Safeguarding requirements: more detail on audit of compliance by e-money firms/payment institutions
The January 2023 ‘Dear CEO’ letter from the Central Bank to payment institutions and e-money firms was particularly focused on safeguarding. In that letter, the Central Bank asked all payment institutions and e-money firms who are subject to the safeguarding requirements in the Payment Services Regulations / E-Money Regulations (as appropriate) to commission an audit of their compliance with those requirements from an audit firm which has the necessary specialist skill to audit compliance in this area.
Each in-scope firm was asked to provide that audit opinion, together with a response from its board to the outcome of that audit, to the Central Bank by 31 July 2023. The Central Bank subsequently extended that deadline to 31 October 2023 to give Chartered Accountants Ireland (CAI) sufficient time to develop guidance for their members on how to carry out that exercise.
The Central Bank has now confirmed (in a Safeguarding Notice) that an acceptable format for engagements between in-scope firms and their auditors has been agreed, and that CAI will be issuing guidance to its members shortly.
In-scope firms must prepare a detailed document (the Description) describing the organisational arrangements that they had in place on 31 December 2022 (the Reference Date). The Description must describe the processes and controls for:
- The governance and oversight of compliance with the safeguarding rules.
- How the ‘safeguarding universe’ is established (i.e. how the firm identifies which of its services could give rise to it holding ‘users’ funds’).
- Consistently identifying which funds are ’users’ funds’ as which require safeguarding, and when those funds cease to be ‘users’ funds’.
- Designating safeguarding accounts (if the segregation method is used) and the opening of any new safeguarding accounts.
- Limiting access to the safeguarding to authorised individuals.
- Preventing the co-mingling of ‘users’ funds’ with non-‘users’ funds’ in the safeguarding accounts (and how non-‘users’ funds’ are identified and removed from safeguarding accounts in a timely manner).
- Ensuring that appropriate daily reconciliations of safeguarding accounts are performed and reviewed.
- Meeting the insurance policy/comparable guarantee requirement.
- Identifying any potential or actual breaches of the safeguarding requirements including escalation to the board of directors/relevant committee and communication to the Central Bank if necessary.
- Maintaining an inventory of all outsourced services in connection with safeguarding requirements including details of ongoing monitoring and due diligence undertaken.
- Ensuring that the liquidity of safeguarding arrangements facilitates the redemption of e-money at any time and at par value or the timely execution of payment transaction requests.
- Ensuring that users’ funds are not invested in liquid assets (other than cash) without prior approval from the Central Bank.
- Where ‘user’s funds’ are invested in assets designated or approved by the Central Bank as secure, liquid and low risk assets: how the value of investments held is obtained on an ongoing basis, how the market risk associated with those investments is managed, and how those investments are liquidated.
The document must also include details of the various systems that the in-scope firm uses in the processes to meet its safeguarding obligations, a list of IT dependences between those systems, details of any outsourcing arrangements (and how those are monitored and supervised) and details of IT controls over these systems.
Once the in-scope firm has prepared the above description, the Central Bank expects it to formally document any identified gaps that could adversely impact the firm’s ability to comply with the safeguarding requirements.
In-scope firms must then prepare an assertion (the Assertion), approved by the board of directors, stating that in all material respects, the Description is fairly presented (by reference to the criteria set out in the May 2023 Safeguarding Notice), and that the processes and controls included in the Description operate as described as of the Reference Date.
Reasonable Assurance Attestation Engagement (Auditor)
The statutory auditor (or other audit firm) will perform a reasonable assurance attestation engagement in relation to the Assertion.
This will address whether:
- the Description is, in the auditor’s opinion, fairly presented based on the same criteria used by directors to make the Assertion, and
- whether the processes and controls set out in the Description as of the Reference Date are fairly presented.
The Central Bank has confirmed that the auditors will not be giving an assurance that the arrangements set out in the description are appropriate for the purposes of complying with the safeguarding requirements of the Payment Services Regulations or the E-Money Regulations.
Review Engagement (Auditor)
The auditor must also carry out a review engagement in which they consider the Description, together with information provided by the firm, discussions at meetings with the firm’s management and any gaps or deficiencies identified by the firm or by the auditor.
The auditor will then “prepare a narrative or long form report setting out the work performed and their professional view of the relevant arrangements. The review engagement will not involve the provision of an assurance opinion.”
The reports must then be submitted to the Central Bank by each in-scope firm by 31 October 2023.
The Central Bank’s continuing emphasis on safeguarding makes sense given the very significant impact on customers if a firm’s safeguarding arrangements fail. It is clear that the Central Bank expects a firm’s board to take ultimately responsibility for this issue. Our previous updates on this topic are here:
Please get in touch with Robert Cain, Richard Willis or your usual contact in our Financial Regulation Group or our Financial Regulation: Investigation and Enforcement Group to discuss any of the issues raised by the Central Bank in more detail.