FCA Publishes “Dear CEO” Letter Outlining the Agency’s Priorities for Payments Firms

On March 16, 2023, the Financial Conduct Authority (FCA) issued a “Dear CEO” letter to payments firms authorized or registered under the Payment Services Regulations 2017, and Electronic Money Regulations 2011. Spanning ten pages, the letter was authored by Matthew Long, the FCA’s Director of Payments and Digital Assets, and focused on various points of concern from the regulator over a lack of “sufficiently robust” risk management controls among payment firms. 

As a result of these inadequate controls, Long noted that “some firms present an unacceptable risk of harm to their customers and to financial system integrity.” The letter also cited the cost of living crisis and tightening economic conditions as likely factors that are contributing to the growing risk of customer harm.

The letter is framed around three core outcomes payment firms must achieve: 

• Ensure your customers’ money is safe
• Ensure your firm does not compromise financial system integrity
• Meet your customers’ needs, including through high-quality products and services, competition and innovation, and robust implementation of the FCA Consumer Duty

Priorities for Payment Firms

To ensure a firm’s customers’ money is safe, the FCA highlights three main priorities:

• Safeguarding – In the case of insolvency, firms should implement adequate arrangements to return customers’ money to them without delay. 
• Prudential risk management – Risk appetites should be reviewed alongside key risk indicators to provide an up-to-date understanding of the threat environment.  Additional adequate financial resources should also be considered on an ongoing basis. 
• Wind-down planning – Firms should maintain wind-down plans that include clear triggers to commence an orderly, solvent winding down of business in certain circumstances.

To meet customers’ needs through high-quality products and services, the FCA recalls a letter written to payment firms in February 2023 reminding them of the regulator’s Consumer Duty expectations. Key things for firms to consider in this regard include:

• Using data and management information to monitor whether products and services continue to meet the needs of customers and contribute to good consumer outcomes
• Considering whether vulnerable customers are adversely impacted by their charging structures
• Making it clear to consumers which products are regulated, and which are not, and clearly setting out the consumer protections relating to each product
• Providing appropriate support channels

Money Laundering and Sanctions

The FCA letter’s second outcome relates to ensuring the integrity of the financial system. This section holds heavy implications for fraud and anti-money laundering (AML) professionals as it highlights common areas of non-compliance throughout the payments sector. Over the last two years, the FCA noted frequent issues related to control, governance, record keeping, and the risk-based approach. Specifically, these included:

• Failure to carry out and/or to evidence adequate know your customer (KYC)/due diligence
• Business-wide risk assessments that are not supported by a robust and effective methodology
• Failure to regularly review and refresh risk assessments and control frameworks in an evolving threat landscape
• Policies and procedures that are insufficiently detailed and tailored to firms’ business models
• Failure to maintain and evolve the control framework, in line with or ahead of business growth
• Failure to ensure name screening solutions from third-party providers are appropriately and adequately calibrated to meet their business requirements
• An inability to reasonably justify and/or verify why a sanction screening solution does not generate alerts against certain names on the UK’s Office of Financial Sanctions Implementation list

To combat these inefficiencies, the FCA reminds firms of its expectations regarding AML controls and sanctions screening measures: 

• Ensure that AML systems and controls are effective and commensurate with the risks in the business, including as it grows over time
• Conduct regular reviews to assess compliance with AML obligations and sanctions requirements, and to work swiftly to remediate weaknesses identified 
• Comply with responsibilities under the Proceeds of Crime Act 2002 and Terrorism Act 2000 through accurate and timely submissions of suspicious activity reports (SARs) and regularly review themes from SARs reporting

Fraud

Following the UK government reclassifying fraud as a national security threat in February, the FCA notes it has seen “elevated fraud rates” in some payment and electronic money institutions. It notes the cost-of-living crisis as a potential driver of additional fraud. As a result, firms must “take action now to address weaknesses in their systems and controls to prevent fraud.” 

Common issues identified by the FCA include:

• Insufficient emphasis on mitigating the risk of fraud against customers and insufficient customer education relating to fraud prevention
• A lack of engagement with industry information-sharing bodies
• Weaknesses in firms’ anti-fraud systems and controls
• Backlogs that have led to fraud reports from consumers not being actioned within a reasonable timeframe by relevant staff
• A high proportion of customer accounts being used to receive the proceeds of fraud

The FCA has a clear sense of urgency around fraud, stating firms must “take immediate action” to protect customers against fraud, and ensure their firm is “not being used to receive the proceeds of fraud.” Firms are instructed to:

• Review internal risk appetite statements, policies, and procedures to ensure that these adequately address the risk of fraud to customers
• Regularly review fraud prevention systems and controls to ensure that these are effective
• Maintain appropriate customer due diligence (CDD) controls at the onboarding stage and on an ongoing basis to identify and prevent accounts from being used to receive proceeds of fraud or financial crime

Cross-Cutting Priorities

The letter ends with three final priorities that underpin the outcomes that came before. These include:

• Governance and leadership, including oversight of agents and distributors – According to the FCA, a lack of adequate governance and leadership is often the root cause of regulatory issues among payment firms. To mitigate this, firms should ensure that directors and individuals responsible for providing payment services are “fit and proper” – meaning they should have appropriate knowledge and experience. Governance arrangements should also be regularly reviewed.
• Operational resilience – Payment firms are expected to monitor their dependency on providers of critical services and have appropriate contingency plans to move providers if necessary.
• Regulatory reporting – The FCA notes they have seen “sustained non-compliance” in regard to the authority’s regulatory reporting requirements. Payment firms are reminded to submit reports to the FCA in a “timely fashion” as the regulator is set to issue more fines if reports fail to meet predefined deadlines.

Key Takeaways

When it comes to complying with the FCA’s priorities related to money laundering and sanctions, compliance teams should ensure that the customer names submitted to any screening solution are derived using automated checks against official/state-issued identity documentation, as opposed to user-inputted. When implemented correctly, this can have a significant positive impact on the number of false positives emitted from name screening tools. Once these steps have been taken, compliance teams should devise tests for their screening solution by running name sets through the solution in a test environment, as part of their broader risk and control assessments. 

Payment firms should also ask vendors about the speed at which they can update their sanctions lists. In a tense, fragile geopolitical environment, new sanctions will likely continue to be issued at pace and unpredictably, meaning that receiving updates as close to real-time as possible will be critical to ensure continued compliance with regulatory requirements.

Regarding the FCA’s fraud priorities, compliance staff should consider leveraging AI to identify links between accounts – whether related to an individual(s) or an organization(s) – to help determine the true scale of the fraudulent activity. Sharing information and knowledge is also critical. This could be through participation in data-sharing initiatives like CIFAS, working with technology and data vendors who monitor and respond to emerging criminal typologies, or participating in regulator consultations.  

To read more about what the FCA’s letter might mean for your firm, read our full coverage here.