All firms must understand the circumstances within their business models where breaches of CASS can occur and ensure that they have adequate systems and controls in place to identify non-compliance. All firms retain full responsibility for the compliance of outsourced operational functions; this also includes any breaches that may be caused by a third party.
Firms must also ensure that an appropriate level of CASS awareness exists across all levels of staff to support the effective operation of the breach management and escalation processes and to foster a culture of reporting breaches immediately.
Breaches are inevitable, and the FCA expects that breaches will be reported; the nature of complying with CASS means that reporting even less serious breaches shows that you are checking that you remain compliant with the regimes.
Materiality Assessment
It is important that firms have a documented method of assessing the materiality of a breach, and that this considers both the quantitative and qualitative nature of the breach in order to decide whether a notification to the FCA is required.
The firm's considerations should be documented for every breach and should include:
- the value of client money or assets impacted;
- how many clients the breach impacted and if there was a detrimental effect to them;
- the period over which the breach occurred;
- how quickly it was discovered and resolved; and
- whether there are system control failures.
Corrective Action and Root Cause Analysis
When a breach is identified it should be resolved promptly, and any financial impact on clients should be remedied so that clients are placed in the position they would have been in had the breach not occurred. To address breaches, a root cause analysis should be performed so that recurrence can be prevented; the root cause could be addressed through staff training or through enhancements to the CASS systems and control environment.
Documentation of Breaches
A record of all breaches should be maintained by the firm. It needs to document the rule reference, the background of the breach, and the severity and duration of the breach identified, including the number of clients impacted and, where relevant, the frequency with which that breach has occurred.
The breach documentation should also include details of the key dates, including: when the breach or breaches occurred, the date of identification, when the client position was rectified, and when any procedures to prevent recurrence were implemented.
Finally, it is important that the materiality assessment is documented, including whether this is a notifiable breach. The details of the root cause analysis should also be documented with any actions taken to address the issue.
Reporting Breaches
All breaches will ultimately be reported to the FCA as part of the External Auditor CASS Assurance Report, which is undertaken on an annual basis. There may be circumstances where breaches are required to be notified to the FCA when they occur or are identified; these fall into either notifiable or reportable CASS breaches.
A notifiable breach is where a material breach has occurred that is outlined in CASS 6.6.57R, CASS 7.15.33R and CASS 10.1.16R, such as:
- internal records and accounts being materially out of date, inaccurate or invalid for the firm to comply with the records and accounts requirements; or
- the firm has been unable to comply with its safekeeping duties in respect of assets held in custody; or
- it has been unable to comply with the required steps for the treatment of shortfalls; or
- it is unable to comply with the internal, physical or external reconciliations or record checks.
A reportable CASS breach is where a firm has determined that a CASS breach is material based on their own internal materiality assessment criteria.