What should CASS mean to the second and third lines of defence for investment firms?

08 August 2017

Changes in the Client Money and Assets (CASS) regulatory landscape, such as the Financial Reporting Council (FRC) Assurance Standard and MiFID II, have created more business risk and therefore more challenges for Risk, Compliance and Internal Audit functions as they work to meet business needs and manage stakeholder expectations.

The ‘Three Lines of Defence’ model explains the relationship between a firm’s key risk functions. The first line includes functions that own and manage the firm’s risk, e.g. Operations. The second line includes functions that oversee the implementation of risk management, e.g. Compliance. The third line includes functions that provide senior management with independent assurance that risk management is working effectively within the firm, e.g. Internal Audit.

While this model can allow firms to monitor and manage their risk management framework with respect to CASS, it is the relationship between the three lines that ultimately determines how effective this model can be for firms. An effective three lines of defence model requires the functions to work together to understand where the CASS risks within the firm lie.

There are a number of areas that we recommend the second and third lines of defence consider when focusing on CASS. We have outlined some of the areas below:

  • Review of reconciliation breaks
  • Design and operating effectiveness assessment of key CASS controls
  • Assessment of CASS Management Information
  • Review of Client Money and Assets Return (CMAR) data and sign-off
  • Depth of attestations from control owners
  • Remediation of CASS audit findings
  • Monitoring of Third Party Administrator (TPA) and oversight controls
  • Monitoring of internal functions performed offshore or by different legal entities within the group
  • Assessment of legal agreements for CASS compliance
  • CASS Resolution Pack reviews
  • Exclusion rules within client money applications
  • Internal System Evaluation Method (ISEM) policy/process review
  • Senior Managers Regime (SMR) – delegation of CASS roles and responsibilities
  • Change programmes related to CASS e.g. MiFID II

It is vital that the three lines work collaboratively with each other to plan and evaluate their work and take into account the specific areas of focus identified by their external auditors and/or the regulator. Planning should also focus on utilising the strengths represented within each individual function. This ensures that reviews are conducted efficiently and independently across the three lines without duplicating testing and reviews.

With regulatory areas such as CASS, it is becoming increasingly common to utilise third parties to perform the testing of the identified ‘riskier’ areas and to supplement their CASS technical expertise. We are seeing an uptick in assisting and supporting our clients by:

  • Providing co-sourced/outsourced CASS internal audits
  • Developing a monitoring/audit plan tailored to their specific CASS processes and operating model
  • Working in partnership with our clients and their auditors to remediate issues identified from internal CASS reviews and their CASS audits

The risk culture of a firm stems from its leadership. If senior management is to understand, define, and actively manage the firm’s CASS risk, it needs a strong sense of risk awareness combined with a sharp focus on three effective lines of defence. With this in mind, how are you addressing CASS in your second and third lines of defence?

Brandy Rosel | Senior Manager
Profile | +44 (0)20 7213 4677
Follow @RoselBrandy

Irfan Elias | Manager
Profile | +44 (0)20 7212 3934


