My Compliance Centre

The end of light touch: a compliance wake-up call for payment services firms

Compliance technology is nothing if it’s not underpinned by genuine expertise. And it is with that sentiment in mind that My Compliance Centre recently appointed payments regulation veteran John Burns to its advisory board, expanding our team of specialists guiding our development plans.

For those who don’t know John, he’s been in the sector for 40 years, playing a key role with the Financial Conduct Authority’s predecessor the FSA, where he worked with HM Treasury on drafting the Payment Services Regulations and Electronic Money Regulations as well as drafting the FSA’s guidance for payments providers. As part of his onboarding, we sat down with him over a coffee to seek his insights on the trends that are shaping the industry today.

One of John’s most fascinating perspectives centres on the shift in the regulator’s stance on payments. Previously seen as a low-risk area by the regulator, many firms, especially smaller payment and e-money institutions, were able to thrive without the intense compliance burdens faced by major banks.

However, according to John, there has been “a 180-degree change in attitude from the FCA”. “What was once a low-risk area is now considered high-risk, particularly for financial crime,” he said, adding: “The FCA has gone from having two part-time supervisors for the entire sector to a team of over 60. They are actively closing firms down, and the message is clear: the rules of the game have changed.”

But what else do payment services businesses need to be mindful of? We’ve distilled five critical compliance areas that John believes every payment services firm needs to address right now.

1. Safeguarding: are your customers’ funds fully protected?

This is the FCA’s primary concern. If your firm becomes insolvent, customer funds must be safe and returnable. However, many firms are failing to correctly segregate and reconcile these funds daily, and if it’s not done correctly the risk is that customers will lose their money.

It’s not enough to simply do it; you must be able to prove it. “As far as the FCA is concerned, if it’s not written down, it didn’t happen,” warns John. Firms need a clear, auditable trail showing that safeguarding processes are robust, reviewed and effective every single day.

2. Governance: is your board really engaged?

In many smaller firms, risk and compliance are discussed but not formally documented. The FCA now demands evidence that the board and senior management are actively monitoring risk, with minutes, reports and clear action plans.

This includes having a credible and tested wind-down plan. The expectation is that governance is not an annual tick-box exercise, but an ongoing process.

3. Operational resilience: what happens when the plumbing breaks?

“Payments is like the plumbing of financial services,” says John. “No one thinks about it until it goes wrong, but when it does, you notice really quickly.”

The FCA requires every payment services firm to identify its critical functions, set a time-based threshold for what constitutes “intolerable harm” to customers during an outage, and conduct testing at least once a year (the FCA specifies in the Handbook a number of areas which must be tested). If your systems go down, the first thing the regulator will ask for is the records of your testing and the lessons learned. The rules require firms to hold at least six years of testing records. Without them, you are in serious trouble.

4. APP fraud: how risk is split 50/50

The Payment Systems Regulator’s new rules on Authorised Push Payment (APP) fraud are a potential financial minefield. In most fraud cases, the sending and receiving firms must fully reimburse the victim and split the cost 50/50.

For firms, particularly those at the receiving end of fraudulent payments, this creates a huge potential liability. Demonstrating robust due diligence and controls for account opening is now essential to mitigate potentially significant losses.

5. Consumer Duty: are you showing fair value?

Consumer Duty is another area of intense focus, especially concerning foreign exchange (FX) rates. The FCA is looking closely at firms that advertise “fee-free” transfers while making significant margins on the exchange rate.

You must be able to evidence your fair value assessments and prove that your marketing is transparent and not misleading customers about the true cost of the service.

Absence of evidence is a dangerous thing in payments compliance

The central message from our conversation with John Burns is clear. The FCA is undeniably moving payment firms into the same compliance sphere as other regulated financial institutions. Doing the right thing is all well and good. But if you cannot prove it, then you’re running an existential risk.

And this scrutiny isn’t just coming from the regulator. Banks providing safeguarding accounts are also demanding higher standards of evidence before they will partner with payment firms. Taken together, that means a demonstrable, evidence-based compliance framework is vital to both meeting compliance obligations and achieving commercial success.

With thanks to John for these important insights. If you would like to learn more about how My Compliance Centre can help your payments firm to mitigate risk, talk to us today.
