On September 25, the Financial Conduct Authority (FCA) published the long-awaited consultation paper CP24/20, introducing proposed amendments to the rules governing the safeguarding of customer funds that are applicable to payments and e-money firms.
The proposed rules send a clear message to payments firms: consumer protection remains a key area of concern – even where they’ve already secured their authorised payments institution (API) or electronic money institution (EMI) permissions. This message was reinforced by a recent precedent where the FCA terminated the licence of a firm failing to demonstrate adequate safeguarding arrangements, among other failings.
The proposals also signal the FCA’s intention to remain agile and flexible, and to shape its supervisory and regulatory approach according to the subject matter and the risks it perceives to consumer protection.
The draft rules are likely to trigger profound changes to operational processes of licensed firms.
There is a small deviation from the FCA’s 2022-25 strategy, which reinforced the commitment to address the risk of failure by firms at the authorisation gateway and, where appropriate, through early oversight. This may suggest that some API and EMIs may not have reached a business-as-usual stage where the bulk of concerns were successfully addressed at authorisation stages.
There is also a change of course from a regulatory standpoint: while most of the proposed rules are inherently prescriptive, other topics in payments which are to be targeted by future regulatory activity (such as strong customer authentication) are expected to shift from prescriptive to an outcomes-based regime. This does not appear to be the case for safeguarding. The expectations and must-dos are clear.
What is being proposed for payments safeguarding
CP24/20 fundamentally proposes the introduction of new rules to be implemented across two phases: interim, to minimise disruption in preparation and transitioning; and end-state.
The interim phase sets out essentially prescriptive obligations. There are two particularly interesting points. The first details the requirement for monthly safeguarding reporting requirements. The other requires them to produce resolution packs, containing all the information needed to enable swift return of relevant funds to consumers.
More frequent reporting can help the regulator with faster detection of risks. On the other hand, firms’ internal controls in respect of data checks and validation are likely to be impacted, at least during preparation stages.
There’s a logical interplay between the new resolution pack requirement and existing regulatory expectations around wind-down planning. According to the Approach Document guidance, wind-down plans must have details about identification of customer funds, for whom they are held, and how to promptly return such funds. This only reinforces that a holistic approach to compliance in payments is always needed.
The end-state phase ultimately aims to evolve the current safeguarding requirements to a ‘quasi-CASS’ regime, where safeguarded funds are formally considered as held on a statutory trust, combined with the enhancement of certain elements of safeguarding practices.
The rules will change the UK courts’ decision that client funds held by APIs and EMIs do not form a statutory trust. In reviewing this position (critical in instances of firm insolvency), the FCA expects to minimise delays from insolvency practitioners with identifying and returning funds to customers, regardless of claims from other secured creditors.
The proposal to exempt firms from the obligation to receive relevant funds directly into a safeguarding account in instances of funds received through an acquirer, requires careful consideration. In such scenarios, it is being proposed to require the deposit of relevant funds to take place by the end of the business day after the day they were received (D+1).
Our experience supporting a range of clients in respect of their safeguarding arrangements has given us visibility on a multitude of payments flows from initiation until the arrival of funds at a safeguarding account. This includes scenarios where a regulated merchant acquirer transacts with another regulated acquirer acting in the capacity of a ‘master merchant’ (this not being the acquirer of record from a card scheme perspective).
The proposed D+1 combined with the statutory trust would benefit from being considered in the context of such scenarios by consultation stakeholders. This is because although the ‘master merchant’ funds are being safeguarded by the acquirer of record (to whom a statutory trust is also formed), in the event of insolvency of that acquirer of record, it is unclear how merchants of record would have rapid access to their D+1 funds.
How we can help
KPMG’s payments regulatory team has significant experience helping firms to understand and adhere to safeguarding rules and to run safeguarding audits. Please do not hesitate to contact us for help with better understanding how your firm’s existing arrangements align with the current and future state of payments regulation.
This article was written by Michelle Plevey, Stuart Taylor and Andre Mendes.