risk, governance and compliance
The overlaps with other regulatory obligations including SM&CR, Consumer Duty and wind-down planning underline the need to build CASS into your enterprise risk management and governance procedures. Again, your board should take the lead in managing the strategic, compliance and reputational risks, ensuring they allocate adequate resources to deliver against their risk appetite.
3/ Seek out independent review and advice
A CASS audit can provide a level of assurance. But by the time the period-end evaluations are carried out, it may be too late. That is why it is so useful to get expert advice upfront, as you look to identify weaknesses and bring systems into line with the latest best practice. Firms should not rely on audits to identify areas of weaknesses or breaches, but audits should confirm the checks that are in place. There will always be breaches arising, for example due to timing differences, and firms need to ensure they are in a position to understand and explain how/why these have arisen.
Don’t wait until it’s too late
In this article, I have looked at why you should not underestimate the CASS risks and what it takes to assure the FCA that your safeguards are up to scratch. The other big takeaway is the need to deal with deficiencies promptly and ensure you have proper systems and controls in place to document the action taken. With your board in the direct firing line, the resulting fallout could include protracted litigation, stiff regulatory penalties and career-threatening reputational damage. But get this right, and CASS can not only bolster your credibility with the FCA as regards the safeguarding of client assets, but it can also enhance your brand.