The FCA’s action plan to clean the FinTech industry. Five changes to expect.
A few days ago, after I had heard the speech of the FCA CEO Nikhil Rathi and finished reading the FCA’s Business Plan 21/22, I had a revelation. The FCA, the UK financial services watchdog, was established in 2013 and assumed the responsibility for the conduct and relevant prudential regulation from the Financial Services Authority, matured into an 8-years old Staffordshire Bull Terrier with sharp teeth that is ready to bite anybody who is a threat to consumers or the health of the UK financial market. I realised why so many payments industry professionals have recently started complaining about the FCA becoming stricter. I joined the payments industry when the regulator had already quite a strict attitude towards the UK Electronic Money Institutions and Payments Institutions, but things were quite different 3-4 years ago. I wrote this article as I see more changes to come, resulting in fewer authorisations, more fines, more cancelled authorisations, and more people banned from conducting regulated activities.
By reading this article, you will understand what transition from reactive to proactive means and what to expect from the FCA in the future.
The Payments Wild West
During my career as a consultant, I have opened e-wallet/payment accounts with more than 50 PSPs in the EU and UK, browsed websites of thousands of EU and UK EMIs, PIs, AISPs, RAISPs, and their agents and distributors. So far, I have seen a huge number of violations of the applicable regulatory framework starting from non-bank payment service providers calling themselves banks and misrepresenting the nature of their services and afforded protection, to PIs operating like EMIs. At conferences, I spoke with directors who did not have a clue about operating a non-bank PSP in a compliant manner.
You cannot imagine how many low-quality documents were produced by “compliance consultants” who even failed to erase the names of their previous clients from the documents they “drafted.” This coupled together with the lack of understanding of the regulatory perimeter from the side of the management of the firm is a perfect mix for a disaster. If you still do not understand what I mean by saying “The Payments Wild West,” you should read how business was conducted by a company called Premier FX…
EMIs and PIs were not taken seriously either by the high street banks, consumers, or the regulators. Did you expect in 2015 that a company that made a mobile payment app could have 17 million customers and be valued at 33 billion in 2021? When the second Electronic Money Directive was enacted, it was hard to imagine that companies can operate as they are operating now and that they are as exposed to fraud, scams, and money-laundering as the conventional banks.
Obviously, I am not the only one who have noticed the problems. In the next parts of the article, I will tell you how the FCA is addressing the issues I described above.
The FCA’s transition from reactive to proactive
There is no officially recognised distinction between a reactive and proactive regulator, but because PSP Lab helps clients in various jurisdictions, we can compare the FCA with other regulators. In a nutshell, a reactive regulator is the one that acts when something bad has already happened, while the proactive regulator actively intervenes and checks the operations of the companies it supervises by conducting various types of inspections to prevent something bad from happening. Such inspections can vary from being purely documentary (where regulator requests to provide certain reports, data or documentation) or on-site visits to review certain documentation, processes, systems, interview key personnel, or a combination of the two.
It is much more comfortable for a business to operate in a jurisdiction where the regulator is less proactive. For example, Lithuanian FinTech companies are always complaining that the Bank of Lithuania carries out too many inspections (see an excerpt from the BoL’s inspection plan for 2021 below). In Cyprus, non-bank PSPs must annually “renew” their licenses by providing certain documentation and getting a green light from the Central Bank of Cyprus.
In the UK, where the number of financial institutions under supervision is significantly higher than in Lithuania and Cyprus together, the FCA had been rarely proactive until recently. At PSP Lab, we noticed that the FCA became more proactive when the FCA started actively sending “Dear CEO Letters” back in 2020, and requesting the payments service actors to provide more information at the beginning of the COVID-19 pandemic. During its webinars, the FCA expressed more and more dissatisfaction with the quality of documents and data it was provided with. More and more companies were contacted by the FCA, and more inspections were made.
During the summer of 2021, the FCA confirmed that, unlike many other watchdogs who behave more like Chihuahuas, the FCA is more like a Staffordshire Bull Terrier. This summer, the FCA, for the first time in the past 8 years, initiated criminal proceedings under its anti-money laundering powers. For the first time, the FCA revoked temporary permissions to prevent four EU investment firms from marketing CFDs to UK retail consumers. Finally, for the first time, the FCA used a freezing injunction to secure several million pounds of assets on behalf of consumers with final salary pension schemes.
What should you expect in the future?
I guess you are wondering how the change in the FCA’s behaviour will affect you or your payments business. Below, I identified five main changes I expect to see in the nearest future.
Fewer companies will get an authorisation from the FCA
In its Business Plan, the FCA states that the application process will become more straightforward as there will be easier-to-use forms and better digital applications. However, the standards to which the FCA benchmarks the applicant will become higher because of a more intensive assessment and greater scrutiny of the applicant’s financial and business models. Moreover, something that was unthinkable just a couple of years ago may become a new norm – interviews of the persons that are managing PIs/EMIs. Currently, instead of a simple exchange of the written communication between the case officer and the applicant firm, very often the FCA conducts interviews on a case-by-case basis to assess the key personnel more accurately.
The Financial Conduct Authority explicitly indicates that it expects to turn down more applications for authorisation. It takes at least three times the FCA resource to cancel a firm’s permissions once it has been authorised than if it had been refused authorisation in the first place. In their business plan, the FCA says “we will expect refusal, withdrawal, and rejection rates to increase initially as we make the gateway more robust.”
Nikhil Rathi’, Chief Executive of the FCA has appointed a new Executive Director of Authorisations, Emily Shepperd, and ordered to recruit approximately 100 additional people who will be responsible for authorisations. Hopefully, as a result, companies will get a case officer faster as, currently, the waiting time for the case officer to be allocated often exceeds 3 months.
More intervention and tougher supervision
The FCA anticipates intervening more often in real-time to prevent any harm to consumers and market integrity. You should expect more supervisory and enforcement actions from the FCA in 2021-2022. Mr Rathi insists that in no scenario the FCA will ever return to a light touch, don’t-ask-don’t-tell philosophy.
The FCA recognises that the payment industry has evolved rapidly since the Payment Service Directive and Electronic Money Directive were enacted. While there are benefits of EMIs/PIs for consumers and businesses, the FCA is concerned about the pandemic’s impact on the financial strength of PSPs. The FCA’s supervisory work will focus on ensuring PI/s and EMIs are financially stable, and it will identify firms at risk and contact them proactively. From 31 March 2022 to 31 March 2025, the FCA will be assessing if payments firms are able to remain within their impact tolerances (the maximum tolerable amount of disruption to an important business service) to understand how effective the FCA’s work to improve the operational resilience of the financial sector has been.
Moreover, there will be stronger oversight for newly authorised companies, which the FCA calls ‘a regulatory nursery’ to identify the potential harm to the market. When a company applies to get a license, it presents a business plan. However, a programme of operations and a business plan may change, and the FCA wants to make sure that the companies keep up with their initial plans and if there is a change, the FCA is duly notified and can assess a possible negative impact. This is a rule of thumb for authorised PSPs, however, not many of them were considering that such changes are mandating notification of the regulator, although, it is as it is part of the disclosure obligations as per Principle 11 of PRIN.
Higher standards and more guidance
During recent years, the FCA has been continuously raising standards for non-bank payment services providers. The regulator focuses on making sure that FinTech companies do not harm consumers and that they are resilient.
For example, in 2019, the FCA made sure that the Principles and Chapter 2 of the BCOBS apply to EMIs and PIs. It at least means that similar marketing rules apply to PIs/EMIs and banks. Currently, the FCA has an idea to create a so-called “A new Consumer Duty.” This Consumer Duty will equally apply to bank and non-bank institutions and will impose on EMIs/PIs even more obligations towards consumers.
Regulated entities must have adequate capital, liquidity and reserves to cover outstanding redress liabilities, and the goal of the FCA is to ensure companies it supervises cease their operations only in an orderly manner. The FCA obliged non-bank PSPs to have a wind-down plan (P.S. you can read our comprehensive article explaining how to draft a nearly perfect FCA wind-down plan). In March 2021, the FCA has issued final rules on operation resilience aimed to increase and enhance firms’ operational resilience.
The FCA publishes more and more guidance for different types of firms. During the pandemic, it issued guidance for payment and e-money firms to strengthen firms’ prudential risk management and arrangements for safeguarding customers’ funds. Most recently, the watchdog ordered PayTechs to explain to customers the difference between safeguarding e-money accounts and FSCS coverage. It promised to raise safeguarding and wind-down planning standards through targeted communications, reviewing EMIs/PIs’ arrangements and safeguarding audits.
Following its call for evidence in 2020 as part of its Payments Landscape Review, the FCA continues developing policies and recommendations for payments firms, and we can expect more and more regulations and guidance directed to PSPs.
Revocation of authorisations
By being more proactive and increasing its capability to detect signs of misconduct and act faster, the FCA expects a short-term increase in the number of firms whose authorisations will be restricted (suspended temporarily or even revoked permanently).
The watchdog will target not only bad actors but also inactive companies. In recent years, I have seen a lot of licensed companies that did not start operation as their shareholders wanted to sell a so-called “Ready-made Licensed UK company.” You should read our article explaining why “EMI License for Sale” is not the best choice.
Moreover, there are many companies that do not use their licenses for other reasons. In the best-case scenario, it happens because a company operates as a distributor of an e-money firm or an agent of a payment institution, and, in fact, it does not use its own license. In the worst-case scenario, a firm uses a “halo effect’ of regulation by using its license to make sure that its unregulated activities appear more trustworthy.
The FCA will be more actively undertaking a ‘use it or lose it’ approach by cancelling permissions of regulated companies where they haven’t started carrying out regulated activities within 12 months from the date of receipt of the authorisation. A lively example of the new approach is the Binance case.
Firms will have to become more transparent.
The FCA plans to publish more data about companies it supervises, make sure that consumers have enough information to make informed decisions, and incentivise firms to improve their conduct. The data will include regulatory data previously not available publicly, such as Financial Ombudsman Service complaints and uphold rates. I expect that FinTech will have to become more transparent. For example, banks, including neobanks such as Monzo and Starling, are already obliged to disclose their complaints data, and I expect this requirement to be expanded to PIs and EMIs.
How PSP Lab can help
PSP Lab is a FinTech consultancy focused primarily on the payments services sector. We help companies to get authorisation as non-bank e-money and payment services providers. Furthermore, we provide ongoing consulting services and help companies to be compliant and not be afraid of the inspection conducted by the FCA.