.svg)
The Financial Conduct Authority (FCA) has been applauded for listening to the payments industry’s feedback on its proposed safeguarding rule overhaul, but experts warn that challenges still lie ahead for firms.
Changes to the UK’s safeguarding rules have long been anticipated, given the FCA’s concerns over safeguarding practices, as voiced in interventions such as its “Dear CEO” letters to the payments industry.
Legal uncertainty has also been an issue since the insolvency of e-money institution Ipagoo LLP.
With the final rules now unveiled, the payments industry has expressed relief that the FCA has chosen not to implement the so-called end-state rules proposed in its 2024 consultation.
“The FCA engaged in a really constructive way, listened, realised it was more complicated than they had thought and changed its approach,” said Omar Salem, partner at Fox Williams.
Salem speculated that “there is a diminishing chance that the FCA will introduce end-state rules, as most of the benefits are probably from the supplementary rules, but that is a debate for another day now.”
“The most controversial elements were in the proposed end-state rules, which attracted a lot of critical industry feedback,” said Max Savoie, partner at Ashurst.
“The FCA has said it will consult further on these, but only after the first audit period for the new rules. That's the biggest change to the proposals on which the FCA consulted and will be a welcome relief to many firms and trade associations. The issues haven’t gone away, but at least the FCA is considering them further and there will be another opportunity for consultation.”
Martin Dowdall, partner at Taylor Wessing, agreed, describing those rules as “more onerous”.
“Firms will likely be breathing a sigh of relief because the associated time and cost of working with both third parties and internal teams to accommodate these changes would have been significant,” he told Vixio.
Compliance challenges
Although the new framework, known as the Supplementary Regime, is less severe than the rules originally proposed, payment firms still face a significant compliance effort.
Under the framework, payment and e-money institutions authorised by the FCA will be required to:
- Conduct daily reconciliations, excluding weekends and public holidays, to ensure the correct amount of customer funds is being safeguarded.
- Arrange annual safeguarding audits carried out by qualified auditors, unless the firm holds less than £100,000 in customer funds.
- Submit monthly safeguarding reports to the FCA.
- Develop and maintain resolution packs to facilitate a faster return of customer funds in insolvency events.
- Undertake due diligence on third parties managing or holding customer funds.
- Ensure safeguarding insurance or guarantees are free from payout restrictions.
- Implement contingency plans at least three months before any insurance policy expiry date, defaulting to segregation of funds if needed.
The implementation date for the Supplementary Regime is May 7, 2026.
“This is not far away and there will be a lot for firms to do,” said Dowdall.
“Payments and e-money firms will need to build systems and controls and ensure staff are trained, and may even need to hire additional headcount to ensure they are compliant with the new rules.”
Significant work ahead
According to Olivia Murphy, managing associate at Linklaters, although the framework is largely as expected, it introduces new requirements that will demand additional effort and resources from payment firms.
“Reconciliation processes will need updating, and the FCA will require monthly safeguarding reports,” she said.
Murphy also noted that firms will need to appoint a senior manager responsible for safeguarding.
“While these individuals are not being pulled into a full-style Senior Managers regime, there is a possibility this could be treated in a quasi-SMCR way. It’s a significant new role and certainly something different for firms.”
Overall, Salem said that firms will need to accelerate their implementation plans to “close the gap between where they are now and where they need to be.”
“They will need to test their systems and technology, and onboard the necessary support to ensure they have the resources required. The expectation is that statutory audits will be to a higher standard than currently is the case, so firms will want to make sure their processes are robust before being subject to them,” he said.
Salem suggested that the “timeline is achievable, but it’s not a long one”.
“Most firms have not started preparing, as they were waiting for the final rules, so many will have to begin now and have a plan in place immediately. Compliance with the audit, daily reconciliation and safeguarding requirements will all require significant work,” he said.
“It is less clear what firms can practically do on diversification, with limited safeguarding bank account providers in the market.”
The question of audits
Some key details of the new regulation will make audits particularly challenging.
For example, payments and e-money firms must appoint an auditor eligible under the Companies Act.
As Dowdall pointed out, this means “fewer auditors will therefore be eligible for appointment”.
“There is a real risk that this will lead to higher costs for firms and the lack of competition also risks creating a bit of an echo chamber when it comes to the approach to such audits, which could mean conservative interpretations of the rules become entrenched,” he added.
Savoie said that, although they may appear unremarkable, the record-keeping requirements under the new rules obligate firms to maintain an extensive set of documents that are continuously updated and readily accessible.
“Firms need to keep continually updated and readily accessible records of intra-group and third-party support, key individuals involved in safeguarding processes, customer terms and the latest reconciliation records. They need to get their ducks in a row, with a robust system that others can easily pick up,” he said.
He added that diversification requirements mean firms must regularly consider whether they should safeguard funds with a broader range of banks or under additional insurance policies or comparable guarantees.
Although existing FCA guidance already addresses diversification, the transition from guidance to detailed formal rules may signal that auditors and the FCA could require firms to open safeguarding accounts with multiple banks or implement additional insurance or guarantee arrangements.
“That could be the most expensive and operationally challenging aspect of the new rules,” Savoie said.
“Although banks are required to provide non-discriminatory access to e-money and payment institutions, setting up safeguarding accounts with new banks is not always easy or cheap."
Next steps
After the deadline, firms will prepare to submit their audit reports and closely observe the FCA’s response to the first round of submissions.
The regulator may find that firms have adapted well and are adequately prepared for the audits, or it may be disappointed by their performance.
“The FCA clearly recognises that compliance with the Supplementary Regime alone will require significant amounts of work,” said Ayrton Tritton-Hopkins, associate at Taylor Wessing.
As a consequence, the regulator has extended the implementation period for the Supplemental Regime from six months to nine months.
“We expect that the FCA will have very little patience for non-compliance with the Supplemental Regime because firms will have had more time to build their systems and controls and work with their auditors to get it right,” he said.
“We may well see more enforcement in this area.”
