Last month, the FCA released final guidance and a Dear CEO letter for payment services firms, following a short consultation. Steven Clews summarises the new FCA guidance and looks at what firms should do now.
The FCA has continued to press payment services firms, including authorised payment institutions (APIs) and e-money institutions (EMIs), to improve their safeguarding arrangements. Despite previous calls to action over the past year, the FCA remains concerned, and this has been heightened by financial resilience worries due to the COVID-19 situation.
The FCA’s final guidance and the Dear CEO letter must be read together to tally regulatory expectations and establish next steps. Firms should consider the following actions:
Revisit the requirements in the FCA’s approach document, as well as the Payment Services Regulations 2017 (the PSRs) and the Electronic Money Regulations 2011 (the EMRs), as appropriate
Carefully study the FCA’s expectations set out in the recent publications and prepare a gap analysis and a remediation plan
Consider obtaining an independent view of your arrangements
Discuss the new safeguarding audit requirement with your auditors and assess the necessary capability
Ensure that all actions and plans are documented, approved by senior management and monitored continuously through to resolution
Be prepared to communicate your progress with the FCA if the regulator gets in touch or you identify material weaknesses
Safeguarding is an ongoing concern
Concerns over safeguarding have been in the public eye lately, following the failure of several firms last year. In June, the FCA temporarily suspended Wirecard from undertaking regulated activities in the UK, lifting this suspension three days later. While the FCA considered this a necessary step to protect consumer funds, it resulted in disruption for payment services firms using Wirecard as a card services provider and some customers were unable to access their money during the intervening weekend.
In May, the FCA opened a short consultation on temporary guidance to strengthen and clarify its requirements set out in the approach document, ahead of a wider consultation later this year. The temporary guidance focused on safeguarding and prudential risk management. The final version is largely unchanged from the proposal, and the accompanying Dear CEO letter reiterates regulatory expectations and consequences of inaction.
A closer look at the Dear CEO letter
The Dear CEO letter sets out six areas (summarised below) where non-compliance by APIs and EMIs could cause potential harm to consumers. The areas reiterate current guidance in the approach document and highlight key updates, so it is important to read this letter in the wider regulatory context.
The letter emphasises some of the guidance changes including the new audit requirements, and the need to regularly review and remediate safeguarding arrangements.
Prudential risk management
Firms are directed to the additional guidance, but the letter does not detail specific requirements for stress testing and wind-down plans.
The FCA notes shortcomings in financial crime arrangements although there is no revised guidance. As financial crime is a concern in the current macro-economic environment, firms should review chapter 19 of the approach document.
Firms are reminded that all financial promotions and communications must be clear, fair and not misleading. Again, there are no new requirements in the guidance, but firms should make sure they are familiar and compliant with the conduct of business obligations from chapter eight of the approach document.
Governance and oversight
The FCA emphasises the importance of strong governance and oversight in reducing regulatory issues, and of making sure that governance processes are of an appropriate scale and in line with the firm's growth and risk profile. Head offices and decision-making processes must be UK-based.
Records management and reporting
The FCA does not add additional requirements, but reiterates existing expectations, particularly around regulatory reporting and demonstrating compliance through adequate record keeping.
The letter also asks firms to prepare for Brexit and to make arrangements for customers based in the EEA, to avoid the poor outcomes that would result from ceasing service unexpectedly.
Reviewing the final guidance
Looking beyond the Dear CEO letter, the final guidance contains three key themes of safeguarding, prudential risk management and wind-down planning.
The FCA is focused on safeguarding customers using payment services firms. The final safeguarding guidance covers the five operational areas outlined below.
Separate notes are provided for small payment institutions (SPI) that are not required to safeguard relevant funds, but are still required to arrange protection for customers’ funds. The FCA notes that SPIs may choose to opt into the safeguarding regulations and encourages these firms to do so voluntarily, acknowledging that this will improve protection.
Firms must clearly document reconciliation processes, with appropriate rationale, to assist in distribution of funds in the event of insolvency, although no strict format is provided. Clear documentation reduces subjectivity about whether the reconciliation fulfils its intended purpose. The FCA also clarifies when issues of material non-compliance with reconciliations should be provided.
The FCA has included safeguarding guidance on acknowledgement letters and provided a template. To distinguish accounts in which money is held for clients from the firm’s own money, the name of the firm’s safeguarding account must include the word ‘safeguarding’, ‘customer’ or ‘client’.
Firms must obtain an acknowledgement letter or provide a written agreement to demonstrate that the safeguarding institution or custodian has no rights over the relevant funds. UK banks or UK branches of EU credit institutions are familiar with the process, as similar format letters are used under the FCA’s client money regime for investment firms.
We expect the FCA to have zero tolerance for any amendments to the template that would prevent an insolvency practitioner recovering client funds. Using the template will therefore be important for firms.
The FCA has clarified third-party due diligence expectations, including minimum review periods. Firms should track changes in circumstances and document resulting decisions.
The guidance also clarifies when safeguarding obligations start. This is important for EMIs allowing customers to access money before their funds have been credited to the safeguarding account.
The final guidance here diverges from the proposals in the original consultation paper. Unallocated funds should be safeguarded as part of relevant funds, and shown in books and records as unallocated customer funds. Notably, physical segregation from own funds and safeguarded funds is no longer necessary. Firms must amend their policies and procedures accordingly, documenting any changes.
New audit requirements are probably the biggest change for firms, which should discuss them with their auditor. Firms providing audited annual accounts under the Companies Act must now arrange an audit of their compliance with the safeguarding requirements under the PSRs/EMRs, as appropriate. This is to satisfy the FCA on the adequacy of internal control mechanisms, sound procedures and safeguarding arrangements. The requirements are similar in outline to those for investment firms holding clients’ monies.
Under PSRs/EMRs, an audit firm or other independent firm or consultant must conduct the audit. Firms must exercise due skill, care and diligence in selecting auditors for this purpose. Auditing safeguarding compliance under the PSRs and EMRs is a specialist skill, and the firm must make sure they have selected appropriately.
The FCA will review these audit reports, following up with both the auditor and the regulated firm as needed. An unqualified ‘clean’ audit report may be met with a degree of scepticism, so an inexpensive, cursory audit may be a false economy. The FCA is looking for a ‘reasonable assurance’ opinion. An explanation of this is available in the consultation feedback statement, but additional guidance on the audit framework is still needed. While the FCA has not given a date for when the first audits are due, early discussions are encouraged to allow for prompt remediation of any issues.
2 Prudential risk
The final guidance on prudential risk covers governance and controls, liquidity and capital stress testing, risk management arrangements and capital adequacy. As with safeguarding, not all matters will be relevant for SPIs.
Governance and controls
The guidance emphasises statements made in the Dear CEO letter. In our experience, weak governance and controls are a common root cause of many failings within a firm. Smaller organisations may have less experience in meeting and demonstrating the FCA’s expectations. Governance arrangements must be well documented, including results of board and committee deliberations.
Firms should undertake stress testing to analyse the impact of severe business disruptions, including failure of a major counterparty, and results should form part of the own funds assessment. Stress testing must be appropriate to the nature, size and complexity of the firm’s business and its risks. Senior management should document, approve and review, at least annually or at times of substantial changes, the design and results of the stress testing.
Some events are suggested for stress-testing scenarios, which should be conducted on a solo-firm basis, taking account of any risks posed by the larger group.
Firms must have liquidity risk management arrangements in place, including consideration of their liquid resources and funding options to meet liabilities. The FCA emphasises that exclusion of uncommitted intra-group liquidity facilities from liquidity management and capital adequacy calculations is best practice.
Firms dependent on intra-group facilities should ensure legally enforceable netting arrangements are in place. Such firms will be expected to explain to the FCA how they are managing liquidity and group risk.
The FCA will probably follow up on its coronavirus resilience surveys covering liquidity and capital, so management should be prepared for further information requests.
3 Wind-down plans
The third strand in the final guidance looks at the new requirement for wind-down planning. This aims to manage liquidity, operational and resolution risks, and assess how the firm would wind down its business on both a solvent and insolvent basis.
The FCA provides examples of matters to be addressed in a wind-down scenario and stresses the need for proportionate plans, in line with the nature of the firm’s activities and its size. These plans should be subject to a minimum annual review and should be drawn up on a solo-firm basis. This section does not apply to SPIs.
The final guidance and the Dear CEO letter provide a number of calls to action at a time when firms may already be managing stress to their business model. Firms should act quickly to identify and resolve problems. The FCA has stated that it will take prompt action to remedy failings in these areas.
For help understanding the new FCA expectations, contact Steven Clews.