The FCA censured CACEIS UK and secured a 31.7 million pound payout after weak financial crime controls let WealthTek hold assets it was never permitted to hold.
Table of contents
The Financial Conduct Authority censured CACEIS UK on 25 June 2026 for weak financial crime controls that let the collapsed wealth manager WealthTek hold client assets it was never permitted to hold. The asset servicing bank avoided a 33 million pound fine but agreed a 31.7 million pound voluntary payment to affected clients.
- CACEIS UK received a public censure, not a fine, but agreed a voluntary payment of 31,714,068 pounds for WealthTek clients.
- The FCA found CACEIS UK breached Principle 2 by failing to act on three Financial Services Register checks showing WealthTek lacked the right permissions.
- A legacy monitoring system flagged 16 alerts over two years on accounts that took in more than 314 million pounds, and none were properly resolved.
- The FCA has now recovered more than 57 million pounds for WealthTek clients across CACEIS UK, Sapia Partners and Barclays Bank UK.
- The case shows that holding client data and assets without acting on what it tells you is itself a financial crime control failure.
What did the FCA find at CACEIS UK?
CACEIS UK was WealthTek's sub-custodian, the firm responsible for safeguarding client assets. The FCA found that its financial crime controls failed to act on clear warnings. The Final Notice is dated 19 June 2026, and the public censure was published on 25 June 2026, with a 31.7 million pound voluntary payment accepted instead of a penalty. The conduct ran across the Relevant Period from late 2020 to early 2023.
WealthTek, formerly named Vertus Asset Management LLP, became a CACEIS UK client in October 2020 and was renamed in March 2021. The regulator's joint executive director of enforcement and market oversight, Therese Chambers, was direct about the stakes: "Strong financial crime controls keep clients' assets safe." Were it not for full cooperation and the voluntary payment, the FCA states it would have imposed a financial penalty of 32,988,540 pounds, which the Final Notice records as 23,091,900 pounds once the standard 30 percent settlement discount is applied.
| Item | Figure | Source |
|---|---|---|
| Voluntary payment by CACEIS UK | 31,714,068 pounds | FCA Final Notice, ref 622691 |
| Penalty avoided (pre-discount) | 32,988,540 pounds | FCA Final Notice |
| Penalty avoided (post 30% discount) | 23,091,900 pounds | FCA Final Notice |
| Credits into WealthTek client accounts | over 314 million pounds | FCA Final Notice |
| Monitoring alerts left unresolved | 16, over two years | FCA Final Notice |
How did the financial crime controls fail?
The failures were not exotic. CACEIS UK had the right information three separate times and did not act on it. The breakdown sat in onboarding checks, permission verification and ongoing transaction monitoring, the same controls every regulated custodian is expected to run.
Before its 2020 merger with KAS Bank, CACEIS UK checked the Financial Services Register and saw that WealthTek lacked the "safeguarding and administering investments" permission needed to hold client assets on its platform. It resolved to recheck before migration, then migrated the accounts without doing so. After WealthTek's March 2021 rename, a second Register check again showed the permission was missing, yet CACEIS UK kept opening accounts. A third check in December 2022 produced the same result and the same inaction. The bank also missed a restriction on WealthTek's authorisation that barred it from holding client money. On top of that, a legacy transaction monitoring system generated a first alert and 15 more, and CACEIS UK did not record steps to resolve any of them over a period exceeding two years.
What does this mean for your obligations?
This censure maps directly to customer due diligence and ongoing monitoring duties under the Money Laundering Regulations and the FCA's systems and controls rules. The Final Notice cites SYSC 6.1.1R, 6.3.1R and 6.3.3R and regulations 18, 27 and 28 of the Money Laundering Regulations, then grounds the failure in Principle 2, conducting business with due skill, care and diligence.
For customer due diligence under regulation 27, the lesson is that establishing a client's identity and permissions is not a one-off box-tick. CACEIS UK confirmed the relevant fact three times and still onboarded; verification that does not change behaviour is not verification. For ongoing monitoring under regulation 28, the 16 unresolved alerts show that generating a transaction monitoring alert is worthless without a documented disposition. Examiners will now expect an evidenced rationale recorded against every alert, not a queue that is cleared without notes. For firms acting as custodian or sub-custodian, the case extends these duties to client-of-client oversight: you must verify that the authorised firm you serve actually holds the permissions for the assets and money it places with you, and re-verify when its status or name changes. Record-keeping under regulation 28 also carries weight here, because the absence of a recorded basis for closing an alert was itself part of the finding.
What is still uncertain and where are the risks?
The censure resolves CACEIS UK's regulatory position, but several questions remain open. The most consequential is precedent. By accepting a voluntary payment and waiving the fine, the FCA signals that early cooperation and client redress can convert a multi-million-pound penalty into a censure. That is a sensible incentive, yet it leaves firms guessing where the line sits between a fine and a reprimand for comparable financial crime controls failures.
The underlying fraud is also unresolved. WealthTek's former principal partner, John Dance, was charged in December 2024 with offences including fraud and money laundering, with a trial listed for September 2027 at Southwark Crown Court. Those charges are unproven, and the custodian's censure does not determine them. Client recovery is a further risk: the voluntary payments are distributed through the Joint Special Administrators, and whether every investor is made whole depends on the size of the shortfall against the pooled funds. Finally, there is a deterrence question. A censure with no fine may read to some boards as a cost of doing business rather than a reason to re-engineer monitoring, especially where remediation spend would exceed any expected penalty.
How does this compare with other AML enforcement?
The CACEIS UK outcome is best understood inside the wider WealthTek action, where the FCA has now secured more than 57 million pounds for clients in just over a year. Set against recent European cases, the figures are modest in headline terms but notable for the no-fine structure, which is becoming a recognisable tool for cooperative firms that fund redress directly.
| Firm | Role in WealthTek | FCA outcome | Client redress |
|---|---|---|---|
| CACEIS UK | Sub-custodian | Public censure, no fine | 31,714,068 pounds voluntary |
| Sapia Partners LLP | Principal, appointed WealthTek as AR | Public censure, no fine | 19,637,950 pounds voluntary |
| Barclays Bank UK | Client money account provider | Fine of 3,093,600 pounds | 6,281,757 pounds voluntary |
The contrast with the largest current European matters is stark on scale. Danish prosecutors are pursuing a far larger AML penalty against Nordea over historical correspondent-banking failures, and Sweden recently fined Ikano Bank 140 million Swedish kronor for risk-assessment gaps. In the United States, Canaccord's 80 million dollar FinCEN penalty shows how a broker-dealer monitoring failure is priced once redress is not on the table. The WealthTek actions sit lower on the scale precisely because the firms paid clients directly and cooperated early.
How should compliance teams respond?
Start by treating every authoritative data check as a trigger for action, not a record. Map each control that can surface a red flag, the Financial Services Register, sanctions and PEP screening, transaction monitoring, to a named owner and a required next step, and test that an unresolved finding cannot sit idle. Re-run customer due diligence when a client changes name, status or permissions, and require an evidenced disposition for every monitoring alert before it is closed. For custodians, add a recurring check that the firms you serve hold the permissions for the assets and money they place with you.
Decentralised, data-minimising KYC reduces the surface area where these failures hide. Zyphe shards verified identity data across a network so no single party holds a complete record, while still surfacing a clean, current verification result and an exportable audit trail to the firms that need it. Pairing reusable credentials with continuous AML monitoring means a status change reaches every relying party, rather than waiting for a manual recheck that, as this case shows, may never come. To see how that works against custody and onboarding controls, book a demo.
The bottom line
For teams running KYC and AML, this case is a reminder that controls are judged on what you do with what they tell you. CACEIS UK held the right information repeatedly and failed to act, and the cost was a 31.7 million pound payout and a public censure on its financial crime controls. The cheapest version of compliance is a process that cannot let a confirmed red flag sit unresolved, whether the trigger is a register check, a permission restriction or a monitoring alert.
Cited sources
Michelangelo Frigo (Co-Founder at Zyphe) Michelangelo Frigo is a privacy and identity infrastructure expert and co-founder of Zyphe.