fscom’s safeguarding experts created a guide which sets out specific requirements for firms together with common safeguarding deficiencies identified by the Central Bank.
A robust safeguarding framework is not just good governance, it’s essential for regulatory compliance. Payments and e-money firms operating in Ireland are under increasing scrutiny from the Central Bank of Ireland (Central Bank), particularly regarding how they safeguard customer funds. The expectations are clearly laid out, but many firms continue to fall short.
So, what exactly does the Central Bank expect from regulated firms when it comes to safeguarding? This blog introduces our structured guide to help firms understand and meet the regulatory requirements and avoid the common pitfalls.
Why safeguarding matters, and why the regulator is paying close attention
Safeguarding is the cornerstone of customer protection in the payments and e-money sector. It ensures that customer funds are ring-fenced and returned to users before any other creditors are paid.
As the Central Bank sharpens its focus on firm level compliance, it’s clear that safeguarding is not just a technical requirement; it’s a regulatory priority.
Who needs to comply?
- Authorised payment institutions (PIs).
- Authorised e-money institutions (EMIs).
- Small e-money institutions.
These firms must identify and properly safeguard “user funds”: money received for payment execution or in exchange for e-money.
Understanding the regulations: two routes, one objective
The safeguarding obligations come from two key regulations:
- Electronic Money Regulations 2011 (EMRs) for EMIs; and
- Payment Services Regulations 2018 (PSRs) for PIs.
Firms must choose between two safeguarding methods:
- The segregation method: Physically separating user funds into safeguarded accounts.
- The insurance method: More costly and less commonly used.
Regardless of the method chosen, the rules are clear: funds must be segregated upon receipt and safeguarded by the end of the next business day.
Daily reconciliations: a non-negotiable expectation
The Central Bank expects firms to conduct both:
- Internal reconciliation – what should be safeguarded (customer liabilities vs. user funds received); and
- External reconciliation – what is actually safeguarded (ledger vs. safeguarded bank accounts).
Both reconciliations must be carried out daily, correctly documented, and signed off by a senior manager.
Safeguarding frameworks: what the Central Bank wants to see
The Central Bank’s December 2021 and January 2023 ‘Dear CEO’ letters laid out its expectations clearly. Here are the key components of an effective safeguarding framework:
- Governance and oversight
- A board approved safeguarding risk management framework.
- A regular review of safeguarding arrangements.
- Ongoing board assurance over reconciliations and safeguarding calculations.
- Audit and assurance
- Independent audit opinion on whether safeguarding arrangements meet regulatory standards (required as of July 2023).
- Safeguarding notice (May 2023) mandates a three-part audit deliverable:
- A documented description of arrangements;
- A board-approved attestation of effectiveness; and
- A reasonable assurance attestation from an auditor.
What good looks like: policies, procedures and monitoring
The Central Bank expects firms to maintain clear and detailed documentation, including:
- Safeguarding policy – board approved, updated annually, covering fund flows, responsibilities, reconciliation frequency, breach handling, and more;
- Reconciliation procedure – step-by-step format with sign-off and escalation routes;
- Acknowledgement letters – from authorised credit institutions confirming safeguarded account status;
- Training programme – onboarding and annual safeguarding training for all staff;
- Risk register – detailing inherent risks, mitigation measures, and residual risks;
- Bank counterparty assessments – annual suitability reviews of institutions holding safeguarded funds; and
- Board evidence – safeguarding should be a regular agenda item with documented minutes.
Firms must also maintain clear lines of defence:
- First line: Responsible for safeguarding operations;
- Second line: Compliance monitoring plans with specific testing; and
- Third line: Independent internal or external audit functions.
Where firms are getting it wrong: common safeguarding deficiencies
The Central Bank has highlighted widespread issues in safeguarding frameworks. One in four PSPs self-identified weaknesses in 2023.
Key failings include:
- Delays in segregating user funds;
- Commingling of user and non-user funds;
- Infrequent or inaccurate reconciliations;
- Use of incorrectly designated safeguarding accounts;
- Weak oversight from second and third lines; and
- Poor risk assessment of operational changes.
These deficiencies expose customer funds and leave firms vulnerable to regulatory enforcement.
Conclusion: safeguarding isn’t a one-off compliance task
Safeguarding must be embedded across all levels of your firm’s governance and risk management. Regulatory expectations have evolved, and the Central Bank has made it clear: safeguarding is a continuous obligation, not a check-box exercise.
Download our Safeguarding Guide for practical insights into building a compliant safeguarding framework. If you need support evaluating or enhancing your existing arrangements, get in touch with our team of safeguarding specialists.
This post contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate.
