CASS Compliance: How has it evolved and what has caused the uptick in requests for CASS training?
In this article, Peter Haines discusses the evolution of CASS (Client Money and Assets) Compliance, how it was perceived then vs how it is perceived now, and what might be leading firms to spend more resources on CASS training.
“Client Assets rules are dull, complex, difficult to comply with and nobody cares about them.”
This was said to me by a Senior Compliance Officer many years ago. At the time, their words contained more than a ring of truth but today, that is no longer the case.
Regulators have a duty to protect the interests of consumers and that duty often exists as either a statutory or published objective of the regulator in question.
The protection of clients’ money and investments held by a firm must, therefore, be central to that regulatory objective.
So why have there been few CASS fines from the regulators in the last few years, and why have we seen a recent uptick in requests for CASS training?
The two issues might strangely be linked.
Whilst much of this article may appear to be UK-centric (most of the CASS activity over the past twenty years outside of the US has happened in the UK), it isn’t just relevant for firms regulated by the UK’s FCA. The Dubai FSA also has rules governing clients’ assets and many of the principles underlying them are broadly similar.
The evolution of CASS Compliance
We need to go back into recent history to understand how CASS Compliance has evolved.
Prior to the 2008 financial crisis, a few of the CASS rules became the subject of widespread non-compliance. Some larger firms took a rather complacent view that they were “too big to fail”, so CASS was not important (as it is designed to protect clients’ assets in the event of a firm’s default).
This is simplistic and inaccurate, not least for two reasons:
- very few regulators will admit that “too big to fail” is a valid concept – even if there are circumstances where it appears to have been the case;
- CASS rules are designed to protect assets along the chain when they are passed between firms – a fact which was highlighted following the Barings crisis.
A defining, post-crisis moment came in May 2010, when JP Morgan Securities Ltd was fined over £33m for CASS breaches. This came as a surprise (and a cause of sympathy in the Compliance community) at the time, as the issue was self-reported and involved money held between two regulated entities within the JP Morgan Group.
Even more surprisingly, this was the highest ever fine imposed by the Financial Services Authority, dwarfing the previous fine of £17 million imposed on Shell. This fine was followed by one of £1.4 million imposed by the accountancy regulator on PWC (JP Morgan’s auditors) in January 2012. This emphasised the importance of conducting a thoroughly professional CASS audit.
My first experience of a CASS audit came when I was a Head of Compliance. I was approached on the last day of the audit and asked whether we had experienced any CASS breaches. I responded that we had not. The next question was whether we had a correspondence file with the regulator. My response was that we had, but it contained no correspondence relating to CASS, as we had not experienced any breaches. The auditor reviewed the file for (at most) 15 minutes and that was the extent of the CASS audit.
Nowadays it is very different. The Financial Reporting Council published its “Standard for Providing Assurance on Client Assets to the Financial Conduct Authority” in 2015 and revised it in 2019.
Not many people outside of the auditing profession will have read it, but it is a very comprehensive and impressive document. I have trained audit firms on the Standard and I know from that experience that external auditors are much better informed about CASS nowadays and are expected by their own regulator to perform far more intrusive audits.
During May 2023-April 2024, 23% of CASS audit reports received by the FCA were either qualified or adverse.
Combined with this has been the growth of the regulator’s own CASS unit. It is well staffed with people who have extensive knowledge of the rules and how they should be applied in practice. Any firm which has experienced a CASS visit will attest to this.
The approved persons regime and SMCR have contributed to improved accountability within firms for CASS.
Prior to the creation of the CF10A and the CASS Operational Oversight Function (“COOF”), very few people outside of the Compliance department in most firms focused on CASS - the topic was rarely raised in senior management meetings, let alone at the board.
With the combination of the Compliance Officer, the COOF, the CASS prescribed responsibility and in larger firms the SMF24, we now have up to four senior people (usually fewer, as at least two of these roles are often given to the same person) who are accountable in some way for CASS compliance.
The need for CASS training
With these improvements in regulation, audit and senior management accountability, perhaps it is not surprising that firms are significantly incentivised to spend resources on ensuring that they comply with the CASS rules.
We have seen a rise in the number of firms seeking CASS training over the past year, and have conducted many sessions training Boards, Senior Management, front office, Compliance and Operations on the importance of CASS. Training external auditors has also been a constructive experience.
Often, greater regulatory supervision and external audit focus lead to increased disciplinary actions. Perhaps greater accountability taken by firms, less complacency around CASS, and regulators understanding that CASS rules are complex (and no firm will ultimately achieve 100% CASS compliance) all add up to a cleaner bill of CASS health for the industry.
Our CASS courses are designed to provide firms with a comprehensive overview of the FCA’s CASS rules, explore the specific governance requirements the regulator places on CASS firms, and delve into why this aspect of regulation has become such a focus for the FCA, including examples of action taken by the regulator when firms have breached the rules.
To find out more about our in-house, tutor-led CASS training at CCL Academy, or to see a demonstration of our CASS eLearning module, get in touch.
About the Author
Peter has over 35 years’ experience in the field of regulation and compliance. A chartered accountant, Peter spent 6 years working with the UK’s SFA (now the FCA) and has headed up regional and global compliance functions at Paribas, UBS Investment Bank and Bank of America.
Since 2006, Peter has specialised in training, focusing on boards, senior management and assisting the next generation of compliance officers. His coverage includes most areas of compliance and financial crime, corporate governance and risk management. His style is inclusive, interactive and based on practicalities, not just rules.
As Director of GRC Training, he works closely with our clients to ensure that our programmes are tailored to their exact needs and meet, or surpass, their expectations.
