The message from the FCA was clear at fscom’s Payments Regulatory Outlook, as it has been for the previous number of years: keep the money safe. In this blog, we consider the safeguarding regime and in other blogs, we cover prudential risk management and wind-down planning.
The FCA’s view of the safeguarding regime is that it is not working well. Over the last couple of years, seven of the 12 payments and e-money firms that have failed have had shortfalls of over 50% in terms of the customer funds that are available for distribution. Indeed, the administrator’s report of 11 January 2024, in respect of the payment institution Rational FX, indicates a shortfall in safeguarded funds was self-reported to the FCA ahead of appointment of the insolvency practitioners.
Another concern for the FCA, and the industry, is how long it takes to get the money back to customers. Of the six cases where funds have now been distributed to customers, it’s taken over two years on average for a first distribution to be made.
Why does it take so long?
The high-level answer is the lack of clarity in the rules and their application in practice.
As we have pointed out on many occasions, the rules in the legislation are very brief given the wide range of business models to which they are intended to apply. Over the years, the FCA has added guidance, increasing chapter 10 of the approach document from 31 paragraphs to 92.
But there’s still lack of clarity and certainty over what is expected from payment and e-money institutions and when funds are relevant for safeguarding and when they are not. The FCA intends to remedy this through amending the safeguarding rules by aligning with those in the Client Asset Sourcebook (CASS).
What is CASS?
CASS is the shortened name of the Client Asset Sourcebook. It applies to various firm-types regulated under the Financial Services and Markets Act 2000 (FSMA) and aims to keep client money and assets safe if firms fail and exit the market. The rules require firms to reduce the risk of financial loss by identifying, assessing and mitigating risks. Many of the specific requirements will not be alien to payment and e-money institutions because they are in keeping with the guidance provided by the FCA in the approach document, but there will be two major impacts for payment and e-money institutions:
- the FCA is likely to determine, on a more granular level, when funds should be safeguarded (think of this as the boundary of the regime); and
- the risk management controls will be more prescriptive.
Agreeing the boundary: the when of safeguarding
Non-bank payment service providers do payments very well because they connect with multiple partners, including multiple payment systems, to move money efficiently and cost-effectively in multiple currencies. The spectrum of providers caters for high value/low volume to low value/high volume and every combination in between.
Moving money through partners, including the card schemes, for instance, means…to state the obvious…the money has to move to and through the partners in order to arrive with the beneficiary. This causes a problem for policy-makers that want the payment or e-money institution to protect the funds until received by the beneficiary’s payment service provider.
Either the funds must be duplicated, which is enormously expensive, or the risk has to be covered by some form of insurance or guarantee. However, the insurance and guarantees are not widely available meaning the most-used method of safeguarding is holding funds in an account with a credit institution. The reason why the government’s own guarantee scheme, FSCS, has not been extended to payment and e-money institutions is because, it is believed, it would be enormously expensive.
Policy-makers must, therefore, choose between:
- Super-charging the protection of the funds at all points from receipt to being placed into the control of the beneficiary’s PSP, which means payment and e-money institutions have to guarantee for all other players in the payments ecosystem and is likely to result in some business models and some providers becoming unviable; or
- Maintaining the UK’s competitive, choice-filled sector by recognising the dynamic nature of payments and the role and responsibilities of the various players involved in moving funds (accept the risk in favour of the benefit of choice) but minimise the risks as far as possible.
Managing the risks
There are 27 words in the legislation[1] dedicated to the systems and controls that the payment or e-money institution must have to protect the funds.
…must maintain organisational arrangements sufficient to minimise the risk of the loss or diminution of relevant funds or relevant assets through fraud, misuse, negligence or poor administration.
I expect that the majority of the new rules that will be proposed by the FCA will elaborate on their expectations of these organisational arrangements.
fscom has undertaken safeguarding compliance audits on a broad range of payment and e-money institutions in the UK and Ireland and we have encountered examples of: unwritten policies; policies that have been over-ruled with no process; audit findings that have been overlooked by the Board; EMIs/PIs that haven’t had an audit even some years after the expectation was set out by the FCA in 2020; and gaps in internal and external reconciliations.
This is about the maturity of the sector and more detailed rules and expectations will be welcomed by the many players who already have invested heavily in robust systems and controls as this will serve to level the playing field. But only if the expectations are enforced. The requirement to have an audit of safeguarding arrangements served to bring these issues before the Board which drove improvements in many cases. I expect that mandatory submission of the reports will be on the cards to give the FCA insight on where the risks lie in the supervised population, in much the same way that , the baseline financial resilience regulatory return, flags where the weaknesses are.
Conclusion
Following many months of delay, we now hear the FCA’s consultation will be published in April. The intention is to make the regime clearer on the edge cases and to bring the rules and guidance into one place. It is hoped this will increase the protection for customers’ funds and also create clarity for insolvency practitioners which should reduce their costs and the length of time it takes to return the funds.
fscom continues to engage with the FCA on the safeguarding regime on behalf of the sector directly and through the trade associations of which we are members. We hope that the clarity sought will serve customers well in protecting their funds but not at the expense of limiting their options for moving their funds.
If you would like to speak to any of our safeguarding experts about managing and reducing safeguarding risks, please get in touch.
[1] Regulation 23 (17) of the Payment Services Regulations 2017 and regulation 24 (3) of the Electronic Money Regulations 2011.
This post contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate.