concerns across payment sector firms

Safeguarding Reconciliations:

In July 2019, the FCA issued a ‘Dear CEO Letter’ to non-bank Payment Service Providers (PSPs) outlining the key consumer protection measure within the Electronic Money Regulations (EMRs) and Payment Services Regulations 2017 (PSRs), which protects customer funds in an insolvency situation and ensures an orderly and timely return of those funds.

The letter set out multiple findings, including challenges with segregation, poor understanding of which funds require segregation, and failures to validate and check, through accurate and timely reconciliations and governance, that the correct amounts were segregated.

Policies were almost certainly immature, leading to organisational arrangements that had not evolved enough to ensure a robust operating model and control environment. Change management was also not fully evidenced as having adequately considered the associated impacts, leaving potential for degradation of the associated protection activities.

The FCA set out an expectation that firms fully review their safeguarding arrangements and attest to their adequacy, with regular refresh of the associated governance, review and controls to ensure changes had been appropriately incorporated and provisioned for, so as to maintain compliant solutions and actions, and with any remediation activities identified and acted upon in a reasonable timeframe.

The FCA set out an approach and parameters to help firms respond to and comply with the obligations, with the PSRs and EMRs aligned:

The PSRs set out, amongst other things:

  • the payment services in scope of the PSRs and a list of exclusions
  • the persons that must be authorised or registered under the PSRs when they provide payment services
  • standards that must be met by PIs for authorisation or registration to be granted
  • capital requirements and safeguarding requirements
  • conduct of business requirements applicable to payment services
  • our powers and functions in relation to supervision and enforcement in this area

The EMRs set out, amongst other things:

  • the definition of e-money and the persons that must be authorised or registered under the EMRs when they issue e-money
  • standards that must be met by EMIs for authorisation or registration to be granted
  • capital requirements and safeguarding requirements for EMIs
  • rules on issuing and redeeming e-money for all e-money issuers
  • our powers and functions in relation to supervision and enforcement in this area

After numerous amendments and clarifications to these regulations and to the FCA Handbook on the topic, and having come out the other side of Brexit and the divergence from associated EU law and from the European Supervisory Authorities, such as the European Banking Authority (EBA), the UK ended up with UK-specific approaches enshrined in the regulatory framework for FCA firms, but with an expectation that firms to which EBA guidelines remain relevant continue to apply those alongside.

So, clear as ever, firms need to comply with a raft of regulations and obligations and ensure they understand how these affect their business activities and touchpoints. They must then organise themselves to govern, manage and protect consumer interests and segregate the values necessary to ensure capital adequacy and consumer protection in the event of any insolvency-type situation, which is easier said than done in a high-volume, complex and fast-moving environment.



The PSRs 2017 establish a class of firms authorised or registered to provide payment services. These are collectively referred to as payment institutions (PIs) and Small PIs, based on criteria set out in the PSRs, but also include:

  • Money Remitters
  • E-commerce operators offering payment services
  • Non-bank credit card issuers
  • Merchant acquiring firms
  • Payment service providers
  • Account information service providers

The EMRs cover, with certain exceptions, everyone who issues e-money in the UK. Chapter 3a of PERG gives guidance for firms on the scope of activities falling within the EMRs.


Safeguarding Measures & Organisational Arrangements

Firms captured by the safeguarding rules under either the PSRs or the EMRs are required to have adequate measures and organisational arrangements in place to ensure the safeguarding and protection of applicable funds.

This includes governance arrangements, internal controls and risk management, aligned to the payment services or activity being provided, the nature, scale and complexity of the firm’s business, the diversity of its operations, the volume and size of transactions and the degree of risk associated with each operation.

The description of control mechanisms must include a mapping of the risks identified by the applicant (including the types of risks), and the applicant should provide details of the procedures that it will put in place to assess and prevent such risks.

These risks may include:

  • settlement risk (a settlement of a payment transaction does not take place as expected)
  • operational risk (loss from inadequate or failed internal processes, people or systems)
  • counterparty risk (that the other party to a transaction does not fulfil its obligations)
  • liquidity risk (inadequate cash flow to meet financial obligations)
  • market risk (risk resulting from movement in market prices)
  • financial crime risk (the risk that the applicant or its services might be used for a purpose connected with financial crime)
  • foreign exchange risk (fluctuations in exchange rates)

Firms are expected to be able to demonstrate how they effectively identify, manage, monitor and report on any risks they have identified and to which they may be exposed, and to demonstrate the adequacy of their controls and of the governance of those controls, ensuring resilient and adequate organisational arrangements, including the incorporation of Wind Down Plans and Liquidity & Capitalisation adequacy.

The guidance and the regulations are extensive and there are many critical parts; an example is below:

  • 77 Internal controls are the systems, procedures and policies used to safeguard the business from fraud and error, and to ensure accurate financial information. They should include sound administrative and accounting procedures so the applicant can give us financial reports that reflect a true and fair view of its financial position and that will allow them to comply with the requirements of the PSRs 2017 and EMRs in relation to its customers.
  • 78 An applicant’s senior management should ensure that it regularly reviews its systems and controls, including its governance arrangements. It should also ensure that its governance functions, procedures and controls appropriately reflect the applicant’s business model, its growth and relevant risks.
  • 79 Our assessment of the application will consider if the systems and controls described in the information supplied are adequate and appropriate to the payment services and e-money activities that the applicant intends to carry on.

So, how do you achieve all of those aspects in a real-time and automated manner, so that you can focus on setting triggers, monitoring activity in real time and escalating any stakeholder communications accordingly?


The Grath GRC Platform enables you to set up your policies and standards, your risks and risk register, key risk indicators, key controls and key control indicators, and to monitor against those on a daily basis, with trend analysis and insight to future-proof your business as you grow and to readily demonstrate to the regulator how you govern the critical elements that underpin your safeguarding compliance.

Interested in learning more?

If you’d like to know how Grath’s technology can help future-proof your regulatory compliance and risk management process, we’d love to talk. Get in touch with us.
