CASS 6 and 7 Update: Common breaches and areas of regulator focus


If your firm is preparing for a CASS 6 and 7 audit, our regular conversations with the FCA may provide some crucial guidance. In this article, we focus on four common breaches and areas of regulator focus, and make recommendations on how to avoid breaching the rules.

1. Acknowledgement letters

We have seen an increasing number of breaches relating to client money bank account acknowledgement letters. This has always been, and continues to be, one of the FCA’s areas of focus when carrying out inspections.

Breaches include the use of incorrect templates, deleting fixed text from the required template and inadequate bank account details. In addition, some firms are not taking reasonable steps to establish that the person signing on behalf of the bank has the authority to do so.

We encourage firms to carry out a detailed review of their acknowledgement letters which should include the following:  

  • The required fixed text as set out in the relevant Annex to CASS 7
  • The name of the bank account, sort code and account number
  • Evidence of the steps taken to verify the authority of the individual countersigning on behalf of the bank.

2. Payment service providers

Increasingly, regulated firms are using payment service providers (PSPs) to receive client balances, particularly from overseas clients.

Almost all CASS 7 firms are required to use the normal approach to client money segregation. This specifies that client money must be received into a central bank, a CRD credit institution, a bank authorised in a third country, or a qualifying money market fund.

However, PSPs do not qualify as client money bank accounts and therefore receipt of client funds in this manner is in breach of the rules.

Firms have sought to address this issue by applying prudent segregation, under CASS 7.13.41R, for example. They calculate the average deposits for the clearing period between receipt into the PSP and transfer into the client money bank account, regularly funding this from the firm’s business account.

The FCA has clearly stated that this practice does not follow the normal approach. Not only is it not a sufficient safeguard for client money, there is also a risk that, where clients use the funds immediately after deposit, they are effectively trading with the funds of another client until their own funds have fully cleared.

We recommend that firms cease any such arrangements with PSPs. Firms must ensure that client funds are received directly into approved client money bank accounts.

3. Increases in breaches and failure to address previously reported breaches

The FCA is increasingly concerned that CASS breaches are rising year on year, and that previous breaches are not being rectified. As a result, a growing number of firms are receiving requests for clarification and response following their latest CASS audit.

The regulator is particularly concerned about breaches relating to books and records, reconciliations and operational issues, all of which indicate weaknesses in systems and controls.

There are clear organisational requirements under the CASS 6 and 7 rules and firms need to have processes in place to prevent the loss or diminution of client money or custody assets as a result of poor administration, inadequate record keeping or negligence.  

We encourage firms to review their policies and procedures for recordkeeping, reconciliations and operations. Sufficient controls should be in place within the CASS environment to prevent an increase in breaches. We also recommend a review of the previous year’s CASS report ahead of the current year end. If any breaches are open at the period end, prompt action should be taken to resolve them.  

4. CASS rule mapping and controls document

Previously, it has not been clear whether a breach would be recorded if firms fail to prepare and maintain a detailed rule mapping and controls document. This document sets out all CASS rules applicable to the firm, and the controls in place to ensure compliance.

The requirement is not expressly included in the CASS 6 and CASS 7 rules, hence the confusion. The FCA has now confirmed the need for this document. It should be available to the auditors ahead of planning the current year audit.

The FCA has indicated that failure to have this document in place will be seen as a breach of the firm’s organisational requirements, and therefore will likely be identified as a CASS breach.

We recommend that firms without such a document in place prepare one ahead of the next year-end audit. It should summarise the CASS rules applicable to the firm and the controls in place. There is no set format; however, it should include all relevant CASS chapters of the FCA Handbook, not just CASS 6 and CASS 7.

If you would like further guidance on the areas raised in this article, or with CASS 6 and 7 compliance in general, please contact Benny Wong or Oliver Hawes.