FCA censures CACEIS UK over WealthTek: a financial crime controls reckoning for UK custodians

Last updated: June 2026

A custodian opened accounts for another FCA-authorised firm, checked the Financial Services Register on multiple occasions, saw each time that the firm lacked the permission it needed to hold those assets, and carried on anyway. Over two and a half years more than GBP 314 million flowed through those accounts while transaction-monitoring alerts sat unresolved. That is the conduct the Financial Conduct Authority set out in its 25 June 2026 enforcement outcome and press release regarding CACEIS Bank UK Branch, a pointed lesson in FCA financial crime controls for any UK firm that sub-custodies assets for regulated clients.

CACEIS UK was publicly censured and agreed a voluntary GBP 31,714,068 payment for clients of WealthTek, the wealth manager that collapsed into special administration in April 2023. The FCA made no finding in this notice that CACEIS UK’s accounts were used for money laundering. The breach was narrower: the firm failed to conduct its business with due skill, care and diligence, in breach of Principle 2, because it did not act on what it knew.

Related reading: the FCA’s June 2026 financial crime priorities for UK regulated firms.

What the FCA found about CACEIS UK’s financial crime controls

The FCA announced the public censure on 25 June 2026 under section 205 of the Financial Services and Markets Act 2000. The firm is CACEIS Bank UK Branch, reference number 622691, part of the CACEIS asset-servicing group of Credit Agricole. The relevant period runs from 1 October 2020 to 4 April 2023.

It began with a merger. In October 2020, CACEIS UK was preparing to merge with KAS Bank, and a firm then named Vertus Asset Management became its client. The FCA found that CACEIS UK identified on multiple occasions that WealthTek did not hold the necessary permissions to undertake certain activities but failed to act on those findings. CACEIS UK resolved to verify first, did not, and made the accounts available anyway. A further check, after Vertus had changed its name to WealthTek in January 2021, showed the same gap, and a later review the same result, each followed by inaction. CACEIS UK also missed a restriction on WealthTek’s Part 4A authorisation barring it from holding client money, which was visible on the Register.

Monitoring was the other failure. WealthTek accounts ran through a legacy transaction-monitoring system, since retired. The first alert flagged deficiencies in the know-your-customer information held. A reviewer logged the concern, and then nothing sufficient was done about it or the alerts that followed, for over two years.

The legal basis, and what Principle 2 is doing here

The censure rests on a single Principle. Principle 2 of the FCA’s Principles for Businesses requires a firm to conduct its business with due skill, care and diligence. The FCA alleged no offence under the Proceeds of Crime Act 2002 or the Terrorism Act 2000, the statutes behind the money-laundering and terrorist-financing offences, and criticised no person other than CACEIS UK. The enforceable duties it applied live in the Handbook and the Money Laundering Regulations.

The FCA assessed the conduct against its Principles for Businesses and relevant systems and controls obligations in SYSC and the Money Laundering Regulations 2017.

That the finding is a breach of Principle 2 rather than a single rule breach matters. The policies on paper were broadly right; the failure was that the controls existed and were not run. That gap is also what the FCA tests through individual accountability under the UK Senior Managers and Certification Regime. A clean policy library is no defence when the file shows the firm knew and did not act.

The pooled client account trap

CACEIS UK was sub-custodying for a regulated firm, holding what the JMLSG Guidance calls a pooled client account: an account a customer opens to administer money belonging to its own underlying clients. Annex 5-V treats these as a specific risk, both of the customer’s clients misusing the account and of the customer being complicit.

This is where teams holding accounts for other authorised firms misjudge the risk. A regulated counterparty feels low risk, and the Guidance does permit simplified due diligence on a pooled account assessed as low risk, even to the point of not identifying the underlying clients. The baseline is to take reasonable measures to establish and document the account’s purpose and, where needed, information such as the types of clients whose funds sit in it, the level of assets deposited and the size of transactions undertaken. A regulated counterparty status does not, by itself, document that PCA purpose or risk assessment.

Checking the Register is not the control

The FCA found that CACEIS UK checked the Financial Services Register on multiple occasions and failed to act on the information identified. The gap was an absence of any step that turned each check into a decision, a hold on the account, or a documented escalation.

For a UK custodian onboarding another regulated firm, the FS Register permission screen should sit in the file as a dated record and the account should remain blocked until the permission question is closed in writing. A check that produces no action and no audit trail is invisible to a supervisor reading the file two years later. Understanding a customer’s permissions means acting on what the check returns and being able to show what you did with it. Opening accounts where permissions are not verified creates regulatory exposure for custodians, on both the financial-crime control and the client-asset perimeter.

Why open alerts cost more than missing ones

The monitoring backlog was one of the core control failures in the enforcement outcome. CACEIS UK generated alerts, a reviewer recorded a genuine KYC concern on the first one, and failed to adequately resolve transaction monitoring alerts over an extended period.

On the monitoring side, a UK custodian should close an alert only with a written rationale in the case record, because unresolved alerts were one of the control gaps the FCA relied on when censuring CACEIS UK and accepting the voluntary GBP 31.7 million client payment. JMLSG paragraph 5.7.3 sets the bar plainly: flag the activity, have the right person review it promptly, and record the action taken. A backlog is the heavier failing: the firm documented that it saw the issue, then had nothing to show for the years that followed. Other supervisors price the same failure in comparable terms, as the run of AUSTRAC AML enforcement shows.

A censure with a price tag, and where the money went

The FCA chose censure over a penalty because of the firm’s cooperation and the voluntary payment. The ex-gratia GBP 31,714,068 reaches WealthTek’s clients through the Joint Special Administrators’ distribution plan; the payment will be distributed to WealthTek clients via the administrators and FSCS arrangements. More widely, the FCA says it has secured over GBP 57 million for WealthTek clients in just over a year, through action against CACEIS UK, Sapia Partners and Barclays Bank UK.

Frequently Asked Questions

Did the FCA fine CACEIS UK?

No. The FCA imposed a public censure under section 205 of FSMA 2000 and decided against a penalty, citing the firm’s cooperation and its voluntary payment. Absent those factors, it states it would have imposed GBP 32,988,540, reduced to GBP 23,091,900 after the 30 percent settlement discount.

Which rules did CACEIS UK actually breach?

The FCA’s primary finding was a breach of Principle 2, conducting business with due skill, care and diligence. The FCA assessed the conduct against its systems and controls obligations in SYSC and the Money Laundering Regulations 2017, but the censure itself rests on Principle 2.

Was money actually laundered through the accounts?

The FCA’s enforcement outcome makes no such finding. The breach is that CACEIS UK failed to take sufficient steps to mitigate the risk of misappropriation or money laundering.

We onboard other FCA-authorised firms. What does this mean for our FS Register checks?

A check alone does not discharge the obligation. The case turned on CACEIS UK identifying a permission gap on multiple occasions and not acting. Record each check, gate the account on the correct Part 4A permissions, capture any authorisation restriction, and document the decision.

How should we treat transaction-monitoring alerts after this?

As a supervised control. The reviewer flagged a real KYC concern on the first alert, and alerts went unresolved over an extended period. JMLSG paragraph 5.7.3 expects prompt review and recorded action, so an open or undocumented alert is the exposure.

Related Articles

Key Takeaways

  • CACEIS Bank UK Branch was publicly censured on 25 June 2026 and agreed a voluntary GBP 31,714,068 payment for WealthTek clients; the relevant period ran from 1 October 2020 to 4 April 2023.
  • The FCA’s primary finding was a breach of Principle 2, assessed against SYSC and the Money Laundering Regulations 2017. No laundering was found.
  • The FCA found that CACEIS UK identified on multiple occasions that WealthTek did not hold the necessary permissions but failed to act on those findings; the Register also carried a restriction barring it from holding client money.
  • The firm failed to adequately resolve transaction monitoring alerts over an extended period; the FCA treated the backlog and missing closure rationale as a core control failure.
  • Pooled client accounts under JMLSG Annex 5-V need a documented purpose before any simplified due diligence; regulated status does not remove that baseline.
  • Cooperation converted a would-be GBP 23,091,900 penalty into a censure plus redress; the FCA has secured over GBP 57 million for WealthTek clients across three firms.

Sources and References

The control file a UK custodian needs after CACEIS UK

The lesson is a higher evidential bar on obligations that already existed. A firm that holds or sub-custodies assets for other regulated clients should be able to show, on any account, the FS Register check and the action it triggered, the permission and restriction position gating the account, the documented purpose of any pooled client account, and a closed-out rationale for every monitoring alert. CACEIS UK had the rules and the systems. What it could not produce was the file showing it had used them, and that gap carried a GBP 31.7 million price.

Disclaimer: The information on RegReportingDesk.com is for educational and informational purposes only. It does not constitute legal, regulatory, tax, or compliance advice. Always consult your compliance officer, legal counsel, or the relevant supervisory authority for guidance specific to your institution.

Similar Posts