Assurance, or the use of auditors to search for problems at firms, can be very useful to the regulated community in all manner of ways, especially during the authorisation process or in respect of the EU’s Payment Services Directive.
Providing firms with the necessary assurance
As ever, financial institutions are facing up to the challenge of investing time, money and effort to comply with ever-evolving regulation. There is plenty of evidence of the woes of non-compliance to be seen in regulatory enforcement cases and in the reputational damage that befalls non-compliant firms. Both these things can hamper a financial institution’s growth severely, or even threaten its existence.
In the face of such troubles, it may be that some measure of external review – not the regulator! – can provide firms with the necessary assurance that they are operating in a compliant manner.
What the banks expect from an audit
Despite anecdotal evidence to the contrary, not all banks want to steer away from payment institutions in the PayTech and FinTech area. These firms are often start-ups with no discernible track records upon which banks can rely or from which they can take comfort. A bank might organise an external review or audit as a means of assuring itself that the firm in question meets its criteria for ‘eligibility’ and is an acceptable risk as a customer. An audit or external review may reveal terrible problems but, with an appropriate ‘mitigation action plan’ at the ready, the bank may still be interested in establishing a relationship with the firm.
Banks are not necessarily looking for ‘clean sheets’ at these firms, however preferable they might be. Any problems that an audit identifies should be accompanied by evidence of mitigation or at least by a remedial action plan by which the firm in question hopes to achieve compliance with the relevant law. A compliant firm is clearly a better risk that a non-compliant firm.
In the payments market, every authorised payment institution and electronic money institution has to have a ‘safeguarding’ account with a credit institution before the regulator can authorise it. No safeguarding account, no licence. The firm will not be able to trade without such an account. The European Union’s second Payments Services Directive has introduced a requirement for banks to make such decisions – in respect of the take-on of payments firms – on a ‘proportionate, objective and non-discriminatory’ (‘POND’) basis. POND looks different for each bank and the FCA is at present saying very little about the notifications that it has received from banks that describe the circumstances in which those banks are refusing to open accounts. It would not be unreasonable to assume that some kind of impartial third-party review would be of immense help to a bank in the ‘objective’ part of any assessment.
Firms also need business accounts to function. Here, though, there are more options available, with ‘challenger banks’ entering the market and electronic money institutions offering alternatives to the traditional bank account.
What the Financial Conduct Authority expects from an audit
When a firm applies to the FCA for authorisation, it need not submit an independent compliance audit as part of its application. The FCA looks at the information that the firm itself provides, rather than the content of any audit or review to which the firm has subjected itself. However, a pre-application ‘audit’ is likely to warn the firm itself of any risks or issues that the regulator might pick up as part of its assessment of the information that the firm provides in its application documents, allowing the firm to solve its problems before it submits those documents to the FCA.
More obviously, an audit can help to provide the firm with assurance that, once the regulator has granted authorisation, it is complying with its obligations under the relevant laws. Such a review can be as broad or narrow as the firm desires. Of course, until the firm is authorised and able to process real transactions, the auditors will actually have very little to test because they cannot monitor transactions and must content themselves with policies and procedures.
Firms that operate, or wish to operate, inside the regulatory perimeter must be authorised or registered to do so. If a firm fails to apply to and gain approval from the FCA for a certain business activity, it may cease to be able to carry that business on. This could result in reputational damage and lost investment opportunities, or even the business’ demise. PayTech and FinTech firms are always in a hurry, but they should not be in a rush to submit incomplete applications to the FCA as this will simply delay their applications. If you cannot answer all the questions or provide all the information, don’t submit!
The third line of defence – keeping the regulatory wolf from the door
Once your firm is authorised, however, it will be expected to be compliant with the relevant laws, rules and guidance from then on. In addition to capital requirements and conduct-of-business rules, the firm will also probably have to obey anti-money laundering rules. The FCA deems a firm’s ‘three lines of defence’ to be sufficient for it to meet the relevant conditions of authorisation. The third line of defence is the independent assurance function, which might be an internal audit function and might be supplemented by an external review. This is where the firm can keep the regulatory wolf from the door. The FCA’s regulatory purview (it has to oversee more than 56,000 firms) is so broad that very few smaller firms will ever ‘enjoy’ an actual on-site visit from it. However, in the payments sector, we have seen a new FCA supervision department mobilise this year and actually venture forth into the industry; a significant shift away from the regulator’s previous reactive stance. Firms should therefore realise that regulatory visits are on the cards, typically as part of thematic reviews.
Periodic external support, then, can help to provide a firm with the assurance that it is indeed compliant, and can demonstrate this to both its provider of banking services and (if it so desires) to the FCA. Assurance really does allow a firm to be sure.
If you would like assistance with your audit or indeed any of your regulatory compliance requirements, please do not hesitate to get in touch with us at fscom.