The FCA’s approach to payment and e-money institution authorisations: your key questions answered!

The impact of Brexit is a frequent – and often contested – topic of debate in virtually every industry. But the impact on payment and e-money firms based in the European Economic Area is clear: they can no longer establish a UK presence or carry out certain activities there without becoming authorised by the Financial Conduct Authority (FCA).

The FCA set up a temporary permissions regime to allow institutions to continue to operate in the UK for a certain period while they sought full authorisation. But with the time limit on this initiative running out, we recently held a webinar to guide firms through the authorisation process. Our specialists Alison Donnelly, Dipesh Patel and Dane Pedro tackled the most common questions that come up in their daily work with clients who are seeking authorisation.


  1. How long does the authorisation process take?
 

This is the question that crops up most often, and the answer is not straightforward. Recent delays mean that it can take up to nine months for a case worker even to be allocated to a firm’s application. This is because of the workload the FCA is dealing with – nearly 390 payments applications are open, and 15 more applications arrive each week. More generally, the FCA’s authorisations department are receiving more applications because of the applications from firms in the temporary permissions regime and the crypto-asset firms.


  1. Where do I start?
 

It would be a mistake for firms to see those long lead times and decide to file their application immediately and worry about the details later. The FCA expects firms to be ready, willing and able to run their business in compliance with the regulations from the moment they are authorised. This means that, before applying, firms must have in place:

  • A business plan which clearly articulates what you are trying to achieve, what services you are offering, who your target market is, what will make your services and products a success, and how will you measure that success.
  • An operational plan for how the business plan will work in practice and what permissions are needed to carry out these services. Firms should define, monitor, measure and mitigate their risks. You can’t eliminate all risks, but the FCA will want to see that you know where they are and who has responsibility for managing them.
 

  1. What staff do I need?
 

Cost-conscious applicants want to know how many staff they need, especially if they are able to keep many back-office functions in their parent company outside the UK. Firms should staff their UK entity accordingly but be prepared to demonstrate the following to the FCA:

  • Mind and management. Institutions must have a physical presence in the UK and generally be a UK-incorporated entity. Their directors, and central management and controls, should be situated in the UK.
  • “Three lines of defence” – while the FCA has not made this a focus of authorisation, it is a best practice approach which institutions should still adopt.
  • Fit and proper individuals with the relevant skills, knowledge, and experience, especially where a senior manager is performing dual functions like CEO and CFO.
  • Good corporate governance in place, especially around oversight and independent assurance.
  • A clear understanding of what functions are being outsourced. If, for example, IT is outsourced to the parent company, the UK entity should ensure the responsibility for the function remains squarely within the entity (you can outsource the function but not the responsibility).
 
 
  1. What are the conduct obligations?
 

Since August 2019, the regulator’s Principles for Businesses apply to e-money and payment institutions, just as they do for banks and other regulated financial services firms. This means that payment and e-money institutions must undertake the following, among other things.

  • Treat customers fairly, whether a firm deals directly with customers or is a step removed.
  • Identify and support vulnerable customers. This has become a key focus of the FCA in recent years, with new guidance released in February 2021.
  • Communicate clearly to customers, particularly on how funds are protected. Be open and transparent with the regulator.

There are also specific obligations in the Payment Service Regulations 2017 and the Electronic Money Regulations 2011 that must be met, including rules on how to deal with unauthorised transactions, the information that should be provided to customers and on handling complaints in a timely manner.


  1. What are the prudential obligations?
 

In July 2020, the FCA finalised temporary guidance for payment and e-money institutions which focused on the following.

  • Meeting safeguarding requirements to protect customers’ funds.
  • Ensuring there is adequate capital resources in the business.
  • Ensuring sufficient cashflow and liquidity.
  • Having a wind down plan in place so that the payment or e-money institution has identified the factors that will trigger a wind-down scenario and has planned how it will wind-down with as little detriment to customers as possible.

 
  1. What are the AML obligations?
 

Along with capital and safeguarding, Anti-Money Laundering (AML) is a key pillar of the FCA’s expectations of firms seeking authorisation. Applicants must provide evidence of a firm-wide AML risk assessment, taking into account customers’ geographies and services. Based on this assessment, firms should understand what controls they need to mitigate money laundering and terrorist financing risks, including customer due diligence, enhanced due diligence, transaction screening and transaction monitoring.


Any other questions?

Answering these questions satisfactorily will give firms the best chance of a successful application for authorisation. But the FCA has even wider expectations. At the webinar, our experts tackled other questions around what IT systems and controls are required and how to demonstrate operational resilience seeing the regulator is giving firms a deadline of 31 March 2022 to clearly identify and document how they do this. This subject is explored further in our Operational Resilience webinar which you can download here.

If you have questions about your firm’s readiness to apply and want fscom’s help in identifying gaps and how to fill them, get in touch today.

Related Posts