Each year in April the Financial Conduct Authority (FCA) publishes its annual business plan and it usually garners much interest. This year it seems to have gone below the radar as firms deal with operational and other challenges posed by the COVID-19 crisis. But it's particularly important that regulated payment firms take notice of this plan.
The FCA’s annual business plan gives details of its key priorities and the planned specific activities for the next year. As it publishes this year’s plan, the FCA openly acknowledges the challenges that COVID-19 is causing. Whilst this crisis may delay some of its work, it will not deter the FCA from dealing with the five priorities set out for the next one to three years.
Number four on that list of five priorities is ‘Making payments safe and accessible’. This sends a clear message to regulated payment firms that the FCA Payment Supervision team’s recent high activity level is actually the ‘new normal’ and, if anything, could be set to increase further.
Operational and security risk assessment (REP-018 return)
A closer look at this priority shows that the FCA has identified three outcomes to achieve this. One of these is that ‘Consumers transact safely with payment firms’ and refers specifically to firms minimising the impact of fraud and operational outages.
The Operational and Security Risk Assessment carried out to complete the REP-018 return is important here. It shows that the payment firm has properly considered the risks and appropriate mitigations.
We have seen many examples of the FCA writing to firms who submitted a nil REP-018 return at the end of March. The FCA pointed out that the firms had submitted four consecutive nil returns and are, therefore, in breach of the requirement to do the assessment each calendar year. This might suggest that the firms do not have sufficient systems and controls, an area of specific concern for the regulator and one that firms should be looking at closely.
In our experience, many firms, especially smaller ones, have informal arrangements in place. While they are possibly considering the correct issues, and probably coming to the correct decision, there is no audit trail in place to prove that it happened. Should the FCA come asking, which they are ever more likely to do, in the absence of evidence they will assume that the checks didn’t happen – leaving the firm at the risk of regulatory action.
Meeting and monitoring prudential requirements
The second outcome to achieve the payment sector priority is that ‘Payment firms meet their regulatory responsibilities while competing on quality and value’. In its annual business plan the FCA is clearly concerned that the COVID-19 crisis will "impact payment firms’ financial strength and consumers’ ability to access cash and payment services.”
Safeguarding has been at the forefront of recent supervisory action and, if at all possible, it seems it will come into even sharper focus, where the FCA is concerned that firms may become insolvent. The potential for firms to misuse customer funds for working capital when liquidity is tight is a real concern, and the FCA says that it “will act swiftly where firms fail to meet safeguarding and other regulatory requirements” This indicates a willingness to move quickly to regulatory action if firms can’t show that they are safeguarding properly. Clear identification of 'relevant funds' and proper reconciliation are absolutely key.
This focus on financial strength means that the FCA is likely to be asking for details of how firms meet and monitor their ongoing prudential requirements. It is important to remember that the Principles for Businesses now apply to payment services firms. If a firm identifies that it is having difficulties in meeting its capital requirements it is important that it lets the FCA know. Failure to do so is likely to be seen as a breach of the Principle 11 transparency requirement, which could have negative consequences for both the firm and the PSD or EMD individuals.
Consumers and SMEs having access to a variety of payments services
The FCA says it is concerned that, as firms’ business models change, they may stop providing services to some groups. The coronavirus emergency, as well as the difficulty of obtaining banking for cash-based services, has meant that many firms have moved away from ‘bricks and mortar’ to online services. This may disadvantage those sectors of the population which use cash. It will be interesting to see how, and to what extent, the FCA uses its powers to address this.
Being a payment institution or e-money institution now brings with it a significant regulatory burden and oversight. The more reactive regulatory approach of the past has been replaced by a more proactive and aggressive one. Firms which don’t recognise this and prepare properly may find themselves in difficulty.
Related resourcesAll resources
Payment Services Regulatory Compliance Forum 2023
Are you carrying out your new Consumer Duty obligations correctly?
Payments Newsletter - November 2023
A guide to effective fraud management – for Payment and E-money Firms