Payment Services Compliance Newsletter March 2025
Welcome to the latest edition of our compliance newsletter aimed at Payments firms, including EMIs, PIs, AISPs, PISPs and prospective applicant firms. This newsletter contains a round-up of our recent regulatory articles that provide the latest insight into compliance issues and developments relevant to the payments industry over the past few months.
Introducing Alan Hadley: Our new Director of Payment Services
To kick the newsletter off, we’re excited to introduce Alan Hadley as the new Director of our Payment Services team. With 35 years of experience in financial services, including 15 years in compliance, risk management, and anti-financial crime, Alan brings a wealth of knowledge to Cosegic. His background spans investment management, stockbroking, international banking, and fintech, with expertise in UK and EU regulatory regimes. Previously authorised as an SMF16 Compliance Officer and SMF17 MLRO, Alan is a valuable addition to our team.
To get in touch with Alan, please click here.
What’s the latest?
Time and the FCA wait for no one and it’s certainly been a busy period since our last newsletter in October.
We’ve had a new Dear CEO Letter and guidance on controllers, DORA has come into effect and, overhanging it all, there is the ongoing debate around the new safeguarding proposals. So, without further ado, let’s dive right in.
As always, if you have any questions about the content in this newsletter, then please contact us here and we will be happy to help with your enquiry.
Dear CEO Letter
The FCA released its Dear CEO letter earlier this month. Whilst much of the content should be familiar to firms, picking up directly from the previous letter issued in March 2023, there is still a lot to digest, including its stance on risk tolerance, the upcoming changes to safeguarding rules, and its growing emphasis on APP fraud.
Also, in highlighting to firms those areas where improvements still need to be made, the letter provides helpful context regarding the FCA’s role in supporting the National Payments Vision, and how compliant and well-run firms are key to that.
However, beyond this there’s another key aspect that may have slipped under the radar: the FCA’s reminder on head office requirements for UK-authorised PIs and EMIs. This is an issue we run up against quite a lot with clients looking for authorisation and can be a source of consternation.
Nonetheless, the bottom line is that the CEO and key decision-makers should be primarily based in the UK, Board meetings must be held in the UK and operational decisions must be made within the UK.
None of this is new to be fair — the principles date back to the Post-BCCI Directive. (Remember BCCI? Those of us working at the Bank of England at the time certainly do!)
Given this, we published a couple of articles, one talking about the letter in general and one specifically setting out the importance of a firm demonstrating compliance with the mind and management expectations.
Cosegic publishes its response to CP24/20
The FCA’s Safeguarding Consultation Paper continues to loom large in the industry’s collective consciousness and here at Cosegic we hope we have - through our webinar on the subject, discussion at our forum and in our articles - helped to stimulate thought and discussion on the proposals. We have also provided feedback to the FCA on the proposals as we see them and now wait to see what the FCA will make of ours, and of the doubtless avalanche of responses that will have been forthcoming from the industry.
If you want to read our formal response then you can do so here.
The Consumer Duty multi-firm findings
In January 2024, the FCA reviewed 23 payment firms to assess their Consumer Duty implementation. In October they revealed their findings: a mix of successes and areas for, shall we say, improvement.
With the findings showing that while over half of the firms met expectations, others fell behind in crucial areas like fair value, consumer understanding, and support for vulnerable customers, it’s clear no one can be complacent.
With this in mind, in November Jaspreet Kaur, Senior Consultant in our Payment Services team, published a follow-up article breaking down the FCA's findings and providing actionable insights for firms striving to meet regulatory standards and deliver stronger customer outcomes. That article can be found here.
Key takeaways from the observations included the need for more targeted product markets, better price justification, robust consumer communication testing, and enhanced support for all customer groups, particularly those with vulnerabilities.
So perhaps this is an opportune time to remind readers that Cosegic offers a Consumer Duty Assurance review which helps firms by providing an in-depth, customised assessment to identify any compliance gaps and offers clear recommendations for improvement, helping to reduce the risk of non-compliance and penalties. Please get in touch if this is of potential interest to you.
APP Fraud
Late last year the FCA issued finalised guidance for the Payment Services (Amendment) Regulations 2024, empowering payment service providers (PSPs) to delay outbound Authorised Push Payments (APP) where there are reasonable grounds to suspect fraud. This new measure provides PSPs up to four business days to conduct thorough checks, aiming to prevent fraudulent transactions while ensuring compliance with legal obligations and prompt customer communication.
Abou Bangoura, Senior Consultant in our Payment Services team, has written an article highlighting the importance of balancing these new powers with existing anti-financial crime obligations. He notes that the FCA also emphasises the need for PSPs to monitor customer outcomes under Consumer Duty, tracking metrics like delay durations and support for vulnerable customers.
Operational resilience and exploring DORA
Operational Resilience is an area that has seen a lot of attention lately. The final deadline for full implementation and readiness of the FCA’s requirements by payments firms is just days away but if you are still looking for guidance, Cosegic hosted a panel discussion to revisit the expectations on firms, and direct you to what else you might need to do.
The discussion also covered the potential impact of the EU’s Digital Operational Resilience Act (DORA) which, while it is an EU regulation aimed at EU firms, will catch UK firms if they also operate in the EU.
Additionally, John Burns, Senior Advisor at Cosegic, has shared key insights and practical guidance on DORA specifically on a webinar held in partnership with Clear Junction. A recording can be found here.
Partially related to this, on 12th November 2024 the FCA, Bank of England, and Prudential Regulation Authority introduced a long-awaited policy statement outlining the oversight regime for critical third parties (CTPs) in the UK financial sector. With incidents involving third parties on the rise, these new rules - effective 1st January 2025 - aim to enhance governance, cyber resilience, risk management, and more, safeguarding the stability and confidence of the UK’s financial system.
We’ve unpacked the key requirements for CTPs and offered some thoughts on how firms can navigate these changes in this article.
Controllers
As many of you will be aware the FCA has introduced new requirements upon controllers and beneficial owners making applications for authorisation, registration, or a change in control: such individuals must now obtain criminal background checks. This requirement, effective from 17 January 2025, aligns with the Financial Action Task Force (FATF)’s recommendations and applies to UK checks via the Disclosure and Barring Service (DBS) or international equivalents.
We had previously highlighted some of the issues in an article “Change in Control – FCA licences are not for sale”. A key takeaway is the increasing focus on CiC notifications as a perceived shortcut to authorisation. While this route might seem faster, the FCA’s scrutiny of these applications—coupled with new requirements like criminal record checks—reinforces its stance against regulatory arbitrage.
Competition
On 17 January 2025, the FCA published its response to a letter from the Prime Minister which was sent along with the Chancellor’s recommendations on growth. The FCA set out a number of reforms under three headings: unlocking capital investment and liquidity; accelerating digital innovation; and, reducing the regulatory burden.
As part of this growth agenda the FCA has outlined specific plans to reshape the UK payments landscape, including introducing variable recurring payments, exploring the removal of the £100 contactless limit, and increasing support for fintech start-ups. These changes aim to boost competition, innovation, and consumer choice while streamlining regulation.
The FCA is also removing the requirement for a Consumer Duty Champion. While from a purely Payment Services perspective, given the findings of the multi-firm survey referenced, this might be seen as a surprising (or even, as Sir Humphrey Appleby might have put it, a “courageous”) decision, it is important to remember the FCA is looking across the broader range of financial services companies. Presumably the FCA now believes the role of Consumer Duty Champion has served its purposes. However, no one should labour under the misapprehension that the regulator remains anything but closely focused on firms’ compliance with the Duty.
John Burns, Senior Advisor, Payments Services, has broken down these proposals and their potential impact on the payments industry. His expert insights shed light on what they could mean for businesses navigating the evolving regulatory environment and for consumers seeking greater transparency in financial services. You can read it here.
Annual Payments Forum
On 29 January 2025, we welcomed members of the Payments industry to discuss the latest compliance trends and issues, sharing knowledge and ideas with an audience made up of payments compliance professionals.
Judging by the feedback I think it’s fair to say that the event was a great success. In a busy afternoon of panel sessions and presentations we covered the hot topics for the industry many of which I’ve outlined above.
In addition, we provided attendees with the opportunity to network with peers and industry experts throughout the afternoon and later over drinks and canapes following the event's conclusion.
If you weren’t able to make it, then please check out the video on our website. You’ll get all of the content but unfortunately not the drinks and canapes.
Risky Business
I’ve put out a couple of articles that may be of interest. One on Reputational Risk and another on the difference between ERM and ORM and how to manage the interplay between the two.
Additionally, as a sort of companion piece to the article on Whistleblowing published in September, and again driven by my conviction that robust policies and procedures underpin good business practice and are more generally a sign of good governance, I’ve written about gifts and hospitality and the importance of having a policy and procedure.
Upcoming Webinar - Ensuring fair treatment: Vulnerable Customers and the Vulnerability Registration Service
Join us for an insightful Vulnerable Customers Webinar on April 8th at 10.00am, featuring our Consumer Duty Lead, Jennifer Cahill, and Helen Lord, CEO of the Vulnerability Registration Service. Don't miss this opportunity to gain expert insights on supporting vulnerable customers.
To register for this webinar, please click the link here.
Vixio Partnership Webinar
We recently participated in Vixio Regulatory Intelligence’s webinar, which was held on the 19th March. Our team members, Jaspreet Kaur and Abou Bangoura, joined experts from Feedzai and Vixio to discuss the rising threat of APP fraud. The discussion covered the latest APP fraud trends, how global regulations are shaping the response, and strategies for payments firms to mitigate risks and protect consumers. To watch the webinar, please click here.
PAY360 2025
We were thrilled to attend this year’s PAY360 event! It was great to connect with so many of you earlier this week to discuss payments, financial crime, and prudential compliance. If we didn’t get a chance to speak with you, please get in touch, we’d love to hear from you.
Final thoughts
I hope you enjoyed this brisk canter through the regulatory landscape. As ever, if you would like to discuss Payment Services, or any other aspect of your compliance, then please contact any member of the team. Additionally, if there is any topic you would like us to cover in future editions of the newsletter, then please let me or one of the team know.
Thanks for reading, stay safe and stay compliant!
Ed