Payments View - March 2023

This month's edition covers a warning from the FCA on ‘unacceptable’ risks, updates on APP fraud and the regulatory initiative grid.

30 March 2023

Publication

Whilst we all digest the reports on the Digital Pound, Open Banking and BNPL covered in our last, bumper edition of Payments View, this month we cover a stark warning from the FCA on 'unacceptable' risks in the sector, further updates on APP fraud and the FCA's regulatory initiatives grid. For those in the space who have been affected by Silicon Valley Bank, we'd also suggest looking to our Insights page; both a podcast and FAQ are available and our team on this matter can be reached here.

If any of these topics spark further questions or if you know someone who might want to track these developments through the future editions of Payments View, please do let us know.

Dear CEO letter: 'Unacceptable' risks in payments firms says FCA

The FCA has written to nearly 300 payment companies highlighting concerns that many payments firms don't have sufficiently robust controls and that as a result "some firms present an unacceptable risk of harm to their customers and to financial system integrity".

In the wide-ranging letter the FCA says that, whilst it welcomes the competition and innovation that has flourished in the UK's payments sector, it sees what it regards as a number of key failings across the payments industry. In particular, the letter highlights concerns over:

  • Wind-down planning: where "many firms have not yet created wind down plans and the plans that we have reviewed frequently fail to meet our expectations";
  • Safeguarding: where it has found that some firms don't have documented processes for consistently identifying which funds are 'relevant funds';
  • Prudential Risk management: including a lack of appropriate liquidity risk management or scenario planning and stress-testing;
  • Money Laundering & Sanctions: where work over the past two years has identified "material issues with financial crime systems and controls at PIs and EMIs";
  • Fraud prevention: with general weaknesses in controls being exacerbated, in the FCA's mind, by the current cost of living crisis; and
  • Adoption of the Consumer Duty.

This shot across the bow of the industry concludes with a warning that the FCA "will continue to intervene using our full range of supervisory tools" and that "In cases where firms can't meet the conditions for authorisation, we will take more assertive action sooner and will remove or sanction firms who cannot or will not meet our standards."

With the increasing scrutiny being placed on the industry and significant regulatory changes coming (most immediately in relation to the Consumer Duty, with broader changes on fraud prevention and potential changes to the PSRs and EMRs), this Dear CEO letter is a useful guide to understanding the FCA's focus and, if necessary, future enforcement.

If you had any concerns about the above, please do get in touch for a quick discussion and see the summary of the FCA's survey of fast-growing firms below.

APP fraud updates: PSR told to 'get their skates on' plus updated CRM code

Further criticism came this month of the PSR's proposed measures to tackle APP fraud, with the Treasury Committee calling the proposals to reimburse scam victims "half-baked" and calling on regulators "to get their skates on". 

In particular, the Treasury Committee was not best pleased about the lack of clarity over the meaning of 'gross negligence', which acts as an exclusion under the proposed rules. As covered in the October 2022 edition of Payments View, consumers who show 'gross negligence' will not, in most circumstances, need to be reimbursed. The Treasury Committee asked what actions would count as gross negligence and the PSR confirmed that the meaning of this will only be clarified "as complaints begin to be arbitrated by the Financial Ombudsman Service".

This update comes as the Lending Standards Board has provided an updated contingent reimbursement model code for APP scams as part of its March 2023 update. The LSB explains that the updates to the CRM code require signatory firms to go further in identifying new and existing accounts that are at higher risk of being used by criminals. By no later than December 2023, firms under the CRM code must monitor the payments they are receiving to help them identify suspicious inbound payments and accounts that might be being used by scammers. 

The PSR has also provided a summary overview of how they intend to publish APP fraud data. The 14 directed groups will be required to provide the PSR with the first set of data by May 2023. The regulator then expects to publish this data in October, and on a six-monthly basis thereafter. As covered last month, this will (in line with the PSR's consultation) cover:

  • the proportion of APP scammed customers who are "left out of pocket";
  • sending PSPs' APP scam rates, as a measure of fraud incidence at the PSP; and
  • receiving PSPs' APP scam rates (not including any money that has been returned to the victims). 

If you had any thoughts on this or wanted to discuss where the scope of 'gross negligence' might lie (before complaints end up at the FOS), please do get in touch.

The FCA has published its Regulatory Initiatives Grid

The latest Regulatory Initiatives Grid (the "Grid") has been published. The Grid is updated twice a year and sets out the details of regulatory initiatives relevant to the financial services sector which are planned for the next 24 months. The foreword notes that this Grid includes the "opportunities provided by the Edinburgh Reforms, including the Government's policy statement 'Building a Smarter Financial Services Framework for the UK', [which] will impact the regulatory pipeline and initiatives over the coming years". Particular payments initiatives of note include updates on:

  • Confirmation of Payee Specific Direction 17 - implementation for Group 1 firms expected Q3 2023 and Group 2 in Q3 2024.
  • further consultations on APP fraud - with a Policy Statement on Measure 3 expected Q2 2023.
  • consultation on changes to safeguarding requirements for payments and e-money institutions - with a Consultation Paper expected this half of 2023 and final rules published "end 2023/early 2024".
  • the market review of card scheme and processing fees - with further consultation expected Q2-4 this year and a final decision on remedies expected Q4 2024.
  • consultations on rules for stablecoin regime - including a Consultation Paper in Q2 2023.
  • the Consumer Duty - with this coming into force for open products in July.
  • the FCA's Discussion Paper on 'Big Tech' (covered in our November edition) - with a Feedback Statement expected this half of 2023.
  • updates to the supervisory approach to wholesale cash - expected from the BoE in Q2 2023 and a further consultation from the FCA expected in Summer.

A short update is expected following Royal Assent of the Financial Services and Markets Bill with the next edition of the Grid due at the end of 2023.

FCA findings on 'Fast-Growing Firms'

Earlier this month, the FCA published a summary of the findings of its three-year, multi-firm review of 'fast-growing firms', flagging concerns over risk management frameworks, governance arrangements, financial resourcing assessments and "inadequate" wind-down plans. It is unclear how closely we are expected to read these across to the FCA's most recent Dear CEO letter, above.

The FCA had focused on 25 solo-regulated firms across fast-growing payment services, contract for differences providers and wealth managers, but notes that "all firms that have grown rapidly, or have plans to do so, should read our findings and consider whether they need to make changes to their own arrangements."

The regulator found that, for most firms, "unsustainable and inadequately planned growth" had apparently created key issues with firms' risk and governance frameworks leading to an increased risk of harm in the event of firm failure and an increased risk of poor outcomes for consumers. Where issues were identified, it seems as if the FCA took quite direct action - arranging detailed letters, recommending next steps and calling firms on the apparent issues.

Whilst these specific suggestions have not been published, the summary does include general lines in the sand, flagging where the FCA seems to have concerns over its expectations of firms. These include:

  • Having robust plans in place to understand likely future growth, and to maintain sufficient resources to manage growth or unexpected stress.
  • Taking action on risk management frameworks and governance arrangements to ensure that they remain proportionate and fit for purpose.
  • Ensuring that the assessment of adequacy of financial resources is "commensurate with the size, complexity and forecast growth of the business" and includes regular, "proportionate" stress testing and scenario analysis - something the FCA did not see across 'most firms' in the review.
  • Ensuring that wind-down plans are robust.
  • Providing accurate and complete data in their regulatory submissions.

If you had any concerns about the above, please do get in touch.

Updates at the PSR: Annual Plan event and new senior advisors

The PSR has announced that there will be a stakeholder event on Tuesday 9 May (08:30 - 14:00) regarding its 2023/24 Annual Plan at etc.venues St Paul's, 200 Aldersgate, London, EC1A 4HD as well as online (for the opening section).

The session will begin with introductions from Chris Hemsley, Managing Director, and Aidene Walsh, PSR Chair, followed by a live panel session to discuss the horizon for payments in 2023 (this section will be available to join remotely 09:00 - 10:00). Breakout sessions covering APP fraud, Open Banking and digital currencies will then be held.

The PSR has also appointed two new senior advisers, Tessa Lyndon-Skeggs and Rob Kenny, to provide advice and challenge and to help the PSR prioritise. Full biographies from the PSR are set out here.

CFIT and OFRA

Two new regulatory bodies could come to grace the financial services industry in the form of the nascent Centre for Finance, Innovation and Technology ("CFIT") and the proposed Office for Financial Regulatory Accountability ("OFRA"). The former (recommended by the Kalifa Review) aims to bring together FinTech experts to address opportunities and barriers for innovation in the UK with Charlotte Crosswell as Chair. The latter, as its name suggests, is envisioned as a regulator of regulators - tasked with providing "evidence-based analysis of how the FCA and PRA are doing at the objectives they have been set".

  • CFIT's first major announcement will be the establishment of financial innovation hubs across the UK - particularly flagging "key growth centres" such as Leeds. Crosswell said CFIT would act as a "central convening force" for the fintech sector and would bring together "coalitions of experts". The government will provide £5mn in seed funding, with an additional £500,000 from the City of London Corporation. CFIT's Steering Group Terms of Reference have also been published.
  • OFRA, on the other hand, has been suggested as part of proposals in a recent House of Lords debate. Andrew Griffith (responding to the proposal as Economic Secretary to the Treasury) did not give any indication that the government would press forward with this suggested new body, but did in his response point to the existing and "particularly useful" powers of the Treasury to instruct independent reviews of the FCA and PRA. Following the now-shelved 'call in' power, it will be interesting to see if this regulator of regulators idea is taken further.

News Flash

  • Two consultations of interest are closing next month:
    • Payment Services Regulations Review and Call for Evidence - closing 7 April
    • Regulation of Buy-Now Pay-Later: consultation on draft legislation - closing 11 April
  • The PSR has issued a call for views on its first annual review of the specific direction issued to Link on maintaining free-to-use ATMs in the UK. The call for views closes at 5pm on 21 April 2023. 
  • Klarna has started charging late fees for missed payments as the industry begins to shift and with new regulations (covered in last month's Payments View) on the horizon.
  • Worldpay has published the 7th edition of its Global Payments Report, which explores payment habits in 40+ markets.
  • At the start of last month, the EBA launched its 2023 EU-wide stress test of the European banking sector.
  • The OBIE has published a 'thought leadership' piece on VRPs for sweeping and non-sweeping use cases, building on the updates in last month's Future of Open Banking in the UK report.
  • The Memorandum of Understanding between the BoE, PRA, FCA and PSR has been reviewed, with the relevant authorities identifying that it is working well. As part of this review, the authorities identified (i) effective cross-authority coordination on reforms to legislation and (ii) further enhancing the sharing of information and data as key foci for future cooperation and coordination over 2023-2024.
