Dangers of complacency: Are your Client Asset Sourcebook (CASS) controls really as watertight as they should be? How financial services firms can gain confidence in CASS compliance

Dangers of complacency: Are your Client Asset Sourcebook (CASS) controls really as watertight as they should be?

How financial services firms can gain confidence in CASS compliance

By Dina Devalia, Managing Director, Quantuma


If your business goes down, failure to segregate clients’ assets could leave clients/consumers seriously out of pocket. But poor systems, oversight and control, combined with a lack of proper documentation, mean that many financial services (FS) firms are falling short of their CASS obligations and leaving their senior management team at risk of severe regulatory sanctions.

Dina Devalia, Managing Director at Quantuma, looks at why CASS should be front and centre of the boardroom agenda and how to gain real confidence that your client money safeguards are fit for purpose.

The collapse of Lehman Brothers may have been more than 15 years ago, and we all have an indelible image of shellshocked staff leaving their offices, cardboard boxes in hand. And even after all this time, the administration has yet to be fully wound up.

Of the many breakdowns in governance that led to Lehman’s fall, the failure to register custody assets appropriately and keep client money separate and safe, stands out. Some client assets had been diverted abroad and could not be repatriated when the bank went under. Others had not been identified as belonging to clients and were therefore not segregated in a separate account. As a result, the firm did not have enough accessible funds to return the money it had been holding on clients’ behalf.


Legal limbo

Once in administration, the clients with assets that Lehman Brothers had failed to segregate were forced to join a long queue of unsecured creditors, rather than having any proprietary or preferential rights over their own funds. The risk of falling into this legal limbo is one of the main reasons why it is so important to ensure that client asset safeguards are right first time.

The bulk of the client assets were eventually returned, but only after lengthy legal wrangling that culminated in the 2012 UK Supreme Ruling. In the Justices’ summary, they concluded:

“In an ideal world, the flawless operation of the scheme created by the CASS 7 rules would ensure that, upon a firm’s insolvency, the clients would receive back their money in full, free from the claims of the firm’s creditors. In the imperfect and highly complex real world occupied by LBIE [Lehman Brothers International Europe] and its numerous clients, there has been a falling short in the achievement of these objectives on a truly spectacular scale.”


FCA tightens up rules

To help prevent the lapses highlighted by Lehman’s collapse, the FCA tightened up its CASS rules in 2015.


Summary of CASS obligations

‘Client assets’ include financial instruments held for clients, such as shares, bonds or fund units (custody assets) and money held for clients in connection with investment business (client money).

As one of the some 1,500 FCA regulated firms that carry out investment business, you must follow rules set out in the Client Assets Sourcebook (CASS) whenever you hold client assets as part of your business. This is to keep client money and assets safe if your firm fails and needs to exit the market.

To reduce the risk of financial loss, you should:

  • identify risks
  • assess risks
  • manage risks as mitigation

Firms holding or controlling client assets must report the value of their assets. This includes:

  • brokers
  • investment banks
  • custodians


CASS classification

Your CASS firm type (small, medium or large) is based on the size of your client money or custody asset holdings (or both). Your firm must make an annual notification about the money and assets you hold to identify whether your firm is small, medium or large. This will enable you to see what your firm’s classification will be (see CASS 1A.2).




CASS firm types

CASS Classification Questionnaire

You must complete the CASS classification questionnaire every year within 15 working days of
31 December. The FCA will email this questionnaire in December to your firm’s:

  • Director or senior manager responsible for CASS, or on RegData system.

If you reported a zero balance in the previous calendar year, you must still complete the questionnaire. CASS small firms don’t need to complete a Client Money and Asset Return (CMAR).

What CASS medium or large firms must do:

  • Complete a client money and asset return CMAR
  • Make a director or senior manager responsible for CASS

Complete a monthly Client Money and Asset Return (CMAR)

You must complete a CMAR via RegData every month. This gives the FCA an overview of your client money and safe custody assets.

Source: FCA Handbook


Rather than just a tick-the-box compliance exercise, the FCA sees the CASS rules as a key foundation for market integrity: “The protection of client assets is central to confidence in the UK markets and fundamental to consumers’ rights and the trust they place with firms.”

If we step back from the fine print and look at the essence of the CASS rules, there are six key planks:


1/ Segregation

You need to promptly pay money received from a client into an account that is identifiably separate from your firm’s account. To cover for delays or deficits, you can pay your own money into the account through ‘prudent segregation’. Otherwise, mingling of firm and client funds is prohibited and you cannot use prudent segregation as a just-in-case measure (or buffer), it may only be used for a specific situation.


2/ Reconciliation

To ensure that you meet your obligations, you need to compare what you hold in the client account against what you should hold. You should also make sure that your internal records match those of your bank, custodian or other third-party. This opens up a huge number of potential risks ranging from poor data feeds, record-keeping and systems integration, to change of banks, custodians or business strategies.


3/ Remediation

If the reconciliation reveals a discrepancy, this should be investigated within 10 days setting out how you investigate this, what breach has arisen and the requirement to hold the right amount of money.


4/ Risk management 

Risk analysis should be carried out regularly and documented for sharing with your auditor and the FCA. A good starting point is assessing the processes for recording, resolving and reporting breaches and errors. In line with the remediation process, you can then look into why mistakes are being made and how to prevent them. The red lights for deeper problems include regular delays and irregularities in reconciliation.


5/ Leadership

Responsibility for meeting client asset obligations rests squarely with the board, both through CASS itself and the Senior Managers and Certification Regime (SM&CR). This includes assigning a senior manager to take responsibility for CASS. As a medium or large category firm, you will also need to appoint a single director or senior manager to oversee and report on the operational effectiveness of your CASS systems and controls.


6/ Audit

Your auditor needs to assess whether your systems and controls enable you to comply with the CASS rules and whether you were compliant at period-end.


Crossovers and reinforcements

FCA scrutiny of CASS controls has been heightened by the introduction of the new Consumer Duty. The segregation and safeguarding of client assets are clearly central to putting customers first and protecting them from harm under the Consumer Duty. But there are also specific and potentially risky crossovers. A clear case in point is interest paid on client money, which was the focus of a Dear CEO letter in December 2023, due to a number of firms not having operated their payment of interest procedures for some time, and in some cases, ever.

The overlaps with wind-down planning are highlighted by the need to prepare and update a CASS resolution pack. If your firm folds, the key aim of the CASS resolution pack is to help insolvency practitioners retrieve the key information and navigational instructions they need to ensure a timely return of client assets. The FCA focus on these packs is likely to have been heightened by concerns over what it sees as “widespread weakness in wind-down planning”.


Coming down hard

Have FS firms learned the lessons from Lehman’s and strengthened their client asset safeguards? The jury is out.

Fifteen years on from Lehman’s demise and eight since the FCA launched its updated CASS rules, there is an inevitable danger of complacency. Board members might say that “we’re not at risk of failure, so why should we worry?”. The answer to this question is that the inherent risk of a ‘doomsday scenario’ is always there and can come like a bolt from the blue.

Crucially, the FCA has also signalled its readiness to sanction otherwise healthy firms for failure to comply with the CASS rules. Examples include the fine of £8.96 million levied against Charles Schwab UK in 2020. The ‘Final Notice’ followed a string of CASS lapses, including the mingling of firm and client money and failure to prepare a resolution pack. In echoes of the Consumer Duty, the FCA noted that “the customers affected by these breaches were all retail customers and therefore required the greatest level of protection”.


The buck stops at the top

The risks to senior management were highlighted by the £486,600 fine for the CEO of One Call Insurance in 2018 for failing to arrange adequate protection for the firm’s client money. This was in addition to the £684,000 fine for the firm and the restriction on its ability to collect renewals.


Taking control

So, how can you make sure that you are meeting your CASS obligations? In my experience, three priorities stand out:

1/ Keep checking, challenging and updating

CASS compliance processes need to keep pace with developments in your business, your risk environment and the tools and technology used in record-keeping and reconciliation. Your board should take the lead in regularly re-assessing whether systems and controls are still fit for purpose and how they can be improved.


2/ Build CASS into overall risk, governance and compliance

The overlaps with other regulatory obligations including SM&CR, Consumer Duty and wind-down planning underline the need to build CASS into your enterprise risk management and governance procedures. Again, your board should take the lead in managing the strategic, compliance and reputational risks, ensuring they allocate adequate resources to deliver against their risk appetite.


3/ Seek out independent review and advice

A CASS audit can provide a level of assurance. But by the time the period-end evaluations are carried out, it may be too late. That is why it is so useful to get expert advice upfront, as you look to identify weaknesses and bring systems into line with the latest best practice. Firms should not rely on audits to identify areas of weaknesses or breaches, but audits should confirm the checks that are in place. There will always be breaches arising, for example due to timing differences, and firms need to ensure they are in a position to understand and explain how/why these have arisen.


Don’t wait until it’s too late

In this article, I have looked at why you should not underestimate the CASS risks and what it takes to assure the FCA that your safeguards are up to scratch. The other big takeaway is the need to deal with deficiencies promptly and ensure you have proper systems and controls in place to document the action taken. With your board in the direct firing line, the resulting fallout could include protracted litigation, stiff regulatory penalties and career-threatening reputational damage. But get this right, and CASS can not only bolster your credibility with the FCA as regards the safeguarding of client assets, but it can also enhance your brand.


Here to help

If you would like to know more about CASS controls or how we can help, please get in touch.

Dina Devalia, Managing Director, Quantuma