Home Knowledge Central Bank Safeguarding Notice to PI/EMI Firms on audit requirements

Central Bank Safeguarding Notice to PI/EMI Firms on audit requirements

On 25 May 2023, the Central Bank of Ireland (Central Bank) issued a Safeguarding Notice (the Safeguarding Notice) to Payment Institutions (PIs) and Electronic Money Institutions (EMIs) on safeguarding audit requirements under the Payment Services Regulations (PSR)/Electronic Money Regulations (EMR).



The Central Bank first flagged the safeguarding audit requirements for PIs and EMIs authorised in Ireland in a Dear CEO letter dated 20 January 2023 (the Dear CEO Letter).

Please see our briefing here for further information on the Dear CEO Letter, which highlighted weaknesses and risks within PIs and EMIs and specified that an audit of compliance with the safeguarding requirements under the PSR/EMR (as appropriate) should be carried out by an audit firm.

The Dear CEO Letter also provided that safeguarding audit reports must capture whether the firm maintains adequate organisational arrangements to meet safeguarding requirements under PSR/EMR on an ongoing basis and cover specific areas of review and assurance set out therein.

The Safeguarding Notice

The Safeguarding Notice was published following discussions between the Central Bank and Chartered Accountants Ireland (CAI) on the appropriate engagement and format for safeguarding audits. The CAI will issue guidance to their members on this topic in due course.

The Safeguarding Notice provides more detailed guidance for firms in relation to the description of aspects of their organisational arrangements (the Description) in place on 31 December 2022 to secure their compliance with the relevant safeguarding requirements under the PSR/EMR.

The Description should include details of processes and controls in place around the governance and oversight of compliance with safeguarding rules including:

  • A detailed description of the firm’s safeguarding framework, including oversight arrangements by the Board of Directors, details of reporting lines, and implementation of the three lines of defence.
  • The process implemented by a firm to identify which of its services could potentially give rise to the firm holding “user funds”.
  • Details of the IT systems used to meet safeguarding obligations.
  • The processes and controls:
    • to consistently identify (i) which funds are “user funds” which must be safeguarded and (ii) when such funds cease to be “user funds”;
    • to appoint an appropriate third-party bank for safeguarding, including initial and ongoing due diligence, terms and conditions to ensure that the accounts are appropriately segregated from the assets of the regulated firm and third party bank;
    • to (i) limit access to safeguarding accounts, (ii) prevent co-mingling, and (iii) ensure daily reconciliations are performed and reviewed;
    • to identify potential or actual breaches of safeguarding requirements;
    • for insurance policy/comparable guarantee;
    • to ensure the liquidity of safeguarding arrangements facilitates redemption of e-money at any time and the timely execution of payment transactions;
    • to ensure that user funds are not invested in liquid asses with Central Bank approval to do so.

Assertion by the Board of Directors

A firm’s assertion, approved by its Board of Directors, should state that in all material respects:

  • the Description is fairly presented.
  • the controls and processes included in the Description were operating as described at the reference date.

Auditor Assurance and Attestation

The auditor must perform a reasonable assurance attestation engagement (conducted per ISAE 3000 requirements) concerning the firm’s assertion.

This review engagement by the auditor will include consideration of:

  • the firm’s description of relevant arrangements,
  • analysis of information provided by the firm,
  • meetings with management and
  • consideration of any gaps or deficiencies identified by the firm or the auditor based on their professional experience and judgment.

The auditor must prepare a report describing the work performed and their professional view of the relevant arrangements.  The Safeguarding Notice provides that the auditors should express their conclusion in a positive form as to whether, in their opinion, the description prepared by the firm is fairly presented based on the same criteria used by directors to make the assertion set out above and whether the processes and controls as set out in the description at the reference date are fairly presented.

However, this engagement with an auditor will not provide assurance on whether the arrangements are appropriately designed to comply with the safeguarding requirements of the PSR/EMR.

Gaps in processes and controls identified

The firm should consider and formally document any gaps identified in its processes and controls relating to organisational arrangements in place at the reference date that could impact compliance with the safeguarding requirements of PSR/EMR.


Each firm should submit a report to the Central Bank by 31 October 2023 (which is an extension of the original deadline of 31 July 2023 as set out in the Dear CEO letter).

How can William Fry assist you?

William Fry has experience in guiding firms in relation to the regulatory landscape relating to safeguarding of user funds, and our team is available to support you in a review and assessment of compliance of safeguarding arrangements with respect to the PSR/EMR.