The Financial Conduct Authority (FCA) announced on 9 July 2020 that they require all E-Money Institutions, and any Payments Institution that is required to arrange an audit of its annual accounts under the Companies Act 2006, to audit their safeguarding arrangements at least once annually. In theory firms have up to 12 months to satisfy this requirement, but there are many good reasons why firms should not delay their audit and why we would recommend all firms commission a safeguarding audit.
The message within the FCA’s ‘Coronavirus and safeguarding customers’ funds: additional guidance for payment and e-money firms’ was loud and clear. Payment and e-money institutions ought to be preparing for the strong possibility of an FCA enquiry, as they step up supervisory activity or, as they put it themselves, “We will continue to proactively test firms’ safeguarding arrangements. Where we find inadequacies, we will take action to prevent customer harm.”
Firms need to consider whether their current safeguarding arrangements really do meet the updated regulatory requirements, and honestly ask themselves how confident they are that they have the evidence of compliance to survive detailed scrutiny by the FCA’s Payments Supervision team.
Why are the FCA so concerned?
It is worth taking a step back and examining the reasons why the FCA is so concerned about this area.
Safeguarding is aimed at protecting customers’ money if an API or EMI becomes insolvent. However, the nature of the Directives and the UK implementing legislation mean that it will only be effective if all the requirements are met. The key provisions of Regulation 23 in the Payment Services Regulations are that relevant funds must be kept segregated from any other funds that the payment institution holds, and that the safeguarding account must only be used to hold relevant funds (or assets). If the payment institution cannot show that this is the case, the protection offered by the regulations is open to challenge by other creditors. This could mean customers losing their money, or long delays in payout while challenges are fought through the courts. Given the FCA’s consumer protection remit, it is clear why this is high up their priorities list.
Complex and varied business models
What became clear during the FCA’s safeguarding attestation process last year is that in the many and varied business models in the payments industry, it is not always as straightforward as the legislators thought it would be to identify what are relevant funds in any particular case.
It is vital that firms set out in their policies and procedures how they identify relevant funds, and why that meets the definition in the Payment Services Regulations and/or E-Money Regulations for their particular business model. Where the business model is novel or complex, it may be advisable to obtain specialist advice. To borrow a term from the Senior Managers regime, which is also relevant in payment services, the FCA expect senior management to take “all reasonable steps” to comply with regulatory requirements, and taking advice from a suitably qualified external source can evidence that the firm has done this.
Having identified relevant funds, firms must be able to reconcile the sums held in safeguarding accounts to their own records, enabling the firm and any relevant third party to distinguish relevant funds from the firm’s own money and relevant funds held for one customer from those held for another. It is noteworthy that the finalised guidance says that the FCA “expect firms to clearly document this reconciliation process and to provide an accompanying rationale.” Again, this means that the firm must look at its own business model and set out not only how it carries out its reconciliations, but why that is appropriate for its business. External verification of that justification may be sensible to show that management have taken all reasonable steps to be compliant.
Evidencing your compliance
Firms that fall within the latest FCA guidance will have to ask a suitably qualified and experienced independent firm to audit safeguarding arrangements at least once annually. An independent audit is an excellent way of evidencing compliance with the regulations and of identifying areas for improvement or remediation. It also gives you a document you could show to the FCA to demonstrate how seriously you take your responsibilities. That is why we are strongly recommending firms look toward an audit at the earliest opportunity.
All firms are required, as a condition of authorisation, to satisfy the FCA that they have adequate internal control mechanisms including sound administrative, risk management and accounting procedures and that they have taken adequate measures to safeguard customer funds.
It is difficult to see how a firm can do this without undertaking an audit of some sort, to evidence that senior management have taken all reasonable steps to be compliant. For APIs, EMIs and SPIs which choose to safeguard, where they are exempt from having to audit their accounts under the Companies Act 2006, undertaking an independent safeguarding audit is not mandatory. But we would suggest that in the current environment these firms should seriously consider commissioning an independent safeguarding audit to check and evidence their compliance. Being smaller firms will not make them any less interesting to the FCA. In fact, there could be compelling arguments for them being equally in the spotlight, especially those firms of a size close to the exemption limits.