Payment and e-money providers – safeguarding audits, a timely reminder
19 December 2023
In July 2020 the Financial Conduct Authority (FCA) finalised guidance on safeguarding customer funds, which included the requirement that payment services and electronic money institutions, whose accounts required a statutory audit, would also be required to undertake an annual audit of their compliance with the safeguarding requirements under the Payment Service Regulations 2017 (PSRs) and Electronic Money Regulations 2011 (EMRs).
The expectation is that the FCA will soon issue a consultation paper that will align the safeguarding requirements more closely with the Client Assets sourcebook (CASS) rules.
Here is a timely reminder of the existing requirements of a safeguarding audit.
What is the safeguarding audit requirement?
Section 1.20 states that firms are required to obtain an opinion from an auditor on:
- whether the firm has maintained organisational arrangements adequate to enable it to meet the FCA’s expectations of its compliance with the safeguarding provisions of the EMRs/ PSRs throughout the period; and
- whether the firm met those expectations as at the period end date.
What assets are to be safeguarded?
The requirement to safeguard applies to "relevant funds" in both the PSRs 2017 and EMRs 2011. Authorised e-money firms must also separately safeguard relevant funds received in relation to unrelated payment services (such as money remittance).
The PSRs define “relevant funds” as:
- sums received from, or for the benefit of, a payment service user for the execution of a payment transaction; and
- sums received from a payment service provider for the execution of a payment transaction on behalf of a payment service user.
In the EMRs, “relevant funds” are defined as funds that have been received in exchange for electronic money that has been issued.
What areas will the audit look at and what kinds of testing will be performed?
Our fieldwork program comprises of a suite of tests designed to ensure adequate coverage to allow us to opine as required by the FCA, as well as to add value to our clients. The testing considers the design and implementation, as well as the operating effectiveness of a firm’s key controls and processes identified in relation to safeguarding.
The key areas of testing that we expect to conduct in a safeguarding audit include:
- Desktop review of key documents.
- Review of treatment of mixed funds and co-mingling.
- Review and testing of segregation of funds.
- Review and testing of both internal and external reconciliations.
- Review of safeguarding bank accounts.
- Review of Systems and Controls and Governance in relation to safeguarding.
For clients where we also act as statutory auditor, the safeguarding audit takes the form of a separate engagement adjacent to the statutory audit and includes planning, fieldwork, and completion stages, as is common with statutory and CASS audits. Where we deliver both a statutory audit and a safeguarding audit, we seek to leverage efficiencies wherever possible.
How we can help
Our dedicated Financial Services Audit and Assurance team have a blend of skills and experience that make them ideally positioned to deliver these audits. Our experience extends to acting for FinTech businesses, including payment services and e-money issuers in this area, as well as in relation to providing statutory audit and CASS audits. We also have extensive experience in delivering CASS audits for investment businesses and insurance brokers.
At the time, many commentators considered the July 2020 safeguarding rules to look “like CASS did 10 or so years ago”. We have been on the “CASS journey” with a number of clients and this experience serves us well in relation to safeguarding.
If your firm is required to obtain a safeguarding audit opinion, please do not hesitate to get in touch with myself or a member of our Financial Services team to discuss how we can assist.
View a webinar on safeguarding - hosted on 5 March 2024, alongside Burness Paull.
