Payment Services Newsletter - October 2024

Posted on: 29 October 2024

Written by: James Borley

Payment Services Compliance Newsletter October 2024

Welcome to the latest edition of our compliance newsletter aimed at Payments firms, including EMIs, PIs, AISPs, PISPs and prospective applicant firms. This newsletter contains a round-up of our recent regulatory articles that provide the latest insight into compliance issues and developments relevant to the payments industry over the past few months.

What’s the latest?

These past few months really have been red letter days, dominated by the finalisation of the Payment Systems Regulator’s (PSR) reimbursement model for Authorised Push Payment (APP) Fraud on 7 October 2024. In a significant shift from its original proposal, the PSR now requires UK payment service providers (PSPs) to reimburse all in-scope customers who fall victim to APP fraud (with limited exceptions), mandating shared liability on a 50:50 basis between sending and receiving PSPs, up to £85,000 per claim (reduced from £415,000).

We also saw the publication of the FCA’s much anticipated consultation paper on changes to the safeguarding regime for payments firms. Those of you with keen memories will recall us discussing this at our Payments Forum in December last year. Yes, it’s been that long in the making!

As ever, we also reflect on a couple of events that Cosegic hosted/attended in addition to some of the regulatory developments that have caught our eye! 

As always, if you have any questions about the content in this newsletter, then please contact us here and we will be happy to help with your enquiry.


Safeguarding CP

Well, the FCA certainly didn’t disappoint with their long-awaited safeguarding consultation paper, proposing wide-ranging changes to the current safeguarding regime in not one but two parts. My colleague, Ed Vincent, provided a helpful summary hot off the press.

Key highlights:

  • After failing to convince the Court otherwise, the FCA is now proposing the formal creation of a statutory trust
  • Perhaps recognising that ‘segregation’ is too confusing, funds will be expected to be received directly into a designated safeguarding account
  • Somewhat hopefully, given the historic challenges in the market, firms may need to diversify their safeguarding providers (i.e. use more than one)
  • Adoption of a ‘CASS-like’ regime, including resolution packs
  • More structured safeguarding audits, and mandatory for APIs

We will be looking at these proposals in more detail at our forthcoming webinar on 6 November, where we will be joined by our partners, Max Savoie from Sidley Austin, and Matt Lucas from The Bank of London. Please do register for this important event.

APP Fraud

As we mentioned earlier, the PSR’s APP Fraud reimbursement rules finally kicked in on 7 October. Whilst most of the coverage was centred around the limit to be shared between sending and receiving PSPs, finally reduced from £415,000 to £85,000, there was little discussion around what firms were expected to do to mitigate the impact of such claims on their capital and liquidity. My colleague, Stefan Babic, produced this helpful article earlier this month, summarising regulatory expectations and the need for firms to develop their own methodology to assess the financial resources they may require for future reimbursement claims. Understanding the size of potential frauds (for example, based on the typical transaction sizes for a particular firm’s customer base) and the likelihood of those frauds occurring will be of critical importance in estimating the financial resources which should be ‘set aside’ to settle potential reimbursements.

Prudential risk management

Speaking of prudential matters for payments firms, Stefan also reminded us, in July, of the importance of payments firms developing their own prudential risk management framework, similar to that required of MiFID investment firms – in particular the Internal Capital Adequacy and Risk Assessment Process (‘ICARA’). I tell you, the Payments Internal Capital Adequacy and Risk Assessment Process, or ‘PICARA’, is only a matter of time!

The establishment of a robust prudential risk management framework for payments firms will continue to be a focus area for the FCA, as set out in its Portfolio Letter in March 2023, as the financial resilience of firms is a key pillar of its approach to reducing harm.

Since the FCA communicated its expectations to firms, it is clear there is still work to be done by the sector, so our key piece of advice to firms is to get ahead of these expectations with regard to managing risk, capital and liquidity.

Consumer Duty – the BAU phase

We should never get tired of prefacing our updates regarding Consumer Duty with the FCA expectation that Consumer Duty is not a ‘once and done’ exercise for firms. The watershed moment was, perhaps, the 31 July deadline for firms to complete an attestation as to their progress and compliance with Consumer Duty, embodied within the first annual ‘Board Report’. We understand that approaching such exercises can sometimes be daunting for firms, so we produced a template document to get firms started. If you missed it first time around, please click here. When appropriately adapted, this template will help firms demonstrate and evidence compliance with Consumer Duty rules, setting out a framework to help you document the risks and issues identified in delivering good customer outcomes and the actions the firm has taken to address them.

The FCA expects, though, that the production of this board report is not a simple attestation. It should be a comprehensive internal governance exercise, where firms challenge themselves on whether they are delivering good customer outcomes for each of the three cross-cutting rules and the four Consumer Duty outcomes. The FCA has started to ask a sample of firms for copies of their report, so it can check whether firms are completing it and also assess the quality of the content. The FCA has also publicly commented that it will have no tolerance for late reports. That said, if perhaps you haven’t yet finalised your report, then hopefully you will take the hint.

The FCA is also increasingly focussing on vulnerable customers; how they are assessed as such, and how they are accommodated within the Duty. My colleague Jennifer Cahill produced this helpful article on the subject, which we followed up with a popular webinar on 22 October, a recording of which can be watched here.

HMRC vs FCA

HM Revenue & Customs (‘HMRC’) and the Financial Conduct Authority (‘FCA’) both share responsibility as money laundering supervisors of certain payments firms (under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs) in the context of the Payment Services Regulations (PSRs)). This has long been a cause of confusion for firms, especially those applying for registration or authorisation for the first time. For me (and with the benefit of having been at the regulator when this was first introduced) it is pretty straightforward: if you are conducting only money remittance as an SPI or API, then HMRC is your AML supervisor; if you are providing any other payment service, then it will be FCA who is the AML supervisor. Unfortunately, this can get a little bit confusing, so I felt it might be helpful to explain this in a bit more detail.

Compliance Register Awards

Cosegic was delighted to again be a winner at the Compliance Register Platinum Awards and honoured to win the blue riband ‘Best Consultancy Firm’ award, as voted for by industry.

From a personal perspective, I was delighted that Cosegic was also awarded ‘Best Support Firm -Payment Services’, recognising the high standards delivered throughout Cosegic’s Payment Services practice.

Cosegic also won ‘Best Consultancy – Compliance & Regulatory Work’, and our Senior Consultant, Delphine Chen, was runner up as ‘Compliance Rising Star’.

We are all extremely proud of these achievements, which are a testament to the expertise, dedication and hard work of our amazing team, to whom we extend our gratitude. Congratulations to all of the other winners and nominees, and thank you to The Compliance Register for hosting such a wonderful evening.

Whistleblowing

Do you believe in coincidences? Well, it was coincidental that an article on the importance of whistleblowing was followed shortly by a furore over FCA Chairman, Ashley Alder, who was accused of breaching the confidentiality of an internal whistleblower who wrote to him asking for help: he was said to have forwarded correspondence in December and March with the complainant’s name, address and concerns unredacted. Following an internal review, Mr Alder was cleared of any wrongdoing. It is nonetheless an important reminder that whistleblowers must be dealt with clearly and safely, with their confidentiality protected.

Suspicious Activity Reports

In August, the National Crime Agency (NCA) released its latest SARs Reporter Booklet, which gave a detailed look into how Suspicious Activity Reports (SARs) are leveraged by law enforcement agencies (LEAs) to tackle serious crime. SARs can include critical information such as phone numbers, addresses, and bank details, and are pivotal in identifying and investigating criminal activities. My colleague, Abou Bangoura, took a look at this and summarised the key elements for a suitably robust SAR framework as:

  • Ensuring systems and procedures are in place for detecting suspicious activity;
  • Having full oversight of suspicious activity alert management, including tracking outstanding alerts, ageing analysis, escalation, quality, and alert closure justifications;
  • Obtaining and keeping information concerning the Internal and External SAR volumes;
  • Having adequate training and reporting procedures for staff on filing an internal SAR; and
  • When weaknesses are found, ensuring the production and oversight of a remediation plan that addresses the weaknesses promptly.

IAMTN Summit

I was privileged to be invited to speak at the International Association of Money Transfer Networks (IAMTN) annual Summit in Dubai earlier this month. In addition to chairing a panel of international regulators, I also gave a presentation on getting authorised in the UK: explaining the FCA’s expectations, the process, and whether an acquisition route might be easier.

If you want to find out more about what I talked about, please do drop me a line.

Operational Resilience

As we mentioned in our last newsletter, Operational Resilience is one of the key deliverables for payments firms in the next 12 months, and probably the ‘next big thing’ on your compliance calendar. Firms should already have identified their important business services, together with evidence and rationale, and have set impact tolerances for the point at which intolerable consumer harm or risk to market integrity is reached; 31 March 2025 marks the end of the transition period, by which firms are expected to be fully operationally resilient.

Firms are also required to identify and document the people (including third parties), processes, technology, facilities, and information necessary to deliver each of their important business services.

Key to readiness and compliance, as is the case with so many aspects of regulation, is robust and regular testing against a range of likely (and unlikely) scenarios that may identify vulnerabilities and risks to your operational resilience and your ability to remain within your set impact tolerances.

Whilst 31 March 2025 is the end of the transition period, where firms are expected to be fully operationally resilient, firms are expected to embed this into their overall enterprise-wide risk frameworks today and for this to be under continual review.

We have also seen a conflation of UK Operational Resilience and DORA (the EU’s Digital Operational Resilience Act), without much consideration as to what distinguishes one from the other. In simple terms, Operational Resilience concerns your UK licence and operations, but DORA will also apply to UK-based entities that undertake any of the broad range of financial services activities performed in the EU captured by the Act. This will require robust ICT risk management frameworks, incident reporting mechanisms and digital operational resilience testing.

As DORA comes into force in January 2025, we are looking to hold a webinar on this, and the read-across to UK Operational Resilience, soon.

Annual Payments Forum

Just a little heads up that we expect to hold our annual forum in central London in the new year, reverting to the original format of a single event, rather than spreading over two separate events. There should be little surprise as to the likely ‘hot topics’ for discussion, given anticipated implementation dates and regulatory importance e.g. Operational Resilience, Safeguarding, Consumer Duty. However, if there is a burning topic that you think needs to be covered, then please do let us know and we will see if we can incorporate it into the event.

Final thoughts

As ever, if you would like to discuss Payment Services, or any other aspect of your compliance, then please contact any member of the team. Additionally, if there is any topic you would like us to cover in future editions of the newsletter, then please let me know.

Cosegically yours,
James


James Borley

James, our Managing Director for Payment Services, is a highly qualified financial services expert and a familiar name to many in the payments and e-money community.

