article banner
Article

Safeguarding audits for payment and e-money firms

Paul Staples Paul Staples

The FCA requires payment and e-money firms to undertake annual safeguarding audits over customer funds.

With the first audits looming, Paul Staples looks at how to prepare ahead of time.

Consumers and businesses increasingly use payment and e-money firms as their transactional banking provider. Following its recent guidance, the Financial Conduct Authority (FCA) now requires these firms to arrange an annual safeguarding audit to demonstrate they are adequately protecting their customers’ funds.

A recent industry-wide survey by the FCA explored the financial resilience of regulated firms in relation to the COVID-19 situation. Reinforcing the need for safeguarding audits, it found the payments and e-money sector had the lowest proportion of profitable firms, potentially making them more vulnerable to insolvency. Considering the lack of Financial Services Compensation Scheme (FSCS) protection for payment services and e-money customers, and ongoing economic uncertainty, these safeguarding audits will become a vital supervisory tool for the FCA.

So, what should you expect from this audit and how can you best prepare? 

Where should firms start with a safeguarding audit?

In our previous article, we considered some of the initial steps that firms should consider, including:

  • revisiting the requirements in the FCA’s approach document, as well as the Payment Services Regulations 2017 (the PSRs) and the Electronic Money Regulations 2011 (the EMRs)
  • carefully looking at the FCA’s expectations set out in the recent publications and prepare a gap analysis and a remediation plan
  • obtaining an independent review of your arrangements
  • discussing the new safeguarding audit requirement with your auditors and assess their necessary capability
  • ensuring that all actions and plans are documented, approved by senior management and monitored through to resolution
  • preparing to communicate your progress with the FCA if the regulator gets in touch or you identify material weaknesses.

Since the audit will be undertaken on a ‘reasonable assurance' basis, you should expect a robust and thorough review, including detailed tests of related controls.

In forming their methodology, auditors may apply the International Standard on Assurance Engagements (ISAE 3000), which covers non-audit assurance work and similar review of historical financial information. Auditors may then use this in conjunction with the FCA’s approach document and guidance.   

Where do customer funds arise in your business model?

This is a seemingly obvious question, but it is central to demonstrating that customers’ funds are protected wherever and whenever they arise.

In my experience (including under s166 skilled person reviews), firms are not always clear how their business model aligns to regulatory requirements.

For example, it may not be clear-cut whether a firm’s products and services meet the definition of “e-money and related payment services”, or if they should be considered solely as payment services. It's not uncommon for firms to seek an expert legal opinion to confirm their regulatory perimeter.

The mapping of funds flows and related processes can also help here, particularly to clarify where the firm’s safeguarding obligations begin and end, including where the firm forms part of a chain of payment firms.

Document, document, document

The auditor will expect even smaller firms to have a reasonable set of approved policy and procedural documentation in place. If prepared to a good standard, this can be invaluable in providing initial familiarity with your business and clearly articulating the firm’s safeguarding arrangements. Importantly, it will send an early signal of a positive safeguarding culture.

For example, a safeguarding policy would be expected to cover, among other things:

  • an overview of safeguarding arrangements in the context of your business model
  • related processes and controls
  • records and accounts for client funds
  • reconciliation processes and controls
  • banking arrangements (account designations, acknowledgement letters, and periodic reviews)
  • governance arrangements
  • breach management and reporting.

A clear description of relevant systems and controls, alongside the risks they are designed to mitigate, will help firms demonstrate how they meet the safeguarding requirements.

Internal assurance before safeguarding audit

In keeping with a conventional Three Lines of Defence model, and proportionate to their size and complexity, firms may want independent assurance prior to their external safeguarding audit. This may cover safeguarding obligations across operational teams, compliance, risk and internal audit functions.

The effective operation of front-line payment processes and reconciliations are critical. To strengthen the risk management framework, you may benefit from independent monitoring reviews or internal audit in advance of the external safeguarding audit, where possible.

These reviews may uncover additional breaches or areas of concern. However, effective root-cause analysis and pro-active remediation of known weaknesses is preferable to the auditor calling out areas of concern that you have failed to spot previously.

Adopting an insolvency perspective

Compared to the FCA’s more-mature Client Assets (CASS) regime for investment firms, the safeguarding requirements are less detailed, and may be prone to interpretation in certain areas; for example, in the design and operation of internal and external reconciliations. This will inevitably play out over the coming years through contentious audit findings as industry standards and regulatory expectations become clear.

Where rules are not prescriptive, it can be useful to adopt a principles-based perspective. It's important not to lose sight of the premise on which the rules are based; that is, to adopt an insolvency mind-set. On this basis, a cursory look at the Treasury’s recent consultation is helpful.

This will create new insolvency rules for the payments and e-money sector, including a special administration regime (pSAR). The key features of the proposed pSAR bear close similarity to the equivalent regime for CASS firms, including:

  • the total capture of all funds that form the ‘asset pool’ under the safeguarding regime
  • determining customers’ “entitlement to customer funds at the precise point” when the firm entered special administration
  • an explicit objective to return customer funds as soon as reasonably practicable
  • post-administration reconciliation of customer funds
  • rules for the treatment of shortfalls in safeguarding accounts.

Where firms have doubts about their compliance, the above features represent a useful point of reference in meeting the letter as well as the spirit of the safeguarding rules.

If you would like to discuss any of these challenges and how we can help, get in touch with Paul Staples.

Article
Payments and e-money: raising standards in safeguarding Find out more