With the vast majority of e-money and payment institutions successfully re-authorised, let’s take a look at how the FCA intends to monitor this growing population of firms.
Traditionally, e-money and payment institutions came under most scrutiny by the FCA at the application stage. The payments authorisation team would, and still does, review the application in detail, but once through the authorisation gateway the majority of payment and e-money institutions were not relationship managed, i.e. they did not have a named supervisor with whom they engaged regularly.
This is because the FCA has categorised these payment service providers as having a low potential for negative impact on consumers and markets. They, like most of the firms within the FCA’s remit, are supervised as a sector, or sub-sector (what the FCA terms a ‘portfolio’), with the Firm Contact Centre as their supervisory contact. Only a very small number of payment and e-money institutions are directly supervised by a dedicated, named individual because of their size, measured in terms of income, market presence and customer footprint.
Dedicated supervision resource
While the fixed/flexible portfolio system hasn’t changed, what has changed is the number and make-up of the supervisory team responsible for this portfolio. Previously, the payments supervisory team was a virtual team made up of supervisors who sit on other teams but who would be pulled in to work on payments firms as the need arose. Now, the FCA has established a dedicated payments supervision department.
The department has four teams:
- a sector team whose job it is to understand the sector by undertaking stakeholder engagement to identify the harm that could be posed and the latest developments;
- a proactive team that assesses the small number of fixed portfolio firms in the payments sector;
- a reactive team that undertakes event-driven supervision by responding when there is a major incident, for example, a large-scale outage or a whistle-blowing report; and
- a thematic team that analyses current events and investigates potential drivers of poor outcomes for consumers and markets.
The proactive team has identified a small number of firms (probably six) with which it will have a direct relationship and the rest will fall into the flexible portfolio category. Nonetheless, the sectoral review of business models, customer complaints and breach notifications has identified outliers for whom there will be direct engagement now to better understand the risks those businesses pose. Otherwise, there will be at least one touchpoint with firms a year, which may consist of a letter or a phone call.
What are the FCA’s key messages for the payments sector?
In the FCA’s recently published Approach to Supervision, the FCA states that its focus is mainly on the key areas of business models, culture and prudential soundness.
The FCA intends to understand how business models, commercial pressures and competition dynamics impact on consumer outcomes but, given the lack of supervisory attention on this sector to date, there has not been much data to consider. This is changing under PSD2. The re-authorisation process has produced a wealth of up-to-date data on business models, including analysis of target markets, financial viability and risk assessments. The new annual requirement to submit operating and security risk assessments and complaints handling data, as well as the obligation to report on major incidents, will enable the FCA to get a much better handle on where the risks are for consumers.
Three areas have already been highlighted (by Karina McTeague, Director of Retail Banking Supervision, at the end of last year).
- IT stability and security – the FCA expects security measures to be adequate and continuously reviewed for sufficiency. The Cyber Essentials certification would, for example, help to demonstrate that the firm is taking the right approach. The governance systems and controls and management of outsourced services will also be considered.
- Fraud – attention will be focused on whether customers’ data is being kept safe and secure and whether customers are being given helpful, clear and consistent messages on open access to online accounts.
- Conduct risk – while payment and e-money institutions are not subject to the ‘Treating Customers Fairly’ principle, consideration will be given to whether they provide clear information on the pros and cons of different payment mechanisms, and to helping customers understand what they’re consenting to when granting access to their accounts and how to withdraw that consent. Liability for unauthorised transactions has always been an area of keen focus for the FCA, and the greater scope for the customer to be caught in the middle without a refund when there is a disputed transaction is flagged as of special interest to the FCA.
The FCA is keen to hold individuals to account for their role in creating and maintaining the culture of a firm. There are no plans to extend the Senior Manager and Certification Regime (SM&CR) to payment and e-money institutions but there is disappointment that some senior managers have not yet taken to heart their obligations and, indeed, personal liability as leaders of regulated financial services firms.
The re-authorisation process has revealed many examples where firms have simply not kept the regulator updated on changes in their business models, significant outsourced functions, controllers and PSD/EMD individuals. Indeed, the number of bounce-backs received by the FCA when attempting to inform the sector of PSD2 changes caused a great deal of consternation.
Prudential supervision aims to avoid a disorderly failure and minimise the harm to consumers. In this context, the FCA is interested in the robustness of the business continuity plans (or discontinuity plans) submitted as part of the re-authorisation application, the adequacy of the resources to meet the capital requirement and the measures taken to safeguard clients’ payment services funds.
There are no plans to publish a report following the thematic review of safeguarding conducted in 2016 – all involved will have received feedback already – but it’s likely that there will be follow-up analysis. The FCA’s guidance published in its 2017 approach document is still problematic for firms given the wide variation of business models and the lack of clarity over expectations, but safeguarding is a key protection that all parties are invested in getting right. The new Protean Risk product that offers either a complementary or alternative method for safeguarding could be a game changer for many firms, enabling them to maintain cover even when funds are in transit.
Payment and e-money institutions are used to a hands-off approach from FCA Supervision and, while I don’t expect that will change dramatically for most firms, it stands to reason that the:
- greater supervision resource and focus;
- enhanced regulatory reporting requirements; and
- higher standards expected under PSD2
will cause an upshift in attention. Firms should use their compliance monitoring programme to keep under review the risks, systems and controls mapped out for the re-authorisation application. The management information must be assessed by the senior management team, and minuted for evidence of senior engagement.
For smaller firms, it’s easy for the resource that should be put towards compliance monitoring to be subsumed into business as usual and that’s why our clients prefer to engage us to do the testing and provide the management information that helps the senior management team assess the risks throughout the year.