What should firms be doing and what can they learn from the FCA's approach to client money enforcement?

Introduction

On 4 July the Financial Conduct Authority published a Dear CEO letter requiring all electronic money institutions (EMIs) and authorised payments institutions (APIs) to review their customer money safeguarding arrangements, to ensure that they fully meet regulatory requirements under the Payment Services Regulation 2017 (PSRs) and Electronic Money Regulations 2011 (EMRs) (the Safeguarding Rules). The letter follows a 6 month review of 11 non-bank payment service providers (PSPs) and EMIs (together, Safeguarding Firms) and how effectively they safeguarded users' funds.

In this briefing we summarise the FCA's key findings and identify what actions firms should consider taking. We also look at the FCA's enforcement against authorised firms that hold money on behalf of clients under the FCA's client money rules (the CASS 7 chapter of the FCA handbook) (the CASS Rules).

Since the basic purpose of both sets of rules is the same – to protect customers where funds are held by firms from firms' creditors and other third party claims in the event of the firm's insolvency – Safeguarding Firms can use the published cases about CASS to inform their reviews of compliance. Indeed some firms, such as those conducting FX transactions, could be subject to both the Safeguarding Rules and CASS 7.

Findings

The FCA highlighted the following key areas of concern in the Dear CEO letter:

Relevant Funds

A number of firms were unable to distinguish which payment services they provided in specific situations, and so were unable to accurately identify Relevant Funds (as defined in the Safeguarding Regulations) for safeguarding. This demonstrates the importance of understanding the regulatory scope in which a firm operates and the FCA have reiterated the importance of this distinction.

Governance and oversight

Management of risk was reviewed during the FCA investigation, with the results showing that some firms considered safeguarding risks on an exceptions basis only, with systems and processes being reviewed only following a breach. The FCA highlighted that safeguarding should be present on the risk register, with frequent review by the Board.

Policies and procedures

Safeguarding Firms should have up to date policies and procedures regarding safeguarding funds, with clearly demonstrable actions specific to the particular firm, rather than just a reproduction of the relevant regulations. The FCA has confirmed the importance of having policies which are at all times appropriately geared to the current needs and practices of the business.

Segregation

Where firms have opted for the segregation method, the obligation on firms begins as soon as they receive Relevant Funds. The FCA highlighted:

• poor understanding of what funds needed to be segregated;
• delays in segregating funds following receipt; and
• failure to check on a sufficiently frequent basis that correct amounts are segregated.

The FCA expects non-relevant funds to be removed as frequently as possible throughout each day and found that some firms did not attempt to segregate Relevant Funds on receipt. It also highlighted that very few firms removed non-relevant funds from segregated accounts more than once a day.

Safeguarding accounts

The FCA found that some firms’ Safeguarding accounts were not clearly designated as such and were instead named according to their operational function. Firms should ensure that no other person/entity has an interest in or rights over the funds in the Safeguarding account and that this is clear from the title of the account. As set out in para 10.40 of the FCA's Approach to Supervision of PSPs and EMIs, firms should also obtain acknowledgement of the status of these accounts from the bank where they are held.

Actions

All Safeguarding Firms must review and update their safeguarding arrangements and submit an attestation of their compliance to the FCA before 31 July 2019. This attestation must be submitted to SafeguardingProject@FCA.org.uk in the prescribed format as published by the FCA. Attestations should only be completed after the Safeguarding Firm has fully reviewed and satisfied itself that it is compliant with the regulations, and some firms may need to prepare a qualified attestation where work is ongoing, or request further time. As with all attestations, firms should also ensure that they document the basis on which they have come to the conclusion that they can make the attestation. Wherever firms identify inadequacies they should begin remedial action and notify the FCA in writing of any "material" non-compliance. The FCA have stated that where they find inadequacies in a firm's safeguarding they will take "appropriate action". This may come in the form of investigation and enforcement, and so firms need to ensure that the attestation is not treated as a routine business measure, but is given appropriate oversight and consideration by senior management.

We suspect that, as firms closely consider their current internal controls, they will notice a number of ambiguities in the Safeguarding Rules and how they apply to their particular payment flows. There may be firms who are unclear whether their arrangements are permitted. For example:

• It can be very difficult to identify which funds should be segregated in the case of mixed remittances.
• Where a firm is issuing e-money there is a need to also identify customer funds which derive from related and unrelated payment services.
• Many firms rely on a few key knowledge-keepers within their organisation, as a result of which documented systems and controls are deficient or not fully recorded.
• In terms of senior management oversight, Safeguarding Firms often rely on manual reconciliation processes and this can mean that good quality MI is hard to generate.

Learnings from the FCA's CASS enforcement

The FCA has been heavily focused on firms' compliance with its client money rules in CASS 7 ever since the financial crisis, when the Lehman Brothers and MF Global collapses revealed shortcomings in those rules and highlighted the importance of proper segregation and reconciliation of customer money. As the PSP and EMI sector grows in size, we are beginning to see the FCA focus more on the equivalent Safeguarding requirements.

The following cases provide some examples of FCA enforcement which highlight points that Safeguarding Firms might review in their own processes:

Alternatives

It is worth noting that segregation is only one of the permitted safeguarding methods allowed by the Safeguarding Rules; firms can also obtain an insurance policy or guarantee that covers the Relevant Funds.  While the market for insurance products has not yet matured, we have known firms concerned about the adequacy of their segregation arrangements to take out guarantees to ensure that they are compliant while they remediate their segregation practices.  Because of their expense guarantees are unlikely to be a long term solution for most firms, but given the risks to the firm and the attester, they may be a useful bridging measure.

Click here to view the full article in PDF: