It is a year since the FCA first aired its expectation that payment firms which are required to be audited should arrange specific annual audits of their compliance with the safeguarding requirements under the PSRs and EMRs (see FCA coronavirus consultation). Pursuant to the temporary guidance which later confirmed this expectation, we anticipate that many payment firms will have recently been, or will shortly be, faced with the question of whether they have a clean bill of health on this front.
The temporary FCA guidance includes an expectation that the auditor provide an opinion addressed to the firm on:
- whether the firm has maintained organisational arrangements adequate to enable it to meet the FCA's expectations of its compliance with the safeguarding provisions of the EMRs/PSRs throughout the audit period, and
- whether the firm met those expectations as at the audit period end date.
We note that a firm’s auditor is required to tell the FCA if it has become aware, in its capacity as an auditor, of a breach of any requirements imposed by or under the PSRs or EMRs that is of material significance to the FCA (see regulation 25 of the EMRs and regulation 24 of the PSRs). It also goes without saying that a firm would have disclosure obligations in accordance with FCA Principle 11 in respect of any non-compliance.
The FCA recently consulted on making its temporary guidance in relation to safeguarding requirements permanent as part of a larger package of changes to the FCA's ‘Payment Services and Electronic Money – Our Approach’ document. The feedback from this consultation and an updated policy statement are expected in autumn 2021. However, given the FCA's continued focus on safeguarding requirements (see also the FCA's 2019 multi-firm review and Dear CEO Letter), we don't anticipate the FCA stepping away from its current position.