Stricter scrutiny: Navigating the evolving landscape of FCA authorisation processes

by James Borley, managing director, Cosegic
Financial Conduct Authority

Share this post

What is this article about?

The Financial Conduct Authority’s (FCA) more rigorous authorisation processes, especially in the payments industry, and the resulting challenges and changes.

Why is this important?

It reflects a significant shift in regulatory approach, impacting the financial services industry, particularly new start-ups and the payments sector.

What’s next?

Cleared guidance from the FCA on successful applications, aiming to align its stringent processes with the industry’s needs and potentially increasing approval rates

In 2021, the Financial Conduct Authority (FCA) Business Plan made clear its intent to apply a more intensive assessment with greater scrutiny of financial information and business models. This is being particularly felt in the payments space. Having spent many years managing authorisation teams at the FCA, most notably the Payments Authorisation team, I have a particular insight into where the FCA came from and the possible impacts of where it now seems to have settled.

First, let’s look at the history to set some context. Since the introduction of financial services regulation in 1986, firms have been submitting applications to the appropriate regulator to perform certain financial services. In the early days of Self-Regulatory Organisations and, indeed, the successor Personal Investment Authority (where I entered the fray), the numbers applying for authorisation were manageable. Fast-forward to 2000 and the creation of the Financial Services Authority (FSA) as a single regulator – later to become the FCA – and the size of the task started to grow. Further responsibilities were ‘given’ to the FSA –I always say ‘given’ because, for the most part, the FSA (and subsequently the FCA) didn’t want them – such as for mortgage and insurance intermediaries, payments firms, consumer credit firms, claims management companies and so on.

So, over time, the regulator has seen an exponential rise in its regulated population, now cited at some 45,000 firms, all of whom would have passed through the authorisation ‘gateway’, necessitating a proportionate or risk-based approach, such that not every ‘I’ in an application needed to be dotted, not every ‘t’ crossed. Essentially, if the fundamentals of the relevant threshold conditions could be seen to be met, the FCA didn’t sweat the small stuff. This allowed it to determine thousands of applications each year based on the resource at its disposal: proportionality in action.

Historical context and rising challenges in FCA authorisations

Fast-forward again to 2021, and we see FCA Authorisations teams creaking under the volume of applications and against staff dissatisfaction. Between 2021 and 2023, submitted applications often sat on the (virtual) shelf, gathering dust for months before a case officer could start reviewing them, causing a build-up of applications with little capacity to do much about them. By the time a case officer was allocated, almost half the statutory timeframe had expired. Fortunately, this issue has been addressed, with payments applications (PIs and EMIs) now routinely being allocated within three weeks of receipt.

How did it unblock its pipeline? The obvious answer is usually to throw money at the problem; in this case, the FCA’s CEO Nikhil Rathi can point to an additional 100 colleagues hired in Authorisations. That’s fine, but these were (and continue to be) typically staff that don’t come directly from industry and would likely need training before being fully effective and able to make inroads into allocation and determination times. But it certainly worked in that respect.

The shift to intensive assessment and its industry impact

Previously though, applying a more relaxed approach at the gateway meant that more firms could get through, and relatively quickly. But those days seem to have gone. With the failures of several payment firms (Ipagoo, Supercapital, Premier FX, etc) and the criticisms coming from the Gloster Report, the FCA seems to have decided that it has been too lenient previously with applicant firms and that firms should be able to demonstrate better they are ‘ready, willing and organised’ at the point at which the application is submitted. That’s fine as a principle, but it doesn’t help new start-ups, unable to generate income until authorised, knowing that their application assessment might take up to 12 months.

So, the FCA seemed to be looking to flex its muscles more and, as importantly, to be seen to be doing so. It said, “Our standards will be higher [implicitly accepting that they have been lower] with more intensive assessment and greater scrutiny of firms’ financials and business models”. This has, inevitably, led to more applicants being advised that the FCA is ‘minded to refuse’ its application. The FCA itself said, “We will expect [refusal/withdrawal/rejection rates] to increase initially as we make the gateway more robust.” Of course, it is right that the FCA should refuse firms that fail to demonstrate that they meet, and will continue to meet, the relevant conditions of authorisation/registration. But surely, an approval rate of 8% would more than suggest that the pendulum has swung too far in the wrong direction.

Alongside the more robust gateway, the FCA also overhauled its decision-making process regarding new applications for authorisation. Previously, the independence of the Regulatory Decisions Committee (RDC) as the final arbiter of refusal decisions (although a firm does have the further right to appeal such a refusal to the Upper Tribunal) provided a clear separation from the FCA being judge, jury and executioner. However, such refusal decisions are now taken internally by an ‘Executive Decision Maker’, primarily because such decisions can now be made more quickly ‘in-house’. The need for such rapid decision-making is understandable where consumer harm is identified through an existing firm, but applicant firms are unlikely to create the same urgency.

The road ahead: balancing rigour with industry needs

Whilst a Committee of the FCA Board, the RDC was chaired by and composed of industry practitioners, providing objectivity that an internal FCA committee simply cannot. Indeed, a cynical view might be that because the RDC did not always agree with the FCA’s recommendation, the FCA was keen to de-risk such outcomes.

On the receiving end of the more robust gateway and an assertion that the FCA is minded to refuse the application, it is understandable that some firms have chosen discretion as the better part of valour and taken up the FCA’s ‘invitation’ to withdraw the application. Better to live to fight another day than risk the issue of a Warming Notice.

So, certainly, it’s been a tough time for payments firms seeking authorisation over the past couple of years, but we do get the sense now that things have settled down somewhat. Whilst the approval rates still aren’t great – hovering around 20%, according to the latest intelligence – the FCA is, at least, conscious that it cannot simply apply raised expectations in a vacuum. Thus, we have seen a genuine attempt to provide more detailed guidance to firms when approaching the application process, recognising that its Application Packs are so out of date that they don’t request the information that the FCA says it needs to see to be satisfied that the firm meets the relevant conditions of authorisation!

All that being said, the continued low approval rates seem to point to a disconnect between the messaging from the UK government regarding attracting investment and fintech to these shores and the response applied by the FCA when they get here. Consequently, we have seen tangible examples of firms ‘giving up’ on the UK and restructuring their businesses to be domiciled and regulated in other jurisdictions. Whilst the FCA might technically ‘report’ to HM Treasury, it has traditionally sought to protect its independence from HMT influence. So, I don’t see the situation changing much over the short term. What I hope might shift the dial is better, clearer guidance from the FCA on what a ‘good’ application looks like, such that there can be greater certainty and transparency, leading to a greater proportion of approvals.

More To Explore

Membership

Merchant Community Membership

Are you a member of The Payments Association?

Member benefits include free tickets, discounts to more tickets, elevated brand visibility and more. Sign in to book tickets and find out more.

Welcome

Log in to access complimentary passes or discounts and access exclusive content as part of your membership. An auto-login link will be sent directly to your email.

Continue reading

This content is only available to members - please see instructions below!

Become a member to continue reading

Member of The Payments Association? Log in to continue reading

Having trouble signing?

We use an auto-login link to ensure optimum security for your members hub. Simply enter your professional work e-mail address into the input area and you’ll receive a link to directly access your account.

First things first

Have you set up your Member account yet? If not, click here to do so.

Still not receiving your auto-login link?

Instead of using passwords, we e-mail you a link to log in to the site. This allows us to automatically verify you and apply member benefits based on your e-mail domain name.

Please click the button below which relates to the issue you’re having.

I didn't receive an e-mail

Tip: Check your spam

Sometimes our e-mails end up in spam. Make sure to check your spam folder for e-mails from The Payments Association

Tip: Check “other” tabs

Most modern e-mail clients now separate e-mails into different tabs. For example, Outlook has an “Other” tab, and Gmail has tabs for different types of e-mails, such as promotional.

Tip: Click the link within 60 minutes

For security reasons the link will expire after 60 minutes. Try submitting the login form again and wait a few seconds for the e-mail to arrive.

Tip: Only click once

The link will only work one time – once it’s been clicked, the link won’t log you in again. Instead, you’ll need to go back to the login screen and generate a new link.

Tip: Delete old login e-mails

Make sure you’re clicking the link on the most recent e-mail that’s been sent to you. We recommend deleting the e-mail once you’ve clicked the link.

Tip: Check your security policies

Some security systems will automatically click on links in e-mails to check for phishing, malware, viruses and other malicious threats. If these have been clicked, it won’t work when you try to click on the link.

Need to change your e-mail address?

For security reasons, e-mail address changes can only be complete by your Member Engagement Manager. Please contact the team directly for further help.

Still got a question?