Many UK investment firms that hold and/or control client money and assets are required by the Financial Conduct Authority (FCA) to undergo an annual CASS audit. Demonstrating your firm’s compliance to an auditor is more important than ever in light of the regulator’s broader push for companies to better protect consumers and safeguard client assets.
Julie Tuffrey, Senior Manager in the Investments Team at fscom, is a senior CASS executive with over 30 years of experience in this critical area. She recently held a webinar to help firms to prepare for a CASS Audit. In this blog, we identify the key steps investment firms should take to perform well in an audit, and to improve their overall confidence in safeguarding client money and assets.
What you need to know about a CASS Audit
CASS (or Client Asset Sourcebook) audits are conducted annually. They are retrospective and assess, firstly, whether the firm maintained adequate systems and controls to comply with the relevant regulations throughout the period; Secondly, they examine whether the firm complied with the rules by the end of the period.
Under CASS, investment firms are expected to comply with Principle 10 of the FCA’s Principles for Businesses and provide adequate protection for client money and assets while they are responsible for them. This is part of the regulator’s agenda for firms to improve their safeguarding of client assets, and to put consumer protection at the heart of their activities – a trend we expect to continue in the coming years.
How to prepare for a CASS audit
Auditors will want to see evidence of firms’ protection of client money and assets in several key areas, including:
- Understanding of CASS’ application to their activities: Companies need to understand and document their CASS footprint, i.e., the areas where CASS is relevant across the customer journey and the business’ operations. Additionally, auditors will want to see that firms have documented their rationale for why CASS does or does not apply to each area.
- Skilled employees: Staff in an investment firm whose activities could relate to CASS need to be aware of the requirements. Providing adequate training can help with compliance here.
- Strong controls: The auditor will look across the business at how CASS has been applied and what controls have been put in place to ensure client money and assets are segregated and protected. If third parties are involved in the safeguarding process, the investment firm should be able to demonstrate that the right governance and controls are in place to manage them.
- Reporting and record-keeping: The auditor will expect to see detailed reporting on CASS touchpoints and any reconciliations that have been carried out. This necessitates thorough record-keeping of all incidents and breaches that have been logged and managed, and documentation of how processes were then strengthened to prevent the issue recurring. Long-standing breaches or problems will be judged harshly by an auditor.
As so often in compliance, regulators demand that firms undertake an assessment of their CASS impact and risks on an ongoing basis. It is best practice to carry out regular risk assessments on the company’s potential CASS impacts.
8 recurring themes in CASS audits
Learning from other firms’ past audits is a good way for investment firms to improve their CASS compliance, and fscom experts possess an unrivalled insight from their experience in preparing firms for their CASS audits We have highlighted eight areas where auditors regularly make findings, which firms should consider:
- Acknowledgement letters: Auditors often find issues with letters from firms, such as incorrect naming, missing contact details, or typographical errors.
- Reconciliations: Many firms struggle to provide firm evidence that action was taken to correct an issue, such as providing dates for when the reconciliation was carried out. Without this evidence, the auditor will simply assume it did not happen.
- Total capture of data: Auditors expect a complete account of client money and assets for reconciliations, governance and record keeping. This is a particular challenge when firms have automated this process, and they should be able to clearly explain the underlying code to auditors.
- Change management: Firms need to be able to show that they can manage change from a CASS perspective.
- Controls and governance: Auditors often make findings about a firm’s ability to address failures and breaches relating to CASS, which comes back to limitations in their controls and governance.
- Policies: Issues have arisen around the accuracy and validity of policies, procedures and customers’ terms.
- Third parties: When firms engage third parties whose activities relate to their CASS obligations, auditors want to see that they were assessed as competent, fit and proper to align with the CASS rules.
- CASS record-keeping: Auditors have regularly found that data is missing which would prove a firm’s CASS activity. Gaps are most likely to appear in exceptional processes, rather than business-as-usual activities.
Create a positive CASS culture through training and communication
Ultimately, an auditor will look at the effectiveness of a firm’s governance from a CASS perspective. Our advice is therefore to create a positive, open culture around CASS (and risk management in general) across the company. This lets colleagues feel empowered to raise their hands and ask questions even if this something that is already been dealt with, rather than staying silent out of fear of a blame culture when things go wrong.
Firms should assess the capabilities and awareness of CASS across their staff, especially those whose remits could interact with CASS areas of client asset safeguarding. If your employees can identify CASS touchpoints and know what good looks like in terms of designing controls, this will help your CASS compliance and overall protection of client assets.
Training is therefore an important enabler of a positive culture. Firms have seen good results after sending staff to industry events and webinars, or when they have set up sessions led by an external trainer which allows staff the time and space to engage critically with CASS outside of their normal day.
Taking these steps to improve your CASS preparedness will not only help your performance in an audit, but it will demonstrate your commitment to protecting your customers and their money and assets.
How we can help
Our team of pragmatic experts help firms in preparing for their CASS audit through mitigating audit risks (following audit outcomes) and responding appropriately to management points. We ensure actions are structured into tangible work packages with appropriate governance, ownership and completion to address any focus areas. Key services we provide include CASS healthcheck and gap analysis, pre audit assessment and assurance report, remediation package, best practice structures and core controls framework and bespoke training.
This post contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate.
If you would like to discuss preparation for your next CASS audit or any element of your CASS framework, contact us today: