CASS systems and controls – what happens when they go wrong

Recently the FCA announced that it had censured Sapia Partners LLP, who were responsible for protecting client money for the clients of its appointed representative firm, WealthTek Limited from 2017 to 2020. WealthTek, which was authorised in its own right from 2020 onwards, was ordered by the FCA to cease operations and was put into special administration in 2023. The FCA is currently pursuing criminal charges against the principal partner of the firm for the alleged misappropriation of customer funds. The FCA acknowledged that Sapia would also have been fined over £7m if not for the fact that it is making a voluntary payment of £19.6m to WealthTek clients who experienced a shortfall in the monies they could claim.

The FCA detailed in its announcement that Sapia admitted that it failed to properly separate key roles within its business relating to client money. This lack of segregation of duties meant that people who could make payments from client money accounts were also responsible for the checks required under the CASS rules.

There is a reason that segregation of duties is so important, because without it, there is a risk of fraud, misuse and error.

As a compliance consultancy firm who advises many clients on the rules and regulations that surround client money and client assets, we see this as a stark reminder of the consequences of not getting your CASS systems and controls right. This goes beyond the day-to-day tasks embedded in the CASS rules, such as internal and external reconciliations, and gets to the heart of the requirement to have “adequate organisational arrangements” to ensure that client funds and assets are protected.

We recommend all firms have a CASS risk register, which sets out all the applicable CASS rules that apply, the risk of not complying with the rule and the systems and controls in place to prevent that from happening. When completed well and kept up to date, it is a key part of the firm’s CASS control framework and means that firms can be confident that all risks are covered. In addition, it is a useful tool for auditors and can make the CASS audit process smoother and easier for all concerned. But the days of a dusty outdated risk register (that was probably drafted when the firm first got its CASS permissions) being good enough are over.

We are seeing an increased audit focus on testing the systems and controls detailed in the risk register. If you say that only 3 members of staff can make changes to client bank account details, but in reality all of your operations team can do it, you suddenly have a potential CASS breach under adequate organisational arrangements that wasn’t there before, even if no harm has arisen. That means the systems and controls as set out in your risk register should be robust enough to ensure that clients funds and assets are protected but should not overstate or embellish the facts. It needs to be up to date and reflective of what you’re actually doing, not what you hope to do or used to do.

This focus on CASS systems and controls is going to be a new consideration for payment service providers with the advent of CASS 15. Many firms in the space might be mistaken for thinking that it is simply business as usual because CASS 15 looks to embed and enhance rules that in part already exist in the Payment Services Regulations 2017. CASS 15 however, also calls for "adequate arrangements” as it relates to safeguarding relevant funds. This means, similarly, that audit firms (and the FCA) will expect those within the scope of CASS 15 to be able to document and prove what those “adequate arrangements” are. As before, we think a CASS risk register is a great place to capture those arrangements, but in any event we would expect firms to be thinking more broadly than the base rules and considering items such as governance, access and control rights and monitoring to make sure they keep the FCA, the auditors and their clients happy!

We are on hand to help with any CASS queries you may have and can help you review your current CASS controls or implement new ones at your firm. Please do get in touch by emailing us at contact@adempi.co.uk or calling us on 0203 925 4761.

If you’re a payment services provider, do keep a look out for our fireside chat with our partner, Lorraine Mouat and Mike Ayres from audit firm, Menzies LLP, where they will be discussing CASS resolution packs, exemptions, diversification, and what ‘reasonable efforts’ looks like in practice.

You can reach us at contact@adempi.co.uk or on 0203 925 4761 

Or to prepare your business for whats next or find out more about our services from the website: Adempi - FCA Compliance Consultants.