
Freshfields Risk & Compliance


UK FCA sets out key expectations of payments firms in “Dear CEO” letter

On 3 February 2025, the UK’s Financial Conduct Authority (FCA) published a Dear CEO letter to payments firms that are supervised by the FCA (including payment institutions and e-money institutions), setting out three key outcomes:

1. Effective competition and innovation to meet customers’ needs, characteristics and objectives.

2. Firms do not compromise financial system integrity.

3. Firms keep customers’ money safe.

As an overarching point for each outcome, the FCA identifies the importance of governance, oversight and leadership, noting that weaknesses in these areas are a root cause of many of the regulatory issues that it sees in the payments portfolio.

We look at each of these outcomes further below, but it is particularly interesting to consider the wider context in which the letter was published.  As we identified in our financial services trends briefing and our 2025 fintech predictions, the payments regulatory landscape is changing all across the globe and the UK is no different.  The FCA’s letter references the UK Government’s recently published National Payments Vision, which set out the UK’s ambition for a trusted, world-leading payments ecosystem delivered on next-generation technology (which we covered as part of our Mansion House post in November 2024).  Of course, the FCA will also have in mind its secondary competitiveness and growth objectives and the clear steer from the UK government to regulate for growth (as further expanded on in our recent post).

The outcomes in the letter also tie in very neatly with other key trends and themes that we identified: financial crime (which feels like an evergreen hot topic), protection of retail consumers and expanding scrutiny of senior manager conduct. Further, the letter refers to open banking as a policy priority where firms will need to be prepared for change and alludes to innovative advances such as digital currencies (both also identified in our trends pieces). 

 

Outcome 1: effective competition and innovation to meet customers’ needs, characteristics and objectives 

Innovation

The FCA notes that competition and innovation have benefited customers in areas such as Open Banking, which remains a policy priority as the FCA focuses on development of the Future Entity, premium APIs and long-term regulatory framework. In line with the National Payments Vision, the FCA reiterates its commitment to supporting innovation by measures such as the Innovation Hub and devoting more support to the Early and High Growth Oversight function.

The letter calls on firms looking to offer new and innovative products and services to speak to the FCA and attend Tech and Policy Sprints to share insights, indicating the regulator’s stance to engage in proactive communication. 

Consumer Duty

Noting the FCA’s multi-firm review of Consumer Duty implementation in payment firms, the letter reiterates the findings that while many firms have implemented the Consumer Duty, a significant portion of firms have more to do (see our recent post for a summary of the findings of the review). 

The FCA intends to continue monitoring firms’ implementation of the Consumer Duty (and support firms through remediation of deficiencies) and will take action against firms that consistently fail to meet the standards of the Consumer Duty or to demonstrate reasonable steps to remediate any deficiencies. A specific priority for the FCA will be the assessment of foreign exchange pricing in payment services, in particular the extent to which firms help ensure consumers clearly understand the price they pay for such services.

 

Outcome 2: firms do not compromise financial system integrity 

As part of its outcome relating to integrity of the financial system in the payments sector, the FCA identifies that two of its focus areas are financial crime and operational resilience. 

Financial crime

Reducing and preventing financial crime remains a key commitment for the FCA. In a similar vein to the commentary on the Consumer Duty, the FCA notes that whilst some firms have significantly enhanced their financial crime controls, there is still more for firms to do. 

The FCA also refers to the Payment Systems Regulator’s reimbursement requirements for authorised push payment (APP) fraud (see here) and notes its expectation that firms’ approaches to compliance (and to “on-us” or intra-firm APP fraud) ensure good consumer outcomes for APP fraud victims in line with the Consumer Duty.  For unauthorised fraud, the FCA expects firms to show the same diligence as with APP fraud.

We discussed the FCA’s September 2024 consultation proposing changes to allow payment processing delays (here), noting that the proposed amendments would address, amongst other things, how the FCA would monitor and evaluate the implementation of the payment delays legislation. In its letter, the FCA confirms that it will continue to monitor the impact of this legislation and states that it expects firms to minimise the impact on legitimate payments if payment delays are applied. 

Operational resilience

The FCA’s final rules and guidance on operational resilience came into effect on 31 March 2022 with a three-year transitional period that will end on 31 March 2025. The FCA reminds firms that they must have performed mapping and testing so that they are able to remain within impact tolerances for each important business service.

The FCA identifies cyber-attacks, IT system outages, and third-party supplier failure as operational disruptions that have the potential to cause harm to consumers, threaten the viability of firms and cause instability in the financial system. The FCA flags in the letter that it has seen weaknesses in some firms’ technological resilience, which is, in some cases, coupled with a lack of oversight of change programmes, which has resulted in weakened resilience and/or business interruption.

 

Outcome 3: firms keep customers’ money safe 

Protection of customer funds in the payments sector has been an area of focus for the FCA for several years (see, for example, the relatively new special administration regime which includes an express objective regarding the return of relevant funds).  The FCA’s letter outlines areas of focus in this area as follows.

Safeguarding

Following a consultation on changes to the safeguarding regime for payments and e-money firms in September 2024 (which you can read about here), the FCA will be publishing final interim rules in mid-2025 and the letter alerts firms to start preparing for necessary changes.  

As required under the relevant legislation and in the FCA’s approach document, firms should: 

  • identify which funds are relevant funds for the purposes of safeguarding; 
  • ensure that their books and records are up to date and accessible, including by undertaking daily reconciliations, notifying the FCA of material adverse findings and taking immediate action to rectify such findings; and
  • if using safeguarding insurance, consider potential changes in its availability and cost when assessing their financial resilience.

Prudential risk

To effectively manage prudential risk, firms are expected to ensure that they meet regulatory capital requirements and have adequate financial resources at all times, as well as to consider and manage financial risks.

Wind-down planning

Firms are reminded by the FCA in the letter that they should maintain effective and actionable wind-down plans, taking into account obstacles to an orderly wind-down. 

 

Overarching reminder: governance, oversight and leadership

A recurring observation in this letter is that weakness in governance, oversight and leadership is a root cause of various regulatory issues that the FCA sees. As part of ensuring that their governance, oversight and leadership meet the FCA’s expectations, the FCA notes that firms should:

  • ensure governance arrangements and systems and controls, including reporting mechanisms, are effective and proportionate to the nature, scale, and complexity of the business, and the risks to which it is exposed; 
  • ensure arrangements provide effective and independent challenge to business and operational decisions, with non-executive directors playing a crucial role;
  • take a robust and holistic approach to maintain active oversight of agents and distributors; and
  • ensure outsourced functions are working as intended and remain compliant with relevant obligations.

The FCA notes in the letter that UK-authorised payment institutions and e-money institutions must have their head office in the UK, and directors and senior management who direct the firm on a day-to-day basis should be based in the UK head office.

Finally, the letter specifies that the FCA expects CEOs and the board to discuss this letter and take necessary steps to deliver on the outcomes set by the FCA - the FCA will be engaging with firms to ensure this is the case.
