EMI Safeguarding Architecture: How to Build It Right (2026)

Safeguarding is the most-inspected area of EMI and PI supervision in the EU. The legal obligation under the Electronic Money Directive and PSD2 Article 10 is short — keep client funds segregated and protect them in firm insolvency. The operational reality is that most EMIs and PIs design for the regulator's minimum, deploy a 'designated account' label at the operating bank, and discover at first supervisory inspection that the bank-side execution is what supervisors actually examine. By that point, redesigning the safeguarding architecture is expensive, slow, and supervisor-visible.¹^[1]

The mature pattern is structural rather than documentary: a dedicated safeguarding account at a separate credit institution from the operating bank, daily reconciliation between the firm's client ledger and the bank's balance, quarterly external attestation to the NCA, and a clear written agreement with the safeguarding institution naming the trust nature of the funds. Each element exists because each is what a supervisor probes. Each is also what survives an operating-bank termination notice without exposing client funds to the resolution process.

This guide covers the safeguarding architecture end-to-end: the three permitted methods under EMD2 and PSD2 Article 10 of the Payment Services Directive, the structural separation between operating and safeguarding banks, the daily and quarterly operational discipline, the AMLR overlay from 10 July 2027, the equivalent client-asset rules for CASPs under the Markets in Crypto-Assets Regulation, the forthcoming PSD3 reforms, the most-cited supervisory inspection findings, and the design choices that make safeguarding inspection-ready from day one rather than two years into operations.²^[2]⁴^[3]⁵^[4]⁶^[5]

EMD2 Article 7 and PSD2 Article 10 set out three permitted safeguarding methods. EBA Guidelines on safeguarding refine the operational expectations for each. EMIs and PIs choose one method (or a combination) based on cost, operational complexity, and bank-side availability — but must apply the chosen method consistently and document the choice in the AML/operational programme submitted to the NCA.³^[6]

The single most-cited supervisory inspection finding for EMIs is co-located safeguarding — the safeguarding 'account' sitting at the same credit institution as the operating account, distinguished only by a label. Several NCAs have flagged this as inadequate to meet the segregation test: when the operating bank issues a termination notice, the safeguarding account is caught in the same migration, and during the gap period client funds are exposed to the bank's resolution process.

The structural rule: safeguarding sits at a different credit institution from operating. Two relationships, two banks, two diligence cycles, two termination scenarios. The cost is approximately double the bank-relationship overhead — but it is the only architecture that survives an operating-bank termination event without client-fund exposure. The same logic extends to multi-currency operations: USD safeguarding should sit at a different USD-correspondent relationship from EUR safeguarding, with each ring-fenced from operating cash.

Daily reconciliation between the firm's internal client ledger and the bank-side safeguarding account balance is the operational backbone. EBA Guidelines on safeguarding require it; supervisors inspect it; auditors test it. The mechanic is conceptually simple — the firm's ledger says clients hold X total; the safeguarding bank says the account holds Y; X must equal Y at end of day, every day.

• Every client deposit triggers a same-day movement from the operating account to the safeguarding account (or direct routing to safeguarding via a virtual IBAN). Safeguarding-on-receipt is the cleanest pattern.

• Every client withdrawal triggers same-day or next-business-day movement from the safeguarding account back to operating for outbound payment.

• End-of-day reconciliation report compares ledger total to bank balance; out-of-tolerance differences flagged within 1 working day.

• Reconciliation breaks documented; root-cause analysis logged; remediation tracked. Supervisors examine the reconciliation-break log at inspection.

• 5-year recordkeeping minimum on all reconciliation records.

Most NCAs (Bank of Lithuania, CySEC, MFSA explicitly; others by supervisory practice) require quarterly written attestation to the supervisor confirming that no shortfall existed in the safeguarding account during the period. The attestation is signed by the firm's MLRO or Compliance Officer, supported by the daily reconciliation evidence, and increasingly accompanied by an external auditor's negative-assurance report on the safeguarding control framework.

• Quarterly attestation letter signed by MLRO or designated officer.

• Daily reconciliation summary appended (or available on request).

• External auditor's negative-assurance review on the safeguarding control framework — increasingly expected for larger EMIs.

• Annual independent audit of the entire safeguarding architecture, separately from the financial-statement audit.

The trust nature of safeguarded funds depends on documentation. A 'designated account' label without an explicit written agreement with the safeguarding institution naming the trust character of the funds risks falling short on the segregation test if the safeguarding bank itself enters insolvency. The mature pattern is a tripartite-aware agreement: between the EMI / PI, the safeguarding bank, and (in some structures) a trustee, naming explicitly that the funds are held for the benefit of clients and ring-fenced from the EMI's general creditors.

AMLR (Regulation EU 2024/1624) applies from 10 July 2027 and codifies harmonised CDD, EDD, beneficial-ownership, and Travel Rule rules across all 27 member states. The overlay on safeguarding is indirect but real: AMLR-aligned customer risk assessment may push some funds into EDD-only flows that change daily-reconciliation cadence; harmonised UBO disclosure changes the CDD evidence behind safeguarded balances; and AMLA direct supervision of selected EMIs from 2028 will require monthly safeguarding data feeds in addition to NCA-level supervision.

• Co-located safeguarding — safeguarding account at the same credit institution as the operating account. Single most common finding.

• Reconciliation breaks not investigated within tolerance window. Out-of-tolerance differences sitting unresolved past the next-business-day target.

• No written tripartite agreement naming trust character. 'Designated account' label without supporting trust documentation.

• Quarterly attestation submitted but not externally reviewed for larger institutions.

• Multi-currency safeguarding consolidating across currencies into a single ledger, masking per-currency exposures.

• Recordkeeping below the 5-year minimum on reconciliation evidence.

The architectural decisions that make safeguarding survive supervisory inspection cluster on five points:

• Two banks minimum — operating + safeguarding at separate credit institutions.

• Safeguarding-on-receipt — client funds routed to safeguarding immediately, not transferred end-of-day.

• Per-currency safeguarding ledgers — separate sub-ledgers for EUR, USD, GBP; not consolidated.

• Written tripartite-aware agreement naming trust character.

• External auditor's quarterly negative-assurance on safeguarding controls.

Mechanically possible, structurally inadequate. Several NCAs — Bank of Lithuania and Central Bank of Ireland explicitly — have flagged co-located safeguarding as not meeting the segregation test under EMD2 and PSD2 Article 10. The risk is operational: when the operating bank issues a termination notice, the safeguarding account is caught in the same migration. Use a separate credit institution for safeguarding from day one; reorganising mid-flight under regulator pressure is materially harder than designing it correctly upfront.

Conceptually yes, technically different. MiCA Article 75 requires CASPs holding client crypto-assets to keep them segregated from CASP own assets. The mechanic is on-chain rather than fiat — separate wallets, separate keys, separate cold/warm/hot architecture for client crypto vs CASP proprietary holdings. EMIs combining e-money issuance with CASP services hold both: fiat safeguarding under EMD2 + crypto segregation under MiCA Article 75. The architectures sit beside each other, governed by different rules.

Daily, end-of-day, with intraday checks on high-volume days. EBA Guidelines on safeguarding require at least daily; supervisors view intraday monitoring as a maturity indicator. Out-of-tolerance differences should be flagged within 1 working day; resolved within 5 working days; root-cause analysis documented for any pattern of breaks. The reconciliation-break log is one of the first documents supervisors ask for at inspection.

Increasingly yes, particularly above mid-tier scale. Quarterly external auditor negative-assurance on the safeguarding control framework is now expected for EMIs above approximately €100M average e-money outstanding. Below that scale, internal MLRO attestation supported by daily reconciliation evidence is generally accepted. The trend is toward formalised external review; budget for it as the firm scales.

Substantively, harmonised CDD/EDD across the EU and harmonised UBO disclosure rules. For safeguarding architecture specifically, the bigger change is AMLA direct supervision of selected EMIs from January 2028 — selected entities will face monthly safeguarding data feeds and joint supervisory team inspections in addition to NCA supervision. Plan AMLR-aligned safeguarding documentation during 2026; reactive 2027 work compounds programme cost.

Partially — but the regulated EMI / PI retains accountability. A BaaS arrangement can route client funds via a sponsor bank and run the daily reconciliation infrastructure, but the segregation test and the quarterly attestation responsibility remain with the EMI / PI. Outsourcing means you delegate execution, not legal accountability. Document the outsourcing under DORA third-party register requirements; ensure the BaaS contract includes audit rights and exit plans.

• Bank Account for an EMI: Buyer's Playbook: The application sequence and document file (companion guide)

• EMI vs PSP vs VASP vs CASP: Which financial licence do you actually need?

• Multi-Bank Treasury Architecture for Regulated Fintechs: The four-layer model — operating, safeguarding, EMI rails, capital

• MiCA Compliance Guide for CASPs: Authorisation walkthrough — capital, governance, supplier stack

Safeguarding is the most-inspected area of EMI and PI supervision because it is the area where regulator-failure-protection meets day-to-day operational execution. The EMIs that survive supervisory inspection cleanly are the ones that built the architecture before they needed it — separate banks, daily reconciliation, quarterly attestation, written trust documentation, AMLR-aligned policies. The cost of doing this well is modest. The cost of doing it badly is supervisory-letter remediation that runs 12–18 months and a public NCA finding that follows the firm to every subsequent banking and authorisation diligence.