Payments authorisations: Encompassing new businesses and emerging business models

From our wide-ranging relationships with clients and prospective clients, we’re seeing many firms expanding their business models in order to remain relevant to their clients and competitive in their chosen markets. In a number of cases, these business expansions have included the embedding of payment offerings, which has brought firms within the payments regulatory perimeter and so requiring authorisation as payment service providers (PSPs) with the Financial Conduct Authority (FCA) in the UK. Similar can be said for new market entrants in the payments eco-system.

Some such firms have not previously been regulated or, as a result of the expansion of UK operations, have not been regulated by the FCA in the UK before.

We have seen a number of firms experiencing challenges in gaining UK authorisation as the FCA strengthens its expectations of firms at this initial and critical gateway for firms to provide payment services in the UK. This has created significant commercial issues as the FCA has rejected applications or requested their withdrawal, so impacting firms’ business strategies and planned revenue streams.

Authorisation is not a ‘tick-box exercise’, with the FCA having built a specialised payments authorisation team, which is far more stringent, curious and intrusive than ever before when considering applications. This is further emphasised with the continuing shift from rules-based to principles-based regulation by the FCA.

With this in mind, we wanted to share our insights from our extensive work with clients on the key challenges we have seen them experience in their authorisation efforts.

It is important to articulate and demonstrate a clear and profitable strategy as part of the application process which explicitly considers the ongoing viability of the firm. This is especially key in the current economic environment. The strategy should demonstrate consideration of specific UK customer needs and opportunities available in the UK market, backed by sound assumptions and stress scenarios based on empirical evidence. There is also an expectation that the Board will have set, challenged and approved details of the Business Plan and strategy.

Few things, other than the strategy and viability of the proposed business model, are more important to the FCA than firms’ governance arrangements. This is not limited to identifying and appointing an appropriate UK Board and Senior Management team but also requires significant care to be taken in the design of governance arrangements including reporting lines, committee structures and the definition of their terms of references.

Firms must demonstrate in their applications how they will comply with conduct of business requirements. This will include documenting information requirements and customers’ rights and obligations.

A significant element of a firm’s application is to demonstrate how it will evidence compliance with the Consumer Duty Principle – a key element that many firms neglect to articulate as part of their application documentation.

Where firms are part of a wider Group and/or intends to outsource certain activities to third parties as part of the business model, we often observe the FCA challenging how appropriate initial and ongoing due diligence has/will be conducted and how these functions will be subject to oversight, including the establishment and monitoring of service levels and key performance indicators. And, importantly, escalation arrangements to resolve concerns and/or compliance failings.

It is critical to ensure that anti-money laundering legislation (AML) is adhered to and understood within the business model and processes of firms, which should have the appropriate systems and controls in place to comply with the legal obligations.

Demonstrating how IT infrastructure planned for deployment in the UK will be adequate to both run the business and also meet UK regulatory expectations with regards to security and resilience is critically important. As part of the application, the Regulatory Business Plan must outline the overarching IT strategy as well as set out high level features of the systems to be used, including back-up arrangements to ensure the continuity of customer services.

Our experience with several firms has highlighted that they have only considered AML requirements as part of their EWRA, when in fact the FCA expects much broader coverage, to include all risks relevant to firms’ business operations, for example:

• Settlement risk;
• Operational risk;
• Counterparty risk;
• Liquidity risk;
• Market risk; and
• Foreign exchange risk

In recent years, the FCA has applied ever increasing scrutiny on firms’ safeguarding arrangements and wind-down plans. We have seen the FCA routinely challenging the level of detail of firms’ arrangements in these two critical areas from a consumer protection perspective, having issued significant guidance on its expectations through its ‘Approach Document’.

The FCA’s expectations for the robustness and quality of firms’ authorisation applications and supporting documentation is continuing to strengthen and evolve, so authorisation cannot be taken for granted. Here at KPMG, we have worked on numerous PSP authorisations, including Electronic Money, Merchant Acquiring and Money Remittance authorisations.

This means that we are well positioned to support firms gain payments authorisation as they enter the UK’s regulatory perimeter. Please reach out to us if you would like to discuss how we can help you.

And, please do look out for future articles as we explore some of our insights on the more granular FCA expectations on specific elements of the authorisation application process.