When setting up controls or reviewing those already in place, e-money and payments firms need to put their insolvency hat on to meet the FCA’s recently imposed safeguarding requirements.
The safeguarding rules, focused on reducing consumer harm, are intended to make sure that in the event of insolvency, the firm’s clients have appropriate protection and recourse to recover their funds.
Whether you’re looking at your safeguarding arrangements for the first time or reviewing measures already in place, there are various layers of detail you’ll need to consider:
Start from the basics. What should you be safeguarding?
“Relevant funds” are subject to safeguarding requirements under the E-Money Regulations (EMR) and the Payment Services Regulations (PSRs). Understanding what constitutes a relevant fund and being able to identify how and when they will arise is essential.
There are nuances around what constitutes relevant funds but at a high level, under the EMR, relevant funds are funds that have been received in exchange for e-money that has been issued. Under the PSRs, relevant funds include sums received from or for the benefit of a payment service user (or on behalf of one) for the execution of a payment transaction. In both cases, relevant funds can also be received from third parties, such as clients of the payment service user, and will also need to be considered.
If you’re doing business outside the UK, you’ll need to review whether you’re holding relevant funds. If both the payer and payee’s payment service providers are outside the UK, the funds will be outside the scope of the safeguarding provisions, even if they’re routed through a correspondent in the UK.
For firms doing designated investment business as well as payment services or e-money business, it’s important to note that client money will need to be dealt with under the CASS rules, separately from relevant funds, which fall under the safeguarding requirements set out by the FCA. We’ve seen cases where the FCA has acted where they suspect that this isn’t the case.
The proceeds of an insurance policy or a guarantee over safeguarded funds where the proceeds are received by the firm will also need to be safeguarded. This happens where the insurance or comparable guarantee method is used, and funds are paid out.
The steps you will need to take to comply with the safeguarding rules will depend on the size and type of institution you are.
Small payment institutions:
If you are a small payment institution (PI), you would be registered rather than authorised, so you don’t have to meet the safeguarding requirements. However, you can opt in to do so voluntarily. If you make this choice, you need to inform the FCA upon the application for registration and in the following annual reporting returns.
We see more and more firms opt into the safeguarding requirements due to their ambition for future growth and eventually becoming authorised payment or e-money institutions. Having had the safeguarding control environment in place and having experience in operating this environment would give firms an edge when applying for authorised status.
If you choose to opt in, you will need to arrange adequate protection of relevant funds from the moment you are responsible for them and comply with the safeguarding requirements fully.
Authorised Payment Institutions and E-Money Institutions:
All large PIs and all authorised e-money institutions (EMIs), regardless of their size, have to comply with the safeguarding requirements in full when dealing with relevant funds.
There are two ways to approach this:
Segregation method
As the name implies, relevant funds safeguarded under this method need to be held separately from all other funds the firm holds. If these are still held at the end of the day, you need to deposit them in a segregated account held with an authorised bank or the Bank of England. Alternatively, you can invest them in FCA approved secure, liquid assets held with an authorised custodian. Many firms find it easier from an operational perspective to deposit the funds rather than invest them into liquid assets.
Insurance or comparable guarantee method
In this method, you need to arrange for relevant funds to be covered by an insurance policy with an authorised insurer or a guarantee with an authorised credit institution. This method is less commonly used due to the prohibitive cost associated with it, and is best used in cases where it may be operationally difficult to follow the wider requirements of the segregation method.
A combination of methods can be used. The tricky thing to get right is being clear enough in your records on which funds are subject to segregation and which are subject to the insurance or comparable guarantee. If you intend to change the method used, you need to notify the FCA of your decision and they may ask for further information around how you continue to manage risk to relevant funds.
You can either segregate relevant funds with an authorised credit institution or invest them into liquid assets held with an authorised custodian. In each instance, you need to perform due diligence before appointing the third party and on a periodic basis thereafter. The due diligence is intended to assess the risk the third party might bring to the safeguarded funds, insurance or guarantee. This ensures the third party has the financial resilience, expertise and market reputation to reliably provide the service.
One of the things that firms often overlook is having an acknowledgement letter countersigned by the relevant third party in place. The purpose of these acknowledgement letters is to evidence that the third parties you segregate relevant funds with recognise the trust you have over your clients’ relevant funds, and it is something the FCA will expect to see. If you are unable to obtain such a letter, you need to perform additional steps to demonstrate that the third party has no interest in, recourse against or right over the relevant funds or assets in the safeguarding account. In each case, accounts opened at third parties need to reflect that they relate to clients’ assets or relevant funds, and their naming convention needs to include “client”, “safeguarding” or “customer”.
So, you’ve received relevant funds, chosen your method of safeguarding, and have arrangements in place with your third parties and accounts opened. You’ll now need to ensure adequate controls and practices are in place in the following areas:
- Organisational arrangements: You need to have and maintain adequate and comprehensive internal controls. This includes risk management procedures, exception escalation lines and effective accounting procedures, to mention just some.
- Audits: Arrange an annual audit, specifically relating to the compliance with safeguarding requirements. You will need to ensure the audit is carried out by someone with the required knowledge, skill and expertise.
- Oversight: Appoint an appropriate individual with sufficient experience and knowledge to oversee controls and ensure compliance with the safeguarding requirements.
- Due diligence: Perform periodic due diligence on third parties involved in safeguarding arrangements.
- Reconciliations: Internal and external reconciliations need to be performed to verify that the amount of funds or assets safeguarded matches your internal records. These need to reflect the amount of relevant funds held and clearly show that excess money is not held, which would give rise to potential commingling.
You need to perform two types of reconciliations – internal and external. Firms tend to struggle with these and the FCA guidance is quite high level, making this a challenging area.
Reconciliations need to be proportionate to the complexity of the business, volume and value of transactions undertaken, bearing in mind the overall risk your firm is exposed to.
You’ll need to select an appropriate frequency with which to run your reconciliations. If the potential for discrepancies exists, you should perform them on each business day. We sometimes see firms’ operating systems that result in records being updated live throughout the day with reconciliations being run in real-time alongside. Whilst this is difficult to run compliantly in a CASS environment, it can work in the more agile and technologically developed infrastructure PSPs and EMIs operate in.
Many firms use manual spreadsheets to document their risk and control framework. While this can be a good starting point, there are several drawbacks:
- Highly manual and requires a consistently high time-investment to maintain.
- Not sufficiently dynamic and robust, making real-time impact assessments more challenging.
- Increased risk of inconsistencies and duplications, which can skew the MI you can access.
- Regulatory changes may not be reflected within your control environment promptly, risking non-compliance.
- Higher risk of gaps within the control environment that are harder to identify.
Automated solutions can help firms address these issues by allowing all relevant regulations to be mapped to controls and processes. Our partnership with Grath helps firms manage compliance with CASS and safeguarding regulations, providing an automated system to manage safeguarding rules, risks and controls in a time and cost-effective manner.
You will need to have documentation in place to demonstrate that the control environment ensures compliance with the safeguarding requirements.
This will include documenting:
- How and when relevant funds arise in your business – including transaction flows.
- The method of safeguarding you have chosen and if relevant, the method of segregation you will be using.
- The due diligence process for third parties, which include authorised credit institutions, custodians or insurance providers.
- Frequency and methods of internal and external reconciliations.
For additional assurance, we can conduct readiness reviews and testing by not only doing a deep-dive into the overall policy and governance arrangements, but also the operational ability to meet regulatory expectations.