Upgrading from Small Payment Institution (SPI) to Authorised Payment Institution (API): Process and Requirements

Navigating the United Kingdom’s regulatory landscape for payment services can be a complex undertaking. For many burgeoning fintech firms, commencing operations as a Small Payment Institution (SPI) offers an accessible entry point. However, as these firms grow in scale and ambition, the limitations inherent to SPI status often necessitate an upgrade to an Authorised Payment Institution (API). This article provides a detailed examination of the process and stringent requirements involved in this pivotal regulatory transition.

Why Upgrade from an SPI to an API?

Upgrading from an SPI to an API becomes necessary when a firm either exceeds the operational thresholds stipulated by the Payment Services Regulations 2017 (PSRs 2017) or seeks to expand its service offerings beyond what SPI status permits. SPIs are subject to several key limitations. For instance, per Regulation 12 of the PSRs 2017, the average of the total amount of payment transactions executed by the firm, including through any agents, in the preceding 12 months, must not exceed €3 million per month. While this threshold offers a viable starting point, rapid business growth can quickly lead to its breach. Beyond transactional volume, SPIs are restricted in the payment services they can provide; they cannot offer payment initiation services (PIS) or account information services (AIS), nor can they safeguard client funds – a core requirement for many advanced payment models. Additionally, only APIs benefit from passporting rights under the Payment Services Directive 2 (PSD2), allowing them to operate across the European Economic Area (EEA), although post-Brexit, this has evolved into distinct UK and EEA authorisation requirements. Therefore, an upgrade is not merely a formality but a strategic move to unlock significant growth potential, enhance market credibility, and comply with evolving regulatory expectations.

Key Regulatory Requirements for an API Application

The requirements for API authorisation are considerably more onerous than those for an SPI, reflecting the greater operational scale and systemic importance of APIs. The Financial Conduct Authority (FCA), as the UK’s prudential and conduct regulator for payment services firms, expects a comprehensive demonstration of a firm's capability to operate safely, soundly, and in customer’s best interests. The application process, governed primarily by Part 2 of the PSRs 2017 and detailed guidance in the FCA’s Payment Services and Electronic Money Approach Document (PERG 15), necessitates meticulous preparation across several key areas.

### Capital Requirements

One of the most significant distinctions lies in initial capital requirements. While SPIs are not subject to initial capital requirements, APIs must hold a minimum amount of initial capital. This requirement is specified in Regulation 67(1) of the PSRs 2017, which references Article 9(1) of PSD2. The specific amount depends on the type of payment services offered: - For money remittance (Service 6): €20,000 - For payment initiation services (Service 7): €50,000 - For other payment services (Services 1-5, and 8): €125,000

This capital must be sustained on an ongoing basis and firms must demonstrate robust capital adequacy calculations to the FCA.

### Safeguarding Operations

APIs are generally required to safeguard relevant funds received from or on behalf of payment service users. This is a critical consumer protection measure. Regulation 23 of the PSRs 2017 mandates specific safeguarding arrangements. Firms must ensure that relevant funds are either held in a separate account at an authorised credit institution or an authorised e-money institution, or covered by an insurance policy or comparable guarantee from an insurance company or credit institution. The FCA expects clear, detailed policies and procedures outlining how safeguarding measures are implemented, reconciled, and audited. This typically includes designated safeguarding accounts, clear segregation of client funds from operational funds, and robust reconciliation processes.

### Governance and Risk Management Frameworks

The FCA expects APIS to possess robust governance arrangements and comprehensive internal control mechanisms. This includes a clear organisational structure with well-defined, transparent, and consistent lines of responsibility, effective risk management processes, and internal control mechanisms including sound administrative and accounting procedures. The application must include a detailed Risk Management Framework covering operational risk, financial risk, compliance risk, and reputational risk. Specific attention should be paid to anti-money laundering (AML) and counter-terrorist financing (CTF) controls, adhering to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs 2017). Firms must demonstrate how they identify, assess, monitor, and mitigate these risks effectively. This involves documented policies, procedures, and clear accountabilities across the organisation. For further reading on this, see our article on Risk Management for Payment Institutions.

### Business Plan and Financial Projections

A detailed and credible business plan is central to the API application. This document must articulate the firm’s strategy, target market, service offerings, operational model, and growth projections for a minimum of three years. Crucially, the business plan must be supported by realistic and robust financial projections, including profit and loss forecasts, balance sheets, and cash flow statements. The FCA scrutinises these projections to assess the firm’s financial viability and its ability to meet ongoing regulatory requirements, including capital and safeguarding obligations. Unrealistic assumptions or a lack of demonstrable funding sources will undoubtedly lead to rejection.

### Fit and Proper Requirements for Key Personnel

The individuals responsible for the management and oversight of the API must be deemed “fit and proper” by the FCA. This applies to directors, senior managers, and individuals responsible for key functions such as compliance and risk. The assessment considers their honesty, integrity, competence, capability, and financial soundness. Applicants must submit Form A applications for individuals performing Senior Management Functions (SMFs) under the Senior Managers and Certification Regime (SMCR), which applies to solo-regulated firms like APIS. This involves extensive background checks, criminal record checks, and a review of past professional conduct. A failure to demonstrate the fitness and propriety of key personnel is a frequent cause of application delays or rejections. Our guide to SMCR for Payment Institutions offers more detail.

The Application Process: Navigating the FCA’s Expectations

The upgrade from SPI to API is not merely a formality but a full re-application for authorisation. The process typically involves several stages, each demanding meticulous attention to detail.

### Pre-Application Engagement

While not mandatory, engaging in pre-application discussions with the FCA can be highly beneficial. This allows firms to clarify specific regulatory interpretations, discuss complex business models, and receive initial feedback on their proposed application approach. While the FCA cannot pre-approve an application, these discussions can help identify potential issues early and refine the application strategy.

### Preparing the Application Pack

The core of the application process involves assembling a comprehensive application pack. This typically includes: - Application Form: The FCA’s standard application form for payment institutions. - Business Plan: As detailed above, including descriptions of services, target market, and operational model. - Financial Projections: Detailed three-year financial forecasts. - Capital Adequacy Calculations: Demonstrating ongoing compliance with capital requirements. - Safeguarding Narrative and Procedures: Detailed explanation of how client funds will be safeguarded. - Governance Arrangements and Internal Control Document: Outlining organisational structure, roles, responsibilities, and control mechanisms. - Risk Management Framework: Covering all relevant risks, including specific AML/CTF policies compliant with the MLRs 2017. - Operational Resilience Framework: Demonstrating the firm's ability to prevent and recover from disruptions, in line with FCA PS21/3 on operational resilience. - IT and Security Audit: Demonstrating robust IT systems and security measures, aligning with Regulation 98 of the PSRs 2017 on security requirements. - Outsourcing Policy: If any critical functions are outsourced, detailing due diligence, oversight, and contingency plans. - CVs and DBS checks for all relevant individuals: For Fit and Proper assessments. - Shareholder Structure and Funding Information: Transparency regarding ownership and funding sources.

The FCA provides detailed application guides on its website, and applicants should meticulously follow these.

### FCA Review and Queries

Once submitted, the FCA undertakes a thorough review of the application. This phase typically involves significant information requests (Q&As) where the regulator seeks clarification, additional detail, or amendments to the submitted documents. It is crucial to respond to these queries promptly, comprehensively, and precisely. A failure to adequately address FCA queries can lead to significant delays or, ultimately, rejection. The FCA has a statutory deadline of three months from receiving a complete application, but this clock stops every time they issue a request for further information. Therefore, proactive and comprehensive responses are paramount.

### Interview Process

The FCA may request interviews with key personnel, including directors and senior managers. These interviews are an opportunity for the regulator to assess the individuals’ understanding of their roles, the firm’s business, its risks, and the regulatory obligations. Candidates must demonstrate competence, commercial awareness, and a strong commitment to regulatory compliance.

### Approval and Post-Authorisation Obligations

Successful applicants will receive an authorisation notice. However, obtaining authorisation is not the end of the regulatory journey; it is merely the beginning. APIs are subject to ongoing stringent regulatory obligations, including: - Regular Reporting: Submitting prudential, financial, and incident reports to the FCA (e.g.,REP001, REP002, REP003 details). - Ongoing Compliance: Maintaining robust AML/CTF controls, safeguarding arrangements, and operational resilience. - Changes in Control/Business Model: Notifying the FCA of any significant changes to the firm's ownership, business model, or key personnel. - Annual Accounts and Audit: Submitting audited accounts annually.

Firms must embed a strong compliance culture from the outset to meet these ongoing requirements effectively.

Common Pitfalls and How to Avoid Them

The SPI to API upgrade process is challenging, and various missteps can lead to delays or outright rejection. - Lack of granular detail: General statements without supporting evidence or detailed procedures are unlikely to satisfy the FCA. Every section of the application requires specific, actionable details. - Unrealistic financial projections: Overly ambitious revenue forecasts or insufficient capital to cover projected expenses will raise red flags. Be conservative and provide clear justifications for all figures. - Inadequate AML/CTF controls: The FCA has zero tolerance for weaknesses in this area. Generic policies are insufficient; firms need tailored controls reflecting their specific risk profile, in line with the MLRs 2017. - Failure to demonstrate ‘Fit and Proper’ status: Any concerns regarding the honesty, integrity, or competence of key individuals can derail an application. Ensure all disclosures are accurate and complete. - Underestimation of the process complexity and timeline: It is a demanding process requiring significant resources and time. Firms should budget for at least 6-12 months from preparation to authorisation, depending on their readiness and the FCA’s backlog.

Engaging experienced regulatory consultants, such as our team at Regulatory Counsel, can significantly mitigate these risks. We provide expertise in preparing comprehensive application packs, advising on regulatory interpretations, and guiding firms through the FCA’s rigorous assessment process.

Conclusion

The upgrade from an SPI to an API represents a significant milestone for any payment services firm in the UK. It is a transition driven by growth, ambition, and the need to operate within a more robust regulatory framework. While the requirements are extensive and the FCA’s scrutiny profound, careful preparation, a deep understanding of the PSRs 2017 and associated guidance, and a proactive approach to addressing potential challenges can pave the way for a successful authorisation. This strategic move not only enables greater operational scope and market reach but also instils greater confidence among customers, partners, and the broader financial ecosystem. Firms embarking on this journey should approach it with diligence, foresight, and a commitment to embedding strong regulatory compliance at the core of their operations.