CASS 7: How to avoid breaches when using PSPs & e-money firms

Posted: 14/07/2023 | Read time: 6 minutes


The payments industry has boomed in recent years. Firms in this space are some of the most technologically advanced organisations across financial services.

These innovations mean Payments Services Providers (PSPs) can facilitate client payments in high volumes, so it’s becoming common for investment businesses to use PSPs to transact with their clients. However, investment firms are in scope of the FCA’s client money regime and payment organisations are not, which raises several regulatory challenges.

This blog breaks down some key discussion points in this area and looks at common CASS 7 challenges presented by the relationship between investment firms and PSPs.


Regulatory context: CASS 7 and payments regulation

Firms that receive and hold money on behalf of clients in connection with investment business are subject to the FCA’s client money rules.

CASS 7 rules define the actions firms must take throughout the entire lifecycle of their client’s money – from initially receiving funds, the steps they must take while holding a balance of client money, to the acceptable terms under which they can pay client money out of a business.

Requirements are onerous and the consequences for compliance failures are often severe.

The UK’s regulatory regime for payment services and e-money firms is set out in the Payment Services Regulations 2017 (the PSRs 2017) and the Electronic Money Regulations 2011 (the EMRs). Under the regulation, firms acting as either a Payment Institution (PI) or an Electronic Money Institution (EMI) need to be registered with or authorised by the FCA.

The FCA sets out its supervisory role and what it expects of PIs and EMIs in its approach document. While the approach sets out safeguarding requirements, it is far less comprehensive than the FCA’s CASS rules. Nevertheless, there are many similarities in terms of key principles, especially around segregation and reconciliation requirements.

The FCA confirmed its plan to consult on changes to safeguarding requirements during 2023 in the regulatory initiatives grid, published in February. Many anticipate this refresh will bring the regime more in line with CASS.


Client money and PSP challenges: The FCA’s observations

As the regulator of both investment businesses and payment and e-money firms, the FCA continues to observe the growing use of PSPs to process client money transactions. They recently noted a growing trend in CASS issues from annual audit reports related to the use of PSPs and e-money firms to process client money transactions.


Investment firms should consider these four key things when using PSPs and e-money firms

  1. Understanding transactional flows

CASS-regulated firms must map out transactions to demonstrate a clear understanding of how client money flows in and out of their business. Process flows should determine the points at which client money is received by and transferred out of the business. As such, they are vital for documenting a firm’s CASS footprint.

The use of PSPs adds an additional layer to the transactional flow, which limits a firm’s ability to clearly map out the end-to-end process. The activity flowing through a PSP is opaque to the investment firm, meaning they can’t map out the transactional process from cash leaving a client’s bank account to when it is received by the firm. This creates a period of uncertainty, with firms unsure where client funds are held.

Using PSPs also creates a potential time lag during the transactional process. During this period, funds are no longer held in the client’s bank account and have not yet been deposited into a client money bank account. This raises a potential CASS issue regarding the timeliness of client money receipts.

Firms need to make sure funds have been received before a client is given access to them. Understanding transactional timeliness is crucial for maintaining this compliance.


  1. Balances held at PSPs

Time lags in the payment process raise the question of where funds are held for the intervening period. Depending on the extent of payment timescales, this may give rise to balances of client money being held in PSP accounts – a concern the FCA has already noted.

CASS 7.13.3 R defines where a firm must deposit all client money upon receipt. In most cases, this means depositing the funds into a client money bank account (CRD credit institution as per CASS 7.13.3 R(2)). Funds held in an account at a PSP, or in an e-wallet with an e-money firm, are considered a CASS breach if the firm does not qualify as a CRD credit institution.

If not already prompted by their auditor, CASS firms must review their operational processes and determine if they are incorrectly holding client money balances with PSPs or e-money firms. It’s insufficient to rely on capturing these balances as part of the client money resource to achieve compliance.


  1. Less mature control environments

While PSPs and e-money firms are forward-thinking, there are still concerns that they lack the level of control environment found across more traditional financial sectors. After all, building a mature financial control environment takes time and the right expertise.

This was one concern noted by the FCA in the recent Dear CEO letter issued to the sector:

“…we remain concerned that many payments firms do not have sufficiently robust controls and that as a result some firms present an unacceptable risk of harm to their customers and to financial system integrity.”

This reflects why the FCA does not want investment firms to hold client money balances with payment firms. One of the CASS regime’s priorities is to ensure the swift and orderly return of client money in the event of a firm’s insolvency. Where funds are held with PSPs and e-money firms, returning assets to clients is more problematic. This is because there is no assurance that client money is appropriately always segregated.

Failures in payments firms’ control environments are therefore a risk to security – an area where the FCA expects firms to take action.


  1. Payment of fees

In the course of business, an investment firm will pay fees to the PSP for their services. How fees are paid and collected may give rise to a CASS breach. Investment firms need to be mindful of this and review their current process.

It will constitute a CASS breach if the collection of fees is deducted from the settlement amount due to be paid from the PSP to the investment firm. This was a recurring theme identified from CASS audits conducted in the last year and reported to the FCA.

The PSP should transfer the full client payment to the investment firm, who must ensure the funds are deposited into an account as detailed in CASS 7.13.6 R, as per the normal approach.

Where fees are deducted from the net settlement, investment firms need to make up the shortfall after it receives and allocates the funds to clients. Fee payments should instead be handled as a separate transaction between the investment firm and the PSP without involving client money movements.


CASS compliance, PSPs and e-money: What to expect in the future

The growth of PSP and e-money firms means investment firms will continue to use them. Firms need to review their processes and consider what changes are required to achieve CASS compliance. In some cases, additional controls may be required to ensure the protection of client money. Firms may determine the need to pre-fund client transactions or hold firm money under prudent segregation to address some of the concerns noted in this blog.

It’s clear the FCA is focusing on payment and e-money firms to alleviate concerns. Upcoming changes to safeguarding requirements will likely see the regime brought closer in line with CASS regulations. This could see an additional payments chapter added to the CASS handbook or creation of a separate rulebook.

Both CASS-regulated organisations and payments firms involved in client money transactions should watch these regulatory developments closely.