Principles for Business for Electronic Money Institutions and Payment Institutions
Under both the Payment Services Regulations 2017 (“PSRs”) and the Electronic Money Regulations 2011 (“EMRs”), the Financial Conduct Authority (“FCA”) can issue guidance to UK Electronic Money Institutions (EMIs) and Payment Institutions (PIs). Since 2017, the FCA has had the power to extend its Handbook rules to EMIs and PIs. Unsurprisingly, the FCA used that power, and some FCA rules, namely the Principles for Businesses (PRIN, Principles or Principle for Business) and Chapter 2 of the Banking Conduct of Business Sourcebook (BCOBS), have applied to EMIs and PIs since 1 August 2019.
The FCA expects EMIs and PIs to evidence their compliance with the aforementioned rules through having systems and controls in place and record keeping, in line with the PSRs 2017 / EMRs 2011.
Many industry professionals are still confused, and we still see conduct incompatible with the new rules. Therefore, if you are confused too, or are simply interested in avoiding the risk of being penalised by the FCA, you can read our series of articles regarding the PRIN and BCOBS.
PRIN for E-money Institutions and Payment Institutions
If you are from the UK banking and insurance sectors, you are well aware of the consequences of breaching the PRIN, especially if you are from The Carphone Warehouse, which was recently fined £29 million for a breach of the PRIN. If you have worked only with EMIs and PIs, most likely you have not dealt with the Principles at all. Complying with the PRIN is essential, as in 2018 and 2019, 49% of the FCA fines were also due to the violation of some Principles. Fortunately, PSP Lab has got you covered.
The FCA is the regulator vested with the powers to direct and monitor the market conduct of regulated firms and ensure that consumers are protected. One of the FCA’s regulatory instruments is the Principles, the high-level standards that set out the fundamental consumer protection and conduct obligations of regulated firms, including PIs and EMIs. There is a total of eleven Principles, which are listed below.
According to the Principles for Business, each Electronic Money Institution and Payment Institution must:
- conduct its business with integrity (1), due skill, care and diligence (2);
- organise responsible and effective management and control and an adequate risk management system (3);
- maintain adequate financial resources (financial prudence) (4);
- observe proper standards of market conduct (5);
- pay due regard to the interests of its customers and treat them fairly (6), and pay due regard to the information needs of its clients, and communicate information to them in a way which is clear, fair and not misleading (7);
- manage conflicts of interest fairly both between itself and its customers and between a customer and another client (8);
- take reasonable care to ensure the suitability of its advice and discretionary decisions for any customer who is entitled to rely upon its judgment (relationships of trust) (9);
- protect clients’ assets (10);
- deal with its regulators in an open and cooperative way, and disclose to the FCA appropriately anything relating to the firm of which that regulator would reasonably expect notice (relationship with a regulator) (11). Regulators are the FCA and other regulators with recognised jurisdiction in relation to payment and e-money services whether in the UK or abroad.
Difference between client and customer
The FCA Principles for Business differentiate between clients and customers. While the Integrity Principle implies that both shall be treated with honesty, the differentiation is still relevant because, generally, consumer protection does not apply to companies other than micro-enterprises and small charities.
Briefly, your clients are individuals and bodies corporate to whom you provide, or intend to provide, services as a PI or EMI. Every customer is your client, but not every client is a customer. A customer is only:
(a) a consumer;
(b) a micro-enterprise; or
(c) a charity which has an annual income of less than £1 million.
In a nutshell, the Principles apply to the provision of e-money, payment services and connected activities including communication and promotion of such services by all EMIs and PIs including small PIs and Registered Account Information Service Providers (RAISPs). The Principles apply to firms in a way that is appropriate and proportionate, taking into consideration size, the complexity of business and other characteristics.
The PRIN (except for Principle 4 Financial Prudence) also apply to non-UK EMIs and PIs if they issue electronic money or provide payment services in the UK as long as the responsibility for the matter regulated by the Principles is not reserved to the home state regulator of such EMIs and PIs by the Electronic Money Directive, Payment Services Directive or other EU instruments.
Some Principles have extended applicability. Principles 3 Management and control, 4 Financial Prudence, 11 Relationship with a Regulator take into account the activities of members of an EMI or PI group. Principle 1 Integrity, 2 Skill, Care and Diligence, 3 Management and control, 4 Financial Prudence, 5 Market conduct, 11 Relationship with a Regulator apply to world-wide activities of the Payment Institutions and E-money Institutions.
Conflict between regulations
The Principles impose obligations to the extent that they are not in conflict with other rules regulating PIs and EMIs such as Payment Services Regulations, Electronic Money Regulations, Consumer Credit (Disclosure of Information) Regulations. The FCA made it clear that if there is a conflict between the PSRs, EMRs, and Principles, the firm should follow its obligations under PSRs or EMRs as they are more specific regulations than the PRIN.
Applicability to Hybrid companies
Some concern was raised by so-called hybrid institutions, that is, firms that provide services other than those regulated by the FCA, such as ‘bureaux de change’ activities. The FCA Principles for Business also apply to a connected activity when the activity is connected to the provision of payment services or the issuance of e-money.
The problem is that it may be unclear what connected activity actually means. According to the FCA, connected activity has its natural broad meaning, and there is no need for further clarification. For example, in relation to foreign currency conversion, mere cash-to-cash conversion of currency at a bureau de change is not considered a connected activity, but rather an independent service. When a PI or EMI makes a payment of currency to its client in settlement of a foreign exchange transaction, such PI or EMI acts as principal in purchasing the other currency from its customer, so no payment services are provided and such activity is not a connected activity.
However, as it is clear from the Payment Services and Electronic Money – FCA Approach, the Principles apply to a foreign exchange transaction service when the funds are paid to a third party on behalf of its client.
Violation of the FCA Principles for Business
According to the FCA Principles for Business, what constitutes ‘fault’ varies between different Principles. Failures to comply with the Principles can cost a company quite a significant amount of money.
Below we provide some examples of how a company can violate the Principles:
- For Principle 1 Integrity, lack of integrity in the conduct of a firm can be penalised. For example, the FCA found a lack of integrity in conduct when a regulated person recklessly failed to mitigate the risks to potential policyholders.
- To breach Principle 2 Skill, Care and Diligence, any failure to act with skill, care and diligence is sufficient. For example, Tesco was found in breach of Principle 2 as it failed to protect customers from cyber attackers who exploited deficiencies in the design of the Tesco debit card, in its financial crime controls and in its financial crime operations team to carry out the attack.
- Many companies breach Principle 3 Management and control. An example that is relevant for PIs and EMIs is the outsourcing of the authorisation and processing of card transactions by a retail bank without adequate processes to enable it to understand and assess the business continuity and disaster recovery arrangements of its outsourced service providers. The breach occurred because the bank's systems and controls did not enable it to properly identify when it was relying on outsourcers for the performance of functions that were critical for the performance of its regulated activities (in particular, the provision of e-money) on a continuous and satisfactory basis.
- Nobody was recently fined for the breach of Principle 4 Financial Prudence. However, EMIs and PIs that are not compliant with capital requirements stand every chance of being fined, as we can understand from the FCA’s Consultation Paper.
- An example of a breach of Principle 5 Market Conduct is market manipulation. Regarding PIs and EMIs, there are currently no market standards for them, so it is hard to say what could constitute a breach.
- Principle 6 Customers’ Interests is often breached by members of the credit industry. For example, a company omitting to indicate that the full cost of the financial product included the interest component is in breach of Principle 6. In general, it is clear that for PIs and EMIs the requirement to treat customers fairly goes beyond mere compliance with the PSRs and EMRs.
- Additionally, the aforementioned company is in breach of Principle 7 Communications with clients. Misleading and/or untrue communication and promotion can easily lead to a fine by the FCA for the breach of Principle 7.
- It is not completely clear what kind of conflict of interest may arise. However, the FCA in its Consultation Paper connects Principle 8 Conflicts of Interest and Principle 9 Customers: relationship of trust, by providing that a conflict of interests may arise when a company gives advice.
- As an example, the FCA expects potential conflicts of interest and the application of Principle 9 Relationship of trust when an Account Information Services (AIS) provider gives its clients advice on what is the best current account for them based on their transaction history. Thus, a company can breach Principles 8 and 9 by recommending an account based on the company’s own interest rather than the client’s interest.
- To breach Principle 10 Client’s Assets, it would be enough for a company to fail to meet its safeguarding requirements under the PSRs and EMRs.
- EMIs and PIs have their reporting/notification requirements under the PSRs and EMRs. Unless they fail to meet these obligations, they should not be worried about violating Principle 11 Relationship with a Regulator.