FCA puts payments firms on notice to improve risk frameworks and wind-down plans
09 July 2025
As the UK payments sector innovates and evolves, the Financial Conduct Authority (FCA) has sharpened its focus on the robustness of firms' risk management frameworks and the adequacy of wind-down plans. In its recent multi-firm review, the FCA identified significant shortcomings in how firms assess, document, and implement these critical processes. The review underscores the regulator’s expectation that payments firms not only comply with existing requirements but also proactively address emerging risks to maintain sustainable growth. The FCA is effectively putting payments firms on notice that they need to up their game or face supervisory action.
This update explores the FCA’s key findings and the practical steps payments firms should prioritise to strengthen their risk management and wind-down planning in light of heightened regulatory scrutiny.
Enterprise-wide risk management frameworks
The framework should support sustainable growth whilst managing current risks
Enterprise-wide risk management frameworks must be fit for purpose to manage risks arising from a firm's current business activities, whist remaining sufficiently flexible and robust to support sustainable growth. Risk management and control frameworks should evolve as the business grows or expands into new activities or customer cohorts. However, firms should not lose sight of their actual size and nature throughout the process of change so that all materials risks are identified, quantified and actively managed at any given time. Payments firms are expected to set risk appetites that consciously align with their strategy and commercial objectives. Disciplined identification of material risks and their drivers is essential to ensure risks are fully understood and appropriately managed. With this clarity, senior management can apply a range of forward-looking tools to control the firm's risk exposure.
Senior management needs to be able to see the big picture
When risk is viewed in isolation, critical interdependencies and emerging risks can be overlooked, weakening the risk management framework. A siloed approach restricts senior management's ability to identify and address risks which span multiple business areas. The FCA found that firms often fail to understand or assess risks associated with new products, services, or business activities adequately. Without comprehensive, up-to-date risk assessments, management cannot accurately evaluate risks, allocate resources, or implement timely controls. Senior management should gather tailored management information tracking risk indicators, maintain robust communication channels, and provide effective challenge to ensure a full understanding of risks. Supported by robust bottom-up risk management, this enables responsive, forward-looking risk management and enhances accountability.
Judgement is not enough – stress testing is a must
The FCA found that several firms relied solely on judgment to determine financial resources, rather than quantitative methods such as stress testing. Whilst judgement and experience offer valuable insight, they should be paired with quantitative methods to verify the suitability of resource levels. Firms should use stress testing to identify unforeseen business vulnerabilities and assess the impacts of a range of relevant scenarios, as well as to calculate and adjust the corresponding risk appetite, risk tolerances, wind-down triggers and financial resources. Firms can use historical data, forecast models, and reasonable assumptions to model scenarios and identify when internal risk thresholds may be breached. For smaller firms, the key is not complexity but consistency; simple but regular stress testing linked to actionable triggers can significantly enhance resilience and support regulatory expectations.
Liquidity Risk Management
Pinpoint and prioritise liquidity risks for resilience
Firms must take a proactive approach to identifying and articulating liquidity risks specific to their business models and operations. The FCA found that firms overlook the unique liquidity challenges posed by their customer bases, transaction flows, and safeguarding arrangements, leading to a superficial understanding of their risk exposure. Firms should map all inflows and outflows across different time horizons, stress test for key disruptions, and model required liquidity buffers to meet regulatory obligations under stress. A well-calibrated liquidity risk management framework should support active monitoring, real-time decision-making, and credible escalation and mitigation, ensuring the firm can meet obligations without disruption, even during periods of operational or market stress.
Stay ahead of the financial curve
Effective liquidity risk management requires more than simply relying on cash reserves or overdraft facilities. A credible liquidity buffer requires not just sufficient quantity, but certainty of access when needed. Firms must maintain realistic, readily accessible risk mitigants that reflect the nature and timing of their exposures. Regular monitoring and control mechanisms are essential to track liquidity positions, considering the potential unavailability of funding sources during stress events, operational constraints, and reliance on third parties. Stress testing should use all available information, including the size of credit facilities extended to customers, to avoid underestimating liquidity needs. By integrating these practices, firms can maintain operational continuity and safeguard both their own stability and that of their customers, even in the face of unexpected market disruptions.
Group Risk Management
Group risk management must be supplemented with entity-specific tools
It is important for groups to have robust group-level risk management frameworks to capture and manage risks which arise across the group collectively. However, simply adopting these group-wide tools without evaluation can leave FCA-regulated subsidiaries exposed to risks that are unique to their business model, customer base, or regulatory environment. It is essential for each FCA-regulated legal entity to rigorously assess whether group risk parameters, modelling techniques and stress scenarios are suitable and sufficiently granular for the entity's business activities, making adjustments where necessary to ensure all material risks are identified, measured, and managed effectively. Ultimately, the regulated entity’s governance committees are accountable for the effectiveness and suitability of the risk management framework, regardless of whether it originates from the broader corporate group or is developed specifically for the entity.
Quick action is key to crisis management
In times of crisis, firms can find themselves hampered by complex group governance structures and ambiguous lines of delegated authority. The FCA found that many firms had multiple layers of group governance and unclear delegation of decision-making responsibilities, impeding the ability to respond swiftly and decisively when crises arise. Firms should proactively develop crisis management processes, clearly delineate who holds decision-making power at each level, and rehearse these arrangements to ensure that, when the pressure is on, the right people can act without delay or confusion.
Financial and operational resilience remain areas of regulatory focus
Many payments firms rely on group entities for critical operational functions, technology platforms, or financial support. While these intra-group arrangements can offer efficiencies and cost savings, they also introduce risks to financial and operational resilience if not properly assessed. Payments firms are subject to the FCA’s operational resilience requirements, including assessing dependencies on group functions and implementing mitigants for identified vulnerabilities. Similar scrutiny is required for financial risks through robust stress testing. Often, the stresses may be correlated across the firm and its group, potentially rendering group-level mitigants ineffective. Firms must ensure that both operational and financial risk assessments reflect their specific risk profile, and that reliance on group support is critically evaluated and supported by credible, standalone contingency measures.
Wind-Down Plans
Triggers need to reflect real-world scenarios
Triggers for initiating a wind-down should be directly aligned with the risks identified in a firm's risk management framework. As a starting point, all material risks should be assessed for their potential to lead to, or accelerate, a wind-down scenario. A firm’s risk appetite and wind-down triggers should be clearly and consistently aligned. The FCA found that several wind-down plans had arbitrary or generic triggers which did not reflect the firms' actual risk appetites or the specific vulnerabilities of their business model. This misalignment can lead to premature or delayed wind-down actions, both of which can result in significant harm to the firm and its customers. Firms should rigorously quantify their triggers, ensuring they are measurable, relevant, and tailored to the unique risk profile of the organisation.
Safeguarding shortfalls require attention
A key oversight identified by the FCA in many wind-down plans is the failure to consider triggers related to safeguarding asset shortages or the lapsing of safeguarding insurance. Safeguarding arrangements should be a key consideration when developing and performing stress testing, from a liquidity and operational perspective. Liquidity risk exposures arising from the timing mismatch between inflows and outflows of safeguarded funds should be carefully modelled during stress testing. As the FCA has identified, firms should explicitly address these risks, as they can result in significant harm to customers. By embedding clear, actionable triggers for safeguarding issues, firms can better protect customer interests and ensure that wind-down plans remain robust and compliant, even in the face of unexpected safeguarding failures.
Wind-down plans need to work in practice
Wind-down plans must be more than theoretical documents; they need to be practical, detailed, and thoroughly stress-tested. The FCA expects plans to function as operational manuals which can be implemented in real time during periods of severe stress. Insufficient detail can render a plan inoperable when it is most needed. Wind-down plans should map the process from initial trigger activation through to orderly closure of the firm, supported by reasonable cost assumptions and realistic timeframes. Firms should model the financial implications of wind-down, including changes to revenue, costs, and liquidity, and test the plan against a range of scenarios including where key risks crystallise after wind-down has commenced. Additionally, firms should avoid undue reliance on group-level plans as they may not address entity-specific challenges which could arise when winding down.
Problem or opportunity?
At the start of this update, we noted that the FCA is putting payments firms on notice that they need to improve their risk management frameworks and wind-down plans, or face supervisory action. This is both a challenge and an opportunity.
The FCA’s review serves as a timely reminder that robust risk management frameworks and credible wind-down plans are not just regulatory requirements, but have the potential to be valuable tools for sustainable growth and resilience across the payments sector. The FCA’s findings highlight the need for firms to move beyond generic, box-ticking approaches and instead embed tailored, forward-looking risk management and wind-down strategies into their operations. By embracing these expectations, payments firms can not only withstand regulatory scrutiny but also build the agility and confidence needed to navigate an increasingly complex landscape, demonstrating that true resilience is achieved through both preparation and proactive adaptation. The firms that succeed in this will likely emerge with a distinct competitive advantage over those that don't.
Other key contact: Stephanie Georgiou, Executive.
