CASS 7 breaches: Rising to the challenge

Posted: 16/06/2022 | Read time: 5 minutes

What are CASS breaches?

CASS breaches occur when a firm’s processes fall short of regulatory requirements laid out by the FCA.

While they should be kept to a minimum, CASS breaches are an inevitable consequence of performing investment business. After all, even though firms adopt processes and controls to limit the frequency and scale of breaches, they still happen whenever accounting records fail to meet CASS regulations.

But effectively recording, monitoring, remediating and learning from such incidents is a hallmark of a mature organisation. Every breach is an opportunity to further improve processes, adapt controls and enhance future compliance.


CASS breaches and the FCA

The FCA places great significance on recorded breaches, expecting firms to meet requirements of the rulebook. Failure to do so will gain their attention. And how a firm responds to a breach is critical.

We know that CASS rules touch every part of an investment organisation. This means that the source of breaches can be spread across the full spectrum of a firm and the processes it carries out. That’s why, in this blog, we break down CASS 7 and how common pitfalls in client money reconciliations can lead to breaches.


Notification requirements

The FCA specifies certain matters of which it expects to be immediately notified. In respect of client money reconciliations, this can be found under 7.15.33 R. Here, the FCA defines scenarios where it expects notification from the firm without delay. In each scenario, there is the concept of “materiality”: where a firm “materially” fails to perform an internal reconciliation, for example.

Firms must perform an analysis to judge whether the matter at hand is sufficiently material to require immediate notification. It is crucial for firms to define their materiality in a policy or standard and apply this as part of breach assessments. This will include quantifying key indicators (monetary value, length of time open or undetected, and the number of clients impacted).

While important, it is essential for firms not to be solely tied to the definition of material within their policy. Breaches can fall below the indicators for material and still be considered immediately reportable. This must be managed on a case-by-case basis to ensure the firm is reporting to the FCA where appropriate. This should also be considered as part of the firm’s annual review of materiality policy.

Good sense says that firms should err on the side of caution when considering whether to immediately report breaches – it will always be easier to explain to the regulator why a breach was reported that did not meet a policy’s materiality requirements than to explain why a breach was not reported that did!


CASS audits

Breaches identified and reported by a firm’s auditor are subject to the FCA’s scrutiny. Audit firms provide the FCA with eyes into regulated organisations. Clearly articulated breaches are essential for the FCA to understand the circumstances and potential harm caused to clients.

The significance of CASS breaches is exemplified by the client money and assets report submitted annually by audit firms to the FCA. The breaches schedule details all CASS breaches identified during the year, providing the FCA with awareness of issues affecting firms and the security of client assets. In response to each breach recorded, regulated firms must provide a summary of the circumstances and remedial actions taken to correct the incident, reinforcing the importance of early identification and resolution.

For many firms, reporting every breach (irrespective of value or significance) feels like overkill. Many argue that such reporting dilutes the focus placed on the most concerning breaches – not to mention the increased workload for firms, auditors, and the FCA.

In this respect, greater attention could be spent on those more material items. However, in the absence of a materiality threshold, all items must still be reported as part of the annual CASS audit submission.


CASS governance and culture

A positive organisational culture promotes openness and creates an environment where individuals feel comfortable to raise issues when they occur. Finding this balance can be a challenge, as firms should also promote compliance with the rules and the importance of avoiding breaches. While following defined processes and procedures is of course essential, early identification and resolution of breaches is equally critical for the protection of client assets.

Understanding root causes and failed controls allows a firm to identify business areas requiring development. A strong governance model ensures that each incident is recorded, enabling a firm to quantify the scale and impact of breaches. Firms should also record the actions required to resolve the incident and, perhaps more importantly, to prevent reoccurrence.

Strategic tasks must clearly articulate the underlying action required, the individual owner and the target date for resolution, to allow tracking and reporting through governance channels. This is the minimum expected both by auditors and the FCA.


Common CASS 7 reconciliation breaches

CASS 7 requires in-scope firms to complete both internal and external client money reconciliations. Firms will no doubt be aware that the internal client money reconciliation is often the most complex and challenging to get right.

The Handbook provides an example of how to perform internal client money reconciliations using the individual client balance method (CASS 7.16.22 E). However, with varied business models and systems in place, it remains an ongoing challenge for firms to achieve compliance.

Below, we summarise some common issues.


  • Use of external data for the internal reconciliation

As the name suggests, the internal client money reconciliation should be a reconciliation of the firm’s internal records. The FCA clarifies this requirement in CASS 7.15.13 R, stating that “a firm must use the values contained in its internal records and ledgers […] rather than the values contained in the records it has obtained from banks and other third parties.”

Data used to form any element of the internal reconciliation must come from the firm’s own books and records. While this may sound simple, it often presents a challenge for firms depending on the structure of their internal systems.

Using bank statements to inform the value of the firm’s client money resource is therefore in breach of rules. Instead, the value of what a firm believes to be held in a client money account should be taken from an internal record of those accounts.

A further common issue occurs where firms rely on completing external processes before using the output to inform the current day’s internal reconciliation. One example here is the use of breaks information from today’s external reconciliation to inform values within the internal reconciliation. Unallocated and unidentified client money are two common examples of where this can occur.

It is important for firms to review their internal reconciliation and to determine the source of each data point and validate that only internal records are used.


  • Incorrect inclusion of items in CM requirement

When performing the internal reconciliation there are specific items which must be reflected, such as when calculating the total of individual client balances. Equally important is ensuring only those items that should be included are included.

The internal reconciliation is performed to identify an excess or shortfall in the client money bank account. The process will often result in a real-world banking movement between firm and client money bank accounts to correct the position.

It is imperative that firms ensure the internal reconciliation is not also used as a vehicle for driving funding movements between the firm and client bank accounts. This can sometimes be the case where firms complete a daily funding process and then reflect this value in their client money requirement to facilitate a funding payment.

One such example is custody asset shortfalls. The rules of CASS 6 require firms to segregate firm money or assets to cover the value of an asset shortfall. Each day, firms will calculate the value of shortfalls and cover the amount with firm assets.

Where firms use cash to cover this value, it can feel sensible to include this amount in the client money requirement, driving funding movement from the firm. While this may facilitate a single calculation and generate a single shortfall or excess amount, it is not compliant with prescribed rules.

As the process of identifying custody asset shortfalls is completed on the same day as the internal reconciliation, the value should not be reflected in the client money requirement in this manner. This is a funding process that should sit outside completion of the internal reconciliation, as it does not strictly form part of the firm’s internal records at the close of the previous business day (CASS 7.15.15R (1) (a)).

To add further complexity, the values funded from the previous day’s custody asset shortfall process should be reflected in today’s internal reconciliation. These entries would form part of the firm’s internal records at the close of the previous business day.


  • Internal reconciliation discrepancies

When following the normal approach to client money segregation, the internal reconciliation should check whether the amount of money the firm believes is segregated in client money bank accounts (resource) is sufficient to meet the firm’s obligations to its clients (requirement). Where this is not the case, the firm must take action to address either the shortfall or excess identified by the process.

Addressing a shortfall in the client money bank account with firm cash, or removing an excess, is an important aspect to protect client money. Of course, failure to do so constitutes a CASS breach.

The rules also state that a firm must “determine the reason for the discrepancy” (CASS 7.15.29 R), which is one aspect commonly overlooked by firms. Importantly, the FCA expects firms to identify the cause of a shortfall or excess and consider whether this is the result of a breach of client money segregation requirements (CASS 7.15.29A R). Where this is the case, preventative action must be taken.

As such, it is not sufficient to only take action to address the shortfall or excess – firms must also be able to explain the cause of discrepancies.


  • Use of a non-standard method without prior approval

Where any of the above breaches are identified, auditors can view the firm’s internal client money reconciliation as being non-standard. In other words, it fails to meet the requirements of a standard method of performing internal client money reconciliations.

Unfortunately for firms, this will also result in a breach of requirements outlined in CASS 7.15.18 R, which details the various actions firms must take before using a non-standard method of internal reconciliation. This is an automatic consequence where the firm had considered its process to be following a standard method, but it is later found not to be.

Nevertheless, if the auditor deems internal reconciliations to be non-standard, they will then expect firms to meet the non-standard method requirements. These include documenting reasons for using this method, notifying the FCA of intention to use a non-standard method and providing an auditor report to the FCA detailing whether the firm’s systems and controls are suitable for performing the chosen method.

These steps will of course not have been taken where the firm believed they were performing a standard method of internal reconciliation. They will therefore be recorded as a breach where this is deemed not to be the case.


The bottom line

CASS breaches will remain an ongoing challenge for firms. However, self-identifying and remediating a breach is a far better outcome than it being identified by an auditor or the regulator. Some important actions firms can take in respect of breaches include:

  • Ensure there is a culture that promotes early escalation of incidents when they occur – i.e. a no-blame culture
  • Breaches must be recorded with clear details of the circumstances, as well as impact and actions required to remediate
  • Use breaches as an important source of information for identifying development areas in your organisation
  • Where breaches are the result of overly complex processes with many manual touch points, make a plan for automation to increase control
  • Review your internal client money reconciliation and the data used within the process to ensure compliance with the rules