Learn more about the latest security and privacy threats
Back

FCA censures CACEIS UK over weak financial crime controls in the WealthTek collapse

Michelangelo Frigo Michelangelo Frigo (Co-Founder at Zyphe) Published June 30, 2026 Reviewed by Charlene Wang
Editorial illustration for the article "FCA censures CACEIS UK over weak financial crime controls in the WealthTek collapse".

The FCA censured CACEIS UK and secured a 31.7 million pound payout after weak financial crime controls let WealthTek hold assets it was never permitted to hold.

Table of contents

The Financial Conduct Authority censured CACEIS UK on 25 June 2026 for weak financial crime controls that let the collapsed wealth manager WealthTek hold client assets it was never permitted to hold. The asset servicing bank avoided a 33 million pound fine but agreed a 31.7 million pound voluntary payment to affected clients.

  • CACEIS UK received a public censure, not a fine, but agreed a voluntary payment of 31,714,068 pounds for WealthTek clients.
  • The FCA found CACEIS UK breached Principle 2 by failing to act on three Financial Services Register checks showing WealthTek lacked the right permissions.
  • A legacy monitoring system flagged 16 alerts over two years on accounts that took in more than 314 million pounds, and none were properly resolved.
  • The FCA has now recovered more than 57 million pounds for WealthTek clients across CACEIS UK, Sapia Partners and Barclays Bank UK.
  • The case shows that holding client data and assets without acting on what it tells you is itself a financial crime control failure.

What did the FCA find at CACEIS UK?

CACEIS UK was WealthTek's sub-custodian, the firm responsible for safeguarding client assets. The FCA found that its financial crime controls failed to act on clear warnings. The Final Notice is dated 19 June 2026, and the public censure was published on 25 June 2026, with a 31.7 million pound voluntary payment accepted instead of a penalty. The conduct ran across the Relevant Period from late 2020 to early 2023.

WealthTek, formerly named Vertus Asset Management LLP, became a CACEIS UK client in October 2020 and was renamed in March 2021. The regulator's joint executive director of enforcement and market oversight, Therese Chambers, was direct about the stakes: "Strong financial crime controls keep clients' assets safe." Were it not for full cooperation and the voluntary payment, the FCA states it would have imposed a financial penalty of 32,988,540 pounds, which the Final Notice records as 23,091,900 pounds once the standard 30 percent settlement discount is applied.

ItemFigureSource
Voluntary payment by CACEIS UK31,714,068 poundsFCA Final Notice, ref 622691
Penalty avoided (pre-discount)32,988,540 poundsFCA Final Notice
Penalty avoided (post 30% discount)23,091,900 poundsFCA Final Notice
Credits into WealthTek client accountsover 314 million poundsFCA Final Notice
Monitoring alerts left unresolved16, over two yearsFCA Final Notice

How did the financial crime controls fail?

The failures were not exotic. CACEIS UK had the right information three separate times and did not act on it. The breakdown sat in onboarding checks, permission verification and ongoing transaction monitoring, the same controls every regulated custodian is expected to run.

Before its 2020 merger with KAS Bank, CACEIS UK checked the Financial Services Register and saw that WealthTek lacked the "safeguarding and administering investments" permission needed to hold client assets on its platform. It resolved to recheck before migration, then migrated the accounts without doing so. After WealthTek's March 2021 rename, a second Register check again showed the permission was missing, yet CACEIS UK kept opening accounts. A third check in December 2022 produced the same result and the same inaction. The bank also missed a restriction on WealthTek's authorisation that barred it from holding client money. On top of that, a legacy transaction monitoring system generated a first alert and 15 more, and CACEIS UK did not record steps to resolve any of them over a period exceeding two years.

What does this mean for your obligations?

This censure maps directly to customer due diligence and ongoing monitoring duties under the Money Laundering Regulations and the FCA's systems and controls rules. The Final Notice cites SYSC 6.1.1R, 6.3.1R and 6.3.3R and regulations 18, 27 and 28 of the Money Laundering Regulations, then grounds the failure in Principle 2, conducting business with due skill, care and diligence.

For customer due diligence under regulation 27, the lesson is that establishing a client's identity and permissions is not a one-off box-tick. CACEIS UK confirmed the relevant fact three times and still onboarded; verification that does not change behaviour is not verification. For ongoing monitoring under regulation 28, the 16 unresolved alerts show that generating a transaction monitoring alert is worthless without a documented disposition. Examiners will now expect an evidenced rationale recorded against every alert, not a queue that is cleared without notes. For firms acting as custodian or sub-custodian, the case extends these duties to client-of-client oversight: you must verify that the authorised firm you serve actually holds the permissions for the assets and money it places with you, and re-verify when its status or name changes. Record-keeping under regulation 28 also carries weight here, because the absence of a recorded basis for closing an alert was itself part of the finding.

What is still uncertain and where are the risks?

The censure resolves CACEIS UK's regulatory position, but several questions remain open. The most consequential is precedent. By accepting a voluntary payment and waiving the fine, the FCA signals that early cooperation and client redress can convert a multi-million-pound penalty into a censure. That is a sensible incentive, yet it leaves firms guessing where the line sits between a fine and a reprimand for comparable financial crime controls failures.

The underlying fraud is also unresolved. WealthTek's former principal partner, John Dance, was charged in December 2024 with offences including fraud and money laundering, with a trial listed for September 2027 at Southwark Crown Court. Those charges are unproven, and the custodian's censure does not determine them. Client recovery is a further risk: the voluntary payments are distributed through the Joint Special Administrators, and whether every investor is made whole depends on the size of the shortfall against the pooled funds. Finally, there is a deterrence question. A censure with no fine may read to some boards as a cost of doing business rather than a reason to re-engineer monitoring, especially where remediation spend would exceed any expected penalty.

How does this compare with other AML enforcement?

The CACEIS UK outcome is best understood inside the wider WealthTek action, where the FCA has now secured more than 57 million pounds for clients in just over a year. Set against recent European cases, the figures are modest in headline terms but notable for the no-fine structure, which is becoming a recognisable tool for cooperative firms that fund redress directly.

FirmRole in WealthTekFCA outcomeClient redress
CACEIS UKSub-custodianPublic censure, no fine31,714,068 pounds voluntary
Sapia Partners LLPPrincipal, appointed WealthTek as ARPublic censure, no fine19,637,950 pounds voluntary
Barclays Bank UKClient money account providerFine of 3,093,600 pounds6,281,757 pounds voluntary

The contrast with the largest current European matters is stark on scale. Danish prosecutors are pursuing a far larger AML penalty against Nordea over historical correspondent-banking failures, and Sweden recently fined Ikano Bank 140 million Swedish kronor for risk-assessment gaps. In the United States, Canaccord's 80 million dollar FinCEN penalty shows how a broker-dealer monitoring failure is priced once redress is not on the table. The WealthTek actions sit lower on the scale precisely because the firms paid clients directly and cooperated early.

How should compliance teams respond?

Start by treating every authoritative data check as a trigger for action, not a record. Map each control that can surface a red flag, the Financial Services Register, sanctions and PEP screening, transaction monitoring, to a named owner and a required next step, and test that an unresolved finding cannot sit idle. Re-run customer due diligence when a client changes name, status or permissions, and require an evidenced disposition for every monitoring alert before it is closed. For custodians, add a recurring check that the firms you serve hold the permissions for the assets and money they place with you.

Decentralised, data-minimising KYC reduces the surface area where these failures hide. Zyphe shards verified identity data across a network so no single party holds a complete record, while still surfacing a clean, current verification result and an exportable audit trail to the firms that need it. Pairing reusable credentials with continuous AML monitoring means a status change reaches every relying party, rather than waiting for a manual recheck that, as this case shows, may never come. To see how that works against custody and onboarding controls, book a demo.

The bottom line

For teams running KYC and AML, this case is a reminder that controls are judged on what you do with what they tell you. CACEIS UK held the right information repeatedly and failed to act, and the cost was a 31.7 million pound payout and a public censure on its financial crime controls. The cheapest version of compliance is a process that cannot let a confirmed red flag sit unresolved, whether the trigger is a register check, a permission restriction or a monitoring alert.

Cited sources

Michelangelo Frigo Michelangelo Frigo (Co-Founder at Zyphe) Michelangelo Frigo is a privacy and identity infrastructure expert and co-founder of Zyphe.

Frequently Asked Questions

The FCA decided a public censure was the appropriate sanction because CACEIS UK gave full and significant cooperation from the start of the investigation, accepted the failings, and agreed a voluntary ex-gratia payment of 31,714,068 pounds for WealthTek clients. The Final Notice states that without those factors it would have imposed a 23,091,900 pound penalty after a 30 percent settlement discount.

CACEIS UK checked the Financial Services Register three times and each time saw that WealthTek lacked the permission needed to hold certain client assets, but it continued to onboard and operate the accounts. It also missed a restriction barring WealthTek from holding client money, and it left 16 transaction monitoring alerts unresolved over more than two years.

The Final Notice grounds the failure in Principle 2, conducting business with due skill, care and diligence. It references SYSC 6.1.1R, 6.3.1R and 6.3.3R and regulations 18, 27 and 28 of the Money Laundering Regulations, which cover policies and procedures, customer due diligence and ongoing monitoring.

Credits into WealthTek's client accounts at CACEIS UK totalled more than 314 million pounds during the Relevant Period. The FCA has since secured more than 57 million pounds in total redress for WealthTek clients across CACEIS UK, Sapia Partners and Barclays Bank UK.

No. WealthTek's former principal partner, John Dance, was charged in December 2024 with offences including fraud and money laundering, and a trial is scheduled for September 2027 at Southwark Crown Court. Those charges are unproven, and the CACEIS UK censure does not determine them.

See privacy-first KYC in action

Verify identity without storing a single document. Reusable credentials, an exportable audit trail, and a 15-minute integration.

Book a demo