How can firms avoid falling foul of CASS Requirements…and avoid the potential costs and fines of further action…
The principles of keeping client money safe…
There is a reason that keeping client money and assets safe is one of the eleven ‘principles for businesses‘.
The FCA’s overall objective of ensuring that markets work well, and supporting objectives of protecting the consumer and enhancing the integrity of markets ensure that keeping client money and assets safe is a key priority.
Put yourself in the shoes of the regulator; what would cause more public outcry or detriment to these objectives than clients losing money given to the safekeeping of firms authorised by the regulator?
These are the key drivers for the recent FCA actions and increased focus on this subject. In a little over five years, the CASS team at the FCA has swelled from four individuals to over fifty, and CASS will be a key area in any FCA visit.
The gamut of new rules and regulations, reporting and oversight is driven from the lessons of Lehman (and many other firms) and not one the FCA will forget in a hurry.
CF10As and others responsible for CASS oversight will be aware of the increased FCA scrutiny in this area, and some of the large fines imposed by the FCA where they identified failings.
The levels of fines are eye catching and are unlikely to reduce as long as the FCA (and auditors) continue to identify issues with CASS compliance. Barclays and BNY were recent culprits with fines of £38 million and £126 million respectively.
It is not only large firms who are falling foul of the enforcement team, with Xcap Securities and Aberdeen Asset Management suffering from fines over the last few years (and this is just the tip of the iceberg).
Recent changes and FCA communications
Many of the changes in CASS rules since 2010, from the introduction of the CF10A role, to regular reporting (and improved audit reports) have come about as a direct result of the fallout from Lehman Brothers and MF Global.
The introduction of the CASS Resolution Pack and restriction of holding funds within group entities in 2012, as well as the recent Policy Statement from 2014 are also a product of this and are a reflection of the desire for firms to put their houses in order.
It is not surprising therefore that the FCA CASS team continue to focus heavily on these changes when reviewing firm’s compliance with the regulations. However, despite the number of fines and the extent of FCA focus, firms are still failing to comply with the rules in a number of key areas.
The FCA pinpoint the following themes as key issues in their recent communication to CFD and spread betting firms – although the findings will be of relevance to all firms subject to CASS:
- CASS Resolution Packs: Incomplete with missing core contents requirements and records, inadequate frequency of updates and lack of formal approval by the governing body.
- Internal client money reconciliation: Non-compliant or no internal reconciliation using external bank balances only. Lack of adjustment for un-cleared cheques and unidentified receipts.
- Some firms were giving credit to client accounts before funds had cleared through various payment systems without prefunding. Some firms included negative equity in the client money requirement.
- Acknowledgement letters: Incorrect wording, account names and unsigned letters.
- Client agreements: some terms did not reflect the practice of how the firms were treating clients.
But the FCA also makes the point that this is by no means an exhaustive list of issues that have been identified…and standards are still falling short of expectations.
Expect the next round of visits to produce more concrete action if firms are not up to scratch.
What should you have in place?
The FCA has been clear; they expect senior management to ensure that client money (and assets) are protected.
Whilst the burden of work may well fall on the CF10A and those with CASS oversight roles the FCA require firms to implement appropriate governance and controls which will include (on a proportionate basis):
- identifying how client money or assets come into the business (scoping cash flows, products, accounts used and contractual obligations)
- processes, procedures, policies (from T&Cs through to appropriate trust accounts and due diligence and compliant reconciliations)
- controls (checks, clarity of roles and responsibilities, compliance monitoring, ongoing reviews of issues and importantly, MI)
- board/senior management oversight (ensuring the above is in place and working, competent staff and reviewing MI, reporting lines and support in place)
This appears simple in practice.
However, common failings are caused by a lack of clear internal records, with firms instead relying on using information from bank statements to keep a track of client money and carry out internal reconciliations.
Reconciliations – particularly internal reconciliations – can go awry when firms use data from several sources (internal records, MT4 platforms, excel spreadsheets) and do not ensure that each stage of the client money resource and client money requirement calculation are carefully calibrated to include each step outlined in CASS and identify any shortfall or surplus.
Other issues include pre-funding (allowing clients to use money from the client money account before cleared funds are held) and poorly documented client money buffers.
Firms also underestimate the importance attached to CASS Resolution Packs; the FCA has highlighted this as a key tool in allowing an administrator/insolvency expert to return client money correctly and promptly.
Hence this should be given prominence in the thoughts of the senior management and the CF10A (or those responsible for CASS oversight).
The rules are clear that – as a minimum – a report is provided annually to the governing body to ensure that the CASS Resolution Pack is being produced correctly.
Whilst most firms have ensured that they have applied the simpler rules which came into force in the last year – updating client account trust letters and terms of business and carrying out simple due diligence on banks where client monies are held – they are missing the ‘devil in the detail’ and leaving themselves exposed to the risk of a serious breach of the CASS rules elsewhere.
Most firms are definitively aware of the route client money takes coming into the business, accounts where client money is held, and how and when this is paid out again (and everything in-between).
Firms should therefore be able to produce a ‘client money map’ which demonstrates the various steps of this process.
Once this is completed, it serves as a useful tool in identifying where in this chain the firm can come unstuck when trying to comply with the CASS requirements, highlighting key risks areas which should then be a focus of systems and controls to mitigate these risks.
The controls (and processes) should flow naturally from this, highlighting (for example) when there may be issues with uncleared funds (in or out), unidentified money and monies held with third parties.
Once this is clear, and the reconciliation is aligned with CASS 7.16, thought should be given to management information required.
Those responsible for CASS oversight should ensure that information on reconciliation issues is provided alongside controls (and failings) in areas of higher risk to demonstrate the firm has the appropriate systems and controls in place, and that the key risks identified are being managed.
If they are not – and the MI identified this – there should be a clear plan of action as to how to mitigate these risks even further.
This should be agreed and signed off by senior management. As such there needs to be clear reporting lines, regular MI, and a clear understanding of roles and responsibilities and a record trail of actions taken to ensure compliance with the CASS rules.
Remember the fundamentals do not change; the aim is to ensure that client money is ring fenced and protected at all times.
Clearly this is a brief summary, and any policy and processes in place should be proportionate.
However the FCA has given fair warning of the standards they expect; firms would be wise to consider whether they can demonstrate appropriate governance of client money if there should be a visit by the CASS team or expect the FCA to take significant (and costly) interest.
Complyport can help
Failure to comply with CASS rules can be a key concern – and not only for those with direct ‘CASS oversight’.
With emphasis on the ‘three lines of defence’ model (compliance/risk/audit) and direct responsibility resting on senior management to have appropriate governance in place we understand all parties want reassurance they are following the rules, or assistance in implementing systems and controls.
Complyport is well placed to assist because:
- Our internal expertise comes from former regulators and staff with hands on experience in dealing with CASS issues and relevant accountancy qualifications.
- We have experience of dealing with FSA/FCA Section 166 cases related to CASS issues and understand the regulators expectations.
- We have a flexible approach and can match our service to meet your requirements. Our service can be a deep dive review or we can provide assurance to senior management that they are compliant with the requirements (with practical tips to comply if there are identified gaps).
If you want assistance in meeting the CASS rules or peace of mind that comes from a review from qualified experts, we would be happy to discuss how Complyport can assist.