Those who joined our 'Payment Services: Building Operational Resilience' webinar on 29 April 2021 will have an understanding of the work that Payment and E-money Institutions will have to carry out to be ready for the new requirements on business resilience, which will come into effect on 31 March 2022. However, that is not the only new regulatory obligation with that deadline. With increasing Financial Conduct Authority (FCA) scrutiny on the Payment Services and E-Money sector, it is more important than ever that firms are aware of the regulator’s expectations and requirements and take appropriate action to be (and be seen to be) compliant.
The other 31 March 2022 deadline relates to outsourcing, which is of course a significant element in many firms’ business resilience calculations. The FCA updated their webpage on Outsourcing and Operational Resilience on 6 May and firms should make sure that they have read and understood these requirements and factored them into their preparations.
EBA Outsourcing Guidelines state:
“Institutions and payment institutions should complete the documentation of all existing outsourcing arrangements, other than for outsourcing arrangements to cloud service providers, in line with these guidelines following the first renewal date of each existing outsourcing arrangement, but by no later than 31 December 2021.”
While still expecting compliance with these guidelines, the FCA now say that they are not expecting firms to report their progress towards meeting the 31 December 2021 timeline, but that:
“Firms should aim to review any outstanding critical or important outsourcing arrangement at the first appropriate contract renewal following the first renewal date of each existing outsourcing arrangement or revision point. Where arrangements of critical or important outsourcing arrangements have not been finalised by 31 March 2022, firms should inform us.”
The increasing amount and complexity of regulatory expectations on Payment Services and E-money firms is not just a reflection of the FCA’s awareness of the importance of the sector. They are also concerned that their previous laissez-faire approach to the sector’s supervision has meant that the stability and control of many firms in the payments arena are not what they should be. This can be seen in the focus on liquidity, safeguarding and wind-down planning, and now on the operational resilience of the sector. As with all dealings with the regulator, it will not be enough to assert that you have these things under control; the FCA will require you to be able to provide evidence that this is the case, even in the smallest of firms. The end of March 2022 may seem a long way off, but firms should not underestimate the work involved and should be considering now how they will meet the deadline.
You may have noticed that last month the FCA announced that in the Autumn they will establish a ‘regulatory nursery’ to “keep us in close contact with firms immediately post-authorisation so we can provide support and, where we need to, intervene earlier to steer firms in the right direction.”
While this is not stated as being aimed at the Payment Services sector, it is worth noting that Maha El Dimachki, previously FCA Payments Supervision, Head of Department, is returning from secondment to Pay.UK to lead the setting up of the regulatory nursery. Given the huge number of payments firms currently struggling through the authorisation process, it seems clear that the FCA’s concern about payments firms understanding their regulatory obligations is at least partly driving this initiative.
For those already authorised and who will not benefit from the ‘nursery’ support, understanding what is required and showing that you are complying appropriately is vital.
The Cosegic PSD Audits are designed to provide the management of Payment Services and E-money firms with an independent, external assessment of their compliance with regulatory obligations (including around outsourcing), to enable senior management to show that they are actively seeking to meet those obligations, and taking action where required to address any shortcomings.
If you haven’t undertaken such an audit, how will you prove to the FCA that you are managing your compliance?