BACKGROUND
Back in July 2020, the FCA released guidance for firms covered by the Payment Service Regulations (PSR) and Electronic Money Regulations (EMR) indicating they expected regulated institutions to arrange specific annual audits of their compliance in line with the safeguarding requirements of the PSR/EMR.
In 2021, this became a requirement with the FCA expecting firms to perform an independent safeguarding audit on an annual basis. Interestingly, auditors had already had a responsibility to report to the FCA any breaches they found under the PSR or EMR which were of material significance. However, no separate client money (CASS) style audit had been required.
Further changes are afoot following FCA consultations released in 2024 – more on that below.
LACK OF CLARITY AND ASSUMPTIONS
When the FCA stipulated the requirement for safeguarding audits, it didn’t give clear guidance on the content of the audit, or the format its report should take. Even now, the FCA has still not provided details of the period the assurance opinion should cover.
The FCA does, however, expect that most firms may wish to align the period with their accounting year-end.
Neither the temporary guidance published in July 2020, nor the consultation in January 2021, set out the timing of the reports – including a deadline for when the reports should be submitted.
Similar to Client Asset (CASS) reports, it may be reasonable to assume the safeguarding audit should be completed within 4 months of the period end date to mirror the CASS regime requirements, with the report itself following a similar format.
IMPLICATIONS FOR FIRMS
In this regard, the FCA uses the term ‘audit’, which is usually reserved for statutory audits, or CASS audits where there is a specific audit framework. Saying that, no audit standard has been issued by the FCA.
The FCA guidance simply requires that the firm is to ask the auditor to provide an opinion addressed to the firm on:
- whether the firm has maintained organisational arrangements adequate to enable it to meet the FCA’s expectations of its compliance with the safeguarding provisions of the EMRs/PSRs (as set out in chapter 10 of our Approach Document), throughout the audit period, and
- whether the firm met those expectations as at the audit period end date.
This is very similar wording to a Reasonable Assurance Client Money (CASS) audit. The approach to the engagement has similarities and involves an examination of the various safeguarding provisions during the year, and at the end of the period. This is to ensure the firm has controls in place and has complied with them.
The emphasis sits with the auditor to assess the reasonableness and suitability of the procedures in place are in line with the auditor’s interpretation of the safeguarding approach, as recommended by the FCA.
At the end of the engagement, the auditor then provides a letter addressed to the firm covering the points mentioned above.
Changes ahead – CP24/20
In Autumn 2024, the FCA issued new guidance CP24/20, which impacts E-Money Firms. They also launched a safeguarding consultation, which closed in December 2024. The consultation will guide the final safeguarding rules the FCA intends to implement in stages. In doing so, it will work alongside HM Treasury to transition relevant PSRs and EMRs provisions into the FCA Handbook.
It is anticipated these next steps from the FCA are likely and that the outcome of the consultation will be published in Summer 2025:
- Interim rules and a policy statement will be published in the first half of 2025.
- The interim rules will then be implemented over a six-month period.
- The FCA will publish final rules (end state) for which firms will then have 12 months to implement.
For more details see: Changing the safeguarding regime for payments and e-money firms
CAN WE HELP?
Shipleys has been working with many firms affected by this requirement and has a track-record in conducting robust and reliable safeguarding audits to meet the FCA’s requirements. Please get in touch if you would like further information.
Specific advice should be obtained before taking action, or refraining from taking action, in relation to this summary. If you would like advice or further information, please speak to your usual Shipleys contact.
Copyright © Shipleys LLP 2025
Related Resources
