Last updated: 28 Mar 2022

CASS audits – what are they and what do you need to know?

In this Insight, we explore the CASS audit and reporting requirements for certain FCA-regulated firms that hold client money and/or custody assets.

What is the requirement?

Designated Investment Firms (DIFs) that hold client money and/or custody assets in relation to their regulated activities require a CASS audit. In accordance with rule SUP3.10.5R in the FCA Handbook, the CASS auditor must prepare a report giving two opinions: 

  • whether the firm maintained systems adequate to enable it to comply with the relevant rules throughout the period; and
  • whether the firm was in compliance with those rules as at the end of the period.  

These are “reasonable assurance” opinions: positive opinions that the firm is complying with the CASS requirements.

If, however, the firm holds client money but does not hold custody assets, a hybrid report is prepared by the CASS auditor, in which the auditor gives the above opinions in relation to the client money rules (CASS 7) and a “limited assurance” opinion on the custody asset rules (CASS 6).

A “limited assurance” opinion is a ‘negative’ opinion: it confirms that, based on the review procedures performed, nothing came to the auditor’s attention that led them to believe that (in this case) custody assets were held during the period.

The firm’s specific permissions will determine the type of report required.

About the author

Jay Patel

+44 (0) 207 556 1390
patelj@buzzacott.co.uk


What if I do not hold client money or custody assets?

DIFs that do not hold client money and/or custody assets in relation to their regulated activities still require a CASS audit if they have a statutory audit. The CASS auditor must submit to the FCA a CASS audit report that includes a “limited assurance” opinion, as described above.

Do other FCA-regulated firms fall within the CASS regime?

CASS also applies to several other types of firms where they hold client money. Buzzacott can provide CASS audit services to the following:

  • Firms operating a peer-to-peer lending platform (CASS 7)
  • Mortgage and General Insurance firms (CASS 5)
  • Debt management firms (CASS 11)
  • Claims management firms (CASS 13)

What is the deadline?

The CASS auditor must deliver their report to the FCA within four months of the end of the period covered (this can be up to 53 weeks but, most commonly, the period covered is the calendar year ending when the firm’s accounting year ends). The CASS audit is often completed at the same time as the financial statements audit, but it is a separate exercise from that audit, and there is no requirement for the CASS auditor and the financial statements auditor to be the same.

What are the applicable standards?

The UK’s Financial Reporting Council has issued an Assurance Standard which outlines the work CASS auditors need to perform in order to provide the assurance opinions above, and which emphasises the need for the CASS auditor to apply an insolvency mindset when completing these procedures. It also makes it clear that CASS auditors cannot apply a level of materiality to their work, unlike with financial statements audits. Therefore, any rule breach identified that relates to the period (whether identified by the firm or the CASS auditor), no matter how small, must be included in a Breaches Schedule which is appended to the report that is submitted to the FCA. In advance of the report being submitted to the FCA, the CASS auditor must deliver a draft copy to the firm so that the firm can provide its comments on the rule breaches included in the Breaches Schedule. The CASS auditor has no responsibility in respect of the firm’s comments.

What about payment services firms and EMIs?

These firms are not caught by the CASS regime, but the FCA does expect firms to have an annual audit of compliance with the requirements relating to safeguarding of customer funds. Please see more information on this here.

Get in touch

If you would like to discuss your CASS audit and reporting requirements, please fill in the form below and one of our experts will get in touch.
