Category Archives: Operational Risk Management

Payments Business? Have Your Say! Don’t Miss This

psd2 regulations security measures

Payments Business? Have Your Say! Don’t Miss This!

Get the lowdown on the FCA Strong Customer Authentication (SCA) Consultation Paper plans. Download the free brochure here.

If you have any areas of concern, please call us on 0207 097 1434 or email

Actual Google Review
Actual Google Review

Psd2 Strong Customer Authentication Regulation, Strong Customer Authentication, Strong Customer Authentication (Sca), Strong Customer Authentication (Sca) Requirements, Strong Customer Authentication (Sca) Uk

Why Is Document Version Control So Important?

Why Is Document Version Control So Important?

london compliance specialists regulatory PRA FCA


Why is Version Control Important?

Version control is important when documents are being created, and for any records that undergo a
lot of revision and redrafting or annual reviews. It helps us to track changes and identify when key decisions were
made along the way. It is particularly important for electronic documents that are being reviewed
by a number of different users.

Knowing which version of a document you are looking at is important if you are trying to find out which version of a policy is currently in force, or which version of a policy was in use at a particular time. It forms good records keeping practice which is particularly important in meeting our obligations under the Freedom of Information Act.

The aim of this document is to provide best practice guidance for applying version control to
different types of document at the University of Nottingham. This guidance covers best practice use
1. File Naming conventions
2. Version Numbers
3. Version Control Tables
4. Document control Tables

File Naming Conventions
At the simplest level you can use file naming conventions to identify the version of a document. Use
the file name of the document to determine both the version and status alongside the subject , for

Records Management Policy Draft v0.1

Records Management Policy Draft v0.3


Records Management Policy v1.0

Records Management Policy v1.1 (note: first revision – minor)

Records Management Policy v2.0

Remember to update the version number on the file name as well as the header (or footer) of the
document itself. It is easy to update a document and forget to rename the version number on either
the file name or the document which can lead to confusion.

Unless you don’t need to keep previous versions of the document, always save updated versions as
‘Read-only’ tag to ensure you are forced to create a new version the next time to go to update it.

File naming conventions alone will not tell you who made the change and what the change was. If it
is important to record this information use a version control table.

Version Numbers
Version numbering helps to distinguish one version of a document from another. For some
documents, you may decide that a simple numbering system consisting of consecutive whole
numbers is sufficient to help you keep track of which version you are working on. However,
documents that go numerous stages of development before a final version is reached, and for those
that are developed through input by multiple individuals, you may decide to adopt version numbers
to keep track of both minor and major changes to that document.

Minor Revisions
Minor revisions are small changes made to a document such as spelling or grammar
corrections, and other changes that… Minor revisions to a document are reflected by making
increments to the decimal number.

Major Revisions
Major revisions are changes to a document that require the document to be re-approved
(either by an individual or a group). Major revisions are reflected by incrementing the whole
number by 1.

document control version control

compliance consultants london fca authorisations

document control version control

Remember – when electronically storing documents, it is often best practice to include the date at the front in reverse, as computers store files incrementally. So – 1st March 2021 becomes 20210301.


If you need to create, review or execute your Governance. Risk or Compliance strategy, call us today on

0207 097 1434 or email

This guide is only an aide memoire and intended for information only for anyone appraising the documentation needed in an audit/compliance check. It is not to be considered as direct advice or intended to replace specific 1 to 1 engagement with your compliance and risk professional.

PSD2 Guide To Safeguarding & Wind Down Planning

Compliance consultants london - failure - wind down planning

PSD2 Guide To Safeguarding & Wind Down PlanningCompliance consultants London - PSD2 Safeguarding & Wind Down

Download Our FREE Guide By Completing The Form Below!

    compliance consultants london

    The Back-Office System and Procedures

    The Back-Office System & Procedures

    The Back-Office System & Procedures

    Bringing in clients (New Business) seems to be the most exciting thing there is, right? That’s why there are so many marketing agencies popping up. Content strategy, copywriting, ads… they all are sexy.

    Doing the work is not as fun, but that’s how you get paid — so you give it a pass.

    But the Back-Office is not generally thought of as sexy. It’s a crucial component if you want to take your business to seven plus figures.
    What does Back-Office include?
    This system manages every foundational element that is needed to run a business — other than your New Business and Production teams.
    I’m talking about things such as legal, HR, rent, administrative and operational support, etc.
    Anything that is essentially non-billable and doesn’t directly contribute to your revenue is what I would leave under back-office.
    Effectively Managing The Back-Office.
    Something that I really try to make emphasis on throughout my content is that every system is comprised of people, processes, and tools. And the Back-Office is no exception.
    In the beginning, for many companies, one or two people were in charge of every single aspect of this system (in all systems, really). They are the ones signing contracts, sending invoices, finding contractors, hiring employees, etc.
    They think that they are working on the business. But, over time, things got more complex. They can’t do everything anymore, so they have to start hiring other people and delegating. They need processes and procedures to be the “go to” document to explain what to do when they are not there. It goes without saying, but people are a HUGE determinant factor of your success.
    You can help your people by setting up a process that optimised their efforts and minimises costs. But someone has to design that process. It can either be you or someone from your management team — but it has to be done.
    If you can document step by step the actions of your legal and hiring processes, for example, the business becomes less “You-dependent”.
    How will you generate candidates when there’s an available position at your company? Who will contact them? How many rounds of interviews will they have to go through? Who are the final decision-makers?
    It may seems like you are wasting a couple of hours to get that on a piece of paper. However, trust me: you’ll realise how much quicker and sustainable you can scale and grow after you have every system documented in detail. Note: having clearly defined guidelines will also help you make less emotional decisions.
    Think of tools as any apps, software, and other tech or old-school solutions that make your life easier.
    I’m sure you are already using them in some way: to improve the communication within your team, to onboard employees, to create invoices, etc.
    Automation will help you reduce the number of people your company needs to operate. It can even fully eliminate repetitive tasks from your daily to-do list.
    A couple of examples:
    You could send contracts through DocuSign to your new clients so that you can get that out of the way much faster. And you could automate sending the onboarding material as soon as they sign. Have a recurrent invoice sent at the end of every month. Obviously much easier, faster, and cheaper, right?
    Understanding the Real Cost of Your Back-Office:
    As I said before, the business owner/CEO– will usually manage the whole Back-Office system in the early days. That’s totally normal, but, as you grow, things will change. You’ll have more clients, you’ll expand your business, and you’ll need more employees to fill that need.
    But beware to not run into this issue:
    1. As you scale up, your back-office will also scale up.
    2. And you don’t want to underestimate how much it’s going to cost you.
    Yes, in the very beginning, it will only take time and effort — but not money. Which, obviously, is still a huge expense. But what happens when instead of sending one invoice, you need to send 10? Or you have to hire not one individual, but two or more? You can only service a certain amount of business areas while maintaining your quality standards.  
    Of course, when you have someone in charge of that, these costs have to now be factored into the equation. I’ve seen plenty of business owners that they didn’t plan for this and guess what happened?
    Their profit margins got screwed up and they realised they weren’t charging enough.
    Just as a reminder, this goes like this: revenue – cost to produce everything – everything else.
    Well, everything else will naturally increase over time as your business grows. You’ll want to reduce it as much as you can through automation, processes, and high-performing people, but it will happen.
    As long as you’re not just throwing unnecessary bodies and it comes from a place of growth, the back-office is a price that you should be willing and capable to assume. Just make sure you account for it and doesn’t come as a scary surprise.
    The Back-Office System Summary:
    • The Back-Office System includes anything that is essentially non-billable and doesn’t directly contribute to your revenue. I.e. legal, HR, rent, administration, and operational support.
    • As you grow, you’ll need to find people to take over every element in the system. Use the leverage from well-designed processes and tools to increase your output efficiency.
    • There’s a real cost of managing the Back-Office, especially as you scale. Make sure you factor it into your prices and profit targets.

    If you need to create, review or execute your Governance. Risk or Compliance strategy, call us today on

    0207 097 1434 or email

    We Accept Crypto
    Ask Us For Details
    This guide is only an aide memoire and intended for information only for anyone appraising the documentation needed in an audit/compliance check. It is not to be considered as direct advice or intended to replace specific 1 to 1 engagement with your compliance and risk professional.

    Governance Risk & Compliance Frameworks

    Governance, Risk & Compliance Frameworks

    grc-risk-framework-compliance consultant-compliance consultants-fca compliance consultants

    Why is governance risk and compliance important?

    To ensure that businesses protect their information, have consistent cohesion departmentally, and follow all governmental regulations, a governance, risk and compliance, (GRC) program is important as new regulations can be overwhelming if a company doesn’t have a person or team to ensure updates are in place.

    What is GRC?
    Many people think of a platform when referring to GRC. But GRC refers to a capability that helps an organization achieve its objectives, with responsibility running right across the organization. GRC is a set of processes and practices that runs across departments and functions. GRC might be enabled by a dedicated platform and other tools, although this is not mandatory. While organizations generally don’t need to maintain a separate GRC department, most organizations have a team in place to manage the GRC platform and tools.
    What is the scope of GRC?
    By definition, the scope of GRC doesn’t end with just governance, risk, and compliance management, but also includes assurance and performance management. In practice, however, the scope of a GRC framework is further getting extended to information security management, quality management, ethics and values management, and business continuity management.
    What are the Elements of a GRC Framework?
    • Resources—required to conduct business, including strategies, policies, standards, procedures, organizational structure, roles and responsibilities, people, processes, technology, information, physical, financial and intellectual assets, and third parties (suppliers, vendors and contract employees).
    • Business attributes—the key attributes of a business include:
    • Performance, including goals, targets, outcomes, profitability and SLAs, etc.
    • Risk, including financial risk, credit risk, market risk, strategy risk, operational risk, fraud risk, reputational risk, information security risk, technology risk and compliance risk, etc.
    • Compliance, including regulatory compliance (SOX, PCI/DSS, GDPR), legal compliance (labor laws), organizational compliance (policies and standards), security (human, physical and information security), quality, ethics and values.
    • Governance, management, and operations—governance involves setting directions, optimizing risks and resources, and monitoring performance and compliance to achieve an organization’s objectives. It can be broadly classified into corporate governance, business governance, IT governance and legal governance. Management involves planning, organizing, leading, coordinating, controlling and reporting. Operations includes executing the process and function.
    • Controls—in order to realize value from the business, resources should be utilized efficiently and effectively, and business attributes should optimized. This is only possible when appropriate controls are implemented and executed. The controls can be classified as management controls, process controls, technical controls and physical controls. Controls are applied to the resources as well as the attributes.
    • Assurance—independent assurance is required to ensure that controls are designed and operating effectively, and compliance requirements are met consistently. It is the responsibility of governance to monitor and obtain assurance. Assurance will be primarily through audits. There are several types of audits. Internal and external audits, certification audits, financial audits, IT audits, compliance audits, process audits and security audits, etc.

    A good GRC Framework is reviewed periodically at monthly/quarterly reporting events to provide a complete audit trail of risk identification and awareness, risk management, understanding and mitigation and remedial plans. 

    It should consist of;
    Policies. Procedures and TORs for committees (inc BOD)
    Known Control Exceptions or Financial Crime breaches
    External Audit & Compliance Reports (Compliance Monitoring Plan Results)
    Risk Profiles and Appetite
    Summary of Existing Risks
    The Risk Register

    If you need to create, review or execute your Governance, Risk or Compliance strategy, call us today on 0207 097 1434 or email

    compliance consultants london
    This guide is only an aide memoire and intended for information only for anyone appraising the documentation needed in an audit/compliance check. It is not to be considered as direct advice or intended to replace specific 1 to 1 engagement with your compliance and risk professional.

    Enterprise Governance Risk And Compliance, Governance Risk & Compliance (GRC) Tools, Governance Risk & Compliance Services, Governance Risk And Compliance In Banking, Governance Risk Compliance Consulting, Understanding Governance Risk And Compliance

    The Importance of Good Management Information (MI)

    The Importance of Good Management Information (MI)

    good management information

    The significance and requirement of excellent operational detail (volumes, speed, performance indicators, controls, tolerances etc.) are vital to successful management of business. To be able to consistently make efficient decisions, a series of records and measurements is needed, and if they ceased to be accurate or effective can significantly affect the ongoing stability, and profitability of an organisation leading to poor management decisions.

    The information can be found in many different forms depending on the business, cashflow and forecasts are obvious, but sales, staff turnover, sales activity, marketing results, supplier consistency can also be performance indicators needed to demonstrate the efficacy of the business. Many firms also use  elements of worker retention numbers or consumer satisfaction rates. Ultimately though the term suggests anything that can be used to aide in the secret choices that management need to make; nevertheless, that does not imply all details captured provide value, usefulness or are “good”.

    What makes the MI “great”?
    When thinking about whether the details obtained is in fact of a high quality and therefore any use to the business, there are the following 5 key points to consider.
    • Significance: Take into account whether the details you have is actually pertinent to the company, however likewise to the staff member who will be using it.
    • Authentic: To be able to utilise the information to make key decisions, it should really be authentic and precise info.
    • Trigger: If it takes too long to get, or too long to be provided to individuals who need it at the right time, then it would not be of any use, for that reason it is necessary the collection of data to be utilised is set over a specific period; you can’t compare apples with pears.
    • Pursued: For it to be great, then it should have the ability to be acted upon, if not then the time spent gathering was pointless.
    • Documented: If the information gathered has not been examined or analysed, processed and recorded, it will create huge issues for the firm in the future if they try ro reference back to the measure or effectiveness/accuracy of what was provided. Poor records make future decisions impossible to make effectively and this would fail the SMCR “Reasonable Steps” test for SMFs.
    Too much information and an avalanche of “performance indicators” is no use at all. Key Performance Indicators eed to be established and reviewed periodically (to ensure they maintain value). It is in combination of all these factors that comprise “good details”, however it depends on the management to choose which elements are more crucial that others, if there is an urgent requirement for information, then the weighting on the significance of it might eclipse the requirement for it to be documented, however this constantly depends on the environment, both from a business and regulatory perspective.
    Why is good management details crucial to a service?
    When the information utilised is of a high standard, it can allow a business to recognise areas for enhancement, or fine tuning keep track of the quality of operations, boost profits and evaluate strengths and weak points to enable time to be spent on doing what the company does best, and raise the bar on areas or processes where it might be failing.
    In making essential choices, you need supporting evidence to be able to prevent making an ill-informed choice, and evidence that you had the best source of data, external regulatory or legal advice, for business success as well as SMCR reasonable steps. Bad or incomplete  information can force you into making assumptions or even just guesses and this results in planning poorly or not react is adeqaute time to changes in business or the environment. The wrong choice can hold up a business, attract regulatory censure or enable rivals to get a benefit of your company. If you do not have any robust and accurate information at all you are just arrogantly gambling on the chances of your decisions being right and increase the danger of failure within your company.

    If you need to create, review or execute your Governance. Risk or Compliance strategy, call us today on

    0207 097 1434 or email

    compliance consultants london
    This guide is only an aide memoire and intended for information only for anyone appraising the documentation needed in an audit/compliance check. It is not to be considered as direct advice or intended to replace specific 1 to 1 engagement with your compliance and risk professional.
    Other Posts In This Series

    Compliance Annual Reporting Requirement

    Compliance Annual Reporting

    Compliance Annual Reporting

    Annual Compliance Report
    Providing a written report to your Governing Body in respect of compliance on an at least annual basis is a requirement of the FCA Systems & Controls (SYSC) Handbook.  Areas covered should include your compliance monitoring, policies and procedures and the overall Governance, Risk & Compliance (GRC) risk management processes you have in place.  You might also wish to provide details of any “horizon” or issues whereby compliance monitoring is to be undertaken in the course of the next year.  We normally recommend a quarterly, six and 12-month perspective for this report and MI trends identified.
    Money Laundering Reporting Officer (‘MLRO’) Report
    The firm’s MLRO is required to submit a report to your Governing Body on an at least annual basis in respect of the operation and effectiveness of your firm’s anti-money laundering systems and controls.  We normally recommend a two-month timeframe for this report.

    Don’t forget this includes results of “Reviewing Policies and Procedures”

    Compliance monitoring obligation
    The FCA require firms to regularly assess the adequacy and effectiveness of the measures they have put in place to comply with all applicable FCA rules, through active compliance monitoring. If you have been affected by recent rule changes, this is a suitable time to satisfy yourself that you are complying with the new rules. Firms are encouraged to take a risk-based approach, so there are a number of ways in which Compliance Consultant can really help:
    • Review and update your existing monitoring programme to ensure it is risk focused and fit for purpose.
    • Perform an independent compliance effectiveness review of any internal monitoring that you have conducted. We recommend that this is completed at least every two years.
    • Conduct a monitoring review into one or more specific areas of your compliance arrangements and provide a report on any deficiencies.
    • Provide a fully outsourced compliance monitoring review.
    As the FCA imposes more (and larger) fines on individual board members and senior managers, we feel that compliance monitoring is probably the best investment a firm can make to protect itself and its board.

    If you need to create, review or execute your Governance. Risk or Compliance strategy, call us today on

    0207 097 1434 or email

    compliance consultants london

    This guide is only an aide memoire and intended for information only for anyone appraising the documentation needed in an audit/compliance check. It is not to be considered as direct advice or intended to replace specific 1 to 1 engagement with your compliance and risk professional.


    Other Posts In This Series
    Original Source:

    Business Risk Assessment Methodology

    Business Risk Assessment MethodologyBusiness Risk Assessment image

    1. Business risk assessment refers to the assessment of risks and opportunities affecting the achievements of the organisational goals and objectives. Business risk is normally assessed at three levels. Business risk assessment at all three levels is essential to identify the THREATS, OPPORTUNITIES and potential ALTERNATIVES for action to achieve the organisational goal and objectives: Strategically: guidance is typically for a time period of 5 to 10 years, but can be as little as 1 year projected forward in a fluid environment, and assessment is usually performed by senior management and ideally, with some kind of independent facilitator. Strategic assessment is usually limited to assessment i.e. Identification, Measurement and prioritisation of risk.
    2. Project/Program/Process: for current period of organisational or change management activity. Project manager or process owner is responsible for initial assessment and monitoring or may also share with an oversight committee. It is a mixture/blend of risk assessment in the planning phase and risk management in the implementation phase. Operational: in everyday operations like health and safety issues. This is performed by supervisory level or by individuals or work team tasked with a particular management. It is usually focuses on standard workplace risks and hazards have been already identified in strategic process of assessment; the task is to manage risk to get the job done.
    3. Strategic Risk Assessment. Understanding of overall goals and objectives by examining of fundamental documents and classification of indentified goals and objectives into SHORT, MEDIUM and LONG TERMS issues. Choosing of strategic risks that are likely to be of greatest importance:
    • Operational risk is that entity will not meet its operational goals and objectives.
    • Fiscal risk is that deficiencies in expenditure control and revenues will adversely affect agreed-up outcomes or objectives.
    • Reputation risk is that some action by the entity will impair the ability to reach its goals and objectives.
    • Other strategic risk, such as Policy, Regulatory etc.
    4. Definition of various important and relevant external environments and potential impact of uncertainties:
    • Political / Government
    • Technological
    • Legal and Regulatory
    • Competitors
    • Customers, Constituents and stakeholders
    • Physical
    • Markets
    • Suppliers
    • Economic/Financial
    5. Creation of series of matrices such as environments (step 4) X identification based on time (step 1). Using of various creative processes such as brainstorming, imagine scenario of possible threats and opportunities for each cell of matrix. Thinking outside the box as much as possible. Combining of the risk assessment for various goals and objectives for each of the three time horizon to get a composite strategic risk assessment in a quantitative representation, i.e., likelihood x frequency on a SCP basis.
    6. Project Risk Assessment. It uses a different method to identifying risk and opportunity. The method can be one or combination from the following:
    • Exposure analysis based on assets involved
    • Environmental analysis based on study of changes
    • Threats scenario by exploring various narrative scenarios under numbers of different conditions, especially for catastrophic events and frauds.
    7. Observation or/and measurement of risk is a difficult and subjective activity, therefore, risk factors are used that are either observable or measurable characteristics of conditions at risk. A standard set of risk factors and criteria should be established to measure and rank projects according to their perceived risk. Each project, program or process to be formally assessed for risk should be scored by the project initiator with the established risk factors based on understanding of the project, program or process andthe perception of risk as described.
    8. Procedure of Project Risk Assessment 
    Identify Risk: use one or more methods to identify risk i.e. Exposure, Environmental and/or Threat analysis.
    9. Measure Risk/Develop Alternatives: 
    • Read each factor and sub-criteria for familiarisation with aim of each.
    • Consider the project, program or process using each of the factors/criteria.
    • Score each factor for the project, etc. on a scale of 1 to 5 (lowest to highest) based on your subjective assessment of the strength/weakness or presence/absence of the criteria.
    • Total the scores for the each factor and divide by the number of factors to get the average score.
    • High risk score are those with an average of 4.25 or more. Low risk scores are those with an average score less than 2.25. These are starting figures that can be adjusted for experience.
    • Analyse high-risk areas and develop alternatives i.e. controls and other risk management techniques, to deal with each of the high risk components.
    • Price out the alternatives and compare risk and cost.
    10. Control design: choose the most cost-effective controls within reasonable prudential and organisational tolerance for accepting risk. Risk Management: monitor risk and hazards, making adjustments to the project plan as necessary to meet changing conditions.
    11. Operational Risk Management. Operational risk in financial services is normally accepted as “risk of loss resulting from inadequate or failed internal processes, people and systems or from external events”. This is effectively the risks of employees performing their jobs.  The focus of operational risk is on risk management. Risk assessment usually done by a specialist.

    If you need to create, review or execute your Governance. Risk or Compliance strategy, call us today on 0207 097 1434 or email

    This guide is only an aide memoire and intended for information only for anyone appraising the documentation needed in an audit/compliance check. It is not to be considered as direct advice or intended to replace specific 1 to 1 engagement with your compliance and risk professional.

    Compliance Support Services Explained

    Once your organisation has accomplished authorisation, you’re dedicated to satisfy a variety of on-going FCA compliance responsibilities. Companies either pick our consultancy services to help resolve specific issues or to handle the effect and impact of new policy or we tailor a retainer agreement to satisfy their particular continuous requirements.

    Retainer agreement
    Our extremely skilled group of compliance specialists have market and regulatory backgrounds supplying an unique mix of skillsets and giving you the confidence that your continuous regulatory responsibilities will be satisfied to a high expert requirement.

    With retainer service contracts separately tailored to your organisation we provide an agreed service delivery and schedule. Having operated in your sector, our professionals understand your compliance obstacles and opportunities. They share their backgrounds and understanding to solve issues; so you reap the benefits of a unique sum total of competence.
    Supplying you with budget certainty and on-demand access to an extremely trustworthy compliance partner and a topic expert panel, usually, our retainer contracts include:
    • Compliance management; setting up and your Compliance Monitoring Programme, including automating it if required.
    • Compliance audits; independent bench-mark reviews and health-checks to make certain your systems, controls, policies and regulatory procedures are kept up to date
    • Documents/Governance; such as policies and written processes or procedures
    • Financial promotions including initial reviews and ongoing assessments or critiques, including video and social media marketing
    • Training; e.g., informing personnel on anti-money laundering or assisting senior management create a suitable governance framework
    • Regulatory reporting; consisting of GABRIEL returns and evaluation of prudential requirements
    • For Payment Services companies based on PSD2, we provide distinct service plans particularly created satisfy the increased regulatory needs and responsibilities.
    • And Capital Market companies gain from a specific methodology which permits us to craft a bespoke, flexible assistance package
    • Companies fall into the Asset Management, Broker Dealers & Traders, Corporate Finance, Crowdfunding, FinTech, Infrastructure, Investment Management, P2P Lending, Private Equity, Venture Capital and Wealth Management can all benefit from individual; and tailored packages.

    Contact us today on 0207 097 1434 or email

      Compliance Support, Compliance Support Services, Compliance Support Specialist, Compliance Support Team, Compliance Support Tools, Ifa Compliance Support Services, Regulatory Compliance Support, Regulatory Compliance Support Services

      Safeguarding Accounts – How Well Do You Keep Yours?

      compliance fca regulatory authorisation registration

      In Summer 2019, the FCA Issued A Dear CEO Letter To All Payment Companies Regarding Their Safeguarding Accounts and Their Management of Them.

      Nearly 18 months on, have you changed your safeguarding methods?

      As A Reminder, The Key Findings Were;

      1. How well firms understood which funds are ‘relevant funds’

      The FCA‘s review found that some firms were completely unable to explain which payment services they were providing and some were unable to identify when they were issuing e-money, whilst some others were unclear as to whether they were acting as agent or distributor for another PSP. This meant they could not accurately identify relevant funds, and as such, they did not know if or whether they were safeguarding the correct amount of relevant funds.

      2. Effectiveness of firms’ safeguarding procedures and documentation

      The FCA expects firms to maintain sufficient records to demonstrate compliance with their safeguarding obligations, and to have a documented rationale for every decision they make about their safeguarding process and the systems and controls they have in place.

      The FCA found some firms relied on operational process documents which simply outlined the rules. The FCA considers that this does not sufficiently demonstrate a firm’s compliance with safeguarding obligations or record keeping requirements.

      3. How well firms met the FCA‘s expectations on segregating funds

      The obligation on firms to safeguard starts as soon as they receive relevant funds. The FCA expects firms to segregate relevant funds by receiving them into a separate account. Where, for customer convenience, any other funds are paid into the account, they should be removed as frequently as practicable throughout the day. In no circumstances should such funds be kept together overnight.

      The FCA found that not all firms complied with these requirements, and in particular, some did not attempt to segregate relevant funds on receipt.

      4. How effectively agents and distributors were overseen

      Firms should have arrangements in place to ensure that relevant funds held by agents or distributors are safeguarded as soon as they are received.

      The FCA found that some firms did not take any measures to ensure that they were segregated on receipt. Other firms calculated their safeguarding obligation at the end of the business day on which e-money was issued and transferred funds into a safeguarding account the next business day. This meant that relevant funds were combined with other non-relevant funds overnight.

      5. Designating safeguarding accounts

      Accounts in which relevant funds or assets are placed must be designated in a way that shows it is a safeguarding account. If this is not possible, the FCA expects e-money and payment institutions to provide evidence (such as a letter) confirming the appropriate designation.

      The FCA found the account designations were not clear for several firms. Instead, the accounts were named according to their operational function or after the relevant agent or distributor.

      6. How effectively firms carried out reconciliations

      Firms must carry out internal and external reconciliations as often as necessary, considering the risks to which the business is exposed, and should have a clear explanation for their approach to reconciliations (which must be signed off by their board of directors).

      The FCA highlights that in no circumstances would it be acceptable for a firm to carry reconciliation less than once during each business day.

      The reconciliation should result in the amount of funds or assets safeguarded being:

      • sufficient to cover the amount that the institution would need to safeguard before the next reconciliation; and
      • not excessive – to minimise risks from commingling.

      The FCA found that several firms did not carry out internal and external reconciliations, or did so infrequently, or did not adjust the balance of their safeguarded accounts in a timely way when they identified discrepancies. This resulted in the commingling of funds overnight.

      7. The effectiveness of firms’ governance and oversight arrangements

      Firms must have in place effective risk management procedures, adequate internal control mechanisms and maintain relevant records. Firms should monitor these procedures through robust governance arrangements. In addition, organisational arrangements must be sufficient to minimise the risk of the loss or diminution of relevant funds or assets through fraud, misuse, negligence or poor administration.

      The FCA found some firms considered safeguarding risk only on an exceptions basis and would only revisit their processes if they identified a breach. In some cases, the FCA found controls to identify a safeguarding breach were not fit for purpose. This meant these firms did not adequately consider safeguarding when developing new products, leading to inadequate safeguarding processes.

      Dear CEO Letter and FCA attestation

      The FCA published a Dear CEO Letter on 4th July 2019 requiring all electronic money institutions and authorised payment institutions to review their safeguarding arrangements, to make sure they fully meet the requirements in the EMRs and PSRs (as applicable).

      The FCA has asked firms to:

      • attest to the FCA that they are satisfied that they meet the requirements in regulation 23 of the PSRs or regulation 20 of the EMRs by 31st July 2019. Firms that are un-able to attest by this date should contact the FCA to discuss next steps; or
      • notify the FCA immediately if they are non-compliant in any material respect and take prompt remedial action.

      The FCA will be conducting further work on firms’ safeguarding arrangements, and expects to see that firms have acted to review, and where necessary, remediate their processes. The FCA has said it will take appropriate action against firms with inadequate safeguarding arrangements.


      If you have any concerns about your procedures or want them independently checked, call us today on 0207 097 1434

      Original text from

      Safeguarding Accounts, Safeguarding Your Accounts

      Payment Initiation Services, Payment Intermediary Services, Payment Services Companies, Payment Services Explained, Payment Services Ii Directive, Payment Services Regulations 2017 Guidance, Payment Services Regulations 2019, Payment Services Regulations 2019 Uk

      Current Activity
      Another Happy Client
      Another Happy Client