1. Safeguarding: PS21/19 - Changes to the SCA-RTS and Approach Document
- Posted on: 17 December 2021
- Written by: James Borley
There are few surprises here really, given that the nub of the Approach Document updates is consolidating the FCA’s ‘temporary’ Finalised Guidance, published in July 2020, into the master document. Let’s take a look at some of these again.
Safeguarding as a Trust
If it walks like a duck… That was the argument for suggesting that the Safeguarding account was effectively a Trust, driven by the High Court’s findings in the Supercapital case. However, a recent court ruling (or lack thereof) in the Ipagoo case has thrown this into question by finding that the Electronic Money Regulations don’t in fact create a trust over money received by an Electronic Money Institution (EMI) from its customers. As such, acknowledgement letters obtained from credit institutions may be incorrect and, consequently the FCA has removed such reference from its template acknowledgement letter (see below for more of acknowledgement letters). That said, the FCA is appealing the High Court’s judgement in this regard, so there may well be further changes to come here.
The Finalised Guidance clarified the requirement for certain firms to carry out an annual safeguarding audit – all EMIs and those Payment Institutions (PIs) unable to claim the small company audit exemption under the Companies Act – and also intimated it would be ‘best practice’ for all other firms. So far, so good.
In practice, this gave rise to a few questions, which the updated Policy Statement and Approach Document seek to address:
- Annual means annual. Back in July 2020, most readers read the guidance as firms having 12 months from that date of the guidance by when to have commissioned a safeguarding audit. The FCA, in a subsequent industry webinar, expressed surprise that this was the common understanding; what it had meant to convey was that firms should have such an audit as soon as practicable. To date, I’m sure there are a number of firms yet to have their first safeguarding audit.
The FCA has softened its position to say “we expect firms should have made significant progress with their safeguarding audits”. It is not prescriptive as to when this happens and whether it needs to coincide with a firm’s account year end date. But, as they say, you’ve got to start somewhere.
Audit scope – I have heard stories of traditional audit firms being unable to agree terms with their clients because the required scope of the audit hadn’t been made clear by the FCA. In our reading, the safeguarding obligations are set out in Chapter 10 of the Approach Document, and it is therefore these that should form the scope of the audit. The FCA has, helpfully, confirmed that safeguarding audit firms do not need to adopt ISAE (UK) 3000 (International Standard on Assurance Engagements (UK) 3000) audit standards. As such, firms should ask prospective auditors for sight of the audit scope and also their “appropriate specialist skill in auditing compliance with the safeguarding requirements under the Payment Services Regulations 2017 (PSRs) and Electronic Money Regulations 2011 (EMRs), taking into account the nature and scale of the institution’s business”.
Additional audits for changes in business model – interestingly, the FCA is requiring sight of such audits before the firm implements the changes being proposed e.g. adding payment services, changing method of safeguarding. Usually, an audit is backward-looking, however the FCA is clear in paragraph 10.75 of the Approach Document that “the opinion to be shared with the FCA a reasonable period in advance of new safeguarding arrangements being adopted.” Interesting again that the FCA uses mixed language here, saying “we expect” but then using the softer “should” rather than “must”. Personally, I would read it as the latter.
Audit cost – the costs quoted in the FCA’s cost benefit analysis (anticipated at between £12,000 for small firms, £100,000 for medium firms and £200,000 for large firms) don’t necessarily reflect the price you pay the auditor, but also the costs in undertaking the audit: answering the auditor’s questions, providing documentation etc. The fee paid to the auditor will undoubtedly influence your choice, along with their relevant skills and experience. Compliancy Services believes it can tick both these boxes, having conducted dozens of safeguarding audits since July 2020.
The experience of our clients using banks elsewhere in the EEA is that it is difficult to get them to provide acknowledgment letters in any form. Such concern was expressed in the consultation feedback. Expecting overseas banks to provide a letter in a template required by the FCA is, unlikely, to be successful. The FCA acknowledges this, seeking in such instance where segregated safeguarding accounts are provided by EEA/OECD credit institutions, that firms obtain explicit confirmation to “demonstrate that the credit institution or custodian has no such interest in, recourse against, or right over the relevant funds or assets in that account”.
In the meantime, if you are looking for a firm to undertake your next safeguarding audit please do get in touch and we’d be happy to discuss how we can be of assistance.