The FCA’s Client assets sourcebook (CASS) is among the most demanding and consequential for financial services firms. Only so much regulatory responsibility can be outsourced in this area and firms will need in-house expertise
by Paul Bryant
The FCA’s Client Assets sourcebook (CASS) guides and regulates FCA registered firms that hold or control client money or custody assets (such as company shares or bonds). Primarily, the sourcebook is to ensure that client assets can be quickly and accurately returned to clients if the firm fails, but also to ensure they are adequately protected against risks, such as fraud or theft.
Many CISI members will fall into the ambit of this regulation. According to Karen Bond, Chartered MCSI, director at Walbrook Partners, a CASS regulatory support consultancy and training provider: “CASS is unique in that it is so prescriptive in terms of the actions required, such as spelling out exactly how client money needs to be segregated. It is also demanding in terms of breach reporting. The FCA is quite ‘interventionist’ (site visits are fairly common) and very detailed in its approach and the fines for breaches can be huge.” On top of this, she says, consultants and auditors can differ quite a lot in their opinions of what is and isn’t adequate. So, says Karen, firms need to build a deep understanding of CASS in-house.
CASS’s journey
According to Paul Staples, associate director, financial services advisory at Grant Thornton, the financial-crisis-era insolvency of UK-incorporated Lehman Brothers International (Europe) in 2008 was the ‘trigger event’ that led to a fundamental rewriting of CASS rules. Lehman’s failure exposed major inadequacies in the existing rules at the time.
'Spectacular failure’ to ensure the protection mandated for client money by MiFID
Law firm Slaughter and May’s 2010 briefing paper, titled Client money protection after the Lehman case: testing the limits and limitations of the FSA’s rules, details the “huge discrepancy” between client money claims on Lehman following the firm’s insolvency and that actually held by the firm (over US$3bn from just one of the multiple areas of dispute). The briefing paper reports: “On any view of the matter, Mr Justice Briggs (of the High Court of Justice, which was hearing one of the legal claims at the time) was surely correct when he characterised this state of affairs as a ‘spectacular failure’ to ensure the protection mandated for client money by [Markets in Financial Instruments Directive] MiFID, as implemented by the FSA’s client money rules.”
Today, under the rewritten CASS rules for investment firms, which came into force in 2014 and 2015, and because of the additional vigour applied to enforcement by the FCA, the situation is entirely different. It could easily be argued that Paul’s comment that “firms and their auditors have been forced to pull their socks up” is an understatement.
When CASS applies
Simply put, firms that carry out specified regulated activities (see CASS 1.2.2 for the full list, which includes many activities, such as advising on, arranging, managing or dealing in investments, or arranging contracts of insurance or mortgages) must follow CASS rules whenever they hold or control client money or safe custody assets.
According to Karen, some advisers and financial planners may fall outside of the scope of CASS, if for example, they always arrange for client money to be paid directly to a fund manager and never have any control over it. However, she says, firms need to be especially careful, because it is not just a simple test of whether client money “touches a bank account controlled by a firm”.
Within CASS, different ‘rulebooks’ exist for different activities, for example: CASS 5 relates to client money: insurance distribution activity; CASS 6 relates to custody rules; CASS 7 relates to client money rules; and CASS 8 relates to mandates.
A financial adviser might not fall under the scope of CASS 7, which applies “to a firm that receives money from or holds money for, or on behalf of, a client in the course of, or in connection with … designated investment business”. But they may fall under CASS 8, which “applies to a firm when it has a mandate in the course of, or in connection with, the firm’s … designated investment business”. Just having a mandate to instruct another firm to do something with client money, say execute a trade, brings that advisory firm into the CASS regime.
Size does not come into play when deciding if a firm falls within the CASS regime, but the exact requirements of CASS do differ by size of firm. Firms will be classified as large if they hold more than £1bn of client money or £100bn of safe custody assets; as medium if they hold between £1m and £1bn of client money or between £10m and £100bn of safe custody assets; and small if client money held is less than £1m and safe custody assets less than £10m.
All firms are reassessed for size classification every year, but only medium and large firms have to complete a monthly Client Money and Assets Return (CMAR), with small firms being exempt. The CMAR provides the FCA with an overview of a firm’s client money and safe custody assets, and according to the FCA, “enables us to make regulatory interventions in relation to client assets on a timely, firm-specific or thematic basis.”
The resolution pack
The FCA states that to reduce the risk of financial loss to clients, firms need to be running a risk management process that includes identifying, assessing, and mitigating risks.
The rules give specific examples of some of the risks that need to be considered. CASS 7.12.2 identifies the need to put “organisational arrangements” in place to reduce the risks arising from misuse of client money, fraud, poor administration, inadequate record-keeping or negligence. These risks are of course present and need to be mitigated at all times, not just in the event of a firm failing, but, says Paul Staples, the CASS rules have primarily been written with a firm’s failure in mind. When a firm holding client money or assets fails, a ‘primary pooling event’ occurs, with CASS 7A.2 detailing the regulatory framework that has to be followed to ensure money is returned to clients.
Paul says: “It’s a difficult thing to do, because firms don’t go about their business thinking they are going to fail, but they need to adopt an ‘insolvency mindset’, and think through exactly what might happen if the doors were to close tomorrow, and exactly how clients will get their money back. And that needs to be codified in a ‘master document’ (or repository) as part of the firm’s CASS resolution pack (fully detailed in CASS 10, which contains a list of specific minimum requirements).”
"Firms need to adopt an ‘insolvency mindset’, and think through exactly what might happen if the doors were to close tomorrow"
He says a good way to think about the resolution pack is for firms to ask the question: “How do we write a set of rules that ensure that if our firm were to fail, the client money pool would remain fully intact and the insolvency practitioner can come in and redistribute that money to customers accurately and quickly?” Those expectations will then need to be implemented into a raft of day-to-day operational procedures and controls. He says: “That’s about things like segregating client assets from the firm’s own assets, sound record-keeping and timely and robust reconciliations.”
When client money cannot be returned accurately and quickly, the consequences can be deeply unpleasant, as highlighted by the situation following the insolvency of Beaufort Securities in 2018. What came as a surprise to many clients of Beaufort, who had assumed their money was safe and would quickly be returned in full, is that the law specifically makes provision for insolvency costs to be taken from their funds. And in this case, the complexity of the situation – including possible legal action in the USA – resulted in eye-wateringly high costs. Insolvency practitioners from PwC announced their initial estimate to be £100m (later reduced to £55m), which led to angry clashes with Beaufort clients. (Eventually, an agreement was reached whereby the Financial Services Compensation Scheme would pay the bulk of the costs.)
Karen believes this could, and should, have been avoided. “What this tells us in terms of lessons learnt is that prompt and accurate record-keeping is just as important as protecting client money,” she says. “If an insolvency practitioner needs to spend a lot unravelling and tidying up records, that comes out of client money. Since this case, the regulator, auditors and firms have had a much tighter focus on prompt and accurate record-keeping and on the resolution pack. Not that it was loose before, but it’s even tighter now.”
Outsourcing functions
In the investing world, outsourcing some functions relating to client money and safe custody assets is common. For example, think of the widespread use of platforms, third-party administration companies that manage the transactional side of many investments, or custodians.
But outsourcing doesn’t lessen the regulatory burden on firms. Somewhat tongue-in-cheek, Karen wrote in a Walbrook Partners blog post in March 2017, “the level and scale of CASS oversight demanded by the regulator seems to us to beg the question of whether you might as well do it (the outsourced function) yourself”.
For example, when firms decide to deposit safe custody assets held on behalf of clients into a third-party account, CASS 6.3 requires firms to “exercise all due skill, care and diligence in the selection, appointment and periodic review of the third party and of the arrangements for the holding and safekeeping of those safe custody assets”.
It then outlines more specific requirements, such as requiring firms to consider: the specific arrangements that the third party has in place for holding and safeguarding the safe custody assets and how this compares to sector standards; the capital or financial resources of the third party; and the creditworthiness of the third party.
Karen highlights that to comply with oversight requirements, firms need a minimum level of skill and expertise in-house. They must be able to understand how a provider operates and if the provider is meeting the standards required. Her “you might as well do it yourself” comment was made to stress the importance of not underestimating the overhead and skill requirements needed to manage outsourced functions.
Learn about CASS through our Client Money and Assets exam – a unit within our level 3 Investment Operations Certificate
CASS breaches
Mike Ayres, senior manager at accountancy firm Menzies, which specialises in CASS, says breaches can be a particularly tricky area for firms: “They are required (SUP 15.3.1) to report any significant breach immediately, but the rules don’t really go on to explain what a significant breach is.”
He says if someone receives £100 into the company’s bank account instead of the client account and three days later, they identify the mistake and transfer it over, no one is going to think that is too significant. But if it’s millions of pounds that isn’t identified for a month, then it clearly would be significant. “Unfortunately, there isn’t a clear line on this. Generally, firms would rely on a compliance consultant to guide them in this area,” says Mike.
"It is very important that a firm is recording all breaches"
But he does have some pointers to stay on the right side of the regulator. He says: “There is a difference between what you report immediately and what you record. It is very important that a firm is recording all breaches (and there may very well be quite a few), and including them in their annual client asset report.” This report includes a breaches schedule prepared by the firm’s auditors.
Mike says that if a firm isn’t recording any breaches at all, then that would be a red flag to auditors and the FCA, as there are bound to be some during the course of a year: “Recording no incidents at all would probably trigger further investigation by the FCA.”
Karen adds a final point, saying: “The FCA looks for a ‘feedback loop’. Firms need to spell out the difference between what actually happened (details of the breach), why it happened, and what should have happened. ‘What should have happened’ then needs to loop back into better processes and controls.”
Senior management oversight
CASS 1A.3 specifies that medium and large firms must allocate responsibility to a single director or senior manager (in the language of the Senior Managers and Certification Regime, the person with ‘prescribed responsibility’) for: oversight of the operational effectiveness of systems and controls designed to achieve CASS compliance; reporting to the firm’s governing body (usually the board of directors) in respect of that oversight; and completing and submitting a CMAR to the FCA. CASS small firms have slightly reduced requirements. A single director or senior manager must also be allocated responsibility, but only for operational compliance with CASS and reporting on that oversight to the firm’s governing body.
Karen says there is “no right answer” on how to structure organisational roles for CASS oversight: “The most important thing is to maintain strong communication with the board. In some firms the senior manager responsible is present at board meetings and in others the communication is done via a report.”
Karen continues: “The exact nature of the reporting line is less important than the board being given information at an appropriate level of detail. Not War and Peace but also not a bland assurance that everything is going well.” She says that ‘best practice’ firms have a culture of receiving real challenge at board level, recording that challenge and acting upon it.
Below board level, Paul says any firm of a reasonable size – as a rule of thumb, CASS medium and large firms – would be expected to have a CASS committee that would coordinate oversight and control across the firm. He says members would typically include the senior individual responsible for CASS oversight and a broad collection of other relevant people across the business, such as internal audit and compliance. This committee would then report to the board or to a board risk committee.
He concludes: “In reality, CASS permeates through nearly every aspect of an investment firm. Organisationally, from the board all the way down, and operationally, across many control frameworks and day-to-day processes and controls. And because the consequences of CASS failures can be so high – the loss of client assets – it is definitely one of those regulatory areas worth paying high attention to, especially during turbulent times.”
Seen a blog, news story or discussion online that you think might interest CISI members? Email bethan.rees@wardour.co.uk.