The FCA’s approach to payment and e-money institution authorisations: your key questions answered!


The impact of Brexit is a frequent – and often contested – topic of debate in virtually every industry. But the impact on payment and e-money firms based in the European Economic Area is clear: they can no longer establish a UK presence or carry out certain activities there without becoming authorised by the Financial Conduct Authority (FCA).

 

The FCA set up a temporary permissions regime to allow institutions to continue to operate in the UK for a certain period while they sought full authorisation. But with the time limit on this initiative running out, we recently held a webinar to guide firms through the authorisation process. Our specialists Alison Donnelly, Dipesh Patel and Dane Pedro tackled the most common questions that come up in their daily work with clients who are seeking authorisation.

 

  1. How long does the authorisation process take?
 

This is the question that crops up most often, and the answer is not straightforward. Recent delays mean that it can take up to nine months for a case worker even to be allocated to a firm’s application. This is because of the workload the FCA is dealing with – nearly 390 payments applications are open, and 15 more applications arrive each week. More generally, the FCA’s authorisations department is receiving more applications overall, driven by firms in the temporary permissions regime and by crypto-asset firms.

 

  2. Where do I start?
 

It would be a mistake for firms to see those long lead times and decide to file their application immediately and worry about the details later. The FCA expects firms to be ready, willing and able to run their business in compliance with the regulations from the moment they are authorised. This means that, before applying, firms must have in place:

 

  • A business plan which clearly articulates what you are trying to achieve, what services you are offering, who your target market is, what will make your services and products a success, and how you will measure that success.
  • An operational plan for how the business plan will work in practice and what permissions are needed to carry out these services. Firms should define, monitor, measure and mitigate their risks. You can’t eliminate all risks, but the FCA will want to see that you know where they are and who has responsibility for managing them.

  3. What staff do I need?
 

Cost-conscious applicants want to know how many staff they need, especially if they are able to keep many back-office functions in their parent company outside the UK. Firms should staff their UK entity accordingly but be prepared to demonstrate the following to the FCA:

  • Mind and management. Institutions must have a physical presence in the UK and generally be a UK-incorporated entity. Their directors, and central management and controls, should be situated in the UK.
  • “Three lines of defence” – while the FCA has not made this a focus of authorisation, it is a best practice approach which institutions should still adopt.
  • Fit and proper individuals with the relevant skills, knowledge, and experience, especially where a senior manager is performing dual functions like CEO and CFO.
  • Good corporate governance in place, especially around oversight and independent assurance.
  • A clear understanding of what functions are being outsourced. If, for example, IT is outsourced to the parent company, the UK entity should ensure the responsibility for the function remains squarely within the entity (you can outsource the function but not the responsibility).

  4. What are the conduct obligations?
 

Since August 2019, the regulator’s Principles for Businesses have applied to e-money and payment institutions, just as they do to banks and other regulated financial services firms. This means that payment and e-money institutions must undertake the following, among other things.

 

  • Treat customers fairly, whether a firm deals directly with customers or is a step removed.
  • Identify and support vulnerable customers. This has become a key focus of the FCA in recent years, with new guidance released in February 2021.
  • Communicate clearly to customers, particularly on how funds are protected. Be open and transparent with the regulator.

There are also specific obligations in the Payment Services Regulations 2017 and the Electronic Money Regulations 2011 that must be met, including rules on how to deal with unauthorised transactions, on the information that should be provided to customers, and on handling complaints in a timely manner.

 

  5. What are the prudential obligations?
 

In July 2020, the FCA finalised temporary guidance for payment and e-money institutions which focused on the following.

  • Meeting safeguarding requirements to protect customers’ funds.
  • Ensuring there are adequate capital resources in the business.
  • Ensuring sufficient cashflow and liquidity.
  • Having a wind-down plan in place so that the payment or e-money institution has identified the factors that will trigger a wind-down scenario and has planned how it will wind down with as little detriment to customers as possible.

  6. What are the AML obligations?
 

Along with capital and safeguarding, Anti-Money Laundering (AML) is a key pillar of the FCA’s expectations of firms seeking authorisation. Applicants must provide evidence of a firm-wide AML risk assessment, taking into account customers’ geographies and services. Based on this assessment, firms should understand what controls they need to mitigate money laundering and terrorist financing risks, including customer due diligence, enhanced due diligence, transaction screening and transaction monitoring.

 

Any other questions?

 

Answering these questions satisfactorily will give firms the best chance of a successful application for authorisation. But the FCA has even wider expectations. At the webinar, our experts tackled other questions around what IT systems and controls are required and how to demonstrate operational resilience, given that the regulator is giving firms a deadline of 31 March 2022 to clearly identify and document how they do this. This subject is explored further in our Operational Resilience webinar, which you can download here.

 

If you have questions about your firm’s readiness to apply and want fscom’s help in identifying gaps and how to fill them, get in touch today.

Article by fscom
