On the 4 July 2019, the FCA released a ‘Dear CEO’ letter that addressed both the positive and negative practices of non-bank Payment Service Providers (“PSPs”) as they seek to comply with their obligations to safeguard customers’ funds. The FCA identified a number of failings in the safeguarding processes of the 11 PSPs it reviewed over a six-month period and has set out mandatory actions for PSPs.
The FCA found that a number of PSPs were unable to distinguish which payment services they provided in specific situations, or when they were issuing e-money, and so were unable to accurately identify relevant funds for safeguarding.
This finding demonstrates the importance of understanding the regulatory scope in which your business operates. This can prove difficult as the regulatory permissions are intentionally vague to capture a wide range of PSPs across the industry, so it may not always be immediately apparent which permissions your services fall within scope of. Nonetheless, relevant staff should understand and be able to articulate which payment services are provided in specific situations, or when e-money is issued, in order to accurately identify relevant funds.
Policies and procedures
The FCA emphasized their expectation for PSPs to have up to date safeguarding policies and procedures which should clearly relate the actions of the firm to the provisions in the regulations, and not simply rehash the regulation or guidance.
You should consider when your safeguarding policy and procedures were last updated and whether decisions made at board level or otherwise regarding safeguarding processes are adequately documented. You should also ensure that your procedure is a meaningful document, unique to your business, that drives your actions, rather than a document that simply repeats the legislation and guidance.
The FCA confirmed that they expect PSPs to segregate relevant funds immediately from the point of receipt and to strip out non-relevant funds as frequently as practicable throughout the day. In no circumstances should funds be co-mingled overnight.
The FCA found that some firms did not attempt to segregate relevant funds on receipt and noted that very few firms removed non-relevant funds from segregated accounts more than once a day.
You should consider how often non-relevant funds are swept out of segregated accounts and whether it would be operationally feasible to do this more frequently throughout the day to ensure adequate protection of customers’ funds. PSPs should be clear that in no circumstances is it permissible for funds to be co-mingled overnight.
PSPs that are principals of agents are accountable to the FCA for the actions of their registered agents, and this is true for safeguarding as well. It is a common finding by the FCA that controls around agency arrangements are not robust enough, as was explored in James Borley’s blog earlier this month.
You should ensure that, if you operate using agents, your agents are aware of any safeguarding responsibilities they have, and your safeguarding policy and procedures should document your oversight of your agent’s arrangements.
A PSP’s safeguarding account should be designated in such a way to show it is a safeguarding account. No other person (legal or natural) other than the PSP should have any interest in or right over the funds held in that account.
The FCA found that some PSPs’ safeguarding accounts were not clearly designated as safeguarding accounts and were instead named according to their operational function.
You should review your safeguarding letter from your bank to ensure that it clearly states that no other person has any interest in or rights over the funds. If you do not have a copy of this letter, you should request one from your bank.
Governance and oversight
Risk management was reviewed by the FCA during their onsite visits, and it was found that some PSPs considered safeguarding risks on an exceptional basis and only reviewed their processes after a breach.
You should ensure that failure to comply with safeguarding requirements is included as a risk in your risk register alongside the mitigation measures in place to address such a risk. A review of the systems, processes and persons responsible for safeguarding should be included as a core element of your compliance monitoring plan to ensure ongoing compliance. As a minimum, the safeguarding policy should be submitted to the board for formal review and sign off on an annual basis.
The FCA considers consumer protection a key principle for how it regulates the entire marketplace, not just PSPs. Safeguarding, at its core, exists to protect consumer funds and so the FCA has taken action to ensure PSPs are following the regulation and guidance around safeguarding appropriately.
All PSPs must review and update their safeguarding arrangements and submit an attestation of their compliance to SafeguardingProject@FCA.org.uk before the 31 July 2019. The attestations for e-money institutions and payment institutions can be found by following the links in this blog.
The attestations should only be completed after the PSP has fully reviewed and satisfied itself that it is compliant with the regulations. PSPs should focus on the issues raised by the FCA in their Dear CEO letter.
Additional information can be found in our safeguarding discussion paper for the FCA, where we identify some areas where we consider that the FCA has scope to change or to add to its existing guidance in ways that would be of benefit to the industry:
For further information on the topic of safeguarding, watch the safeguarding webinar below, hosted by fscom and Cashfac:
How we can help
A full review of your safeguarding processes can be a daunting task. Reviewing safeguarding processes is a task that fscom is uniquely suited to assist you with.
We offer several service lines that will help you fulfill your safeguarding obligations and meet with the FCA’s best practice expectations, including:
- a desk-based review of your policies and procedures to provide you with peace of mind that you are complying with your safeguarding obligations, on paper at least; and
- a safeguarding audit entailing a deep dive review of your safeguarding policy and procedures in practice, providing you with external assurance that you are complying with your safeguarding obligations on paper and in practice.