The FCA sent a Dear CEO Letter dated 16 March 2023 to CEOs of payment firms (broadly meaning firms registered under the Payment Services Regulations and the Electronic Money Regulations).
The FCA clearly has some real concerns about payment firms:
"...we remain concerned that many payment firms do not have sufficiently robust controls and that as a result some firms present an unacceptable risk of harm to their customers and to financial integrity."
The letter requires firms to take appropriate action to deliver three fundamental outcomes. These are that:
- Customers' money is safe, including that customers' funds are safeguarded
- The firm does not compromise financial system integrity
- Customers' needs are met, including through high-quality products and services, competition and innovation, and robust implementation of the FCA Consumer Duty.
These outcomes are divided into detailed priorities, with a description of the action to take for each. The letter includes examples of common failings it has found. Whilst it does not set out a hierarchy of outcomes, it does describe safeguarding customers' money as a top priority. This is perhaps unsurprising, following as the letter does so hot on the heels of the Silicon Valley Bank collapse.
Having set out the outcomes it expects, the letter goes on to set out three cross-cutting priorities, which it says underpin the three outcomes, and describes the issues it sees with them and the action to take. These priorities are:
- Governance and leadership, including oversight of agents and distributors
- Operational resilience
- Regulatory reporting
The FCA is clear that it expects firms to take "prompt action to address the risks we have highlighted in this letter" and that it "will expect your firm to explain the actions it has taken in response to this letter on request." It ends with a warning of swift, assertive future action against firms that cannot or will not meet the standards the FCA expects. Enforcement-type action is easy to envisage.
Whilst firms will of course need to work carefully through the letter and decide on the action they need to take, we draw attention to three aspects in particular:
- First, the vexed issue of notifications to the FCA. If, having considered the matters raised in the letter, firms think that they are falling short, not only will they need a documented plan to remedy their shortcomings, but they will also need to decide whether the matter should be notified to the FCA and, if so, what should be notified and when. Sometimes, the position is obvious. But on many occasions we have seen, firms find the position is much less clear. On those occasions, some real judgement is needed about the path to follow.
- Second is the question of governance and leadership. As the FCA makes clear, inadequate governance and oversight is a root cause of many of the regulatory issues in the payments portfolio. This is where it all starts, and the FCA is focussed on the issue. It should not be expected that the review of the SMCR regime this quarter will reduce the focus on this to any extent. Governance and leadership is a fundamental issue, and individual accountability goes hand in hand with it.
- Third, the issue of AML controls. Although payment firms operate through accounts held at regulated banks, those banks do not customarily have access to details of underlying customers and are reliant on payment firms undertaking appropriate due diligence and transaction monitoring on customers. The FCA sets out a long list of common material issues it has found in respect of AML controls and, in our experience, will not hesitate to take action against payment firms; in some cases intervening to suspend operation. Payment firms need to ensure that they are operating the same standards as banks and other financial services firms.