FCA Censures CACEIS UK as Custody Control Failures Expose Clients to Financial Crime Risk

The UK Financial Conduct Authority has censured CACEIS UK and secured a £31.7 million voluntary payment for affected clients after finding serious weaknesses in the firm’s financial crime controls.

CACEIS UK, an asset servicing bank within the Crédit Agricole group, was criticised for failing to act on information that exposed clients to financial crime risk. The FCA said the firm did not respond adequately to warning signs and failed to properly monitor accounts after opening them.

The regulator did not impose a financial penalty because CACEIS UK cooperated extensively and agreed to make a substantial voluntary payment. According to the FCA, a fine of £23.1 million would otherwise have been imposed after settlement discount.

What the FCA Found

The case centres on custody and account-control failings. CACEIS UK acted as a sub-custodian from November 2020, meaning it had responsibility for safeguarding client assets.

The FCA said the firm checked the Financial Services Register on three occasions and saw information showing that the relevant client firm was not authorised to hold certain client assets. Despite this, CACEIS UK did not take sufficient action.

The regulator also found that the firm failed to identify that the client firm was not permitted to hold client money. It then opened client accounts and did not properly monitor them, including by failing to promptly review and resolve alerts generated by its systems.

This is the heart of the enforcement action. The FCA’s concern was not merely that something went wrong elsewhere. It was that CACEIS UK had information available to it, had systems generating alerts, and still failed to act with the level of control expected from an asset servicing bank.

Why Custody Controls Matter

Custody and asset servicing functions are sometimes viewed as operational infrastructure rather than front-line financial crime controls. This case shows why that view is dangerous.

Firms that hold, safeguard or service client assets occupy a critical position in the financial system. They may not be making investment decisions, but they can still become part of the control environment that protects clients from misuse of assets, unauthorised activity and fraud.

Where a custodian or asset servicing provider opens accounts without fully understanding authorisation limits, or fails to react to alerts, the risk can move quickly from procedural weakness to client harm.

That is why the FCA linked the case directly to financial crime controls. Strong controls do not only involve suspicious transaction reports or sanctions screening. They also involve understanding whether a client is authorised to do what it is doing, whether account activity matches that authorisation, and whether alerts are investigated properly.

Voluntary Payment Instead of Fine

The FCA’s decision not to impose a fine is also important. CACEIS UK agreed to make a voluntary payment of £31.7 million for the benefit of affected clients. The regulator said this cooperation and payment were the reason it chose a public censure rather than a financial penalty.

This approach reflects an enforcement trend in which remediation and client compensation can materially affect the outcome. The FCA still publicly censured the firm, but it gave credit for cooperation and for action that directly benefits clients.

For the market, the message is mixed but clear. Cooperation can reduce enforcement severity, but it does not erase the finding of serious control failures. A public censure still carries reputational consequences, especially for a financial institution operating in custody and asset servicing.

A Wider Enforcement Pattern

The FCA also noted that it has now secured more than £57 million in total for affected clients through action involving CACEIS UK, Sapia Partners and Barclays Bank UK.

This wider pattern shows that the FCA is not limiting its attention to the firm at the centre of the original failure. It is also examining banks, custodians and other service providers that formed part of the surrounding financial infrastructure.

That matters for the wider financial sector. Firms can face enforcement exposure where they provide services to another regulated entity but fail to understand the risk profile, authorisation status or suspicious activity connected to that relationship.

The lesson is that third-party financial crime risk is not only about onboarding. It must be monitored throughout the relationship.

Lessons for Banks and Asset Servicers

The CACEIS UK case offers several practical lessons for banks, custodians and asset servicing firms.

First, checks of the Financial Services Register must lead to action. A register check is not a box-ticking exercise. If it reveals that a client lacks permission for relevant activities, the firm must investigate, escalate and document its response.

Second, account opening controls must be connected to authorisation analysis. A firm should not open or operate accounts for purposes that appear inconsistent with the client’s regulatory permissions.

Third, monitoring alerts must be resolved promptly. Systems are only useful if alerts are reviewed, understood and escalated where necessary.

Fourth, custody firms should treat safeguarding obligations as part of financial crime risk management. Protecting assets is not separate from preventing misuse, fraud or unauthorised activity.

The FCA’s Message Is Direct

The FCA’s enforcement action is a reminder that financial crime controls extend beyond traditional banking, payments and AML teams. Asset servicing firms, custodians and infrastructure providers can all be held accountable when their failures expose clients to risk.

The case also shows that the FCA is moving faster in enforcement. The regulator highlighted that it concluded its investigation in 13 months, presenting the case as an example of its efforts to improve the pace of investigations.

For firms, that means control failures may be identified and resolved more quickly than in the past. It also means remediation strategy matters from the beginning of an investigation.

CACEIS UK avoided a financial penalty, but it did not avoid public criticism. The FCA’s message is clear: firms that safeguard client assets must act when information, permissions or account activity indicate financial crime risk. Failing to do so can lead to enforcement, compensation and serious reputational damage.

By fLEXI tEAM