The SMF18 oversight role: governance over CASS in practice

The SMF18 oversight role: governance over CASS in practice

SMF18 — the Other Overall Responsibility function under the FCA’s Senior Managers and Certification Regime — is the catch-all senior manager designation that captures significant areas of a firm’s activity not allocated to one of the named SMF functions. At many FCA-regulated investment firms, CASS compliance sits under SMF18. The individual holding this designation is therefore personally accountable to the FCA for the adequacy of the firm’s client assets framework — its policies, its reconciliation processes, its audit arrangements, and the escalation of any material breaches.

Understanding what CASS governance through the SMF18 lens actually requires in day-to-day practice — as opposed to the theoretical accountability framework — is essential both for individuals holding the function and for the compliance officers who support them.

What SMF18 accountability for CASS means in practice

The SMCR’s accountability framework requires the SMF18 to have a clear understanding of the area of the firm’s business for which they are responsible, to receive adequate management information to exercise meaningful oversight, and to take reasonable steps to ensure the firm’s compliance with FCA rules in their area. For CASS, this translates into a specific and demanding set of practical obligations.

The SMF18 does not need to perform the reconciliations or manage the custody relationships directly. What they must do is maintain a governance framework that gives them reasonable confidence that those processes are functioning correctly, that deviations are identified and escalated promptly, and that material issues are reported to the FCA within the required timeframes. This is governance through oversight, not operational management — but the oversight must be substantive and documented.

The FCA’s assessment of whether an SMF18 has met their personal obligation in the event of a CASS failure focuses on three questions: did they have adequate information to identify the problem; did they take reasonable steps to address it when information was available; and did they escalate appropriately when issues exceeded their ability to resolve internally. An SMF18 who cannot demonstrate that they received regular structured CASS reporting and engaged with its content is exposed to personal regulatory risk regardless of whether they caused the underlying breach.

The governance framework an SMF18 needs for CASS

The minimum governance framework for an SMF18 overseeing CASS should comprise four elements: a written statement of responsibilities that accurately describes their CASS governance role, a structured reporting process that delivers timely and actionable MI, a documented escalation protocol, and a defined process for engaging with the annual CASS audit.

Written statement of responsibilities. The SMF18’s statement of responsibilities — the document submitted to the FCA as part of their senior manager approval — should specifically describe their CASS accountability. Where a firm has allocated CASS to SMF18, the statement should confirm that the individual is accountable for the firm’s compliance with CASS 6, CASS 7, and any other applicable CASS chapters, and for the governance processes that support that compliance. A statement that describes CASS responsibility in vague terms, or that omits it entirely, creates a gap between the firm’s actual allocation of accountability and its formal regulatory documentation.

Structured monthly MI. The SMF18 should receive a monthly CASS management information pack prepared by the compliance or operations function. The pack should contain at a minimum: the reconciliation status for the period (number of reconciliations performed, number completed on time, any breaks and their current status), a breach and near-miss log for the period, a summary of any open audit findings and their remediation status, any changes to the firm’s client money account structure or custody arrangements, and any changes in client asset volumes that may affect the firm’s CASS tier classification. This MI pack provides the evidential basis for the SMF18’s oversight — without it, the claim to have exercised oversight is unsustainable.

Escalation protocol. The SMF18 should have in place — and should have reviewed and approved — a documented protocol describing the circumstances in which CASS issues are escalated to them directly, and the circumstances in which they are required to make a notification to the FCA. Under FCA rules, material CASS breaches that result in a client money shortfall must be notified to the FCA promptly — within three business days in most cases. The SMF18’s escalation protocol must define what constitutes a material breach, who is responsible for initial identification, the escalation route to the SMF18, and the SMF18’s decision-making process for FCA notification. This protocol should be tested periodically — not merely documented and filed.

Reconciliation oversight — what the SMF18 needs to understand

The SMF18 does not need to perform or review individual reconciliations. They do need to understand the reconciliation framework sufficiently to assess whether the MI they receive is telling them what they need to know.

The relevant questions for an SMF18 reviewing their monthly CASS MI pack: Are reconciliations being performed at the required frequency? Are breaks being identified and resolved within a reasonable timeframe? Is the volume of breaks increasing over time, and if so why? Are breaks being formally logged and their resolution documented? Has the compliance officer identified any systemic issues — for example, consistent breaks with a specific counterparty, or reconciliation failures concentrated at month-end when volumes are highest?

An SMF18 who reviews the MI pack, asks questions about anything that is unclear or concerning, and maintains a record of their review and any actions taken is an SMF18 who has exercised the oversight the FCA expects. An SMF18 who receives the pack, does not engage with its content, and cannot recall its substance if questioned by the FCA has not met the standard — regardless of whether the underlying CASS processes were compliant during the period.

Oversight of the CASS audit process

The annual CASS audit is the most significant external quality check on the firm’s CASS framework. The SMF18’s governance responsibilities extend to the audit process itself — not to the conduct of the audit, which is the auditor’s domain, but to ensuring that the firm is prepared for and engages substantively with the audit, and that the audit findings are addressed appropriately.

Before the audit, the SMF18 should confirm that the firm has provided the auditor with complete and accurate documentation of its CASS policies and procedures, that the reconciliation records requested for testing are available and complete, and that the compliance officer has briefed relevant operational staff on the audit process. Firms that arrive at the annual CASS audit with incomplete documentation or operational staff who are unfamiliar with their own CASS procedures create an avoidable risk of qualified audit findings.

After the audit, the SMF18 should receive and review the draft and final audit report, engage with the compliance officer on each finding, confirm that a remediation plan exists for any deficiencies identified, and track the completion of that remediation. Where the audit report is qualified, the SMF18 must assess whether FCA notification is required and make that assessment promptly. An SMF18 who receives a qualified CASS audit report and does not take immediate steps to understand and address the qualification has failed to meet their personal governance obligation.

Third-party and custody arrangements — the SMF18’s oversight obligation

Where the firm’s client assets are held at or through third parties — custodians, sub-custodians, prime brokers, clearing firms — the SMF18 must maintain oversight of those arrangements and of any changes to them. The practical obligation includes: awareness of which institutions hold the firm’s client assets; confirmation that appropriate bank acknowledgement letters or custody agreements are in place; oversight of any new arrangements entered into during the year; and monitoring of the financial strength and operational reliability of key custodians.

The SMF18 does not need to conduct their own due diligence on custodians — the firm’s operations and compliance functions do this. What the SMF18 needs is confirmation, through their regular MI pack, that the appropriate arrangements are in place and that the relevant teams are monitoring them. Where a significant custodian relationship changes — through the appointment of a new custodian, the termination of an existing arrangement, or a change in the terms of an existing relationship — the SMF18 should be specifically notified and should confirm their approval.

Documentation — the SMF18’s personal record

The FCA’s individual accountability framework requires the SMF18 to be able to demonstrate the steps they took to discharge their governance obligations. In a CASS context, this means maintaining a personal record of: the MI packs received and the questions or actions arising from each review; the escalations received and the decisions made; any FCA notifications made and the basis on which they were made; the audit reports reviewed and the actions confirmed; and any approvals given for changes to CASS arrangements.

This documentation is not primarily for the firm’s benefit — it is for the SMF18’s personal protection in the event of an FCA investigation into a CASS failure. An SMF18 who can demonstrate a complete and contemporaneous record of their governance engagement, even in circumstances where the underlying failure occurred in operational processes they did not directly control, is in a materially better position than one who cannot.

FD Capital places compliance professionals and SMF function holders at FCA-regulated investment firms where CASS is a material compliance obligation. Understanding the governance architecture around SMF18 accountability is a specific assessment criterion in the recruitment process for senior compliance roles at firms with significant client assets.

Related Services

• Compliance Recruitment
• SMCR Compliance Recruitment
• Recruitment for FCA Regulated Firms
• Investment Firm CFO Recruitment

Related Guides

• CASS Audits in 2026: What FRC Standards Now Require
• SMF18 — Other Overall Responsibility Guide
• SMF16 — Compliance Oversight Function Guide
• CASS: A Complete Guide for FCA-Regulated Firms
• SMCR: A Complete UK Guide