The Financial Conduct Authority has issued a dear CEO letter to payment firms

What you need to know

• The Financial Conduct Authority has issued a dear CEO letter to all payment firms, including all firms subject to the Payment Services Regulations 2017 and the Electronic Money Regulations 2011.
• The letter seeks to address the FCA's concerns that payments firms do not have sufficiently robust controls which may result in some firms presenting an unacceptable level of harm to customers and risk to the integrity of the wider financial system.
• It is the first step in prioritising a much-needed wake up call when it comes to operational resilience, financial resilience, and safeguarding of client funds for payments firms? We think so!

What you need to do

• Firms must address key priorities outlined by the FCA and focus on three outcomes which are vital while there are tightening economic conditions.
• The outcomes firms are required to focus on include ensuring customers' money is safe, not compromising financial system integrity and ensuring that customers' needs are met through high quality products and services (implementation of Consumer Duty).
• Firms will be expected to be able to respond to any requests from the FCA to illustrate how they are addressing the outcomes included in the letter.

On 16 March 2023 the Financial Conduct Authority published a Dear CEO letter to all Payment Firms, which includes all firms subject to the Payment Services Regulations 2017 (PSRs) and the Electronic Money Regulations 2011 (EMRs).

It is no surprise that the FCA issued a Dear CEO letter titled 'FCA Priorities for Payment Firms' following the near collapse of Silicon Valley Bank in the UK, who as we all know, is a banking provider to many technology firms including FCA regulated platforms, Electronic Money firms and Payment firms.

The letter sets out key priorities for payment firms and draws focus on three outcomes the FCA expects firms to address which are key whilst there are heightening concerns around the factors that led to the collapse of SVB and tightening economic conditions.

Interestingly the outcomes based letter, draws attention to the interconnectedness between operational resilience, financial resilience and operational risk. Drawing these themes together, the letter seeks to address the FCA's concerns that payments firms do not have sufficiently robust controls which may result in some firms presenting an unacceptable level of harm to customers and risk to the integrity of the wider financial system.

Outcome One: Ensure that customers' money is safe

Payments firms must ensure customers money is safe through three priorities: safeguarding, prudential risk management, and wind down planning.

A. Safeguarding: Firms should have processes and controls in place to ensure customer funds are safe, and the FCA Approach document outlines guidance for firms to ensure appropriate organisational arrangements are in place to do this.

These obligations apply when a firm is a going concern to minimise loss to clients, with firms expected to:

• have processes in place to identify which funds are relevant funds for the purposes of safeguarding;
• to have identified, assessed and mitigated the risks of their operating model on the segregation of safeguarded funds with an insolvency mindset, including settlement and other operational risks,;
• to undertake daily reconciliations as defined by the guidance, identifying and addressing any discrepancies accordingly
• to ensure that accounts in which relevant funds are held meet the FCA's requirements and, importantly are diversified; and
• to ensure appropriate records are maintained to ensure funds can be returned quickly and efficiently in the event of insolvency.

B. The FCA has encouraged regular reviews of prudential risk management arrangements and firms must meet their regulatory capital requirement at all times. This cannot just be a documentation exercise and firms must forecast their likely financial performance in a range of plausible scenarios, and consider holding additional capital where necessary. Financial resilience is in a new era whereby qualitative operational risk factors must be carefully considered with quantitative measures.

C. Wind down plans should be maintained and include clear triggers to indicate commencement of reactions in a stress situation including the orderly, solvent winding down of a business. The plan has been addressed by most firms as a desk top exercise however, the most important consideration is that these plans should be operable and cover a play book of both decision points and actions.

Outcome Two: Firms should not compromise financial system integrity

It is no surprise that criminals have sought out ways to expose the recent rise of payment firms which typically sit in the middle of a transaction. With increasing financial crime amongst payment firms, firms must consider (1) money laundering and sanctions obligations and (2) fraud prevention requirements.

Common failures identified by the FCA include:

• Failure to regularly review and refresh risk assessments and control frameworks in an evolving threat landscape and in line with business growth (including developing robust methodologies to do so, and reviewing risk appetite statements);
• Due diligence weaknesses including failure to carry out KYC, failure to carry out EDD using a risk based approach; and
• Failure to ensure screening solutions are fit for purpose for unique business needs.

A cost of living crisis facilitates the perfect storm for fraudulent activity. With that in mind, payments firms are directed to review their customer fraud education processes, enhance fraud prevention systems and controls, engage with industry bodies on information sharing, and remediate any consumer fraud reporting backlogs.

Outcome Three: Ensure that customers' needs are met through high quality products and services (implementation of Consumer Duty)

Customer needs must be met through implementation of the FCA's consumer duty. This messaging is no surprise but what it means to payment firms must be well understood. The FCA's expectations for implementing these expectations can be found here.

The FCA identified three cross cutting principles to underpin the outcomes already discussed. These principles are Governance and Leadership, Operational Resilience and Regulatory Reporting.

Firms must have appropriate governance arrangements, risk procedures and controls in place. They must ensure their agents and distributors are registered with the FCA and comply with regulations. Important business services should be identified, with impact tolerances set and plans in place to remain within these tolerances.

Firms must provide accurate information in a timely manner, failure to do so will result in an administrative charge or, in severe cases, enforcement.

It is believed that taking this multi-layered, outcomes based approach will drive positive change in the industry and facilitate the FCA's strategy towards minimising customer harm, minimising risk to the integrity of the wider financial system, and various ESG outcomes.

Authors: Nisha Sanghani, Partner, Regulatory, Governance, Operational Risk & Resilience and Change; Stuart Campbell, Executive , Regulatory, Governance, Operational Risk & Resilience and Change; Abigail Yardley, Executive Regulatory, Governance, Operational Risk & Resilience and Change; Meg Whelan, Specialist Regulatory, Governance, Operational Risk & Resilience and Change

This publication is from Ashurst Risk Advisory LLP which is a limited liability partnership registered in England and Wales under number OC442883. It provides services under the Ashurst Risk Advisory brand and is part of the Ashurst Group. Ashurst Risk Advisory services do not constitute legal services or legal advice, and are not provided by qualified legal practitioners acting in that capacity. Ashurst Risk Advisory is not regulated by the Solicitors Regulation Authority of England and Wales. The laws and regulations which govern the provision of legal services in other jurisdictions do not apply to the provision of risk advisory services. For more information about the Ashurst Group and the services offered, please visit www.ashurst.com. The term "partner" in relation to Ashurst Risk Advisory is used to refer to a member of Ashurst Risk Advisory or to an employee or consultant with equivalent standing and qualifications.