FCA's Dear CEO letter to all the regulated payments and e-money firms

On 16 March 2023, the Financial Conduct Authority (“FCA”) issued a “Dear CEO letter” to all regulated payments and e-money firms (collectively “firms”) setting out its clear expectations of the outcomes on which it wants firms to focus, specifically:

  1. Safeguarding: Ensure that customers’ money is safe. The FCA’s approach is focused on three areas: (i) safeguarding arrangements, (ii) improving prudential risk management, and (iii) maintaining detailed wind-down plans with the appropriate triggers and requirements.
  2. Financial system integrity: Ensure that firms do not compromise the integrity of the financial system. The FCA’s approach is focused on ensuring firms implement systems and controls to identify, assess, monitor, and manage money laundering risk, including any sanctions exposure and risk, and address weaknesses in systems and controls to prevent fraud.
  3. Consumer duty: Meet the needs of customers, including through high-quality products and services, competition and innovation, and robust implementation of the FCA Consumer Duty. The FCA expects firms to take appropriate action to ensure that they comply with the Duty, as set out in the letter of 21 February written to payment firms.

Additionally, the FCA highlights cross-cutting priorities that underpin the three outcomes noted above, including governance and oversight, progressing operational resilience requirements by 31 March 2025, and providing regulatory reports to the FCA within reporting deadlines.

In response to the letter, payments firms need to assess themselves against the key outcomes above and notify the FCA of any changes planned or underway.

Specifically, as it relates to ensuring that safeguarding controls are robust, firms need to:

  • identify all relevant funds that they hold, including funds held on behalf of clients, money received for transactions, and fees and charges;
  • segregate client funds from their own to prevent them from being used for any other purpose;
  • establish and maintain effective systems and controls to manage the risks associated with holding relevant funds; and
  • conduct regular internal and external reconciliations of their safeguarding flows to ensure accurate accounting.

The letter also reminds firms of a requirement to conduct an annual audit of their safeguarding arrangements. When performing an audit of safeguarding arrangements, the main considerations are to ensure that the organisation has effective policies, procedures, and systems in place to safeguard relevant funds. This should include reviewing the organisation's risk management and reporting processes, training, reporting, and monitoring and evaluating control effectiveness related to safeguarding.

On the financial system integrity outcome, the letter is a clear call to action to professionals in the financial crime space, with specific focus on anti-money laundering, sanctions compliance and fraud risk mitigation. Payments firms need to review risk and control frameworks to help ensure both the design and effectiveness of controls are robust and commensurate with an approved risk appetite, which should have clear linkage to the risk assessment methodology and reporting processes. Further, as sanctions evasion tactics continue to mature, payments firms need to understand the underlying data and the compliance obligations they have for transaction and party screening throughout the end-to-end payment life cycle.

Lastly, in order to meet the requirements of the FCA’s Consumer Duty, firms will need to be able to evidence that:

  • products and services offered meet the needs of an identified target market;
  • products and services are priced correctly and provide value to customers;
  • communications with consumers enable them to understand the products and services and make informed decisions; and
  • consumers are supported throughout the product and service lifecycle.

Evidencing that customers receive good outcomes will require the right data to be in place from 1 August 2023 and for all payment firms to understand, and embed within their cultures, the requirements of the Consumer Duty. This is not a simple task and, in some instances, may require a shift in the culture of compliance. It will involve reviewing products and services, internal processes and control systems, and defining the outcomes that firms want to deliver. The FCA will be testing the implementation of the Consumer Duty when the new regime starts, so firms need to focus now on their implementation planning.

If you would like to discuss the letter and how best to positively react and respond, please contact one of our Payments specialists, Christine Reisman, Bernadine Reese, Olga Robertson or Stuart O’Sullivan.

Leadership

Christine Reisman
Christine is a Managing Director and Solution Lead within Protiviti's Risk & Compliance practice. Christine focuses on regulatory compliance matters for Financial Services Institutions specialising in the payments industry. Christine has subject matter expertise in ...
Olga Robertson
Olga is an Associate Director in Protiviti’s Risk and Compliance function leading CASS and Safeguarding topics. Prior to joining Protiviti, Olga worked in a variety of CASS roles, such as an external CASS auditor and in a variety of CASS roles within banking and asset ...