Payments Newsletter - June 2024

Payment Services Compliance Newsletter June 2024

Welcome to the latest edition of our compliance newsletter aimed at Payments firms, including EMIs, PIs, AISPs, PISPs and prospective applicant firms. This newsletter contains a round-up of regulatory articles that provide the latest insight into compliance issues and developments relevant to the payments industry over the past few months.

SIGN UP TO OUR PAYMENT SERVICES UPDATES

What’s the latest?

Surprising most of us, Rishi Sunak has called the general election for July, rather than October that many of us were  expecting. The subsequent dissolution of Parliament, has put paid to a number of legislative changes that will likely not see the light of day again (at least not in their original), such as the Data Protection and Digital Information Bill.

Still dominating conversation since our previous newsletter, is the Payment Systems Regulator’s (PSR) reimbursement model for Authorised Push Payment (APP) Fraud. As you will recall, from 7 October 2024, the PSR will require UK payment service providers (PSPs) to reimburse all in-scope customers who fall victim to APP fraud (with limited exceptions), However, that policy has, in recent weeks, come in for increasingly heavy criticism from politicians and trade bodies alike. Indeed, the Payments Association submitted a proposal that the reimbursement limit should be reduced to £30,000. The early election date may well have taken the impetus out of such efforts to ‘negotiate’ the limit down, but, as is so often the case, we will just have to wait and see.

For the second year, Cosegic was delighted to be an exhibitor at the Payments Association’s new, improved Pay360. Similarly, our stand was bigger and better than last year’s and saw a great many quality conversations. If you were there, but didn’t get to say hello or ask that one burning question, please feel free to do so now! We’ve already confirmed our attendance at next year’s event, so look forward to doing it all again next March at the ExCel.

We also sponsored the International Compliance Association Future of FinCrime & Compliance Summit. Corinna Venturi, Director of Financial Crime, shared insights on navigating the ever-evolving fraud landscape. Meanwhile, David Rodriguez, Associate Director of Payment Services, talked about the future of cryptocurrencies, along with an esteemed panel of experts in the field. I myself was left to mind our exhibitor stand in the meantime, with other colleagues! As you would expect, the stand was a hub of activity, where we had many insightful conversations with individuals throughout the day. A huge thank you to everyone who joined us.

In this issue, we reflect on a couple more events that Cosegic hosted/attended in addition to some of the regulatory developments that have caught our eye! As always, if you have any questions about the content, then please contact us here and we will be happy to help with your enquiry. 

Consumer Duty – the latest chapter

As the FCA has repeatedly said, Consumer Duty is not a ‘once and done’ exercise for firms. My colleague, Jennifer Cahill, recently hosted a webinar in April – joined by Tim Hogg, from Fairer Finance – where we explored the current Consumer Duty priorities and offered insights into achieving comprehensive customer understanding. The webinar held a particular focus on the board report, the FCA's review on vulnerable customers, and what firms need to do to ensure readiness.

As discussed during the webinar, Cosegic have produced a Consumer Duty board report template for firms to use as a guide when writing their own. When appropriately adapted, this template will help firms demonstrate and evidence compliance with Consumer Duty rules, setting out a framework to help you document the risks and issues identified in delivering good customer outcomes and the actions the firm has taken, or will take, to address them.

To download a copy or watch a recording of the webinar, please click here. Please note, the FCA expects that the production of this board report is not a simple attestation. It should be a comprehensive internal governance exercise where firms challenge themselves on whether they are delivering good customer outcomes for each of the three cross-cutting rules and the four Consumer Duty outcomes.

If you would like guidance or assistance in adopting, adapting and bespoking the template to suit your business, or support relative to the types of management information and data your firm can use to evidence delivery of good customer outcomes, please contact Jennifer Cahill our Consumer Duty Lead, or your usual Payments team contact, to learn more about our various different support offerings, including a more holistic review of your Consumer Duty arrangements through an external ‘Consumer Duty Audit’.

Payments Forum Part 2

The second part of our ‘Annual Payments Regulatory Forum’, focussing on financial crime, was held, at Sofitel, London, St James, on 7 March. We were delighted to be joined by Ben Woodside, Policy Manager at the PSR, who reiterated the need for the PSR to take action to tackle APP Fraud, and its subsequent expectations on Payments firms in respect of reimbursing clients that have suffered loss as a result. This was followed by a lively panel session discussion.

We were also joined by De Quincey Bailey, HMRC’s Money Service Business (MSB) expert, with expertise in ‘underground banking’ and the criminal exploitation of alternative payment systems, whose presentation on Alternative Banking Platforms Money Laundering, and Tax Fraud Typologies was incredibly illuminating (and frightening!) and ensured there was a queue to speak with him over drinks.

We also had a panel session with representatives from Barclays, Clear Bank and iFast Global, clarifying the pitfalls to avoid when submitting an application for banking services (typically, a safeguarding account) and how to try to avoid any de-risking conversations.

Finally, in celebration of International Women’s Day, there was an insightful Panel session, led by Corinna Venturi, our Financial Crime Director, exploring and debating the challenges inherent in being the ‘Female MLRO’. We were extremely grateful to our panellists for their openness and insights in sharing their personal experiences.

If you missed the event, or wish to catch up on the content, please click here.

FCA proposes updates to the Financial Crime Guide

In April, the FCA issued a consultation paper, CP24-9 (‘the Consultation’), proposing updates to its Financial Crime Guide (FCG). The proposed updates are aimed at enhancing firms’ understanding of the FCA’s expectations regarding financial crime controls, as well as reflecting the FCA’s most relevant and recent findings. The FCA's objective is also to assist firms in evaluating the sufficiency of their financial crime systems and controls and resolving any shortcomings.

Key areas include:

1. Sanctions
2. Proliferation financing
3. Transaction Monitoring
4. Cryptoassets
5. Consumer Duty

The FCA is seeking feedback from industry professionals to the proposed updates to the FCG, which are designed to make the UK's financial services sector more resilient against crimes that threaten its integrity and stability. For firms, staying ahead of these changes and preparing for their implications will be crucial in maintaining compliance and safeguarding their operations against potential financial crime risks.

See Corinna Venturi’s more detailed analysis here..

HFM Award

Cosegic was delighted to again be a winner at the With Intelligence, HFM European Services Awards in April, and honoured to win the coveted ‘Best advisory firm - regulation and compliance’ award.

We are extremely proud of this achievement which is a testament to the expertise, dedication, and hard work of our amazing team to whom we extend our gratitude. Congratulations to all of the other winners and nominees and thank you to With Intelligence for hosting such a wonderful evening.

In the words of our CEO, Philip Naughton, "Today I’m a very proud CEO with Cosegic last night having won the best advisory firm - regulation and compliance award. This award recognises our relentless focus on client service, technical excellence and being market leading in the hedge fund space."

Although primarily associated with the Hedge Fund sector, this award is testament to the depth of knowledge and experience across the entirety of Cosegic’s business. Closer to home, Cosegic has also been shortlisted for the prestigious ICA Compliance Awards 2024, in the category ‘Compliance Consultancy Firm of the Year’. Our case study involved assisting a client challenge the FCA’s threat of regulatory action through our in-depth knowledge of the rules and regulations relating to payments and AML.

All change at the Payment Systems Regulator

Rumours were abound at the end of May that Chris Hemsley, the Managing Director of the PSR would be stepping down from his role. These rumours were confirmed on 3 June, with an official statement from the PSR saying Hemsley would indeed be stepping down from 7 June, to take up a role at the regulatory consultancy Fingleton.

To say this has come as a shock, would be an understatement. As we have commented ourselves on many occasions, 2024 is the year of the PSR’s controversial reimbursement policy, due to take effect on October, which would see PSPs required to share refunds of up to £415,000 to customers who have been victims of APP Fraud. This was never a popular policy with PSPs, with many critics across the industry and, more recently, the government itself. That the Prime Minister had called an early general election, it was suspected that this debate would be picked up again post-July, likely with a completely new government.

Rather than wait, it seems that Hemsley has chosen instead to seek an early exit from these ‘discussions’. The lack of any meaningful notice period is also interesting, with the assumed three-month period being waived. I suspect, having served notice, the PSR would rather focus on getting in a replacement as soon as possible to steady the ship. And ‘Hey Presto’ the PSR has moved swiftly to appoint the FCA’s David Geale as interim Managing Director. He has good firm-based knowledge and understanding of payments and, to me, seems a great choice. I look forward to seeing quite what his first statements will be regarding the future of the reimbursement policy.

Multi-factor authentication for FCA systems

You may have seen a message on the FCA’s website at the end of May, informing firms of its intention to introduce multi-factor authentication (MFA) to its core systems.

This needs little additional commentary from me, other than to highlight the key systems affected:

• Connect
• Reg Data
• Online Invoicing (Fees Portal)

From mid-June, if you need to contact the FCA’s Supervision Hub (Firm Contact Centre) you will also be subject to MFA, with a one-time passcode being sent by SMS text message. Helpfully, there are a number of guidance tabs on the FCA’s page, which should anticipate most questions, including how to add your consultant as an authorised user for your firm. What could possibly go wrong?!

OFSI issues general licence for “Personal Remittances”

On 28 May 2024, the Office for Financial Sanctions Implementation (OFSI) issued General Licence INT/2024/4761108 (the General Licence), impacting what it calls “Personal Remittances”. The General Licence issues clear and specific conditions for payments made to, from, or via a credit or financial institution designated under the Russia (Sanctions) (EU Exit) Regulations 2019 (“the Russia Regulations”), providing a significant relief for firms dealing with the impact of UK-imposed sanctions on Russia.

Essentially, this allows relief for payments made or received intended for the personal use of individuals not otherwise subject to the Russia Sanctions, subject to certain conditions, as set out by my colleague Abou Bangoura, in his recent article here.

Safeguarding

Since my last newsletter, we continue to wait (im)patiently waiting for the much-vaunted FCA Consultation Paper (‘CP’) on Safeguarding, now quoted as ‘Summer’ 2024. As I said in my last newsletter, this is likely to be a standing item on subsequent newsletters, even after the CP is issued, and should remain on senior management/board meeting agendas.

There are, of course, rumours of what might be included in the CP, such as the establishment of a statutory trust, a CASS-style regime, and clarification of the scope for a safeguarding audit (recognising different firm sizes and business models). On the subject of safeguarding audits, I also expect the FCA to make these mandatory for APIs as well as EMIs (as is currently the case). If you’ve yet to perform a safeguarding audit yourself (whether obliged to do so or not), or are considering a fresh approach, please do get in touch with me to explain our process and methodology in more detail.

Change in Control

You may have seen my article in May, giving my thoughts on the approach to acquiring an already regulated firm as, potentially, a quicker and easier route to gaining a UK payments licence. As with most things though, the devil is most definitely in the details.

The first and, arguably, most important consideration is choosing the right firm to acquire. Whilst this may seem obvious, I am always surprised by enquirers expressing a desire to become a sophisticated payments provider, looking to acquire a firm with a limited permission profile.

Then, you need to do proper due diligence; not just financially, but also from a regulatory perspective; in addition to the permission profile, what is the firm’s regulatory history, and is it on the FCA’s ‘radar’. You don’t want to be sold a pup! To read more about what is at the core of a successful s178 notice, click here.

Artificial Intelligence

The FCA is currently taking a pragmatic approach to the regulation of artificial intelligence (AI) by applying and adapting existing rules and principles to manage AI-related risks. This strategy aims to ensure effective governance of AI technologies while fostering innovation in financial services, without the need to develop a separate regulatory framework exclusively for AI.

The FCA has interpreted the government's five pro-innovation principles for AI and issued a preliminary framework for firms to follow in its "Approach to AI" document. My colleague, Rabih Zeitouny, wrote a helpful article in May, summarising the FCA’s recommendations and considerations for integrating AI into existing regulations. This creates a provisional framework for firms, to ensure compliance and the adoption of best practice, which may yet evolve as AI technologies and their applications grow.

Operational Resilience

As we mentioned in our horizon-scanning webinar in January, Operational Resilience is one of the known key deliverables for payments firms in the next 12 months. Indeed, the FCA has this week issued a reminder to firms of what they need to do, and by when. In reality, firms should already have identified their important business services, together with evidence and rationale, and set impact tolerances for when intolerable consumer harm or risk to market integrity is reached.

Firms are also required to identify and document the people (including third parties), processes, technology, facilities, and information necessary to deliver each of their important business services.

Key to readiness and compliance, as is the case with so many aspects of regulation, is robust and regular testing, against a range of likely (and unlikely) scenarios that may give identify vulnerabilities and risks to your operational resilience and your ability to remain within your set impact tolerances.

Whilst 31 March 2025 is the end of the transition period, where firms are expected to be fully operationally resilient, firms are expected to embed this into their overall enterprise-wide risk frameworks today and for this to be under continual. We will be looking to hold a webinar on this topic shortly. In the meantime, John Burns has produced a helpful article on the topic.

Final thoughts

As ever, if you would like to discuss Payment services, or any other aspect of your compliance, then please contact any member of the team. Additionally, if there is any topic you would like us to cover in future editions of the newsletter, then please let me know.

Cosegically yours,
James