Skip Navigation
How A2CO Can Support PI and EMI Safeguarding
We support PIs, EMIs and applicants with practical safeguarding advice, reviews and assurance support.
Our work can include:
- safeguarding framework, policy and procedure reviews;
- reviews of safeguarding account structures, operational flows and reconciliation controls;
- annual safeguarding audit readiness and support;
- safeguarding reviews as part of wider Internal Audit engagements;
- third-party provider due diligence and concentration risk assessments;
- PSD3-related safeguarding gap assessments;
- Board reporting, management information and escalation enhancements; and
- winding-up and safeguarded funds return planning.
Our focus is practical: helping firms assess whether their safeguarding arrangements are properly designed, clearly documented and operating effectively in practice.
PI and EMI Safeguarding Requirements and Support in Malta
PI and EMI safeguarding requires client funds to be properly identified, protected, reconciled and capable of being returned when required. For Payment Institutions and Electronic Money Institutions, safeguarding is not simply a finance process or a year-end audit item. It is a key part of the regulatory model and supports regulatory compliance, sound governance, operational discipline and client trust.
PI and EMI Safeguarding at a Glance
A2CO supports Payment Institutions and Electronic Money Institutions with the review of safeguarding frameworks, policies, account structures, reconciliation controls and third-party arrangements.
Our support can also cover annual safeguarding audit readiness, Internal Audit engagements, PSD3 gap assessments and safeguarded funds return planning.
Why Safeguarding Matters for Payment Institutions and EMIs
Unlike banks, PIs and EMIs do not take deposits. Instead, the protection of client funds is achieved through safeguarding arrangements.
This means firms need clear processes to identify client funds, segregate them from their own funds, maintain accurate records, perform effective reconciliations, monitor safeguarding providers and escalate issues where needed.
In practice, safeguarding can become more complex as firms grow. Multiple products, payment flows, currencies, settlement chains, agents, distributors, merchant acquiring arrangements, refunds, chargebacks and outsourced providers can all affect how safeguarding controls operate.
The question is not only whether a safeguarding account exists. The key question is whether the firm can evidence that its safeguarding arrangements work effectively in practice.
Malta Safeguarding Requirements for PIs and EMIs
For Malta-authorised PIs and EMIs, safeguarding requirements are already in force under the Financial Institutions Act framework, the Financial Institutions Act (Safeguarding of Funds) Regulations and FIR/03.
FIR/03 sets out detailed expectations around areas such as:
- identification of client funds subject to safeguarding;
- when safeguarding starts and ceases;
- safeguarding account structures;
- safeguarding policies and procedures;
- acknowledgement letters;
- internal controls and records;
- appointment of a safeguarding responsible person;
- third-party due diligence and periodic review;
- reconciliation processes; and
- annual safeguarding audits.
These requirements already form part of the ongoing compliance framework for PIs and EMIs.
The forthcoming PSD3 and PSR package is expected to reinforce supervisory focus on safeguarding, particularly in areas relating to safeguarding timing, user disclosures, concentration risk and winding-up planning.
Safeguarding Framework, Policy and Procedure Reviews
A safeguarding framework should reflect the institution’s actual business model, payment flows, safeguarding method and operating structure.
We can assist firms with reviewing whether their safeguarding policies and procedures clearly address areas such as:
- the identification of client funds;
- safeguarding account arrangements;
- roles and responsibilities;
- reconciliation processes;
- exception management;
- escalation procedures;
- provider oversight;
- management information; and
- Board reporting.
The review can consider both the design of the safeguarding controls and whether they are being implemented effectively in practice.
Safeguarding Reconciliations and Client Fund Records
Effective safeguarding depends on complete and accurate client fund records and reliable reconciliation controls.
Reconciliations may need to account for:
- settlement timing differences;
- funds in transit;
- multiple currencies;
- refunds and chargebacks;
- fees and deductions;
- agent or distributor balances;
- merchant acquiring flows; and
- balances held across different safeguarding providers.
Where differences arise, firms should have clear processes for investigation, escalation and correction.
The appropriate reconciliation approach will depend on the institution’s business model, safeguarding method, account structure and operational flows.
PI and EMI Safeguarding at a Glance
A2CO supports Payment Institutions and Electronic Money Institutions with the review of safeguarding frameworks, policies, account structures, reconciliation controls and third-party arrangements.
Our support can also cover annual safeguarding audit readiness, Internal Audit engagements, PSD3 gap assessments and safeguarded funds return planning.
Why Safeguarding Matters for Payment Institutions and EMIs
Unlike banks, PIs and EMIs do not take deposits. Instead, the protection of client funds is achieved through safeguarding arrangements.
This means firms need clear processes to identify client funds, segregate them from their own funds, maintain accurate records, perform effective reconciliations, monitor safeguarding providers and escalate issues where needed.
In practice, safeguarding can become more complex as firms grow. Multiple products, payment flows, currencies, settlement chains, agents, distributors, merchant acquiring arrangements, refunds, chargebacks and outsourced providers can all affect how safeguarding controls operate.
The question is not only whether a safeguarding account exists. The key question is whether the firm can evidence that its safeguarding arrangements work effectively in practice.
Malta Safeguarding Requirements for PIs and EMIs
For Malta-authorised PIs and EMIs, safeguarding requirements are already in force under the Financial Institutions Act framework, the Financial Institutions Act (Safeguarding of Funds) Regulations and FIR/03.
FIR/03 sets out detailed expectations around areas such as:
- identification of client funds subject to safeguarding;
- when safeguarding starts and ceases;
- safeguarding account structures;
- safeguarding policies and procedures;
- acknowledgement letters;
- internal controls and records;
- appointment of a safeguarding responsible person;
- third-party due diligence and periodic review;
- reconciliation processes; and
- annual safeguarding audits.
These requirements already form part of the ongoing compliance framework for PIs and EMIs.
The forthcoming PSD3 and PSR package is expected to reinforce supervisory focus on safeguarding, particularly in areas relating to safeguarding timing, user disclosures, concentration risk and winding-up planning.
Safeguarding Framework, Policy and Procedure Reviews
A safeguarding framework should reflect the institution’s actual business model, payment flows, safeguarding method and operating structure.
We can assist firms with reviewing whether their safeguarding policies and procedures clearly address areas such as:
- the identification of client funds;
- safeguarding account arrangements;
- roles and responsibilities;
- reconciliation processes;
- exception management;
- escalation procedures;
- provider oversight;
- management information; and
- Board reporting.
The review can consider both the design of the safeguarding controls and whether they are being implemented effectively in practice.
Safeguarding Reconciliations and Client Fund Records
Effective safeguarding depends on complete and accurate client fund records and reliable reconciliation controls.
Reconciliations may need to account for:
- settlement timing differences;
- funds in transit;
- multiple currencies;
- refunds and chargebacks;
- fees and deductions;
- agent or distributor balances;
- merchant acquiring flows; and
- balances held across different safeguarding providers.
Where differences arise, firms should have clear processes for investigation, escalation and correction.
The appropriate reconciliation approach will depend on the institution’s business model, safeguarding method, account structure and operational flows.
Annual Safeguarding Audit Support
FIR/03 requires safeguarding arrangements to be subject to annual audit. Firms should therefore prepare well before the audit cycle starts.
We help institutions assess safeguarding audit readiness, identify potential gaps, review supporting documentation and test the controls that underpin safeguarding.
This can include reviewing:
- safeguarding reconciliations;
- client fund records;
- safeguarding account documentation;
- escalation procedures;
- third-party arrangements;
- policies and procedures; and
- evidence supporting the operation of key controls.
Early preparation can help reduce last-minute pressure and support a smoother annual safeguarding audit process.
PI and EMI Safeguarding Internal Audit, Provider Risk and PSD3 Readiness
Safeguarding Internal Audit Support
Safeguarding can also be reviewed as part of a wider Internal Audit plan.
We can assist with Internal Audit engagements focused on safeguarding, including testing both the design and operating effectiveness of controls.
This may be particularly useful where:
- safeguarding is a material risk area;
- product or payment flows have changed;
- a new safeguarding provider has been appointed;
- recurring reconciliation exceptions have been identified;
- weaknesses have been raised during an external audit; or
- the firm wants independent assurance before an external audit or regulatory review.
The review can cover governance, reconciliations, provider oversight, policy implementation, exception management and reporting to the Board or Audit Committee.
Safeguarding Provider Due Diligence and Concentration Risk
The appointment of a safeguarding provider should not be treated as a one-time exercise.
Firms may need to assess and periodically review factors such as:
- the provider’s financial and operational resilience;
- safeguarding account terms;
- acknowledgement documentation;
- geographic exposure;
- operational dependency;
- concentration risk;
- contingency arrangements; and
- the availability of alternative providers.
Concentration risk may not always be capable of being eliminated. However, it should be identified, assessed, monitored and managed as part of the wider safeguarding framework.
PSD3 and PSR Safeguarding Readiness
Safeguarding obligations already apply today. However, the evolving EU payments framework means firms should also consider whether their arrangements remain suitable for the next phase of regulation.
The forthcoming PSD3/PSR package is expected to reinforce supervisory focus on safeguarding, with PSD3 in particular introducing or sharpening expectations around; :
- safeguarding timing;
- transparency and disclosures to users;
- concentration risk;
- winding-up planning; and
- the return of safeguarded funds.
For existing PIs and EMIs, this makes safeguarding an important part of broader regulatory readiness.
We help firms assess these developments in a practical way and identify where existing policies, procedures, disclosures, reconciliations, provider arrangements or Board reporting may need to be enhanced.
Wind-Down and Safeguarded Funds Return Planning
A firm should be able to identify and return safeguarded funds if it enters wind-down or experiences serious operational or financial stress.
Effective planning may need to consider:
- ownership and responsibility;
- access to accurate client fund records;
- reconciliation at the point of wind-down;
- operational access to safeguarding accounts;
- cooperation from safeguarding providers;
- communication arrangements;
- the sequencing of fund returns; and
- supporting documentation.
The precise approach will depend on the institution’s business model, operating structure and safeguarding arrangements.
Safeguarding Internal Audit Support
Safeguarding can also be reviewed as part of a wider Internal Audit plan.
We can assist with Internal Audit engagements focused on safeguarding, including testing both the design and operating effectiveness of controls.
This may be particularly useful where:
- safeguarding is a material risk area;
- product or payment flows have changed;
- a new safeguarding provider has been appointed;
- recurring reconciliation exceptions have been identified;
- weaknesses have been raised during an external audit; or
- the firm wants independent assurance before an external audit or regulatory review.
The review can cover governance, reconciliations, provider oversight, policy implementation, exception management and reporting to the Board or Audit Committee.
Safeguarding Provider Due Diligence and Concentration Risk
The appointment of a safeguarding provider should not be treated as a one-time exercise.
Firms may need to assess and periodically review factors such as:
- the provider’s financial and operational resilience;
- safeguarding account terms;
- acknowledgement documentation;
- geographic exposure;
- operational dependency;
- concentration risk;
- contingency arrangements; and
- the availability of alternative providers.
Concentration risk may not always be capable of being eliminated. However, it should be identified, assessed, monitored and managed as part of the wider safeguarding framework.
PSD3 and PSR Safeguarding Readiness
Safeguarding obligations already apply today. However, the evolving EU payments framework means firms should also consider whether their arrangements remain suitable for the next phase of regulation.
The forthcoming PSD3/PSR package is expected to reinforce supervisory focus on safeguarding, with PSD3 in particular introducing or sharpening expectations around; :
- safeguarding timing;
- transparency and disclosures to users;
- concentration risk;
- winding-up planning; and
- the return of safeguarded funds.
For existing PIs and EMIs, this makes safeguarding an important part of broader regulatory readiness.
We help firms assess these developments in a practical way and identify where existing policies, procedures, disclosures, reconciliations, provider arrangements or Board reporting may need to be enhanced.
Wind-Down and Safeguarded Funds Return Planning
A firm should be able to identify and return safeguarded funds if it enters wind-down or experiences serious operational or financial stress.
Effective planning may need to consider:
- ownership and responsibility;
- access to accurate client fund records;
- reconciliation at the point of wind-down;
- operational access to safeguarding accounts;
- cooperation from safeguarding providers;
- communication arrangements;
- the sequencing of fund returns; and
- supporting documentation.
The precise approach will depend on the institution’s business model, operating structure and safeguarding arrangements.
Who We Support
We work with:
- authorised Payment Institutions;
- authorised Electronic Money Institutions;
- applicants preparing for authorisation;
- firms preparing for annual safeguarding audits;
- firms undergoing regulatory or Internal Audit reviews;
- firms updating their safeguarding arrangements;
- Boards and senior management;
- compliance teams;
- finance teams;
- risk teams; and
- Internal Audit functions.
Who We Support
We work with:
- authorised Payment Institutions;
- authorised Electronic Money Institutions;
- applicants preparing for authorisation;
- firms preparing for annual safeguarding audits;
- firms undergoing regulatory or Internal Audit reviews;
- firms updating their safeguarding arrangements;
- Boards and senior management;
- compliance teams;
- finance teams;
- risk teams; and
- Internal Audit functions.
Our Approach
We combine regulatory knowledge with practical control testing.
Our reviews are tailored to the firm’s business model, product flows, safeguarding method, account structure, operating structure and risk profile.
We focus on what matters in practice: whether client funds are properly identified, segregated, reconciled, monitored and capable of being returned.
Frequently Asked Questions
Safeguarding is the framework through which a PI or EMI identifies, protects and monitors relevant client funds. It includes appropriate account arrangements, accurate records, reconciliation controls, provider oversight, governance and processes for returning funds when required.
Yes. Safeguarding can be reviewed through an Internal Audit engagement that tests the design and operating effectiveness of the institution’s controls, governance, reconciliations, provider oversight and issue-escalation processes.
Safeguarding requirements apply under the relevant regulatory framework. The precise treatment of funds can depend on the institution’s activities, business model, payment flows and the nature of the funds involved.
Existing safeguarding obligations already apply. The forthcoming PSD3/PSR package is expected to reinforce focus on safeguarding, with PSD3 in particular addressing areas such as safeguarding timing, user disclosures, concentration risk and winding-up planning, subject to the final framework.
An annual safeguarding audit is an independent assessment of the institution’s safeguarding arrangements against the applicable requirements. Firms should prepare by reviewing their policies, records, reconciliations, provider arrangements and evidence of control operation.
Preparation can include reviewing safeguarding policies, account documentation, client fund records, reconciliations, exception handling, provider due diligence and evidence that key controls have operated effectively throughout the relevant period.
The reconciliation process should reflect the institution’s business model, safeguarding method and account structure. It may need to address settlement timing differences, funds in transit, fees, refunds, chargebacks, foreign exchange and balances held through agents or distributors.
Speak to A2CO About PI and EMI Safeguarding
Partner
Partner
"*" indicates required fields