Contact sales
Contact sales
Blog
All categories
Risk & Compliance

The New CASS Chapter 15: Enhanced Safeguarding Rules and Notification Requirements for Payment Firms

Chapter 15 safeguarding notification requirements
The FCA’s new Chapter 15 introduces enhanced safeguarding rules and stricter notification requirements for payment firms. This article outlines key obligations, including breach notifications, reconciliation discrepancies, and new escalation management processes to ensure compliance and consumer protection.
Paul Wood
Chief Operating Officer
Last updated on: October 25, 2024
Chapter 15 safeguarding notification requirements
Table of contents
    Recommended for you
    CASS Compliance 🚀 FCA CP24/20 Consultation Paper

    The FCA’s new Chapter 15 introduces enhanced safeguarding rules and stricter notification requirements for payment firms. This article outlines key obligations, including breach notifications, reconciliation discrepancies, and new escalation management processes to ensure compliance and consumer protection.

    Under the proposed revisions to the Safeguarding Rules, CP24/20 creates more detailed and prescriptive rules for payment firms, setting out how such firms are required to protect the funds they hold for consumers.

    We continue to consider these expectations in anticipation of the existing guidance within the Payment Service and E-Money regulations being retired and replaced with the new Chapter 15 within the Client Asset Sourcebook.

    In this paper, notifications and the communication of incidents and breaches to the FCA is discussed.

    Within 10.88 of the Payment Services Regulations 2017 and the Electronic Money Regulations 2011 (“Payment Services and Electronic Money – Our Approach”), the FCA provides the following guidance:

    “Institutions should notify us in writing without delay if in any material respect they have not complied with or are unable to comply with the requirements in regulation 20 of the EMRs or regulation 23 of the PSRs 2017. Examples of the matters we expect to be notified about include the following:

    • failure to keep up-to-date records of relevant funds and safeguarding accounts,
    • inability to resolve any reconciliation discrepancies in the way described in paragraph 10.88
    • the decision by an authorised credit institution or authorised custodian to close a safeguarding account
    • failure to carry out reconciliation as frequently as appropriate“

     The proposed regulation proposed under CASS 15.12.59R for both interim and end-state rules are more prescriptive in nature, drawing parallels to equivalent notification requirements found within CASS 7.15.33R and to some degree, those referenced within CASS 6.6.57.

    The intention of the Chapter 15 regulation is clear, moving firms from the guidance approach detailed above to a more structured rule adherence approach when notifying the FCA. Firms will be required to inform the regulator in writing and without delay if:

    • Internal records are materially out of date, inaccurate or invalid
    • Unable to perform an internal or external reconciliation
    • Unable to remedy a discrepancy in its reconciliations
    • At any time in the previous year there was a material difference between the amount of relevant funds safeguarded and the amount that should have been safeguarded

    The FCA has framed its notification requirements in CASS that require Firms to make a distinction between:

    1. All breaches of CASS that a firm, under PRIN 3, SYSC and CASS, must have system and controls in place to identify, record, investigate and remediate to prevent or mitigate the risk of a further reoccurrence of the breach; and
    2. Those breaches of CASS in respect of which the FCA requires notice without delay.

    By extension, under Chapter 15 these requirements are now conveyed to Payment Service and E-Money Firms.

    Under incident and breach escalation management, Payment Service and E-Money firms should consider how these immediately notifiable breaches of Chapter 15 can be identified, escalated and, subject to internal thresholds, notified to the regulator.

    Likewise, other CASS breaches, alongside those that breach the new regulations but are not deemed to exceed internal thresholds must also be captured, reported and impact assessed against existing and proposed controls.

    Grath offers integrated incident management capabilities against your obligation mapping framework, inclusive of the proposed Chapter 15 rules, risk registers and control environment.

    Whether an issue is a stand-alone breach, requiring the necessary notification disclosures to the FCA or part of a wider review of systems and control adequacy observations that must be reported under a safeguarding audit, Grath’s GRC solutions support the full management of such issues and when they occur, offering full root cause analysis, remediation, ownership and reporting for senior management. 

    In respect of all breaches or expected beaches of CASS, firms should evidence their conclusions for all incidents, consider its mitigating control environment and provide a rationale for any subsequent action taken, or rationale for ceasing any further steps, whether the breach is notifiable or not.

     

    Paul Wood
    Chief Operating Officer
    With over 20 years experience in regulated markets Paul has been responsible for leading regulatory change and transformation projects across investment banking, securities, wealth and asset management.
    Discover the future of CASS and Safeguarding reconciliations
    Explore platform Talk to sales
    Your request has been submitted successfully
    We will get in touch with you immediately via email.
    Ok, thanks.