FCA “Dear CEO” Portfolio Strategy Letter for PSPs and e-money issuers
On the 9th of July, the Financial Conduct Authority (FCA) wrote the Dear CEO Portfolio strategy letter for payment services firms and e-money issuers. In this letter, the FCA reiterated that protecting consumers is a priority in its business plan 2020/2021, especially in the payment services sector, which has grown exponentially in recent years.
The growth of the sector has prompted both consumers and businesses to use the services of Payment Service Providers (PSPs), and, as the recent disturbance with Wirecard has revealed, a failure may affect many market players at once while damaging customers and their trust. Furthermore, profitability is always a question for startups, and many of them will not be profitable while seeking to grow market share and burning investors’ money. This leads to the problem of the long-term viability of the FinTech sector.
The letter in question focuses on six key areas in which the FCA has identified non-compliance with obligations that can ultimately lead to harm to consumers. The areas to which the letter refers are the most wide-ranging across the FinTech field.
In the table below, we have summarised the main failures of regulated firms highlighted by the FCA in its Dear CEO Letter.
The FCA has reiterated countless times that safeguarding is a core concern for Payment Institutions (PIs) and E-Money Institutions (EMIs). It underpins the fabric of a properly managed and maintained financial sector, and without proper controls customers are placed at risk. In the current letter, the FCA has stated that the top mistakes that PSPs are making are:
- Improper accounts for safeguarding arrangements or their designation;
- Inadequate frequency of reconciliations;
- A lack of records evidencing the ‘relevant funds’.
In our previous article, we have already discussed the safeguarding requirements to which PIs and EMIs are subject and outlined the top 5 mistakes and how PSPs can remedy them. To briefly summarise the remedial actions (which were discussed in the previous article and in the same vein apply in the current situation) we can outline the following:
- Robust counterparty due diligence of credit institutions, custodians, or insurers;
- The proper designation of the safeguarding accounts that would bar third parties’ rights over any funds placed therein;
- Timely and consistent reconciliation arrangements;
- Precise and well-documented practices in allocating funds and designating them as ‘relevant funds’;
- Ongoing monitoring of safeguarding practices and remediation of shortcomings.
Prudential risk management
Own funds requirements are the cornerstone of the viability of a business in the financial sector, since without them companies will not offer adequate protection to their customers. Adequacy of capital is critical for each firm to remain compliant and solvent and to continue as a going concern. As the sole regulator of PIs and EMIs, the FCA has the responsibility of ensuring that firms have sufficient own capital at all times. This is especially relevant in the current times, when we are facing an economic downturn as a consequence of the Covid-19 crisis. Notably, the FCA expects firms to take a forward-looking approach to risks, that is, to assess how these evolve throughout the economic cycle. It means that regulated firms must be aware of the risks that may materialise and take the necessary measures to survive even a worst-case scenario.
The FCA recognised that some PSPs failed to retain sufficient own funds and performed incorrect calculations. If you wish to learn more about what would be deemed proper safeguarding arrangements and how to protect your business in these unsettling times, you can read our article discussing the Covid-19 crisis and response plan, which includes measures aimed at reducing prudential risks.
In its Dear CEO Portfolio strategy letter, the FCA has raised concerns about financial crime prevention and the lack of proper measures implemented by PSPs. The main points raised by the FCA concerned failures in four areas:
- Improper financial crime risk assessment failing to consider business-wide anti-money laundering risks;
- Absence of customer risk assessment or improper measures that do not account for all shortcomings;
- Lack of enhanced due diligence for high-risk customers;
- Improper arrangements for the oversight of the agents that act on behalf of PSPs.
Notably, financial crime prevention is an ongoing exercise, and regulated firms must implement robust policies, procedures, and controls to prevent financial crime. By doing so, the firm will reduce the risk of regulatory action as well as contribute to the industry-wide fight against criminals. If criminals cannot derive benefits from their crimes (i.e. use the proceeds of crime), they will be discouraged from committing them.
In order to know how to implement proper controls within the firm, it is advisable to read the guidance offered by the Joint Money Laundering Steering Group (updated in June 2020), which is a competent body for interpreting the UK’s law on anti-money laundering. The FCA has also issued the Financial Crime Guide (FCG), which provides practical assistance and information for firms of all sizes and across all FCA-supervised sectors on actions firms can take to counter the risk that they might be used to further financial crime. It is essential to have well-versed and experienced staff members who will minimise the possibility of financial crime without detriment to the business and customers.
Financial promotions and communications
Customers choose firms based on the information that is available to them before entering into the relationship or opening an account. However, quite often PIs and EMIs tend to misrepresent their services/status/prices to attract more customers. Notably, such an approach is not consistent with the Banking Conduct of Business sourcebook (BCOBS), which has applied to PIs and EMIs since 1 August 2019.
We have discussed the BCOBS in more detail in one of our previous articles, which considered the importance of adhering to the newly applicable rules. In order for a firm to act in accordance with the FCA Handbook and principles, its compliance and legal departments must familiarise themselves with these rules and review the consistency of the firm's business practices/promotions with them. Failure to adhere to the principles may lead to substantial regulatory fines and irreparably damage the reputation of the PI/EMI in question.
Governance and oversight
Further, the FCA turned to the root cause of the inadequacies in the practices of the firms and noted that most of the problems arise from inadequate governance and oversight. It is the responsibility of the firm to ensure that it maintains robust governance arrangements that are comprehensive and proportionate to the nature, scale, and complexity of the regulated services that the firm provides.
In the Dear CEO Portfolio Strategy Letter the FCA has reiterated the responsibility of the directors and senior management for the conduct of business supervision. The senior management must ensure that internal arrangements are consistent and reviewed on an ongoing basis. To reach this aim, it is important to establish an ongoing review and audit of the firm.
The best practice is for the internal auditor to perform an ongoing review of the consistency of the operational practices within the firm and, from time to time, to engage an independent firm to audit all internal policies and procedures, such as IT, data protection, financial crime, AML/CTF, regulatory reporting, and operational risks. We offer such services, so do get in touch if you wish.
Records management and reporting
PIs and EMIs are responsible for maintaining proper records that demonstrate their compliance with their regulatory obligations. The FCA may request certain information as a part of regular reporting (fraud report, customer complaints report, close links report, etc.) and as an ad hoc exercise (as was recently requested from firms in light of the Covid-19 pandemic).
The FCA has found that certain firms are failing to maintain proper arrangements to demonstrate their compliance. As such, it is essential for PIs and EMIs to strictly follow the rules and regulations that apply to them and to document their practices. This should be done through record retention practices that consider such aspects as data protection and security. Such an approach will help firms not only to maintain compliance with their regulatory obligations but also to lower the operational and reporting workload.
Wish to learn more about how to remain compliant?
Above we have shared some insights and outlined common failures of firms; however, not all of them may apply to every PI/EMI. To ascertain whether your business is compliant and what the best approach is to maintain proper internal controls while remaining compliant with the regulatory obligations, it is advisable to seek qualified advice. Thankfully, you are in the right place and can contact PSP Lab to ascertain whether there are any shortcomings in your business and how to remedy them.