FCA Payments and E-Money safeguarding consultation
contexts and potential consequencesThe Financial Conduct Authority (FCA) is consulting on proposals to strengthen the safeguarding rules for payment and e-money firms, to introduce CASS-like measures to increase protection for customer funds when firms become insolvent. These range from record keeping and monitoring requirements, to protections around safeguarded funds (extending to trusts), and governance duties.
The FCA's consultation closes on 17 December 2024, with the FCA expecting to publish its final interim rules and accompanying policy statement in the first half of 2025. For firms to which the proposals set out in the FCA's consultation apply it would be prudent to consider the potential impact on your business and provide responses to the FCA by 17 December.
This note sets out the background to a rationale for the consultation, as this is central to understanding the proposals the FCA makes. It summarises its implications for firms in-scope in the medium and long-term, and a summary of next steps.
Market Context
Legislation and regulatory activity over the past 15 years or so has opened up competition in the payments sector and improved choice for consumers. The FCA has been focussing on the increase in non-bank payment providers that are not covered by the Financial Services Compensation Scheme in the event of insolvency, in the context of customer risk if and when these firms fail.
Many authorised payment institutions (APIs), e-money institutions (EMIs, and credit unions who issue e-money (collectively Payment Firms) are currently operating within the United Kingdom. The FCA’s Financial Lives 2022 Survey shows a five-fold increase in the use of accounts with EMIs between 2017 and 2022, while a 2022 report from Transparency UK points to authorised EMIs making more than GBP500 billion worth of transactions in 2020/21. The FCA reports that the latest regulatory returns suggest that APIs process GBP919 billion in payments through 12 billion transactions annually.
In recent years, the sector has been subject to high profile shocks, such as the administration of ipagoo LLP (an EMI), the special administration of Xpress Money Services Limited (an API), and the liquidations of Allied Walled Limited (an EMI) and Premier FX Limited (an API that was later publicly censured by the FCA for seriously misleading its customers about the services it was authorised to provide and how it held customers' money). According to the FCA, of the 12 Payment Firms that became insolvent between Q1 2018 and Q2 2023, there was an average shortfall of 65% between the funds owed to customers and the funds safeguarded – for the EMIs alone, the average shortfall was 80%. More starkly, in 8 of those 12 instances there were shortfalls of greater than GBP1 million, and in 2 instances there was a shortfall of more than GBP20 million. Where there were funds available to be distributed to customers, it took an average of 2.3 years for these to be paid. At least there was payment in those cases – the FCA notes that there has been a distribution in only 1 of the 6 insolvencies that have occurred since 2021.
Current Regime
The current safeguarding regime is set out in the Payment Services Regulations 2017 (PSRs) and the Electronic Money Regulations 2011 (EMRs). This is intended to protect customers where funds are held by an institution - if the funds are safeguarded in accordance with the rules, they will be available to customers in the event that the institution becomes insolvent. All APIs are required to comply with the safeguarding requirements in regulation 23 of the PSRs and all authorised EMIs are required by regulation 20 of the EMRs to safeguard funds received in exchange for issued e-money. Small EMIs and credit unions that issue e-money but also provide unrelated payment services can choose to comply with the safeguarding requirements in the PSRs for funds received for payment services - this is to offer the same protection over customer funds as authorised EMIs and authorised APIs must provide. Small payment institutions can opt-in to comply with safeguarding requirements on a voluntary basis. Where there is no safeguarding requirement, firms are still required to arrange adequate protection of those clients’ assets for which they are responsible in accordance with the FCA's Principles for Businesses.
One of the ways in which customer funds can be safeguarded is to keep them separate from other funds that the firm holds, including its own assets. The FCA notes that this method is used by more than 95% of firms. Firms can also safeguard funds by protecting them under an insurance policy or guarantee, with the pay-out on insolvency intended to cover the relevant funds.
Legal uncertainty was created around the status of safeguarded funds as a result of the case Baker and another v Financial Conduct Authority (Re Ipagoo LLP) [2022] EWCA Civ 302. Ipagoo LLP was an EMI regulated by the FCA that went into administration without having safeguarded sufficient relevant funds to repay customers, and its administration resulted in the FCA arguing to the Court of Appeal that funds from e-money holders were subject to a statutory trust as soon as they were received. The Court of Appeal disagreed and ruled that the EMRs do not impose a statutory trust over those funds. The court did decide that when there is a shortfall in the customer “asset pool” of an insolvent EMI, that pool should be topped up to include customer funds that were not safeguarded under the EMRs but should have been.
A special administration regime for insolvent APIs and EMIs was introduced through the Payment and Electronic Money Institution Insolvency Regulations 2021. This establishes three objectives for a special administration, one of which is to ensure the return of customer funds as soon as is reasonably practicable. The legislation also includes provisions in relation to shortfalls in the asset pool. The FCA notes in its consultation paper, the special administration regime does not affect pre-insolvency safeguarding practices.
The FCA's Concerns
The FCA's Approach Document has a long-standing role in setting out compliance expectations for PSRs and EMRs. However, according to the consultation paper, there remain poor practices across the industry due to failures in implementation.
The FCA's concerns about risk to consumers in the event of insolvencies led to the FCA issuing a “Dear CEO” letter to Payment Firms in March 2023. Some outcomes set for the Payment Firms within the letter included: (1) ensure that your customers' money is safe; and (2) ensure that your firm does not compromise financial system integrity. Notwithstanding this, the FCA notes that, in 2023, it opened supervisory cases dealing with safeguarding concerns in relation to around 15% of firms that safeguard.
The FCA is proposing to revise the safeguarding regime in order to maximise the money returned to consumers if a Payment Firm fails, to ensure that customers receive their money as quickly as possible, and to strengthen the FCA's ability to identify and intervene where Payment Firms are failing to comply with safeguarding requirements.
The Consultation
The FCA has set out in its consultation paper (CP24/20: Changes to the safeguarding regime for payments and e-money firms) that it proposes to bring in new safeguarding obligations in 2 stages with the aim of minimising disruption to firms:
- an interim state, intended to improve compliance with the current requirements; and
- an end state that will see a move to a new client assets regime where consumer funds are held on trust. The end-state rules will build on the improved measures contained in the interim state.
Interim state
The FCA proposes this would come into force 6 months after the new rules and guidance are published. The key proposals are to:
- improve books and records – this will involve:
- more detailed record-keeping and reconciliation requirements for safeguarding, building on existing guidance and similar to existing requirements set out in CASS 7 for investment firms; and
- the requirement to maintain a resolution pack, including requirements on the types of documents and records to be included,
- enhance monitoring and reporting – this will involve:
- completing a new monthly regulatory return to be submitted to the FCA covering safeguarded funds and safeguarding arrangements;
- having compliance with safeguarding requirements audited annually, with the audit submitted to the FCA; and
- allocating oversight of compliance with the safeguarding requirements to an individual in the Payment Firm,
- strengthen elements of safeguarding practices – this will involve:
- additional safeguards where Payment Firms invest relevant funds in secure liquid assets (as opposed to ringfencing);
- requirements to consider diversification of third parties with which Payment Firms hold, deposit, insure or guarantee relevant funds that it is required to safeguard and due diligence requirements; and
- additional safeguards and more detailed requirements on how Payment Firms can safeguard relevant funds by insurance or comparable guarantee.
End state
The key features of the proposals for the end state, which would be subject to a 12-month transition period, are to:
- strengthen elements of safeguarding practices – this will involve:
- more robust requirements on how Payment Firms must segregate and handle relevant funds. This will include receiving relevant funds directly into an appropriately designated account at an approved bank, except where funds are received through an acquirer or an account used to participate in a payment system; and
- the principle that agents and distributors cannot receive relevant funds unless their principal Payment Firm safeguards sufficient funds in designated safeguarding accounts to cover the funds expected to be received and held by their agents or distributors,
- require that funds are held under a statutory trust (to address the uncertainty following the Ipagoo case) – this will involve:
- the imposition of a statutory trust over: relevant funds held by a Payment Firm; secure liquid assets in which relevant funds are invested; the rights under and proceeds of any insurance policies and guarantees bought to safeguard relevant funds; and cheques and other payable instruments received for the execution of a payment transaction or purchase of electronic money. The consultation sets out the terms on which assets would be held on trust; and
- additional detail around when the safeguarding obligation starts and funds become subject to the trust.
Other end-state proposals include that a firm will be allowed to pay its own funds into a designated safeguarding account to prevent a shortfall in relevant funds.
Implications for Firms and Insolvency Practitioners (IPs)
Should the new regime come into force, Payment Firms will experience a great shift in terms of how their relevant funds are safeguarded and the expectations in terms of operational and governance controls. Implementation will happen whilst firms continue usual operation.
The FCA proposes to give Payment Firms a transition period of 6 months from when the final regime is published to carry out the changes from the interim rules. Final end-state rules will be published once the safeguarding requirements in the EMRs and PSRs are revoked. Firms will have another 12 months to implement these additional changes.
While more established Payment Firms will have sophisticated systems in place already to address safeguarding which can be adapted, many firms will not yet have the expansive systems and controls in place to adequately accommodate the changes proposed. As seen when the FCA's CASS rules were introduced the administrative and governance changes that may be required in order to ensure compliance could be significant. Further, this should not simply be viewed as "just another" operational change. Given the implication of customer protection and the repercussions of failing to comply with the letter and spirit of these proposed rules, senior management will need to have constant oversight and sign off on the adequacy of measures introduced. The scrutiny of management responsibility must be emphasised. Firms should also consider the potential costs of implementation – from "topping up" funds, to safeguarding within a trust structure.
IPs will be keen to observe the final end state rules which will include new rules for when Payment Firms fail or where third parties that are used for safeguarding purposes fail. In theory the new rules proposed in the consultation should assist IP's in identifying relevant safeguarded assets and isolating them from other assets of the insolvent business. However, in practice only time will tell in this respect – insolvencies are rarely straightforward and as we've seen already, often poor record keeping is an issue.
An industry under the spotlight
The consultation comes at a time when the UK payments industry is facing increased scrutiny by regulators and enhanced consumer protection requirements.
The FCA recently published the findings from its multi-firm review of how Payment Firms have implemented the Consumer Duty requirements (Payments Consumer Duty multi-firm review). The findings include examples of good and bad practice, which the FCA makes clear should be used by firms as a way of identifying and addressing any shortfalls in current practices. The FCA highlighted that it will take action to ensure that firms are meeting the standards and that it will be asking Boards for the results of their annual review of whether the firm is delivering good customer outcomes consistent with the Consumer Duty. In its current consultation, the FCA points out that a good customer outcome includes keeping consumer money safe.
From 7 October 2024, victims of Faster Payments Authorised Push Payment scams are now able to recover up to GBP85,000 from Payment Service Providers (PSPs), which we reported here. The Payment Systems Regulator pointed out in a press release that this will give firms “strong financial incentives” to continue improving their fraud prevention controls. This can only continue to be an area of focus, with alarm bells being rung about the potential fraud risks of AI – in particular, the potential for AI-generated deepfakes to fool KYC procedures.
Firms will have to be aware also of the changes to the Payment Services Regulations 2017 (through the Payment Services (Amendment) Regulations 2024 (SI 2024/1013)), which came into force on 30 October 2024 and will allow a payer's PSP to delay making a payment where it has reasonable grounds to suspect fraud or dishonesty. The FCA has consulted on changes to its existing guidance to support PSPs in implementing these changes while minimising the impact on legitimate payments. It is expected to issue an updated approach document by the end of 2024.
Consumer protection in this sector is not just a priority in the UK. In April 2024, the Central Bank of Ireland published its “Expectations for Authorisation of Payment and E-Money Institutions”, which reflects the Central Bank's focus on customer protection and states plainly that the bank “has no tolerance for weaknesses in safeguarding arrangements”. In the EU, the European Commission has published proposals for the Payment Services Regulation (PSR), part of the new measures to strengthen consumer protection and improve competition in electronic payments that include an update to the Revised Payment Services Directive (PSD2). International firms should map national variances that are emerging around this topic, post-Brexit and within the EU.
Next steps
The FCA's consultation closes on 17 December 2024, with the FCA expecting to publish its final interim rules and accompanying policy statement in the first half of 2025.
If you would like to discuss any of the points raised in this article or the implications for your organisation, please contact a member of our team.