CBI’s safeguarding expectations of payment and e-money institutions – a timely reminder

As the safeguarding deadline approaches for payment and e-money institutions in Ireland, this blog sets out the main takeaways from fscom’s safeguarding webinar held earlier this year.

With consumers facing a cost-of-living crisis and economic downturn, the Central Bank of Ireland (CBI) has identified protecting consumers as one of its core priorities.

This heightened regulatory focus has affected payment and e-money institutions in Ireland through the introduction of new requirements for safeguarding customer funds. Among other things, regulated firms are now expected to commission an audit of their safeguarding processes.

How should payment and e-money institutions ensure they are prepared for the deadline for meeting the regulator’s safeguarding expectations? The webinar set out to refresh firms’ understanding of the regulatory framework in Ireland and of what an effective and compliant safeguarding process looks like. The session was led by our experts Alison Donnelly and Greg James, and this blog pulls out some of their main takeaways.

 

What are firms’ safeguarding obligations?

The overarching objective of safeguarding is to protect user funds and ensure that, if a firm becomes insolvent, funds will be returned to the payment service user or e-money holder.

Requirements and guidance for companies in Ireland are collated in the following places:

  • The Payment Services Regulations of 2018.
  • Guidance released by the CBI in 2011 (now withdrawn).
  • A Dear CEO letter from the CBI in December 2021 which outlined supervisory expectations for safeguarding processes and the need for firms to attest to the health of their safeguarding arrangements. Following this, a quarter of firms self-identified deficiencies to the regulator.
  • Another Dear CEO letter in January 2023 which clarified the requirement for regulated firms to “obtain a specific audit of their compliance with the safeguarding requirements”. A further communication followed in May.

 

How should firms approach safeguarding?

The regulations outline two methodologies which firms can use to safeguard client or user funds. The first is segregation, which involves separating these funds in a safeguarded account or using them to purchase a low-risk secure liquid asset which is protected. The second is a bond guarantee, in which funds are insured by a credit institution or insurance broker. Most firms use the former method.

On the surface, safeguarding requirements seem relatively straightforward. But when applied to complex business models with multiple sums sent and received each day, multiple currencies and multiple corridors, it is anything but.

An additional challenge for those implementing the rules in practice is that, since there has thankfully not yet been an insolvency in Ireland, there is no precedent to learn from as to how the safeguarding rules intersect with the insolvency rules. If a firm is being wound down, will consumers’ funds still be protected from claims by creditors?

 

10 common findings in audits

One way for firms to overcome these challenges and improve their compliance with safeguarding regulations is to identify and learn from the breaches or issues that tend to crop up in audits of other firms. fscom’s experts have carried out over 100 safeguarding audits in the last couple of years, and they identified 10 areas which often lead to findings:

  1. Commingling of user and non-user funds: Auditors will want to see that firms hold their users’ funds in a separate account from the firm’s own funds. Firms that seek to provide a buffer by over-funding a segregated account are therefore still failing to meet regulatory requirements.
  2. Under-funded safeguarding accounts: On the other hand, there have been cases where firms do not move the funds into the safeguarded environment quickly enough or remove them too early, which leads to a potential shortfall in user funds.
  3. Delays in segregating funds: Many payment and e-money institutions incorrectly assume that funds only need to be safeguarded 24 hours after receipt. In fact, the regulations require funds to be segregated immediately, though they don’t have to go into the ‘special safeguarding account’ until the end of the business day following receipt.
  4. Failure to carry out regular reconciliation: Reconciliation (i.e. checking that segregation of funds is being done appropriately) needs to be an ongoing process, and best practice means running both an internal and external reconciliation at least once a day.
  5. Lack of control over access to accounts: Audit findings have been made where a firm that is not the regulated entity has access to safeguarding accounts and can move money in and out. In this case, the regulated firm must be able to carefully evidence to the CBI that it maintains control of the accounts.
  6. Insufficient oversight of outsourcing: Many payment and e-money institutions outsource functions like reconciliation and segregation to third parties. This is not necessarily a problem, but the CBI expects the regulated entity to be in control and accountable for oversight of safeguarding, which is likely to mean a daily approval of the reconciliations.
  7. Incorrectly designated segregated accounts: In some cases, firms have incorrectly named bank accounts where users’ and clients’ funds were being held. This is a problem because, if an insolvency happens, it needs to be clear to those carrying it out who those funds belong to.
  8. Lack of senior oversight of safeguarding: The regulators expect safeguarding to be managed at the legal entity level, i.e. by the board or a committee of the board. Firms therefore need clear policies and a process of reviewing and monitoring safeguarding which is led by management. They should also use a risk management framework to assess the firm’s safeguarding compliance.
  9. Unclear reporting processes: If a breach of the safeguarding regulations occurs, staff within the firm must be able to identify the breach or issue, and know when and how to report it to the CBI. This requires good training and clear rules which are well communicated within the company.
  10. Failure to update processes when there is a material change to the firm: An external event or change in business model can have significant effects on a firm, especially in this sector with so much growth. When such a change happens, the CBI wants to see top-down governance which assesses the impact on safeguarding and adapts accordingly.
 

To discuss your safeguarding, and how to improve your compliance or prepare for an audit, contact fscom today.

 

This post contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate. 
