Appropriate CASS governance and oversight arrangements help regulated firms identify and manage CASS risks. A firm’s governance and oversight arrangements speak directly to the firm’s risk culture, its attitude to managing risks and its obligation to keep customer assets safe.
Although there are no direct and specific CASS governance requirements, there are high-level principles laid out in the CASS rules, for example:
- Payments and E-money sector – CASS 15.2.1 R – “A safeguarding institution must, when holding relevant funds, maintain adequate arrangements to safeguard the client’s rights and prevent the use of relevant funds for its own account.”
- Custody – CASS 6.2.2 R – “A firm must introduce adequate organisational arrangements to minimise the risk of the loss or diminution of client’s safe custody assets, or the rights in connection with those safe custody assets, as a result of the misuse of the safe custody assets, fraud, poor administration, inadequate record-keeping or negligence.”
- Investment Firm Client Money – CASS 7.12.2 R – “A firm must introduce adequate organisational arrangements to minimise the risk of the loss or diminution of client money, or of rights in connection with client money, as a result of misuse of client money, fraud, poor administration, inadequate record-keeping or negligence.”
Lessons from FCA Fines with respect to CASS Governance
The FCA expects firms to have CASS governance in place. For example, in one CASS fine, the FCA cited failures across the three lines of defence:
“The Firms failed to implement CASS-specific governance arrangements…for example:
- there were no committees that dealt specifically with CASS issues…
- there were no accountability matrices for CASS roles and responsibilities throughout the Relevant Period or job descriptions referring to CASS roles and responsibilities…
- Compliance did not perform a sufficiently proactive CASS role throughout the Relevant Period; and
- there was no CASS-specific remit for the Firms’ internal audit function…”
This is just one example, and there are similar examples in other CASS fines. As the FCA has emphasised in various public engagements, it will take decisive action against firms where there is a risk of consumer harm.
CASS Governance Framework
The three lines of defence model is a framework often adopted by firms and is considered good practice by the FCA and CASS auditors. An example of how it can be applied in the context of CASS is depicted below. The extent to which each element is relevant for a firm will depend on the size and complexity of the firm, taken together with the risk of consumer harm.

CASS Risk and Control Matrix
The risk assessment and identification of internal controls to mitigate CASS risks is an important element of a firm’s CASS governance. This links directly to the assignment of accountability for CASS roles and responsibilities, e.g. who is responsible for ensuring CASS reconciliations are performed daily, in accordance with the CASS rules, and for ensuring sufficient funds are segregated?
The CASS risk and control matrix is a critical document for a firm to demonstrate and evidence how it manages its CASS risk. The format of the CASS risk and control matrix typically consists of:
- Obligations mapping – identification of the CASS rules that apply to the firm, assessed on a rule-by-rule basis.
- Risk assessment – risk ranking or scoring to allow the firm to monitor CASS risk exposure, and identification of areas that pose the greatest (or least) CASS risks, i.e. where consumer harm may arise.
- Controls mapping – identification of controls operated by the firm that relate to each of the CASS risks and obligations that it is required to comply with.
- Control effectiveness – an assessment of the effectiveness of the CASS controls. This may be a combination of first-line self-assessment and independent assessment by internal audit.
The CASS risk and control matrix, while not a direct requirement under CASS, is a key document for demonstrating the firm’s level of compliance with the CASS rules. Both the FCA and the CASS auditor will look for this document as a means of assessing the firm’s adherence to those rules.
CASS Committee
The CASS committee plays a crucial role in safeguarding customer assets. While it operates much like other governance committees, its authority is usually delegated by the Board and defined through a formal terms of reference.
For some firms, depending on size, complexity, and risk profile, CASS responsibilities may sit within a broader risk committee. However, most firms choose to establish a dedicated CASS committee because client asset protection deserves focused time, attention, and commitment. A standalone committee ensures regulatory obligations are met and that governance remains robust.
In short, having a separate CASS committee isn’t just best practice; it’s a clear signal of a firm’s commitment to compliance and client trust.
CASS Management Information
As with any well-run committee, the CASS committee should receive and review appropriate management information (MI) during its meetings. This MI should provide a comprehensive view of CASS-related risks and include key metrics, trend analysis, and any emerging issues.
By reviewing a spread of relevant data, the CASS committee can assess the overall health of the firm’s CASS control environment, identify potential weaknesses, and ensure timely corrective actions. High-quality MI not only supports effective oversight but also enables informed decision-making and reinforces the firm’s commitment to safeguarding client assets.
Examples of information the CASS MI should cover (not exhaustive):
- CASS risk dashboard or matrix – i.e. a summary of key risks identified from CASS risk and control matrix.
- CASS resolution pack compliance and testing
- Monitoring of agents and distributors (payments and e-money firms)
- Regulatory horizon scanning
- FCA correspondence and updates
- Business change and special projects / initiatives impacting CASS
- Amount of client money / relevant funds held at third parties
- Diversification considerations
- Number of new third-party relationships and accounts
- Monitoring of third parties, due diligence and creditworthiness
- Reconciliation breaks and trend analysis
- Monthly CMAR / Safeguarding return
- Breach trends, root-cause analysis and any reportable items to the FCA
- Near misses and lessons learnt
- Results of audit findings and remediation progress
Five Key Actions for Firms
Assess the CASS Control Environment and Governance Arrangements
Consider whether the current CASS control environment and governance structure are fit for purpose and capable of withstanding scrutiny from both the FCA and the CASS auditor.
Clarify Roles and Responsibilities
Ensure there is a clear allocation of roles and responsibilities, and that the escalation and reporting chains are well understood by all relevant personnel.
Resource and Capability Planning
Confirm that sufficient resources, skills, and training are in place to enable the firm to operate an effective CASS control and governance framework.
Maintain Robust Documentation
Ensure appropriate documentation and records are maintained, such as meeting minutes, policies and procedures, the CASS risk and control matrix, and the CASS resolution pack.
Embed CASS Governance into Business-as-Usual
CASS remains a key FCA priority. The firm’s CASS governance and control framework must be fully embedded into day-to-day operations rather than treated as a standalone compliance exercise.