London is a hotbed of financial innovation and has seen a growth in fintech, payment institutions and e-money firms.
These are non-banks which will take your money and allow you to make payments elsewhere. The pandemic saw customers rush to these firms as many banks struggled to open personal and business bank accounts.
- E-money firms - They take funds that have been received in exchange for issued e-money (Electronic Money Regulations 2011, EMR).
- Payment institutions - relevant funds are sums received from, or for the benefit of, a payment service user for the execution of a payment transaction, and sums received from a payment service provider for the execution of a payment transaction on behalf of a payment service user (Payment Services Regulations 2017, PSRs).
However, the events around Wirecard AG showed what could happen in the event of a payment firm insolvency where customer funds were not appropriately safeguarded.
To stop this happening again regulators have stepped in. The UK’s FCA has brought in a regime that is very similar to the one around client assets (CASS). CASS has had a long history, with time for the framework to mature and for guidance to be developed around managing client assets, but also around the assurance framework to assess whether regulated firms are complying with the rules.
Similarly, regulated payment institutions and e-money firms must be able to show that relevant funds are appropriately identified and managed on a day-to-day basis, and must also undertake an audit of their safeguarding practices. The finalised guidance “Coronavirus and safeguarding customers’ funds: additional guidance for payment and e-money firms” (9 July 2020) states: “we expect the firm to arrange specific annual audits of its compliance with the safeguarding requirements under the PSRs/EMRs.”
They will need to look at:
- Are firms holding appropriate safeguarding accounts?
- Are they able to evidence appropriate account designation?
- Are they able to demonstrate through an acknowledgement or otherwise, that the authorised credit institution or authorised custodian has no rights (e.g. a right of set off) or interest (e.g. a charge) over funds or assets in that account unless permitted by reg 23 PSRs/reg 21/24 EMRs?
- Is the frequency of reconciliations adequate to remove own funds and address safeguarding discrepancies?
- Are there clear records to evidence the relevant funds held and that appropriate reconciliations have been undertaken to check this amount?
Through our feedback to the FCA we have discussed six important questions around these audits:
1. What is the right Auditing Standard to apply to such an assurance report?
As noted above there is a specific Assurance standard published by the FRC to look at client assets but there is not yet something similar for payment and e-money firms. So, in the absence of such a specific assurance standard the most appropriate professional standard is probably ISAE 3000. The International Standard on Assurance Engagements (ISAE 3000) looks at assurance engagements other than audits or reviews of historical financial information and can be applied to EMR and PSR guidance.
2. What is the right reporting date for the first reports and how quickly should the reports be submitted to management?
The new rules around an audit are recent and were published on 9 July 2020. We might therefore expect to see reporting dates within 12 months of that inception date and the reports submitted within 4 months of that date to mirror the CASS regime requirements. These firms were asked to provide an attestation that they meet the rules in 2019 so should have developed documented controls some time ago.
3. What will be the nature of opinion of the audit report – will it cover a period or a point in time?
As above, regulated firms should have already attested in 2019 that they have or have not met regulatory expectations. Therefore, the regulator is likely to seek a continuation of an ongoing assurance that their rules are being met. We would expect to see Type 2 reports emerge, covering compliance over a period, rather than reports on controls at a particular date (Type 1). In rare cases a regulated firm may be able to make the argument that a Type 1 report is warranted.
4. Will ‘Independence’ rules act to restrict the firms that can undertake these assurance reports?
To preserve their ‘independence’ there is a limit on the assurance work that a statutory auditor can provide. However, where the assurance report is required by regulations the statutory auditor could be permitted to do the work. Regulators (FCA and FRC) will need to think about how their rules impact the number of firms that can undertake these reports with due skill and diligence.
5. What exactly is meant by an assurance report against ‘regulatory expectations’?
Over time the FCA’s expectations have emerged in several forms: an Approach Document, a Dear CEO letter and guidance issued through their website. For clarity, it would be useful for the FCA to define its expectations definitively, which would help to support consistent audit reports by different firms.
6. How should one interpret the grey areas of the PSR / EMR and FCA Approach Document requirements?
We have identified a few areas in the requirements which are open to interpretation. To assist consistency of interpretation and application in each assurance report, it would be useful for the regulator to add clarity where possible. Realistically, this is likely to be a process that may take time.