CASS 16 and 17: regulating stablecoins and cryptoassets

Confused by UK’s CASS regulations on stablecoins and crypto assets? Murray Campbell from AutoRek shares insights on the updated framework to ensure your financial institution stays compliant and avoids fines.

Digital assets and stablecoins are rapidly maturing as developments across the UK’s financial services unfold. The total value of issued stablecoins has risen to USD 250 billion today – more than double the volume compared to 18 months ago.

Stablecoins offer a practical gateway to crypto markets, providing a bridge between traditional currency and digital assets. They enable efficient 'on and off-ramping' – moving between traditional currency and crypto assets. But for stablecoins to be a safe and effective option, proper infrastructure and regulatory safeguards are essential. 

Without proper safeguards, stablecoins risk being undermined by operational failures, fraud, or inadequate backing of issued tokens.

The UK is addressing this through the extension of its Client Assets Sourcebook (CASS) framework – a mature regulatory regime with over a decade of proven effectiveness in traditional financial services – to stablecoins and crypto assets through CASS 16 and 17. While the Prudential Regulation Authority (PRA) is separately consulting on systemic stablecoins used in payment processing, CASS 16 focuses on stablecoins as a gateway to crypto markets.

CASS 16 & 17

By 2026, stablecoin issuers and crypto asset custodians will come under regulatory scrutiny from the FCA for the first time. For firms in this space, particularly technology-first companies without prior experience in client asset protection, this represents a significant operational and compliance challenge. 

CASS has been the cornerstone of investor protection in UK financial services for over a decade. Since 2014-2015, it has set detailed requirements for how firms must segregate, reconcile, and protect client money and custody assets. Now, the FCA plans to extend this to cover digital assets - reflecting confidence in the framework's effectiveness.

CASS 16 applies to firms issuing stablecoins in the UK. It requires 1:1 backing, meaning every stablecoin must be matched by reserve assets held separately from the firm's own funds. Firms must reconcile these backing assets daily, both internally and against external records, to prove the stablecoins they've issued are fully backed.

CASS 17 covers firms providing custody of crypto assets. These firms need FCA permission and must follow detailed safeguarding rules, including comprehensive reconciliation requirements.

Organisations must understand CASS rules in granular detail: how data flows through systems, where records are stored, how third parties are contracted, and how reconciliations are executed. Those that fall under the scope will have to undergo annual audits by independent external auditors and must provide monthly regulatory returns to the FCA.

Barriers to compliance

For traditional financial services firms already operating under CASS 6 and 7, the extension to crypto represents a technical challenge, but familiar regulatory territory. 

However, for technology-first companies or crypto-native businesses, CASS compliance represents an operational challenge. These firms may have innovative platforms and sophisticated blockchain technology, but limited experience building the robust back-office infrastructure that CASS demands.

A critical technical challenge is precision. Most financial services systems handle numeric values to eight decimal places, but many crypto assets, such as Ethereum, transact to 18 decimal places. If reconciliation systems can only process eight decimal places, values must be rounded, creating discrepancies. Which would not be adequate under the new regulations. 

Not only would these rounding errors be non-compliant, but a firm could also be losing out on funds. For firms managing millions in client assets, even tiny rounding errors can lead to huge inaccuracies. This, therefore, demands purpose-built solutions capable of high-precision calculations.

The always-on nature of crypto markets creates another complexity. CASS requires reconciliations at least once per business day, but what constitutes ‘close of business day’ in a market that never closes? Firms must establish and document their own definitions of business day closures and ensure reconciliation processes align, requiring operational capacity outside of traditional working hours.

Preparing for compliance

Firms entering the UK stablecoin or crypto custody market need to take a comprehensive approach to CASS compliance.

First, understanding the full scope of requirements. For example, if a business handles fiat currency in connection with crypto custody activities, they will also be subject to the CASS 7 client money rules in addition to CASS 17. This significantly expands compliance obligations beyond what many firms may anticipate.

Early technical assessment is crucial. Identifying gaps early and implementing purpose-built solutions should be a priority. Simultaneously, mapping out how money, assets, and data flow through an organisation, while documenting every touchpoint and control, is vital. This forms the foundation for both operations and audit evidence.

Building internal capability is equally important - staff need training on the rules, as well as how to apply them in practice. For firms new to CASS, bringing in expertise from traditional financial services can help embed the necessary compliance culture and operational discipline.

Finally, remembering that CASS compliance is ongoing, not a one-time project. Annual audits, monthly regulatory returns, and continuous monitoring are mandatory requirements that demand permanent operational capacity and budget allocation.

Regulatory look ahead

CASS 16 and 17 signal the UK's commitment to bringing stablecoins and crypto assets within a mature regulatory framework. This creates a higher barrier to entry than some jurisdictions but establishes clear standards that provide a solid foundation for sustainable growth.

For firms already familiar with CASS, the extension is manageable. For new entrants, there are more hurdles, but compliance is achievable with proper planning and investment. 

The firms that succeed will recognise CASS compliance as a foundation for operational resilience and client trust. The UK's approach may be more demanding than others, but it offers legitimacy and trust – essential in a market still building its reputation for safety and reliability. 

About author

Murray has worked at AutoRek for 5 years and is a Principal Product Manager with a remit covering product development, client implementation, and sales and marketing. Prior to AutoRek, Murray spent over 10 years working for investment firms across both compliance and CASS operational management roles. Murray regularly contributes to industry events, providing insights from across his experience covering both regulated roles and from a vendor perspective.

 

 

About AutoRek

AutoRek is a leading provider of automated reconciliation and financial control solutions, trusted by the world's largest financial institutions for over 30 years. The company's SaaS platform automates reconciliations, data management, and reporting across asset management, payments, insurance, and banking sectors. AutoRek is headquartered in Glasgow, Scotland, with offices in New York and London. For more information, visit www.autorek.com.