How payment firms can prepare for the FCA’s proposed safeguarding regime

by George Iddenden, Reporter, The Payments Association

What is this article about?

The Financial Conduct Authority’s (FCA) proposed reforms to strengthen consumer fund safeguarding in the payments and e-money sectors.

Why is it important?

The reforms aim to address weaknesses in safeguarding practices, reduce consumer fund risks, and enhance regulatory compliance, particularly in preventing fund shortfalls.

What’s next?

Firms must prepare for these changes by improving their internal processes, conducting audits, and adapting to new compliance requirements to ensure seamless implementation of the FCA’s reforms.

The Financial Conduct Authority (FCA) is consulting on new rules and guidance to strengthen the safeguarding of consumer funds in the payments and e-money sectors. These changes are driven by a rise in consumer complaints and insolvencies in the payments sector. They include interim measures to improve compliance with current regulations (EMRs and PSRs) and a shift to a client assets sourcebook (CASS)-style regime where consumer funds are held on trust.

These reforms aim to address weaknesses in the existing approach, reduce the risk of shortfalls, ensure quicker and more cost-effective fund recovery, and improve the FCA’s ability to intervene when firms fail to meet safeguarding standards. The proposals will impact authorised payment institutions, e-money institutions, and other relevant firms, with a broader interest for consumers, insolvency practitioners, and legal professionals.

The significance of this cannot be overstated, as inadequate safeguarding practices have led to considerable harm to consumers in the past, resulting in shortfalls of up to 65% in some cases. The current safeguarding rules are based on the Payment Services Regulations 2017 (PSRs) and E-Money Regulations 2011 (EMRs). However, there are numerous issues due to poor compliance.

Two-pronged approach

The FCA’s CP24/20 outlines a two-stage approach to reforming the safeguarding regime for payment and e-money firms. The first stage, interim rules, focuses on enhancing compliance with existing safeguarding requirements, while the second stage, the end-state rules, introduces more robust measures that will reshape how firms protect consumer funds.

Interim rules:

These are designed to address immediate weaknesses in the current system and improve standards across the sector:

  • Daily reconciliations: Firms must reconcile safeguarded funds daily, ensuring correct amounts are separated from operational funds.
  • Monthly reporting: Payment firms must submit monthly regulatory returns, allowing the FCA to monitor trends and intervene if safeguarding practices fall short.
  • External audits: Mandatory annual audits by qualified, independent auditors will become the norm, aimed at verifying firms’ compliance with safeguarding rules.

End-state rules:

The more transformative phase involves:

  • Statutory trusts: Firms will need to hold consumer funds in statutory trusts, meaning consumers will have clear legal ownership of their funds in the event of firm failure, greatly improving consumer protection.
  • Improved fund segregation: Firms will be required to hold safeguarded funds in designated accounts with authorised institutions from the point of receipt, preventing delays and potential mismanagement.
  • Tighter oversight of third parties: When firms engage third parties to manage safeguarded funds, stricter due diligence and diversification will be required, reducing third-party failure risks.

The FCA has stressed that these reforms are critical to addressing widespread weaknesses in safeguarding practices, which have led to significant consumer harm. With many firms facing supervisory interventions due to poor safeguarding, there is a strong sense of urgency. Firms that do not swiftly adapt to these new requirements risk penalties, reputational damage, and potential insolvency issues as the FCA intensifies its scrutiny and enforcement of safeguarding practices.

Sidley Austin Partner Max Savoie believes the proposals present significant work for payments firms. He says: “There are some substantive changes that are going to affect firms in ways that could create a lot of costs and may result in some firms needing to implement major operational changes based on the current draft of the rules.” 

Savoie emphasises that the increased monitoring, reconciliation, and reporting requirements will be a significant administrative burden for firms, necessitating major operational adjustments. He adds: “These could result in increased supervisory and enforcement action from the FCA, as it will have a lot more data and will likely aim to use this to identify and take action against firms that consistently fail to meet its requirements.”

By acting now, firms can mitigate operational disruption, enhance their governance, and ensure they are better equipped to protect consumers in an increasingly complex payment landscape.

Savoie’s views are shared by Thistle Initiatives Manager Alejandra Gorria, who believes the new requirements proposed will be relatively complex and require a significant effort for small and medium firms that are already in the market to implement.

She tells Payments Intelligence: “I feel like the FCA might have gone a bit overboard with the new requirements, and for small and medium firms that are already in the market, they are already working on some of the requirements proposed in the consultation paper, and these are going to be relatively difficult, potentially, to implement. It’s going to be a big effort for them to ensure that they are complying.”

Gorria’s concerns highlight the operational challenges and financial burdens facing small and medium-sized firms in complying with these new rules. Unlike larger firms, which may have more resources to handle the increased reporting, reconciliation, and audit requirements, smaller firms will likely face significant financial and operational challenges, as these reforms will require substantial investments in compliance infrastructure. From hiring external auditors to upgrading financial systems, the compliance burden for smaller firms is expected to be heavier compared to larger, more resource-equipped institutions.

Immediate steps payment firms should take

To effectively prepare for the FCA’s new safeguarding regime, payment firms must take several proactive steps to strengthen their internal processes and ensure compliance. These immediate actions include:

  • Strengthen internal record-keeping: As outlined earlier, firms must strengthen internal record-keeping and reconciliation processes to comply with FCA requirements and reduce safeguarding risks.
  • Implement daily reconciliations: Firms should conduct daily reconciliations to separate client money from operational funds, reducing the risk of discrepancies and safeguarding failures.
  • Prepare for external audits: Annual safeguarding audits will become mandatory, so firms should ensure that their systems and controls are audit-ready by improving internal processes and compliance frameworks.
  • Develop a clear insolvency contingency plan: Having a robust plan in place ensures that, in the event of financial difficulties, safeguarded funds can be quickly identified and returned to consumers, reducing the risk of delays and operational disruptions.

Audit preparation

The FCA’s new requirement for annual external safeguarding audits is a significant measure to ensure firms maintain high standards in protecting consumer funds. Under these rules, payment firms will need to appoint independent, qualified auditors to review and verify their compliance with safeguarding requirements. These audits will assess whether the firm’s systems and controls are adequate to prevent safeguarding failures, which is essential for reducing risks to consumer funds and building trust within the payment sector.

To ensure compliance and pass these audits, firms should focus on selecting the right audit firm—one with proven experience in auditing safeguarding practices within the financial sector. It’s crucial to choose auditors who are familiar with the FCA’s rules and can provide targeted insights into improving safeguarding measures. Firms should also prepare by conducting internal pre-audits or assessments to identify any gaps in their current processes, ensuring they address these before the formal audit takes place.

Gladius Assurance Principal Dennis Cheng tells Payments Intelligence that this presents an opportunity to “systemise”. He says: “What I mean by that is when you have a systematised approach to safeguarding regardless of who comes in, be it auditors, regulators, or potential investors, this is a great way to demonstrate this is the way we design our controls and maintain a robust control environment for payments. That’s a good thing for the business, and it so happens to be a good thing that the auditors are looking for as well.”

Regular communication between the audit firm and internal compliance teams will also help maintain alignment on regulatory expectations, reducing the risk of non-compliance. Finally, payment firms should implement any recommendations made by auditors promptly to strengthen their safeguarding framework and avoid future compliance issues.

Oversight of third-party providers

In addition to audits, another key area that firms must address is the oversight of their third-party providers. This is a vital component of the FCA’s new safeguarding regime, as payment firms often rely on banks, custodians, and insurance providers to hold or protect consumer funds. Conducting thorough due diligence on these third parties is essential to ensure they meet the necessary standards of security and reliability.

Firms must continuously evaluate the financial stability, regulatory compliance, and track record of the institutions they choose to safeguard funds to ensure ongoing reliability, as any failure by these third parties could directly impact consumers. This due diligence process should be continuous, not just at the onboarding stage, to identify any emerging risks or changes in the third party’s risk profile.

Additionally, the FCA advises firms to diversify their third-party risks. Relying on a single institution or custodian to hold all safeguarded funds creates a concentration risk—if that entity faces financial difficulties, it could jeopardise the firm’s ability to return consumer funds swiftly.

Firms should consider spreading their safeguarded funds across multiple institutions to reduce this risk and ensure they are covered by more than one insurance or guarantee provider if applicable. By taking these steps, payment firms can strengthen their safeguarding framework, reduce potential points of failure, and increase resilience against third-party risks.

Preparing for the end-state changes

The introduction of statutory trusts under the FCA’s new safeguarding regime marks a significant shift in how payment firms handle consumer funds. Under this framework, firms will now hold safeguarded funds in trust for the benefit of their customers, ensuring that these funds are legally separated from the firm’s own assets.

This formalises existing protections for customers, providing clearer legal ownership in insolvency situations while maintaining current prioritisation of payment service users over other creditors. Savoie notes that this could make payouts on insolvency simpler as funds held on trust by a firm would generally fall outside the firm’s insolvent estate, and so would not be available to other creditors. However, he notes, “As the existing rules applicable to payment institutions and e-money institutions already prioritise payment services users and e-money holders over other creditors, it’s not yet clear how much of a change these reforms will make in practice”.

Savoie also explains that there will be implications for firms in the ordinary course of safeguarding funds, even if they never enter into insolvency. “What happens if you’re running a payment or e-money institution? You might be tempted to think, ‘Well, why do I really care about this? This is all just stuff that will apply if my business fails, at which point I may be out of the picture.’ But it does have an impact because the statutory trust will come with various ongoing fiduciary duties to customers that may extend beyond what a firm would otherwise have to do in relation to safeguarding.”

The interaction between the new fiduciary duties and the FCA’s Consumer Duty rules could also be difficult for firms to manage. As Savoie points out, “For firms subject to the FCA Consumer Duty, many related and overlapping obligations will apply. This could create a lot of uncertainty for firms, as it will effectively mean having to assess the same decisions relating to customer funds under two different sets of rules. Furthermore, for firms serving business customers that fall outside the scope of the Consumer Duty, the new fiduciary duties will represent an expansion of existing requirements. In both cases, firms will be subject to additional forms of direct liability to their customers for losses, shortfalls and any misuse of funds. In other words, even for people currently running a solvent and profitable firm, the changes will come with real risks.”

In addition to complying with the trust framework, firms must also carefully manage the safeguarding of secure, liquid assets. The FCA allows firms to invest safeguarded funds in secure, liquid assets to generate returns, but these assets must be readily convertible to cash in the event of firm failure or high redemption volumes. To comply, firms should adopt a diversified investment strategy, ensuring that their asset portfolio spreads risk while adhering to liquidity requirements.

Savoie emphasises the importance of conducting thorough due diligence to ensure the firm has the right regulatory permissions to manage liquid assets and carefully evaluate any third-party providers and the rules governing how they hold and manage those assets. He suggests firms pay close attention to the detailed provisions in the draft rules.

He says: “I think the onus will be on doing appropriate due diligence at the start. Firstly, do you have the right regulatory permissions to invest in liquid assets in the manner in which you are planning? If not, you might find you have inadvertently caused your firm to commit a criminal offence because you actually needed additional FCA authorisations to structure the arrangement in the way that you thought made the best sense commercially. There’s a whole other regulatory regime around this under the Financial Services and Markets Act and it’s one that firms will be at peril to ignore.”

“If you’re using a third party, which is more likely, you really need to look into how that third party will be holding those assets, and your recourse to them and ability to monitor and assess how they do this on an ongoing basis. As with other aspects of the proposals, the draft rules are detailed, prescriptive and not always that flexible, so there is a lot to work through here.”

Firms must also regularly monitor the market for any changes that might affect the liquidity or security of these assets. By taking a cautious and compliant approach to asset management, firms can safeguard consumer funds while maintaining operational flexibility, all within the legal boundaries established by the statutory trust framework.

Training and compliance

To successfully navigate the FCA’s new safeguarding regime, payment firms must prioritise staff training and the enhancement of internal controls. Educating employees on the intricacies of the new rules, particularly around statutory trusts, daily reconciliations, and third-party due diligence, is crucial for ensuring firm-wide compliance.

Staff at all levels need to be equipped with the knowledge and skills to implement these changes effectively. Regular training sessions, updates on regulatory changes, and workshops on safeguarding best practices will not only ensure compliance but also foster a culture of responsibility and accountability when handling consumer funds.

Moreover, firms should designate a compliance officer who will be directly responsible for overseeing adherence to safeguarding requirements. This individual will act as the central point of contact for managing audits, monitoring regulatory reporting, and ensuring that safeguarding procedures are followed meticulously.

Having a dedicated compliance officer ensures that safeguarding is treated as a strategic priority and that the firm can respond quickly to any emerging issues. Additionally, this role is key in maintaining open lines of communication with regulators, keeping the firm aligned with FCA expectations, and continuously reviewing internal processes to prevent safeguarding breaches.

According to Alejandra Gorria, firms should prioritise several key internal controls to ensure compliance with the enhanced FCA safeguarding requirements.

Firstly, Gorria emphasises the importance of gap mapping: “Ensure you’re doing sufficient gap mapping. Mapping those gaps and be sure that you remediate ahead of time.” This exercise will help firms identify the areas that need to be addressed to meet the new standards.

She also highlights the need to enhance the reconciliation process, noting that “the reconciliation piece is going to be really detailed. So you probably are going to need to get finance teams in there to help, not just operations and compliance.”

Additionally, Gorria stresses the importance of training, stating that “training is very important, it’s just ensuring that the training is enhanced and aligns with the new requirements.” Keeping staff up-to-date on the intricacies of the new safeguarding rules will be essential.

Finally, Gorria emphasises the need to diversify third-party safeguarding arrangements, as “you don’t want all of your eggs in the same basket. You need to be cautious of that. Firms should follow best practices, such as enhanced due diligence, to mitigate risks associated with third-party providers.”

Gorria’s views are shared by A&O Shearman Partner Nikki Johnstone, who adds that training is “a crucial aspect” of the proposed safeguarding frameworks. She says: “This is not a topic which should sit solely within Legal or Compliance. If Finance, Ops, Risk and Treasury teams do not understand the fundamental purpose and requirements of the safeguarding regime, then there is a heightened risk that a firm’s day-to-day operational practices risk developing in practice in a manner which falls foul of the rules.

“Having external advisers assist with periodic training makes sense given the complexity of the regime, but this should always be structured as a collaboration with internal stakeholders/subject-matter experts and tailored to the specific business – you otherwise risk a tick box educational process which will not have a meaningful impact on a firm’s ability to demonstrate adherence.”

Mitigating risk and ensuring business continuity

Having an insolvency contingency plan is critical for payment firms under the new FCA safeguarding regime, as it ensures that they are fully prepared to respond quickly and efficiently if they face financial difficulties. Such a plan outlines the steps firms must take to protect consumer funds and maintain business continuity in the event of insolvency. Without a well-structured contingency plan, firms risk being unable to swiftly identify and return safeguarded funds, leading to consumer repayment delays and increased costs related to the insolvency process. Given that consumer claims will take priority under the statutory trust framework, an insolvency contingency plan helps firms minimise operational disruptions, reduce reputational damage, and avoid legal complications by ensuring they are prepared to meet regulatory requirements and consumer expectations.

Savoie suggests this could have implications for insolvency contingency planning, as the fiduciary duties as a trustee may extend beyond what firms would otherwise have to do, especially for business customers outside the Consumer Duty’s scope. This could impact how firms handle customer funds in an insolvency scenario.

He says: “For firms subject to the FCA Consumer Duty dealing with consumers, many related obligations likely apply. These obligations are broader and may include specific trustee responsibilities that wouldn’t typically be required. Furthermore, for firms serving business customers exempt from the Consumer Duty, obligations such as acting in the best interests of those customers wouldn’t typically apply. However, in relation to the funds held, these obligations arguably exceed the firm’s usual requirements, even if one might contend that they align with the FCA’s general principle of business.”

Insurance and guarantees also play a crucial role in the FCA’s safeguarding regime, providing additional protection for consumer funds. By holding appropriate insurance policies or guarantees, payment firms can cover potential shortfalls in safeguarded funds, ensuring that consumers are fully compensated if the firm is unable to return their money in the event of failure.

These financial instruments act as a safety net, reducing the risk of consumer losses even if the firm’s operations become strained. To fully benefit from these protections, firms must ensure that their insurance and guarantee arrangements are well-structured, continuously reviewed, and compliant with FCA standards. This includes clearly understanding the conditions under which the policies would pay out and ensuring that any claims can be processed quickly to avoid delays in returning funds to consumers.

Final takeaways

Cheng suggests that one potential innovation in third-party risk management that could help payment firms better protect consumer funds and comply with the new safeguarding regulations is the concept of “funding from a non-statutory trust account”, as seen in the insurance broking sector operating in the London market where the firm is allowed to make advances of credit to the firm’s clients out of the client money account.

He explains that in the insurance broking industry, when claims need to be paid out before the corresponding [amounts] premiums have been received from insurers, the non-statutory trust account is used to fund those outgoing payments. This allows the system to manage netting, offsets, and liquidity mismatches, rather than rigidly requiring a one-to-one relationship between incoming and outgoing funds. Cheng proposes that a similar funding mechanism from a [non-statutory] trust account could be an interesting concept for the payments sector to explore [as it makes the payments ecosystem operate more efficiently].

This type of approach could potentially address some of the liquidity challenges payment firms may face in fully segregating and safeguarding client funds, as required under the new regulations. While not entirely “innovative” in the strictest sense, Cheng believes adopting this insurance broking industry practice, [subject to appropriate systems and controls safeguards], could provide a useful solution to help payment firms comply with the safeguarding rules in a more operationally feasible manner.

Adapting to the FCA’s new safeguarding regime is not just about regulatory compliance—it’s about ensuring the long-term stability of payment firms and the protection of consumers’ funds. By embracing these changes, firms can strengthen their internal processes, enhance governance, and build greater trust with their customers. The introduction of statutory trusts, improved record-keeping, and enhanced third-party oversight provide firms with an opportunity to solidify their safeguarding practices, making them more resilient to financial and operational risks.

However, now is the time for firms to act. Early preparation for interim and end-state rules will prevent disruptions, penalties, and reputational damage. Firms must take immediate action to align their operations with the FCA’s proposed safeguarding regime. By conducting internal reviews, training staff, and implementing stronger audit and reconciliation processes, firms can minimise disruption, avoid penalties, and build stronger consumer trust. Early compliance will provide a competitive advantage in the evolving regulatory landscape.
