The past 12 months has seen unprecedented Financial Conduct Authority (FCA) supervisory activity in the payments sector. Payment firms ignore this increased regulatory threat at their peril. A high proportion of firms have faced intense scrutiny and, in many cases worse still, enforcement actions that have included suspending a firm’s regulated activities. So, what can payment service providers do to mitigate this increased regulatory risk?
After 10 years of ‘token’ supervision, consisting of a review of firms’ regulatory returns, customer complaints to the contact centre and the occasional thematic dipping of the supervisory toe into the water, the FCA has used PSD2 as the catalyst to execute its supervisory obligations with a vengeance.
It’s worth remembering that how a competent authority discharges its supervisory obligation is not specified in the directive. The fact is that the UK is home to more payment service providers than any other EU Member State, so perhaps the FCA faces greater challenges than its erstwhile EU counterparts.
Some would say increased scrutiny is unfair, especially when already-authorised firms were required in 2018 to submit new applications to become re-authorised or re-registered to carry on providing payment services. Others would argue that the sector has had almost 10 years of grace to get prepared for the scrutiny that many have financial sectors have faced.
Regardless, the FCA shows no sign of taking its foot off the gas, as evidenced by a number of recent enforcement actions taken against payment firms. And this momentum seems to have continued even through the COVID-19 lock-down.
So, how can a payment institution, e-money institution, account information service provider or payment initiation service provider prepare for the almost inevitable call from the FCA?
Here ares four key areas the FCA seem to focus on above others and that we would strongly urge payment firms to consider now, before you get that FCA call.
1) Safeguarding
When the first Payment Services Directive was being negotiated, the question of what capital a payment institution was required to hold was key to the survival of many players within the sector, for whom a high capital requirement would be disastrous. Instead, it was acknowledged that given the nature of payments, back when the prevalent model was money remittance, a better solution would be for firms to account for any customer monies which it had not disbursed by the next day. So, safeguarding was introduced, with guidance issued as to what, when, how and who with.
PSD2 was an opportunity to reinforce and clarify the FCA’s expectations, which it did in its ‘Approach Document’. Given this, the FCA’s expectation was that firms were following the guidance and safeguarding correctly.
Unfortunately, focused visits to a number of payment and e-money institutions suggested otherwise. Among other things, firms were failing to identify the relevant funds to be safeguarded, segregate relevant funds upon receipt, reconcile safeguarded balances, and lodge relevant funds in a designated account with an EEA credit institution.
The FCA’s general findings were shared with the industry, together with a request that firms ‘attest’ to their compliance with the safeguarding obligations. The FCA is now following up on those attestations.
2) Governance
The FCA has always been keen on the ‘mind and management’ of a firm being in the UK. Sometimes firms from a global group or with an overseas parent look to establish in the UK with a minimal presence. Whilst this is understandable, it doesn’t necessarily lend itself to demonstrating good governance within the firm.
The FCA is looking for the board and senior management to be fully sighted on the risks posed to the firm, ensuring that management information is fed up the line and decisions cascaded back down, and that this can be evidenced. If it isn’t written down, it didn’t happen!
The Senior Managers & Certification Regime (SMCR) prescribes clear responsibilities and functions expected within a firm. Whilst SMCR does not (yet) apply to payments firms not additionally authorised under the Financial Services and Markets Act (FSMA), the principles can be usefully applied by payments to enhance governance.
3) Capital and liquidity
Certainly a focus of the regulator’s mind in light of Brexit (and something that has come to the fore in recent weeks with COVID-19), is the ability of firms to withstand ‘shocks’ to their business. The FCA is increasingly expecting firms to stress test their ability to continue to meet their capital requirements and to have have a plan detailing the steps to be taken to ensure an orderly wind down of the business, if this was necessary.
4) Financial Crime
To increase its understanding of arrangements in place across the sector, the FCA’s Financial Crime Supervision team has conducted a number of telephone interviews with payments firms. Whilst individual action is not envisaged, that is not to say that the FCA will not follow up where not satisfied with the responses provided.
To guard against the FCA knocking on your door in relation to any of the above topics, Compliancy Services can help you in a number of ways, from discrete review projects focussing on a specific area (e.g. safeguarding), through to a complete programme of support via a retainer package, covering the range of your compliance needs and tailored according to your individual needs and budget.
If you have had a call from the FCA or would just like advice, guidance or support in these or other regulatory compliance areas then please do get in touch.
Related resources
All resourcesIdentifying the weaknesses in firms’ transaction reporting governance and control frameworks
Bitesize webinar: Establishing a robust prudential monitoring framework
Operational Resilience: regulatory guidelines for critical third parties aim to avoid systemic disruption
Press Release: Cosegic launches new Consumer Duty audit.