Is your business providing payment services in the UK? If so, you should know which types of payment services are subject to regulation and what you need to do if your business offers these.
This article provides an introduction to payment services regulation in the UK. If you need further advice or support in understanding how regulation may affect your business, please do not hesitate to contact our financial services team.
Our solicitors have extensive experience in dealing with payment services authorisation, registration and regulatory compliance and are here to help you navigate payment services regulation.
The regulation of payment services in the UK
The Payment Services Regulations 2017 (PSRs) govern businesses offering payment services in the UK. They require that anybody providing payment services as a regular business activity must be authorised or registered to do so.
The UK used the PSRs to implement the European Union’s (EU) second Payment Services Directive (PSD2). After Brexit, the UK retained the PSRs with some amendments to make sure the rules would still work after the UK had left the EU. Although the UK government can now diverge from EU standards in the payment services space, it would need to carefully consider whether any divergence might jeopardise the UK’s continued participation in the Single European Payments Area (SEPA).
Supervision and compliance
The main regulator of payment services in the UK is the Financial Conduct Authority (FCA). Businesses providing in-scope payment services must apply to be authorised or registered by the FCA, which enforces compliance and sets specific rules for Payment Service Providers (PSPs) in its Handbook. The FCA provides detailed guidance, including an "approach document" and periodic communications on supervisory priorities and regulatory duties.
The Payment Systems Regulator (PSR) is responsible for supervising specific requirements under the PSRs, such as the transparency of ATM withdrawal charges and access to payment systems and bank accounts. The Payment Systems Regulator has set out its approach to monitoring and enforcing the revised Payment Services Directive (PSD2).
The Bank of England also contributes to the regulation of payment services, acting as the ‘settlement agent’ for UK payment systems like CHAPS. The Bank provides settlement accounts to banks and enables authorised non-bank PSPs to access these accounts directly, rather than having to rely on indirect access through a sponsoring bank.
Authorisation and registration requirements under the PSRs
The FCA requires businesses providing the following payment services to seek authorisation or registration:
- Services enabling funding of, or withdrawal from, a payment account, including all operations needed to operate a payment account.
- Execution of payment transactions including direct debit, payment card transactions, credit transfers and standing orders (whether or not a credit line is provided to the service user).
- Issuing payment cards or providing merchant acquisition services.
- Money remittance.
- Payment initiation services (payments instigated by a payment account holder as an alternative to paying by credit or debit card online); and
- Account information services (such as dashboards displaying multiple bank accounts or ‘open banking’ services).
Certain payment services are excluded from the PSRs, such as:
- Payment transactions through commercial agents acting on behalf of a payer or payee.
- Cash to cash currency exchange (e.g. bureaux de change).
- Payment transactions linked to securities servicing (e.g. dividend payments, share sales or unit redemptions).
- Certain services provided by technical service providers.
- The ‘limited network exclusion’ (for payments made using instruments within a limited network of service providers or for a very limited range of goods or services e.g. shopping centre gift cards); and
- The ‘electronic communications exclusion’ (for payment transactions by internet or phone service providers where charges for certain lower value goods or services are added to subscriber bills).
The criteria which must be met to benefit from exclusions can be complex and you may want to consider taking specialist legal advice from our team of financial services solicitors if you plan to rely on an exclusion.
Businesses using the limited network and electronic communications exclusions must notify the FCA and demonstrate compliance with the conditions of these exclusions if their transaction volume reaches a certain limit.
Additionally, credit unions, electronic money institutions, municipal banks, and firms already authorised for certain financial activities do not need separate authorisation to provide payment services but may need to apply to the FCA to vary their existing regulatory permissions. Activities incidental to a business’s main function, like certain crowdfunding operations, also do not require authorisation.
Process for FCA authorisation or registration
Businesses must seek either FCA authorisation as an Authorised Payment Institution (API) or registration as a Small Payment Institution (SPI) based on their payment transaction volumes:
- Businesses projecting over EUR 3 million in payments annually should seek API authorisation; and
- Those expecting less than EUR 3 million can register as an SPI.
Firms providing payment initiation services should apply for authorisation as an API, whilst those providing account information services should apply to become a registered account information service provider (RAISP).
You can find out more about authorisation or registration with the FCA under the PSRs on the FCA’s website.
Operational requirements
The following outlines key operational requirements:
- PSRs Parts 3 and 4: deal with minimum requirements for APIs and SPIs and cover aspects such as capital adequacy, safeguarding of client funds, audits and record-keeping.
- PSRs Parts 6-8: detail the information provision standards to customers, charge structures, transaction authorisation processes including strong customer authentication, and guidelines for accessing payment systems and bank accounts.
The FCA Handbook also contains regulatory requirements. These include:
- Principles for Business: outline overarching principles and behavioural expectations for how businesses should operate and treat customers.
- Banking: Conduct of Business sourcebook (BCOBS): sets information and conduct rules for providers of deposit and payment accounts.
- Consumer Credit and Supervision Rules (CONC and SUP): address specific requirements for credit activities and interaction protocols with the FCA, including compliance reporting.
- Complaints Handling Rules (DISP): set standards for addressing customer grievances effectively.
PSPs must comply with broader regulations such as data protection laws and Money Laundering Regulations (MLRs). Guidance from HMRC and the FCA helps PSPs establish robust systems to prevent financial crimes, including tactics to deter money mules.
Penalties for non-compliance
Providing payment services without the required authorisation or registration is a criminal offence and, in the most serious cases, could lead to prosecution by the FCA.
Part 11 of the PSRs sets out criminal offences, such as misleading the FCA or Payment Systems Regulator, but these generally do not impact reputable businesses.
Civil penalties for non-compliance pose a more common risk. These penalties can significantly impact firms, even for inadvertent breaches.
If the FCA or Payment Systems Regulator identifies a potential breach, they will likely first enter into dialogue with you to learn more and ask you to put things right. If matters are not quickly resolved, the regulators may then use their powers to compel your business to act, or to stop you from doing something they believe could cause problems.
In cases of severe or unrectified breaches, the regulators can launch formal investigations into potential wrongdoing. If a breach is subsequently proven, this could lead to significant sanctions on businesses or individuals, including substantial fines, mandatory customer compensation or public censure.
The FCA’s primary aim in using its investigation and enforcement powers in the context of suspected unauthorised activities is to protect the interests of consumers. The FCA’s priority will be to confirm whether or not a regulated activity has been carried on in the United Kingdom by someone without authorisation or exemption, and, if so, the extent of that activity and whether other related contraventions have occurred. It will seek to assess the risk to consumers’ assets and interests arising from the activity as soon as possible.
For these reasons, understanding and complying with your regulatory obligations is vital for your business.
The future of Payment Services Regulation
The UK’s PSRs are due to evolve significantly under the government’s Smarter Regulatory Framework programme, which is aimed at enhancing competitiveness and flexibility in the financial sector.
In January 2023, the government launched a review into the PSRs. The consultation highlighted several areas where potential changes were being considered, especially in consumer protection, where the FCA is slated to consult on a new safeguarding regime for client funds in 2024. Other potential changes include:
- Enhancing the safeguarding regime for client monies.
- Introducing more flexibility into regulatory technical standards for strong customer authentication (SCA).
- Revisiting requirements for prompt settlement, including whether deferral in cases of suspected fraud might be warranted.
- Reviewing disclosure requirements for currency conversion; and
- Looking at grounds and processes for terminating customer accounts.
The EU is also currently undertaking work on a third Payment Services Directive (PSD3), which is due to be voted on by the European Parliament later in 2024. Given potential developments in the UK PSRs and the advent of EU PSD3, there may be wider divergence between UK and EU regulation of payment services going forward. It remains to be seen whether this will impact UK participation in SEPA.
Conclusion
If your business provides payment services in the UK, you need to consider whether you need to be authorised or registered with the FCA. You should also ensure that you understand all your regulatory and other legal obligations to minimise any compliance risks for your business.
Our financial services solicitors can provide current legal advice on the PSRs and related authorisation, registration and compliance requirements. We can also support you on data protection and anti-money laundering compliance. Please do not hesitate to contact our team for further information.