KPMG Law - FCA Dear CEO letter

On 16 March 2023 the Financial Conduct Authority (FCA) issued a Dear CEO letter to payment and e-money institutions, as well as registered information service providers (together referred to as “payment firms”). It focuses on the FCA’s priorities for payment firms going forward.

The letter refers to the FCA concerns that many payment firms do not have sufficiently robust controls and that, as a result, some firms present an unacceptable risk of harm to their customers and to financial system integrity. It flags that the risk of customer harm is heightened by the tightening economic conditions and the cost-of-living crisis.

The FCA set out three outcomes for payment firms to achieve going forward to address these concerns:

1. Outcome 1: Firms should ensure that customers’ money is safe, including in the event that the firm fails in a disorderly way. To achieve this outcome, firms should focus on:

• Safeguarding: payment firms must ensure that they safeguard customers funds in line with the Payment Services Regulations 2017 (PSRs) and Electronic Money Regulations 2011 (EMRs) and guidance set out in the FCA’s Approach Document.
• Prudential risk management: payment firms must ensure that they regularly review its prudential risk management arrangements, including having adequate capital and liquidity resources (that may include considering holding additional capital above the minimum requirement under the PSRs or EMRs).
• Wind-down planning: payment firms must have appropriate wind-down plans that should be reviewed regularly.

2. Outcome 2: Firms should ensure that payment firms do not compromise financial system integrity by being used for financial crime. To achieve this outcome, firms should focus on two priorities:

• Money laundering and sanctions: payment firms must have robust and proportionate to its risk profile anti-money laundering systems and controls in place. Compliance with anti-money laundering obligations and sanctions requirements must be monitored and regularly reviewed.
• Fraud: payment firms must regularly review their fraud prevention systems and controls, maintain appropriate customer due diligence controls and review its internal risk appetite statements, policies and procedures.

3. Outcome 3: Firms should implement and be ready for the Consumer Duty, as set out in the recently issued FCA’s Dear CEO letter dated 21 February 2023. This means conducting all necessary reviews and implementing the required changes in time for 31 July 2023.

Further, the FCA identified three cross-cutting priorities that underpin the above outcomes:

1. Payment firms must ensure that they properly oversee their agents and distributors, maintain robust and proportionate to the complexity of the business governance arrangements and have directors and individuals responsible for providing payment services that are fit and proper and have the appropriate knowledge and experience.
2. Payment firms must comply with the FCA’s rules and guidance on operational resilience set out in SYSC 15A (the Senior Management Arrangements, Systems and Controls sourcebook). By no later than 31 March 2025, payment firms have to comply with rules requiring them to remain within their impact tolerances for each important business service in the event of a severe but plausible disruption. This includes developing more sophisticated mapping processes and scenario testing.
3. Payment firms must comply with all applicable regulatory reporting requirements.

The FCA also noted that payment firms should take action to support the ESG agenda and promote diversity and inclusion. They also warned payment firms of consequences of failure to get FCA’s approval for change in control (which is a criminal offence) and noted that they will continue their robust approach to assessing payment firms’ applications for authorisations, registrations, or variation of permissions.

Your firm’s board or executive committee will have to consider the concerns identified by the FCA in this Dear CEO letter and take appropriate action where appropriate, and documenting this analysis will be an important exercise. This will require an in-depth assessment of the underlying risks and a review of all the relevant systems, control, policies and procedures. The firms will also have to ensure that they are geared up for the upcoming deadline for implementation of Consumer Duty (31 July 2023) and the required mapping and testing for Operational Resilience (31 March 2025), among other actions.  

We understand navigating the regulatory landscape, especially in the current macroeconomic climate, can be difficult. KPMG offers a broad range of relevant skills and expertise that enables us to help you identify and action the steps that you need to take as a result of this letter.