Back in July 2020, the FCA released guidance for firms covered by the Payment Service Regulations (PSR) and Electronic Money Regulations (EMR) indicating they expected regulated institutions to arrange specific annual audits of their compliance in line with the safeguarding requirements of the PSR/EMR.
In 2021, this became a requirement with the FCA expecting firms to perform an independent safeguarding audit on an annual basis. Interestingly, auditors had already had a responsibility to report to the FCA any breaches they found under the PSR or EMR which were of material significance. However, no separate client money (CASS) style audit had been required.
LACK OF CLARITY AND ASSUMPTIONS
When the FCA stipulated the requirement for safeguarding audits, it didn’t give clear guidance on the content of the audit, or the format its report should take. Even now, the FCA has still not provided details of the period the assurance opinion should cover.
The FCA does, however, expect that most firms may wish to align the period with their accounting year-end.
Neither the temporary guidance published in July 2020, nor the consultation in January 2021, set out the timing of the reports – including a deadline for when the reports should be submitted.
Similar to Client Asset (CASS) reports, it may be reasonable to assume the safeguarding audit should be completed within 4 months of the period end date to mirror the CASS regime requirements, with the report itself following a similar format.
IMPLICATIONS FOR FIRMS
In this regard the FCA uses the term ‘audit’, which is usually reserved for statutory audits, or CASS audits where there is a specific audit framework. Saying that, no audit standard has been issued by the FCA.
The FCA guidance simply requires that the firm is to ask the auditor to provide an opinion addressed to the firm on:
- whether the firm has maintained organisational arrangements adequate to enable it to meet the FCA’s expectations of its compliance with the safeguarding provisions of the EMRs/PSRs (as set out in chapter 10 of our Approach Document), throughout the audit period, and
- whether the firm met those expectations as at the audit period end date.
This is very similar wording to a Reasonable Assurance Client Money (CASS) audit. The approach to the engagement has similarities and involves an examination of the various safeguarding provisions during the year, and at the end of the period. This is to ensure the firm has controls in place and has complied with them.
At the end of the engagement, the auditor then provides a letter addressed to the firm covering the points mentioned above.
CAN WE HELP?
Shipleys has been working with many firms affected by this requirement and has a track-record in conducting robust and reliable safeguarding audits to meet the FCA’s requirements. Please get in touch if you would like further information.
Specific advice should be obtained before taking action, or refraining from taking action, in relation to this summary. If you would like advice or further information, please speak to your usual Shipleys contact.
Copyright © Shipleys LLP 2023