The FCA recently published its ‘Dear CEO’ portfolio letter for payment firms, outlining three key outcomes and underlying priorities as well as additional cross-cutting priorities, which it expects payments firms to deliver upon (where relevant). The FCA’s thinking and structuring of its expectations is not surprising given its sustained and increased focus on the payments industry. But combining outcomes and priorities brings with it the need for a more holistic approach that firms should consider adopting beyond the use cases specified in the letter.
I believe that a key takeaway for firms, from reading the letter, is to use the principles behind the priorities and to evaluate where those can be replicated across other compliance use cases. By doing so, payments firms will be able to meet and evidence compliance more broadly, so acting in the spirit of the regulator’s expectations and Principles for Business.
Below are a few of my thoughts and application of the priorities based on my observations of the industry.
Articulating outsource-enabled compliance
The FCA has called out that common issues in this respect include the ‘failure to ensure name screening solutions from third party providers are appropriately and adequately calibrated to meet their business requirements’, and that firms were ‘unable to reasonably justify and/or verify why their sanction screening solution does not generate alerts against certain names’.
To me, this scenario sets a fundamental principle to be addressed by firms beyond sanctions screening and may be applied in many outsourcing use cases. For example, in the context of fraud prevention, I have seen some firms being unable to qualify how they are comfortable that their third-party tools effectively meet regulatory requirements, which in turn puts them at risk of inadequate oversight.
As firms become more interested in making technology investments to scale up and increase efficiency of compliance procedures, via third-party solution providers, firms should also become better prepared to implement effective third-party risk management frameworks, expressed not only in the form of effective due diligence during onboarding but also ongoing robust governance and oversight mechanisms.
Unlocking value from diversity and inclusion by design
Another point explored in the Portfolio Letter relates to the FCA’s expectation for increased diversity and inclusion within the payments sector. I believe that firms who take this seriously will be better prepared to meet compliance with other regulatory issues, where diversity is a key enabler for compliance.
For instance, the Consumer Duty products and services outcome requires firms to consider characteristics of the target market, as well as intended customers with characteristics of vulnerability, at design stages. I believe that one of the ways to meet and evidence compliance with this requirement is embedding diversity across product teams and other business units whose activities may have an impact on regulatory compliance. In other words, payments product development and innovation should go hand in hand with enhancing diversity within the business. This can help inform whether firms are confident that their products meet the needs of their target market.
Controls, controls, controls
The FCA expressed its concerns about the failure by payment service providers (PSPs) to ‘maintain and evolve the control framework, in line with or ahead of business growth’. This is something I’ve also observed in my own work.
For instance, payments firms have the crucial responsibility of protecting customer money. The FCA expects firms to manage this through three priorities: safeguarding, prudential risk management and wind-down planning. All three priorities have a common thread: the need for consistent controls, subject to ongoing adequacy checks to validate that they still reflect business growth and/or change of market circumstances. Examples of how this should be achieved include taking a proactive posture in periodically revising, updating and validating financial forecasts (and liquidity arrangements) to ensure that those reflect both the current economic environment, and the up-to-date financial position of the business to protect customer money.
The FCA’s priority areas aren’t themes we haven’t heard of before – but this simply reinforces that the regulator remains concerned and will continue to scrutinise payment firms if significant improvements are not made. It is a worthwhile exercise for payments firms to pause and think about the broader picture and consider how the outcomes and priorities could be more far-reaching than first meets the eye.
As highlighted, reading across from the content of the letter, by taking the principles behind the priorities and use cases and applying them to all other relevant aspects of firms’ business models, would be a worthwhile investment and should help firms stay ahead of the curve and avoid undesirable regulatory scrutiny.
Should you have any questions or concerns about the priorities outlined in the Letter or would like to discuss this topic in more detail, don’t hesitate to contact us.