What should firms be doing and what can they learn from the FCA's approach to client money enforcement?
Introduction
On 4 July the Financial Conduct Authority published a Dear CEO letter requiring all electronic money institutions (EMIs) and authorised payments institutions (APIs) to review their customer money safeguarding arrangements, to ensure that they fully meet regulatory requirements under the Payment Services Regulation 2017 (PSRs) and Electronic Money Regulations 2011 (EMRs) (the Safeguarding Rules). The letter follows a 6 month review of 11 non-bank payment service providers (PSPs) and EMIs (together, Safeguarding Firms) and how effectively they safeguarded users' funds.
In this briefing we summarise the FCA's key findings and identify what actions firms should consider taking. We also look at the FCA's enforcement against authorised firms that hold money on behalf of clients under the FCA's client money rules (the CASS 7 chapter of the FCA handbook) (the CASS Rules).
Since the basic purpose of both sets of rules is the same – to protect customers where funds are held by firms from firms' creditors and other third party claims in the event of the firm's insolvency – Safeguarding Firms can use the published cases about CASS to inform their reviews of compliance. Indeed some firms, such as those conducting FX transactions, could be subject to both the Safeguarding Rules and CASS 7.
Findings
The FCA highlighted the following key areas of concern in the Dear CEO letter:
Relevant Funds
A number of firms were unable to distinguish which payment services they provided in specific situations, and so were unable to accurately identify Relevant Funds (as defined in the Safeguarding Regulations) for safeguarding. This demonstrates the importance of understanding the regulatory scope in which a firm operates and the FCA have reiterated the importance of this distinction.
Governance and oversight
Management of risk was reviewed during the FCA investigation, with the results showing that some firms considered safeguarding risks on an exceptions basis only, with systems and processes being reviewed only following a breach. The FCA highlighted that safeguarding should be present on the risk register, with frequent review by the Board.
Policies and procedures
Safeguarding Firms should have up to date policies and procedures regarding safeguarding funds, with clearly demonstrable actions specific to the particular firm, rather than just a reproduction of the relevant regulations. The FCA has confirmed the importance of having policies which are at all times appropriately geared to the current needs and practices of the business.
Segregation
Where firms have opted for the segregation method, the obligation on firms begins as soon as they receive Relevant Funds. The FCA highlighted:
- poor understanding of what funds needed to be segregated;
- delays in segregating funds following receipt; and
- failure to check on a sufficiently frequent basis that correct amounts are segregated.
The FCA expects non-relevant funds to be removed as frequently as possible throughout each day and found that some firms did not attempt to segregate Relevant Funds on receipt. It also highlighted that very few firms removed non-relevant funds from segregated accounts more than once a day.
Safeguarding accounts
The FCA found that some firms’ Safeguarding accounts were not clearly designated as such and were instead named according to their operational function. Firms should ensure that no other person/entity has an interest in or rights over the funds in the Safeguarding account and that this is clear from the title of the account. As set out in para 10.40 of the FCA's Approach to Supervision of PSPs and EMIs, firms should also obtain acknowledgement of the status of these accounts from the bank where they are held.
Actions
All Safeguarding Firms must review and update their safeguarding arrangements and submit an attestation of their compliance to the FCA before 31 July 2019. This attestation must be submitted to SafeguardingProject@FCA.org.uk in the prescribed format as published by the FCA. Attestations should only be completed after the Safeguarding Firm has fully reviewed and satisfied itself that it is compliant with the regulations, and some firms may need to prepare a qualified attestation where work is ongoing, or request further time. As with all attestations, firms should also ensure that they document the basis on which they have come to the conclusion that they can make the attestation. Wherever firms identify inadequacies they should begin remedial action and notify the FCA in writing of any "material" non-compliance. The FCA have stated that where they find inadequacies in a firm's safeguarding they will take "appropriate action". This may come in the form of investigation and enforcement, and so firms need to ensure that the attestation is not treated as a routine business measure, but is given appropriate oversight and consideration by senior management.
We suspect that, as firms closely consider their current internal controls, they will notice a number of ambiguities in the Safeguarding Rules and how they apply to their particular payment flows. There may be firms who are unclear whether their arrangements are permitted. For example:
- It can be very difficult to identify which funds should be segregated in the case of mixed remittances.
- Where a firm is issuing e-money there is a need to also identify customer funds which derive from related and unrelated payment services.
- Many firms rely on a few key knowledge-keepers within their organisation, as a result of which documented systems and controls are deficient or not fully recorded.
- In terms of senior management oversight, Safeguarding Firms often rely on manual reconciliation processes and this can mean that good quality MI is hard to generate.
Learnings from the FCA's CASS enforcement
The FCA has been heavily focused on firms' compliance with its client money rules in CASS 7 ever since the financial crisis, when the Lehman Brothers and MF Global collapses revealed shortcomings in those rules and highlighted the importance of proper segregation and reconciliation of customer money. As the PSP and EMI sector grows in size, we are beginning to see the FCA focus more on the equivalent Safeguarding requirements.
The following cases provide some examples of FCA enforcement which highlight points that Safeguarding Firms might review in their own processes:
Issue |
Example |
Learning |
Reconciliations – correcting discrepancies |
A retail investment platform was fined £3.5m for errors in its reconciliations and for not "topping up" its segregated client account where it had identified shortfalls in the account. |
Differences between the amount actually in the safeguarding account and the amount that the firm believes should be there need to be corrected, unless the Safeguarding Rules allow them to be ignored (for example, at 10.65 of its Approach document the FCA talks about differences due to timing differences between internal and external accounting systems). |
Automatic account sweeping |
An investment firm was fined £1.12m for client money failings where it properly segregated client money at close of day and overnight, but had in place an auto-sweep rule that pushed the client money back into an unsegregated account during the day. |
Automated processes can help to minimise manual error, but firms can still fall victim to errors - including sweep programming that un-segregates previously properly segregated funds. An audit of auto-sweep rules can help to confirm that this type of error does not arise.
|
Identifying protected funds |
A global securities institution was fined £33m by the FCA for inadvertently ceasing to keep customer funds protected. A project to streamline its accounts did not identify that one account held client money, and so it moved the customer money into a larger account of mixed funds. |
In the Safeguarding chapter (10) of the FCA's Approach document, it notes that funds held in connection with other types of business, such as foreign exchange or telecoms, need to be held separately because they are not protected by the Safeguarding Rules. This is particularly complex in circumstances where it is not always clear what constitutes a payment service. In a mixed business offering, it is important to consider not just isolating the funds held in connection with services covered by the Safeguarding Rules in the first place, but also to make sure that no subsequent rationalisation of accounts and treasury arrangements undermines that segregation. |
Legal entity vs business lines |
Two global banks were fined when the FCA determined that their reconciliation processes did not sufficiently identify which legal entity within their group was holding their client assets. |
For businesses that use a number of legal entities it is important to remember the core principle of Safeguarding is segregation in the event of insolvency. Since insolvency occurs on an individual legal entity basis, reconciliations should be specific to bank accounts held by the correct legal entity.
The FCA Approach document payments at para 10.41 comments that a corporate group cannot pool its respective Relevant Funds in a single account – each legal entity must have its own Safeguarding account. |
Holding the funds as assets |
An asset manager was fined £8m by the FCA because they held client money in money market deposits without clearly labelling them as being held for customers. |
Where Safeguarding Firms choose to hold Relevant Funds in secure, liquid assets (within the list permitted by the FCA) they should be held in a separate account with the custodian and identified as a Safeguarding account in the custodian's records. |
Alternatives
It is worth noting that segregation is only one of the permitted safeguarding methods allowed by the Safeguarding Rules; firms can also obtain an insurance policy or guarantee that covers the Relevant Funds. While the market for insurance products has not yet matured, we have known firms concerned about the adequacy of their segregation arrangements to take out guarantees to ensure that they are compliant while they remediate their segregation practices. Because of their expense guarantees are unlikely to be a long term solution for most firms, but given the risks to the firm and the attester, they may be a useful bridging measure.