Adding Payment Services Permissions: A VoP Guide for PIs and EMIs

Introduction

Payment institutions and electronic money institutions authorised under the Payment Services Regulations 2017 (PSRs) and Electronic Money Regulations 2011 (EMRs) may wish to expand their service offering by adding new payment service types to their existing authorisation. This is achieved through a variation of permission (VoP) application to the FCA.

This guide covers the practical considerations for PIs and EMIs seeking to add payment services, including the specific requirements for different service types.

Payment Service Types Under the PSRs

The PSRs define several categories of payment service:

• Service 1: Services enabling cash to be placed on a payment account and all operations required for operating the account
• Service 2: Services enabling cash withdrawals from a payment account
• Service 3: Execution of payment transactions (direct debits, card payments, credit transfers)
• Service 4: Execution of payment transactions where funds are covered by a credit line
• Service 5: Issuing of payment instruments and/or acquiring of payment transactions
• Service 6: Money remittance
• Service 7: Payment initiation services (PIS)
• Service 8: Account information services (AIS)

Each service type has specific regulatory requirements, and adding a new service type requires the firm to demonstrate that it meets those requirements.

Adding Money Remittance (Service 6)

Money remittance is one of the most commonly added payment services. Key requirements include:

• AML/CTF framework. Money remittance presents higher financial crime risk than many other payment services. The firm must demonstrate a robust AML framework tailored to remittance risks, including enhanced CDD for higher-risk corridors, transaction monitoring calibrated to remittance patterns and effective sanctions screening.
• Agent network management. If the firm will use agents to provide remittance services, it must demonstrate adequate agent DD, registration and monitoring arrangements.
• Safeguarding. The firm must confirm that its safeguarding arrangements will accommodate remittance-related funds and that daily reconciliation processes will cover the additional flow.
• Capital adequacy. The firm's own funds calculation must be recalculated to include projected remittance volumes. Depending on the calculation method, this may significantly increase the minimum capital requirement.

Adding Payment Initiation Services (Service 7 — PIS)

PIS, introduced under PSD2 and the PSRs 2017, allows the firm to initiate payments from a customer's bank account on behalf of the customer. Adding PIS requires:

• Professional indemnity insurance (PII). PIS providers must hold PII or a comparable guarantee covering their liability under the PSRs, including liability for unauthorised or incorrectly executed transactions.
• Strong customer authentication (SCA). The firm must implement SCA in accordance with the FCA's requirements and the Regulatory Technical Standards on SCA and common and secure communication.
• API integration. PIS providers must be able to communicate securely with account servicing payment service providers (ASPSPs — typically banks) through dedicated interfaces (APIs). The firm must demonstrate technical readiness for these integrations.
• Security. Enhanced security requirements including incident management, risk assessment, security-sensitive data handling and periodic security audits.
• Operational resilience. Robust business continuity and disaster recovery arrangements specific to PIS operations.

Adding Account Information Services (Service 8 — AIS)

AIS allows the firm to access and consolidate information from a customer's payment accounts held at other providers. Requirements include:

• PII or comparable guarantee. Similar to PIS, AIS providers must hold appropriate PII.
• SCA and secure communication. Compliance with SCA requirements when accessing customer account data.
• Data protection. AIS providers handle sensitive financial data. The firm must demonstrate robust data protection arrangements, including GDPR compliance, data minimisation, encryption, access controls and clear customer consent mechanisms.
• API readiness. Technical capability to integrate with ASPSP dedicated interfaces.
• Limited data use. AIS providers may only access data that the customer has explicitly consented to share, and may only use it for the account information service requested by the customer.

Adding Card-Based Payment Services (Service 5)

Firms wishing to issue payment instruments (e.g., prepaid cards) or acquire payment transactions (merchant acquiring) must address:

• Card scheme membership. Most card issuance and acquiring requires membership of card schemes (Visa, Mastercard). The firm must obtain scheme membership or demonstrate a partnership arrangement with a scheme member.
• PCI DSS compliance. Firms handling cardholder data must comply with the Payment Card Industry Data Security Standard. This requires significant technical investment and periodic certification.
• Fraud prevention. Robust fraud prevention measures including transaction monitoring, velocity checks, geolocation checks and customer authentication.
• Safeguarding. For prepaid card issuers, safeguarding arrangements must cover funds loaded onto cards.

The Application Process for PIs and EMIs

The VoP application process for PIs and EMIs follows the same general structure as for other FCA-authorised firms:

Step 1: Identify the specific payment services to be added. Ensure the regulatory perimeter analysis is correct and the right service types are identified.

Step 2: Conduct a gap analysis. Assess current arrangements against the requirements for the new services. Identify gaps in capital, compliance, systems, staff and processes.

Step 3: Prepare supporting documentation. This includes:

• Updated business plan covering the new services
• Revised own funds calculation including projected volumes for the new services
• Updated AML/CTF risk assessment reflecting new service risks
• Updated compliance policies and procedures
• Evidence of technical readiness (particularly for PIS and AIS)
• PII certificates (for PIS and AIS)
• Staff competence evidence
• Updated safeguarding arrangements

Step 4: Submit through FCA Connect. Complete the variation application form and upload all supporting documentation.

Step 5: Respond to information requests. The FCA will typically request additional information or clarification. Respond promptly and comprehensively.

Capital Implications

Adding new payment services may significantly affect the firm's minimum capital requirement. The own funds calculation under the PSRs is based on the firm's payment transaction volumes (Method A, B or C). Adding high-volume services such as card acquiring or money remittance can substantially increase the capital requirement. The firm must:

• Recalculate its own funds requirement under all applicable methods
• Confirm that it has (or will have) sufficient capital to meet the revised requirement
• Include capital projections for three years showing continued compliance

Practical Tips

• Begin preparation at least 6 months before the intended submission date
• For PIS and AIS, ensure API integration is technically proven before applying — the FCA will want evidence of readiness, not just intent
• Update the firm's AML risk assessment to specifically address the new service risks
• If adding services that require PII, obtain quotes and confirm insurability early — some insurers have limited appetite for PIS/AIS coverage
• Consider the impact on existing safeguarding arrangements and ensure the safeguarding infrastructure can handle increased volumes
• Engage with the FCA through a pre-application meeting for complex variations

Regulatory Outlook

The FCA continues to encourage innovation in payment services while maintaining robust consumer protection standards. Firms that can demonstrate genuine operational readiness — not just a paper exercise — will find the VoP process smoother. The FCA's assessment is increasingly focused on outcomes: can the firm actually deliver the new services safely, compliantly and in a way that delivers good customer outcomes?