Safeguarding client assets should be the top priority for our industry, says BCB’s Oliver Tonkin, and clients should be ready to challenge providers for hard evidence

Safeguarding of client funds has become a hot button issue in the digital assets and payments industry. Regulation is evolving at speed, financial watchdogs are tightening the rules and institutions are asking tougher questions of their service providers – and not before time, says Oliver Tonkin, Chief Executive of BCB Group.

“In 2022-23 we saw a slew of company failures – including cases involving either fraud like FTX or poor risk management practices like Celsius – that has forced the industry to grow up. It’s been a steep learning curve for some and there’s been a shakeout,” Tonkin says.

“Before that difficult period, risk management processes in much of the industry were, at best, immature, as was counterparty risk management. The result in 2022-23 was people losing a lot of money, billions of dollars in fact. Now, I am glad to say, safeguarding and risk management is the big topic and everyone is, or should be, thinking about it.

“It’s important, not just because it is a regulatory requirement but also because it is crucial to confidence. Ensuring proper safeguarding of clients’ money and assets, through regulation and internal procedures is the key to our business and actually to the whole crypto and payments services industry.”

As a regulated payments company, BCB has been subject to tough regulation from its earliest days, so when company failures and scandals were making headlines, it had a good story to tell.

“There was an eruption of questions from clients in that period [2022-23] and we could tell them their funds were segregated and safeguarded in line with Financial Conduct Authority (FCA) regulations – their money was not at risk from an FTX or Celsius-like scenario. We had to educate a lot of clients about those safeguards because they had not been thinking about it before.”

The top line for Tonkin is simple: “If a client wants every penny, cent or coin out of their BCB accounts or wallets today, they can.” But he adds: “Anyone can say that of course, but you should not just take their word for it. Institutions should demand the evidence of those safeguards from any partner they use for payments or digital assets.”

Regulation and dedication – the safe combination

While safeguarding regulations for payment firms and EMIs have a long history, the FCA has put firms’ safeguarding procedures under increased scrutiny in recent years, and is now in the process of tightening the rules further. This enhancement of safeguarding requirements is a response to a number of instances where failed payment firms have been unable to return customer funds on an insolvency – between 2018 and 2023 insolvent payment firms and EMIs have, on average, only returned  65% of customer funds.

The proposed new rules, expected to take effect in May 2026, will align the rules with the existing Client Assets Sourcebook (CASS) which applies to regulated firms handling client assets.

“It’s to the FCA’s credit that they are majoring on this,” says Tonkin. “The new rules significantly raise the bar on what is expected of payment institutions and EMIs.” A final deadline for compliance has yet to be set, but BCB is already at work ensuring it meets the standards.

“We have a crack team working on that and our head of safeguarding [Chizoba Uzowuru] comes from a background where CASS was the standard. I am confident we are going to be well ahead of many other firms,” Tonkin says.

A central plank of the new rules will be the requirement for an independent annual safeguarding audit, with an approved third party. BCB has had such audits in place for two years, provided by one of the top ten accounting firms.

“We passed our most recent safeguarding audit with flying colours,” Tonkin confirms.

The FCA’s safeguarding rules currently extend only to fiat currency, though a whitepaper on similar safeguards for crypto assets has been issued. Currently it is EU regulations that are slightly ahead, with the safeguarding of digital assets included the Markets in Crypto Assets (MiCA) Regulations.

“Our MiCA license application is well advanced, and we have what is needed in place for that in terms of the partners we use, the segregation of client wallets, reconciliations and so on. So, we are very much ahead of the curve on that too,” Tonkin added.

The UK’s FCA and the EU’s MiCA compliance, overseen by one of BCB’s French regulators, the Autorité des Marchés Financiers (AMF), between them combine the strict rules on fiat and crypto.

“In the end, regulation will be comparable across markets, the lyrics might be different, but the tune will be the same, so it’s not about one being better than the other. Right now, though, because we are covered by both the FCA and the AMF our clients get the best of both as the regulations develop.”

“The important thing is we don’t play regulatory arbitrage. If one of our entities in a certain market has to apply certain safeguarding standards, then we apply those across all our entities,” says Tonkin. “So far, we have found that this makes applications for licences in new markets much easier. Details may vary, but a high standard met in one market means you are well prepared, and immediately more reputable, when you apply somewhere else.”

Truly effective safeguarding means going beyond the minimum required by regulation, Tonkin argues. What goes on behind the scenes is also vitally important. 

“Continual internal investment to upgrade systems is really important as is the quality of our partnerships. Our banking partners, who hold fiat currency for our clients, must be recognised financial institutions and we are constantly upgrading those relationships. 

“Our banking partners have always been chosen to meet that standard and as we have grown, we are using more tier one global banks, and our clients can feel very comfortable about the underlying partners we use.”

A safeguarding checklist

Traditional institutions entering the digital assets market can find the process daunting. The types of company providing services and the relevant regulations may not map easily onto the type of counterparties they are used to.

One of the basic questions to ask, says Tonkin, is where an organisation is based and regulated. “If you are going to partner with someone, start by looking for firms based in one of the big credible financial centres. London is clearly one of those. As for the EU, remember that all licences are not the same – MiCA is an EU directive and so is being implemented slightly differently in different countries.

“In Europe the leading centres are France, Germany, the Netherlands and Luxembourg, which all combine robust frameworks with a sensible and sophisticated approach to the industry.”

On choosing a specific partner, Tonkin’s advice is quite simply to demand hard evidence that risk management and safeguarding processes are robust.

“Ask to see their safeguarding audit, their AML audit, their governance audit, risk management policy and relevant certifications. For example, we have an ISO 27001 certificate for our information security. That’s the kind of thing institutions should be asking for and if a company cannot provide those easily, that’s a red flag.

“The world is always turning and these checks on audits and safeguarding need to be constant. Just because a company was tip top three years ago does not mean it still is.”

“I think of it like this: we ask all our partners for this type of evidence as part of our own checks, and we are very comfortable with clients asking the same questions of us.”