Modulr FAQs

Pento's job is to make payroll painless - we organise all the moving parts that underpin the payroll process to make our customer's life easier. One of the crucial moving parts of the payroll process is making the payment.

Only organisations that are authorised by a financial regulator are permitted to carry out certain payment services including payment transactions. As Pento is not authorised to process funds, we work with Modulr, a Payment Service Provider (PSP) and an organisation that is authorised to do this part of payroll.

Our specialism is simplifying the overall payroll process. With Pento, the customer only needs to liaise with one point of contact and we deal with the rest. We keep all the various components and stakeholders in the payroll process working together smoothly in the background, so our customer can focus on other things.

A PSP authorised by the Financial Conduct Authority (FCA) as an Authorised Electronic Money Institution to carry out certain payment services including, payment transactions related to payroll.

Modulr contracts with Pento as a partner at integration level to offer the payment services. Modulr provides the Payments as a Service API to the customer and Pento. Pento is appointed as an Authorised User of the customer’s Modulr account.

Only organisations that are authorised by a financial regulator are permitted to carry out certain payment services including payment transactions. Because Pento is not authorised, we work with Modulr (the authorised PSP) to do this part of payroll.

Pento acts as the messenger between our customer and the Modulr. Customers can use our platform to communicate payment instructions to Modulr (like who to pay, how much and when). If there are any issues with Modulr, we'll liaise with them on our customer's behalf. Similarly, if Modulr wishes to communicate with our customer about their account, we'll liaise with our customer. We also collect anti-money laundering information from our customer on Modulr’s behalf.

Pento is the data processor for both our customer and Modulr. We carry out their instructions and keep the relationship working seamlessly. The benefit is that our customer only needs one point of contact rather than having to juggle lots of relationships at once.

Financial regulators require organisations that provide payment services including accounts to have a direct contractual relationship with account holders. This means that our customers have to enter a contract directly with Modulr as well as Pento when they sign up to use Pento Services. Neither the customer nor Pento are under a legal duty to comply with the financial regulator.

Modulr has a legal obligation as an entity authorised by the financial regulator to enter into this agreement, and Pento cannot facilitate the payroll process without an authorised entity.

But don't worry, we've made our sign-up process as simple as possible and once the account is set up, our customer only deals with Pento. Modulr is one of the many moving parts of payroll that Pento keeps running smoothly in the background, to take the pain out of the payroll process.

Modulr’s terms and conditions are embedded into Pento’s terms of service for review and acceptance. The customer formally accepts Modulr’s terms and conditions when it opens an account through completing the Introduced Client Form.

Modulr adopts a non-negotiable stance on their terms and conditions and won’t make any changes to their standard introduced client agreement, unless for reasons of impossibility or incompatibility with their partner’s products.

In the event this became applicable, Modulr would endeavour to provide the best customer service by providing as much notice as possible and the customer would be informed and have the right to object and terminate. As the service Modulr provides is regulated, assignment or subcontracting would only be done where appropriate.

If you do not wish to use Modulr to automate the payment process, we could also set you up with a different payment method. Please feel free to speak with your sales representative (if you are looking at using Pento!) or your customer Success Manager (if you are an existing customer).

As an authorised electronic money institution, Modulr is not permitted to participate in the Financial Services Compensation Scheme (FSCS), as this is only available to banks. However, Modulr has separate safeguarding obligations under the Electronic Money Regulations. Those obligations require Modulr to safeguard an amount equal to all e-money issued on its platform, together with an additional 2% of such amount (using its own corporate funds) by way of a regulatory buffer. In contrast to the FSCS, Modulr are required to safeguard 100% of funds instead of up to £85k per customer. The only way customer funds would be at risk would be in the event of the insolvency of Modulr and where the costs relating to the winding up of Modulr exceeded the mandated 2% regulatory buffer.

Funds paid to and sitting in a customer’s Modulr account are safeguarded for that customer. In line with Modulr’s regulatory requirements, an amount equal to 100% of funds related to the e-money that Modulr FS Ltd has issued are segregated from Modulr’s own funds and are safeguarded with the Bank of England or an authorised credit institution, as required by the regulations. This means that 100% of client funds are protected from any risk associated with Modulr’s solvency.

Bank of England.

Bank of England.

In addition to the safeguarding and further ‘own fund’ requirements, Modulr are also required to prepare orderly wind down planning. These plans include the early identification of a potential insolvency event and the return of your funds before an insolvency process. Modulr must provide these plans to the FCA and they are subject to external audit review. This further reduces the unlikely event of the customer’s funds having to be returned during Modulr’s insolvency. In the unlikely event that Modulr becomes insolvent, the customer’s funds are separate from the funds of Modulr and therefore the creditors of Modulr (other third parties that are owed money from Modulr) are not able to make a claim or have any effect on the customer’s funds.

An independent insolvency professional (referred to as an ‘insolvency practitioner’) will be appointed to return the customer’s funds to them. However, where an insolvency practitioner is unable to take their costs of sending the funds to the customer from elsewhere (for example, the general pot of Modulr funds remaining or from the additional 2% own funds described above) they are entitled to take their costs from the customer’s funds. In this unlikely circumstance, while the customer will likely receive most of their funds they may not receive the total value if costs are deducted. The process of returning customer funds by an insolvency practitioner is likely to take longer than if the customer was making a claim via the FSCS.

Yes, the money is co-mingled with other clients accounts, but Modulr uses safeguarding to protect customer money. This means Modulr ensures that 100% of the funds they receive in exchange for electronic money are safeguarded on receipt, meaning that these are segregated from all other funds that Modulr holds and they cannot be used for any other purpose. This is completely separate from the additional capital resources that Modulr holds to meet its corporate obligations.

Modulr has developed a risk-based transaction monitoring programme across all transaction types. This is achieved through a combination of tools including:Supplier provided automated rules-based monitoringIn-house developed real-time outbound payment velocity controlsCard fraud monitoring softwareManual data and analysisModulr monitors all transaction activity conducted by its clients.

The usual time a bank transfer would take. If done via Faster Payments the funds would appear almost instantly. If done via BACS - the usual length of time a BACS transfer takes (3 working days). 

They can email the Pento support team and ask them to do a fund transfer to their bank account.

The transaction will always show in the customer’s name and won’t ever show as Pento. The account is set up by the customer, and therefore in the customer’s name.

Modulr may ask the customer to make a change or improvement following the completion of an IT Security review where it feels that the customer has a missing control, or a control may not be strong enough. Modulr would work with the customer to define the requirement and agree reasonable timelines for remediation.  An example may be that during a review, Modulr discovers that the customer has security patches missing from their infrastructure that are over 12 months old. Modulr would expect a client to maintain and patch their environment if they are connected to Modulr’s platform services.

Where Modulr stores the data, it is stored on their secure servers in the European Economic Area (EEA) or the United Kingdom, currently AWS Regions Ireland and  London.  Where Modulr shares your information with third parties this may involve transferring it to a country outside the EEA. Where Modulr does this it takes the steps required under the Data Protection Legislation to ensure that your information is appropriately protected.

Details regarding Modulr’s technical and organisational measures are set out further below in the Personal Data Section. In brief, Modulr uses MFA, encryption and carries out vulnerability scanning and Pen Testing.

Modulr holds various security certifications and adheres to several best-practice security regimes, such as:
- Payment Card Industry Data Security Standard (PCI DSS) certification which is subject to annual audit
- Cyber Essentials Plus certification
- Financial Conduct Authority (FCA), SWIFT and others for which Modulr undergoes multiple audits throughout the year
- European Banking Authority Guidance on ICT and Security Risk Management

A data controller is the decision maker when it comes to personal data. It is the organisation that decides, amongst other things, what data is collected and why the personal data is processed (e.g. collected, used, analysed, stored) and exercise professional judgement in the processing of the personal data.

In contrast, a data processor is simply the doer when it comes to personal data. It does not make any decisions about the personal data; it must do as it is told (by the data controller). If a data processor begins to make decisions about why it does something with the personal data, or it does something with the personal data that it has not been told to do under European and UK law, that organisation automatically becomes a data controller and may be subject to sanctions for going beyond the instructions of the data controller in respect of that personal data.

Under European and UK data protection law, there are only 6 reasons that a data controller can legally justify why it is using personal data.

One of these reasons is legal obligation. It is where the data controller must collect, use, store etc the personal data to comply with a law or regulation that the data controller is subject to. Another reason is where the controller needs to process personal data to perform their contract and provide the product or service.

Any organisation that (1) makes decisions about why personal data is used and (2) makes decisions about the lawful basis justifying that decision is automatically a data controller.

Financial regulators require authorised organisations (such as PSPs) to collect, use and store personal data to demonstrate that it uses funds and operates within the law. For example, they must carry out anti-money laundering checks to demonstrate that the funds do not originate from criminal proceeds and they must keep these records for a specified length of time so that they can be audited by the regulator.

Modulr must collect the personal data to comply with a legal obligation it has to its regulators, or as part of the contract it has entered into with the customer to provide the payment services.

Safeguards, such as data protection audits, records of processing activities (ROPA), and data protection impact assessments (DPIAs) for processing activities are in place to ensure they are thinking about data protection in everything that they do. Modulr’s internal policies essentially pin industry standards and procedures to Modulr’s processes. Their policies are reviewed periodically.

Modulr’s Privacy Policy provides information regarding how personal data is processed.  This includes information on the personal data Modulr collects and processes, the purpose, who personal data may be disclosed to, where it is stored, and how long it is retained.  

Technical Measures
- Segregation of duties and least privilege.
- Multi-factor authentication.
- User accounts created with management approval.
- Auditable history of changes.
- Annual review and removal of excess access authorisation.
- Vulnerability management program that deploys appropriate patch controls to information systems.
- Data encryption in transit and at rest, and in respect of processing of personal data on laptops, computers, mobile devices, and removable media.
- Privileged Access Management
- Roles Based Access Control

Organisational Measures
- Retention policies for all reports, logs, audit trails to provide evidence of data privacy and data security.
- Policies documenting consequences for violations.
- Periodic risk assessment process and a process to evaluate new and emerging security risks.
- Security incident response plan.
- Mandatory annual training on privacy, data processing, data protection, data security, encryption, and confidentiality awareness to individuals authorised by Modulr to access Modulr’s information systems or to process personal data.

As Modulr is the data controller, they do not engage sub-processors for the purpose of providing the service to customers.  Any processors engaged by Modulr are engaged in accordance with paragraph 4 of Modulr’s Privacy Policy (for example, payment and card schemes, fraud agencies etc). 

As is often seen with banking partners, the provisions in the Introduced Client Agreement are sufficient to cover what is necessary under UK GDPR and a separate DPA is not required.  The Introduced Client Agreement allows the customer to agree to the appropriate data protection provisions.

Modulr’s Privacy Policy provides information regarding how personal data is processed.  This includes information on the personal data Modulr collects and processes, the purpose, who personal data may be disclosed to, where it is stored, and how long it is retained.  

Whilst this cannot be shared due to being classified as an internal document, Modulr can confirm that DPIAs are carried out in respect of its processing activities across its business. 

As Modulr is an entity regulated by the FCA, they are required to conduct customer due diligence checks when onboarding a new customer and perform ongoing monitoring whilst the account remains active. The checks required are determined by customer type and will include identification, verification and screening of key individuals.

The documentation required when setting up an account will vary based on the customer type. Modulr will require basic information on the customer, for example company name, registered address, registration number and director and shareholder information. There are scenarios where additional documents may be requested within the application form, for example a company structure chart may be required for complex ownership structures.

Following initial due diligence checks conducted using the information provided at the time of application, there are a number of scenarios where additional information may be required to complete the onboard. This may include, but is not limited to, proof of identity and proof of address documentation for verification purposes or source of wealth documentation and additional shareholder information in instances where an application has been identified as requiring enhanced due diligence. During the course of the relationship, Modulr may request additional information to support ongoing monitoring, for example to ensure we hold up to date information on the customer.

Modulr does not provide a customer-facing portal so this will not be applicable for your Modulr account. Pento is required by Modulr to ensure the customer grants Pento permission to access and operate the Modulr account on the customer’s behalf. The customer can only access the Modulr account through the Pento Platform.

The customer needs to satisfy DD procedures before the account is opened.  However, it may then apply on an ongoing basis, depending on any changes within the company structure/ownership etc. Notice is not appropriate given the nature of the circumstances i.e. the customer being in breach of Modulr’s DD requirements.

They do not share information with third parties but do use third party providers to run checks, such as PassFort. Modulr does make use of sub-contractors and where that is the case, any data transfer is subject to applicable transfer mechanisms as relevant and required under relevant data protection legislation.

Modulr’s accounts and company details are available online on Companies House.

All introduced clients that are crypto will be treated as high risk and enhanced due diligence measures will be applied. This means that Modulr would request the source of wealth information, additional information (crypto-specific questions outlined below) and the onboard would need to go through high-risk approval.  As the application goes through the approval process, further questions may emerge and so the list below is not necessarily exhaustive. Such applications have extended timelines due to the level of review and approval required.

Crypto specific questions:
- Does the firm provide Crypto trading services directly or facilitate the exchange of crypto to flat currencies.
- Provide a current version of the firm’s AML Policy.
- Describe the currencies and exchanges which will be used.
- Are these linked to Privacy or Anonymity Coins?
- Describe the first use and availability of specialist tools and capability to manage the risks in relation to the transaction monitoring and ongoing screening of all currencies provided? Please confirm that the tools utilised cover all crypto assets offered.
- Does the firm have the correct level of regulatory approval/registration based on the local country requirements?
- Provide CV’s for those key personnel employed and relevant sector experience (for example, MLRO, Senior Compliance colleagues & Controllers).