Outsourcing Obligations for Payment Institutions and EMIs Under FCA Rules

Regulatory Counsel · March 2026 · 8 min read

Key Takeaways

  • The FCA's outsourcing requirements for payment institutions are set out in SYSC 8 of the FCA Handbook and Regulation 24 of the PSRs 2017. Outsourcing of important operational functions is subject to specific regulatory conditions.
  • Outsourcing does not outsource regulatory accountability. The FCA holds the regulated firm — not the service provider — fully responsible for the outsourced function's regulatory compliance.
  • Firms must conduct pre-contract due diligence on the service provider, including assessment of financial stability, technical capability, business continuity, data security and regulatory track record.
  • Material outsourcing contracts must include specific provisions covering: performance standards, audit and access rights, data protection, business continuity, sub-outsourcing restrictions, and exit and transition planning.
  • The FCA must be notified of outsourcing arrangements for important operational functions. Firms must maintain a register of all outsourcing arrangements and review them at least annually.

Outsourcing is integral to the business models of most payment institutions and electronic money institutions. Few firms maintain all operational capabilities in-house — common outsourced functions include transaction processing, IT infrastructure, AML transaction monitoring, KYC verification, card production, call centres, accounting and regulatory reporting. The FCA recognises that outsourcing can deliver operational efficiency, access to specialist expertise and cost savings. However, the regulatory framework imposes specific obligations on firms that outsource important operational functions, reflecting the principle that regulatory accountability cannot be delegated to a third party.

The Regulatory Framework

The FCA's outsourcing requirements for payment institutions derive from two primary sources: Regulation 24 of the PSRs 2017, which sets out conditions for outsourcing by payment institutions; and SYSC 8 of the FCA Handbook, which applies the general outsourcing requirements to all FCA-authorised firms, including PIs and EMIs.

Regulation 24 of the PSRs 2017 provides that a payment institution must not outsource important operational functions in a way that materially impairs the quality of the firm's internal controls or the FCA's ability to supervise the firm's compliance. Outsourcing of important operational functions must be notified to the FCA. The firm must ensure that the outsourcing does not result in the delegation of senior management responsibility, reduce the quality of the firm's governance, increase operational risk, impair the ability of the FCA to access data or premises, or affect the firm's ability to meet its regulatory obligations.

What Constitutes Important Operational Functions?

Not all outsourcing is subject to the enhanced requirements. The FCA distinguishes between routine outsourcing (e.g., cleaning, catering, facilities) and outsourcing of important operational functions — those whose failure or poor performance would materially affect the firm's ability to meet its regulatory obligations, financial stability or continuity of services.

For payment institutions and EMIs, functions commonly classified as important operational include: core payment processing and transaction execution; card issuing and management; AML and financial crime monitoring; KYC and customer onboarding; IT infrastructure and cybersecurity; safeguarding account management and reconciliation; regulatory reporting; and customer complaint handling. The firm must make its own assessment of which functions are important operational functions — there is no definitive FCA list.

Pre-Contract Due Diligence

Before entering into an outsourcing arrangement for an important operational function, the firm must conduct thorough due diligence on the proposed service provider. The FCA expects the due diligence to cover: the provider's financial stability and viability; technical capability and track record in delivering the relevant service; information security and data protection arrangements (including UK GDPR compliance); business continuity and disaster recovery capabilities; regulatory status and any history of regulatory action; sub-outsourcing arrangements (whether the provider itself outsources material elements to further third parties); and the provider's willingness to grant the firm and the FCA appropriate audit and access rights.

The due diligence should be proportionate to the criticality of the function being outsourced. A firm outsourcing its core transaction processing to a third party should conduct more intensive due diligence than a firm outsourcing its website hosting.

Contractual Requirements

Material outsourcing contracts must include specific provisions that protect the firm's regulatory position. The FCA expects contracts for important operational functions to include: clear description of the services to be provided and the performance standards (SLAs) expected; the firm's right to monitor and audit the provider's performance, including on-site access; data protection obligations, including compliance with UK GDPR and restrictions on data processing, transfer and storage; business continuity and disaster recovery obligations, including testing requirements; restrictions on sub-outsourcing — the provider should not be permitted to sub-outsource material elements without the firm's prior written consent; provisions allowing the FCA (or its appointed agents) access to the provider's premises, personnel and records; termination rights — the firm must be able to terminate the arrangement if the provider fails to meet its obligations or if the arrangement ceases to comply with regulatory requirements; and exit and transition planning — the contract must provide for orderly transition of the service to an alternative provider or back in-house.

Ongoing Monitoring and Governance

The firm's obligations do not end when the contract is signed. The FCA expects firms to maintain ongoing oversight of all outsourced important operational functions, including: regular performance monitoring against SLAs; periodic due diligence reviews (at least annually); incident reporting and escalation procedures; regular governance reporting on outsourcing arrangements to the board or relevant committee; and maintenance of a comprehensive outsourcing register that records all arrangements, risk assessments, review dates and responsible individuals.

The firm's governance structure should clearly allocate responsibility for each outsourcing arrangement to a named senior manager under the SMCR (or equivalent governance framework for firms outside full SMCR scope). This individual should receive regular reports on provider performance and any material incidents.

FCA Supervisory Focus

The FCA has identified outsourcing risk as a priority supervisory area for payment institutions and EMIs. This focus has intensified with the introduction of the critical third-party oversight regime and growing concern about concentration risk in the sector — where multiple payment firms rely on the same small number of service providers for core functions. The FCA has highlighted specific concerns including: firms that have outsourced core functions but lack the in-house expertise to monitor provider performance; contracts that do not meet the regulatory minimum for audit access or termination rights; inadequate exit planning — firms that would be unable to maintain services if a provider relationship ended abruptly; and concentration risk where the failure of a single provider could affect multiple regulated firms simultaneously.

Regulatory Counsel advises payment institutions and EMIs on outsourcing governance, contractual frameworks, FCA notification requirements and regulatory compliance. Contact us for a free initial consultation.

Frequently Asked Questions

Does outsourcing transfer regulatory responsibility to the service provider?

No. The FCA holds the regulated firm fully responsible for the outsourced function's regulatory compliance. Outsourcing does not outsource accountability.

Which outsourcing arrangements are subject to the enhanced FCA requirements?

Outsourcing of important operational functions — those whose failure would materially affect the firm's ability to meet regulatory obligations, financial stability or service continuity.

What provisions must a material outsourcing contract include?

Performance standards, audit and access rights (including for the FCA), data protection, business continuity, sub-outsourcing restrictions, termination rights and exit/transition planning.

How often must outsourcing arrangements be reviewed?

At least annually. The FCA expects ongoing performance monitoring against SLAs, periodic due diligence reviews and regular board-level governance reporting.