Handling your customers’ money is a big responsibility. Whether you’re a fintech that’s offering digital wallets, facilitating payments, or setting up any kind of digital marketplace, the onus is on you to make sure your customers’ funds are protected.
In the UK, this responsibility is enshrined at the heart of financial regulation. Most fintechs are regulated either as electronic money institutions (EMIs) or payment institutions (PIs), and so are required to safeguard their customers’ funds.
An authorised electronic money institution (EMI) in the UK has a licence from the Financial Conduct Authority (FCA) to issue e-money and provide payment services. Wise and Monese are examples of EMIs. These businesses are not authorised to offer credit, hold deposits, or run investment services.
A payment institution (PI) is a type of financial institution that is only authorised to provide payment services e.g. direct debits and money transfers. This kind of business cannot issue e-money or hold customer funds without a payment instruction. Fire and Banking Circle are examples of PIs in the UK.
So what exactly is safeguarding and why does this requirement often pose a challenge for early stage fintechs? In this blog, we break down safeguarding requirements, the pitfalls you may encounter, and what you should look out for when opening a safeguarding account.
What is safeguarding?
If you are operating in the UK as an EMI or a PI , you are required to ensure that your customers won’t lose the majority of the money they’ve entrusted to you in the event that you go out of business. The FCA is clear that all “relevant” funds must be safeguarded. This means any money you hold on behalf of your customer, such as the balance of their digital wallet or money due to be paid out to fulfil a transaction. The regulations are also clear that this safeguarding duty begins at the point of receiving these funds and continues until the funds have been transferred.
Insurance vs. safeguarding accounts
To satisfy this regulatory requirement, EMIs and PIs have two options:
- Safeguarding accounts - A safeguarding account is a special bank account that is ring fenced from all other accounts of a company. This means your customers’ money is held separately from your own funds and never mixes with your operating budget.
- Insurance policies - If you want to hold some or all of your customer money alongside your operational funds, you can buy an insurance policy to cover all relevant funds and ensure they are transferred to a separate bank account in the event of insolvency.
In practice, safeguarding via an insurance policy is impractical and costly for small companies. Most fintechs aim to scale and as they do the value of customer funds increases frequently, making it harder for an insurance company to provide adequate cover. Insurance companies are unwilling to take on the risk of a fund that fluctuates materially on a daily basis, and mostly avoid offering this service. It’s also capital intensive, and early stage fintechs rarely have the balance sheet to support this as their primary method of safeguarding.
The FCA has strict provisions that the policy (or a comparable guarantee) must be provided by a UK authorised insurer or credit institution. Also, the guarantor (i.e. the insurance company) has primary liability for all relevant funds and is responsible for payments in the case of insolvency.
The challenges of traditional safeguarding accounts
While getting a safeguarding account is the most common way EMIs and PIs prefer to meet their regulatory requirements, the process isn’t without its own headaches.
The chicken-and-egg problem: To get regulated as an EMI or PI, you typically need to show that you have arrangements in place to safeguard your future customers’ funds. But most banks won’t actually grant you a safeguarding account unless you are already regulated. Some banks may provide a letter of intent to facilitate the process of registering with the FCA, but the timeline for this letter is uncertain and varies from one institution to the other. The FCA may hold your application while you try to obtain a safeguarding account or letter of intent - but it is possible for the deadline to go by before you obtain either, meaning you have to begin the process again from scratch.
The black box problem: When your fintech comes along with a big chunk of customer money to deposit in a safeguarding account, this poses a problem for the bank. Who does this money belong to, where does it come from, and what is it being used for? The bank has limited visibility of your end customers, which means completing a full risk assessment of your business is going to take some time. The bank will conduct a lengthy review of your financial crime prevention controls and policies to assure themselves that you’re running all the correct identity and verification (ID&V), anti-money laundering, counter-terrorist financing, and anti-fraud checks. This review process can take months and banks will typically charge a hefty upfront fee to cover their costs - with no guarantee that they will grant you a safeguarding account at the end of it.
The pooled account problem: EMIs and PIs have to carry out reconciliation according to FCA standards. Funds shown on customer balances must be moved to the safeguarding account no later than one business day after the first transfer has been deposited, and customer balances on the balance sheet should match the amount in the safeguarded account excluding the fees collected. But when all your customer funds are sitting in one pooled safeguarding account - which is what is typically offered by most banks - it can be difficult to see whose money is where.
The FCA expects that your records will show compliance with all safeguarding provisions at all times. In practice, this means most fintechs have to build or buy a separate ledger to track all customer transactions in and out of the pooled safeguarding account. This is a time-consuming, expensive and often imperfect solution - as things can still get out of sync, exposing your company to risk.
Choosing the right safeguarding account provider
Safeguarding is a cornerstone of UK financial regulation and essential for protecting customers. But that doesn’t mean safeguarding requirements should be a barrier to entry for early-stage fintechs trying to bring innovative new products to market.
At Griffin, we believe safeguarding accounts should help solve some of the common pain points new fintechs encounter when trying to meet regulatory requirements. When our application to become a bank is approved by the FCA and Prudential Regulation Authority (PRA), we’ll offer safeguarding accounts as part of our API-first Banking as a Service (BaaS) platform. However, whichever provider you choose, there are a few things that are essential to consider when seeking the best bank for safeguarding accounts.
- Speed to open. Opening a safeguarding account with a traditional bank can take up to six months (or more) - that’s a long time for a start-up with limited runway! This is typically due to the need for banks to manually review your financial crime prevention controls and run spot checks on cross-sections of your customer base. Banks that automate this process are able to carry out these reviews faster and assess your risk profile far quicker than the more legacy approach taken by incumbent banks (at the very least, they’ll give you a quicker “no” if they decide you fall outside their risk appetite). Plus, increased visibility reduces risk for everyone.
- Segregated customer accounts and an integrated ledger. Most banks will offer you one big pooled safeguarding account for all your customer funds - which puts the burden of tracking those funds squarely on you. Banks that offer real named bank accounts for each of your customers go a long way towards solving this problem by significantly reducing windows of error where your records are out of sync with the actual location of the funds. Dedicated account numbers also reduce payment errors and create a better experience for the end user. It can be very expensive to layer your own ledger technology on top of a pooled safeguarding account. Built-in ledger technology is enabled by segregated customer accounts, where every transaction is written to an immutable ledger in real-time replacing error-ridden manual processes typically done via spreadsheets and easing your reconciliation burdens.
- Decision logging and audit trail. The golden rule of compliance is that you have to be able to show your work. If you didn’t record it, it didn’t happen as far as the regulator is concerned. EMIs and PIs are required, at minimum, to perform an annual audit to show the rationale behind all safeguarding decisions and that funds are being safeguarded properly. A safeguarding provider that can provide a robust audit trail and help you automate your reporting is key to meeting this regulatory requirement.
- A banking partner that understands your business. Banking is a famously risk-averse business and most established players are wary of small, tech-enabled outfits trying to innovate in the financial services space. A banking partner with a deep understanding of the fintech space - and a vested interest in seeing it grow - would be a more long-term and stable safeguarding provider for fintechs.
Want to see how Griffin’s platform will approach safeguarding accounts? Try it out in our sandbox.