Understanding and addressing CASS audit breaches

What is a CASS audit?

A CASS audit assesses whether a firm is complying with the FCA’s Client Assets Sourcebook (CASS) rules, which are designed to protect client money and assets. These rules apply to firms that hold or control client assets, ensuring they are properly safeguarded and not at risk from the firm’s own financial health.

What is a CASS breach?

A CASS breach occurs when an auditor identifies that a firm has not complied with these rules. Breaches can range from human administrative errors to serious failings that put client assets at risk. All breaches are included in the CASS audit report submitted to the FCA, detailing the nature, severity, duration and frequency of each breach. The severity of the breach will determine the effect on the audit opinion and whether further regulatory action may follow.

Types of CASS audit breaches

Acknowledgement letters

The wording of client money acknowledgement letters must be in line with the CASS template. Even minor deviations, such as a missing word or altered phrasing, are considered non-compliant.

Failure to update the breaches register

Organisations must maintain an up-to-date breaches register, recording all breaches that occurred during the year along with the references of the rules breached, date of occurrence, frequency and resolution measures taken. Failing to do so means key regulatory records are incomplete.

Use of Payment Service Providers (PSPs) for holding client money

PSPs are not recognised as eligible institutions for holding client money under CASS rules. Using them for this purpose puts organisations in breach of regulations.

Incorrect transfers after reconciliation

After performing a client money reconciliation, companies must transfer the correct amounts to or from client accounts. Errors in these transfers can compromise compliance.

Lack of policy for holding 'buffer money'

Organisations holding ‘buffer money’ in client accounts must have a documented policy outlining its purpose and use.

Inadequate bank due diligence

Organisations must assess and document the appropriateness of the banks used to hold client money.

Failure to segregate client money

Client money must be properly segregated from the firm’s own funds at all times. Any lapse, even temporary, violates CASS requirements.

Delays in reconciling client money

CASS rules require companies to perform reconciliations within specified timeframes. Missing deadlines can indicate weaknesses in financial controls.

CASS rules mapping document

Firms must have clear, documented processes and controls for handling client money and assets, and must document how these enable the firm to comply with CASS rules.

Insufficient documentation of controls and procedures

Companies must have clear and documented processes for handling client money and assets. If key controls are undocumented or inadequately described, compliance cannot be properly demonstrated.

The majority of CASS breaches are down to human error rather than deliberate non-compliance, highlighting the importance of robust controls, staff training, and regular reconciliations to detect and correct issues promptly.

In the case of reconciliation breaches, detecting and correcting them promptly also provides evidence that the firm’s controls are effective in identifying mistakes.

The breaches register plays a key role, as firms can use it to prepare management responses prior to commencement of the audit, allowing sufficient time for review and approval.

How to mitigate the risk of a CASS breach

Organisations can take proactive steps to reduce the risk of CASS breaches by strengthening their controls, improving staff awareness, and regularly reviewing their processes. Key measures include:

  1. Ongoing training

    Regular training ensures staff understand how reconciliations work, what qualifies as client money, and the importance of keeping it separate from firm money. Training should also cover common breach scenarios and how to prevent them.

  2. CASS mapping exercise

    Conducting a CASS mapping exercise helps firms identify which CASS rules apply to them and assess whether their existing processes and controls are sufficient. This structured approach can highlight weaknesses before they lead to a breach.

  3. Regular review of compliance manuals and procedures

    Compliance manuals should be read and updated regularly to ensure they remain relevant and effective. Companies should periodically assess their procedures to confirm they align with the latest regulatory requirements and business operations.

  4. Robust reconciliation processes

    Ensuring that reconciliations are performed accurately and within the required timeframes reduces the risk of errors. Clear oversight and review mechanisms should be in place to catch and correct discrepancies.

What happens when a CASS breach occurs?

Once a breach is identified, auditors will first discuss it with the client. The breach should be investigated promptly and, depending on its severity, a root cause analysis is completed to prevent recurrence.

Once the breach is confirmed, it is documented in the auditor’s breaches register, which is attached to the CASS audit report. The client is given time to provide comments on the breach, explaining their understanding of the issue and any corrective actions taken.

The breaches register is then submitted to the FCA alongside the audit report. Depending on the severity of the breach, the FCA may follow up with the firm to request further details, ensuring they understand what happened and why.

If the breach relates to a systemic issue, such as weaknesses in the firm’s systems or processes, the FCA may require specific remedial actions and put an agreement in place for how the issue should be addressed going forward.

The following year, auditors will often conduct follow-up procedures to assess whether the breach has been properly resolved. In our experience as auditors, companies that engage openly with the FCA and take swift corrective action tend to achieve better outcomes, as a collaborative approach helps build trust and reduces the risk of further regulatory scrutiny.

How can Price Bailey help?

Our team at Price Bailey can support you with a CASS audit. You will receive a dedicated CASS audit team throughout the audit process who have experience across a range of clients. We identify any breaches early, allowing firms time to prepare their responses to the FCA. If you have any questions about a CASS audit or CASS breaches, you can contact a member of our CASS audit team using the form below.

We always recommend that you seek advice from a suitably qualified adviser before taking any action. The information in this article only serves as a guide and no responsibility for loss occasioned by any person acting or refraining from action as a result of this material can be accepted by the authors or the firm.
