The Financial Conduct Authority (FCA) today warned that some financial technology (fintech) firms present an ‘unacceptable risk of harm’ to customers and to the broader financial system as a result of inadequate safeguarding and risk management practices.
The warning came in a ‘Dear CEO’ letter from Matthew Long, the FCA’s director of payments and digital assets, to the heads of UK payments firms and electronic money (e-money) institutions.
Earlier this year the UK Chancellor, Jeremy Hunt, said he wanted to turn the UK into ‘the world’s next Silicon Valley’. Hunt called out payments firms Monzo and Revolut specifically as ‘shining examples’ of the UK’s ‘world-beating’ fintech sector.
FCA warning follows SVB collapse
The FCA’s warning comes six days after the failure of Silicon Valley bank, which was followed by a bailout by US authorities of all the bank’s depositors, including a large number of US venture capital and fintech firms. Many of these firms had left deposits at the bank far in excess of the $250,000 limit guaranteed by federal deposit insurance.
According to the FCA, the risk of customer harm from fintechs is being heightened by the tightening economic conditions and the cost-of-living crisis.
In today’s letter, the FCA highlighted what it saw as specific problems in fintechs’ safeguarding of client money.
In July 2020, the FCA published new guidance requiring any e-money or payment firm that conducts a regular financial audit also to conduct an annual audit of its safeguarding arrangements.
“We are not being consistently informed of adverse findings”
However, last week I reported that many fintechs were not doing so and the FCA was failing to keep tabs on compliance with its own rules.
“Some firms have not yet appointed [safeguarding] auditors and we are not being consistently informed of adverse findings or the actions being taken to address them,” the FCA said today.
New requirements for fintechs and their auditors
A fintech firm, the FCA said in its new letter, should appropriately document its process to identify safeguarded funds and undertake internal and external reconciliations at least once a day to ensure that those funds are ‘adequate and not excessive’.
It should ensure, the FCA went on, that the accounts in which safeguarded funds are held meet the regulator’s requirements and are supported by the appropriate documentary evidence.
Fintechs should also maintain appropriate records to enable an insolvency practitioner to identify the customer to which the funds it holds relate, the regulator said.
Many fintechs, the FCA said, do not have adequate wind-down plans
Henceforth, the regulator said, fintechs’ auditors and the firms themselves should notify it of any lapses in safeguarding.
“A firm’s auditor is required to tell us if it has become aware in its capacity as an auditor that, in its opinion, there is or has been, may be or may have been, a breach of any requirements imposed by or under the Payment Services Regulations or Electronic Money Regulations that is of material significance to us. This includes a breach of the safeguarding requirements and the organisational arrangements requirement,” the FCA said.
“Firms should notify us in writing without delay if in any material respect they have not complied with or are unable to comply with safeguarding requirements.”
Not ready to wind down
The FCA also sounded a warning about fintechs’ preparedness to go out of business. UK fintechs and banks are supposed to write wind-down plans to document what would happen if they did so.
However, many fintechs, the regulator said, do not have adequate wind-down plans, and those it has received often appear over-optimistic about the time it would take to wind a firm down, contain insufficient detail and fail to consider the appropriate triggers for winding down and the likely costs that would be borne by clients.
The FCA noted that “macroeconomic conditions remain challenging and many firms are unprofitable and reliant on external funding for survival”.
No submission requirement or deadline
However, the FCA did not specify a date by which safeguarding audits should be completed. It also failed to require that firms’ safeguarding audits be filed with it as a matter of course or disclosed to the public.
The central bank set a July 31 2023 deadline for Irish payments and e-money firms to send it a safeguarding audit opinion
This approach contrasts with the approach taken by Ireland’s central bank.
In January, the Central Bank of Ireland published its own ‘Dear CEO’ letter on what it saw as safeguarding deficiencies in many Irish payments and e-money firms.
The central bank set a July 31 2023 deadline for Irish payments and e-money firms to send it a safeguarding audit opinion, along with a board response on the outcome of the audit.
Sign up here for the New Money Review newsletter
Click here for a full list of episodes of the New Money Review podcast: the future of money in 30 minutes
Related content from New Money Review
Revolut blocked large Friday withdrawal, says VC firm
No clarity on Revolut safeguarding
Silicon Valley bank run depegs USDC
