EMI Safeguarding Audit vs AML Audit: What UK Payment Firms Get Wrong


Confused About EMI Audit Requirements?

Many UK e-money institutions and payment firms mistakenly treat safeguarding and AML audits as the same obligation. This confusion leads to regulatory breaches and customer fund risks. ComplyFactor provides specialized audit services for both requirements:

  • Independent Safeguarding Audits: FCA-compliant client money protection reviews
  • AML Compliance Audits: Comprehensive financial crime control assessments
  • Combined Audit Programs: Efficient approach covering both regulatory obligations
  • Remediation Support: Fix audit findings before FCA enforcement


Walk into most UK payment institutions or electronic money institutions and ask about their audit requirements, and you’ll likely hear: “We do an AML audit every year.” Press further about safeguarding audits, and the response often shifts to uncomfortable silence or confusion. “Isn’t that the same thing?”

This fundamental misunderstanding represents one of the most prevalent compliance failures among e-money institutions and payment service providers. Despite operating under distinct regulatory frameworks—the Electronic Money Regulations 2011 and Payment Services Regulations 2017 for safeguarding, and the Money Laundering Regulations 2017 for AML—many firms incorrectly conflate these separate obligations into a single annual audit exercise.

The consequences extend beyond regulatory paperwork. Safeguarding audits protect customer funds from insolvency risk; AML audits test the controls that keep criminals off your payment rails. Treating them as interchangeable leaves gaps in both areas: customers face fund-loss risk, and the institution faces Financial Conduct Authority enforcement action.

This comprehensive guide clarifies the fundamental differences between EMI safeguarding audits and AML audits, explains what each examination entails, identifies the common mistakes that UK payment firms make, and provides actionable guidance for meeting both obligations effectively.

What is a Safeguarding Audit for EMI and Payment Institutions?

A safeguarding audit verifies that electronic money institutions and payment institutions protect customer funds in accordance with regulatory requirements. Under the Electronic Money Regulations 2011 (EMRs) and Payment Services Regulations 2017 (PSRs), firms holding customer funds must implement specific protections ensuring these monies remain available to customers even if the institution becomes insolvent.

The safeguarding obligation serves a consumer protection purpose fundamentally different from financial crime prevention. When customers load funds onto e-money products or when payment institutions hold customer money during transaction processing, these funds legally belong to customers, not the institution. Safeguarding ensures customers can recover their money if the firm fails.

The Legal Basis for Safeguarding Audits

Regulations 20 and 21 of the Electronic Money Regulations 2011 (the segregation and insurance options respectively) and Regulation 23 of the Payment Services Regulations 2017 establish the safeguarding requirement. These regulations implemented the European Electronic Money Directive (EMD2) and Payment Services Directive 2 (PSD2) in the UK; although they originated in EU law, they are UK statutory instruments and remain in force as domestic law after Brexit.

The FCA’s approach to safeguarding supervision has intensified following several high-profile payment firm failures where customer funds were inadequately protected. The regulator now expects rigorous safeguarding arrangements with robust governance, systematic reconciliation, and independent verification.

HM Treasury and the FCA have signaled that safeguarding requirements will be strengthened as part of the reforms flowing from the Financial Services and Markets Act 2023, which allows the current regulations to be replaced by rules in the FCA Handbook and is expected to bring more stringent protections for customer funds held by payment and e-money institutions.

What Safeguarding Actually Means in Practice

Safeguarding requires institutions to protect customer funds through one of two methods permitted under the regulations.

The segregation method requires institutions to deposit customer funds in one or more separate accounts held at an authorized credit institution (typically a bank). These accounts must be clearly designated as safeguarding accounts and contain only customer ("relevant") funds, so that in an insolvency they are ring-fenced from the institution’s other creditors and form the pool from which customers are repaid. The funds cannot be used for the institution’s own purposes or commingled with its operational capital.

The insurance or guarantee method allows institutions to hold customer funds alongside operational funds, provided the customer funds are covered by an insurance policy or comparable guarantee from an authorized insurer or credit institution that is not part of the institution’s own group, with any payout going into a separate account for customers. This method is less common among UK EMIs due to cost and complexity.

Most UK electronic money institutions and small payment institutions use the segregation method, depositing customer funds in safeguarding accounts at their banking partners. However, many firms misunderstand the operational requirements this creates.

Effective safeguarding requires continuous reconciliation between the amount of customer funds received, the balance in safeguarding accounts, and the institution’s outstanding liability to customers. This daily reconciliation ensures customer funds are properly protected at all times, not merely at month-end when financial statements are prepared.

The Purpose of Independent Safeguarding Audits

The FCA requires electronic money institutions and certain payment institutions to obtain independent audits of their safeguarding arrangements. These audits verify that the institution’s safeguarding procedures comply with regulatory requirements and that customer funds are actually protected as intended.

Safeguarding audits examine whether the firm:

  • accurately calculates its safeguarding requirement (the amount of customer funds requiring protection);
  • maintains proper segregation of customer funds from operational funds;
  • conducts timely and accurate reconciliations of safeguarding accounts;
  • has adequate systems and controls to ensure ongoing compliance; and
  • properly documents all safeguarding arrangements and processes.

The audit serves as independent assurance to the FCA and customers that funds are genuinely protected. Unlike AML audits which focus on detecting and preventing financial crime, safeguarding audits focus on protecting customer assets from institutional failure.


COMMON MISTAKE

Many EMIs believe safeguarding only requires keeping customer funds in a separate bank account. The regulatory obligation extends much further—requiring daily reconciliation, accurate liability calculations, proper documentation, and independent audit verification. Simply having a designated account without these operational controls leaves customer funds at risk and creates regulatory breach exposure.

What is an AML Audit for Payment Institutions?

An AML audit examines whether a payment institution or electronic money institution has implemented effective anti-money laundering and counter-terrorist financing controls in compliance with the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017.

Unlike safeguarding audits which protect customer funds from business failure, AML audits assess controls preventing criminals from exploiting payment services for money laundering, terrorist financing, or sanctions evasion. The audit evaluates your firm’s financial crime risk management framework across governance, risk assessment, customer due diligence, transaction monitoring, suspicious activity reporting, and staff training.

The Legal Basis for AML Audits

The Money Laundering Regulations 2017 (MLR 2017) establish anti-money laundering obligations for payment institutions and e-money institutions. Regulation 21(1)(c) requires a firm, “where appropriate with regard to the size and nature of its business”, to establish “an independent audit function” to examine and evaluate the adequacy and effectiveness of its AML policies, controls and procedures and to make recommendations.

MLR 2017 does not mandate an annual external audit: the requirement is for an independent audit function, qualified by proportionality. In practice, however, the FCA’s supervisory expectations and industry practice have made annual independent AML audits the standard for authorized payment and e-money institutions. Firms without a dedicated internal audit team typically engage external specialists to fulfill this requirement.

The FCA’s approach to AML supervision intensified following the UK’s 2018 mutual evaluation by the Financial Action Task Force (FATF), which identified deficiencies in the UK’s supervision of money service businesses and payment firms. The regulator now conducts more frequent examinations and expects robust, documented evidence of control effectiveness.

Core Elements of AML Audits for EMIs and Payment Institutions

AML audits for electronic money institutions and payment institutions examine several critical control areas that align with MLR 2017 requirements and FCA supervisory expectations.

Governance and oversight assessment examines whether your board and senior management actively oversee AML compliance, your Money Laundering Reporting Officer (MLRO) has appropriate authority and resources, you have clear accountability across your three lines of defense, and management information on financial crime risks reaches decision-makers effectively.

Business-wide risk assessment review evaluates whether your firm-wide risk assessment comprehensively identifies money laundering and terrorist financing risks specific to your business model, payment products, customer base, and geographic exposure. The audit tests whether this risk assessment is current, drives your control design, and is reviewed and approved by senior management or the board.

Customer due diligence (CDD) testing involves sampling customer files to verify that you’re collecting required identification and verification information, understanding the purpose and nature of business relationships, assessing customer risk profiles appropriately, applying enhanced due diligence where warranted, and maintaining ongoing monitoring proportionate to risk.

Transaction monitoring effectiveness assessment examines whether you have monitoring systems or procedures appropriate to your business scale and risk profile, defined scenarios calibrated to detect relevant money laundering typologies, alert investigation procedures that are thorough and documented, and processes for escalating suspicious activity to your MLRO.

Suspicious Activity Reporting (SAR) quality review evaluates whether staff understand their reporting obligations, your MLRO has defined processes for evaluating internal reports, SARs submitted to the National Crime Agency meet quality standards, you document decisions not to file SARs with clear rationales, and you’re filing SARs at rates consistent with your risk profile.

Sanctions and PEP screening testing verifies that you screen customers and transactions against current UK, UN, and relevant international sanctions lists, maintain screening databases with appropriate update frequencies, investigate and document screening hits properly, and have procedures for freezing assets when required.

Training and awareness evaluation examines whether relevant staff receive AML training appropriate to their roles, training covers your firm’s specific procedures and risks, you test understanding and maintain training records, and you update training when regulations or procedures change.

Record-keeping compliance assessment verifies that you maintain complete records of customer due diligence and transactions for at least five years as required by MLR 2017, records are accessible and properly organized, and you have appropriate data protection and security measures.

For payment institutions and EMIs, AML audits must consider sector-specific risks including rapid customer onboarding through digital channels, cross-border payment flows that facilitate layering of illicit funds, business customers who themselves may be money service businesses, prepaid card programs with anonymity features, and payment services used by e-commerce merchants in high-risk sectors.

Effective AML audits test not just whether policies exist but whether controls operate effectively in practice. This requires sample testing, staff interviews, and data analysis rather than merely reviewing policy documents. You can review our comprehensive AML audit checklist to understand the depth of examination required.

The Fundamental Differences Between Safeguarding and AML Audits

Despite both being regulatory audit requirements for UK payment institutions, safeguarding and AML audits serve entirely different purposes, examine different controls, follow different regulatory frameworks, and require distinct expertise from auditors.

Different Regulatory Objectives

Safeguarding audits serve consumer protection objectives, ensuring customer funds remain available even if the institution fails. The primary concern is protecting customers from losing money due to the firm’s insolvency, fraud by the firm’s management, or operational failures that cause customer funds to be lost or misappropriated.

AML audits serve financial crime prevention objectives, ensuring the institution isn’t exploited by criminals for money laundering, terrorist financing, or sanctions evasion. The primary concern is protecting the financial system and broader society from illicit financial flows rather than protecting individual customer funds from loss.

These distinct objectives mean the audits examine fundamentally different risks and controls. Safeguarding audits ask “are customer funds properly segregated and protected?” while AML audits ask “are we preventing criminals from using our services?”

Different Regulatory Frameworks

Safeguarding requirements derive from the Electronic Money Regulations 2011 and Payment Services Regulations 2017, which transpose the EU’s Electronic Money Directive 2 and Payment Services Directive 2 into UK law. The FCA supervises compliance with these regulations under its payment services regulatory regime.

AML requirements derive from the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, which implemented the EU’s Fourth Anti-Money Laundering Directive and, through the 2019 amending regulations, the Fifth Directive. The FCA supervises AML compliance in its role as the UK’s AML supervisor for payment institutions and e-money institutions.

While both frameworks involve FCA supervision, they operate under different statutory authorities with different enforcement powers, penalty regimes, and regulatory expectations. Breaches of safeguarding requirements can result in actions under the Payment Services Regulations or Electronic Money Regulations, while AML breaches can result in actions under the Money Laundering Regulations with distinct penalty frameworks.

Different Control Areas Examined

Safeguarding audits focus on a narrow, specific set of controls related to customer fund protection. Key examination areas include:

  • calculation of the safeguarding requirement (the total amount of customer funds to be protected);
  • segregation of customer funds into designated safeguarding accounts;
  • reconciliation procedures ensuring customer funds match safeguarding account balances;
  • systems preventing unauthorized access to or use of customer funds; and
  • documentation evidencing safeguarding compliance.

AML audits examine a much broader control framework spanning the entire organization. Key areas include:

  • governance structures and senior management oversight;
  • firm-wide risk assessment methodologies and conclusions;
  • customer onboarding and due diligence procedures;
  • ongoing monitoring of customer activity and transactions;
  • identification and reporting of suspicious activity;
  • sanctions and politically exposed person screening;
  • staff training and awareness programs; and
  • record-keeping and documentation practices.

The technical expertise required differs significantly. Safeguarding audits require deep understanding of payment flows, accounting reconciliation, trust law, and insolvency protection mechanisms. AML audits require expertise in financial crime typologies, customer due diligence methodologies, transaction monitoring technologies, and suspicious activity identification.

Different Audit Methodologies

Safeguarding audits rely heavily on substantive testing of reconciliations, account balances, and mathematical calculations. Auditors examine daily reconciliation records, bank statements for safeguarding accounts, general ledger entries, and system-generated reports to verify that customer funds are properly calculated and segregated. The audit is highly quantitative, focusing on whether numbers reconcile correctly.

AML audits use a more qualitative risk-based approach. While they include quantitative testing (such as sampling customer files or reviewing alert generation rates), substantial focus goes to evaluating risk assessment quality, policy adequacy, governance effectiveness, and staff understanding. AML audits examine whether your approach to financial crime prevention is appropriate for your specific risks rather than merely whether you follow prescribed procedures.

Safeguarding audits can often be conducted more quickly than AML audits because the scope is narrower and testing is more straightforward. A competent auditor can verify safeguarding compliance for a medium-sized EMI in days. Comprehensive AML audits for the same institution might require weeks given the breadth of controls examined and depth of testing required.

Different Reporting Requirements

Safeguarding audit reports must be available to the FCA, which may request them at any time and expects to see them as part of its supervision of your safeguarding arrangements. The FCA sets out in its Approach Document what it expects the audit to cover, so these reports follow a relatively standardized format across the industry.

AML audit reports are typically not submitted to the FCA unless specifically requested during supervisory activities or enforcement investigations. Instead, they’re maintained as internal governance documents demonstrating that you’ve fulfilled your regulatory obligation to maintain independent audit functions. However, the FCA expects to see these reports if they conduct an AML inspection or if you’re subject to enforcement action.

The tone and focus of reports differ as well. Safeguarding audit reports tend to be more technical and compliance-focused, essentially certifying whether safeguarding arrangements meet regulatory requirements. AML audit reports tend to be more advisory, identifying areas for improvement in financial crime risk management even when controls are technically compliant with minimum standards.


COMPLIANCE ALERT

Some audit firms offer “combined safeguarding and AML audits” at reduced cost. While this can be efficient, ensure the auditor has genuine expertise in both areas and provides separate, comprehensive reports for each regulatory requirement. Generic combined reports that superficially address both areas may not satisfy FCA expectations for either obligation.

EMI Safeguarding Audit Requirements: What the FCA Expects

The Financial Conduct Authority’s expectations for safeguarding audits have evolved significantly as payment firm failures have highlighted weaknesses in customer fund protection. Understanding these expectations helps ensure your safeguarding audit meets regulatory standards.

Who Must Conduct Safeguarding Audits

All authorized electronic money institutions (EMIs) regulated by the FCA must conduct annual safeguarding audits. This includes both full EMIs and small EMIs, though the depth and formality may vary based on the institution’s size and complexity.

Authorized payment institutions (APIs) that hold customer funds are subject to the same safeguarding audit expectations. For APIs the safeguarding requirement sits in Regulation 23 of the Payment Services Regulations 2017 rather than the Electronic Money Regulations, so the audit tests funds received for payment services rather than an outstanding e-money liability.

Small payment institutions (SPIs) are not required by the Payment Services Regulations to safeguard, but may choose to do so; an SPI that opts in must then meet the safeguarding requirements in full. The FCA does not impose an explicit independent audit requirement on SPIs, but an SPI that safeguards should still verify the effectiveness of its arrangements through appropriate assurance mechanisms.

Firms using the pass-through model—where customer funds move directly from the customer to the merchant or beneficiary without being held by the payment institution—may not have safeguarding obligations for those transaction flows. However, if you hold any customer funds at any point (even briefly), safeguarding requirements apply to those amounts.

Auditor Independence and Qualifications

The FCA expects safeguarding audits to be conducted by genuinely independent auditors with appropriate qualifications and expertise. Independence means the auditor cannot be involved in designing, implementing, or operating the safeguarding arrangements they’re auditing. Using your finance director or operations manager to “audit” safeguarding doesn’t satisfy the independence requirement.

Most EMIs engage external accounting firms or specialist compliance consultancies to conduct safeguarding audits. The auditor should have understanding of the Electronic Money Regulations or Payment Services Regulations, experience with payment industry reconciliation and accounting practices, knowledge of trust law and client money protection principles, and familiarity with FCA supervisory expectations.

While the auditor doesn’t necessarily need to be a registered auditor under company law, using qualified accountants or firms with regulatory audit experience provides additional credibility and typically ensures more rigorous examination.

Audit Frequency and Timing

The FCA expects annual safeguarding audits for electronic money institutions and authorized payment institutions. Your first safeguarding audit should normally cover your first 12 months of holding customer funds, whether that period starts with authorization or with a transition from a small (registered) institution to an authorized one.

Subsequent audits should occur annually, covering your most recent financial year. Many firms align safeguarding audits with their financial year-end to facilitate coordination with annual financial statement preparation, though this isn’t mandatory.

The FCA expects safeguarding audit reports to be completed within a reasonable time after your financial year-end. Delays of many months between year-end and audit completion raise supervisory concerns about whether your safeguarding arrangements are being actively monitored.

Safeguarding Audit Scope and Testing Requirements

Comprehensive safeguarding audits must examine several specific areas to satisfy FCA expectations.

Calculation of the safeguarding requirement involves verifying that you accurately calculate the total amount of customer funds requiring protection. This calculation includes outstanding e-money liability (for EMIs) or customer funds held during payment processing (for payment institutions). Auditors test whether your calculation methodology complies with regulatory requirements, includes all relevant customer balances, and excludes amounts that don’t require protection.

Segregation verification confirms that customer funds are actually deposited in designated safeguarding accounts at authorized credit institutions. Auditors obtain bank confirmation letters, review account opening documentation to verify safeguarding account designation, and test that safeguarding accounts are properly titled and structured to provide insolvency protection.

Reconciliation testing represents a critical audit component. Auditors sample daily, weekly, or monthly reconciliations between your internal customer liability records and safeguarding account balances. Testing examines whether reconciliations are performed timely and at appropriate frequency, discrepancies are identified and investigated promptly, adjustments to safeguarding accounts occur when customer balances change, and reconciliation documentation is complete and retained.
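The daily check described above, written out as a runnable example so the three figures being compared are explicit: the customer-liability total from the ledger, the balances confirmed by the safeguarding banks, and a liability rebuilt from the day’s cash movements. This is added illustration code, not the firm’s, the FCA’s or any auditor’s own tooling; the ledger balances, bank balances and movements are constructed figures, and the “acceptable excess” threshold and the treatment of overdrawn customer balances are assumptions a firm would set in its own safeguarding policy.

```python
"""Daily safeguarding reconciliation: customer-liability ledger vs
designated safeguarding account balances vs a movement-derived liability.

Added example; all figures are constructed and the policy thresholds are
assumed, not taken from the regulations."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class ReconciliationResult:
    requirement: Decimal   # customer funds that must be safeguarded
    held: Decimal          # total confirmed in safeguarding accounts
    difference: Decimal    # held - requirement (negative means shortfall)
    movement_gap: Decimal  # ledger liability minus movement-derived liability
    status: str            # "OK", "SHORTFALL" or "EXCESS"
    findings: tuple        # what the operator must act on today


def safeguarding_requirement(ledger):
    """Sum the customer balances that need protecting.

    An overdrawn (negative) customer balance is money the customer owes the
    firm, so it is excluded rather than netted against other customers'
    funds; netting would understate the requirement."""
    return sum((bal for bal in ledger.values() if bal > 0), Decimal("0"))


def movement_liability(opening, received, paid_out):
    """Liability rebuilt from cash movements (opening + loads - redemptions),
    a second figure that a ledger posting error cannot silently match."""
    return opening + received - paid_out


def reconcile(ledger, accounts, opening, received, paid_out,
              max_excess=Decimal("100.00")):
    """Three-way check. max_excess (assumed policy figure) is the largest
    surplus of firm money the policy tolerates in the safeguarding account."""
    requirement = safeguarding_requirement(ledger)
    held = sum(accounts.values(), Decimal("0"))
    difference = held - requirement
    movement_gap = requirement - movement_liability(opening, received, paid_out)
    findings = []
    if movement_gap != 0:
        findings.append(f"ledger liability differs from movement figure by {movement_gap}")
    if difference < 0:
        status = "SHORTFALL"
        findings.append(f"transfer {-difference} into the safeguarding account today")
    elif difference > max_excess:
        status = "EXCESS"
        findings.append(f"withdraw {difference - max_excess} of non-customer funds")
    else:
        status = "OK"
    return ReconciliationResult(requirement, held, difference, movement_gap,
                                status, tuple(findings))


# Constructed close-of-business data (not real customers or balances).
CUSTOMER_LEDGER = {
    "cust-001": Decimal("1250.00"),
    "cust-002": Decimal("320.55"),
    "cust-003": Decimal("0.00"),
    "cust-004": Decimal("9800.00"),
    "cust-005": Decimal("-75.00"),   # overdrawn: a receivable, not a liability
}
SAFEGUARDING_ACCOUNTS = {          # balances taken from the banks' statements
    "Bank A - SAFEGUARDING GBP": Decimal("10500.00"),
    "Bank B - SAFEGUARDING GBP": Decimal("900.00"),
}
OPENING_LIABILITY = Decimal("11000.00")  # yesterday's agreed requirement
RECEIVED_TODAY = Decimal("1500.00")      # customer loads actually received
PAID_OUT_TODAY = Decimal("1129.45")      # redemptions and payments away


def run_example():
    return reconcile(CUSTOMER_LEDGER, SAFEGUARDING_ACCOUNTS,
                     OPENING_LIABILITY, RECEIVED_TODAY, PAID_OUT_TODAY)


if __name__ == "__main__":
    result = run_example()
    print(result.status, result.requirement, result.held, result.difference)
    for line in result.findings:
        print(" -", line)
```

The point an auditor will test is visible in the structure: a shortfall of any size is a breach that must be cured the same day, a surplus above the policy limit means firm money is sitting in the customer account, and the movement-derived figure catches the case where the ledger and the bank agree only because the same posting error hit both.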

Systems and controls assessment evaluates whether you have adequate procedures governing safeguarding operations, appropriate segregation of duties in safeguarding processes, system controls preventing unauthorized access to or transfer of safeguarding funds, and adequate oversight by management and the board.

Insolvency protection verification confirms that safeguarding arrangements would actually protect customer funds in insolvency. Auditors review account agreements and acknowledgement letters with banking partners to verify that the bank recognizes the account as holding customer funds and claims no right of set-off or lien over it, examine whether safeguarding accounts are properly designated so that the funds can be identified and ring-fenced in an insolvency, and assess whether any circumstances might compromise customer fund protection.

Documentation review ensures that you maintain appropriate records demonstrating ongoing safeguarding compliance, policies and procedures governing safeguarding operations, board or senior management approval of safeguarding arrangements, and evidence of periodic senior management review of safeguarding effectiveness.

Safeguarding Audit Report Requirements

The FCA expects safeguarding audit reports to address specific elements and be provided to the regulator when requested. While report formats vary, comprehensive reports should include:

  • an executive summary stating whether safeguarding arrangements comply with regulatory requirements;
  • a description of the audit scope and methodology employed;
  • detailed findings on each examined area;
  • identification of any deficiencies or areas for improvement;
  • management’s responses to audit findings; and
  • the auditor’s overall conclusion on safeguarding effectiveness.

The auditor must clearly state whether, in their opinion, the electronic money institution or payment institution maintained adequate safeguarding arrangements that comply with the Electronic Money Regulations 2011 or Payment Services Regulations 2017 throughout the period examined.

If the auditor identifies deficiencies, these must be clearly described with severity ratings and recommendations for remediation. Material safeguarding failures may require immediate notification to the FCA under your obligations to report significant compliance breaches.

AML Audit Requirements for UK Payment Institutions

Anti-money laundering audit requirements for payment institutions and electronic money institutions derive from both the Money Laundering Regulations 2017 and FCA supervisory expectations established through guidance and enforcement actions.

Who Must Conduct AML Audits

All electronic money institutions and payment institutions supervised by the FCA for AML purposes must, where appropriate to the size and nature of their business, maintain “an independent audit function” under Regulation 21(1)(c) of MLR 2017. This includes authorized payment institutions, small payment institutions, electronic money institutions, and registered payment institutions.

The regulatory language referring to an “audit function” rather than “external audits” technically allows larger firms with dedicated internal audit teams to fulfill this requirement internally, provided the internal auditors are genuinely independent from the business operations they’re auditing. However, most payment institutions and EMIs lack sufficiently resourced internal audit functions and therefore engage external specialists to conduct annual AML audits.

The FCA expects AML audits to occur even for small payment institutions and registered payment institutions, though the depth and formality should be proportionate to the institution’s size, complexity, and risk profile. A small, low-risk payment institution might satisfy the requirement with a more focused review, while larger, higher-risk firms need comprehensive examination.

Auditor Qualifications and Independence

The FCA expects AML auditors to have appropriate expertise in anti-money laundering regulations, payment industry financial crime risks and typologies, customer due diligence methodologies and technologies, transaction monitoring approaches, and FCA supervisory expectations for AML compliance.

Independence is critical. The auditor cannot be involved in operating the AML controls they’re examining. Firms sometimes incorrectly ask their compliance officer or MLRO to conduct the “independent audit,” but this violates the independence requirement since these individuals designed and operate the AML framework.

External audit firms, compliance consultancies, and specialist AML advisors commonly conduct these audits for payment institutions. The key is ensuring the auditor has genuine expertise rather than being a generalist who happens to offer AML services without deep sector knowledge. ComplyFactor’s AML audit services specifically focus on payment sector requirements, ensuring auditors understand the unique risks and regulatory expectations facing EMIs and payment institutions.

AML Audit Frequency

While MLR 2017 doesn’t specify an audit frequency, the FCA expects annual AML audits for authorized payment institutions and EMIs as standard practice. This mirrors the approach the FCA Handbook takes to financial crime controls for the firms it authorizes under FSMA and the regulator’s general supervisory approach to AML risk management.

Your first AML audit should occur within the first 12 months of operations to establish a baseline assessment of your AML framework. Subsequent audits should occur annually, covering the most recent 12-month period.

In some circumstances, more frequent reviews may be appropriate. If you’ve experienced rapid growth, expanded into higher-risk markets, received adverse FCA feedback, identified significant control deficiencies, or undergone major systems or operational changes, conducting interim AML reviews in addition to annual audits demonstrates good governance.

What AML Audits Must Cover

Comprehensive AML audits for payment institutions and electronic money institutions must examine all key control areas required by MLR 2017 and expected by the FCA.

Governance and oversight assessment includes examining board and senior management involvement in AML compliance, MLRO authority, resources, and effectiveness, clarity of accountability across three lines of defense, management information on financial crime risks, and adequacy of AML resources and budget.

Risk assessment evaluation involves reviewing whether your business-wide risk assessment comprehensively identifies relevant ML/TF risks, uses reliable data and intelligence sources, drives your control framework design, is current and updated when business changes occur, and receives appropriate board or senior management review and approval.

Customer due diligence testing examines a sample of customer files to verify compliance with CDD requirements, including identity verification quality, understanding of business relationship purpose, customer risk assessment appropriateness, enhanced due diligence application where required, and ongoing monitoring execution.

Transaction monitoring assessment evaluates whether you have monitoring appropriate to your scale and risk, defined scenarios calibrated to detect relevant typologies, appropriate alert investigation procedures, processes for escalating suspicious activity to the MLRO, and evidence of periodic monitoring effectiveness review and tuning.
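The “defined scenarios calibrated to detect relevant typologies” that the audit tests are concrete rules, so here are two of the most common ones for an EMI, written out and run over constructed sample activity. This is an added example, not any firm’s or vendor’s monitoring engine; the thresholds, bands and windows are assumed values a firm would calibrate to its own typologies and document, not regulatory figures, and the transactions are invented.

```python
"""Two transaction-monitoring scenarios (structuring and rapid movement)
run over constructed sample activity.

Added example. The thresholds, bands and windows are assumed values a firm
would calibrate to its own typologies and document; they are not regulatory
figures."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    id: str
    customer: str
    ts: datetime
    direction: str      # "in" (load or receipt) or "out" (payment away)
    amount: int         # GBP, whole pounds for the example
    counterparty: str   # funding card, payer or beneficiary reference


@dataclass(frozen=True)
class Alert:
    scenario: str
    customer: str
    txn_ids: tuple      # what the investigator pulls first


# Assumed scenario parameters (firm-calibrated, reviewed at each tuning cycle).
STRUCT_THRESHOLD = 10_000            # amount the customer appears to stay under
STRUCT_BAND = 0.70                   # only loads >= 70% of the threshold count
STRUCT_MIN_COUNT = 3
STRUCT_WINDOW = timedelta(days=7)
RAPID_WINDOW = timedelta(hours=48)
RAPID_RATIO = 0.80                   # outflow >= 80% of the preceding inflow


def by_customer(txns):
    """Group transactions per customer, oldest first."""
    groups = defaultdict(list)
    for t in sorted(txns, key=lambda t: t.ts):
        groups[t.customer].append(t)
    return groups


def detect_structuring(txns):
    """Several inbound amounts just under the threshold inside a rolling
    window that together exceed it: the classic split-deposit pattern."""
    alerts = []
    for cust, items in by_customer(txns).items():
        loads = [t for t in items if t.direction == "in"
                 and STRUCT_BAND * STRUCT_THRESHOLD <= t.amount < STRUCT_THRESHOLD]
        for i, first in enumerate(loads):
            window = [t for t in loads[i:] if t.ts - first.ts <= STRUCT_WINDOW]
            if (len(window) >= STRUCT_MIN_COUNT
                    and sum(t.amount for t in window) >= STRUCT_THRESHOLD):
                alerts.append(Alert("STRUCTURING", cust, tuple(t.id for t in window)))
                break  # one alert per customer per run; the ids carry the detail
    return alerts


def detect_rapid_movement(txns):
    """Funds received and then paid away to a different party within a short
    window: pass-through behaviour typical of layering through an EMI."""
    alerts = []
    for cust, items in by_customer(txns).items():
        for i, t_in in enumerate(items):
            if t_in.direction != "in":
                continue
            for t_out in items[i + 1:]:
                if t_out.ts - t_in.ts > RAPID_WINDOW:
                    break  # items are time-ordered, nothing later can match
                if (t_out.direction == "out"
                        and t_out.counterparty != t_in.counterparty
                        and t_out.amount >= RAPID_RATIO * t_in.amount):
                    alerts.append(Alert("RAPID_MOVEMENT", cust, (t_in.id, t_out.id)))
                    break
    return alerts


def run_monitoring(txns):
    """Run every scenario; in production each alert is queued for a documented
    investigation and, where suspicion remains, escalated to the MLRO."""
    return detect_structuring(txns) + detect_rapid_movement(txns)


T0 = datetime(2024, 3, 1, 9, 0)
SAMPLE_TXNS = [  # constructed activity, not real customers
    Txn("t1", "cust-A", T0, "in", 9_500, "card-1111"),
    Txn("t2", "cust-A", T0 + timedelta(days=1), "in", 9_200, "card-1111"),
    Txn("t3", "cust-A", T0 + timedelta(days=2), "in", 9_800, "card-1111"),
    Txn("t4", "cust-B", T0, "in", 5_000, "payer-acct-1"),
    Txn("t5", "cust-B", T0 + timedelta(hours=6), "out", 4_800, "bene-acct-9"),
    Txn("t6", "cust-C", T0, "in", 120, "card-2222"),
    Txn("t7", "cust-C", T0 + timedelta(days=3), "out", 40, "grocery-merchant"),
]

if __name__ == "__main__":
    for a in run_monitoring(SAMPLE_TXNS):
        print(a.scenario, a.customer, a.txn_ids)
```

What an auditor looks for is not the rules themselves but the evidence around them: that the parameters were chosen with reference to the firm’s risk assessment, that each alert (here cust-A and cust-B) has a documented investigation outcome, and that the rules were periodically re-tuned against a sample of alerts and SAR outcomes rather than left at their initial values.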

SAR processes and quality review covers staff understanding of reporting obligations, MLRO processes for evaluating internal suspicion reports, quality of SARs submitted to the National Crime Agency, documentation of SAR decisions, and comparison of your SAR volumes to peer firms and risk profile.

Screening effectiveness testing verifies sanctions and PEP screening adequacy, database currency, investigation of screening hits, and procedures for freezing assets when required.

Training and awareness evaluation includes examining training content, delivery, and completion tracking, role-specific training appropriateness, testing of staff understanding, and training updates when regulations or procedures change.

Record-keeping compliance assessment verifies you maintain required records for at least five years, records are accessible and organized, and appropriate data protection measures are in place.

Third-party risk management review examines due diligence on AML service providers, contractual provisions addressing AML responsibilities, and ongoing monitoring of vendor performance.

For payment institutions, AML audits should specifically consider sector risks including digital onboarding with limited face-to-face customer interaction, cross-border payment facilitation, business customers operating as money service businesses, and prepaid payment instruments with anonymity features. Our guide on AML requirements for payment service providers in Canada discusses similar considerations in another jurisdiction that often apply to UK firms as well.

AML Audit Reporting Standards

While the FCA doesn’t prescribe a standard format for AML audit reports, comprehensive reports should include an executive summary with overall assessment, detailed findings across all examined areas, severity ratings for identified deficiencies, specific recommendations for improvement, management responses and remediation plans, and the auditor’s overall opinion on AML framework effectiveness.

Unlike safeguarding audit reports which must be submitted to the FCA, AML audit reports are typically retained internally unless the regulator specifically requests them during supervisory activities or enforcement investigations. However, the FCA expects these reports to exist and be available when needed.

Material AML deficiencies identified through audits may trigger notification obligations to the FCA under your requirement to report significant compliance breaches. Don’t wait for the regulator to discover issues through their own supervision—proactive reporting of problems and remediation efforts demonstrates better governance than concealing deficiencies.

The Critical Mistakes UK Payment Firms Make

Through extensive work with payment institutions and electronic money institutions, certain compliance mistakes around safeguarding and AML audits appear repeatedly. Recognizing these pitfalls helps you avoid them.

Mistake 1: Treating Safeguarding and AML Audits as the Same Requirement

The most fundamental error is conflating these distinct regulatory obligations into a single audit exercise. Firms announce “we had our annual audit” without recognizing they need separate safeguarding and AML examinations covering different regulatory frameworks and control areas.

This mistake often stems from receiving a proposal from an audit firm for a generic “compliance audit” without clearly specifying whether it covers safeguarding, AML, or both. The firm assumes the audit satisfies all requirements, but closer examination reveals it addressed only one obligation or superficially touched on both without adequate depth.

The solution is explicitly scoping your audit requirements. When engaging auditors, clearly specify: “We require an independent safeguarding audit under the Electronic Money Regulations 2011 covering [specific period]” and separately “We require an independent AML audit under the Money Laundering Regulations 2017 covering [specific period].” This ensures both obligations are addressed with appropriate scope and depth.

Mistake 2: Using the Wrong Type of Auditor

Many payment institutions engage their financial statement auditors to conduct safeguarding and AML audits without verifying these auditors have relevant expertise. While accountancy firms conducting statutory audits have financial audit experience, this doesn’t automatically translate to understanding payment regulations, financial crime typologies, or FCA supervisory expectations.

Similarly, some firms engage general compliance consultants who lack payment sector specialization. These consultants may understand MLR 2017 in abstract terms but miss sector-specific risks or fail to apply appropriate testing methodologies for payment business models.

Effective safeguarding audits require auditors who understand payment flows, reconciliation procedures, and insolvency protection mechanisms. Effective AML audits require auditors who understand payment industry money laundering typologies, transaction monitoring technologies, and FCA supervisory approach to payment firms.

Before engaging auditors, verify their experience with payment institutions and electronic money institutions specifically, not merely general financial services experience. Request examples of previous safeguarding and AML audit reports (with client details redacted) to assess quality and comprehensiveness.

Mistake 3: Insufficient Audit Scope

Some firms receive audit proposals covering only high-level policy review without substantive testing of control operations. The “audit” consists of the auditor reading your policies and procedures, conducting brief interviews with the MLRO and a couple of staff members, and issuing a short report concluding controls are “adequate.”

This approach doesn’t satisfy regulatory expectations. Effective audits require substantive testing including sample reviews of customer files to verify CDD practices, examination of reconciliation records to verify safeguarding compliance, testing of transaction monitoring alerts and investigations, review of SAR decisions and documentation, verification of screening effectiveness, and testing of training completion and understanding.

When reviewing audit proposals, examine the proposed methodology. If the proposal doesn’t explicitly mention sample testing, file reviews, and substantive verification procedures, the scope is likely insufficient. Challenge the auditor on how they’ll verify controls operate effectively in practice, not merely whether policies exist on paper.

Mistake 4: Poor Timing and Preparation

Many firms schedule audits at the last minute, often realizing their annual audit is overdue only when the FCA requests evidence of audit completion. The scramble to complete audits quickly leads to inadequate preparation, insufficient auditor time to conduct thorough examination, and missed opportunities to remediate issues before the auditor documents them.

Effective audit programs involve planning audits well in advance, preparing required documentation before auditors arrive, scheduling adequate time for auditor testing and interviews, building in time for management response to draft findings, and allowing time for remediation of identified issues before the next audit cycle.

Leading payment institutions maintain audit calendars scheduling safeguarding and AML audits for specific periods well in advance, ensuring adequate preparation time and avoiding year-end rushes. This approach also demonstrates governance maturity to the FCA.

Mistake 5: Ignoring Audit Findings

Perhaps the most serious mistake is receiving audit reports identifying deficiencies, acknowledging the findings superficially, and then failing to implement meaningful remediation. When the FCA eventually conducts its own examination, the same deficiencies persist despite being identified in previous audits.

The FCA views this pattern as evidence of poor governance and ineffective oversight. Independent audits serve no purpose if management doesn’t act on findings. Comprehensive audit findings registers tracking each deficiency, assigned responsibility for remediation, target completion dates, and actual completion status demonstrate proper governance.

Senior management and boards should receive audit reports, discuss significant findings, approve remediation plans, and monitor completion of agreed actions. Audit findings should be standing agenda items in risk or audit committee meetings until fully resolved.

Mistake 6: Inadequate Safeguarding Reconciliation

Safeguarding audits frequently identify firms that conduct safeguarding reconciliations only monthly or quarterly rather than daily or continuously as expected. Some firms reconcile safeguarding only when preparing financial statements, leaving gaps of weeks or months where customer fund protection cannot be verified.

The Electronic Money Regulations and Payment Services Regulations expect continuous or at minimum daily safeguarding reconciliation to ensure customer funds are protected at all times. Monthly reconciliation is insufficient—if customer funds are inadequately protected for 29 days but corrected on day 30, customers remain at risk during the gap period.

Implement automated reconciliation processes that compare customer liability balances to safeguarding account balances daily or in real-time. Discrepancies should trigger immediate investigation and remediation, not wait until month-end accounting processes.

Mistake 7: Safeguarding Calculation Errors

Many electronic money institutions inaccurately calculate their safeguarding requirement, often understating the amount of customer funds requiring protection. Common errors include excluding certain customer balance categories that should be included, failing to account for float or funds in transit, miscalculating e-money liability in multi-currency environments, and netting customer balances rather than treating each customer’s funds separately.

These calculation errors mean customer funds are inadequately protected, creating both customer risk and regulatory breach. Before your safeguarding audit, engage accounting or compliance specialists to review your safeguarding calculation methodology to verify it complies with regulatory requirements and appropriately captures all customer funds.

Mistake 8: Generic AML Frameworks Not Tailored to Payment Risks

Some payment institutions implement generic AML frameworks copied from templates or borrowed from other financial services sectors without customizing for payment industry risks. Their customer due diligence doesn’t address payment-specific concerns, their transaction monitoring uses bank-focused scenarios irrelevant to payment flows, and their risk assessments discuss generic money laundering risks without addressing payment industry typologies.

Effective AML programs for payment institutions must address risks specific to the sector including digital customer onboarding with limited identity verification, rapid customer growth straining AML resources, cross-border payment facilitation enabling layering, business customers operating as money service businesses, and payment services supporting e-commerce in high-risk sectors.

Your AML audit should assess whether your framework is genuinely tailored to payment industry risks or merely generic compliance infrastructure inadequate for your actual business model. Our comprehensive guide to understanding AML compliance provides sector-specific considerations that payment institutions should incorporate.

💡

PRO TIP

While safeguarding and AML are separate audits, coordinate their timing to achieve efficiency. Conduct both audits within the same period, potentially using the same audit firm if they have expertise in both areas. This allows the auditor to conduct one visit, interview staff once, and leverage understanding of your business across both examinations—reducing disruption while ensuring comprehensive coverage.

Can EMIs Conduct Their Own Safeguarding Audits?

A frequent question from smaller electronic money institutions and payment institutions is whether they can conduct safeguarding or AML audits internally rather than engaging expensive external auditors.

The Independence Requirement

Both safeguarding and AML audit requirements emphasize independence. For safeguarding audits, the FCA expects “independent verification” of safeguarding arrangements. For AML audits, MLR 2017 requires “an independent audit function.”

Independence means the auditor cannot be involved in designing, implementing, or operating the controls they’re examining. Your finance director who manages safeguarding reconciliations cannot audit those same reconciliations. Your MLRO who designed your AML framework cannot audit that framework’s effectiveness.

True independence requires separation between the auditee (the function being audited) and the auditor. This typically manifests in three ways:

Internal audit functions at larger firms can provide independence if they’re properly structured. An internal audit team that reports to the board or audit committee rather than operational management, has no involvement in designing or operating controls, and possesses appropriate expertise can conduct independent audits. However, most payment institutions and EMIs lack sufficiently resourced internal audit functions to satisfy this standard.

Second-line compliance reviews performed by compliance officers don’t typically satisfy independent audit requirements. While compliance officers provide valuable oversight, they’re part of the control framework (second line of defense) rather than independent of it (third line). Their reviews complement but don’t replace independent audits.

External auditors provide the clearest independence since they’re entirely separate from your organization. For most payment institutions and EMIs, engaging external specialists to conduct safeguarding and AML audits represents the most practical approach to satisfying independence requirements.

When Internal Audits Might Be Acceptable

Larger payment institutions or EMIs with dedicated internal audit functions may be able to conduct safeguarding and AML audits internally if certain conditions are met:

The internal audit function must report to the board or audit committee rather than operational management, have appropriate independence safeguards preventing business influence, possess staff with relevant expertise in payment regulations and financial crime, and have adequate resources to conduct thorough examinations.

Even when internal audit can theoretically conduct these audits, many firms choose external auditors for safeguarding and AML examinations to ensure FCA confidence in the audit’s independence and rigor. Internal audit resources can then focus on other operational or control areas where external expertise provides less value.

The Cost-Benefit Calculation

Smaller firms sometimes resist engaging external auditors due to cost concerns. However, consider the relative costs:

External safeguarding and AML audits for a small-to-medium EMI typically cost between £5,000 and £25,000 annually depending on complexity. Compare this to the cost of FCA enforcement action for safeguarding or AML breaches, which can result in fines of hundreds of thousands or millions of pounds, public censure damaging your reputation, restrictions on business activities limiting revenue, or even authorization withdrawal ending your business.

The cost of independent audits represents a modest investment in regulatory compliance and risk management compared to potential enforcement consequences. View audit costs as insurance against much larger potential losses rather than merely regulatory overhead.

Alternative Approaches for Very Small Firms

Very small payment institutions or registered payment institutions operating at limited scale might explore proportionate approaches to satisfying audit requirements:

Focused scope reviews examining only the most critical control areas rather than comprehensive examinations can provide reasonable assurance at lower cost. This approach works best for low-risk, simple business models.

Shared audit resources where several small firms collectively engage auditors to review multiple institutions can reduce per-firm costs through efficiency. This requires firms with similar business models and control frameworks to make sharing effective.

Phased audit approaches spreading comprehensive examination across multiple years rather than examining everything annually can reduce annual cost while still providing periodic assurance across all areas over time. However, the FCA may not accept this approach for safeguarding audits where annual examination is expected.

Before implementing alternative approaches, consult with the FCA or seek specialist advice to verify your approach satisfies regulatory expectations. Innovations that save money but don’t provide adequate assurance create false compliance rather than genuine risk management.

Safeguarding Audit Checklist: What Auditors Will Examine

When preparing for a safeguarding audit, understanding what auditors will examine allows you to proactively verify compliance and organize required documentation.

Safeguarding Calculation Verification

Auditors will test whether you accurately calculate the amount of customer funds requiring safeguarding protection. This involves reviewing your methodology for determining total customer liability, verifying that your calculation includes all customer funds requiring protection, examining how you handle multi-currency customer balances, testing whether your calculation properly accounts for funds in transit, and confirming that you exclude amounts legitimately exempt from safeguarding.

The auditor will compare your calculated safeguarding requirement to actual customer balance data from your systems to verify accuracy. Discrepancies between your safeguarding calculation and actual customer balances indicate calculation methodology problems.

For electronic money institutions, the calculation should reflect outstanding e-money liability—the total amount of e-money issued and not yet redeemed. For payment institutions, the calculation should reflect customer funds held during payment transaction processing.

Safeguarding Account Verification

Auditors will verify that customer funds are actually deposited in appropriate safeguarding accounts. Testing includes obtaining bank confirmation letters or statements for all safeguarding accounts, reviewing account opening documentation to verify accounts are properly designated, confirming accounts are held at authorized credit institutions as required by regulations, verifying account agreements include appropriate trust language providing insolvency protection, and testing that safeguarding account balances equal or exceed your calculated safeguarding requirement.

If you use multiple safeguarding accounts (which is common, particularly for multi-currency operations), the auditor will verify the aggregate balance across all accounts meets your total safeguarding requirement.

The auditor may examine your banking partner agreements to verify the bank understands its role in holding safeguarding accounts and that contractual provisions properly establish trust arrangements protecting customer funds from the bank’s creditors should the bank fail.

Reconciliation Testing

Daily or continuous reconciliation of customer balances to safeguarding account balances represents a critical control that safeguarding audits extensively test. Auditors will sample reconciliation records across the audit period, examining whether reconciliations occur at appropriate frequency (daily at minimum), are completed promptly rather than after extended delays, identify discrepancies when they exist, trigger prompt investigation and remediation of discrepancies, and are properly documented and retained.

The auditor will test a sample of dates throughout the year, not merely year-end when you’ve likely ensured everything reconciles for financial statement purposes. Reconciliation failures mid-year that weren’t promptly addressed indicate weak ongoing compliance.

When testing reconciliations, auditors examine the completeness and accuracy of source data, proper treatment of timing differences, appropriate investigation of reconciling items, and evidence of senior management review and oversight.
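The calculation and reconciliation rules described under Mistakes 6 and 7 and in this checklist, as an added Python example that is not ComplyFactor's or any firm's code: it counts each customer's funds separately, includes funds in transit, reconciles each currency against the aggregate of that currency's safeguarding accounts, and shows how netting an overdrawn customer hides a shortfall. The dataclass names and all sample balances are constructed for illustration.

```python
"""Daily safeguarding reconciliation: requirement calculation plus shortfall check.

Added example, not ComplyFactor's or any firm's code. It applies the rules the
article describes (each customer counted separately, funds in transit included,
each currency reconciled on its own) to constructed sample balances.
"""
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal

ZERO = Decimal("0")


@dataclass(frozen=True)
class CustomerBalance:
    customer_id: str
    currency: str
    balance: Decimal  # e-money issued and not yet redeemed; negative if overdrawn


@dataclass(frozen=True)
class FundsInTransit:
    reference: str
    currency: str
    amount: Decimal  # received from customers but not yet in a safeguarding account


@dataclass(frozen=True)
class SafeguardingAccount:
    account_id: str
    currency: str
    balance: Decimal  # per the bank statement for the reconciliation date


def safeguarding_requirement(balances, in_transit, net_customer_balances=False):
    """Amount that must be safeguarded, per currency.

    net_customer_balances=True reproduces the Mistake 7 error of netting one
    customer's overdraft against other customers' funds, which understates the
    requirement; the default treats each customer's funds separately.
    """
    requirement = defaultdict(lambda: ZERO)
    for b in balances:
        # An overdrawn customer owes the firm; that debt does not reduce what the
        # firm owes its other customers, so it contributes zero unless netting is on.
        requirement[b.currency] += b.balance if net_customer_balances else max(b.balance, ZERO)
    for t in in_transit:
        # Funds already received from customers are owed to them even before
        # they reach the safeguarding account, so they are part of the requirement.
        requirement[t.currency] += t.amount
    return dict(requirement)


def funds_held(accounts):
    """Aggregate balances per currency; several accounts per currency are common."""
    held = defaultdict(lambda: ZERO)
    for a in accounts:
        held[a.currency] += a.balance
    return dict(held)


def reconcile(balances, in_transit, accounts, net_customer_balances=False):
    """Return {currency: shortfall} for every currency where funds held are below
    the requirement. Any entry means same-day investigation, not month-end."""
    requirement = safeguarding_requirement(balances, in_transit, net_customer_balances)
    held = funds_held(accounts)
    shortfalls = {}
    for currency, needed in requirement.items():
        # A currency with liabilities but no safeguarding account is wholly unprotected.
        available = held.get(currency, ZERO)
        if available < needed:
            shortfalls[currency] = needed - available
    return shortfalls


# Constructed sample data for one reconciliation date.
CUSTOMER_BALANCES = [
    CustomerBalance("C1", "GBP", Decimal("1500.00")),
    CustomerBalance("C2", "GBP", Decimal("250.50")),
    CustomerBalance("C3", "GBP", Decimal("-100.00")),  # overdrawn customer
    CustomerBalance("C4", "EUR", Decimal("900.00")),
    CustomerBalance("C5", "EUR", Decimal("300.00")),
    CustomerBalance("C6", "CHF", Decimal("40.00")),  # no CHF safeguarding account exists
]
FUNDS_IN_TRANSIT = [
    FundsInTransit("ACQ-SETTLE-1", "GBP", Decimal("75.00")),
    FundsInTransit("ACQ-SETTLE-2", "EUR", Decimal("50.00")),
]
SAFEGUARDING_ACCOUNTS = [
    SafeguardingAccount("SG-GBP-1", "GBP", Decimal("1000.00")),
    SafeguardingAccount("SG-GBP-2", "GBP", Decimal("800.00")),
    SafeguardingAccount("SG-EUR-1", "EUR", Decimal("1300.00")),
    SafeguardingAccount("SG-USD-1", "USD", Decimal("500.00")),  # surplus currency, no liabilities
]

if __name__ == "__main__":
    print("correct:", reconcile(CUSTOMER_BALANCES, FUNDS_IN_TRANSIT, SAFEGUARDING_ACCOUNTS))
    print("netted: ", reconcile(CUSTOMER_BALANCES, FUNDS_IN_TRANSIT, SAFEGUARDING_ACCOUNTS, True))
```

With these figures the correct calculation reports a GBP shortfall of 25.50 and a CHF shortfall of 40.00, while the netted calculation reports only CHF, which is exactly the understatement an auditor's comparison of the calculation against raw customer balance data is meant to catch.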

Systems and Controls Assessment

Beyond transactional testing, auditors assess whether your systems and controls appropriately protect customer funds. This includes reviewing policies and procedures governing safeguarding operations, examining segregation of duties in safeguarding processes (ensuring different individuals authorize, execute, and reconcile), testing access controls preventing unauthorized access to safeguarding funds, verifying that systems prevent commingling of customer funds with operational funds, and assessing whether management and board receive appropriate reporting on safeguarding compliance.

The auditor will interview relevant staff to verify they understand safeguarding requirements and their role in maintaining compliance. Lack of staff understanding suggests inadequate training or insufficient management emphasis on safeguarding importance.

Documentation Review

Comprehensive documentation demonstrates ongoing safeguarding compliance and allows auditors to verify control operation. Auditors review board or senior management meeting minutes discussing safeguarding, safeguarding policies and procedures, safeguarding arrangement descriptions in your operational documentation, reconciliation records and discrepancy investigations, bank confirmations and account statements, and correspondence with banking partners regarding safeguarding accounts.

Missing or incomplete documentation makes it difficult for auditors to verify compliance, potentially resulting in qualified audit opinions or findings of inadequate evidence.

Scenario Testing for Insolvency Protection

Leading safeguarding audits go beyond transactional testing to examine whether safeguarding arrangements would actually protect customer funds in insolvency scenarios. This involves reviewing account structures and trust arrangements to verify insolvency protection would be effective, examining whether any circumstances might compromise customer fund protection, assessing whether customers could actually recover funds if the institution failed, and testing whether the firm has appropriate notification procedures to inform customers of safeguarding arrangements.

While this level of testing isn’t always included in basic safeguarding audits, firms operating at higher risk or holding substantial customer funds should ensure their audits address insolvency scenario effectiveness.

AML Audit Preparation: Key Areas to Review

Preparing for an AML audit requires reviewing and strengthening multiple control areas across your organization. This preparation checklist identifies critical areas auditors will examine.

Governance Documentation

Auditors will request extensive governance documentation evidencing senior management and board oversight of AML compliance. Organize board and senior management meeting minutes discussing AML matters for at least the past 12 months, MLRO reports to the board and senior management, organizational charts showing AML reporting lines and accountability, role descriptions for MLRO, compliance staff, and key business personnel with AML responsibilities, and evidence of board approval of your AML risk assessment and framework.

Review your governance documentation to verify it demonstrates substantive engagement with AML matters rather than merely noting that compliance reports were “received.” The FCA and auditors look for evidence of challenge, questioning, and strategic decision-making around financial crime risk.

Risk Assessment Currency and Quality

Your business-wide risk assessment will receive detailed scrutiny. Verify your risk assessment is current and reflects your actual business as of the audit period, comprehensively addresses customer risk, product risk, geographic risk, and delivery channel risk, uses reliable data and intelligence sources to inform risk conclusions, connects identified risks to specific mitigation controls, includes quantification of both inherent risks and residual risks after controls, and has been reviewed and approved by senior management or the board.

If your business has evolved since your last risk assessment update—new products, markets, or customer segments—update the assessment before your audit. Outdated risk assessments create findings and suggest inadequate governance.

Many payment institutions use generic risk assessment templates without customization. Before your audit, critically review whether your risk assessment genuinely reflects your specific business model or merely describes generic payment industry risks. Our guide to key components of an effective AML audit program discusses risk assessment requirements in detail.

Customer Due Diligence File Preparation

Auditors will sample customer files to verify CDD compliance. Before the audit, conduct your own sample file review across different customer risk categories to identify deficient files. Common deficiencies include incomplete identity verification documentation, missing beneficial ownership information for business customers, inadequate understanding of business relationship purpose, standard CDD applied to customers requiring enhanced due diligence, and missing or outdated ongoing monitoring reviews.

Identify deficient files and implement remediation programs. If you discover systemic issues affecting broad customer populations, document your remediation approach and progress for the auditor.

Organize customer files (whether physical or electronic) to ensure auditors can efficiently locate and review sampled files. Disorganized files that auditors struggle to access suggest weak operational controls.

Transaction Monitoring Evidence

Auditors will assess transaction monitoring effectiveness, which requires preparing several types of evidence:

Document your transaction monitoring system or methodology, including scenario descriptions with parameters and thresholds, alert investigation procedures and decision-making criteria, processes for escalating suspicious activity to the MLRO, and evidence of periodic monitoring effectiveness reviews and scenario tuning.

Prepare metrics on monitoring performance including total alerts generated monthly or quarterly, alerts investigated and closed, alerts escalated to the MLRO, SARs filed from monitoring alerts, and false positive rates by scenario.

Organize sample alert investigation records demonstrating thorough analysis rather than superficial dismissals. Auditors will test whether investigations are properly documented and reasoned.

SAR Documentation

Prepare comprehensive SAR documentation including internal suspicious activity reports submitted to the MLRO, MLRO evaluations and decisions on internal reports, SARs submitted to the National Crime Agency, documentation of decisions not to file SARs when suspicious activity was considered, and evidence of staff training on SAR obligations.

The auditor will assess SAR quality and decision-making. If your SAR volumes seem unusually low or high relative to your customer base and risk profile, prepare explanations for the auditor.

Screening Records

Organize evidence of your sanctions and PEP screening program including screening system or database documentation, evidence of screening frequency for customers and transactions, sample screening hits and investigation records, procedures for handling confirmed matches and freezing assets, and evidence of screening database updates as sanctions lists change.

Be prepared to demonstrate that screening covers all required lists (UK, UN, EU, OFSI) and extends to PEP family members and close associates, not merely PEPs themselves.

Training Records

Compile comprehensive training evidence including current training materials and curricula, attendance records or learning management system reports showing completion, evidence of role-specific training for different staff categories, testing or assessments verifying staff understanding, and training updates when regulations or procedures changed.

If training completion is incomplete for some staff, document your escalation process for non-compliance and any disciplinary measures for persistent non-completion.

Previous Audit Reports and Remediation

If you’ve had previous AML audits, organize prior audit reports, management responses to previous findings, remediation plans and completion evidence, and tracking registers showing closure of previous findings.

Auditors will examine whether you took previous findings seriously and implemented effective remediation. Recurring findings indicate inadequate governance and will result in heightened scrutiny.

Coordinating Safeguarding and AML Audits Efficiently

While safeguarding and AML audits are distinct regulatory requirements, coordinating them can achieve efficiency without compromising thoroughness.

Using the Same Audit Firm

Engaging a single audit firm to conduct both safeguarding and AML audits can reduce costs through efficiency, minimize disruption by conducting both audits during the same period, allow the auditor to leverage business understanding across both examinations, and provide coordinated reporting highlighting interactions between different control areas.

However, this approach only works if the audit firm has genuine expertise in both safeguarding and AML requirements. Some firms excel at financial and accounting audits (helpful for safeguarding) but lack deep AML expertise. Others have strong financial crime credentials but limited understanding of payment reconciliation and safeguarding technical requirements.

Before engaging a single firm for both audits, verify they have payment sector specialists for both disciplines. Request sample audit reports (with client details redacted) demonstrating their capability in each area.

Staggering Audit Timing

Some payment institutions conduct safeguarding audits and AML audits at different times—perhaps safeguarding audits in Q1 aligned with financial year-end, and AML audits in Q3. This approach spreads the burden of audit preparation and organizational disruption across the year rather than concentrating it in a single period.

However, staggered timing means staff must prepare for and participate in audit activities twice annually rather than once. For smaller firms with limited compliance resources, this can be more burdensome than conducting both audits concurrently.

Shared Preparation Activities

Certain preparation activities benefit both safeguarding and AML audits even though the audits themselves are distinct:

Organizing compliance documentation and creating document repositories helps both audits. Conducting management and board meetings discussing compliance matters provides governance evidence for both. Training staff on regulatory obligations addresses both safeguarding and AML awareness. Implementing document retention and record-keeping procedures supports both audit requirements.

By recognizing these overlaps, firms can leverage preparation efforts across both audit requirements rather than treating them as entirely separate exercises.

Combined Reporting with Distinct Sections

Some audit firms provide a single audit report with distinct sections addressing safeguarding and AML separately. This approach can work provided each section is comprehensive and could stand alone as a complete audit report for that regulatory requirement.

Be cautious of superficial “combined reports” that merely touch on both areas without adequate depth. The safeguarding section should be as comprehensive as a standalone safeguarding audit report, and the AML section should be as thorough as a standalone AML audit report.

When reviewing combined reports, assess each section independently against the regulatory requirements and supervisory expectations for that specific audit type. If either section seems abbreviated or lacks the detail expected in a standalone report, the combined approach may not adequately satisfy both regulatory obligations.

What Happens After Safeguarding and AML Audits

Understanding post-audit processes and expectations helps you respond appropriately to audit findings and maintain ongoing compliance.

Review and Respond to Draft Findings

Most auditors provide draft reports allowing you to review findings and provide factual corrections or additional context before reports are finalized. Use this opportunity to correct any factual misunderstandings, provide additional evidence the auditor may have missed, explain circumstances relevant to identified findings, and propose specific remediation plans for deficiencies.

However, don’t use the draft review period to argue with findings you simply don’t like. If the auditor has identified a genuine deficiency, acknowledge it and focus on remediation rather than defensiveness.

Implement Remediation Plans

Audit findings require action, not merely acknowledgment. For each identified deficiency, develop specific remediation plans including clear description of the issue and why it matters, specific actions you’ll take to address it, individuals responsible for implementing remediation, target completion dates, and metrics for verifying remediation effectiveness.

Track remediation progress systematically. Maintain findings registers showing each issue, remediation status, and completion evidence. Senior management and boards should receive regular updates on remediation progress.

Material safeguarding or AML deficiencies may require notification to the FCA under your obligations to report significant compliance breaches. If audit findings are serious, consult compliance specialists or legal advisors to determine whether regulatory notification is required.

Submit Reports to the FCA (Safeguarding)

For safeguarding audits, the FCA expects audit reports to be submitted as part of your regulatory reporting obligations. The specific submission process varies based on your authorization type and the FCA’s current reporting requirements.

Ensure safeguarding audit reports are submitted on time, typically within the period specified in your authorization conditions or regulatory reporting requirements. Delays in submitting safeguarding audit reports may trigger supervisory inquiries about why reports are late.

For AML audits, reports are typically maintained internally rather than proactively submitted to the FCA. However, ensure they’re readily available if the regulator requests them during supervisory activities.

Use Audits to Drive Continuous Improvement

Leading payment institutions view audits not as compliance boxes to check but as opportunities for continuous improvement. Rather than merely fixing specific findings, use audit insights to strengthen your overall control environment.

If audits identify themes—such as inadequate documentation across multiple areas, or staff training gaps—address the root cause rather than merely fixing individual instances. Systematic improvement based on audit insights demonstrates governance maturity and strengthens your control culture.

Share audit findings (in appropriately sanitized form) with relevant staff as training opportunities. Real findings from your actual operations provide more impactful learning than generic compliance training.

Prepare for Next Year’s Audits

Effective firms maintain continuous audit readiness rather than preparing intensively immediately before audits. This includes implementing systematic compliance monitoring that tracks control effectiveness, conducting periodic management reviews of safeguarding and AML arrangements, maintaining compliance calendars to ensure required activities occur on time, organizing documentation continuously rather than scrambling before audits, and tracking regulatory developments affecting your obligations.

Continuous compliance monitoring allows you to identify and remediate issues throughout the year rather than discovering them during annual audits. This approach reduces audit findings, demonstrates better governance, and most importantly, better protects customers and your business from actual risks.

Choosing the Right Auditor for Your EMI or Payment Institution

The quality of your safeguarding and AML audits depends significantly on auditor selection. Choosing the right firm requires evaluating several factors beyond merely cost.

Payment Sector Expertise

Verify the audit firm has specific experience with payment institutions and electronic money institutions, not merely general financial services expertise. Payment firms face unique risks and regulatory requirements that differ from banks, insurers, or investment firms.

Ask potential auditors about their payment sector client base, their understanding of the Electronic Money Regulations and Payment Services Regulations, their familiarity with the FCA's supervisory approach to payment firms, their knowledge of payment industry money laundering typologies, and their experience with payment reconciliation and safeguarding technical requirements.

Request client references from other payment institutions or EMIs. Speaking with firms similar to yours who have used the auditor provides valuable insights into their capabilities and approach.

Technical Capabilities

For safeguarding audits, verify the auditor has strong accounting and reconciliation expertise, understanding of trust law and client money protection, knowledge of insolvency and creditor priority rules, and familiarity with payment flows and clearing mechanisms.

For AML audits, verify they have financial crime expertise including ML/TF typologies, customer due diligence methodologies and technologies, transaction monitoring systems and approaches, sanctions and PEP screening requirements, and SAR quality standards and NCA expectations.

Some audit firms have dedicated payment sector practices with specialists in both areas. Others may be strong in one discipline but weaker in the other. Assess capabilities separately for each audit type you need.

Practical Approach and Value-Add

Beyond technical expertise, assess the auditor’s practical approach. Effective auditors balance regulatory compliance with business reality, provide actionable recommendations not merely findings lists, explain rationale behind findings helping you understand issues, benchmark your practices against peers providing context, and add value beyond merely identifying deficiencies.

Less effective auditors take checkbox approaches, generating findings lists without prioritization or context, providing generic recommendations applicable to any firm, focusing on documentation gaps without assessing actual risk, or being inflexible about minor issues while missing material concerns.

During initial discussions, ask potential auditors how they would approach your specific situation. Their responses reveal whether they’ll provide valuable partnership or merely compliance paperwork.

Cost and Efficiency

While cost shouldn’t be the only factor, it matters, particularly for smaller firms. Obtain clear proposals specifying scope of work, number of auditor days or hours, specific deliverables, timeline for completion, and total cost including any additional expenses.

Be wary of proposals that seem significantly cheaper than alternatives. Unusually low-cost audits may indicate insufficient scope, junior staff without adequate expertise, or a checkbox approach rather than thorough examination.

Conversely, the most expensive option isn’t necessarily the best. Assess value—what you’re receiving for the cost—rather than merely comparing prices.

Reputation and Independence

Consider the audit firm’s reputation in the payment sector and with the FCA. Firms known for rigorous, high-quality audits provide more credibility when their reports conclude your controls are effective.

Verify the auditor’s independence. If the audit firm also provides consulting services, ensure there’s no conflict where they’re auditing controls they themselves designed. The FCA expects genuine independence between audit and consulting activities.

For firms seeking comprehensive support, ComplyFactor offers both independent audit services and separate advisory services to help implement improvements, with appropriate safeguards ensuring independence between these functions. Our AML audit services provide rigorous examination while our AML advisory services help firms strengthen frameworks between audit cycles.

Building Long-Term Audit Readiness

Rather than viewing audits as annual compliance burdens, leading payment institutions embed audit readiness into their operational culture through systematic controls, continuous monitoring, and proactive improvement.

Implement Continuous Safeguarding Monitoring

Instead of reconciling safeguarding only when preparing for audits, implement continuous monitoring that reconciles customer balances to safeguarding account balances daily, automatically generates alerts when discrepancies exceed defined thresholds, tracks reconciling items and ensures their timely resolution, reports safeguarding metrics to management regularly, and supports periodic senior management reviews of safeguarding effectiveness.

Modern payment platforms increasingly offer integrated safeguarding reconciliation modules that automate much of this monitoring, reducing manual effort while improving accuracy and timeliness.
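The daily reconciliation check described above, as an added example that is not part of the original article or of any vendor's product: it compares total customer e-money liabilities with designated safeguarding account balances, treats known in-transit amounts as reconciling items, and raises alerts when the unexplained residual exceeds a threshold or a reconciling item stays open too long. All balances, account names and the one-day item age limit are constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Tuple


@dataclass
class ReconciliationResult:
    customer_liability: Decimal   # total e-money owed to customers
    safeguarded_funds: Decimal    # total held in designated safeguarding accounts
    in_transit: Decimal           # timing differences explained by reconciling items
    unexplained: Decimal          # residual gap that no reconciling item explains
    alerts: List[str]


def reconcile_safeguarding(customer_balances: Dict[str, Decimal],
                           safeguarding_accounts: Dict[str, Decimal],
                           reconciling_items: List[Tuple[str, Decimal, int]],
                           threshold: Decimal,
                           max_item_age_days: int = 1) -> ReconciliationResult:
    """Compare what customers are owed with what is actually safeguarded.

    reconciling_items are (reference, amount, age_in_days): funds received
    but not yet swept into a safeguarding account. They explain part of a
    gap only temporarily, so items open longer than max_item_age_days
    (an assumed limit) are flagged even when the totals balance.
    """
    liability = sum(customer_balances.values(), Decimal("0"))
    safeguarded = sum(safeguarding_accounts.values(), Decimal("0"))
    in_transit = sum((amt for _, amt, _ in reconciling_items), Decimal("0"))
    unexplained = liability - safeguarded - in_transit
    alerts: List[str] = []
    if abs(unexplained) > threshold:
        kind = "shortfall" if unexplained > 0 else "excess"
        alerts.append(f"unexplained {kind} of {unexplained} exceeds threshold {threshold}")
    for ref, amt, age in reconciling_items:
        if age > max_item_age_days:
            alerts.append(f"reconciling item {ref} ({amt}) unresolved for {age} days")
    return ReconciliationResult(liability, safeguarded, in_transit, unexplained, alerts)


# Constructed sample data for one day's check (not real figures).
SAMPLE_CUSTOMER_BALANCES = {"cust-001": Decimal("1500.00"),
                            "cust-002": Decimal("250.50"),
                            "cust-003": Decimal("9800.00")}
SAMPLE_SAFEGUARDING_ACCOUNTS = {"SAFE-GBP-1": Decimal("11000.00")}
SAMPLE_RECONCILING_ITEMS = [("sweep-batch-A", Decimal("500.00"), 0),
                            ("sweep-batch-B", Decimal("40.00"), 3)]


def run_sample_check() -> ReconciliationResult:
    # Expect two alerts: a 10.50 unexplained shortfall and a stale 40.00 item.
    return reconcile_safeguarding(SAMPLE_CUSTOMER_BALANCES, SAMPLE_SAFEGUARDING_ACCOUNTS,
                                  SAMPLE_RECONCILING_ITEMS, threshold=Decimal("5.00"))
```
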

Maintain Robust AML Control Testing

Effective firms conduct ongoing AML control testing throughout the year rather than waiting for annual audits. This includes monthly or quarterly sampling of customer files to verify CDD quality, regular reviews of transaction monitoring alert investigations, periodic assessment of SAR quality and decision-making, systematic testing of sanctions and PEP screening effectiveness, and quarterly compliance self-assessments identifying emerging issues.

These ongoing testing activities serve dual purposes—they provide assurance to management that controls are effective, and they identify issues early allowing remediation before annual audits document them as findings.

Invest in Staff Training and Capability

Control effectiveness ultimately depends on staff competence and understanding. Invest in comprehensive training programs that provide role-specific training addressing each group’s responsibilities, incorporate real-world examples and case studies relevant to your business, test understanding rather than merely delivering information, update regularly when regulations or procedures change, and include senior management in appropriate training to ensure governance understanding.

Well-trained staff make fewer errors, identify suspicious activity more effectively, and demonstrate control awareness that impresses auditors and regulators.

Maintain Current Policies and Procedures

Policies and procedures should be living documents that evolve with your business, not static manuals gathering dust. Implement systematic policy review cycles ensuring all policies are reviewed at least annually, updating procedures promptly when operations or regulations change, obtaining appropriate approval for policy changes, communicating updates effectively to relevant staff, and maintaining version control and change histories.

Auditors frequently find policies that don’t reflect actual practice. Keep policies current with operations to avoid this common finding.

Foster Strong Governance Culture

Audit readiness ultimately flows from governance culture. Boards and senior management that genuinely prioritize compliance, provide adequate resources, engage substantively with risk and control matters, and hold individuals accountable for compliance create environments where audit readiness emerges naturally.

Conversely, firms where compliance is viewed as a cost center, business leaders resist compliance “interference,” and corners are cut to maximize short-term profits inevitably struggle with audit preparation and findings.

Conclusion: Two Essential Audits, One Compliance Objective

While EMI safeguarding audits and AML audits represent distinct regulatory requirements examining different control frameworks, they share a common objective—protecting customers and the financial system from harm.

Safeguarding audits verify that customer funds are protected from business failure, ensuring payment institution customers don’t lose money if the firm becomes insolvent. AML audits verify that financial crime controls prevent criminals from exploiting payment services for money laundering or terrorist financing.

The mistakes UK payment firms make—conflating these separate requirements, using inadequate auditors, implementing insufficient scope, or ignoring findings—create vulnerabilities in both areas. Customer funds remain at risk when safeguarding arrangements are inadequate. The financial system remains vulnerable when AML controls are weak.

Leading payment institutions recognize that robust compliance creates competitive advantage. Strong safeguarding protects your reputation and maintains customer confidence. Effective AML controls reduce fraud losses, facilitate banking relationships, and support sustainable growth. Investment in comprehensive, high-quality audits of both areas represents sound business strategy, not merely regulatory obligation.

If your electronic money institution or payment institution needs support with safeguarding audits, AML audits, or building comprehensive compliance frameworks, ComplyFactor’s specialist team provides targeted expertise for payment sector firms. Our services include independent safeguarding audits meeting FCA expectations, comprehensive AML audits examining all critical control areas, gap analyses identifying deficiencies before formal audits, remediation support implementing improvements systematically, and ongoing compliance support maintaining audit readiness year-round.

The regulatory environment for UK payment institutions continues to intensify. The FCA’s supervisory approach grows more sophisticated, enforcement actions become more severe, and expectations for governance maturity increase. Firms that view compliance as strategic infrastructure rather than regulatory burden will increasingly dominate the market.

Don’t wait until the FCA identifies deficiencies through enforcement actions or until audit findings reveal critical gaps putting customers at risk. Contact ComplyFactor to discuss how our team can help your payment institution achieve excellence in both safeguarding and AML compliance, protecting your customers while supporting your business growth.
