Contact sales
concerns across payment sector firms

Mandates continue to be an area of perennial FCA and auditor scrutiny during CASS engagements. Firms often focus on priority elements within their CASS footprint in areas such as CASS reconciliations, to ensure they’re maintaining adequate control and oversight of client assets. However, poor assessment, and administration of mandates can easily cause problems and are often highlighted during audits, with challenges in key areas such as record keeping, and evidencing the full lifecycle of a mandate from creation, change, use and to its cancellation within a given period.

If you hold client assets, as you know, the extent of firms’ obligations does not stop at the main chapters. Where CASS 8 arises within firms, it’s imperative to ensure the strength and resilience of detective and preventive controls alongside demonstration of the crucial evidence required to ensure that signed and consented mandates have been recorded and are secure at any time. Getting this right can significantly reduce firms’ exposure across an often overlooked or misunderstood area of the CASS regime.

Firms need to be able to determine and fully evidence when they accept and hold mandates and the purpose for which they hold the mandate, along with any limitations applicable on the intended use. 

From inception of a mandate, firms need to demonstrate control and record the mandate on a log, with evidence of the mandate record, the purpose and the intended use of the mandate fully documented, with the ability to interrogate the source record of the mandate, e.g., a voice recording or direct debit record. Firms also need to ensure mandates are protected, mitigate any risk of misuse or replication, and control the use of mandates for the purpose they are held and in force, showing all change and reasons for change throughout their lifecycle and link and show transactional use of the mandate alongside. Such records must be available for interrogation at all times and without delay.

What constitutes a mandate

A mandate can be in any form and need not state that it is a mandate – it could be given verbally or in writing as part of a contract or as a stand-alone instruction document. 

Broadly this equates to being an authority given to the firm, from the client with their consent and in connection with the firm’s applicable investment business. This is then retained by the firm and results in the client giving the firm the ability to instruct, move, and control monies, with an unrelated third party to the firm, that they would not normally be in a position to do directly without the need for further referral to the beneficial owner/client. Note that limitations may apply, but this does not negate the authority being a mandate and purely sets thresholds for use, which the firm must adhere to for the duration of the mandate.

Readiness to demonstrate

Mandates take many forms and occur in many customer journeys and interactions with firms. It’s therefore crucial to identify all routes for mandates and establish control and evidence provisions on all processes that can result in either; the taking of a new mandate, the execution of a mandate, or change to the mandate held, and display all of this on a purpose-built mandate record log. You should also have the associated evidence linked and retained robustly, for future audit and control purposes. If conditions do exist on mandates, it’s critical to be able to readily demonstrate that transactions have executed in accordance and compliance with the conditions alongside.

Safeguarding and cash processing controls

Client documents that underpin or facilitate mandates, e.g., passports or identity documentation, must also be protected securely and prevented from misuse, theft, fraud, etc.

Normally, we see that firms display adequate controls around general payments/cash processing activities, but in terms of mandate processing, for economies of scale, firms don’t always differentiate outbound payments which are linked to mandates. Instead, they tend to ensure all cash processing is made consistent, to ensure adequate levels of STP. This can mean that CASS mandate administration is not recognised at the functional team level, which may be acceptable operationally, but can impact the mandate rule obligations and firms should ensure they conduct thorough assessment of the risks and specifics of mandate processing and embed additional controls to specific journeys for any nuances or record requirements for mandate compliance and record keeping. 

For expertise and depth, we have seen firms who have specialist CASS expertise aligned to the functions and the ability to identify mandate processing and change controls operating, see less incidents associated. Because of this, we advocate that practical CASS knowledge within operational teams should be considered, to ensure processors recognise the characteristics and specifics of mandate activity with its unique record keeping requirements, which may be in addition to the normal BAU activities they undertake, to prevent potential for failure or degradation to compliance with the CASS rules.

Reducing the likelihood of incidents

Where mandate compliance is embedded within a firm’s existing operational oversight activities that deal with functional control of payments, processing, and approvals, it’s prudent to ensure a regular compliance or thematic mandate assessment activity is performed, aimed at the initial capture of a mandate and for ongoing governance and assessment. This ensures assessment of the strength of the model and a direct correlation to the specific CASS rules and objective oversight focused on the strength of the control environment and consideration of compliance by referral within the CASS team. This can be an effective method, to prevent and reduce challenges and ensure transactional alignment is clear and correlates to the mandate rules and conditions – in turn, this can enable firms to self-identify any weaknesses and so reduce the occurrence of incidents arising across the mandate rules under the client assets sourcebook.

In much the same manner as with governance of the client money and client asset reconciliations, firms should embed strong preventative controls where possible across the following criteria:


  1. Holding and maintaining up-to-date lists of all mandates; 
  2. Recording conditions placed on such instructions by the client; 
  3. Recording mandates received in non – written form; 
  4. Recording the detail of mandate and its purpose; 
  5. Recording how it was obtained; 
  6. Recording the name of the client associated to the mandate; 
  7. Recording the date, it was obtained; 
  8. Recording all transactions connected to the mandate
  9. Maintain internal controls to ensure each transaction under a mandate complies with the conditions placed on the instruction by the client; and
  10. Recording the details of the procedures detailing the provision of instructions under each mandate. 


The key themes here are control, expertise, specific mandate processing journeys, and record keeping (maintaining a log, with clear, complete, and accurate input and records). It’s crucial that evidence of the existence of the mandate and any changes to it or conditions associated is held by the firm, for example a signed document retained and retrievable or a recorded telephone call is available. Where this is not the case there are many touch points which may easily materialise into a CASS impact or breach.

Taking the right approach

Periodic, initial, ongoing and frequent assessment, testing, and records review should help firms to identify any focus areas in their control environment for this purpose. 

This should ideally be automated and conducted using an assurance technology toolkit, to readily evidence firms’ ongoing governance and tracking of any actions and findings to strengthen the maturity of firms’ compliance and evidence control parameters, resulting in good customer outcomes.

Grath suggests that firms consider implementing a risk-based approach and governance actions, the output of which is reported as a standing agenda point for CASS Governance Committees and associated Board reporting to attest formally to the firm’s compliance and audit oversight and outcomes.

Thematic reviews such as this are critical and should be supported by robust mandate test scenarios and sampling techniques, designed to replicate the approach used by auditors when assessing mandate control effectiveness. Such reviews should include a timed delivery of evidence to support the full list of mandates being generated and all transactional based activity available in the period of assessment – upon which the firm then performs substantive audit testing.

Grath can help tighten up your defences

Grath is ready to help you conduct assurance reviews from a mandate perspective and equally help across your wider compliance and audit functions, with a simple but intuitive assurance reporting toolkit and workflow/governance to take your compliance monitoring to the next level.

Grath can enable your teams to manage their ongoing mandate processing and controls robustly, with attestation and associated evidence all stored within a secure document repository and deployed rapidly to enhance your capabilities across all 3 lines of defence. 

The Grath platform will rapidly, and cost effectively automate and revolutionise your evidential provisions. Grath can help you to evolve and enhance your firm’s compliance and audit assurance as well as support you to meet your regulatory obligations with confidence. 

Our technology solutions have been purpose built by a senior team of industry and regulatory practitioners within excess of 70 years’ combined expertise, and we partner with clients to support them in business growth over the long term.

Interested in learning more?

If you’d like to know how Grath’s technology can help with mandates, improve your regulatory compliance and bolster your risk management process, then we’d love to talk.


Get in touch with us at

Discover the future of CASS and Safeguarding reconciliations
Your request has been submitted successfully
We will get in touch with you immediately via email.
Ok, thanks.