On 9 July, the FCA published its finalised ‘temporary’ guidance: “Coronavirus and safeguarding customers’ funds: additional guidance for payments and e-money firms” (the Guidance) along with a “Dear CEO” letter.
In summary: new audit requirement; increased capital / liquidity likely; wind-down plans and new safeguarding controls
Among the new measures, the Guidance provides that firms should arrange specific annual audits of their compliance with the safeguarding requirements under the Payment Services Regulations (PSRs) and the E-money Regulations (EMRs) (if the firm is required to arrange an audit of its annual accounts under the Companies Act 2006). This builds on the current requirement that a firm’s auditor should tell the FCA if it has become aware in its capacity as an auditor, of a breach of any requirements imposed by or under the PSRs or EMRs that is of material significance. The new requirement will give additional confidence to customers of such firms, in the light of the collapse of Wirecard, that their funds are properly safeguarded.
This new Guidance also confirms the FCA’s new position that payments and e-money firms should hold adequate liquidity and capital resources against assessed risk in their business – in contrast to the formulaic approach to regulatory capital employed up to now. As set out in our earlier article, the effect of the FCA’s recent guidance, FG 20/1 “Our framework: assessing adequate financial resources”, published in June 2020, was to introduce new regulatory capital requirements for payments and e-money firms – firms which, up to now, have not had to hold regulatory capital against general risk factors in their business.
The new guidance also establishes a new requirement for wind-down plans as well as the emboldening of safeguarding controls.
Whilst guidance for firms on safeguarding and managing prudential risk is already available in the payment services approach document (Approach Document), the FCA stated that it had found evidence that some firms are not complying with the regulations, hence this new temporary Guidance which clarifies ways that firms can comply with the regulations, and will likely be incorporated into the Approach Document in due course. The Guidance applies to all payments / e-money firms, credit institutions and custodians.
Prudential risk
The Guidance provides that payments and e-money firms should carry out stress testing, appropriate to the nature, size and complexity of the firm’s business and the risks, to analyse their exposure to a range of severe business disruptions, or the failure of one or more of their major counterparties. In particular, they should use these results to inform their decisions around adequate liquidity and capital resources, as well as identifying any changes and improvements to required systems and controls.
A firm’s senior management or governing body should document, review and approve – at least annually – the design and results of a firm’s stress testing. A firm should also carry out stress testing if it is appropriate to do so in the light of substantial changes in the market or in macroeconomic conditions.
Risk-management arrangements
As part of their liquidity risk-management procedures, the Guidance states that it expects firms to consider their own liquid resources and available funding options to meet their liabilities as they fall due, and whether they need access to committed credit lines to manage their exposures.
When firms are assessing whether they have adequate liquidity to ensure that they can meet their liabilities as they fall due, the FCA considers it best practice for payments / e-money firms to exclude any uncommitted intra-group liquidity facilities.
Capital adequacy
The Guidance provides that as part of their stress testing and risk-management procedures, the FCA considers it best practice for firms to deduct any assets representing intra-group receivables from their own funds, to reduce exposure to intra-group risk. Intra-group receivables include amounts owed to the firm by another member of its group, which are included as assets in the firm’s balance sheet. By ‘best practice’, the FCA clarifies that it is the most effective way, but not the only way, of complying with the risk management requirements.
Wind-down plans
The conditions for authorisation or registration require a firm to satisfy the FCA that they have effective procedures to manage any risks to which they might be exposed. The Guidance requires for the first time that payments and e-money firms have a wind-down plan to manage their liquidity, operational and resolution risks. The wind-down plan should consider the winding-down of the firm’s business under different scenarios, including a solvent and insolvent scenario. In particular, the wind-down plan should include/address the following:
- information which would help an administrator or liquidator to quickly identify customer funds and return them as a priority;
- funding to cover the solvent wind-down of the firm, including the return of all customer funds;
- realistic triggers to start a solvent wind-down;
- the need for any counterparties (e.g. merchants) to find alternative providers; and
- realistic triggers to seek advice on entering an insolvency process.
The FCA allows the complexity of firms’ wind-down plans to be proportionate to the size and nature of the firm. Firms should review their wind-down plans at least annually, and when there is a change to a firm’s operations which may materially change the way in which it can wind-down.
Safeguarding
Annual audit of compliance with safeguarding requirements
The Approach Document (paragraph 10.58) sets out that a firm’s auditor is required to tell the FCA if it has become aware in its capacity as an auditor, of a breach of any requirements imposed by or under the PSRs or EMRs that is of material significance. This includes a breach of the safeguarding requirements or the organisational arrangements requirement.
The Guidance states that as part of the requirement to have adequate internal control mechanisms, including sound administrative, risk management and accounting procedures, firms should arrange specific annual audits of its compliance with the safeguarding requirements under the PSRs / EMRs, if it is required to arrange an audit of its annual accounts under the Companies Act 2006.
The FCA expects the auditor to provide an opinion addressed to the firm on:
- whether the firm has maintained organisational arrangements adequate to enable it to meet the FCA’s expectations of its compliance with the safeguarding provisions of the PSRs / EMRs (as set out in chapter 10 of our Approach Document), throughout the audit period; and
- whether the firm met those expectations as at the audit period end date.
The FCA also expects these firms to consider whether they should arrange an additional audit in line with their conditions of authorisation if there are any changes to their business model which materially affect their safeguarding arrangements. For example, an e-money issuer providing payment services unrelated to issuing e-money, or using insurance as a method of safeguarding instead of, or in addition to, account segregation.
Keeping records and accounts and making reconciliations
The Guidance reiterates the requirement to safeguard funds and keep records and accounts necessary to identify what relevant funds the firm holds, at any time and without delay.
The Guidance states that firms should clearly document the reconciliation process and provide an accompanying rationale. The FCA now clarifies that examples of the type of material safe-guarding non-compliance it expects to be notified about are:
- not keeping up to date records of relevant funds and safeguarding accounts; and/or
- where a firm is unable to comply due to the decision by a safeguarding credit institution to close a safeguarding account.
Acknowledgement letters
The FCA clarifies that the safeguarding account name should include the word ‘safeguarding’, ‘customer’, or ‘client’. If the credit institution cannot make the necessary designation evident in the name of the account, the FCA expects the payment / e-money institution to provide evidence, such as a letter from the relevant credit institution or custodian, confirming the appropriate designation.
The Guidance states that the letter from the safeguarding credit institution or custodian stating that it has no interest in (e.g. a charge), recourse against, or right (e.g. a right of set off) over the relevant funds or assets in the safeguarding account should be in the form of a letter set out in Annex 1 of the Guidance (or otherwise be able to demonstrate and document that the safeguarding credit institution or custodian has no such interest in, recourse against, or right over the relevant funds or assets in the safeguarding account).
Selecting, appointing and reviewing third parties
The Guidance states that firms should carry out periodic reviews of their credit institutions, custodians and insurers as often as appropriate and, at least, annually.
When the safeguarding obligation starts
The Guidance states that for EMIs that issue e-money, and allow customers to use that e-money to make payment transactions before the customer’s funds are credited to the EMI’s payment account, or are otherwise made available to it, the EMI should not treat relevant funds it is required to safeguard as being available to meet its commitments to a card scheme or another third party to settle these payment transactions.
Unallocated funds
In cases where a firm may not be able to identify the customer entitled to the funds it has received (e.g. where funds are received with an incorrect unique identifier (e.g. account name/number)), these funds should be safeguarded while firms use reasonable endeavours to identify the customer to whom the funds relate. Pending allocation of the funds to an individual customer, firms should record these funds in their books and records as ‘unallocated customer funds’ and consider whether it would be appropriate to return the money to the person who sent it or to the source from where it was received.
Small Payment Institutions
Small Payment Institutions (SPIs) are not required to safeguard relevant funds under the PSRs or EMRs, but they are subject to Principle 10 of the Principles for Businesses – which requires all firms including SPIs, to arrange adequate protection for clients’ assets when they are responsible for them. The Guidance now adds that, when complying with Principle 10, all firms including SPIs, should keep a record of the customer funds that they hold.
Disclosing information on treatment of funds on insolvency to customers
The Guidance provides that firms should take extra care in relation to the information they give customers. In particular, firms should take care to avoid giving customers misleading impressions about how much protection they will get from safeguarding requirements. Examples include firms implying that customer protections arising from safeguarding extend to a firm’s non-regulated business, or implying that on the firm’s insolvency, the customers’ claims for repayment of their funds would be paid in priority to an insolvency practitioner’s costs of distributing the safeguarded funds.