Electronic money institutions
There is less flexibility with electronic money institutions (which have the added permission of issuing Electronic money). UK firms regulated under the EMRs as an electronic money institution are not entitled to take any exemption from audit, regardless of their size.
As with other payment services firms, there is no requirement for an electronic money institution (that does not undertake any other non-regulated business) to submit its audited financial statements to the FCA. If the firm undertakes other non-regulated activity (and therefore becomes a ‘hybrid business’), the audited financial statements need to be submitted to the FCA when they are submitted to Companies House. As with the PSRs, the EMRs stipulate that the auditor must communicate certain matters to the FCA.
Audits of compliance with safeguarding requirements
For APIs and EMIs that hold customers’ funds, there has historically been no requirement for an audit of compliance with safeguarding requirements. However, in its finalised guidance for payment and e-money firms on safeguarding customers’ funds (issued in July 2020), the FCA has explicitly clarified that it expects these firms to arrange an annual audit of compliance with the safeguarding requirements under the PSRs/EMRs, if its financial statements are audited. These audits are similar in nature to CASS audits, completed in accordance with SUP 3.10. These safeguarding audits must be carried out by an audit firm or other independent external firm or consultant. The FCA expects the auditor to provide an opinion addressed to the firm on:
- whether the firm has maintained organisational arrangements adequate to enable it to meet the FCA’s expectations of its compliance with the safeguarding provisions of the EMRs/PSRs (as set out in chapter 10 of its Approach Document), throughout the audit period, and
- whether the firm met those expectations as at the audit period end date.
In its guidance, the FCA has not stated when firms’ first annual audit of compliance is expected. Therefore, we consider this to come into immediate effect.