CASS 6 and CASS 7 place prescriptive demands on firms responsible for holding custody assets or client money. With over 500 rules, guidance points and evidential provisions across the two chapters, it’s fair to say the devil is in the detail. Two rules in particular, while seemingly innocuous, set lofty expectations: the requirement for ‘adequate organisational arrangements’.
Within this blog, Principal Product Manager Murray Campbell explores the requirement to introduce adequate organisational arrangements and what this really means in practice.
What is meant by ‘organisational arrangements’?
Principle 10 of the FCA’s Principles for Businesses sets the fundamental obligation for firms to arrange adequate protection for client assets. The CASS rules then define the strict set of requirements that firms must follow to achieve this.
Building on Principle 10, the rules within CASS 6 and CASS 7 demand that firms have adequate organisational arrangements in place to protect custody assets and client money.
As CASS 7.12.2 R states:
“A firm must introduce adequate organisational arrangements to minimise the risk of the loss or diminution of client money, or of rights in connection with client money, as a result of misuse of client money, fraud, poor administration, inadequate record-keeping or negligence.”
This single rule therefore places significant demands on a firm to ensure their organisational arrangements are sufficient to help mitigate a wide range of risks. This is supplementary to the detailed rules which follow across the rest of CASS 7.
The requirement for adequate organisational arrangements acts much like a high-level principle. The exact requirements to achieve adequacy are not defined, and a finding that a firm has failed to achieve it is very hard to argue against. Firms must be mindful of this and consider what arrangements would be considered essential.
For audit firms, the requirement for organisational arrangements provides an umbrella provision to label a firm’s CASS shortcomings in the absence of a suitable alternative rule to breach. Alternatively, breach of a specific CASS 7 rule may also indicate the lack of adequate organisational arrangements, therefore also resulting in a breach of CASS 7.12.2 R.
Importantly, the absence of adequate organisational arrangements will be considered a CASS breach irrespective of any outcome, or lack thereof, which impacts client assets.
The Financial Reporting Council’s guidance on Providing Assurance on Client Assets makes clear that a firm’s arrangements can be deemed inadequate despite there being no breaches identified:
“A firm could have inadequate systems but through a combination of circumstances have avoided any reportable breaches; however, the requirements within CASS 6.2 and CASS 7.12 require firms to have adequate arrangements, organisational arrangements and robust systems in place”.
Compliance through luck more than design is therefore insufficient to avoid a breach of organisational arrangements.
Failings in organisational arrangements
Failing to introduce adequate organisational arrangements can indicate a systemic level of risk within a firm’s CASS environment. In the eyes of the regulator, this can reflect notable non-compliance with the fundamental objective of CASS and the requirement to protect customers.
In a recent public censure notice issued by the FCA, the findings focused on the firm’s failure to introduce adequate organisational arrangements. The root cause of this failing centred upon the lack of segregated duties between key operational roles. As a result, client money was put at increased risk.
While the CASS rules define many of the actions and activities a firm must undertake, the requirement to introduce adequate organisational arrangements also demands a material level of control and governance around a firm’s CASS environment.
As noted by the FCA when releasing details of the censure:
“People who could make payments from client money accounts also carried out the checks of those accounts required by FCA rules. This lack of separation increased the risk that client money could be lost because of, for example, misuse or poor management”.
No client money was lost as a result of this activity; however, as noted above, the firm’s lack of adequate organisational arrangements had placed the client money at undue risk.
Non-negotiables: the organisational arrangements firms need to have in place
A firm’s approach to organisational arrangements must focus on their business model and the potential CASS risks that may arise within that structure. Accordingly, firms must consider the potential risks referenced in the rule – misuse, fraud, poor administration, inadequate record-keeping or negligence. This wide-ranging scope of risk therefore must be reflected in a suitably robust set of organisational arrangements.
The following summary demonstrates the breadth of arrangements that a firm is likely to require to help meet their obligations.
- CASS governance arrangements – firms are expected to have a dedicated CASS committee which deals specifically with CASS issues. CASS subject matter experts should also be represented on other committees of the firm. Key roles and responsibilities in respect of CASS must be clearly defined.
- CASS operational framework – CASS is the responsibility of everyone in the organisation. This should be reflected in the firm’s approach to achieving compliance. A three lines of defence model is considered best practice, covering front-line operations, second line compliance support and third line internal audit. Very often a CASS oversight function will sit between the first and second line for additional SME support.
- Segregation of duties – as noted in the above regulatory censure, appropriate segregation of duties between key roles is essential for minimising the risk to client assets. The FCA’s Senior Management Arrangements, Systems and Controls handbook (SYSC) sets out a firm’s obligations in this respect (SYSC 5.1.6 R).
- Risk and control mapping – a firm must document the risks they face in respect of client money and custody assets. Only by doing so can they also document the controls they have in place to mitigate those risks. Risks and controls will change over time, so firms must regularly review and maintain these matrices to ensure they remain current.
- CASS policies – the CASS rules make several references to the need for firms to document their approach within a policy (e.g. reconciliation frequency, treatment of shortfalls, prudent segregation). Policies must be clearly documented, reviewed and approved to make the firm’s position absolutely clear to auditors and the FCA.
- Operational procedures – a firm’s obligation to maintain procedures is defined in SYSC 6.1.1 R and is referenced in both CASS 6 and CASS 7. Operational procedures must reflect the process carried out and the associated key roles and responsibilities.
- Breach reporting – firms must drive quality in their breach reporting. This should document what went wrong, the controls which failed, the impact to clients and the actions required to resolve and prevent future reoccurrence. It is essential that firms identify and learn from breach incidents.
- CASS training – training must be delivered across all areas of the business, covering operational staff and Executive level.
- Change management – all changes within the business must be considered from a CASS perspective. Large transformations will follow change governance procedures, but it’s equally important not to lose sight of smaller changes, which can also have unintended CASS impacts.
The bottom line
The CASS rules place onerous requirements on firms to protect client assets. It is essential that firms have adequate organisational arrangements in place to mitigate the potential risks posed to client money and custody assets. It is recommended that firms consider the contents of the recent FCA censure in respect of their own organisation and determine whether any changes or enhancements are required.