The FCA Focus on Payment Firms Continues

The FCA’s Business Plan 2020/21 highlights that payment services are an FCA priority for supervision and, more significantly, for intervention. Following its review and reprioritisation of risks to its stated Objectives in the light of the Coronavirus, the FCA has identified significant risks in relation to Payment Services Providers (including Payment Institutions and E-money institutions) and has issued a short consultation proposing additional temporary guidance to strengthen payment firms’ prudential risk management and arrangements for safeguarding customers’ funds.

Why is this being done now?

The short timeframe for the consultation indicates the level of FCA concern around the arrangements in place at payments firms to protect customers from the impact of a payment firm’s insolvency. The FCA has noted that there is evidence from supervision reviews that “some firms have not implemented the Electronic Money Regulations 2011 or the Payment Services Regulations 2017 as we expect”. This would indicate concerns over several weaknesses in controls and shortcomings in the governance and control frameworks.

What are the next steps?

While this is additional temporary guidance, the FCA intends to publish a letter to CEOs of Payment Service Providers which will include the additional guidance in its finalised form. There will also be a full consultation later in the year on changes to the Payment Services Approach Document, which will likely incorporate this temporary guidance.

What is the proposed guidance?

The proposed additional guidance relates to three key areas where the FCA has concerns: Safeguarding | Prudential risk management | Wind down plans

1st Area of concern: Safeguarding

Key areas | Temporary guidance
Keeping records and accounts and making reconciliations | Reminder to keep records and accounts necessary to enable the firm to identify what relevant funds the firm holds, at any time and without delay, and to distinguish between client funds and firm funds. Perform and clearly document reconciliations as often as is practicable (and at least once every business day). Reconciliations should include the results of break investigations. Requirement to notify the FCA, without delay, if in any material respect the firm cannot comply with the safeguarding requirements or if reconciling discrepancies cannot be resolved.
Safeguarding accounts and acknowledgement letters | The safeguarding account name should include the words “safeguarding” or “client” and the firm must provide evidence (e.g. letters) confirming the appropriate denomination. Firms must have acknowledgement in the form of a letter from the safeguarding credit institution or custodian stating that they have no interest in, recourse against, or right over the funds in the safeguarding account and that funds are held as trustee. Only relevant client funds should be held in the safeguarding account, as mixing funds for other purposes risks delaying funds to customers.
Selecting, appointing, and reviewing third parties | Firms should exercise due skill, care and diligence when appointing and periodically reviewing credit institutions, custodians and insurers and should do so as often as appropriate (e.g. with any material change in circumstances) but at least once a year.
Start of safeguarding obligations | Some EMIs issue e-money and use that e-money to make payment transactions before the customer funds are credited to their account. In these cases, the EMI must not treat relevant funds it is required to safeguard as being available to meet the commitments it has to a card scheme or another third party to settle these payment transactions.
Unallocated funds | Unallocated funds are not relevant funds to be safeguarded in the safeguarding account but should be protected according to Principle 10 (segregated from own funds and relevant funds and placed in a separate account). Firms should try to identify the customer to whom the funds relate and either return them to the customer or treat them as relevant funds. Where the firm issues e-money on low value pre-paid gift cards, where the identity of the ultimate card holder is not known, the funds are relevant funds even though the identity of the e-money holder might not be known.
Annual audit of compliance with safeguarding requirements | Firms which are expected to have an annual safeguarding audit must arrange specific annual audits of their safeguarding and also when there are any changes to the business model which may materially affect their safeguarding arrangements. Firms must assess whether their proposed auditor has sufficient skills, resources and expertise in auditing compliance with the safeguarding requirements.
Small payments institutions | Small Payment Institutions should keep a record of funds received from customers and any accounts held by the SPI into which those funds are paid. SPIs are encouraged to consider safeguarding their customers’ money voluntarily.
Information disclosures to customers | Firms need to be careful to avoid giving customers misleading impressions about how much protection they will get from safeguarding requirements, and to avoid suggesting that funds are protected by the Financial Services Compensation Scheme where this is not the case.

2nd Area of concern: Prudential risk management

Key areas | Temporary guidance
Governance and controls | APIs and EMIs should have robust governance arrangements, effective procedures and adequate internal control mechanisms. These should be regularly reviewed to ensure they appropriately reflect the firm’s business model, growth and relevant risks.
Capital adequacy | Firms must accurately calculate their capital requirements and resources on an ongoing basis. Senior management should ensure that the firm’s capital resources are reviewed regularly. It is best practice for firms to deduct any assets representing intra-group receivables from their own funds.
Liquidity and stress testing | Firms should carry out liquidity and stress testing to analyse their exposure to severe business disruptions and assess their potential impact, using internal and/or external data and scenario analysis.
Risk management arrangements | Firms should consider their own liquid resources and available funding options to meet their liabilities as they fall due. It is best practice for firms not to include any uncommitted intra-group liquidity facilities when assessing whether they have adequate resources in place to cover liquidity risk.

3rd Area of concern: Wind down plans

Key area | Temporary guidance
Wind down planning | Firms must have a wind-down plan to manage their liquidity and resolution risks. The plan should consider the winding down of the firm’s business under different scenarios, including a solvent and insolvent scenario.

What payment firms need to do now?

Protiviti’s Risk and Compliance solution specialises in helping financial institutions satisfy their regulatory obligations and meet regulatory expectations using a combination of our in-depth knowledge and experience of governance, risk and compliance, control enhancements and change capability to deliver effective compliance frameworks.
Our team of safeguarding and compliance specialists assists organisations with understanding the detailed requirements, interpreting how those impact their business models, and making sure they meet current regulatory requirements.

Protiviti Health Check for Payment Firms

Protiviti can assist your organisation with assessing the risk of not complying with regulations and expectations. Our team of safeguarding and compliance experts can assist with identifying where potential weaknesses in your control framework exist and support you in designing and enhancing systems and controls. This is a proactive and therefore cost-effective way of identifying where there may be emerging risks, where there are gaps in meeting existing requirements and where there are efficiencies to be gained in the control environment. Whilst our deliverables are tailored to your requirements, at a minimum you will receive a report of key findings and pragmatic actions that align to your business.

Leadership

Bernadine Reese

Bernadine is a Managing Director within our Financial Services Industry (FSI) Regulatory practice in the UK. Prior to joining Protiviti ten years ago, Bernadine was a Director in KPMG’s Regulatory Services practice. A chartered accountant by training, Bernadine has over ...