Getting ready for your first safeguarding audit

With immediate effect from 9 July 2020, payment institutions and electronic money institutions that are required to have their financial statements audited must now also undertake an annual audit of their compliance with the safeguarding requirements under the Payment Services Regulations 2017 (PSRs) and Electronic Money Regulations 2011 (EMRs).

What to expect from the safeguarding audit process? 

The audit process is divided into three parts: planning, fieldwork and completion.

The planning phase has the objectives of gaining an understanding of the business, the safeguarding process and the key risks within the safeguarding process.

Firms need to provide the auditor with a safeguarding systems and controls manual so that the auditor can gain an understanding of the safeguarding process. The FCA states that it expects firms to maintain sufficient records to show and explain their compliance with all aspects of their safeguarding obligations. Firms should have a documented rationale for every decision they make about their safeguarding process and the systems and controls they have in place.

Safeguarding systems and controls manual 

The FCA has found that firms that document their rationale for safeguarding decisions are more likely to be safeguarding appropriately.

Most safeguarding policies and procedures manuals that we come across are generic, often just a copy and paste of the relevant sections of the FCA sector approach guide. The manual should be specific to a firm’s circumstances. The overall aim is for the manual to be sufficiently comprehensive that someone unfamiliar with the firm could operate the safeguarding function without any additional guidance, and for it to serve as a reference source. It should always be a live document, consistently updated as the business develops new products and changes the way it operates.

A good safeguarding policies and procedures manual should include:  

  • The name of the person who has responsibility for the company’s safeguarding process as well as their deputy.
  • Only relevant funds require safeguarding. The funds considered to be relevant funds should be defined in the manual together with the firm’s services that generate relevant funds.
  • The firm should document when its obligation to safeguard funds both begins and ends.
  • Details of the reconciliations that need to be performed. An appendix should include example reconciliations. Explanations should be provided for each line of the standard reconciliations. The daily reconciliations that are required are: firstly, a reconciliation between the amounts due to e-money holders/payment service beneficiaries and amounts held in segregated/safeguarding bank accounts and secondly, bank reconciliations in relation to all segregated/safeguarding bank accounts.
  • Reconciliations are required to be carried out at least daily. To enable sensible execution of this requirement, the close of business should be defined. This would be a point in time (say 5PM) when the reconciliations are carried out, following which any transfers for fees or FX profit are made out of the safeguarding account, so that there is no overnight mingling of funds.
  • Details of persons responsible for preparing and reviewing the reconciliations should be noted.
  • Details of how approval of the daily safeguarding reconciliations should be evidenced.
  • An explanation of the circumstances when reconciliation differences are escalated to senior management within the firm.
  • The internal process followed when there are unresolved reconciliation differences. 
  • An explanation of how the breaches register is updated to note breaches that have occurred in relation to compliance with the safeguarding regulations under the PSRs/EMRs and in relation to Chapter 10 of the FCA’s approach document.
  • A description of the information provided to the Board of Directors regarding the performance of the safeguarding process.
  • A schedule setting out which accounts are considered to be segregated and which are safeguarding should be included.
  • Details of the process the company goes through to select a bank to safeguard relevant funds and the criteria that need to be satisfied in terms of assessing the stability and financial security of the bank on an initial and an annual basis. 
  • Proof that your safeguarding bank accounts are indeed safeguarding accounts should be included within the document. The best form of this verification is through a letter from your bank, which confirms that the accounts are held for the purposes of safeguarding under either Regulation 23 of the Payment Services Regulations or Regulation 20 of the Electronic Money Regulations and that the bank does not have any right of set-off or counterclaim in respect of any money owed to it. 
  • The circumstances in which the safeguarding systems and controls manual should be updated. This should be at least annually or before that if there are changes to your safeguarding systems and controls or changes to the business through the introduction of new products and services that may fall within the definition of relevant funds.
  • The details of the provisions for any internal or external audit of the safeguarding process.
  • The details of the criteria that should be used to select an external auditor.

If you would like to talk through your options, please do get in touch.