The FCA has recently released an amended edition of its 'Our Approach' document (AD) and the accompanying policy statement (PS21/19). This represents the latest milestone in a journey to make the payments sector more resilient and strengthen consumer protection.
While uncertainty remains over exactly how firms should approach their obligations, the AD provides helpful clarifications around safeguarding and protecting consumer funds. This is essential reading for all firms operating in the payments and e-money sector.
The payments landscape continues to expand and evolve at pace. While the pandemic is not fully behind us, it has undoubtedly prompted an acceleration of changes in consumer behaviour and business models. Such change is not without risk.
The FCA recognises that there is significant scope for consumer harm from poor safeguarding and prudential risk management. Indeed, between 2018 and 2020, the failure of five payment firms, in aggregate, resulted in a £40 million shortfall in funds owed to customers. The safeguarding requirements - imposed by the Payment Services Regulations (PSRs) 2017 and E-Money Regulations (EMRs) 2011 - aim to protect customer funds, including on the insolvency of a firm, by keeping them separate from the firm’s own working capital and other funds. The aim is seemingly straightforward and yet, in practice, ensuring full compliance is decidedly more challenging.
Following the FCA’s various forms of temporary guidance in 2020 and proposals in its Consultation Paper 21/3 in January 2021, the updated AD (chapter 10) consolidates this guidance and latest regulatory expectations. This now provides a single point of reference for firms.
Adoption of this guidance represents a safe harbour for firms when implementing their various safeguarding arrangements. As such, the AD illustrates ways in which firms may comply with the relevant regulations and rules. Departure from the guidance may be appropriate in certain circumstances, although such instances may be contentious and so should be clearly documented and carefully considered by firms.
Against a backdrop of varying business models and bespoke control frameworks, the PSRs and EMRs lack practical specificity. So, the need to demonstrate compliance puts a significant burden of proof on firms, particularly for the purpose of the newly mandated annual safeguarding audit requirement.
The level of engagement with the earlier consultation process – approximately 90 responses – shows that this challenge is quite rightly recognised by the industry. This is also reflected in the FCA’s revised cost benefit analysis (CBA), which has increased its estimate for safeguarding audit costs for the industry by around 70%, from £9.7 million to £16.6 million per year.
This re-estimate reflects the amount of work that audit firms are now undertaking to provide a ‘reasonable assurance’ opinion on compliance through the audit period and as at the audit period end date, with a necessary focus on the key controls that underpin a firm’s safeguarding arrangements.
In presenting its CBA, the FCA draws a more eye-catching comparison to its Client Assets (CASS) regime and, in doing so, estimates annual safeguarding audit costs to be approximately £100,000 for 'medium' firms – those holding more than £1 million in customer funds – and up to £200,000 for the largest firms.
Despite this significant uplift from previous estimates, it’s clear there's still a great deal of variation in audit fees and a need for firms to ensure the audit approach is well-tailored to their business and its relative complexity, including that of its controls environment.
Early and proactive engagement with your safeguarding auditor (who may be different to your statutory auditor) will inevitably make for a smoother and more efficient process. The FCA has made it clear that it expects firms to have made “significant progress” with their safeguarding audits. This latest messaging, coupled with the attestation required of firms back in 2019, means that firms will be hard-pressed to justify apparent inaction in this important area. The AD goes further by suggesting a four-month timeframe, after the audit period end date, to complete the annual audit (again, a direct comparison to CASS), but falls short of confirming this to be a strict requirement.
The comparison to the CASS regime does not stop here. As the FCA alludes to in PS21/19, there remains a credible argument for a more comprehensive review of the safeguarding requirements in the future, potentially with a view to a more prescriptive set of requirements similar to CASS. For example, detailed guidance around reconciliations and the treatment of shortfalls in relevant funds is still notable by its absence.
Such developments would need to be subject to further FCA consultation. However, the likelihood of such a trajectory will inevitably depend on the outcomes that the FCA observes through its supervisory and monitoring activities. The annual safeguarding audit is clearly an important tool for the FCA to make this assessment and to follow up on specific risk events at individual firms.
Similarly, the FCA has not ruled out the development of a more bespoke audit standard for the payments sector in future which, inevitably, firms would need to prepare for in a similar fashion to CASS firms now operating under an enhanced FRC Assurance Standard.
While there may be an intuitive and convenient inclination to draw comparisons to the more mature and developed CASS regime, some contention remains. Most notably, a recent High Court judgment – Ipagoo – and its conclusions on safeguarded funds determined that the EMRs “do not create a trust” over money received by an e-money institution from its customers; a notion well-established within CASS.
This divisive ruling runs counter to the case of Supercapital and seemingly strikes a significant blow to a central tenet of the safeguarding regime, undermining its very purpose and indeed the effectiveness of the new insolvency regulations recently introduced by the government.
Despite the FCA’s new-found willingness to take more legal risk, where its actions are intended to “prevent imminent consumer harm”, the stakes will be especially high when it appeals this particular judgment because of the wider implications for this high-priority sector.
Despite the uncertainty, the AD does bring useful clarifications. For example, it provides examples of firms’ FCA notification requirements, such as a failing in reconciliation processes and a decision by a firm’s third party to close a safeguarding account. Additionally, it communicates further guidance for firms currently operating under the Temporary Permissions Regime, following the end of the Brexit transition period.
Overall, the revised AD certainly represents a positive step forward in developing a more robust and practicable safeguarding regime, but this regulatory story is far from over.
If you would like to discuss any of the challenges for payments and e-money firms and how we can help, get in touch with Paul Staples.