--- title: "EMI Safeguarding Architecture: How to Build It Right (2026)" slug: emi-safeguarding-architecture publishedAt: 2026-04-26T15:00:00Z author: Finconduit Editorial Team tags: EMD2, PSD2, AMLR canonicalUrl: https://finconduit.com/resources/emi-safeguarding-architecture --- # EMI Safeguarding Architecture: How to Build It Right (2026) EMI and PI safeguarding architecture under EMD2 and PSD2 Article 10 — three permitted methods, structural separation between operating and safeguarding banks, daily reconciliation, quarterly attestation, AMLR overlay, and the design choices that survive supervisory inspection. Safeguarding is the most\-inspected area of **EMI** and **PI** supervision in the EU. The legal obligation under the [Electronic Money Directive](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32009L0110) and **PSD2 Article 10** is short — keep client funds segregated and protect them in firm insolvency. The operational reality is that most **EMI**s and **PI**s design for the regulator's minimum, deploy a '**designated account**' label at the operating bank, and discover at first **supervisory inspection** that the bank\-side execution is what supervisors actually examine. By that point, redesigning the **safeguarding architecture** is expensive, slow, and supervisor\-visible.¹[^1] The mature pattern is structural rather than documentary: a dedicated **safeguarding account** at a separate **credit institution** from the operating bank, **daily reconciliation** between the firm's client ledger and the bank's balance, quarterly external attestation to the NCA, and a clear written agreement with the safeguarding institution naming the trust nature of the funds. Each element exists because each is what a supervisor probes. Each is also what survives an operating\-bank termination notice without exposing client funds to the resolution process. This guide covers the **safeguarding architecture** end\-to\-end: the three permitted methods under **EMD2** and **PSD2 Article 10** of the [Payment Services Directive](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32015L2366), the structural separation between operating and safeguarding banks, the daily and quarterly operational discipline, the [AMLR](https://eur-lex.europa.eu/eli/reg/2024/1624/oj) overlay from 10 July 2027, the equivalent client\-asset rules for **CASP**s under the [Markets in Crypto\-Assets Regulation](https://eur-lex.europa.eu/eli/reg/2023/1114/oj), the forthcoming [PSD3](https://finance.ec.europa.eu/regulation-and-supervision/financial-services-legislation/implementing-and-delegated-acts/payment-services-directive_en) reforms, the most\-cited **supervisory inspection** findings, and the design choices that make safeguarding inspection\-ready from day one rather than two years into operations.²[^2]⁴[^3]⁵[^4]⁶[^5] ## The Three Permitted Safeguarding Methods **EMD2** Article 7 and **PSD2 Article 10** set out three permitted safeguarding methods. [EBA Guidelines on safeguarding](https://www.eba.europa.eu/) refine the operational expectations for each. **EMI**s and **PI**s choose one method \(or a combination\) based on cost, operational complexity, and bank\-side availability — but must apply the chosen method consistently and document the choice in the **AML**/operational programme submitted to the NCA.³[^6] *Table: Three permitted safeguarding methods under EMD2 and PSD2 Article 10.* | Method | Mechanic | Operational reality | | --- | --- | --- | | 1. Segregation in a credit institution | Client funds held in a separate account at a credit institution; account labelled 'client funds' or equivalent | Most\-deployed method. Bank\-side execution is what supervisors inspect; account naming and daily reconciliation are scrutinised | | 2. Segregation in qualifying liquid assets | Client funds invested in safe, liquid investments \(sovereign bonds, deposits with a Tier\-1 EU bank\) | Less common; used by larger EMIs with treasury sophistication; requires daily mark\-to\-market | | 3. Insurance equivalence | Insurance policy or comparable guarantee covering loss of client funds in firm insolvency | Rare; expensive; cover gaps and exclusions are hard to satisfy supervisor | | Combination | EMD2 permits combinations \(e.g. partial segregation \+ partial insurance for buffer\) | Operationally complex; supervisors expect clear allocation methodology | > **Warning:** Method 1 \(segregation in a credit institution\) is the practical default for almost every EMI and PI in 2026. Methods 2 and 3 require either treasury sophistication or insurance pricing that is rarely commercial below very large scale. The harder design question is not which method — it is how Method 1 is operationally executed. ## Structural Separation — Why Operating and Safeguarding Banks Must Be Different The single most\-cited **supervisory inspection** finding for **EMI**s is co\-located safeguarding — the safeguarding 'account' sitting at the same **credit institution** as the **operating account**, distinguished only by a label. Several NCAs have flagged this as inadequate to meet the **segregation** test: when the operating bank issues a termination notice, the **safeguarding account** is caught in the same migration, and during the gap period client funds are exposed to the bank's resolution process. The structural rule: safeguarding sits at a different **credit institution** from operating. Two relationships, two banks, two diligence cycles, two termination scenarios. The cost is approximately double the bank\-relationship overhead — but it is the only architecture that survives an operating\-bank termination event without client\-fund exposure. The same logic extends to multi\-currency operations: USD safeguarding should sit at a different USD\-correspondent relationship from EUR safeguarding, with each **ring\-fenced** from operating cash. ## The Daily Reconciliation Discipline Daily reconciliation between the firm's internal client ledger and the bank\-side **safeguarding account** balance is the operational backbone. **EBA Guidelines on safeguarding** require it; supervisors inspect it; auditors test it. The mechanic is conceptually simple — the firm's ledger says clients hold X total; the safeguarding bank says the account holds Y; X must equal Y at end of day, every day. - Every client deposit triggers a same\-day movement from the **operating account** to the **safeguarding account** \(or direct routing to safeguarding via a virtual **IBAN**\). Safeguarding\-on\-receipt is the cleanest pattern. - Every client withdrawal triggers same\-day or next\-business\-day movement from the **safeguarding account** back to operating for outbound payment. - End\-of\-day reconciliation report compares ledger total to bank balance; out\-of\-tolerance differences flagged within **1 working day**. - Reconciliation breaks documented; root\-cause analysis logged; remediation tracked. Supervisors examine the reconciliation\-break log at inspection. - **5\-year** recordkeeping minimum on all reconciliation records. ## Quarterly Attestation to the NCA Most NCAs \(Bank of **Lithuania**, **CySEC**, **MFSA** explicitly; others by supervisory practice\) require quarterly written attestation to the supervisor confirming that no shortfall existed in the **safeguarding account** during the period. The attestation is signed by the firm's **MLRO** or Compliance Officer, supported by the **daily reconciliation** evidence, and increasingly accompanied by an external auditor's negative\-assurance report on the safeguarding control framework. - Quarterly attestation letter signed by **MLRO** or designated officer. - Daily reconciliation summary appended \(or available on request\). - External auditor's negative\-assurance review on the safeguarding control framework — increasingly expected for larger **EMI**s. - Annual independent audit of the entire **safeguarding architecture**, separately from the financial\-statement audit. ## The Written Agreement With the Safeguarding Institution The trust nature of safeguarded funds depends on documentation. A '**designated account**' label without an explicit written agreement with the safeguarding institution naming the trust character of the funds risks falling short on the **segregation** test if the safeguarding bank itself enters insolvency. The mature pattern is a tripartite\-aware agreement: between the **EMI** / **PI**, the safeguarding bank, and \(in some structures\) a trustee, naming explicitly that the funds are held for the benefit of clients and **ring\-fenced** from the **EMI**'s general creditors. ## The **AMLR** Overlay From July 2027 **AMLR** \(Regulation EU 2024/1624\) applies from 10 July 2027 and codifies harmonised CDD, EDD, beneficial\-ownership, and Travel Rule rules across all 27 member states. The overlay on safeguarding is indirect but real: **AMLR**\-aligned customer risk assessment may push some funds into EDD\-only flows that change daily\-reconciliation cadence; harmonised UBO disclosure changes the CDD evidence behind safeguarded balances; and **AML**A direct supervision of selected **EMI**s from 2028 will require monthly safeguarding data feeds in addition to NCA\-level supervision. ## Most\-Cited Supervisory Inspection Findings - Co\-located safeguarding — **safeguarding account** at the same **credit institution** as the **operating account**. Single most common finding. - Reconciliation breaks not investigated within tolerance window. Out\-of\-tolerance differences sitting unresolved past the next\-business\-day target. - No written tripartite agreement naming trust character. 'Designated account' label without supporting trust documentation. - Quarterly attestation submitted but not externally reviewed for larger institutions. - Multi\-currency safeguarding consolidating across currencies into a single ledger, masking per\-currency exposures. - Recordkeeping below the **5\-year** minimum on reconciliation evidence. ## Design Choices for Inspection\-Ready Safeguarding The architectural decisions that make safeguarding survive **supervisory inspection** cluster on five points: - Two banks minimum — operating \+ safeguarding at separate **credit institution**s. - Safeguarding\-on\-receipt — client funds routed to safeguarding immediately, not transferred end\-of\-day. - Per\-currency safeguarding ledgers — separate sub\-ledgers for EUR, USD, GBP; not consolidated. - Written tripartite\-aware agreement naming trust character. - External auditor's quarterly negative\-assurance on safeguarding controls. ## Frequently Asked Questions ### Can my safeguarding bank be the same as my operating bank if I use a separate account? Mechanically possible, structurally inadequate. Several NCAs — Bank of **Lithuania** and Central Bank of **Ireland** explicitly — have flagged co\-located safeguarding as not meeting the **segregation** test under **EMD2** and **PSD2 Article 10**. The risk is operational: when the operating bank issues a termination notice, the **safeguarding account** is caught in the same migration. Use a separate **credit institution** for safeguarding from day one; reorganising mid\-flight under regulator pressure is materially harder than designing it correctly upfront. ### Does **MiCA Article 75** client\-asset **segregation** work the same way for **CASP**s? Conceptually yes, technically different. **MiCA Article 75** requires **CASP**s holding client crypto\-assets to keep them segregated from **CASP** own assets. The mechanic is on\-chain rather than fiat — separate wallets, separate keys, separate cold/warm/hot architecture for client crypto vs **CASP** proprietary holdings. **EMI**s combining e\-money issuance with **CASP** services hold both: fiat safeguarding under **EMD2** \+ crypto **segregation** under **MiCA Article 75**. The architectures sit beside each other, governed by different rules. ### How often should I run reconciliation? Daily, end\-of\-day, with intraday checks on high\-volume days. **EBA Guidelines on safeguarding** require at least daily; supervisors view intraday monitoring as a maturity indicator. Out\-of\-tolerance differences should be flagged within **1 working day**; resolved within 5 working days; root\-cause analysis documented for any pattern of breaks. The reconciliation\-break log is one of the first documents supervisors ask for at inspection. ### Do I need an external attestation on safeguarding? Increasingly yes, particularly above mid\-tier scale. Quarterly external auditor negative\-assurance on the safeguarding control framework is now expected for **EMI**s above approximately €100M average e\-money outstanding. Below that scale, internal **MLRO** attestation supported by **daily reconciliation** evidence is generally accepted. The trend is toward formalised external review; budget for it as the firm scales. ### What changes when **AMLR** applies in July 2027? Substantively, harmonised CDD/EDD across the EU and harmonised UBO disclosure rules. For **safeguarding architecture** specifically, the bigger change is **AML**A direct supervision of selected **EMI**s from January 2028 — selected entities will face monthly safeguarding data feeds and joint supervisory team inspections in addition to NCA supervision. Plan **AMLR**\-aligned safeguarding documentation during 2026; reactive 2027 work compounds programme cost. ### Can I outsource safeguarding to a BaaS provider? Partially — but the regulated **EMI** / **PI** retains accountability. A BaaS arrangement can route client funds via a sponsor bank and run the **daily reconciliation** infrastructure, but the **segregation** test and the **quarterly attestation** responsibility remain with the **EMI** / **PI**. Outsourcing means you delegate execution, not legal accountability. Document the outsourcing under DORA third\-party register requirements; ensure the BaaS contract includes audit rights and exit plans. > **Call to action:** Building or refreshing your safeguarding architecture? Finconduit reviews EMI and PI safeguarding designs against EMD2, PSD2 Article 10, and EBA Guidelines on safeguarding — and supports the structural separation, daily reconciliation tooling, and quarterly attestation workflow. Get a free safeguarding review. ## Related Guides - [Bank Account for an EMI: Buyer's Playbook](/resources/bank-account-for-emi): The application sequence and document file \(companion guide\) - [EMI vs PSP vs VASP vs CASP](/resources/emi-psp-vasp-licence-comparison): Which financial licence do you actually need? - [Multi\-Bank Treasury Architecture for Regulated Fintechs](/resources/multi-bank-treasury-architecture): The four\-layer model — operating, safeguarding, **EMI** rails, capital - [MiCA Compliance Guide for CASPs](/resources/mica-compliance-guide-casps): Authorisation walkthrough — capital, governance, supplier stack Safeguarding is the most\-inspected area of **EMI** and **PI** supervision because it is the area where regulator\-failure\-protection meets day\-to\-day operational execution. The **EMI**s that survive **supervisory inspection** cleanly are the ones that built the architecture before they needed it — separate banks, **daily reconciliation**, **quarterly attestation**, written trust documentation, **AMLR**\-aligned policies. The cost of doing this well is modest. The cost of doing it badly is supervisory\-letter remediation that runs 12–18 months and a public NCA finding that follows the firm to every subsequent banking and authorisation diligence. - [Three\-Account Segregation: Operating vs Safeguarding vs Reserve](/resources/three-account-segregation-operating-safeguarding-reserve) — the explicit naming\-convention and ledger architecture that prevents commingling. - [Stablecoin Issuer Banking Architecture Under MiCA](/resources/stablecoin-issuer-banking-architecture-emt) — how EMT issuers extend the safeguarding pattern to reserve and redemption rails. - [CSSF Circular 26/906: How EMI / PI Governance Changed in 2026](/resources/cssf-circular-26-906-emi-pi-governance) — what changed in Luxembourg EMI and PI governance under CSSF Circular 26/906 and how to remediate. - [MSB Safeguarding vs EMI Safeguarding: A Trans\-Atlantic Architecture Comparison \(2026\)](/resources/msb-vs-emi-safeguarding-architecture) — side\-by\-side US MSB and EU EMI safeguarding architectures for trans\-Atlantic operators. - [Virtual IBAN & White\-Label IBAN Providers: The Four Architectures and Selection Criteria \(2026\)](/resources/virtual-iban-architecture-selection) — the four virtual\-IBAN architectures and the selection criteria that should drive your choice. - [The Anatomy of a Successful EMI Authorisation: What's Actually in the File](/resources/anatomy-successful-emi-authorisation) — the document\-by\-document file architecture every authorised EMI submits. - [The 90\-Day Pre\-Application File Build for EMI and PI Licences](/resources/90-day-pre-application-emi-pi-build) — the week\-by\-week build sprint that gets the authorisation file submission\-ready. - [The EMI Compliance Programme Architecture: Eight Pillars](/resources/emi-compliance-programme-architecture) — the operating model that runs after the licence is granted. - [The Crypto Card Program Stack: BIN Sponsorship](/resources/crypto-card-program-bin-sponsorship) — the settlement and safeguarding architecture behind a crypto card program and its BIN sponsor. ## Footnotes [^1]: Directive 2009/110/EC \(EMD2\) — Electronic Money Directive; sets safeguarding rules for issuers of electronic money. [^2]: Directive \(EU\) 2015/2366 \(PSD2\) — Article 10 imposes safeguarding obligations on payment institutions. [^3]: Regulation \(EU\) 2023/1114 \(MiCA\) — Article 75 imposes equivalent client\-asset obligations on CASPs holding crypto\-assets. [^4]: Regulation \(EU\) 2024/1624 \(AMLR\) — applicable from 10 July 2027; substantive AML rulebook overlaying EMI / PI / CASP obligations. [^5]: Proposal for a Directive on payment services and electronic money services in the internal market \(PSD3\) — pending; will replace PSD2 \+ EMD2 with strengthened safeguarding rules. [^6]: EBA Guidelines on safeguarding — operational expectations for safeguarding by EMIs and PIs. --- Source: https://finconduit.com/resources/emi-safeguarding-architecture