Safeguarding audits for payment service firms and electronic money institutions
This was part of my webinar presentation, earlier this year on the 14th May, for the Association of UK Payment Institutions on Safeguarding.
PKF works for clients in a number of regulated sectors. One of these is insurance broking. This sector is about 10 years ahead of the payments sector in terms of its history of regulation. Like the payments sector, the insurance broking sector handles client monies. Every insurance broker that manages client monies on a non-risk transfer basis must have an annual external audit that needs to be completed within 4 months of its year-end. At the end of the audit, a report is addressed to the FCA that details the broker’s compliance with the client money regulations and any breaches that may have been identified in the audit process.
I believe that it is only a matter of time before the payments sector introduces external safeguarding audits so as to strengthen the way they safeguard funds.
Which firms are affected?
The firms affected are those that are required to have their financial statements audited under the Companies Act 2006. As such, all electronic money institutions (EMIs) will need to have an annual safeguarding audit. EMIs are ineligible companies under the Companies Act, so regardless of their size, they must have their financial statements audited. For Payment Institutions (PIs), there is an audit requirement if the firm exceeds at least 2 of the following thresholds: turnover over £10.2 million; gross assets over £5.1 million; and more than 50 employees.
Firms may voluntarily have a safeguarding audit, even if they do not need to have a financial statement audit.
When does the requirement to have a safeguarding audit start?
The requirement takes place with immediate effect. Firms should familiarise themselves with the FCA guidance as soon as possible and take steps to ensure that their procedures and controls meet FCA expectations.
The guidance does not specify a date when this safeguarding requirement applies.
Our advice would be that the safeguarding audit period coincides with the financial year end of your company. If the company's year-end is, say, 30 September 2020, then the safeguarding audit period should also be for that year, although there is nothing to stop you from having a different audit period.
What do you need to consider when appointing a safeguarding auditor?
The FCA guidance says the safeguarding audit should be carried out by either an audit firm or another external firm or consultant. The FCA expects firms to exercise due skill, care and diligence in selecting and appointing auditors for this purpose. A firm needs to satisfy itself that its proposed auditor has specialist knowledge in auditing compliance with the safeguarding requirements under the PSRs/EMRs, taking into account the nature and the scale of the business.
Some points to consider in the evaluation process for selecting your safeguarding auditor are:
- Is the audit firm a registered auditor? Registered auditors are subject to annual reviews of their work by external regulators such as the Institute of Chartered Accountants in England and Wales or the Financial Reporting Council. These external reviews provide assurance of the quality of the work of such firms.
- Does the audit firm have other payments/electronic money clients? The more payments sector clients the auditor has, the more likely they are to have developed expertise in the sector.
- Does the audit firm have a dedicated payments/electronic money team? The presence of a specialist team would also indicate sectoral expertise.
- Does the audit firm carry out client money audits in other regulated sectors? Although safeguarding audits are new for payments and electronic money firms, if a potential auditor is carrying out client money audits for other regulated sectors, this provides comfort that a safeguarding audit will be nothing new for them.