Enforcement risks for payment services firms raised by FCA's latest "Dear CEO" letter
On 9 July 2020, the FCA wrote to payment services firms highlighting the key areas of risk that firms must take steps to manage. Payment services is a key strategic priority for the FCA and these areas will likely form the basis of subsequent enforcement in the payment services sector.
The recent "Dear CEO" letter to payment services firms and e-money issuers sets out the actions the FCA expects firms to take to ensure compliance with regulatory obligations in six key areas: (i) safeguarding; (ii) prudential risk management; (iii) financial crime; (iv) financial promotions and consumer communications; (v) governance and oversight; and (vi) records management and reporting.
These areas naturally overlap, but below we set out the key issues firms should be alive to.
The FCA has clearly marked payment services as a priority area, including in its 2020/21 Business Plan and in the context of its December 2019 Call for Input on Open Finance. The FCA unsurprisingly focuses on the risks of consumer harm in the context of a rapidly developing sector which offers access to a plethora of new financial products and services.
The risks should be assessed against the backdrop of the current pandemic which reinforces the importance of firm stability and public confidence.
Key areas of enforcement risk
Safeguarding
Safeguarding customer funds is a key consumer protection measure under the Payment Services Regulations 2017 and the Electronic Money Regulations 2011. This is particularly important because authorised payment institutions (APIs) and e-money institutions (EMIs) are not covered by the Financial Services Compensation Scheme.
The Dear CEO letter emphasises that APIs and EMIs must have appropriate and well-managed safeguarding arrangements in place so that, if a firm becomes insolvent, customers' funds can be returned in a timely and orderly way.
The letter also states that the FCA will continue to proactively test firms' safeguarding arrangements and, where it finds inadequacies, will take action to prevent consumer harm.
Safeguarding has already been the subject of a Dear CEO letter, with the FCA writing to non-bank payment services providers in July 2019 to emphasise the need for APIs and EMIs to take adequate measures to safeguard customer funds.
At the same time as issuing its most recent Dear CEO letter, the FCA published a feedback statement and finalised guidance to provide further information for firms on how they can meet their safeguarding requirements – and little latitude will be given to firms that don’t take this guidance into account.
Prudential risk management
The letter states that during recent supervisory engagement with payment services firms, the FCA found several firms had not calculated their funds requirement correctly to ensure they had adequate financial resources and others had not demonstrated adequate governance and controls to appropriately manage prudential risk.
The FCA already has a track record of imposing penalties in respect of alleged prudential failures, as evidenced by the fine of £125m imposed on the Bank of New York Mellon for failing to comply with the Client Assets Sourcebook (CASS), which applies to safe custody assets and client money. Firms should also remain alive to the potential links between prudential and conduct risks. A conduct issue that requires, for example, the payment of redress could raise prudential concerns where that payment impacts a firm's ability to meet its funds requirement. As with the other areas highlighted, the letter states that the FCA will continue to test firms on prudential risk management and will take appropriate action where necessary.
Financial crime
The FCA stresses that the detection and prevention of financial crime is a key cross-sector priority. The letter emphasises the need for firms to assess their financial crime risks and ensure robust systems and controls are in place to mitigate any risks and ensure compliance with financial crime reporting obligations.
Financial crime has been a key area of focus for the FCA for some time and the subject of both s.166 FSMA skilled person reviews and enforcement actions.
There is much available guidance for firms on their obligations, including the Joint Money Laundering Steering Group (JMLSG) guidance, the FCA's Financial Crime Guide and various FCA thematic reviews, as well as the FCA's related enforcement actions.
The letter states that, as part of its proactive supervisory strategy, the FCA will continue to undertake targeted assessments of how payment services firms are performing in this area and will take action against firms that fall short of expectations.
The payments sector is vulnerable to financial crime which is increasingly being perpetrated by sophisticated and well-resourced third parties.
These risks are particularly acute for newer entrants who have successfully capitalised on the opportunities generated by PSD2 but may not have sufficiently robust systems to prevent and detect financial crime.
Governance and oversight
The Dear CEO letter states that, based on the FCA's observations, a root cause of many of the regulatory issues for APIs and EMIs is inadequate governance and oversight. The FCA notes in particular that many firms do not review their governance and oversight processes sufficiently frequently to ensure that they adapt as the business develops.
The FCA sets out its expectations in clear terms and stresses that senior management of payments firms should have the requisite knowledge and experience to provide the payment services in question (or, for EMIs, to issue e-money) and must ensure that the firm has robust governance arrangements (including for any business undertaken by its agents and distributors).
Sufficient senior management and Board oversight and accountability are already high up on the regulatory agenda. Recent enforcement actions have underscored the importance of an appropriate risk appetite and of accountability when things go wrong.
In particular, the letter raises the need for appropriate systems and controls to prevent and mitigate harm arising from IT resilience failures and cyber risk, which includes an understanding of the potential wider impact any disruption to business might have. The FCA's approach to Tesco Bank, following its experience of a cyber-attack in 2016, reveals the approach it will likely take to payments firms in respect of any perceived inadequacies in how Boards oversee risk and engage in the event that any risks crystallise.
More generally, the letter chimes with the FCA's broader focus on operational resilience – something which remains critical as firms navigate the ongoing pandemic. The letter states that firms should consider the risks arising from activities undertaken on behalf of firms by agents and distributors, as well as those arising from reliance on intra-group operations (there being a requirement that a UK-authorised payment institution or EMI be headquartered in the UK). Firms must have appropriate contingency plans in place to mitigate these risks. Payments firms should heed the risks that arise from operational resilience and outsourcing failures, which have resulted in fines against firms, including the recent FCA action against Raphaels Bank, which was fined £1.89m in 2019.
Managing enforcement risk
The letter makes it clear that, particularly in the current pandemic environment, addressing any weaknesses in these key areas should be a priority.
The FCA expects firms to consider and discuss the risk areas highlighted in the recent feedback statement and guidance, including at Board level, to establish what further action firms need to take to meet the FCA's expectations in a timely manner. Firms which have appointed agents should also ensure that those agents comply with the relevant parts of the letter and guidance, in view of the fact that the FCA's expectations bite against the principal firm.
A failure to respond adequately to a Dear CEO letter can amount to an aggravating factor in the assessment of any penalty imposed in subsequent enforcement action. Payment services firms should take swift and thorough steps to implement any required actions, engage with senior stakeholders and document steps taken in order to manage enforcement risk.