Payment institution compliance obligations in the UK do not end at the point of FCA authorisation — they intensify. An FCA-authorised payment institution is subject to continuous regulatory requirements under the Payment Services Regulations 2017 (PSRs 2017), the Money Laundering Regulations 2017 (MLRs 2017), the FCA Handbook (including SYSC, SUP and the Approach to Payment Services sourcebook) and, from August 2025, the enhanced safeguarding requirements under PS25/12. Failure to meet ongoing obligations is the most common reason for FCA supervisory intervention, enforcement action and, in serious cases, cancellation of authorisation. This article sets out every material ongoing obligation that UK payment institutions must fulfil.
What Are Payment Institution Compliance Obligations?
Payment institution compliance obligations are the regulatory requirements that FCA-authorised payment institutions (APIs) and registered small payment institutions (SPIs) must satisfy on a continuing basis after receiving authorisation. These obligations are imposed by statute (PSRs 2017, MLRs 2017, POCA 2002), by FCA rules (SYSC, SUP, Approach to Payment Services) and by supervisory expectations communicated through Dear CEO letters, policy statements and thematic reviews. The obligations cover regulatory reporting, anti-money laundering programme maintenance, governance and personnel changes, conduct of business, complaints handling, and responsiveness to FCA supervisory engagement. For APIs, safeguarding of client funds is a mandatory ongoing obligation, enhanced by PS25/12 (effective 7 May 2026). SPIs are not legally required to safeguard but may opt in voluntarily. Non-compliance is not a theoretical risk — the FCA has cancelled the authorisation of payment institutions for ongoing compliance failures including safeguarding shortfalls, AML deficiencies and failure to submit regulatory returns.
Who Must Comply?
This requirement applies to:
- All FCA-authorised payment institutions (APIs) providing regulated payment services under PSRs 2017
- All FCA-registered small payment institutions (SPIs)
- Agents of payment institutions, where the principal institution is responsible for the agent's compliance
- Firms authorised under both PSRs 2017 and EMRs 2011 where payment services are provided alongside electronic money issuance
- Payment institutions providing services under the temporary permissions regime following Brexit
- Electronic money institutions to the extent they provide payment services in addition to issuing e-money
- Payment institutions operating through branches or passporting under legacy EEA arrangements
Key Ongoing Regulatory Requirements
RMAR regulatory reporting. Payment institutions must submit their annual Retail Mediation Activities Return (RMAR) via the FCA's RegData system (which replaced the Gabriel reporting platform). The RMAR for payment institutions includes sections on firm details, payment service volumes, safeguarding data, complaints volumes, financial resources calculations and revenue. The return is due annually within 80 business days of the firm's accounting reference date. Late or inaccurate RMAR submissions are a common FCA enforcement trigger — the FCA publishes lists of firms that fail to submit on time and may impose financial penalties. Firms should establish internal data collection processes well in advance of the reporting deadline to avoid last-minute errors.
Daily safeguarding reconciliation. Under PS25/12 (published August 2025, effective 7 May 2026), all authorised payment institutions and EMIs holding client funds must perform a daily reconciliation of safeguarded balances. This requires reconciling the total amount held in safeguarding accounts against the firm's total client fund obligations. Any shortfall must be topped up by the end of the same business day. The reconciliation must be documented with a full audit trail, signed off by an appropriately senior individual, and records must be retained for a minimum of five years. Firms must also submit to an annual independent safeguarding audit by an external auditor, with the audit report presented to the board and available to the FCA on request. Note: SPIs are not subject to mandatory safeguarding requirements but may opt in voluntarily.
AML programme maintenance. The initial AML programme submitted with the FCA application is not a static document. Under the MLRs 2017, firms must maintain their AML framework as a living document. The business-wide risk assessment must be reviewed at least annually and updated whenever the firm's risk profile changes — for example, entering new markets, adding new products, or experiencing changes in customer demographics. CDD procedures must be applied consistently. The MLRO must produce an annual MLRO report to the board summarising SAR activity, compliance monitoring results, emerging risks and recommended improvements. Staff training must be refreshed at least annually and whenever significant regulatory changes occur.
Material change notifications. The FCA requires payment institutions to notify it before making material changes to their business. Material changes include: significant changes to the business model or payment services offered; changes to the firm's governance structure including new directors or senior managers; changes in qualifying holdings (ownership above 10%); outsourcing of critical functions; opening new offices or branches; and significant changes to IT systems or payment infrastructure. Failure to notify material changes is a common enforcement trigger and can be treated as a breach of Principle 11 (relations with regulators).
PSD2 conduct obligations. Payment institutions must comply with the conduct of business requirements in Part 6 of the PSRs 2017. These include providing clear pre-contractual information to payment service users, executing transactions within prescribed timescales (D+1 for domestic, D+4 for cross-border), applying the correct value dating, and refunding unauthorised transactions within specified timeframes. Firms providing payment accounts must comply with the Payment Accounts Regulations 2015 requirements for fee information and switching.
Complaints handling. Payment institutions must maintain a complaints handling procedure compliant with the FCA's DISP rules. Complaints must be acknowledged within 5 business days, investigated thoroughly, and a final response issued within 8 weeks (or 15 business days for payment services complaints under the PSRs 2017 short timeframe). Firms must report complaints data to the FCA twice annually. Complaint patterns are a key FCA supervisory indicator — a spike in upheld complaints or complaints relating to unauthorised transactions or safeguarding will attract supervisory attention.
Wind-down planning. The FCA expects all payment institutions to maintain a viable wind-down plan. This plan must demonstrate how the firm would cease regulated activities in an orderly manner, return all client funds to customers, notify the FCA, and meet all outstanding obligations. The wind-down plan should include a financial assessment demonstrating adequate resources to fund the wind-down period — typically 3–6 months of operating costs.
The Compliance Monitoring Cycle
Step 1 — Establish an annual compliance monitoring programme at the start of each financial year, identifying the key regulatory areas to be tested and the testing methodology. Present the plan to the board for approval.
Step 2 — Conduct compliance monitoring reviews throughout the year according to the plan. Reviews should cover AML file reviews, safeguarding reconciliation checks, complaints analysis, regulatory reporting accuracy, conduct of business compliance and IT security.
Step 3 — Document all findings, assign remediation actions with clear deadlines and responsible owners, and track completion. The FCA expects evidence that findings are acted upon — a monitoring programme that identifies issues but does not remediate them is worse than no programme at all.
Step 4 — Produce quarterly compliance MI reports for the board covering monitoring results, open issues, regulatory developments, SAR activity and complaints trends. Board discussion and challenge must be documented in minutes.
Step 5 — Conduct an annual review of the compliance monitoring programme itself, assessing whether it adequately covers the firm's regulatory risk profile and updating it for any changes to the business or regulatory environment.
Common Post-Authorisation Failures
The most common post-authorisation failure is treating compliance as a one-time exercise. Firms invest heavily in the authorisation application but fail to maintain the same standard of documentation, monitoring and governance once authorised. The FCA consistently identifies this pattern in supervisory visits and thematic reviews.
Second, safeguarding reconciliation failures. Firms that reconcile weekly or monthly rather than daily, that use manual spreadsheets with no audit trail, or that fail to top up shortfalls promptly are in breach of PS25/12 and at risk of enforcement action.
Third, MLRO vacancy. When a firm's MLRO leaves, a replacement must be appointed immediately. Operating without an MLRO is a breach of the MLRs 2017 and an aggravating factor in any subsequent enforcement action. Firms should have succession plans in place.
Fourth, failure to submit material change notifications. Firms that change directors, outsource critical functions, or expand into new payment services without notifying the FCA are in breach of their regulatory obligations. The FCA treats non-notification as a governance and culture failure.
What Firms Should Do Now
- Establish an internal compliance calendar mapping every regulatory reporting deadline, board reporting cycle and compliance monitoring review to specific dates.
- Implement a daily safeguarding reconciliation process compliant with PS25/12 — documented, auditable and with same-day shortfall remediation.
- Review and update the AML risk assessment, ensuring it reflects the firm's current customer base, products and geographies, not the profile at the point of authorisation.
- Produce the MLRO's annual report to the board, covering SAR volumes, monitoring results, emerging risks and regulatory developments.
- Ensure all material changes since authorisation have been properly notified to the FCA — and implement a process to identify and notify future changes.
- Review the wind-down plan annually and update financial projections to ensure adequate wind-down resources.
Regulatory Context and Outlook
The FCA's supervisory approach to payment institutions has shifted from reactive to proactive. The regulator's 2024/25 Business Plan identifies payment firm supervision as a priority, with specific focus areas including safeguarding compliance, financial resilience and AML effectiveness. The FCA has increased its supervisory capacity in the payments sector and is conducting more frequent desk-based reviews and on-site visits. PS25/12 represents a step-change in safeguarding expectations, and the FCA has indicated it will use the new reporting data to identify and intervene with firms that show signs of non-compliance. The direction of travel is clear: firms that treat ongoing compliance as a cost centre rather than a core business function face increasing regulatory risk.
Regulatory Counsel provides ongoing compliance support for FCA-authorised payment institutions, including compliance monitoring programmes, regulatory reporting assistance, AML programme reviews, safeguarding compliance and board advisory services. Our team works with payment institutions at every stage of the regulatory lifecycle. Firms seeking specialist support with payment institution compliance can contact Regulatory Counsel for a free initial consultation.
Frequently Asked Questions
FCA-authorised payment institutions must submit an annual RMAR return via RegData covering financial resources, payment volumes, safeguarding data and complaints. Additional returns include the annual Financial Crime Return (FCR) and, under PS25/12, a new monthly safeguarding return for higher-risk firms. Returns are due within 80 business days of the accounting reference date.
Under PS25/12 (August 2025), payment institutions must perform a daily reconciliation of safeguarded funds. The total held in safeguarding accounts must be reconciled against outstanding client obligations every business day. Shortfalls must be topped up by end of the same business day.
Common triggers include anomalies in RMAR returns, patterns in complaint data, thematic supervisory exercises, whistleblower reports, intelligence from other regulators or law enforcement, and concerns identified during routine desk-based monitoring. The FCA also conducts proactive visits as part of its enhanced supervisory approach to the payments sector.
A material change notification is a formal notification to the FCA required before the firm makes significant changes to its business. Triggers include changes to directors or senior managers, changes in qualifying holdings (ownership above 10%), outsourcing of critical functions, changes to the business model or services offered, and significant IT or infrastructure changes.
The FCA can impose a range of sanctions including requirements for immediate remediation, restrictions on the firm's permissions, financial penalties, publication of censure, and in serious cases, cancellation of the firm's authorisation. The FCA has cancelled the authorisation of payment institutions for safeguarding failures, AML deficiencies and persistent regulatory reporting failures.