Further to our recent blog exploring some of the key challenges we see firms facing when seeking authorisation as a payment service provider (PSP) by the Financial Conduct Authority (FCA), we continue to explore some key aspects of the application process where the FCA has placed intense scrutiny.
In this blog, we’ll share our insights on key aspects/expectations of the FCA in respect of firms’ governance arrangements.
A common shortcoming across firms looking to secure permission to carry out regulated payments/e-money services consist of treating the application process as a mere box ticking exercise. Our view is that it's important to look at the bigger picture and not treat each requirement in isolation at the authorisation gateway.
An important example of when this ‘siloed’ approach is detrimental to the success of authorisation applications relates to articulating the role of risk management procedures in the context of governance arrangements.
According to the FCA Approach Document, risk management procedures must clarify how firms will ‘effectively identify, manage, monitor and report any risks to which it might be exposed’. Governance arrangements are defined within the same source as ‘the procedures used in the decision-making and control of the business that provide its structure, direction and accountability’.
It's important to consider these two components together whenever possible. If firms can't demonstrate that senior decision-makers are receiving risk data/metrics on a regular and timely basis, enabling them to challenge and instigate actions to address issues promptly, it raises doubts about the firm's ability to manage their risks because of deficiencies in respect of firms’ governance frameworks.
When considering the role of decision makers in joining the dots between governance and risk management procedures, the following aspects should be key.
Risk assessment
Authorisation applications require firms to map their identified risks, classifying them by the type of risk and explain the underlying procedures to assess such risks. The phrase ‘enterprise-wide risk assessment’ (EWRA) is often used to describe this process, although we have observed some firms misinterpreting the EWRA as relating solely to financial crime prevention only. The FCA expects payments applicants to assess their risk exposure across all aspects of its business including, but not limited to, financial crime.
Joining the dots between governance and risk assessments means ensuring that senior individuals have full visibility and understanding of the outcomes of the identification and assessment of risks applicable to the firm’s activities, services, processes and products, combined with robust understanding of how the relevant controls have been embedded across the firm’s wider risk management framework.
Risk reporting
Risk reporting should proactively provide valuable information to decision-makers. It should comprise of an open and transparent forum to help firms’ senior management to make informed decisions, having regard to the firm’s risk tolerance levels and appetite. This can only be achieved if there are clearly defined communication channels and escalation routes for reporting.
Joining the dots between governance and risk reporting means ensuring that risk reports are sufficiently comprehensive, accurate, consistent and actionable, covering the firm’s range of products, services and activities. The formal meetings arrangements should provide a forum to review and challenge risk reporting data and remediation steps proposed (where required).
Risk monitoring
Risk monitoring processes should be able to test (on an ongoing basis) firms’ adherence to their own policies and relevant rules, as well as the position against desirable tolerance levels or limits. In the event of deviations, the procedures should enable the timely deployment of mitigants to remediate unexpected deviations and avoid high-scale impact scenarios.
Joining the dots between governance and risk monitoring means ensuring that senior individuals should take very seriously the signing off of risk appetite statements, and further to that, challenge the adequacy of existing monitoring processes against their tolerance levels and limits, as well as the ability of existing monitoring processes to capture intrinsic and extrinsic environment changes capable of affecting the firm’s ability to carry out its regulated payment services.
Why does it matter?
During the authorisation journey, a key component consists of satisfying the FCA that senior management and its central administrative functions are provided with the means to exercise adequate and dynamic oversight over the business.
If the matters explored above combined do not form a robust view of how this objective is met from a risk management perspective, there may be concerns that the firm’s governance arrangements fail to bring to life its business strategy within the context of an always evolving compliance environment.