Financial Services Compliance Blog - Thistle Initiatives

How to select and supervise your CASS auditor

Written by Thistle Initiatives - Compliance consultancy | Jan 9, 2025 10:30:00 AM

Around 3,100 firms, holding a total of around £175 billion of client money and around £17.4 trillion of custody assets, are subject to the FCA’s CASS rules.

At a time when firms’ interpretation and application of the CASS rules is under FCA scrutiny as never before, it has become apparent that selecting the most suitable CASS auditor and correctly working with the audit firm over an extended period of time is of paramount importance. We provide some thoughts on this below.

Background

The FCA is clear that it does not regulate CASS auditors (the Financial Reporting Council does this – see below) and stresses, addressing CASS firms, that “it is your responsibility to appoint an appropriately qualified auditor and to ensure that they provide the report to us in line with our requirements”.

The onus is clearly on firms to do the work required to select a suitable auditor (and we consider what is meant by “appropriately qualified” further on in this summary) and to ensure that the CASS auditor, which is subject to CASS 3.10, provides the report in the manner and to the timescale required.

CASS report requirements

The requirements on CASS audit firms are clearly stated and are that;

The report should:

  • Be prepared using the template in SUP 3 Annex 1
  • Cover a period of no more than 53 weeks, starting from the last report, or if it is the first one, starting from the time a client assets report was first required
  • Be submitted within 4 months of the period end-date
  • Comply with relevant auditing standards, like the Financial Reporting Council (FRC).
  • Be signed by the person in the audit firm with primary responsibility for it

Auditors must prepare a separate template schedule identifying the Client Assets sourcebook (CASS) rule breaches noted during the period covered by the report.

If any breaches are identified in the auditor’s report, firms are expected to provide comments on actions taken and/or mitigating factors.

Your auditor should submit through our preferred method via Connect. See our user guide for details on how to do this.

Firms should appreciate that non-CASS firms as well as CASS firms are required to have a CASS audit carried out, and that for non-CASS firms this will be a limited assurance audit, carried out to support the firm’s statement that it has not held client money or custody assets during the period reviewed (for CASS firms, the audit engagement is referred to as a reasonable assurance engagement). SUP 3.10.4 and SUP 3.10.4A explain this.

FCA sanctions on auditors

Although the FCA does not regulate audit firms, it can and does enforce sanctions against them in situations where their work for regulated firms is considered to be deficient. The most prominent recent cases have been those involving PWC and Macintyre Hudson, brief details of which are below.

PWC LLP

In 2024, the FCA fined PricewaterhouseCoopers LLP for failing to report to the regulator its belief that London Capital & Finance plc might be involved in fraudulent activity, which was the misleading promotion of mini-bonds. This was the first time the FCA had fined an audit firm.

Macintyre Hudson LLP

In 2024, the FCA also censured Macintyre Hudson LLP for failing to prepare client assets reports to the required standard. The firm failed to notify the FCA of rule breaches by firms it had audited, which could have put customers’ money at risk. It failed to prepare four client assets reports (relating to two firms) to the required standard and failed to report 25 breaches of the rules by firms it had audited. These ranged from failings in documentation, to firms' assets being held alongside client assets.

The Financial Reporting Council (FRC)

In 2015, the FRC produced a report (a “Standard”) entitled Providing Assurance on Client Assets to the Financial Conduct Authority. This Standard establishes requirements and provides guidance for CASS auditors reporting to the FCA in accordance with its SUP (Supervision Manual) rules in respect of engagements that involve evaluating and reporting on a regulated firm’s compliance with the CASS rules and other rules relevant to the holding of client assets.

Since 2015, the FRC has also shown itself willing to take action against audit firms whose CASS work shows significant shortcomings. This has included action against KPMG plc and one of its partners for failure to ensure appropriate training, support and supervision for the 2011 CASS audits of two BNY Mellon group banks and the PWC case previously mentioned (two other audit firms were also involved).

It has become clear more recently that, under pressure from the FCA, which receives all CASS audit reports and is believed to be sceptical in some cases about the standards of work carried out, the FRC is increasing the pressure on CASS auditors to improve the standard of their work.

Other issues

  • Firms need to ensure that their CASS arrangements take account of the Consumer Duty and are aligned with it at all times.
  • Firms need to ensure that their wind-down arrangements take full account of CASS issues and are in line with their CASS Resolution Packs.
  • Firms in the payment services and e-money space need to be aware that the FCA has released its Consultation Paper CP 24/20 on Changes to the safeguarding regime for payments and e-money firms. The FCA is removing ambiguity and aligning safeguarding practices with the robust framework of CASS, moving the guidance-based safeguarding requirements into a new rules-based chapter in the CASS sourcebook, CASS 15. The new rules are characterised by improved records and reconciliations (including a Resolution Pack), enhanced governance, monitoring and reporting (including monthly safeguarding returns), and the implementation of statutory trusts and more robust safeguarding methodologies.

The interim CASS 15 rules are those that will be finalised in the first Policy Statement, expected in H1 2025 and will become effective six months later. Therefore firms will need to be fully compliant with the interim rules before the end of 2025

What CASS firms need to do

We believe that CASS firms must take a proactive approach to selecting, reviewing and supervising their CASS auditors. This may use some or all of the following steps;

  1. Carrying out detailed due diligence work at a predetermined frequency on their CASS auditors, considering in particular the qualifications and experience of the allocated audit team.
  2. Formally reviewing CASS auditor performance, preferably after each audit.
  3. Considering limited assurance reports requirements for non-CASS firms.
  4. Planning fully for all CASS audits.
  5. Ensuring that their rule mapping documents and procedures are up to date.
  6. Ensuring that all breach records are fully documented.
  7. Reviewing the draft report thoroughly and providing detailed commentary on all breaches

Thistle Initiatives’ CASS services are led by our seasoned expert, Keith Maner, whose extensive experience ensures that our clients receive precise, practical, and effective guidance. From health checks to training, our bespoke services empower firms to navigate the complexities of CASS compliance confidently.

To learn more about how we can support your CASS requirements, contact us at 0207 436 0630 or email info@thistleinitiatives.co.uk. Alternatively, reach out to our CASS expert, Keith Maner (keith.maner@thistleinitiatives.co.uk), for tailored advice and solutions.

Related article: Does Your Firm Need Help With Its Client Assets Arrangements?
View full post