How e-money firms can ensure safeguarding audit readiness

In September 2024, the Financial Conduct Authority (FCA) launched a consultation on changes to the safeguarding regime for payments and e-money firms. The proposal was to fundamentally reshape the regime in light of systemic vulnerabilities exposed by high-profile insolvencies like Ipagoo LLP and Allied Wallet Ltd.

The consultation closed in December 2024, with interim rules expected to take effect within six months aiming to improve compliance with existing rules by the end of 2025. The FCA also plans to introduce a new set of rules under CASS 15 to take effect by the end of 2026.

There are many small technology-enabled firms in the payments and e-money sector, and while they have a smaller market share (95% of electronic money institutions hold just over 20% of outstanding e-money) they process approximately 50% of all transactions. These smaller firms will need to consider the regulatory changes and might find they have considerable work to do in preparing a robust CASS 15 framework to comply

Key areas of focus to ensure CASS 15 readiness

Increasing rigour of compliance oversight

The safeguarding regime is set to move from a largely principle-based approach with lenient oversight to a rules-based environment with regular scrutiny from the auditor and regulator. It will be expected that the new rules are understood, assessed, compliance ensured and monitored across the relevant business areas. Firms will need to identify, record, analyse and report breaches and incidents in line with the mandatory reporting requirements in the Client Money and Assets Return (CMAR). Under the CASS 15 framework, firms will also need to attach a schedule of breach to their audit report.

In addition to CASS 15, firms will need to comply with responsibilities noted in proposed new FCA Supervision Manual (SUP) Chapter (including CMAR reporting) and CASS 10A.

All of the above would require a shift towards compliance mindset and increasing rigour in the current compliance activities.

Assessing the roles, responsibilities and skills needed

Typically in regulated firms such as investment managers and insurance brokers that comply with CASS, related roles and responsibilities sit across various parts of the business, from a dedicated CASS office, to operations, compliance and finance teams. Generally, the larger and more complex an organisation, the more widespread CASS compliance and governance frameworks are. But for smaller firms, the burden falls on smaller teams with fewer experts to ensure compliance.

During the readiness phase, smaller payment services and electronic money firms will need to methodically assess the additional and enhanced expectations and requirements under the proposed regime to identify any skills or resource gaps. This assessment should review existing roles, responsibilities and skills against the new requirements and determine how to address any gaps uncovered, whether through rearrangement of existing resources or securing additional support.

Technology is often a cornerstone of these businesses, and firms should consider whether their existing technology can assist with compliance. There is a particular challenge and possible opportunity around how investment analysis could be conducted to comply with the investment of relevant assets rules under CASS 15.

Reassessing records, accounts and reconciliations

This is the most important part of CASS 15 and is based upon fundamental principles of the FCA’s overall CASS Regime. Not surprisingly, there is a high degree of consistency between the proposed CASS 15 rules and existing CASS 7 provisions.

While consistency has its benefits, it also brings challenges already faced under CASS 7, such as the need for:

• Separation between record and accounts maintenance activity and reconciliations.
• Identification and documentation of data sources.
• Independence of internal and external reconciliation processes, audit trail and evidencing.

Crucially, there is an expectation that the internal and external reconciliations are separate processes.

The majority of firms in the payment and e-money sector operate using single data point/source which could lead to significant challenges in implementing some, if not all, of the areas noted above. In building readiness for CASS 15 compliance, firms will need to refine their understanding of record keeping and internal and external safeguarding reconciliations, and assess whether their current processes, practices and documentation meet the proposed requirements.

Preparing for a safeguarding audit

Firms falling into the criteria for a CASS 15 safeguarding audit will need to undergo an annual audit and the FCA has proposed to codify this requirement in SUP rules. Audit is the main means of enforcing the FCA’s enhanced supervision of this sector. The FCA would like to receive the audit reports directly from the firm’s auditor within four months of a firm’s financial period end. The FCA has also proposed to codify the requirements and responsibilities surrounding auditor appointment, qualification and reporting arrangements. The auditor is also expected to comply with quality and assurance standards to be introduced by the Financial Reporting Council.

From a regulatory scrutiny perspective, these requirements are a significant step up and a major change compared to current safeguarding review practice. While the delivery of a Safeguarding Audit Report meeting the quality standards is the auditor’s responsibility, firms are expected to become audit-ready. Firms will need to demonstrate that they maintain adequate systems to enable compliance with the Relevant Fund rules and evidence actual compliance.

Our experience of performing CASS 5,6,7 audits tells us that for smaller firms, becoming audit-ready would require significant planning and preparation, with particular attention paid to maintaining adequate documentation and an audit trail, something they may not have needed to do in quite as much detail under previous rules.

To find out how we can help payments firms navigate this complex new regulatory landscape, please contact Nav Sarai.