The FCA's Consultation Paper marks a significant shift towards strengthening the governance and oversight of safeguarding practices within the Payment and E-money sector. Often cited in FCA enforcement action notices as the root cause of pervasive client asset failings, inadequate governance and oversight can have a substantial impact on the wider control environment and compliance.
Leveraging the established principles of the Client Asset Sourcebook (CASS), the FCA aims to foster a culture of proactive risk management and robust oversight within Payment and E-money firms, ultimately enhancing the protection of clients’ relevant funds.
While this consultation paper does not prescribe specific governance or organisational arrangements, valuable insights can be gleaned from standards expected by the FCA and auditors of existing CASS firms and the expectations outlined within the FRC CASS Audit Standard.
The FCA takes a very serious view on firms failing to comply with the CASS rules and proactively uses the enforcement tools at its disposal. Many of the Section 166 notices issued cite a lack of strong governance as one of the root causes.
The Critical Role of Culture and "Tone from the Top" in CASS Governance
While structural elements like policies, procedures, and assigned responsibilities are essential for CASS compliance, they are insufficient without a supportive culture and strong "tone from the top." The FCA heavily scrutinises a firm's culture and the conduct of its senior leaders when assessing CASS governance. The FRC CASS audit standard, specifically clause 81, mandates that CASS auditors assess a firm's CASS culture while evaluating the control environment. This assessment focuses on determining whether a culture of honesty and ethical conduct prevails, particularly regarding the treatment of beneficial owners of client assets.
Inadequate culture and "tone from the top" can contribute to CASS failings in a number of ways, including:
1. Lack of focus on Safeguarding as a framework:
- Profit Prioritised Over Protection: A culture that prioritises profit generation over the safeguarding of client relevant funds and assets can lead to shortcuts and compromises in CASS controls.
- Underinvestment in People: A reluctance to invest in a sufficiently resourced and experienced team dedicated to relevant funds/assets handling can lead to critical errors due to lack of expertise or overwhelming workloads.
- Inadequate Systems: Trying to force-fit safeguarding processes into systems not designed for CASS compliance creates a minefield of manual workarounds and increased risk. This short-sighted approach prioritises cost-saving over compliance, leaving the firm vulnerable to breaches and financial losses.
- Haphazard Policies and Procedures: Failing to establish clear, comprehensive policies and procedures for relevant funds/assets handling is akin to navigating a complex maze without a map. This lack of guidance increases the likelihood of inconsistent practices, misunderstandings, and ultimately, regulatory breaches.
- Client Money Seen as "Low Risk": Dismissing CASS/Safeguarding risks as minimal breeds complacency and undermines the vigilance required to identify and mitigate potential threats. A robust risk management approach, like the rule-by-rule risk assessment expected by the FRC CASS audit standard, is essential. Whilst it is not explicitly required within the FCA’s proposed rules, this is an implicit requirement to maintain adequate organisational arrangements as clarified for existing CASS firms by the FRC CASS audit standard. This involves:
  - Regularly assessing the inherent risks to relevant funds/assets within the firm's specific business model.
  - Implementing controls designed to mitigate those risks effectively.
  - Continuously monitoring and testing those controls to ensure their ongoing effectiveness.
2. Weak Tone from the Top:
- Inconsistent Messaging: Senior leaders may publicly champion CASS compliance but fail to demonstrate this commitment through their actions and decisions.
- Tolerance of Non-Compliance: A culture where CASS breaches are overlooked or tolerated can create an environment where more serious violations are more likely to occur.
- Lack of Accountability: The absence of clear accountability for CASS compliance at all levels of the organisation can foster a culture of blame-shifting and hinder efforts to address root causes of failings.
3. Ineffective Communication and Training:
- CASS Messaging Not Embedded: Communication about CASS rules and expectations is not integrated into regular staff training and communications, leading to a lack of awareness and understanding.
- "Tick-Box" Approach to Training: CASS training is treated as a compliance formality rather than an opportunity to reinforce the importance of client asset protection.
Proactive Steps to Mitigate Risks: Inadequate Governance and Oversight of CASS Compliance
Ensuring a strong culture of compliance and robust CASS governance and oversight can be hard. To avoid falling into any of the abovementioned pitfalls, firms should take the following proactive steps:
1. Enhance Board and Senior Management Oversight:
- Implementation of a Dedicated "CASS Committee": Elevate client asset protection by establishing a dedicated "CASS Committee" as a sub-committee of the board or audit committee. This committee would provide laser focus and robust oversight on all aspects of CASS compliance and risk management, ensuring accountability at the highest level.
- Dedicated CASS Agenda Items: Include dedicated CASS discussions as standing items on board and relevant committee meeting agendas, ensuring sufficient time for in-depth review and proactive risk management.
- Robust Challenge and Scrutiny: Implement a framework for the board and senior management to effectively challenge and scrutinise CASS reporting from the business, including key performance indicators (KPIs) and incident reporting.
- Comprehensive CASS Training: Provide mandatory CASS training to all board members and senior managers, ensuring they understand the rules, their firm's obligations, and their oversight responsibilities.
2. Allocate Sufficient Resources to CASS:
- Adequate Staffing and Expertise: Ensure sufficient staffing levels for CASS operations with individuals possessing the necessary skills, experience, and qualifications. Conduct periodic skills gap analyses and provide targeted training to address any deficiencies.
- Comprehensive and Ongoing Training: Implement a comprehensive CASS training program for all staff involved in CASS operations, covering relevant rules, procedures, and risk management. Provide regular refresher training to keep knowledge up to date.
- Invest in Appropriate Systems: Invest in and maintain appropriate systems and technology to support CASS compliance, automating manual processes, improving data accuracy, and enhancing efficiency.
3. Strengthen Independent Assurance over CASS Processes:
- Incorporate CASS into your Second and Third Lines of Defence: Establish a dedicated internal audit or compliance function with the expertise and independence to provide comprehensive assurance over CASS processes.
- Enhance Assurance Activities: Ensure internal audit or compliance reviews of CASS operations are risk-based, appropriately scoped, appropriately frequent, and effectively challenge the design and effectiveness of controls.
- Timely Management Action on Findings: Implement a robust process for tracking, addressing, and reporting on findings and recommendations from internal and external audits related to CASS compliance. This includes establishing clear timelines for remediation and escalation procedures for any delays.
How Can We Help?
Navigating the complexities of CASS compliance and establishing robust governance arrangements can be challenging. Deloitte's team of experienced and specialised professionals can provide invaluable support to your business in this area. We offer tailored solutions, including CASS health checks, development of policies and procedures, implementation of robust systems and controls, and training programs for staff at all levels.
We can also present to your board on the importance and impact of these upcoming regulations. Our goal is to partner with you to ensure your CASS framework is not only compliant but also strengthens your operational resilience and protects your firm's reputation. Contact us today to learn more about how we can help you navigate the evolving landscape of CASS compliance.
Our team at Deloitte are here to support and help navigate these upcoming changes. Please contact Kiran Thaliwal, Thomas McLean, Ed McNamara, Gian Thoresson, Phil Ackroyd or Stephen Pryor to discuss how we can assist you in this area of CASS compliance.