A safeguarding audit is an independent assessment conducted by auditors to verify that a payment or e-money issuing firm has appropriate systems and controls to safeguard customer funds. The audit is designed to:
- Ensure compliance with regulatory requirements, and
- Assure customers and regulators that their funds are protected.
In particular, the audit assesses whether proper segregation and safeguarding of customer funds comply with the latest regulations. This in turn helps to build trust among customers, regulators, and other stakeholders.
Common questions asked by firms
1. Which firms have to have a safeguarding audit?
Payment and e-money issuing firms have to undertake a safeguarding audit.
An e-money issuing firm is one that provides electronic money services. These allow customers to store funds electronically and use them for various transactions, such as cashless online purchases or money transfers. E-money providers are also known as Electronic Money Institutions (EMI) and differ from banks in their regulation and operations.
Payment firms are those regulated by the Payment Systems Regulator (PSR). These firms provide systems that enable the transfer of funds between accounts, for example, when people withdraw money from a cash machine, bank a cheque, pay a deposit on a house or have their salary paid into their account.
2. What key areas are covered in a safeguarding audit for payment and e-money issuing firms?
In making the safeguarding stipulation, the FCA used the term ‘audit’, which is usually reserved for statutory audits or for CASS audits, where there is a specific audit framework in place. Interestingly, the FCA has not yet issued an audit standard for this.
Currently, its guidance merely states that the firm is to ask the auditor to provide an opinion addressed to the firm on:
- whether the firm has maintained organisational arrangements adequate to enable it to meet the FCA’s expectations of its compliance with the safeguarding provisions of the EMRs/PSRs (as set out in chapter 10 of our Approach Document), throughout the audit period, and
- whether the firm met those expectations as at the audit period end date.
The safeguarding audit typically covers areas such as the:
- segregation of customer funds
- accounting and record-keeping practices
- internal controls
- risk management processes
- technology infrastructure
- compliance with regulatory requirements, and
- third-party relationships.
3. How often should a safeguarding audit be conducted and is there a fixed deadline?
While the FCA has still not provided details of the period the assurance opinion should cover, it expects that most firms may wish to align the period with their accounting year-end.
Neither the temporary guidance published in July 2020 nor the consultation in January 2021 set out the timing of the reports – including a deadline for when the reports should be submitted.
Similar to Client Asset (CASS) reports, it may be reasonable to assume the safeguarding audit should be completed within 4 months of the period end date to mirror the CASS regime requirements, with the report itself following a similar format.
The frequency of safeguarding audits may vary based on regulatory requirements and the size of the payment and e-money issuing firm. Typically, a safeguarding audit is conducted on an annual basis. Audits may, however, be required more frequently depending on the jurisdiction and the firm’s risk profile.
4. Can an e-money issuing firm conduct its own safeguarding audit?
No, a payment or e-money issuing firm cannot conduct its own safeguarding audit. This is because the audit requires independent verification by external auditors to ensure objectivity and provide assurance to the firm’s customers and regulators.
5. What challenges do payment and e-money issuing firms face during safeguarding audits?
The regulatory requirements surrounding safeguarding audits are complex. It’s vital that firms demonstrate proper segregation of funds, and have and maintain secure technology and infrastructure in their operations.
The audit also has to assess how the business manages its third-party relationships. This needs an experienced and objective viewpoint, but finding auditors with specialised expertise can sometimes be challenging. Once appointed, though, these specialists can ensure the business adheres to the accurate reporting and documentation needed to comply with the safeguarding audit.
6. What can payment and e-money issuing firms do to prepare and help the audit run smoothly?
It’s important that firms prioritise understanding the regulatory framework concerning their safeguarding obligations in the UK. A specialist adviser can help. In particular, it is important to:
- Establish robust internal policies and procedures.
- Ensure segregation of your customer funds.
- Appoint a safeguarding officer for the business.
- Conduct regular risk assessments.
- Keep detailed records of all your safeguarding activities.
- Conduct regular training with employees to strengthen their awareness of safeguarding measures.
- Monitor the latest regulatory changes.
7. What happens if a payment or e-money issuing firm fails a safeguarding audit?
If an e-money issuing firm fails a safeguarding audit, it may face regulatory penalties. As a result of this, it may also face reputational damage and potential loss of customer trust. Remedial actions will be necessary to address the identified deficiencies and bring the firm into compliance.
Can we help?
It’s important for payment and e-money issuing firms to consult with legal and regulatory experts to ensure they comprehensively understand the specific requirements and obligations related to safeguarding audits in their jurisdiction.
At Shipleys, we’ve been helping many payment and e-money issuing businesses comply with the latest regulations. For further information, contact one of our specialists shown on this page.
Specific advice should be obtained before taking action, or refraining from taking action, in relation to this summary. If you would like advice or further information, please speak to your usual Shipleys contact.
Copyright © Shipleys LLP 2023