Download Guide
Compliant and effective safeguarding measures are a pre-requisite for being granted and retaining an authorisation for the provision of payment and e-money services. A portfolio Letter issued by the FCA in March 2023, had safeguarding as priority number one and specifically called out several problems the FCA was seeing, including: ensuring financial integrity was not compromised; meeting customers’ needs; and, of course, keeping customer money safe.
To help firms in the Payments Sector, we wanted to share our ‘top ten’ tips, based on our experience and knowledge of conducting hundreds of safeguarding audits, to help achieve good safeguarding practice. However, before we get there, let’s go back to the beginning to understand the first principles of safeguarding.
First safeguarding principles
The Payment Services Regulations 2017 (PSRs) and Electronic Money Regulations 2011 (EMRs) impose safeguarding requirements to protect customers where funds are held by an institution. The obligation to safeguard starts immediately on receipt of funds, which includes receipt of funds by agents and/or e-money distributors.
Safeguarding is achieved by either:
- Segregating funds (from a firm’s own funds) and depositing them in a safeguarding account with an authorised credit institution or investing them in secure, liquid assets held with an authorised custodian; or
- Protecting funds with an insurance policy or guarantee, issued by an authorised insurer or credit institution.
If a firm enters insolvency, adequate safeguarding arrangements should mean the claims of e-money holders or payment service users, are paid in a timely manner from the asset pool formed from these funds in priority to all other creditors (other than in respect of the costs of distributing the asset pool).
If customer funds are not adequately safeguarded, their return to customers could be delayed and/or customers may not get all their money back. Given this, it is crucial that a firm has adequate organisational arrangements for ensuring relevant funds are safeguarded on receipt and until the safeguarding obligation has been extinguished.
So, what steps can firms take to ensure that they establish and maintain their safeguarding obligations correctly..?
Top ten steps
1. Have a robust safeguarding policy
It sounds pretty obvious, however, in our experience, firms’ policies and procedures vary greatly in quality.
A good safeguarding policy should be comprehensive and comprehensible. Importantly, it should have a clear definition of relevant funds that is consistent with the regulations (this is an issue that the FCA called out in its portfolio letter). However, it is also important that the policy documents the process as well, for: the segregation of relevant funds and/or for monitoring that the insurance policy or guarantee, if used, is appropriate; the reconciliation process; the allocation of responsibilities (including who has access rights over the accounts); and the escalation process. Finally, while processes are important, so is the rationale behind them. The policy should also address why the firm’s method of safeguarding and reconciliation processes are appropriate for its business model.
2. Ensure regular board engagement
The ongoing engagement and oversight of the board is paramount and this needs to be evidenced. Annual approval of the policy and of the safeguarding provider is a non-negotiable, as is regular reconciliation reporting.
We often get asked what regular reconciliation reporting at a board level looks like. Should firms present lots of data or a summary? In our view, the latter. The material presented to the board should be proportionate and digestible and allow a board member to easily understand the success (or otherwise) of the process over a period of time. It might be as simple as an attestation from the responsible executive that reconciliation has been successfully conducted over a certain period.
However, if there is a failure then the reasons should be set out along with the remedial measures required and whether it was material enough to require reporting to the FCA. We suggest that reconciliation reporting should be a standing item on board agendas and occur not less than every quarter, perhaps as part of the CFO’s report.
3. Make sure non-relevant funds are kept apart from relevant funds
Have a robust segregation method in place and do not commingle relevant and non-relevant funds. If the process is such that relevant and non-relevant funds are received together, systems must be in place to separate them as soon as reasonably possible.
Failure to effectively segregate (deliberately or not) is, without doubt, something that could lead the FCA to withdraw permissions or impose a restriction on business.
4. Conduct daily reconciliations in a timely manner
The FCA requires reconciliation to happen “as often as necessary and as soon as practicable after the date to which the reconciliation relates” to ensure accuracy and avoid commingling of relevant and non-relevant funds. Certainly, reconciliation – against both the firm’s internal record of relevant funds and externally against the balance held at the bank - should happen at least once a day. Record at what time you expect the reconciliation to be completed in your Safeguarding Policy and by whom. Among other things, beware of time differences if any element of the process is offshored. Again, it is worth emphasising that the portfolio letter specifically mentions inadequate reconciliation processes as one of the FCA’s key concerns.
5. Complete (and document) annual reviews
Firms should review their safeguarding bank account provider or insurance provider annually against a set of risk-based criteria (in other words the assessment is not just about cost or availability). Relating back to point 2, if a firm uses the estimation method, then it should review the methodology of estimation annually and update if necessary. This process ensures that the arrangements remain appropriate and is particularly important for firms that are growing at pace. Also, ensure good version control and evidence of sign off from the board.
6. Have clear lines of responsibility
The policy should have a responsible individual(s) named and the daily reconciliation should show evidence of four-eyes scrutiny and sign off. An automated process is not enough on its own. Whilst the payments industry is not (currently) subject to SM&CR, accountability is an issue that is high on the FCA’s agenda more generally, so we advise that responsibility should be clear and unambiguous.
7. Document bank account providers properly
Designate the safeguarding bank accounts properly (i.e. call them safeguarding accounts) and use the template letter in Annex 6 of the FCA’s Approach Document to obtain confirmation from the bank that the requirements of the regulations are being met. If you are an EMI and you provide unrelated payment services, then you need to have a separate and appropriately labelled safeguarding account for relevant funds arising from these services.
8. Fix problems and report when necessary
Accidents can happen, so fix problems quickly and inform the FCA. As paragraph 10.88 of the approach document explains, firms should notify the FCA “in writing without delay if in any material respect they have not complied with, or are unable to comply with, the requirements in regulation 20 of the EMRs or regulation 23 of the PSRs 2017”, or if they cannot resolve any reconciliation discrepancies. (The FCA does not specify or quantify what is meant by ‘material’, so it is up to the firm to determine this, but evidence how it has come to that decision). Ideally, the notification to the FCA should include details of the steps taken to rectify the issue and the controls being put in place to avoid any recurrence.
9. Report changes in arrangements
Report changes in methods of safeguarding to the FCA (as required in Approach Document para 4.19). For example, and it is easy to forget this one, if you change your bank account provider (or indeed add a provider), inform the FCA in advance.
10. Get an annual safeguarding audit
A safeguarding audit should happen annually and although the FCA is not explicit, the expectation is that audits should be back-to-back. Since 2020, all payment firms that are required to have their financial statements audited under the Companies Act 2006 must also have a safeguarding audit. As such, all electronic money institutions (EMIs) must have an annual safeguarding audit. If a firm is exempt from an annual audit, they should consider doing it anyway.
And not forgetting...
- Evidence: Accurate documentation is crucial and the result of your annual safeguarding audit will be based on evidence, not assertion. If the FCA pays a visit, then it will want to see evidence to support a firm’s assessment of its safeguarding practice.
- Preparation: go back to first principles and put yourself in the shoes of the regulator and ask yourself if the reconciliation process has been performed in a way that a third party (e.g., insolvency practitioner) would be able to quickly identify and agree the correct level of relevant funds needing to be re-distributed to the firm’s customers? If you are not confident that you can answer this question with a resounding yes, then identify the reasons why and fix them.
- Consistency: for PIs and EMIs a key focus of the wind-down plan is to ensure the quick and efficient distribution of safeguarded funds in the event of the insolvency of the firm. It is therefore important that the safeguarding policy and procedures are consistent with the provisions of the firm’s wind-down plan.
What are the consequences of getting it wrong?
The FCA has said on several occasions, perhaps most pertinently in its latest strategy document (2022/25), that it will act earlier and more assertively when dealing with problem firms. It expects a firm and a firm’s auditor to tell it if there is, or has been, may be or may have been, a breach of any requirements imposed by or under the PSRs/EMRs that is of material significance: this includes a breach of the safeguarding requirements.
Transparency really is the best approach when it comes to dealing with the regulator and the FCA is likely to be somewhat more sympathetic to firms that admit to shortcomings and have a plan to fix them.
Finally, there really is an element of collective responsibility in all this. Several payment firms failing in a short space of time, where safeguarding arrangements prove inadequate, will be bad for the industry’s reputation. Moreover, it could lead the FCA to take a more punitive – and for the payment firms’ industry more costly in compliance terms – approach to regulating the industry.
We have summarised the top 10 safeguarding tips listed above into a downloadable brochure. Please click the button below to receive a copy of this for you to refer to and hand out.
Download Guide
If you would like to discuss your safeguarding arrangements with a member of our experienced Payment Services consultancy team, please do get in touch below.
CONTACT US
Related resources
All resourcesPayment Services Regulatory Compliance Forum 2025
Managing reputational risk
FCA issues guidance on Payment Services Regulations 2024
Identifying the weaknesses in firms’ transaction reporting governance and control frameworks