With the first audits looming, Paul Staples looks at how to prepare ahead of time.
Consumers and businesses increasingly use payment and e-money firms as their transactional banking provider. Following its recent guidance, the Financial Conduct Authority (FCA) now requires these firms to arrange an annual safeguarding audit to demonstrate they are adequately protecting their customers’ funds.
A recent industry-wide survey by the FCA explored the financial resilience of regulated firms in relation to the COVID-19 situation. Reinforcing the need for safeguarding audits, it found the payments and e-money sector had the lowest proportion of profitable firms, potentially making them more vulnerable to insolvency. Considering the lack of Financial Services Compensation Scheme (FSCS) protection for payment services and e-money customers, and ongoing economic uncertainty, these safeguarding audits will become a vital supervisory tool for the FCA.
So, what should you expect from this audit and how can you best prepare?
In our previous article, we considered some of the initial steps that firms should consider, including:
Since the audit will be undertaken on a ‘reasonable assurance’ basis, you should expect a robust and thorough review, including detailed tests of related controls.
In forming their methodology, auditors may apply the International Standard on Assurance Engagements (ISAE 3000), which covers non-audit assurance work and similar review of historical financial information. Auditors may then use this in conjunction with the FCA’s approach document and guidance.
This is a seemingly obvious question, but it is central to demonstrating that customers’ funds are protected wherever and whenever they arise.
In my experience (including under s166 skilled person reviews), firms are not always clear how their business model aligns to regulatory requirements.
For example, it may not be clear-cut whether a firm’s products and services meet the definition of “e-money and related payment services”, or if they should be considered solely as payment services. It's not uncommon for firms to seek an expert legal opinion to confirm their regulatory perimeter.
The mapping of funds flows and related processes can also help here, particularly to clarify where the firm’s safeguarding obligations begin and end, including where the firm forms part of a chain of payment firms.
The auditor will expect even smaller firms to have a reasonable set of approved policy and procedural documentation in place. If prepared to a good standard, this can be invaluable in providing initial familiarity with your business and clearly articulating the firm’s safeguarding arrangements. Importantly, it will send an early signal of a positive safeguarding culture.
For example, a safeguarding policy would be expected to cover, among other things:
A clear description of relevant systems and controls, alongside the risks they are designed to mitigate, will help firms demonstrate how they meet the safeguarding requirements.
In keeping with a conventional Three Lines of Defence model, and proportionate to their size and complexity, firms may want independent assurance prior to their external safeguarding audit. This may cover safeguarding obligations across operational teams, compliance, risk and internal audit functions.
The effective operation of front-line payment processes and reconciliations is critical. To strengthen the risk management framework, you may benefit from independent monitoring reviews or internal audit in advance of the external safeguarding audit, where possible.
These reviews may uncover additional breaches or areas of concern. However, effective root-cause analysis and proactive remediation of known weaknesses are preferable to the auditor calling out areas of concern that you have failed to spot previously.
Compared to the FCA’s more mature Client Assets (CASS) regime for investment firms, the safeguarding requirements are less detailed, and may be prone to interpretation in certain areas; for example, in the design and operation of internal and external reconciliations. This will inevitably play out over the coming years through contentious audit findings as industry standards and regulatory expectations become clear.
Where rules are not prescriptive, it can be useful to adopt a principles-based perspective. It's important not to lose sight of the premise on which the rules are based; that is, to adopt an insolvency mind-set. On this basis, a cursory look at the Treasury’s recent consultation is helpful.
This will create new insolvency rules for the payments and e-money sector, including a special administration regime (pSAR). The key features of the proposed pSAR bear close similarity to the equivalent regime for CASS firms, including:
Where firms have doubts about their compliance, the above features represent a useful point of reference in meeting the letter as well as the spirit of the safeguarding rules.