EMI Safeguarding: a PSD2 Article 10 Checklist for Estonian EMIs

Why safeguarding is a first-principle control, not paperwork

When an EMI fails, the supervisor can only return what is provably segregated. That is the customer-protection logic behind PSD2 Article 10, not the compliance logic. Wirecard and a decade of resolution practice all land on the same point: safeguarding is an operational reality tested daily, not a clause in a policy document.

The EBA's 2019 Guidelines on safeguarding arrangements set the supervisory expectation. Segregation must be real, reconciled daily, and documented in a way that a third-party administrator could act on within hours. Estonian EMIs that anchor their operational evidence to that standard — rather than to a narrow reading of Article 10 — tend not to be surprised when Finantsinspektsioon opens an inspection.

Method 1 or method 2

PSD2 Article 10 gives the EMI a choice. Method 1 is a segregated account at a credit institution, or low-risk, liquid assets approved by the competent authority. Method 2 is an insurance policy or comparable guarantee from an insurer or credit institution that is not part of the EMI's own group. Most Estonian EMIs pick method 1: it is simpler, cheaper, and the operational evidence is easier to produce.

Method 2 is not free. The insurer is a counterparty, the premium is ongoing, and the "not part of the same group" rule means the guarantee has to be genuinely external. Larger card programmes with float across several currencies sometimes run hybrid arrangements — some pools segregated, others under insurance — but the supervisor expects each pool to be unambiguously tagged.

What "daily reconciliation" actually looks like

Daily reconciliation is the cadence, not the method. The EMI reconciles the safeguarded balance against the sum of outstanding e-money liabilities and client-ordered executions still in transit. Breaks open and close within a defined window. The reconciliation log is the primary audit artefact, and the EBA guidelines say so in plain language.

Recurring operational issues: weekend and public-holiday cut-offs that hide intraday exposure; FX float for multi-currency card programmes where the safeguarded pool and the liability sit in different ledgers; pre-funded card programmes where the liability is to the cardholder but the funds route through a scheme settlement account. Each needs a named treatment in the policy.

The audit-ready checklist

A written safeguarding mandate with board sign-off. A segregation policy naming the credit institutions and the product-level pools. A daily reconciliation procedure with a named owner and an escalation path. An exceptions-and-breaks report with aging. Evidence that the safeguarding bank is genuinely independent — not a group entity. A contractual arrangement confirming the funds are held for the benefit of payment-service users. A quarterly attestation from the accountable executive. Monthly or quarterly balance statements. Audit-committee minutes that show breaks were reviewed. Training records for the treasury team. That is the bundle we assemble for Finantsinspektsioon.

Common Finantsinspektsioon findings

Three failure modes recur. Commingling after month-end true-ups, where a receivable from the operational account to the safeguarding pool is accrued rather than funded. Missing safeguard for pre-funded card programmes, where the firm treats scheme settlement as a transit item exempt from segregation. Weak reconciliation for cross-border FX float, where the safeguarded ledger and the liability ledger are denominated differently and the revaluation cadence drifts.

Each of these is documentary first, systemic second — which means each is fixable before the next audit if it is caught early. That is exactly what the checklist above is for.