Background
On 25th June 2020 Wirecard (a German payment processor offering electronic payment transaction services) filed for insolvency after it was revealed that €1.9 billion was ‘missing’. The following day in the UK its subsidiary, Wirecard Card Solutions Ltd (WCS), was ordered by the FCA to freeze its regulated activities. The impact was that thousands of consumers who were using their services via third parties (such as Curve, Pockit and Anna) were unable to access their funds, most of whom had no idea that they were using WCS’s services. The following week consumers were able to access their money again when the FCA lifted their freeze.
The UK entity is authorised as an Electronic Money Institution (EMI) or e-money firm.
Part of the reason for the freeze was that the FCA could not be sure that the client money held by WCS was protected. As it happens it was not far off publishing updated guidance to EMI firms to strengthen its confidence in these authorised firms systems and controls for safeguarding the funds it holds on behalf of clients.
Safeguarding and changes
EMIs have long been required to ‘safeguard’ the funds they held on behalf of their clients, including segregating or insuring these funds and having detailed systems and controls in place to ensure that these funds could be quickly re-united with their owners in the event of an issue. However there was not a clear obligation for an external review beyond the requirement of a statutory auditor to ‘report to the FCA if, during the course of their work, they believed there were any breaches of the safeguarding requirements.’
This changed on the 9th July 2020 when the FCA published guidance for its strengthened protection of client money.
This guidance was billed as temporary and in response to the global pandemic, though the FCA subsequently updated their approach document in November 2021 to incorporate this.
What are the key points to be aware of?
Firstly, this guidance is not just for EMI firms, as with the original version of this approach guidance in 2017, it applies to Electronic Money firms (following the Electronic Money Regulations) 2011 and Payment Services firms (following the Payment Services Regulations 2017).
Firms must be able to demonstrate every decision they make regarding the safeguarding process and the systems and controls they have in place, to be reviewed annually. (10.78 para 1)
Firms must safeguard all relevant funds.
- This includes maintaining records and accounts necessary to identify what funds a firm holds at any time and without delay. (10.78 para 5)
- These records should enable a firm (or a third party such as the FCA) to distinguish between relevant funds and the firm’s own money and also between funds held for one client or another. (10.78 para 6)
Firms must have clearly documented systems and processes including:
- Their process for carrying out reconciliations between the balance held in their client bank account and the balance showing on their records. (10.79 – 10.87)
- The flow of client money from the time it is requested from or sent by the client, through the firm’s systems to the time it is paid out. (10.28 – 10.31)
Firms must notify the FCA if they are unable to comply with any of the safeguarding requirements. (10.88)
Firms must hold an acknowledgement letter from the institution holding the client funds (e.g. the bank) that these client funds are held on behalf of clients and are not considered to be the funds of the firm themselves. (10.78 para 3)
- The account must include a designation in the account name, for example ‘client’ that makes it clear these are not the firm’s funds.
- An example letter is included in Annex 6 to the FCA’s approach (page 282 onwards)
- An annual review must also be carried out, and documented, to confirm that the institution being used is still appropriate.
Firms that are required to have a statutory audit under the Companies Act will also be required to obtain a specific annual audit confirming their compliance with the safeguarding requirements.
- The auditor must provide an opinion, addressed to the firm, to confirm that the firm
- Has maintained organisational arrangement adequate to enable it to meet the FCA’s expectations of its compliance with these safeguarding provisions; and
- Whether the firm met those expectations as at the audit period end date.
What needs to be done?
Whilst the safeguarding report is not required to be aligned with the accounting year, it is expected that this will generally be the case. Whenever the period end is, the FCA expect the report be completed and signed within 4 months of this date and provided to the firm. It is not required to be submitted to the FCA, but should be available to be provided upon request. (10.73)
With regards to the form this should take, we expect to see some significant differences in the quality of the specific audit work carried out. Firms that are currently audited by an auditor with no experience providing this kind of report, may find the approaches taken differing substantially, as their auditors attempt to interpret the requirements.
The guidance specifies that it is the authorised firm’s responsibility to ‘satisfy itself that its proposed auditor has, or has access to, appropriate specialist skill in auditing compliance with the safeguarding requirements under the PSRs/EMRs’ so consideration should be taken as to whether their current statutory auditor also has the skills to complete this specific audit.
In our opinion, a review and report that broadly reflects what is required under the CASS rules would be a good proxy for what should be expected here. As such an auditor with experience auditing CASS firms would likely be considered to have the ‘appropriate specialist skill’.
Next steps
- Review the FCA’s approach document (and the applicable regulations) and record for each requirement whether it applies to your firm and how it is being met.
- In CASS circles this is often referred to as a rule mapping document.
- It should be reviewed annually to confirm it reflects any updates to the rules and changes in the business.
- Ensure a letter has been arranged with your bank in line with the guidance.
- The reason it has been decided to use this bank should be documented, for example in the minutes of a board meeting where this decision was discussed and approved.
- The decision to continue using this bank should then appear on the board meeting agenda each year to be re-approved.
- Obtain comfort from your statutory auditor to establish that they have the ‘appropriate specialist skill’ to carry out the safeguarding audit.
- If you are unable to assure yourself that they hold the relevant expertise, speak to other audit firms who may be in a position to provide the report.
It should be noted that there would be no requirement to move any other services (including the statutory audit) to a newly appointed ‘safeguarding auditor’.
The above is a summary of the safeguarding requirements and does not cover all areas of the regulations, to ensure compliance it is important that the full detail is considered and how it applies to your firm. Please always ensure the appropriate professional advice is obtained to ensure compliance. This information is correct as at 23 May 2022.