Safeguarding: How to meet the FCA’s Dear CEO requirements

by Nick Botha, global payments sales manager, AutoRek

Share this post

AutoRek’s Nick Botha discusses how the FCA is taking payments safeguarding very seriously and firms should be able to demonstrate robust governance and control frameworks to avoid unwanted consequence.

The Financial Conduct Authority (FCA) issued a Dear CEO letter on 16 March to payments and e-money organisations. The regulator raised concern over the lack of “sufficiently robust controls” for safeguarding payments, which is causing firms to “present an unacceptable risk of harm to their customers and to financial system integrity”.

The regulator also outlined a consultation on strengthening safeguarding requirements in its sixth edition of the Financial Services Regulatory Initiatives Grid, published in February. This would use its increased rule-making powers as part of the Future Regulatory Framework Review.

Set to be published in H1, final rules and feedback are due in early 2024.

The latest Dear CEO letter and consultation outline show just how seriously the regulator is taking safeguarding. It gives a stark warning to firms that don’t demonstrate robust governance and control frameworks.

To help you meet the FCA’s safeguarding requirements, as outlined in the Dear CEO letter, we’ve put together a short guide. It explains the following:

  • The FCA’s top three requirements;
  • Best practices to meet these requirements; and
  • How to meet reconciliation requirements for compliance.

What are the FCA’s top 3 safeguarding requirements?

The regulator highlighted three requirements in its letter:

  1. Ensure customer money is safe – The regulator expects firms to ensure adequate safeguarding arrangements, improve prudential risk management, and maintain detailed wind-down places with appropriate triggers and requirements.
  2. Ensure operations don’t compromise the broader financial system’s integrity – This requires systems and controls to assess, monitor and manage money laundering risk. It also includes sanctions exposure, risk, and the need to address weaknesses in systems and controls to prevent fraud.
  3. Meet customer needs through high-quality products and services, competition, innovation and robust implementation of the Consumer Duty rules.

Best practices: How to meet the safeguarding requirements

Meeting the above payments and e-money safeguarding requirements requires a robust approach to safeguarding. This means you should be able to demonstrate the following:

  • All relevant funds are identified, including those held on behalf of clients, money received for transactions, fees and charges;
  • All client funds are segregated from your funds and held in separate accounts, preventing their use for other purposes;
  • Effective systems and controls managing the risks of holding relevant funds are established and maintained; and
  • Regular internal and external reconciliations of safeguarding flows are conducted to ensure they’re accurately accounted for.

Achieving good governance

The FCA expects you to maintain records that demonstrate and explain how you comply with every aspect of safeguarding obligations.

This should include a documented rationale for every decision made regarding safeguarding processes and the systems and controls your organisation has in place. In addition, an appropriate individual should have oversight of all regulatory procedures to ensure each aspect of those procedures comply.

Mitigate third-party risk

Your firm should exercise all due diligence in selecting, appointing and periodically reviewing credit institutions, custodians and insurers involved in safeguarding arrangements.

This review should include the following:

  • The need to diversify risk;
  • The capital and credit risk of the third party;
  • The amount of relevant funds or assets placed, guaranteed or insured as a proportion of a third party’s capital and, in the case of credit institutions, deposits; and
  • The level of risk in the investment and loan activities undertaken by the third party and its affiliates.

Keep appropriate documentation

You must keep records of any relevant funds segregated, relevant funds placed in an account with an authorised credit institution, and any assets placed in a custody account. It should always be clear what funds have been segregated and via what method.

Records must also distinguish what relevant funds and assets are held from one e-money holder or payment service user from another. They should be easily distinguishable from your own, and you should be able to explain any transactions.

How to meet reconciliation requirements for safeguarding

Reconciliations are a critical dimension of safeguarding compliance. You must conduct reconciliations between:

  • Records and accounts of the entitlement of e-money holders/payments service users; and
  • Relevant funds and assets with the records and accounts of amounts safeguarded.

These need to be completed as often as necessary and as soon as reasonable. Records must show and explain the internal reconciliation method and its adequacy.

You must also perform reconciliations between internal accounts and records and those of third parties safeguarding relevant funds or assets. Again, perform this as regularly and as soon as possible to ensure accuracy.

To determine how often you need to perform reconciliations, consider the risks your firm is exposed to. These may relate to your business’s nature, volume and complexity, and where and with whom the relevant funds are held.


Nick Botha is global payments sales manager at AutoRek.

More To Explore


Are you a member of The Payments Association?

Member benefits include free tickets, discounts to more tickets, elevated brand visibility and more. Sign in to book tickets and find out more.


Log in to access complimentary passes or discounts and access exclusive content as part of your membership. An auto-login link will be sent directly to your email.

Having trouble signing?

We use an auto-login link to ensure optimum security for your members hub. Simply enter your professional work e-mail address into the input area and you’ll receive a link to directly access your account.

First things first

Have you set up your Member account yet? If not, click here to do so.

Still not receiving your auto-login link?

Instead of using passwords, we e-mail you a link to log in to the site. This allows us to automatically verify you and apply member benefits based on your e-mail domain name.

Please click the button below which relates to the issue you’re having.

I didn't receive an e-mail

Tip: Check your spam

Sometimes our e-mails end up in spam. Make sure to check your spam folder for e-mails from The Payments Association

Tip: Check “other” tabs

Most modern e-mail clients now separate e-mails into different tabs. For example, Outlook has an “Other” tab, and Gmail has tabs for different types of e-mails, such as promotional.

Tip: Click the link within 60 minutes

For security reasons the link will expire after 60 minutes. Try submitting the login form again and wait a few seconds for the e-mail to arrive.

Tip: Only click once

The link will only work one time – once it’s been clicked, the link won’t log you in again. Instead, you’ll need to go back to the login screen and generate a new link.

Tip: Delete old login e-mails

Make sure you’re clicking the link on the most recent e-mail that’s been sent to you. We recommend deleting the e-mail once you’ve clicked the link.

Tip: Check your security policies

Some security systems will automatically click on links in e-mails to check for phishing, malware, viruses and other malicious threats. If these have been clicked, it won’t work when you try to click on the link.

Need to change your e-mail address?

For security reasons, e-mail address changes can only be complete by your Member Engagement Manager. Please contact the team directly for further help.

Still got a question?