ICAEW recently responded to FCA's consultation on changes to the safeguarding regime for payments and e-money firms that was due 17 December 2024.

More detailed record-keeping and enhanced monitoring and reporting are among the measures being proposed by the FCA as it looks to beef up the protections in place for funds issued by payment institutions, e-money institutions and credit unions

Following the collapse of Lehman Brothers and the 2007/08 financial crises, new rules were introduced in the UK designed to keep customers' money and assets safe in the event of a regulated financial firm going under. Essentially, the Client Assets Sourcebook (CASS) rules state that the customers’ money and assets should be sufficiently segregated from the firm’s assets at all times, in case of insolvency.

Safeguarding – what is it?

Broadly speaking, safeguarding aims to do something similar, but for payment institutions, e-money institutions and credit unions that issue e-money.

Current safeguarding requirements are set out in the Payment Services Regulations 2017 (PSRs) and E-Money Regulations 2011 (EMRs), but the FCA has flagged up sub-standard practices across the industry due to poor implementation of the regulatory framework.

FCA supervision teams have seen an increase in the number of firms with safeguarding issues. The regulator says that for firms that became insolvent between Q1 2018 and Q2 2023, there was an average shortfall of 65% in funds owed to clients – that is, the difference between funds owed and funds safeguarded.

The current consultation is on changes to the existing safeguarding regime to make it more effective by establishing additional rules and guidance for safeguarding obligations for payments and e-money firms.

A summary of the key proposals can be found here.

ICAEW’s response

ICAEW, together with the help of its members specialising in safeguarding and CASS rules have identified the following key observations and recommendations regarding proposals for safeguarding audits, focusing on clarity, proportionality, and operational feasibility to support effective compliance.

1. Definition of “Auditor” and who can perform these audits:

• Proportionality in expectations for small Electronic Money Institutions (EMIs) is critical.
• Requirements should enable smaller audit firms, potentially better suited to small EMIs, to participate without undue barriers.

2. Safeguarding Audit Submission Deadlines:

• Recommend extending the deadline beyond 4-months, increasing overlap with the financial statement audit period. This prevents resource strain, particularly for specialists also conducting Client Asset Sourcebook (CASS) audits.

3. Cost-Benefit Analysis (CBA):

• Methodological transparency and updated cost metrics are needed. Current assumptions underestimate ongoing costs and the complexity of safeguarding audits as they appear driven by old metrics based on 3, 6, 7, 8 CASS engagements. They are a very mature control environments, and well understood assurance engagements and does not reflect the nature of a safeguarding audit
• Consideration of costs for limited assurance audits is insufficient.
• Some regulated firms carry out both payment services business that will be subject to CASS 15 and investment business that is subject to CASS 6/7. This will mean that such firms will require two audits: one for each regime. Introduction of opt-in for payment services money to CASS 7 rules would prevent regulated firms from being audited under two regimes and would therefore reduce the incremental costs associated with the audit, notwithstanding consideration of any potential legal and regulatory framework challenges.

4. Limited Assurance Scope:

• We observe that limited assurance is less understood in the payment sector.
• Clear guidance on interim approaches (eg, using the CASS Assurance Standard) is necessary, especially before the Financial Reporting Council (FRC) publishes a safeguarding standard.

5. Appropriate Assurance Standards:

• Interim guidance is required for safeguarding audits under current and forthcoming rules.
• Clarity is needed on whether sections of Chapter 10 of 'Payment Services and Electronic Money – Our Approach the FCA’s role under the Payment Services Regulations 2017 and the Electronic Money Regulations 2011' remain subject to audit in the interim period alongside the new CASS 15 rules.

6. Recordkeeping and Reconciliation Requirements:

• It is unclear if the FCA envisages the “reconciliation point” referred to in CASS 15.12.16 as being the most up to date records.

7. Regulatory Permissions:

• Guidance on additional permissions required for firms using alternative investments for segregation (eg, investment management permissions) is essential. Consideration of the applicability of CASS 6 rules is also requested.

8. Expectation re: rule-by-rule risk assessments:

• Learning from the implementation of the CASS regime, if the FCA expects safeguarding firms to produce a risk assessment on a safeguarding rule-by-rule basis, that should be made explicit in the CASS 15 rules.

9. Determination of relevant funds:

•  A more precise definition and illustrative examples are required to delineate the scope of safeguarding obligations for cross-border transactions, with particular reference to the jurisdiction of the regulated firm, PSP, payer and payee.
• Clarity is also required in terms of scoping with reference to origination and processing of the payment transactions, linked to jurisdiction.
• Clarity is also required in terms of scoping with reference to origination and processing of the payment transactions, linked to jurisdiction.

ICAEW’s full response can be found here.