In July 2019, the FCA issued a ‘Dear CEO Letter’ to Non-bank Payment Service Providers (PSPs) outlining the key consumer protection measure within the Electronic Money Regulations (EMRs) and Payment Services Regulations 2017 (PSRs) to protect customer funds in an insolvency situation, to ensure an orderly and timely return of customer funds.
The findings outlined in the letter were multiple, including challenges with segregation, poor understanding of funds requiring segregation and failures to validate and check the correct amounts of segregation were in place, delivered through accurate and timely reconciliations and governance.
Policies were almost certainly immature, leading to organisational arrangements that were not evolved to ensure a robust operating model and control environment and change management was also not fully evidenced with adequate consideration of impacts associated, leaving potential for degradation to the protection activities associated.
The FCA directed an expectation to fully review safeguarding arrangements and attest to the adequacy of the arrangements, with regular refresh of the governance, review and control associated to ensure changes had been appropriately incorporated and provisioned for to maintain compliant solutions and actions – with any remediation activities being identified and acted upon in a reasonable timeframe.
The FCA set out an approach and parameters to help firms respond and comply to the obligations, with both the PSR & EMR aligned:
The PSRs set out, amongst other things:
The EMRs set out, amongst other things:
After numerous amendments and clarification, in these and the FCA Handbook on the topic and having come out the other side of Brexit and divergence from associated EU law from the European Supervisory Authorities, such as the European banking Authority, the UK ended up with specific UK focused approaches enshrined to the regulatory framework relevant for FCA firms, but with an expectation that firms with EBA guidelines remain relevant to firms, to continue to apply those alongside.
So, clear as ever, firms need to comply to a raft of regulations and obligations and ensure they understand how this impacts their business activities and touchpoints, then organise themselves to govern, manage and protect consumer interests and segregate the values necessary to ensure capital adequacy and consumer protection in the event of any insolvency type situation – easier said than done in a high volume, complex and fast-moving environment.
The PSRs 2017 establish a class of firms authorised or registered to provide payment services. These are collectively referred to as payment institutions (PIs) and Small PIs based on criteria set out in the PSR, but also includes:
The EMRs cover, with certain exceptions, everyone who issues e-money in the UK. Chapter 3a of PERG gives guidance for forms on the scope of activities falling within the EMRs.
Firms captured within the safeguarding rules under either or the PSR or EMR regs are required to ensure they have adequate measures and organisational arrangements in place to ensure the safeguarding and protection of applicable funds.
This includes governance arrangements, internal controls and risk management, aligned to the payment services/activity being provided, the nature, scale and complexity of the firms business, the diversity of its operations, volume and size of transactions and the degree of risk associated with each operation.
The description of control mechanisms must include a mapping of the risks identified by the applicant (including the types of risks), and the applicant should provide details of the procedures that it will put in place to assess and prevent such risks.
These risks may include:
Firms are expected to be able to demonstrate how they effectively identify, manage, monitor & report on any risks it has identified and to which it may be exposed and demonstrate adequacy of their controls and governance of controls to ensure a resilient and adequate organisational arrangements, including the incorporation of Wind Down Plans and Liquidity & Capitalisation adequacy.
The guidance and the regulation is extensive and there are many critical parts, an example below:
So, how do you achieve all of those aspects in a real time and automated manner, to enable you to focus on setting triggers, monitoring activity real time and escalating any stakeholder communications accordingly.
Grath GRC Platform enables you to set up your policies and standards, your risks and risk register, key risk indicators, key controls and key control indicators and monitor against those on a daily basis, with trend analysis and insight achievable to future proof your business as you grow and readily demonstrate to the regulator how you govern the critical elements that underpin your safeguarding compliance.
If you’d like to know how Grath’s technology can help future-proof your regulatory compliance and risk management process, then we’d love to talk, get in touch with us.
For regular updates & insights, follow our Linkedin page here.