Prudential risk management – What’s next for payments firms?

Posted on: 10 July 2024

Written by: Stefan Babic

Earlier this year, we hosted a webinar to discuss the FCA’s prudential requirements focus areas for the payments sector. Attendees were asked whether, in response to the portfolio letter issued in Q1 of 2023, they had implemented their own firm-specific process for assessing additional financial resources requirements. The results showed that over 70% of firms in attendance either did not have a process in place or were unsure if one existed, indicating that there is work for the sector to do to ensure that processes for managing risk, capital and liquidity have been established and are embedded across their organisations.

Robust prudential risk management frameworks are vital for firms to ensure they have sufficient financial resources to remain viable, mitigate potential harms they might cause and, when all else fails, enable an orderly wind-down. This article therefore outlines the key steps payments firms can take to ensure they are meeting evolving FCA expectations in respect of prudential risk management and financial resilience.

The challenge

The FCA’s portfolio letter, FCA Priorities for Payments Firms, published in March 2023, set out two priorities related to financial resilience:

  1. to support the outcome of protecting customers; and,
  2. reducing harm.

As part of these priorities, the FCA noted that many firms in the sector remain unprofitable and reliant on external funding during their scaling-up phase. This increases the risk of firms falling into financial difficulty and highlights the need for robust prudential risk management processes.

However, many of these concepts are not fully articulated within the rules currently applicable to payments firms, with the FCA pointing to historic guidance related to assessing adequate financial resources. This has resulted in the sector facing challenges in implementing adequate processes to meet these evolving expectations.

The solution: a prudential risk management framework

Whilst there are no explicit rules for payments firms to refer to in developing their approaches to prudential risk management, the guidance historically provided by the FCA remains a useful starting point for firms. In particular, FG20/1 Assessing Adequate Financial Resources provides the framework which firms should use in developing their approach to prudential risk management. Further, the FCA’s priorities for payments firms can be seen as analogous to the prudential requirements for MIFID Investment firms – in particular the Internal Capital Adequacy and Risk Assessment Process (‘ICARA’).

Using the available guidance above and the actions the FCA expects firms to take (per the FCA’s portfolio letter), we’ve set out the key steps to developing a robust prudential risk management framework:

Understand your business model and the risks you run

When it comes to risk management, there is no one-size-fits-all output. Your approach to managing financial resources and ensuring your firm maintains sufficient capital and liquidity to mitigate harm will be dependent on the risk profile of your firm. As such, the starting point will always need to be an analysis of your business model, e.g. what services do you provide to clients and how do you provide them?

A great tool we’ve seen some firms employ is process mapping – particularly in respect of the customer journey. Charting a customer’s lifecycle (from marketing/promotion of services, onboarding, day-to-day service provision and finally offboarding) is a useful tool to understand the potential for ‘something’ to go wrong and, as such, the potential for your organisation to cause harm.

Assess and quantify your risks

Where your controls and other processes cannot completely mitigate a potential harm, you need to consider what level of financial resources might be needed to make a client ‘good’ and absorb any losses which might result from that harm occurring. Quantifying harms will help you understand whether you need to hold additional resources above your regulatory minimums.

More complex firms will tend towards using more complex methodologies, for example through the use of statistical analysis and operational risk models. However, this type of approach can become a ‘black box’ for smaller, less complex firms and may not always be appropriate.

Many firms have opted for more subjective methodologies, such as developing scenarios to assess the impact of a particular risk/harm occurring at a ‘once in a career’ level severity (which enable them to set clearly defined assumptions to support the quantification of potential harms). By developing specific scenarios for their key risks, firms are able to exercise greater review and governance around the assumptions that drive their requirements.

Treat liquidity and capital with equal importance

Currently, payments firms are only subject to formal capital requirements. However, the FCA is increasingly focussed on the liquidity adequacy of regulated businesses. When setting additional requirements, developing wind-down plans or stress testing, a capital and liquidity lens should be applied. The risks in respect of capital and liquidity may be different, and as such your requirements between the two are likely to diverge.

Prepare forecasts – and stress test!

It’s of vital importance that you understand not only your firm’s financial resource position today, but where you expect to be over the medium to long term. Typically, firms apply a forecasting horizon of between 3 and 5 years. Regularly re-cutting these forecasts to reflect your actuals and the changing outlook of your business will give you the forewarning you need to take recovery actions if your business is facing a downturn.

Overlaying stresses on these forecasts which reflect the idiosyncratic and macroeconomic risks to which your firm is exposed will also enable you to assess your firm’s resilience. Further, understanding the potential stresses which could impact your business will enable you to develop fit-for-purpose recovery plans, enabling your senior management to have clear sight of the ‘levers’ they could pull to maintain the viability of your business.

Develop credible wind-down plans

Where recovery actions cannot be implemented and a firm’s business model is fundamentally ‘broken,’ the only remaining option for firms is initiating their wind-down plan. The FCA has provided detailed guidance on wind-down planning for firms, both in the Wind Down Planning Guide and in TR22/1.

Wind-down planning is not only an assessment of the costs involved in winding down, but (as the name suggests) the operable plan which you will execute to ensure the orderly winding down of your business, the return of customer funds and the removal of your permissions. This should be granular enough that, once the decision to wind down is taken, you could begin executing your wind-down with little to no amendment/enhancement.

Set risk appetites and KRIs

Firms need to understand their own risk appetites. The FCA has made it clear to all firms that they need to set quantified/measurable risk appetites not only in respect of capital and liquidity, but for all of the risks they run. Aligning these with a suite of Key Risk Indicators (KRIs) enables firms to monitor their exposure on a continuous basis and understand whether they are trending outside their stated appetite.

Monitor/report in real time

Unless you’re monitoring KRIs or your capital and liquidity position versus your requirements, then all of the good work you’ve undertaken to establish these metrics is going to waste. Formalising monitoring and reporting of financial and risk management information (MI) is key, as is defining your escalation routes when these metrics indicate your business may be in trouble.


All parts of this process need to be mapped to individuals within your organisation, with a clear distinction between those operating your prudential risk management processes and those providing oversight.

Ultimate responsibility for providing oversight should sit with your board. As such, they need to be aware of their responsibilities and understand the end-to-end approach for managing risk, capital and liquidity to enable effective oversight. Consider incorporating this into their annual training plans.


The establishment of robust prudential risk management frameworks for payments firms will continue to be a focus area for the FCA, as financial resilience of firms is a key pillar of the regulator’s approach to reducing harm.

Over a year has passed since the FCA communicated its expectations to firms and it’s clear there is still work to be done by the sector, so our key piece of advice to firms is to get ahead of these expectations. Where firms have been asked to provide evidence of their approach to managing risk, capital and liquidity, the FCA has historically set timelines of one to two weeks. We highlight that the establishment, documentation and embedding of these processes in that timeline just isn’t possible. The grace period for firms to meet these expectations is over, so we urge firms to act now.

Stefan Babic

Stefan is an Associate Director within our Prudential Services team.
