How to prepare for safeguarding audits: A guide for payments firms

Posted: 09/11/2023


Annual safeguarding audits reassure customers – and the FCA – that their funds are protected. And with the regulator coming down hard on firms that don’t comply, preparing for audits is key.

However, while the UK regulator is clear about what they require from you, they don’t set out how you should implement requirements.

So, to give you a bit of clarity and help you prepare for audits, this blog answers some frequently asked questions. We set out who needs audits, what they cover, and eight steps you must take to prepare.


What’s a safeguarding audit?

A safeguarding audit is an independent assessment conducted by auditors. It verifies that you have the appropriate systems and controls to safeguard customer funds.

The primary aim is to make sure you’re meeting the regulatory requirements.


Which firms have to undergo safeguarding audits?

E-money issuing firms must undergo safeguarding audits. Also known as Electronic Money Institutions (EMIs), these firms provide services that allow customers to store funds electronically and use them for transactions.

Payments firms also have to undergo audits. Regulated by the Payment Systems Regulator (PSR), they provide systems for transferring funds between accounts.


What does a safeguarding audit cover?

You can expect audits to cover areas like:

  • the segregation of customer funds;
  • accounting and record-keeping practices;
  • internal controls and risk management processes;
  • technology infrastructure;
  • compliance with requirements; and
  • third-party relationships.


How often should you conduct safeguarding audits?

The FCA doesn’t specify an exact period for an assurance opinion. However, most firms align their audits with their accounting year-end practices.

How many audits you undergo will vary based on your regulatory requirements and risk profile. But they’re typically carried out annually.


What are the common challenges?

You’ll likely encounter these four main operational challenges:

  1. Demonstrating proper segregation of funds
  2. Maintaining secure technology and infrastructure
  3. Managing third-party relationships effectively
  4. Interpreting regulatory guidelines or finding auditors with specialised expertise


What happens when you fail an audit?

A failed safeguarding audit will likely result in regulatory penalties, reputational damage and/or loss of customer trust.

You’ll have to take remedial actions to address identified issues before achieving compliance.


How to prepare for a safeguarding audit in 8 steps?

To prepare for an audit, you should first understand the regulatory framework.

Using these guidelines, you should then take the following eight steps:

  1. Establish robust internal policies and procedures
  2. Ensure customer funds are segregated at all times
  3. Appoint a dedicated safeguarding officer
  4. Conduct regular risk assessments
  5. Maintain detailed records of safeguarding activities
  6. Provide regular employee training on safeguarding measures
  7. Stay informed about the latest regulatory updates
  8. Obtain an independent review of safeguarding arrangements


Three tips to help you prepare for an audit

  1. Understand the flow of customer funds

Before ensuring funds are safeguarded, you should understand where customer funds arise in your business model.

A clear description of systems and controls – and the risks they mitigate – will help you meet the requirements.


  2. Documentation is key

Auditors expect you to have approved policy and procedural documentation in place, which clearly articulates the following:

  • Safeguarding arrangements in the context of a firm’s business model
  • Related processes and controls
  • Records and accounts for safeguarded funds
  • Reconciliation processes and financial controls
  • Banking arrangements
  • Governance arrangements
  • Breach monitoring and reporting

This documentation promotes a positive safeguarding culture and demonstrates your commitment to protecting customer funds.


  3. Get internal assurance

Getting internal assurance before a safeguarding audit will help you identify potential weaknesses and areas of concern. It’s good practice to address known weaknesses proactively. And strengthening your risk management framework is essential.


The bottom line

Payment and e-money issuing firms in the UK must prepare for safeguarding audits. They not only ensure you’re compliant, but they also protect customer funds and maintain trust with regulators and customers.

Much like CASS, safeguarding regulations will no doubt mature and become more prescriptive as audit findings influence guidelines.

Until then, all in-scope firms should prioritise understanding the regulatory framework and implementing robust safeguarding measures.

