E-money and payment institutions are obligated to notify the Financial Conduct Authority (FCA) if they fail to safeguard properly. Yet how can we ensure safeguarding is done properly and what are the implications of getting it wrong? Alison Donnelly, Director at FSCom, looks at the lessons to be learnt from the recent client money breach enforcement case.
There is one question I am asked more frequently than any other: ‘How does everyone else safeguard?’
The intricacies of the safeguarding provisions (when do the funds have to be segregated; when does the safeguarding requirement come to an end; should margin be safeguarded; are funds sent outside of the EEA relevant; and, of course, how do we get a safeguarding account) are pored over.
Unfortunately, there is very limited guidance from the FCA on these issues. There aren’t even any examples of how it works – or indeed hasn’t worked – when a payment or e-money institution is insolvent. Instead, firms themselves are left to judge what is both justifiable and achievable.
Due to the lack of enforcement cases for safeguarding breaches, it’s important to analyse the recent enforcement action taken against Towergate Underwriting Group Limited (TUGL) and its finance director, Timothy Philip. This action resulted in fines of £2.6m and £60,000 respectively because of failings in the protection of client money. So, let’s look at what happened and see what lessons can be drawn from this case.
Breach of Client Money Rules
TUGL reported to the FCA in October 2013 that it had found a shortfall of £9.04m in its client and insurer money accounts. A few weeks later, a further shortfall of £3.6m was identified. The problem had originally come to light in May of that year but the firm didn’t inform the FCA, nor make good the shortfall, until October. While the FCA acknowledged, in its Final Notice, that the firm had self-reported, the firm failed to meet its obligation to cover the shortfall on the same business day and notify the FCA without delay.
Three key errors contributed to TUGL’s failure:
- No one noticed that interest was being paid into the client money account
- No one looked at the reconciliation of client money accounts holistically
- No one considered the implications of overriding established procedures on the reconciliation process.
Mr Philip was found to have failed in his responsibility to oversee the firm’s central finance department. He repeatedly flouted established process when it came to the money that should have been protected and he disregarded his financial services regulatory compliance obligations. As the most senior individual and the main decision-maker in the failings, Mr Philip was the only senior manager at TUGL to be personally fined – despite the fact that other individuals were also at fault.
While the client money rules (known as the CASS regime) and the safeguarding regime differ, there are some lessons to be learnt for e-money and payment institutions.
Crucial Lessons for E-money and Payment Institutions
Ensure you Document your Safeguarding Rationale
Proving that consideration went into interpreting the safeguarding rules as well as the assessment and mitigation of the identified risks is essential. It will also be invaluable in any future discussion of proposed changes to the established procedure because they will have to be justified in the light of the original intention and the firm’s understanding of the rules.
Allocate a Member of Staff to Safeguarding and its Oversight
In TUGL’s case, the FCA found that responsibility had not been clearly allocated for a number of procedures and that the remit of the firm’s second and third line of risk control (compliance and internal audit) did not extend to certain centralised processes.
Report Any Breach and Put it Right Immediately
E-money and payment institutions have an obligation to notify the FCA of any breach without undue delay and certainly within 28 days of becoming aware of it. Any shortfall or overfunding should be corrected as soon as possible. If it’s not possible to determine which record is correct then the firm should assume the greater sum is correct until they are able to resolve the discrepancy.
Take into Account What the FCA Says
It seems obvious, but the FCA repeatedly point out that firms should take into account the outcome of thematic reviews and enforcement decisions to inform their risk considerations. In this case, the FSA, as it was in January 2010, had written a ‘Dear CEO’ letter to alert firms to the importance the FSA was placing on getting the protection of client money right. Indeed, the firm signed a declaration that it had understood the communication and that their systems were in order.
There is no doubt the FCA is focusing its attention on these obligation issues and we expect the regulator to publish its report on safeguarding practices imminently.
The report will include a summary of the good and poor practices identified during the thematic review conducted with a number of e-money and payment institutions late last year and will, hopefully, address the key questions noted above.
Firms must take this as a warning and prepare now to justify their systems and controls to the FCA. If you are in any doubt as to whether your system is good enough, seek our advice on how to improve. However, be aware that you will have to self-report to the FCA and, if your system is deficient, you may have to face the consequence of a hefty fine that is designed to reflect the seriousness of the breach and deter others from making the same mistake.