Safeguarding of client funds continues to be a high priority in payments markets globally. The new RPAA rules require all Canadian Payment Service Providers to have a written Fund Safeguarding Framework describing their systems and controls; policies and procedures; monitoring and oversight; and other relevant documentation to ensure end-user funds are protected.
So, how should firms ensure they have an adequate framework?
Safeguarding Review
Payments firms should be ready for a regular in-depth review of their safeguarding policies, governance, oversight and operations. Below, we have provided a brief overview of some of the expectations for firms with respect to Safeguarding. If you are worried you might be out of date on the requirements or would like more information or help, contact us – our team will be happy to talk to you.
Elements of the Safeguarding Framework
1. Identification of Funds
You must have documentation covering how and when relevant funds arise in your business including transaction flows. This includes ensuring you have:
- Properly accounted for when your safeguarding obligation starts and ends with respect to different funds
- Properly segregated different funds, including those that require safeguarding from those that do not, for example from unrelated activities
- Properly accounted for exchange rates and exchange rate risks including determining which foreign exchange funds need to be safeguarded
- Set appropriate reconciliation frequencies
You need to undertake regular reviews to ensure that all relevant funds are safeguarded and that you are properly managing the risks of commingling.
If you have networks of agents or distributors, you need to evidence that you have adequate processes to ensure appropriate oversight and that relevant funds are segregated on receipt.
2. Method of Safeguarding
You should have documentation within your policy covering the method of safeguarding you have chosen. If you have changed the method you use, you may need to evidence the decision-making process and the relevant notifications.
The RPAA sets out the means a PSP can use to safeguard end-user funds. A PSP may:
- hold the end-user funds in trust in a trust account that is not used for any other purpose
- hold the end-user funds in an account that is not used for any other purpose and hold insurance or a guarantee on the funds. The insurance or guarantee amount must be equal to or greater than the amount held in the safeguarding account.
You may choose a combination of means to safeguard end-user funds by:
- safeguarding a portion of end-user funds in trust in a trust account and protecting the other portion of the funds using insurance or a guarantee
3. Risk Assessment
You should ensure that your framework includes a thorough risk assessment of the various aspects of safeguarding, including the choice of safeguarding method and safeguarding partner (for example, the creditworthiness of the authorised credit institution), internal risk factors and other risks, for example exchange risks or additional risks from the use of agents and distributors.
The due diligence process for third parties, including authorised credit institutions, custodians or insurance providers, needs to be available and evidenced. Risk assessments and due diligence of third parties should be reviewed regularly based on your safeguarding policy.
Additional risks that you should consider include:
Key questions and considerations
- What legal and operational risks could hinder you from meeting the framework’s objectives? What approaches have you identified to mitigate those risks?
- Have you considered risks that could arise as a result of:
  - the jurisdictions in which you are located, and those of your end users, your account providers in which end-user funds are held, and if applicable, those of your insurance or guarantee providers
  - the identity of your account providers and, if applicable, insurance and guarantee providers
  - the terms of your trust arrangements with end users, if applicable
  - the terms of your insurance policies or guarantees, if applicable?
- What mechanisms are in place to mitigate those risks?
- Are these risks and mitigants documented as part of the framework?
4. Internal and External Reconciliations
Firms need to perform internal and external reconciliations to verify that the amount of funds or assets safeguarded matches their internal records. These need to reflect the amount of relevant funds held and clearly show that excess money is not held, which would give rise to potential commingling.
Reconciliations need to take into account the overall risk your firm is exposed to and should be proportionate to the complexity of the business and the volume and value of transactions undertaken. Your justification for the frequency of reconciliations, along with other factors, should be included within your risk assessments.
Reconciliations must be undertaken at least once a day. The frequency and methods of internal and external reconciliations need to be documented within your policies and procedures and you should be able to evidence them operationally.
You should also document your processes for handling discrepancies found in reconciliations, i.e. identification of the reason for the discrepancy, introduction or removal of funds to eliminate the discrepancy, and record keeping in respect of the discrepancy.
5. Record Keeping – Ledger of end-user funds
You must keep a ledger that serves as an accurate record of the amount of funds you hold on behalf of each end user. The ledger must:
- include the name and contact information of each end user whose funds are held,
- track the amount of funds belonging to each of those end users, and
- record whether such funds are held in the safeguarding account or in another account.
You should ensure that you have adequate policies and processes in place for keeping a ledger that accurately records the amount of funds held on behalf of each end user. This should include:
- funds held in a safeguarding account and funds yet to be placed in a safeguarding account
- the total amount of end-user funds held, end-user funds safeguarded and end-user funds to be safeguarded
The ledger should be updated at least daily and include the name and contact information of each end user whose funds are held, so you must ensure processes and systems are in place to update these as necessary.
Your ledger should be classified as an asset, as part of your operational risk management and incident response framework.
6. Governance
You should have documented policies and supporting operational evidence to show your governance of safeguarding procedures and framework. This should include:
- What mechanisms are used for oversight of your policy, including systems and management / Board oversight
- How regularly each of these is performed
- Who is responsible
- What management information is provided
- What records are kept
- How you ensure consistent safeguarding for new products and business adaptations
- How you ensure your safeguarding framework adapts to changes in the external and internal business environment
It is also good practice to include your rationale for the above along with details of review processes for your Governance procedures.
7. Insolvency Packs
You should maintain a pack to provide all the necessary information and documentation that would be needed by an administrator, insolvency practitioner or similar in returning relevant client funds. This should include a master document detailing the contents of the pack as well as how to access all the other documentation and information.
The pack needs to include details on how to:
- access all relevant records, ledgers and documentation in relation to end-user funds
- contact end users as soon as feasible
- identify any errors or deficiencies in the payment service provider’s ledger of end-user funds and address any shortfall in the funds to be returned to each end user
The pack should include detailed procedures to be followed to return funds to end users, including the role of any agents, mandataries or third-party service providers of the payment service provider as well as relevant third-party contracts.
Any systems needed by the insolvency practitioner, including those needed to provide the pack documentation, should be accessible after insolvency and arrangements must be in place to ensure this access.
8. Personnel and Training
Relevant personnel should be trained appropriately to ensure they understand what is expected of them and the firm in respect of safeguarding. It is good practice for firms to maintain records of safeguarding training for inspection.
Senior management training is particularly beneficial, as senior management must take an interest in and understand the processes and risks involved in safeguarding, and be able to challenge those presenting new data, policies or frameworks which may not comply.
Personnel involved in safeguarding procedures may be interviewed during an audit to review their activities and their understanding.
9. Third party reviews and audits
You should arrange for audits of safeguarding arrangements to ensure compliance. These are required at least once every three years, but firms also have an obligation to review their safeguarding framework annually.
Independent audits or reviews can help firms ensure they are remaining compliant and also help to show a commitment to safeguarding and good practice with respect to relevant client funds.
How Neopay Global can help
Neopay offers a range of cost-effective services to assist payment firms in ensuring their safeguarding measures remain compliant. We can help with gap analysis, formal independent audits, workshops and training, as well as regular advice and review through our Virtual Compliance Service.
Contact our team today to find out more about how our tailored solutions can support your business.