Payments and Electronic Money Institutions – Focus on Safeguarding

The Central Bank of Ireland (CBI) has made safeguarding and the protection of customers' funds a priority, especially with the ongoing revision of the Consumer Protection Code. Safeguarding ensures that if a firm fails, customers’ funds are returned promptly, supporting consumer protection in an increasingly digitalised financial services sector. This is one of the CBI’s 2024 priorities.

The CBI's increased supervision of the payments and e-money sector in recent years has revealed deficiencies in safeguarding practices, leading to more stringent safeguarding requirements. The future introduction of PSD3 will also bring further regulatory changes. Firms must now prioritise understanding these requirements and the developments over recent years. Below, we summarise the most recent safeguarding requirements.

Requirements and Background

Dear CEO Letter: Supervisory Findings and Expectations for Payment and Electronic Money Firms – January 2023

In January 2023, the CBI issued a 'Dear CEO' letter, reaffirming its regulatory and supervisory expectations for payment and e-money firms. Key areas covered included safeguarding, wind-down planning, conduct and culture. The letter included the requirement to obtain an audit of compliance with safeguarding requirements under the Payment Services Regulations (PSR) and E-Money Regulations (EMR). The audits were to be completed by 31 October 2023, with specific details outlined in the CBI's Safeguarding Notice. We summarised this development in our earlier update.

CBI Safeguarding Notice – May 2023

Following the January letter, the CBI issued a safeguarding notice to clarify the nature of the safeguarding audit. This required firms to document their safeguarding organisational arrangements and confirm their compliance with safeguarding regulations under the PSR and EMR.

Firms were then required to engage an audit firm to carry out an ISAE 3000 reasonable assurance engagement, reviewing the arrangements described. The auditor conducted an analysis based on their professional experience and industry knowledge. Both the reasonable assurance and review engagements covered the areas specified in Appendix 2 of the notice. This guidance remains relevant and was recently referenced in the CBI’s Expectations for Authorisation document.

CAI Guidance Technical Release 01/2023 (“CAI Guidance”)

In June 2023, the Chartered Accountants of Ireland (CAI) issued guidance that established auditing standards for the safeguarding reviews mandated by the CBI. This guidance is crucial for auditors engaged by payment and e-money firms to conduct the reviews in compliance with the January 2023 letter and Safeguarding Notice.

Dear CEO Letter: Payment and Electronic Money Firms – December 2021

In December 2021, the CBI issued a 'Dear CEO' letter, outlining its expectations for payment and e-money firms. The letter required firms to have robust, Board-approved safeguarding risk frameworks to ensure client funds are properly identified, managed and protected. Firms were expected to internally assess their compliance with safeguarding requirements throughout 2022.

European Union (Payment Services) Regulations 2018 and European Communities (E-Money) Regulations 2011

The European Union (Payment Services) Regulations 2018 and the E-Money Regulations 2011 introduced significant updates to the regulatory framework for payment services and e-money in Ireland. Both sets of regulations include detailed safeguarding requirements, which all firms must consider.

Newly Authorised Firms

The CBI is making it a condition of authorisation for some newly authorised payment and e-money firms to obtain a safeguarding review under the January 2023 Dear CEO Letter / Safeguarding Notice. Firms that have not previously conducted these reviews are now required to do so.

These reviews evaluate whether the firm has a comprehensive and clearly defined safeguarding framework. The results are submitted to the CBI and contribute to the broader assessment of the payments and e-money industry.

New Regulatory Requirements

PSD3 merges the legal frameworks that apply to e-money and payment firms and will require these firms to seek re-authorisation as payment firms within 24 months of the new rules coming into force. This change will also allow payment firms to issue e-money, and the E-Money Directive will be repealed. Additionally, PSD3 will introduce new regulatory technical standards, including more detailed safeguarding requirements. However, the new rules are not expected to come into force before 2026.

How our safeguarding experts can help

Most payment and e-money firms will have completed the safeguarding reviews mandated by the CBI last year. As safeguarding remains a key focus for the CBI, firms must ensure they maintain robust safeguarding risk management frameworks and promptly address any deficiencies.

At Forvis Mazars, our support services have helped many newly authorised firms onboard and adhere to the necessary safeguarding requirements. Our dedicated, expert team can help accelerate your compliance with these essential requirements.