It is no longer sufficient for regulated financial institutions to demonstrate that safeguarding policies exist. The expectation under Financial Institution Rules Chapter 3 (FIR/03) is that firms are able to evidence, in practice, that client funds are protected through a controlled and independently overseen framework. Recent supervisory engagement has made this position increasingly clear. The deficiencies identified by the regulator are rarely attributable to a complete absence of documentation; rather, they tend to arise from a disconnect between what is set out in policy and what is actually taking place operationally within the institution.
One of the most consistent weaknesses identified in Phase 2 reviews relates to safeguarding account control. FIR/03 requires institutions to implement adequate internal control mechanisms, maintain accurate records and ensure that reconciliations are subject to a four-eyes process. In its thematic work, the Malta Financial Services Authority has gone further, indicating that it is not appropriate for ultimate beneficial owners or single individuals to exercise effective unilateral control over safeguarding accounts. In practical terms, this reflects a clear supervisory expectation that no single individual should be able to move client funds without independent counter-control. Dual signatory arrangements are therefore not merely operational safeguards; they are indicative of whether the institution has implemented a defensible and credible control environment.
Another recurring issue concerns the independence of second and third line functions. Under FIR/03, R3-2.7.33 requires the establishment of a permanent and effective compliance function operating independently, while R3-2.7.34 further requires that such function is afforded the necessary authority, resources and access, and is not involved in the activities it is intended to monitor. In safeguarding frameworks, however, this distinction is often blurred. Firms frequently involve compliance in safeguarding processes without clearly separating oversight from execution. Where compliance becomes embedded in the day-to-day operational handling of safeguarding accounts, its independence is inevitably undermined. The same applies, more critically, to internal audit, which must remain structurally and functionally separate. From a supervisory perspective, the issue is straightforward: a control function cannot effectively challenge a process of which it forms part.
A more nuanced issue arises in relation to the role of the MLRO and the compliance function. There is often a tendency to assume that, given the sensitivity of safeguarding, these roles should be granted direct control or signatory authority over safeguarding accounts. However, such an approach risks undermining the very independence that FIR/03 seeks to preserve. A more robust interpretation of the framework is that compliance and MLRO functions must have full visibility and access to safeguarding information, and must be in a position to monitor, challenge and escalate matters independently, without being embedded in the transactional control chain. The distinction between access and control is therefore critical. Effective oversight requires visibility and authority to challenge, but not operational involvement in the execution of transactions.
Further issues arise in the context of safeguarding acknowledgement letters. While many institutions have such letters in place, they often fail to meet the substantive requirements under FIR/03, particularly those set out in R3-2.9.13. The acknowledgement must clearly confirm that client funds are segregated and held solely for clients, that clients retain ownership rights, and that no third party, including the institution itself or the safeguarding bank, has any claim over those funds. In practice, generic or poorly drafted acknowledgement letters create a false sense of compliance. The issue is not whether such a document exists, but whether it achieves the legal insulation of client funds in a manner that is consistent with regulatory expectations.
FIR/03 also places emphasis on the assessment and periodic review of third parties involved in safeguarding arrangements. In this respect, the MFSA has identified a recurring issue where institutions rely on a single safeguarding arrangement, thereby creating concentration risk. As a matter of best practice, institutions are expected to consider diversification of safeguarding providers where appropriate. This reflects a broader regulatory principle: safeguarding is not solely concerned with segregation of funds, but also with the resilience of the safeguarding structure as a whole.
Across Phase 2 reviews, a consistent pattern emerges. Institutions will typically have a safeguarding policy, a designated safeguarding account and a reconciliation process in place. What is often missing, however, is the integration of these elements into a coherent governance framework. In particular, firms struggle to demonstrate, in a clear and defensible manner, who holds authority over safeguarding accounts, how access rights are structured and controlled, how reconciliations are independently reviewed, how discrepancies are identified and escalated, how control functions operate with genuine independence and how the board exercises effective and informed oversight. In the absence of such integration, safeguarding arrangements tend to become fragmented and, as a result, difficult to defend in a supervisory context.
From the perspective of BDO Malta, safeguarding issues rarely arise due to a lack of awareness of FIR/03. More often, they arise because frameworks have developed organically over time, without being systematically tested against regulatory expectations. Our role is to bridge that gap. This involves reviewing safeguarding frameworks on an end-to-end basis, assessing signatory structures and access controls to eliminate concentration risk, ensuring the independence of compliance, MLRO and internal audit functions, strengthening safeguarding methodologies and reconciliation processes, and reviewing and aligning governance structures and board reporting with MFSA expectations. The focus is not on producing documentation for its own sake, but on ensuring that the safeguarding framework operates effectively in practice and is capable of withstanding regulatory scrutiny.
Ultimately, the MFSA’s position is clear. Safeguarding is no longer a technical compliance requirement; it is a core governance standard. Institutions that treat it as a documentation exercise are likely to encounter difficulty. Those that approach it as an integrated, controlled and independently overseen framework are significantly better positioned to meet supervisory expectations and to protect both their clients and their own regulatory standing.
Reach out to the BDO Malta Legal Team to learn more about your safeguarding requirements.