Payment Firms Under Scrutiny
Practical Steps To Address the Regulator’s Priorities
January 19, 2024
The payment services landscape has evolved significantly over the past few years, with consumers and businesses increasingly using payment firms (“PFs”) and electronic money firms to engage in activities traditionally undertaken by banks. There is now even more focus on PIs and e-money firms to mitigate harm to customers and financial system integrity.
On March 16, the Financial Conduct Authority (“FCA”) issued a “Dear CEO” letter to payment firms (“PFs”). In the letter, the regulator outlines its concern that PFs “do not have sufficiently robust controls” and are therefore presenting “an unacceptable risk of harm to their customers and to financial system integrity.”¹ This risk is only exacerbated by tightening economic conditions and the cost-of-living crisis.
What's the Issue?
Despite welcoming the increased competition and innovation in the payments sector, the FCA is still concerned that many payment and e-money firms do not have sufficiently robust controls, putting their customers and the integrity of the financial system at risk of harm.
Governance: The FCA describes inadequate governance and oversight as a “root cause” of many of the regulatory issues in the payments portfolio, allowing control issues and consumer harm to perpetuate.
Safeguarding: The FCA has pinpointed numerous deficiencies in the safeguarding arrangements of firms. These include insufficient due diligence of credit institutions providing safeguarding accounts as well as inconsistent adherence to the guidelines for annual safeguarding audits.
Wind-down planning: The FCA’s supervisory work has identified a prevalent issue of firms lacking practical and detailed wind-down plans, increasing the risk of disorderly collapses.
Financial crime: The FCA observes that payment and e-money firms are increasingly becoming targets for illicit activities due to their bank-like features, openness to high-risk clients and vulnerabilities in their internal systems and controls. There is a notable increase in fraud within some of these firms and, with the rising cost of living, a fear that financial crime systems will be exploited on an escalated scale, akin to what was witnessed during the COVID-19 pandemic. Common shortcomings in financial crime systems include poor companywide anti-money laundering assessments, ineffective client risk evaluations, insufficient due diligence for high-risk customers and inadequate oversight of agents.
Customer outcomes: Despite some PFs innovating positively, like in the case of open banking, there remain instances where products and services fail to consistently benefit customers or align with their best interests.
What Is the FCA’s Approach to These Issues?
In light of the cost-of-living crisis and the objective to protect consumers, the FCA identified three outcomes that payments firms should deliver:
- Ensure that customers’ money is safe.
- Ensure that firms do not compromise financial system integrity.
- Meet the needs of customers through high-quality products, innovation and implementation of the Consumer Duty.
Outcome one is centred on reducing the impacts of a firm’s collapse, a concern amplified by the recent instability in the banking sector. The regulator emphasises the need to address weaknesses in governance, specifically in safeguarding, managing prudential risks and planning for orderly wind downs.
Outcome two focuses on the vulnerabilities of PFs and electronic money institutions (“EMIs”) in combating financial crime. The FCA highlights the need for these entities to strengthen their defences against money laundering, sanctions violations and fraud, acknowledging that their current practices may be less robust compared to traditional banks.
Outcome three reaffirms the regulator’s dedication to supervising adherence to the Consumer Duty, ensuring that firms prioritise consumer interests and protection.
The FCA has clearly outlined the actions it expects firms to undertake following its advisory letter, indicating a move towards more rigorous supervision. The FCA’s recent communications to PIs and EMIs signal a shift towards supervising and enforcing the obligations placed on PIs and EMIs. In this context, FTI Consulting has observed an increased use of Skilled Person Reviews, together with the FCA imposing restrictions on business activities through Voluntary Requirement ("VREQ") agreements.
What Can PFs Do To Effectively Navigate the UK’s Regulatory Landscape?
With the payments and e-money industries firmly in the FCA’s crosshairs, firms should take steps to align their systems and controls with the expectations set out by the regulator in these latest letters and be prepared to explain those actions to the regulator. However, this needs to be done in a way that appropriately balances meeting regulatory obligations with cost, efficiency and resource requirements.
Applying Proportionate Financial Crime Controls To Address Increased Risk.
A firm must have anti-money laundering and sanctions controls in place that are effective and proportionate to the nature, type and scale of its business. A review of the Office of Financial Sanctions Implementation’s fines from 2021 and 2022² highlights that too often PFs rely on other regulated institutions’ sanctions and payment screening and do not independently screen inbound transactions. When establishing their sanctions controls, PFs must ensure that their systems and measures can effectively identify and manage the specific sanctions exposure and risks associated with their customers and business activities.
Equally, the FCA is concerned that the current cost-of-living crisis will lead to an increase in fraudulent activities, similar to those seen during the COVID-19 pandemic. As such, the regulator expects firms to reassess fraud risks and address these through adequate risk appetite statements, policies and procedures, and appropriate due diligence and monitoring measures that prevent fraudulent transactions.
For more information, see FTI Consulting’s recent article: “Payment Firms Under the Microscope — Do Your Financial Crime Controls Stand Up to Regulatory Scrutiny?”
How we can help: Our dedicated Financial Crime Compliance specialists support firms to enhance and uplift their anti-money laundering and fraud controls and processes.
Embedding New Control Frameworks Implemented in Response to the Consumer Duty.
The narrow implementation window for the Consumer Duty, combined with the scale and volume of policy requirements, has left many firms facing tough prioritisation decisions. Few large organisations can claim total compliance, and it is universally recognised that there is more to do.
Many firms have rightly focused resources on products and processes where there is the greatest risk of customer harm as well as on enhancing relevant frameworks and policies. Where firms are fixing identified customer harms as part of “business as usual” activity, it is crucial that firms establish a robust tracking mechanism to ensure that solutions for each identified customer harm are effectively implemented, integrated and evidenced.
Additionally, the newly implemented control frameworks require additional time and practical application to be fully embedded. For instance, improved product review processes will need more effort to gather necessary data and management information for thorough assessments. It’s important to use customer outcomes testing and monitoring to verify the effectiveness of new systems and controls and to assess any improvements in the quality of customer outcomes.
How we can help: Our dedicated Financial Services team supports firms to enhance their customer outcomes testing and monitoring and to review their off-sale products ahead of the 2024 compliance deadline.
Demonstrating Compliance With the Safeguarding Requirements.
“Relevant funds” are subject to safeguarding requirements under the E-Money Regulations and the Payment Services Regulations. Understanding what constitutes a relevant fund and identifying how it will arise, as well as mapping the fund’s flows, is essential to clarifying where the firm’s safeguarding obligations begin and end, including where the firm forms part of a chain of PFs.
Compared to the FCA’s more mature Client Assets Sourcebook for investment firms, the safeguarding requirements are less detailed and may be prone to interpretation in certain areas. Having a reasonable set of approved policy and procedural documentation can be invaluable in providing a clear description of relevant systems and controls in order to mitigate risk and help firms demonstrate how safeguarding requirements are met.
Firms can either segregate relevant funds with an authorised credit institution or invest them in liquid assets through an authorised custodian. This necessitates thorough due diligence before and periodically after appointing a third party, assessing potential risks to the safeguarded funds, and ensuring the third party’s financial stability, expertise and reputation.
The effective operation of front-line payment processes and reconciliations is critical. Reconciliations need to be proportionate to the complexity of the business and the volume and value of transactions undertaken, bearing in mind the overall risk a firm is exposed to. Firms should determine the frequency of these reconciliations, performing them on a daily or even intra-day basis if the potential for discrepancies exists.
To bolster risk management frameworks and identify additional areas of concern, firms may find it beneficial to conduct independent monitoring reviews or internal audits prior to the external safeguarding audit. However, it’s preferable to perform effective root cause analysis and proactively remediate known weaknesses, rather than wait for an auditor to identify missed issues.
Taking a Forward-Looking Approach to Prudential Risk Management.
A firm should regularly review its prudential risk management arrangements and ensure its regulatory capital requirement is met at all times; consider the particular financial risks it faces, based on the business model it operates; consider how those risks may be heightened by macroeconomic conditions; and plan well ahead to ensure it has adequate financial resources on an ongoing basis. Relevant executive and board committees should frequently monitor the capital and liquidity positions to maintain a forward-looking financial plan that aligns with business growth.
Additionally, the FCA requires firms to carry out both capital and liquidity stress testing to analyse exposures to business disruptions and their impacts. The development of stress scenario assumptions should involve all relevant first-line business areas and be driven by the risk function, enabling firms to consider relevant macroeconomic variables and firm-specific factors as stress test inputs aligned to key risks. An assessment of how scenarios materialise should be documented with references to variables associated with the key risk drivers, together with justification based on historical data or expert judgement.
A firm should ensure it has an appropriate wind-down plan in place that is reviewed regularly and kept up to date to meet the FCA’s expectations. This should include clear triggers to commence an orderly solvent wind down, detailed steps for winding down and an analysis of the costs and cash requirements. A wind-down plan should be actively useful in a situation when a trigger is met and a wind down — either solvent or insolvent — is required. Although they do not specifically apply to PIs or EMIs, firms should refer to the FCA’s Wind-down Planning Guide³ and the findings of its April 2022 thematic review of wind-down plans, TR22/1⁴, as good practice and for information about what to consider when preparing wind-down plans.
How we can help: Our dedicated Regulatory Risk Management team supports firms to conduct independent safeguarding reviews, enhance and develop prudential risk frameworks (including scenario analysis and stress testing), and review and enhance wind-down plans.
Firms should work through the FCA’s expectations and confirm which of the areas covered by the “Dear CEO” letter apply. Documenting the subsequent work undertaken and decisions to make or not make any operational changes will be key in demonstrating adherence to regulation.
This letter is thorough and covers many regulatory topics, presenting a clear warning to firms. Should an issue arise in the future, a failure to have acted on the contents of this letter could be seen as an aggravating factor by the FCA. The regulator says it will take “swift and assertive” action and is also intending to “act earlier and more assertively” when problems arise.⁵
Looking ahead, the FCA is planning to consult on strengthening the requirements for safeguarding funds, using enhanced rule-making powers to be conferred on it as part of the Future Regulatory Framework Review. The FCA aims to publish final rules around the end of this year or in early 2024.
To find out more about our governance, risk and compliance capabilities and how we may assist your firm in enhancing controls and processes to meet the regulator’s priorities, please get in touch.