That’s a good question. This impacts all firms authorised or registered under the Payment Services Regulations 2017 (“PSRs”) and the Electronic Money Regulations 2011 (“EMRs”) such as Payment Institutions (“PIs”), Electronic Money Institutions (“EMIs”) and Registered Account Information Service Providers (“RAISPs)”.
First and foremost, concerns have been raised with the lack of robust control environments which are critical to manage risks and protect consumers. If firms lack effective and established controls, the FCA will rightly be concerned for the risk this poses to keeping consumer money safe, and the integrity of the wider financial system.
The FCA has taken the opportunity to remind firms of the incoming Consumer Duty Principle and the need for firms to implement this well, ensuring firms recognise and fulfil their responsibilities as a business towards its customers.
Keeping customer money safe
The FCA continues to reinforce this message, reiterating the need for firms to perform safeguarding reconciliations ensuring the correct relevant sums are safeguarded accurately and on a timely basis, that appropriate procedures are in place, and ensuring due diligence is performed upon credit institutions that provide safeguarding accounts.
It was also identified some firms have not yet appointed auditors to undertake safeguarding engagements, with adverse findings arising from such audits not always communicated to the FCA.
Grath says:
The regulator expects firms to make prompt notifications of any material outage where they have not complied with, or are unable to comply with the safeguarding requirements. Firms must consider how they can capture, effectively treat and make notifications of material incidents when they occur. For firms with high exception and error rates, total capture is key with the ability to track back to underlying cause in order to perform root-cause analysis.
The FCA highlighted the need for prudential risk management with inadequate liquidity management and unprofitable firms relying on external funding as persisting concerns. Firms must identify, manage and mitigate liquidity risks, maintaining capital adequacy with realistic scenario planning and stress testing.
Grath says:
Proactive risk management is crucial in the context of the markets in which firms operate, with consideration to external conditions and significant risk events necessary to ensure ongoing viability.
Continuing on from guidance issued during the pandemic, the FCA have reminded firms on the necessity to maintain accurate wind down plans that include adequate triggers and practical procedures to wind down business to an orderly exit.
Grath says:
Such triggers require active monitoring with prompt escalation to senior managers at the point of thresholds being approached and being exceeded to either support intervention or trigger wind down proceedings.
Maintain the integrity of the financial system
The FCA has seen rising evidence that shows PIs and EMIs remain attractive targets for criminals and a general rise in financial crime across the payments sector. To protect against financial crime, payment firms are expected to maintain robust compliance and risk management systems, including anti-money laundering (AML) and know-your-customer (KYC) procedures.
Grath says:
Firms are encouraged to perform business wide risk assessments, supported by systemic and defined methodology to regularly refresh risk and control frameworks in ever-changing environments.
As a consequence of the cost of living crisis, fraud rates are rising and are a risk which firms are expected to mitigate with continual revision and internal challenge of risk appetite statements, policies and procedures. A regular review of fraud prevention controls is crucial, to ensure that they remain effective and measurable.
Grath says:
A combination of technology, data analysis, and human expertise is required to review and assess fraud risk and protect customers from financial losses.
Consumer Duty
The FCA has maintained its momentum with the new principle, aimed at raising standards across consumer outcomes. Payment firms are typically at the forefront of product innovation, and have therefore been reminded about researching and developing products and services to deliver good customer outcomes.
Grath says:
Firms must ensure that their products comply with all relevant regulations and standards to ensure the appropriateness and effectiveness of the products.
Cross-cutting priorities
The FCA identified three priorities that support the outcomes above:
1. Inadequate governance and oversight has been identified as a root cause of issues faced by firms in the payment portfolio. Levels of staff competence and inexperience in positions across key areas such as compliance and the MLRO function continue to be a significant area of concern with a noted lack of appropriate board oversight.
Grath says:
Firms must perform initial and ongoing reviews of directors and significant individuals to ensure they are competent and that they pass fit and proper assessments. Training programmes must, where feasible, be role-based driven, ensuring the appropriate level of training and support is provided, relative to the level of regulatory risk within each role or function.
2. The UK financial sector must, as a priority, remain resilient with firms required to identify their important business services and set impact tolerances in order to better manage operational disruptions.
Grath says:
Firms are required to perform process mapping and control testing for all important business services so that they are able to remain within impact tolerances. Outsourced critical services must be monitored continuously with the flexibility to switch providers when required.
3. The FCA initiative to become more data-led through regulatory reporting continues to ramp, with non-compliance punishable with administration charges and where ongoing failure occurs, enforcement with a cancellation of permissions is possible.
Grath says:
Leveraging obligation and attestation software ensures reminders and prompts are scheduled so that submissions are not delayed or missed, mitigating possible regulator intervention.
Other things to consider
Applications for authorisation, registration and variation of permissions are receiving ever more scrutiny with firms expected to be ready and capable of operation at the point of application. Applications must be well documented, comprehensive and backed up by suitably experienced and knowledgeable individuals.
Grath says:
Firms should consider the level of detail and substance within submitted risk and control frameworks. Even at a pre-application stage firms need to consider how controls can be demonstrably evidenced, owned and monitored for effectiveness.
If you’d like further guidance on how Grath’s technology can help future-proof your regulatory compliance and risk management process, then we’d love to talk.
Get in touch with us at grath.com/contact