SfE Security Policy
As a Small Payment Institution (SPI) registered with the FCA and supervised by HMRC, the Company takes security very seriously and has worked to develop systems and procedures that minimise the risk of fraud, money laundering and the financing of crime and terrorism.
Our Service is tailored to specific circumstances that fall into three categories of Transaction:
- Under the Party Wall etc. Act 1996
- Under a Licence
- Under a Building Contract
In most cases funds are held as security and then returned to the same bank account from which they were received with no payment to a third party. This is not a Payment Transaction for the purposes of The Payment Services Regulations 2017 and such Transactions are not to be included in the Company’s annual FSA057 (Payment Services Directive Transactions) report to the FCA.
Definitions: A list of definitions of terms used in this policy statement and other Company documents can be found in our Terms & Conditions.
1 Identification of Risk
1.1 The level of risk varies according to the type of Transaction.
1.2 CDD for every Transaction comprises:
a) Checking the relationship between the PGS and the Owner required to give Security
b) Bank sort code and account number validation
c) Making a token transaction with the recipient’s bank account
d) Checking company details at Companies House
1.3 CDD for any Transaction may also include:
a) Checking the registered title at HMLR
b) Verifying the identity of individuals directed to receive payment out of the Security Sum
c) Identifying the beneficial owners of recipient organisations
d) Confirmation of identity or other details by a third party supervised by one of the professional bodies listed in Schedule 1 of the Regulations
1.4 The Managing Director is the person responsible for the Company’s compliance with the Regulations and for setting the level of CDD to be applied in each case.
2 Transactions under the Party Wall etc. Act 1996
2.1 In most cases release of the Security Sum will be directed or awarded by Surveyors in their role as a statutory tribunal established under the Act.
2.2 Most Transactions under the Act are Risk-free Transactions (RFT).
2.3 Risk may arise in any of the following circumstances:
a) Where the PGS is not one of the Parties. (For example, a managing agent, project manager, developer or contractor.)
b) Where Security is agreed and directed by the Parties without the involvement of Surveyors.
c) Where the title is not registered at HMLR.
d) Where the Security Sum is to be disbursed to the Adjoining Owner or to an Adjoining Occupier.
e) Where one of the Parties or an Adjoining Occupier is a politically exposed person.
2.4 In the case of 2.3 d) above risk is further enhanced where:
a) The Adjoining Owner’s title is not registered at HMLR.
b) The Adjoining Owner or Occupier is an organisation.
c) A direction is received for payment into a bank account not in the name of the other Owner or Adjoining Occupier.
2.5 In any of the circumstances arising in paragraphs 2.3 and 2.4 above the case will be referred to the Directors for further assessment.
2.6 It may be decided that, notwithstanding any risk identified in paragraphs 2.3 and 2.4 above, when a Transaction is controlled and directed by a Statutory Tribunal of surveyors further CDD is unwarranted.
3 Transactions under a Licence
3.1 Transactions under a Licence are identical to Transactions under the Party Wall etc. Act 1996 with the exception that surveyors acting for the parties do not have statutory authority.
3.2 Paragraphs 2.2 to 2.5 above apply to Transactions under a Licence.
4 Transactions under a Building Contract
4.1 Transactions under a building contract will always involve Payment Transactions required to be included in the Company’s annual FSA057 report to the FCA, so CDD will be undertaken in setting up the account.
4.2 Documentary evidence will be required to establish the identities of the parties and confirm that the contract is for a bona fide building project.
4.3 Documents required will include:
a) Details of the Employer
b) Details of the Contractor or Sub-Contractor
c) Details of the Contract Administrator (CA)
d) Copy of the signed Form of Contract
e) Copy of Planning Consent or Certificate of Lawful Development
f) Copy of Building Regulations Approval or Building Notice
g) HMLR extract for the Site
h) Bank details for the Employer
i) Bank details for the Contractor or Sub-Contractor
j) Anticipated payment schedule
5 IT Security Measures
5.1 Data is kept on the Company’s server located in Sweden.
5.2 Electronic communication is made over a secure VPN connection.
5.3 Data is backed up overnight to a secure OneDrive server hosted by Microsoft. Weekly and monthly backups are made on site in Sweden.
5.4 Data can be accessed remotely by the Company’s Executive Management Board when necessary.
5.5 Data input by customers on our website is automatically forwarded to our server over an encrypted connection and deleted from the website host server.
6 Physical Security Measures
6.1 Data and records are not kept on the premises at the Company’s Head Office.
7 Payment Process
7.1 All Transactions are by direct bank transfer between United Kingdom bank accounts. Under no circumstances will cash deposits be accepted or cash payments made.
7.2 We obtain confirmation from the Company’s bank that funds received into the Company’s account originated from the account advised to us by the PGS.
7.3 If funds are transferred by BACS, CHAPS or another banking intermediary service and the Company’s bank cannot confirm the originating account we require evidence from the PGS that funds were remitted from the confirmed account.
7.4 Payments are made only by a member of the Company’s Executive Management Board. No automated payments are made from the Company’s client account.
7.5 Payments are made into accounts that have been confirmed only after CDD has been completed.
7.6 On receiving instructions to make a payment an initial payment of £10 will be made into the confirmed payee account. When the payee confirms safe receipt of the initial payment the balance will be transferred.
7.7 Barclays Online Banking Faster payment service is subject to the following restrictions:
a) The maximum single payment that can be made is £50,000.
b) The total amount that can be paid in a single day is £100,000.
7.8 Payments will usually be made using Barclays.NET where the enhanced security requirements remove those restrictions. Payments above £50,000 require authorisation by a second member of the Executive Management Board.
8 Transaction Analysis
8.1 Each Transaction is controlled at every stage by one of the Executive Management Board. It is checked against the Transaction Schedule to ensure that payments are made only in accordance with the procedures applicable and to the parties identified in the Schedule.
8.2 Any circumstances arising in the course of a Transaction or an application to the Company for a Transaction falling outside the normal conditions outlined in this Policy Statement shall be immediately communicated to a Director who will assess the implications and, if required, update this Policy Statement accordingly.
8.3 All major incidents will be reported within four hours of being detected to the FCA under Regulation 99 of the Payment Services Regulations 2017 in line with the European Banking Authority Guidelines on Operational and Security Risks under PSD2 on incident reporting.
8.4 To comply with HMRC requirements, details of all Transactions will be kept for a minimum period of six years after the Transaction is closed.
9 Staff Training
9.1 The Executive Management Board and staff will meet no less than once each year to review and discuss cases that have arisen in the previous year.