Systems and Controls Requirements: A Deep Dive for Payment Institutions

Regulatory Counsel · March 2026 · 12-15 min read

Key Takeaways

  • Payment Institutions must establish and maintain robust systems and controls commensurate with their size, nature, and complexity of operations.
  • Principle 3 of the FCA’s Principles for Businesses forms the bedrock of systems and controls requirements, demanding adequate risk management arrangements.
  • Operational resilience, cyber security, and effective anti-money laundering (AML) controls are critical components of a sound systems and controls framework.
  • Regular internal and external audits are essential to assess the effectiveness and ongoing suitability of systems and controls.
  • Failure to comply with systems and controls requirements can lead to significant regulatory action, including fines and license withdrawal.

What are the core systems and controls requirements for Payment Institutions?

The core systems and controls requirements for Payment Institutions (PIs) stem primarily from **Principle 3 of the FCA’s Principles for Businesses**, which mandates that "A firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems." This overarching principle is supplemented by specific provisions within the **Payment Services Regulations 2017 (PSRs 2017)**, particularly **Regulation 22 (Conditions for authorisation)**, **Regulation 23 (Operational risk and security requirements)**, and **Regulation 24 (Safeguarding requirements)**, as well as guidance found in the FCA’s Perimeter Guidance (PERG) 15 and various policy statements and supervisory handbooks.

Effectively, these regulations mean PIs must implement comprehensive frameworks covering governance, risk management, operational resilience, financial crime prevention, information security, and safeguarding of client funds. The FCA expects these controls to be proportionate to the PI’s business model, its size, the complexity of its services, and the risks it poses to consumers and the financial system. For example, a small PI offering a single, low-risk payment service will have different, though no less critical, control requirements than a large institution engaged in multi-jurisdictional, complex payment processing. It is not a "one-size-fits-all" approach, but rather a principle-based expectation that demands careful consideration of a firm’s unique operating environment. Failure to establish and maintain adequate systems and controls not only exposes the PI to operational risks but also carries the potential for significant regulatory sanctions, including public censures, fines, and potentially the revocation of authorisation. Therefore, understanding and meticulously implementing these requirements is paramount for any PI operating in the UK.

How do Payment Institutions ensure adequate operational resilience?

Payment Institutions ensure adequate operational resilience by embedding a robust framework that allows them to prevent, adapt to, respond to, recover from, and learn from operational disruptions, as mandated by the FCA’s **Operational Resilience** policy (PS21/3, finalised in March 2021). The FCA expects PIs to identify their **"important business services"**: those services that, if disrupted, could cause harm to consumers, market integrity, or financial stability. For each important business service, PIs must:

- **Set impact tolerances**: These are the maximum acceptable levels of disruption to an important business service. For instance, a PI might set an impact tolerance of four hours for a critical payment processing service outage.
- **Map resources**: Identify the people, processes, technology, facilities, and information that support each important business service. This mapping exercise helps understand interdependencies and potential single points of failure.
- **Perform scenario testing**: Conduct regular, severe but plausible scenario testing to ensure that the firm can remain within its impact tolerances. This includes testing for cyber attacks, third-party failures, and major IT outages.
- **Implement a communication strategy**: Develop clear internal and external communication plans for when disruption occurs, including notifying the FCA where required.
- **Continuously learn and adapt**: Review test results, incidents, and near misses to identify weaknesses and improve resilience capabilities.

The operational resilience framework extends beyond traditional disaster recovery and business continuity planning; it focuses on the impact of disruption on the end-user or market and proactively building resilience from that perspective. The FCA’s SYSC Sourcebook, specifically SYSC 3.2.6 (Proportionality) and SYSC 3.2.7 (Operational risk), outlines general requirements for systems and controls. Furthermore, Regulation 23 of the PSRs 2017 states that PIs must establish "effective procedures for managing operational risks and security risks relating to the payment services they provide." This holistic approach to resilience ensures PIs can withstand adverse events and continue to provide essential services, thereby protecting their customers and maintaining market trust. For more information on this, consider exploring our insight on operational resilience.

What are the specific requirements for managing financial crime risks?

Specific requirements for managing financial crime risks for Payment Institutions are primarily driven by the **Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs 2017)**, alongside guidance from the FCA’s **Financial Crime Guide (FCG)** and the **Joint Money Laundering Steering Group (JMLSG) Guidance**. PIs are considered high-risk entities for money laundering and terrorist financing, meaning they face stringent obligations. These include:

- **Conducting a firm-wide Money Laundering and Terrorist Financing Risk Assessment**: This assessment must identify and evaluate the specific risks associated with the PI’s business activities, customer base, geographic exposure, products, and delivery channels.
- **Implementing a robust Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) framework**: This involves verifying the identity of customers, understanding the nature and purpose of the business relationship, and conducting ongoing monitoring. EDD is required for higher-risk customers, such as Politically Exposed Persons (PEPs) or clients from high-risk jurisdictions.
- **Appointing a Nominated Officer (MLRO)**: A senior individual responsible for the firm’s compliance with the MLRs, including making Suspicious Activity Reports (SARs) to the National Crime Agency (NCA).
- **Providing regular staff training**: All relevant employees must receive training on financial crime risks, the firm’s policies and procedures, and their reporting obligations under the MLRs.
- **Establishing effective systems for transaction monitoring**: PIs must have systems to monitor payment transactions for unusual patterns or activities that could indicate money laundering or terrorist financing.
- **Maintaining comprehensive records**: Proper records of CDD, transactions, and risk assessments must be kept for the prescribed period.
- **Engaging in independent audits**: Regular independent audits of compliance with the MLRs are crucial to assess the effectiveness of the firm’s anti-money laundering (AML) controls.

The FCA’s expectations are high, and PIs must demonstrate that their financial crime controls are dynamic, proportionate, and truly effective in mitigating identified risks. This requires continuous review and adaptation of policies and procedures in response to evolving threats and regulatory expectations. Further insights on this can be found in our article on AML compliance for payment services firms.

How should Payment Institutions safeguard client funds?

Payment Institutions must safeguard client funds by adhering strictly to the requirements outlined in **Regulation 23 and 24 of the Payment Services Regulations 2017 (PSRs 2017)**. Safeguarding is a critical consumer protection measure, ensuring that funds received from or on behalf of payment service users are protected in the event of the PI’s insolvency. The PSRs 2017 present two primary safeguarding methods:

- **Segregation of funds into a separate safeguarding account**: This method requires PIs to hold relevant funds in a separate account at an authorised credit institution (bank) or an equivalent regulated entity. These funds must be segregated from the PI’s own funds and clearly designated as client funds. The PI must ensure that these funds are not mingled with its own operational capital or subject to claims from its creditors.
- **An insurance policy or guarantee**: As an alternative, PIs can obtain an insurance policy or comparable guarantee from an insurance company or credit institution. This policy must cover an amount equivalent to that which would have been safeguarded, and it must:
  - Ensure that any sum recovered under the policy is payable to the firm’s payment service users.
  - Be issued by a person which is **not** a financial institution, or an insurer, with which the firm has any close links.

Crucially, PIs must perform a daily reconciliation of their safeguarding accounts and the corresponding client liabilities. Any discrepancies must be promptly investigated and rectified. The FCA expects PIs to have clear policies and procedures for identifying "relevant funds" that need safeguarding, performing the safeguarding itself, managing safeguarding accounts, and handling reconciliation processes. Furthermore, Regulation 23 requires PIs to have "adequate arrangements for the safeguarding of funds received from payment service users" including, but not limited to, the methods described above. The firm must also appoint a responsible individual for safeguarding and ensure that this individual has the necessary authority and resources. Failure to meet safeguarding obligations is one of the most serious breaches a PI can commit, often leading to immediate supervisory action due to the direct risk to client money. Detailed guidance is available in FCA Perimeter Guidance PERG 15.6.2 and PERG 15.6.3, which provide extensive detail on the application of safeguarding rules.
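The daily reconciliation described above, as an added illustration that is not code from the article or from any firm's system: it totals the relevant-funds liabilities in a (constructed) client ledger, totals only the designated safeguarding accounts whose bank balance is dated today, and reports a shortfall, an excess or a match together with the exceptions that need same-day investigation. The record field names (user_id, amount, relevant, name, balance, designated, as_of) and the sample dates and amounts are assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

# Added example, not from the article or any PI's system; the record field
# names (user_id, amount, relevant, name, balance, designated, as_of) are assumptions.
ZERO = Decimal("0.00")


@dataclass(frozen=True)
class Reconciliation:
    client_liabilities: Decimal  # relevant funds owed to payment service users
    safeguarded: Decimal         # today's balance across designated safeguarding accounts
    difference: Decimal          # safeguarded minus client_liabilities
    status: str                  # "MATCH", "SHORTFALL" or "EXCESS"
    exceptions: tuple            # items to investigate and rectify the same day


def reconcile(ledger, accounts, day, tolerance=ZERO):
    """Compare relevant-funds liabilities with designated safeguarding balances for one day."""
    exceptions = []
    liabilities = ZERO
    for entry in ledger:  # only relevant funds (not the PI's fee income) must be safeguarded
        if entry["amount"] < ZERO:
            exceptions.append(f"negative liability for {entry['user_id']}")
        elif entry["relevant"]:
            liabilities += entry["amount"]
    safeguarded = ZERO
    for acct in accounts:
        if not acct["designated"]:
            continue  # the PI's own operating accounts never count towards safeguarding
        if acct["as_of"] != day:
            exceptions.append(f"stale balance for {acct['name']} ({acct['as_of']})")
            continue  # a balance that is not today's cannot evidence today's safeguarding
        safeguarded += acct["balance"]
    difference = safeguarded - liabilities
    if difference < -tolerance:
        status = "SHORTFALL"  # client money is under-protected: top up the safeguarding account
        exceptions.append(f"shortfall of {-difference}")
    elif difference > tolerance:
        status = "EXCESS"  # own funds may be commingled with client money: identify and withdraw
        exceptions.append(f"excess of {difference}")
    else:
        status = "MATCH"
    return Reconciliation(liabilities, safeguarded, difference, status, tuple(exceptions))


# Constructed sample for one business day: 1500.00 of relevant funds is owed, the only
# designated account with a same-day balance holds 1450.00, and a second one is stale.
SAMPLE_LEDGER = [
    {"user_id": "U1", "amount": Decimal("1000.00"), "relevant": True},
    {"user_id": "U2", "amount": Decimal("500.00"), "relevant": True},
    {"user_id": "U2", "amount": Decimal("25.00"), "relevant": False},  # fee income
]
SAMPLE_ACCOUNTS = [
    {"name": "SAFEGUARDING-01", "balance": Decimal("1450.00"), "designated": True, "as_of": "2026-03-02"},
    {"name": "SAFEGUARDING-02", "balance": Decimal("200.00"), "designated": True, "as_of": "2026-03-01"},
    {"name": "OPERATING-01", "balance": Decimal("100.00"), "designated": False, "as_of": "2026-03-02"},
]
```

Running `reconcile(SAMPLE_LEDGER, SAMPLE_ACCOUNTS, "2026-03-02")` reports a 50.00 shortfall plus the stale-balance exception; counting the stale 200.00 would instead have masked the shortfall as an apparent excess, which is why same-day statements matter.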

What is the role of governance and oversight in systems and controls?

The role of governance and oversight in systems and controls for Payment Institutions is foundational, ensuring that all other control mechanisms are effectively designed, implemented, and monitored, as reinforced by **Principle 2 (Skill, care and diligence)** and **Principle 3 (Management and control)** of the FCA’s Principles for Businesses.

- **The Board and Senior Management** bear ultimate responsibility for establishing and maintaining an effective systems and controls framework. They must articulate a clear **"tone from the top"** that prioritises compliance, risk management, and ethical conduct. This includes approving policies, overseeing their implementation, and regularly reviewing their effectiveness.
- **Defined Reporting Lines and Responsibilities**: A clear organisational structure with well-defined roles, responsibilities, and reporting lines is essential. Every individual within the PI should understand their contribution to the control environment.
- **Risk Management Framework**: A robust risk management framework should identify, assess, monitor, and mitigate all material risks inherent in the PI’s business model. This framework should be integrated into strategic decision-making and operational processes.
- **Internal Audit Function**: An independent internal audit function is crucial for providing objective assurance to the board and senior management on the effectiveness of systems and controls, risk management, and governance processes. The frequency and scope of internal audits should be proportionate to the PI’s risks and complexity.
- **Compliance Oversight**: An independent compliance function is responsible for advising the board on regulatory requirements, monitoring adherence to policies and procedures, and reporting compliance breaches. This function plays a vital role in ensuring that the PI meets its regulatory obligations.
- **Management Information (MI)**: The board and senior management must receive timely, accurate, and relevant Management Information to monitor the firm’s risk profile, control effectiveness, and compliance status. This MI should highlight key risk indicators and performance metrics.
- **Third-Party Risk Management**: Given the increasing reliance on outsourcing within the payments sector, effective oversight of third-party providers is a critical governance requirement. PIs must conduct due diligence on service providers, implement robust contractual agreements, and monitor their ongoing performance and controls. The **EBA Guidelines on outsourcing arrangements** (EBA/GL/2019/02), whilst directed at credit institutions, are often considered best practice for PIs by the FCA, particularly for critical outsourced functions.

Effective governance ensures that systems and controls are not merely theoretical but are actively embedded in the PI’s culture and day-to-day operations. It ensures accountability and fosters a proactive approach to regulation and risk management, which are vital for sustained business success and regulatory good standing. Firms should regularly review their governance arrangements to ensure they remain fit for purpose as the business evolves.

What are the consequences of non-compliance with systems and controls?

The consequences of non-compliance with systems and controls requirements for Payment Institutions can be severe and far-reaching, encompassing regulatory, financial, reputational, and operational impacts. The FCA has a wide range of enforcement powers under **FSMA 2000**, the **PSRs 2017**, and the **MLRs 2017**, which it will not hesitate to use when firms fail to meet their obligations.

- **Regulatory Action**: This can include formal warning notices, requirement notices, public censures, and significant financial penalties. The FCA can also impose restrictions on a firm’s business activities, appoint skilled persons (under Section 166 of FSMA) to review the firm’s processes, or even withdraw a firm’s authorisation, effectively ending its ability to operate. For example, breaches of safeguarding rules or persistent failures in AML controls have led to substantial fines and, in some cases, cancellations of licenses.
- **Financial Penalties**: Fines can be substantial, calculated based on the severity and duration of the breach, the harm caused, and the firm’s financial resources. The FCA’s statement of policy on **"Penalties: A Guide for Firms and Individuals"** outlines the methodology for calculating fines, which can run into millions of pounds.
- **Reputational Damage**: Regulatory enforcement actions are often publicly announced, leading to severe damage to a PI’s reputation, trust with customers, and credibility with business partners. This can result in loss of customers, difficulties in attracting new business, and potential challenges in securing banking relationships or investor funding.
- **Increased Scrutiny**: Firms that have demonstrated weaknesses in their controls are likely to face enhanced supervisory scrutiny from the FCA, requiring more frequent reporting, audits, and potentially imposing ongoing restrictions or conditions on their authorisation.
- **Operational Disruption and Client Harm**: Inadequate systems and controls can lead to operational failures, cyber security breaches, or financial crime incidents, directly impacting customers through service interruptions, fraud, or loss of funds. This can also lead to direct financial losses for the PI, including costs associated with remediation, customer compensation, and legal fees.
- **Personal Accountability**: Under the **Senior Managers and Certification Regime (SM&CR)**, senior individuals responsible for specific areas (e.g., MLRO, Head of Operations) can be held personally accountable for failures within their remit. This can lead to sanctions against individuals, including bans from working in regulated financial services and personal fines.

Ultimately, neglecting systems and controls is not just a compliance issue; it poses a fundamental threat to the viability and sustainability of a Payment Institution. Proactive and continuous investment in robust, effective controls is therefore an absolute necessity.

Frequently Asked Questions

FCA Principle 3 states that "A firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems." For Payment Institutions, it is fundamental because it forms the overarching requirement for establishing all internal systems and controls, covering everything from operational processes to financial crime prevention and governance. It demands a holistic, proportionate approach to risk management.

Yes, PIs are expected to have robust cyber security measures. Regulation 23 of the PSRs 2017 mandates "effective procedures for managing operational risks and security risks relating to the payment services they provide." This includes protection against cyber threats, data breaches, and ensuring the security and integrity of payment transactions and customer data. The FCA also encourages adherence to industry best practices and frameworks such as the National Cyber Security Centre (NCSC) guidance.

An "impact tolerance" is the maximum tolerable level of disruption to an important business service. For Payment Institutions, it means determining the longest period for which a critical payment service can be disrupted before it causes unacceptable harm to consumers, market integrity, or financial stability. Firms must be able to remain within these tolerances even during severe operational disruptions.

Payment Institutions should review their systems and controls regularly and on an ongoing basis. This includes periodic internal audits (typically annually or bi-annually, depending on risk), reviews by compliance and risk functions, and immediate reviews following any significant incident, regulatory update, or change in the firm’s business model or risk profile. The FCA expects controls to be dynamic and adapt to evolving risks.
