Proposed enhancements to safeguarding for payments and e-money firms

Client asset protection

The long-awaited consultation paper (CP) 24/20 aims to strengthen the safeguarding regime in two stages. The FCA has proposed to give firms six months for the interim rules and a further 12 months for the end-state rules.

Interim rules will address immediate priorities for the FCA, and the end-state rules will replace the safeguarding requirements of the Payment Services Regulations 2017 (PSRs) and Electronic Money Regulations 2011 (EMRs) with a new chapter within the CASS regime applicable to payment services.

The consultation ends on 17 December 2024 and the FCA plans to publish its policy statement within the first half of 2025.

Who do the rules apply to?

The FCA’s proposed rules apply to:

  • authorised payment institutions (APIs)
  • authorised e-money institutions (AEMIs)
  • small e-money institutions (SEMIs) who will be able to opt-in to the safeguarding requirements for unrelated payment services (these services are not usually subject to safeguarding obligations)
  • credit unions issuing e-money in the UK under the PSRs and EMRs
  • European Economic Area (EEA) firms in supervised run-off (SRO) under the financial services contracts regime (FSCR)

As with the current safeguarding regime, small payment institutions (SPIs) will still be able to opt-in to the safeguarding requirements under the new rules.

The FCA has focused on safeguarding due to the poor practices observed in the sector, coupled with tougher economic conditions and firm failures that are both high-volume and high-profile. The intent behind the proposed enhancements is to improve safeguarding practices, which fits in with the FCA’s broader objectives around consumer protection.

What are the proposed rules and how does this impact the payments sector?

The new rules will be implemented through the Financial Services and Markets Act 2023. They will replace the current safeguarding rules with a new chapter within the CASS regime.

This will be a significant change for the sector which will require firms to invest further in their safeguarding compliance. The proposed rules state that a director or senior manager of a payments firm will be required to have oversight of a firm’s safeguarding compliance. They will also need to report their oversight to the firm’s governing body as part of meeting the new and enhanced requirements for adequate organisational arrangements. In the absence of SM&CR for payments firms, the person assuming this responsibility is likely to be considered a PSD/EMD Individual and will need to register as such if they have not already done so.

Accuracy of books and records

Client-specific records and reconciliations

It comes as no surprise that this is a key focus of the consultation and where a lot of the rule changes will be taking place. Due to the lack of prescriptive guidance by the FCA prior to the consultation paper, we have seen firms struggle to create an appropriate client-level record or an internal bank ledger. Instead, firms have tended to use external data via APIs to effectively build their own internal records. We know from the CASS world that this falls short of FCA expectations.

Some firms do not understand the need for internal as well as external reconciliations, and as such may not meet the current safeguarding requirements. Furthermore, relying on external reconciliations to maintain adequate books and records increases the intra-day risk such, which means that if a firm fails, the insolvency practitioner (IP) would experience more difficulties ascertaining the position and entitlements at the point of failure. This could then lead to delays and reduce the amount of money returned to customers.

The new rules will build on the FCA’s existing guidance and set more detailed record-keeping and reconciliation requirements for the end-state regulation, similar to requirements already set out in CASS 7 for investment firms. Therefore, firms will be expected to have a clear split between internal and external reconciliations and build their control environment in a way that promptly identifies and resolves shortfalls in relevant funds.

Resolution pack

Firms will be required to maintain a resolution pack, which should capture their main safeguarding arrangements, including how their books and records are built, updated and maintained accurately. The resolution pack should be retrievable within 48 hours to enable an IP to achieve a timely return of relevant funds to consumers. As such, firms need to both prepare this resolution pack and also build controls around ensuring its ongoing accuracy and retrievability to meet regulatory deadlines. It will be the document that firms hope never to use but need to get right.

Enhanced monitoring and reporting

Safeguarding return

The FCA has identified that it has limited data of and lacks timely visibility in relation to safeguarded funds. It has also noted that a large compliance gap with safeguarding requirements exists across payments firms. As such, the FCA has proposed to introduce a monthly comprehensive safeguarding return. The regulator expects to use this to proactively target its supervisory activity and focus its oversight in key areas. This will also allow the FCA to have visibility over the amount of safeguarded funds and where these are held, or the ‘chain’ of funds. In turn, this will enable the FCA to ascertain the level of risk in the event of firm insolvencies, including the systemic impact of such events.

Annual safeguarding audits

The FCA has also extended the requirement for all payment firms to be subject to an annual external safeguarding audit, except for SPIs, payment initiation services providers that aren’t authorised for any other payment services, and credit unions. Reports from these audits will need to be submitted to the FCA within 4 months of the end of the period to which it relates.

Further onus is placed on auditor selection. Auditors appointed need to have the appropriate skills, knowledge, expertise and independence to opine on whether the firm has maintained systems adequate to comply with the safeguarding requirements, report on any breaches, the circumstances leading to these, and any remedial actions taken by the firm.

The main change would be that the audit standards for these safeguarding audits will be further codified in order to set appropriate expectations and ensure a common standard across audit firms.

Strengthening elements of safeguarding practices

Where funds should be received and held

The current rules allow firms to hold relevant funds for a period of time in segregated accounts which are not designated safeguarding accounts. When firms continue to hold relevant funds at the end of the business day after receipt, they must place this into a designated safeguarding account with an authorised credit institution, the Bank of England or invest them in secure, liquid assets.

However, we are increasingly seeing firms depositing relevant funds with other payments firms. The sector is already more prone to firm failure, especially when there is of a chain of payments firms involved, due to these firms not having to meet the same capital requirements as banks. As such, the FCA has deemed this practice to be high risk and proposes that firms move away from it. This practice also would increase the difficulty for an IP to disentangle which relevant funds belong to customers of the failed firm, and as such it makes the process of reuniting customers with their funds more cumbersome.

Firms will be required to have additional oversight of how they manage their third-party risks in relation to their safeguarding processes. This includes exercising due skill, care and diligence when appointing third parties involved in holding relevant funds or assets, periodically reviewing third parties and considering whether to diversify their use of them. We see that firms oftentimes fail to consider all safeguarding-specific aspects when performing their due diligence and as such fall short of FCA requirements and expectations.

The FCA also requires firms to clearly identify funds not held in designated accounts and to ensure they promptly allocate relevant funds to individual consumers. Further, the relationship with these third parties and the account structure at the end-state would be governed by an acknowledgement letter, which would impose a trust structure upon safeguarded funds, and as such provide better protection for consumers in the event of firm failure.

Ultimately, the FCA will require most payments firms that safeguard using the segregation method to receive funds directly into a designated safeguarding account with an approved bank or the Bank of England.

The FCA has also proposed to create a single asset pool which will simplify operations and reduce costs for EMIs who provide payment services that are not connected to issuing e-money (unrelated payment services). The single asset pool will mean that EMIs will no longer need to open separate accounts for relevant funds and unrelated payment services, which has been difficult due to a lack of appetite by banks and credit institutions. Under the new rules, EMIs can place both types of funds into one single bank account, subject to diversification requirements.

Investment in secure liquid assets

Additional safeguards are proposed where payments firms opt to invest relevant funds in secure, liquid assets. These include ensuring that there is a suitable spread of investments and that investments are made in line with an appropriate liquidity strategy. This would enable the firm to promptly act upon client request and move funds appropriately. The consultation paper points to firms that safeguard using this particular method would require additional permissions at the end state, in order to allow them to hold assets on behalf of their consumers and apply CASS 6  (segregating custody assets) in relation to these assets, or appoint a custodian to do so on their behalf.

Insurance or comparable guarantee method

The FCA has also proposed stricter rules around how firms can safeguard relevant funds by insurance or comparable guarantee. No conditions or restrictions should be in place to trigger paying out the insurance or guarantee other than the certification of an insolvency event. Firms will also need to ensure that the insurance policy or comparable guarantee is extended at least 3 months before it expires so that relevant funds are covered continuously.

Lastly, the FCA proposes that the rights under and proceeds of the insurance policy or guarantee should be included in the statutory trust and that the amount of the cover should always exceed the amount of funds the firm would have needed to protect at all times. As such, firms using this method will still need to have robust internal records and have controls in place to compare these with the level of cover available.

Agents and distributors

The FCA’s consultation has outlined concerns in the payments sector around poor agent and distributor oversight which extends out to inadequate assurance over agents’ and distributors’ segregation of relevant funds. These are driven by the lack of ongoing oversight over the adequacy of safeguarding arrangements at agents and distributors. Where the chain of agents and distributors used is complex, this will increase the risk to clients both from failure of the payment firm as well as failure of the agent or distributor.

In the end-state rules, the regulator is proposing that agents or distributors cannot receive relevant funds and that payment firms will have to receive funds directly into their designated safeguarding account. Payments firms can only allow their agents and distributors to receive relevant funds if agent and distributor segregation model is in place, which would involve the principal firm segregating sufficient funds into a designated safeguarding account to cover the funds expected to be received and held by their agents or distributors.

Holding funds under a statutory trust

The imposition of a statutory trust will result in better protection for consumers, as firms will have a fiduciary duty to act in consumers’ best interest. The FCA proposes that this is introduced for relevant funds held by a payment firm, relevant assets, insurance policies/guarantees and cheques. The FCA expects this to address risks posed by the Ipagoo judgement, especially in the context the 65% average shortfall in funds owed to clients in insolvency cases between 2018 and 2023.

To legally establish a statutory trust, firms would need to sign acknowledgement letters with third party banks covering all safeguarding accounts. The FCA has proposed a standardised template, to ensure that the appropriate statutory trust protections apply to the funds. This letter will put the banks on notice that payment firms are under an obligation to keep moneys within these accounts separate from other moneys and to acknowledge that banks do not have any interest or right against moneys in these accounts.

How can Bovill Newgate help payments firms prepare for these safeguarding regulatory changes?

The FCA’s message to payments firms is that they should be expecting enhanced scrutiny from the regulator as part of its strategy. From our experience, we expect that the FCA will undertake proactive work with firms in the sector to support the implementation of its policy, which means firms should be on notice that the FCA expects them to be safeguarding correctly.

We regularly support firms with their safeguarding and CASS arrangements through:

  • building processes and controls to meet the rules and requirements as well as the spirit they were written in
  • conducting readiness reviews and testing by doing a deep dive into firms’ overall policy and governance arrangements
  • ensuring that firms’ operational ability meets regulatory standards.

Reach out to our team for support on authorisation, readiness reviews, policy and controls creation, health checks, or audits of your safeguarding arrangements.