Key considerations
The safeguarding section of the regulation has been significantly bolstered, raising the compliance bar and detailing regulator expectations. This includes requirements related to reconciliations, policies, transfers, audit and notification requirements, responsible persons, and credit institutions.
FIs should ensure compliance with the new requirements immediately, as the full extent of the new rule came into force on 15 December 2024. For some institutions, achieving compliance may necessitate changes in systems, processes and operations and this may also impact the level of human resources or automation required. Here are the most critical aspects:
1. Safeguarding account
FIs must safeguard client funds in EU credit institutions or branches of third-country credit institutions in Malta. This may be challenging for organisations based outside Europe (e.g., UK) using non-EU credit institutions. FIs should review their arrangements to ensure compliance and notify the MFSA of any changes.
2. Reconciliations
The regulator mandates that financial institutions (FIs) regularly perform reconciliations between the balance of clients’ funds recorded in their internal systems and the actual balance held in safeguarding accounts with third parties.
In determining the frequency of these reconciliations Fis should consider several factors. This includes the risks faced by the FI, the size and complexity of its business, and the outcomes of periodic reviews performed on the credit institutions used for safeguarding purposes. Risks are generally considered to be greater, where the FIs invest client funds and/or permit merchants to transact in multiple currencies.
Additionally, the regulation mandates that any reconciliation discrepancies (shortfall/surplus) are corrected as soon as practicable and by no later than the same business day.
In meeting the above regulatory expectations, we have noted that the FIs are facing certain challenges as follows:
- Multiple currency payments: Processing transactions in multiple currencies may increase the complexity of the reconciliation process particularly when the exchange rates applying to incoming and outgoing flows vary.
- Safeguarding method: Using an indirect method to safeguard client funds adds a layer of complexity to the reconciliation process.
- Man-power: The reconciliation process can be, a rather labour-intensive activity, particularly when these are complex and the use of automation is limited. This presents a greater challenge when these reconciliations are expected to be performed frequently.
- Relevant funds identification: It may be technically challenging for FIs to distinguish between relevant funds and funds that are still in transit unless their systems are configured to support it.
3. Policies and procedures
FIs must demonstrate they have adequate internal control mechanisms to minimise the risk of loss of relevant funds through fraud, misuse, or negligence. This includes a well-documented and Board-approved safeguarding policy detailing the safeguarding methodology, governance arrangements, critical systems, third-party assessments, and reconciliation methodology.
Additionally, FIs should have a dedicated reconciliation procedure that is detailed and clear, covering data sources, the controls to ensure the accuracy, completeness and integrity of the data used in the reconciliation, actions for reconciliation breaks, and rationale for reconciliation frequencies. FIs must ensure that their policies and procedures accurately reflect current practices.
4. Notification, reporting and audit requirements
The regulator has introduced several mechanisms for ongoing monitoring of FIs safeguarding arrangements:
- FIs must notify the regulator ahead of changes in safeguarding arrangements.
- FIs must submit the FI return within 30 days after each quarter, including a section on safeguarding.
- An annual safeguarding audit must be conducted by an independent auditor with the necessary skills and experience.
- Internal audit functions must promptly inform the authority of any potential breaches of safeguarding requirements.