Does my payments firm need a safeguarding audit?
17 May 2023 • Audit for Business • Corporate Audit • Corporate Finance • Financial Services • Internal Audit and Third Party Assurance • Safeguarding Audits
With new regulatory changes for safeguarding requirements announced in CP24/20, we investigate how the current rules will be affected and what firms need to do to prepare.
Following the launch of the Financial Conduct Authority's (FCA's) consultation (CP24/20) into the safeguarding regime, the following types of firms should be considering arrangements for their annual safeguarding audits:
Authorised payment institutions (‘APIs’)
E-money institutions (‘EMIs’)
With new rules incoming, firms will need to understand what this means for their current position and what they will need to do now in order to comply with the new rules. To support this, we have summarised key differences between current guidance and the new rules.
The new rules
In the table below we have highlighted the key impacts that the changes will have on the safeguarding audit regime for APIs and EMIs.
Which regulated firms require a safeguarding audit? | Currently, the guidance is set out in version 6 of the Approach Document (last updated November 2024) in which the regulator states that it expects APIs and EMIs holding relevant funds to arrange a specific annual audit of compliance with the safeguarding requirements under the PSRs and EMRs, if the firm is required to arrange an audit of its annual accounts under the Companies Act 2006. | The regulator will codify the requirement for a safeguarding audit in its rules, and extend it to all payments firms (other than payment initiation service providers, small payment institutions (‘SPIs’) and credit unions that issue e-money, for which this will be guidance only). NB even if the firm (with the above exception) was not required to safeguard relevant funds during the period, it will still require a ‘Limited assurance’ safeguarding audit. |
Who can perform a safeguarding audit? | The audit can be performed by an audit firm or another independent external firm or consultant with the appropriate specialist skillset. | The audit must be performed by an independent, qualified external auditor. |
What auditing framework is followed by the auditor? | There is no specific framework. | Auditors will be required to follow the audit standard to be produced by the Financial Reporting Council. |
What should the audit report include? | The auditor provides a ‘reasonable assurance opinion’ on: - Whether the institution has maintained organisational arrangements adequate to enable it to meet the FCA’s expectations of its compliance with the safeguarding provisions of the EMRs/PSRs 2017 (as set out in chapter 10 of the approach document) throughout the audit period; and - Whether the institution met those expectations as at the audit period end date. | An annual audit report, prepared in a prescribed format, confirming: - Whether the institution has maintained systems adequate to comply with the applicable safeguarding requirements; - Whether the firm was in compliance with those requirements at the end of the audit period; - Details of any breaches; and - The remedial actions taken (if any) by the firm and the circumstances that gave rise to the breach. |
Who is the report sent to? | The report is addressed to the institution. | The auditor must submit the report to the FCA. |
What is the audit period? | Not mandatorily determined, however the FCA expects ‘some firms may wish to align the audit period with their account year end’. | No change. |
What is the deadline? | There is no confirmed deadline. The FCA expects the report to be submitted to the firm’s management within 4 months of the audit period end date. | The report must be submitted to the FCA within 4 months of the audit period end date. |
When will I need a safeguarding audit?
The regulator now plans to publish final interim rules with an accompanying policy statement by the end of Q3 2025. Firms will then have a transition period of 9 months to implement the changes in the interim rules. We recommend firms start planning for these changes and the new audit requirements now!
How we can help
If you are an API or EMI and would like to discuss your safeguarding audit needs, please get in touch via the below form and a member of our specialist team will contact you.