SUP 3A Payment services and electronic money
SUP 3A.1 Application
(1) Subject to (3) and (4), this chapter applies to:
(a) relevant institutions, which means the following, unless they are exempt in accordance with (2):
(i) authorised payment institutions that are authorised to carry out payment services other than payment initiation services or account information services; and
(ii) electronic money institutions; and
(b) the external auditors of relevant institutions appointed in accordance with SUP 3A.3.
(2) An institution is exempt if it has not been required to safeguard more than £100,000 of relevant funds under the relevant funds regime at any time for a period of at least 53 weeks.
(3) SUP 3A.1.3G and SUP 3A.1.4G apply to safeguarding institutions that are not relevant institutions.
(4) SUP 3A.8.10G applies to statutory auditors of safeguarding institutions (as defined in regulation 25(6) of the Electronic Money Regulations and regulation 24(6) of the Payment Services Regulations).
This chapter applies to relevant institutions whether they safeguard relevant funds through the segregation method, the insurance or guarantee method or both.
Safeguarding institutions that are not subject to this chapter are still required to have in place adequate arrangements to safeguard relevant funds under CASS 15.2.1R and minimise the risk of their loss or diminution under regulation 24(3) of the Electronic Money Regulations and regulation 23(17) of the Payment Services Regulations. Voluntarily arranging an audit in accordance with this chapter may help ensure they meet these obligations.
It is the responsibility of a safeguarding institution's senior management to determine, on a continuing basis, whether the safeguarding institution is exempt in accordance with SUP 3A.1.1R(2) and to appoint an auditor if management determines the institution is no longer exempt.
SUP 3A.2 Purpose
Purpose: general
This chapter sets out rules and guidance on the role that auditors play in the FCA's monitoring of relevant institutions' compliance with the requirements and standards in the relevant funds regime.
The Payment Services Regulations and the Electronic Money Regulations, together with other legislation, such as the Companies Act 2006, provide the statutory framework for relevant institutions' and auditors' obligations.
Rights and duties of auditors
(1) The rights and duties of auditors are set out in SUP 3A.8 (Rights and duties of auditors) and SUP 3A.9 (Duties of auditors: notification and safeguarding report). SUP 3A.8.10G refers to statutory auditors’ duty to report certain matters to the FCA under regulation 24 of the Payment Services Regulations and regulation 25 of the Electronic Money Regulations.
(2) An auditor should bear these rights and duties in mind when carrying out safeguarding report work, including whether anything should be notified to the FCA immediately.
SUP 3A.3 Appointment of auditors
Purpose
This section requires a relevant institution to appoint an auditor and supply the FCA with information about its auditor. The FCA requires such information to ensure that the relevant institution has an auditor.
Appointment by institutions
A relevant institution must:
(1) appoint an external auditor;
(2) notify the FCA, without delay, when it is aware that a vacancy in the office of auditor will arise or has arisen, giving the reason for the vacancy. This notification must be submitted by electronic means made available by the FCA;
(3) appoint an auditor to fill any vacancy in the office of auditor which has arisen;
(4) ensure that the replacement auditor can take up office at the time the vacancy arises or as soon as reasonably practicable after that; and
(5) notify the FCA of the appointment of an auditor, the name and business address of the auditor appointed and the date from which the appointment has effect. This notification must be submitted by electronic means made available by the FCA.
SUP 3A.3.2R applies to every relevant institution. That includes a relevant institution which is under an obligation to appoint an auditor under, for example, the Companies Act 2006. The auditor appointed under SUP 3A.3.2R does not have to be (but may be) the same auditor as is appointed to fulfil such an obligation. SUP 3A.3.2R is made under section 137A of the Act (The FCA’s general rules), as applied by the Payment Services Regulations and the Electronic Money Regulations, in relation to such institutions. It is made under section 340(1) (Appointment), as applied by the Payment Services Regulations and the Electronic Money Regulations, in relation to other institutions.
Appointment by the FCA
(1) This rule does not apply to a relevant institution that is under an obligation to appoint an auditor imposed by an enactment other than the Act.
(2) If a relevant institution fails to appoint an auditor within 28 days of being required to do so, the FCA may appoint an auditor for it on the following terms:
(a) the auditor is to be remunerated by the institution on the basis agreed between the auditor and institution or, in the absence of agreement, on a reasonable basis; and
(b) the auditor is to hold office until they resign, or the institution appoints another auditor.
SUP 3A.3.4R allows, but does not require, the FCA to appoint an auditor if the relevant institution fails to do so within the 28-day period. When it considers whether to use this power, the FCA will take into account the likely delay until the institution can make an appointment and the urgency of any pending duties of the appointed auditor.
A relevant institution must comply with, and is bound by, the terms on which an auditor is appointed by the FCA under SUP 3A.3.4R.
SUP 3A.4 Auditors’ qualifications
Purpose
The FCA is concerned to ensure that the auditor of a relevant institution has the necessary skill and experience to audit the business of the institution to which they have been appointed. This section sets out the FCA's rules and guidance aimed at achieving this.
Qualifications
Before a relevant institution appoints an auditor, it must take reasonable steps to ensure that the auditor has the required skill, resources and experience to perform their functions under the regulatory system and that the auditor:
(1) is eligible for appointment as an auditor under Chapters 1, 2 and 6 of Part 42 of the Companies Act 2006;
(2) if appointed under an obligation in another enactment, is eligible for appointment as an auditor under that enactment; or
(3) in the case of an overseas relevant institution, is eligible for appointment as an auditor under any applicable equivalent laws of that country or territory.
An auditor which a relevant institution proposes to appoint should have skills, resources and experience commensurate with the nature, scale and complexity of the relevant institution's business and the requirements and standards under the regulatory system to which it is subject. A relevant institution should have regard to whether its proposed auditor has expertise in the relevant requirements and standards (which may involve access to UK expertise) and possesses or has access to appropriate specialist skill. The relevant institution should seek confirmation of this from the auditor concerned as appropriate.
Disqualified auditors
A relevant institution must not appoint as auditor a person who is disqualified under Part 22 of the Act (Auditors and Actuaries), including as applied by the Payment Services Regulations or Electronic Money Regulations, from acting as an auditor either for that institution or for a relevant class of institution or firm.
If it appears to the FCA that an auditor of a relevant institution has failed to comply with a duty imposed on them, it may take disciplinary measures, including disqualification of the auditor, under section 345 of the Act as applied by the Payment Services Regulations and the Electronic Money Regulations. A list of persons who are disqualified may be found on the FCA's website (www.fca.org.uk).
Requests for information by the FCA
A relevant institution must take reasonable steps to ensure that an auditor, which it is planning to appoint or has appointed, provides information to the FCA about the auditor’s qualifications, skills, experience and independence in accordance with the reasonable requests of the FCA.
To enable it to assess the ability of an auditor to audit a relevant institution, the FCA may seek information about the auditor’s relevant experience and skill. The FCA will normally seek information in writing from an auditor who has not previously audited a relevant institution. The relevant institution should instruct the auditor to provide a full reply (and should not appoint an auditor who does not reply to the FCA). The FCA may also seek further information on a continuing basis from the auditor of a relevant institution (see also the auditor’s duty to cooperate under SUP 3A.8.2R).
SUP 3A.5 Auditors’ independence
Purpose
To carry out their duties properly, an auditor needs to be independent of the institution they are auditing so they are not subject to conflicts of interest. Many relevant institutions are also subject to requirements under the Companies Act 2006 on auditors’ independence.
Independence
A relevant institution must take reasonable steps to ensure that the auditor which it appoints is independent of the institution.
If a relevant institution becomes aware at any time that its auditor is not independent of the institution, it must take reasonable steps to ensure that it has an auditor independent of the institution. The relevant institution must notify the FCA if independence is not achieved within a reasonable time.
The FCA will regard an auditor as independent if their appointment or retention does not breach the ethical guidance in current issue from the auditor’s recognised supervisory body on the appointment of an auditor in circumstances which could give rise to conflicts of interest.
SUP 3A.6 Relevant institutions’ cooperation with their auditors
A relevant institution must cooperate with its auditor in the discharge of the auditor’s duties under this chapter.
Auditor’s access to accounting records
In complying with SUP 3A.6.1R, a relevant institution should give a right of access at all times to the institution’s accounting and other records, in whatever form they are held, and documents relating to its business. A relevant institution should allow its auditor to copy documents or other material on the premises of the institution and to remove copies or hold them elsewhere, or give its auditor such copies on request.
Section 341 of the Act (Access to books etc.), as applied by the Payment Services Regulations and the Electronic Money Regulations, provides that an auditor of a relevant institution appointed under SUP 3A.3:
(1) has a right of access at all times to the relevant institution's books, accounts and vouchers; and
(2) is entitled to require from the relevant institution's officers such information and explanations as they reasonably consider necessary for the performance of their duties as auditor.
Sections 499 and 500 of the Companies Act 2006 give similar rights to auditors of companies.
Section 413 (Protected items) of the Act, as applied by the Payment Services Regulations and the Electronic Money Regulations, under which no person may be required to produce, disclose or permit the inspection of protected items, is relevant to SUP 3A.6.1R and SUP 3A.6.3G.
Access and cooperation: agents, distributors, operational outsourcing, employees
In complying with SUP 3A.6.1R, a relevant institution should take reasonable steps to ensure that each of its agents and distributors gives the institution’s auditor the same rights of access to the books, accounts and vouchers of the agent or distributor and entitlement to information and explanations from the agent's or distributor's officers as are given in respect of the relevant institution by section 341 of the Act, as applied by the Payment Services Regulations and the Electronic Money Regulations.
In complying with SUP 3A.6.1R, a relevant institution should take reasonable steps to ensure that each of its suppliers under a material outsourcing arrangement gives the institution’s auditor the same rights of access to the books, accounts and vouchers of the institution held by the supplier, and entitlement to information and explanations from the supplier’s officers as are given in respect of the relevant institution by section 341 of the Act, as applied by the Payment Services Regulations and the Electronic Money Regulations.
In complying with SUP 3A.6.1R, a relevant institution should take reasonable steps to ensure that all its employees cooperate with its auditor in the discharge of its auditor’s duties under this chapter.
Provision of false or misleading information to auditors
Relevant institutions and their officers, managers and controllers are reminded that, under section 346 of the Act (Provision of false or misleading information to auditor or actuary), as applied by the Payment Services Regulations and the Electronic Money Regulations, knowingly or recklessly giving false information to an auditor appointed under SUP 3A.3 constitutes an offence in certain circumstances, which could render them liable to prosecution. This applies even when an auditor is also appointed under an obligation in another enactment.
SUP 3A.7 Notification of matters raised by auditor
Notification
A relevant institution should consider whether it should notify the FCA under Principle 11 if it receives a written communication from its auditor commenting on internal controls.
SUP 3A.8 Rights and duties of auditors
Purpose
The auditor of a relevant institution has various rights and duties that enable or require them to obtain information from the institution and pass information to the FCA in specified circumstances. This section imposes or gives guidance on those rights and duties.
Cooperation with the FCA
An auditor of a relevant institution must cooperate with the FCA in the discharge of its functions under the Payment Services Regulations and the Electronic Money Regulations.
The FCA may ask the auditor to attend meetings and to supply it with information about the institution. In complying with SUP 3A.8.2R, the auditor should attend such meetings as the FCA requests and supply it with any information the FCA may reasonably request about the relevant institution to enable the FCA to discharge its functions under the Payment Services Regulations and the Electronic Money Regulations.
An auditor of a relevant institution must give any skilled person appointed by the institution or the FCA all assistance that person reasonably requires (see section 166(7) of the Act (Reports by skilled persons), as applied by the Payment Services Regulations and the Electronic Money Regulations).
Auditor’s independence
An auditor of a relevant institution must be independent of the institution in performing their duties in respect of that institution.
An auditor of a relevant institution must take reasonable steps to satisfy themself that they are free from any conflict of interest in respect of that institution from which bias may reasonably be inferred. An auditor must take appropriate action where this is not the case.
SUP 3A.5.4G explains that an auditor whose appointment does not breach the ethical guidance in current issue from the auditor’s recognised supervisory body will be regarded as independent by the FCA.
Auditors’ rights to information
SUP 3A.6.1R requires a relevant institution to cooperate with its auditor. SUP 3A.6.3G refers to the rights to information which an auditor is granted by the Act, as applied by the Payment Services Regulations and the Electronic Money Regulations. SUP 3A.6.4G refers to similar rights granted by the Companies Act 2006.
Communication between the FCA, the relevant institution and the auditor
Within the legal constraints that apply, the FCA may pass on to an auditor any information which it considers relevant to the auditor’s function. An auditor is bound by the confidentiality provisions set out in Part XXIII of the Act (Public record, disclosure of information and cooperation), as applied by the Payment Services Regulations and the Electronic Money Regulations, in respect of confidential information received from the FCA. An auditor may not pass on such confidential information without lawful authority – for example, if an exception applies under the Financial Services and Markets Act 2000 (Disclosure of Confidential Information) Regulations 2001 (SI 2001/2188), as applied by the Payment Services Regulations and the Electronic Money Regulations, or with the consent of the person from whom that information was received and (if different) to whom that information relates.
Auditors’ statutory duty to report
(1) Statutory auditors of safeguarding institutions are subject to regulation 24(3) of the Payment Services Regulations and regulation 25(3) of the Electronic Money Regulations. Those regulations require statutory auditors to communicate matters of material significance to the FCA.
(2) A failure to safeguard relevant funds will usually be of material significance, so should be communicated to the FCA. This is especially the case where an institution claims not to be required to safeguard relevant funds at all.
(3) Sections 342(3) and 343(3) of the Act, as applied by the Payment Services Regulations and the Electronic Money Regulations, provide that an auditor does not contravene any duty by giving information or expressing an opinion to the FCA, if they are acting in good faith and reasonably believe that the information or opinion is relevant to any functions of the FCA. These provisions continue to have effect after the end of the auditor’s term of appointment.
Termination of term of office
An auditor must notify the FCA without delay if they:
(1) are removed from office by a relevant institution;
(2) resign before their term of office expires; or
(3) are not reappointed by a relevant institution.
If an auditor ceases to be, or is formally notified that they will cease to be, the auditor of a relevant institution, they must notify the FCA without delay:
(1) of any matter connected with the ceasing of their appointment which the auditor thinks ought to be drawn to the FCA's attention; or
(2) that there is no such matter.
SUP 3A.9 Duties of auditors: notification and safeguarding report
Auditor’s safeguarding report: content
An external auditor of a relevant institution must prepare a safeguarding report addressed to the FCA which:
(1) states the matters set out in SUP 3A.9.2R;
(2) specifies the matters to which SUP 3A.9.11R and SUP 3A.9.12R refer; and
(3) is prepared in accordance with the terms of a reasonable assurance engagement.
Auditor’s safeguarding report
The auditor’s safeguarding report must state whether, in the auditor’s opinion:
(1) the relevant institution has maintained systems adequate to enable it to comply with the relevant funds regime throughout the period; and
(2) the relevant institution was in compliance with the relevant funds regime at the end of the period covered by the report.
The auditor’s safeguarding report must be:
(1) in the form prescribed by SUP 3A Annex 1; and
(2) signed on behalf of the audit firm by the individual with primary responsibility for the relevant institution's safeguarding report and in that individual's own name.
SUP 3A.9.1R provides that an auditor must ensure that a safeguarding report is prepared in accordance with the terms of a reasonable assurance engagement. The FCA also expects an auditor to have regard, where relevant, to material published by the Financial Reporting Council that deals specifically with the safeguarding report which the auditor is required to submit to the FCA. In the FCA's view, a safeguarding report that is prepared in accordance with that material is likely to comply with SUP 3A.9.1R and SUP 3A.9.2R where that report is prepared for a relevant institution within the scope of the material in question.
(1) An auditor must ensure that the information provided to it by a relevant institution in accordance with SUP 3A.10.1G is included in the safeguarding report.
(2) If by the date at which the report is due for submission in accordance with SUP 3A.9.7R an auditor has not received the information referred to in SUP 3A.10.1G it must submit the report without that information, together with an explanation for its absence.
Auditor’s safeguarding report: period covered
The period covered by an auditor’s safeguarding report must end not more than 53 weeks after the later of:
(1) the date the relevant institution first becomes subject to this chapter;
(2) the date the relevant institution becomes subject to this chapter after being exempt in accordance with SUP 3A.1.1R(2); or
(3) the end of the period covered by the previous report.
Auditor’s safeguarding report: timing of submission
The auditor of a relevant institution must deliver their safeguarding report to the FCA within 4 months of the end of the period covered.
(1) If an auditor expects that it will fail to comply with SUP 3A.9.7R, it must, no later than the end of the 4-month period in question:
(a) notify the FCA that it expects that it will be unable to deliver a safeguarding report by the end of that period; and
(b) ensure that the notification in (a) is accompanied by a full account of the reasons for its expected failure to comply with SUP 3A.9.7R.
(2) If an auditor fails to comply with SUP 3A.9.7R, it must promptly:
(a) notify the FCA of that failure; and
(b) ensure that the notification in (a) is accompanied by a full account of the reasons for its failure to comply with SUP 3A.9.7R.
The rights and duties of auditors are set out in SUP 3A.8 (Rights and duties of auditors) and SUP 3A.9 (Duties of auditors: notification and safeguarding report). An auditor should bear these rights and duties in mind when carrying out safeguarding report work, including whether anything should be notified to the FCA immediately.
An auditor must:
(1) provide the relevant institution with a draft of its safeguarding report so it has an adequate period of time to consider the auditor’s findings and provide the auditor with comments of the kind referred to in SUP 3A.10.1G; and
(2) deliver a copy of the final report to the relevant institution at the same time as it delivers that report to the FCA in accordance with SUP 3A.9.7R.
Auditor’s safeguarding report: requirements not met or inability to form opinion
If the auditor’s safeguarding report states that one or more of the requirements in SUP 3A.9.2R have not been met, the auditor must specify in the report each of those requirements and the respects in which they have not been met.
(1) Whether or not an auditor concludes that one or more of the requirements in SUP 3A.9.2R have been met, the auditor must ensure that the safeguarding report identifies each individual regulation or rule in respect of which a breach has been identified.
(2) If an auditor does not identify a breach of any individual regulation or rule, it must include a statement to that effect in the safeguarding report.
For the purpose of SUP 3A.9.11R and SUP 3A.9.12R, an auditor must ensure that the information prescribed under those rules is submitted using, respectively, Part 1 (Auditor’s Opinion) and Part 2 (Breaches Schedule) of SUP 3A Annex 1.
(1) The FCA expects that the list of breaches will include every breach of a regulation or rule in the relevant funds regime insofar as that regulation or rule is within the scope of the safeguarding report and is identified in the course of the auditor’s review of the period covered by the report, whether identified by the auditor or disclosed to it by the relevant institution, or by any third party.
(2) For the purpose of determining whether to qualify its opinion or express an adverse opinion, the FCA would expect an auditor to exercise its professional judgment as to the significance of a breach of a regulation or rule, as well as to its context, duration and incidence of repetition. The FCA would expect an auditor to consider the aggregate effect of any breaches when judging whether a relevant institution had failed to comply with the requirements in SUP 3A.9.2R.
If an auditor is unable to form an opinion as to whether one or more of the applicable requirements in SUP 3A.9.2R have been met, the auditor must specify in the report under SUP 3A.9.1R those requirements and the reasons why the auditor has been unable to form an opinion.
Method of submission of reports
An auditor of a relevant institution must submit their safeguarding report by electronic means made available by the FCA.
SUP 3A.10 Review of auditor’s safeguarding report
A relevant institution should ensure that:
(1) it considers the draft safeguarding report provided to the institution by its auditor in accordance with SUP 3A.9.10R(1) in order to provide an explanation of:
(a) the circumstances that gave rise to each of the breaches identified in the draft report; and
(b) any remedial actions that it has undertaken or plans to undertake to correct those breaches; and
(2) the explanation provided in accordance with (1):
(a) is submitted to its auditor in a timely fashion and in any event before the auditor is required to deliver a report to the FCA in accordance with SUP 3A.9.7R; and
(b) is recorded in the relevant field in the draft report submitted to it by its auditor.
A relevant institution must ensure that the final safeguarding report delivered to it in accordance with SUP 3A.9.10R(2) is reported to the institution’s governing body.
The FCA expects a relevant institution to use the safeguarding report as a tool to evaluate the effectiveness of the systems it has in place for the purpose of complying with the requirements in SUP 3A.9.2R. Accordingly, a relevant institution should ensure that the report is integrated into its risk management framework and decision-making.
SUP 3A.4.2R provides that a relevant institution must take reasonable steps to ensure that its auditor has the required skill, resources and experience to perform its functions. The FCA expects a relevant institution to keep under review the adequacy of the skill, resources and experience of its auditor and critically assess the content of the safeguarding report as part of that ongoing review.
SUP 3A Annex 1 Auditor’s safeguarding report
Independent auditor’s report on safeguarding to the Financial Conduct Authority in respect of [institution name], firm reference number [number], for the period started [dd/mm/yyyy] and ended [dd/mm/yyyy]
Part 1: Auditor’s Opinion on Safeguarding
We report in respect of [institution name] (‘the institution’) on the matters set out below for the period started [dd/mm/yyyy] and ended [dd/mm/yyyy] (‘the period’).
Our report has been prepared as required by SUP 3A.9.1R and is addressed to the Financial Conduct Authority (‘the FCA’) in its capacity as regulator of payment institutions and electronic money institutions under the Payment Services Regulations 2017 and the Electronic Money Regulations 2011.
Basis of opinion
We have carried out such procedure as we considered necessary for the purposes of this report in accordance with [specify Standard/Guidance used] issued by the [specify organisation name].
This opinion relates only to the period and should not be seen as providing assurance as to any future position, as changes to systems or control procedures may alter the validity of our opinion.
Opinion
In our opinion:
[The institution has maintained] [Except for….the institution has maintained] [Because of….the institution did not maintain] systems adequate to enable it to comply with the relevant funds regime throughout the period since [the last date at which a report was made] [the institution was authorised or registered] [the institution became subject to SUP 3A.10 and we, its auditor, became subject to SUP 3A.9].*
[The institution was] [Except for…the institution was] [Because of….the institution was not] in compliance with the relevant funds regime as at the period end date.*
Other matters
The report should be read in conjunction with the Breaches Schedule that we have prepared and which is appended to it.
[Signature of the partner/individual with primary responsibility within the audit firm] [Typed name of signing individual]
For and on behalf of [Name of the audit firm]
[Registered office]
[Date of report]
Instructions for Part 1
* If the auditor expresses an adverse opinion (ie, states the institution 'did not maintain…' or 'was not in compliance…') they must set out the reasons why. This can be done by reference to items in columns A to D in Part 2 of the auditor's safeguarding report.
If the auditor expresses a qualified opinion (ie, states that 'except for …, the institution has maintained' or that 'except for …, the institution was in compliance') they must do so by reference to items in columns A to D in Part 2 of the auditor's safeguarding report.
Part 2: Identified breaches of the relevant funds regime that occurred during the period
[Institution name], firm reference number [number], for the period started [dd/mm/yyyy] and ended [dd/mm/yyyy]
In accordance with SUP 3A.9.13R, Columns A to D are to be completed by and are the responsibility of the auditor. In accordance with SUP 3A.10.1G, Column E should be completed by the institution. The auditor has no responsibility for the content of Column E.
Column A | Column B | Column C | Column D | Column E
Item No. | Regulation or Rule Reference(s) | Identifying party | Breach Identified | Institution's Comment
1 | | | |
… | | | |
Instructions for Part 2:
In Columns A to D of the above schedule, the auditor is to set out all the breaches of the relevant funds regime by the institution that occurred during the period subject to the auditor's report. These must include the breaches the auditor has identified through its work (such as in the sample testing of reconciliations) and breaches identified by the institution or any other party (such as those included in the institution's breaches register or identified by the FCA). In Column B, the auditor must specify the provision(s) in the Electronic Money Regulations 2011 or Payment Services Regulations 2017, and/or rule(s) in CASS 15 the breach relates to.
In relation to any breach identified, the auditor must provide in column D any information that it has as respects the severity and duration of the breach identified including, where relevant:
The value of a breach is the amount of any shortfall caused by the breach, or the amount of any relevant funds affected or put at risk by the breach.
The auditor must provide a 'nil' return for this part of the report where no breach of the relevant funds regime has been identified.
In Column E, the institution should set out any remedial actions taken (if any) associated with the breaches cited, together with an explanation of the circumstances that gave rise to the breach in question.
