Knowledge Hub
for Growth


Regulation of payment services in the UK: what you need to know

Is your business providing payment services in the UK? If so, you should know which types of payment services are subject to regulation and what you need to do if your business offers these.

This article provides an introduction to payment services regulation in the UK. If you need further advice or support in understanding how regulation may affect your business, please do not hesitate to contact our financial services team.

Our solicitors have extensive experience in dealing with payment services authorisation, registration and regulatory compliance and are here to help you navigate payment services regulation.

The regulation of payment services in the UK

The Payment Services Regulations 2017 (PSRs) govern businesses offering payment services in the UK. They require that anybody providing payment services as a regular business activity must be authorised or registered to do so.

The UK used the PSRs to implement the European Union’s (EU) second Payment Services Directive (PSD2). After Brexit, the UK retained the PSRs with some amendments to make sure the rules would still work after the UK had left the EU. Although the UK government can now diverge from EU standards in the payment services space, it would need to carefully consider whether any divergence might jeopardise the UK’s continued participation in the Single European Payments Area (SEPA).

Supervision and compliance

The main regulator of payment services in the UK is the Financial Conduct Authority (FCA). Businesses providing in-scope payment services must apply to be authorised or registered by the FCA, which enforces compliance and sets specific rules for Payment Service Providers (PSPs) in its Handbook. The FCA provides detailed guidance, including an "approach document" and periodic communications on supervisory priorities and regulatory duties.

The Payment Systems Regulator (PSR) has the responsibility for supervising specific PSR requirements, such as the transparency of ATM withdrawal charges and access to payment systems and bank accounts. The Payment Systems Regulator has set out its approach to monitoring and enforcing the revised Payment Services Directive (PSD2).

The Bank of England also contributes to the regulation of payment services, acting as the ‘settlement agent’ for UK payment systems like CHAPS. The Bank provides settlement accounts to banks and enables authorised non-bank PSPs to access these accounts directly, rather than having to rely on indirect access through a sponsoring bank.

Authorisation and registration requirements under the PSR

The FCA requires businesses providing the following payment services to seek authorisation or registration:

  • Services enabling funding of, or withdrawal from, a payment account, including all operations needed to operate a payment account.
  • Execution of payment transactions including direct debit, payment card transactions, credit transfers and standing orders (whether or not a credit line is provided to the service user).
  • Issuing payment cards or providing merchant acquisition services.
  • Money remittance.
  • Payment initiation services (payments instigated by a payment account holder as an alternative to paying by credit or debit card online); and account information services (such as dashboards displaying multiple bank accounts or ‘open banking’ services). Certain payment services are excluded from the PSRs, such as:
  • Payment transactions through commercial agents acting on behalf of a payer or payee.
  • Cash to cash currency exchange (e.g. bureaux de change).
  • Payment transactions linked to securities servicing (e.g. dividend payments, share sales or unit redemptions).
  • Certain services provided by technical service providers.
  • The ‘limited network exclusion’ (for payments made using instruments within a limited network of service providers or for a very limited range of goods or services e.g. shopping centre gift cards); and
  • The ‘electronic communications exclusion’ (for payment transactions by internet or phone service providers where charges for certain lower value goods or services are added to subscriber bills).

The criteria which must be met to benefit from exclusions can be complex and you may want to consider taking specialist legal advice from our team of financial services solicitors if you plan to rely on an exclusion.

Businesses using the limited network and electronic communications exclusions must notify the FCA and demonstrate compliance with the conditions of these exclusions if their transaction volume reaches a certain limit.

Additionally, credit unions, electronic money institutions, municipal banks, and firms already authorised for certain financial activities do not need separate authorisation to provide payment services but may need to apply to the FCA to vary their existing regulatory permissions. Activities incidental to a business’s main function, like certain crowdfunding operations, also do not require authorisation.

Process for FCA authorisation or registration

Businesses must seek either FCA authorisation as an Authorised Payment Institution (API) or registration as a Small Payment Institution (SPI) based on their payment transaction volumes:

  • Businesses projecting over EUR 3 million in payments annually should seek API authorisation; and
  • Those expecting less than EUR 3 million can register as an SPI.

Firms providing payment initiation services should apply for authorisation as an API, whilst those providing account information services should apply to become a registered account information service provider (RAISP).

You can find out more about authorisation or registration with the FCA under the PSRs on the FCA’s website here.

Operational requirements

The following outlines key operational requirements:

  • PSRs Parts 3 and 4: deal with minimum requirements for APIs and SPIs and cover aspects such as capital adequacy, safeguarding of client funds, audits and record-keeping.
  • PSRs Parts 6-8: detail the information provision standards to customers, charge structures, transaction authorisation processes including strong customer authentication, and guidelines for accessing payment systems and bank accounts.

The FCA Handbook also contains regulatory requirements. These include:

  • Principles for Business: Outlines overarching principles and behavioural expectations for how businesses should operate and treat customers.
  • Banking: Conduct of Business sourcebook (BCOBS): sets information and conduct rules for providers of deposit and payment accounts.
  • Consumer Credit and Supervision Rules (CONC and SUP) address specific requirements for credit activities and interaction protocols with the FCA, including compliance reporting.
  • Complaints Handling Rules (DISP): Set standards for addressing customer grievances effectively.

PSPs must comply with broader regulations such as data protection laws and Money Laundering Regulations (MLRs). Guidance from HMRC and the FCA helps PSPs establish robust systems to prevent financial crimes, including tactics to deter money mules.

Penalties for non-compliance

Providing payment services without the required authorisation or registration is a criminal offence and, in the most serious cases, could lead to prosecution by the FCA.

While criminal offences are outlined in Part 11 of the PSRs, such as misleading the FCA or Payment Systems Regulator, these criminal offences generally do not impact reputable businesses.

Civil penalties for non-compliance pose a more common risk. These penalties can significantly impact firms, even for inadvertent breaches.

If the FCA or Payment Systems Regulator identifies a potential breach, they will likely first enter into dialogue with you to learn more and ask you to put things right. If matters are not quickly resolved, the regulators may then use their powers to compel your business to act, or to stop you from doing something they believe could cause problems.

In cases of severe or unrectified breaches, the regulators can launch formal investigations into potential wrongdoing. If a breach is subsequently proven, this could lead to significant sanctions on businesses or individuals, including substantial fines, mandatory customer compensation or public censure.

The FCA’s primary aim in using its investigation and enforcement powers in the context of suspected unauthorised activities is to protect the interests of consumers. The FCA’s priority will be to confirm whether or not a regulated activity has been carried on in the United Kingdom by someone without authorisation or exemption, and, if so, the extent of that activity and whether other related contraventions have occurred. It will seek to assess the risk to consumers’ assets and interests arising from the activity as soon as possible.

For these reasons, understanding and complying with your regulatory obligations is vital for your business.

The future of Payment Services Regulation

The future of the UK's PSRs is due to evolve significantly under the government's Smarter Regulatory Framework program, which is aimed at enhancing competitiveness and flexibility in the financial sector.

In January 2023, the government launched a review into the PSRs. The consultation highlighted several areas where potential changes were being considered, especially in consumer protection, where the FCA is slated to consult on a new safeguarding regime for client funds in 2024. Other potential changes include:

  • Enhancing the safeguarding regime for client monies.
  • Introducing more flexibility into regulatory technical standards for SCA.
  • Revisiting requirements for prompt settlement, including whether deferral in cases of suspected fraud might be warranted.
  • Reviewing disclosure requirements for currency conversion; and
  • Looking at grounds and processes for terminating customer accounts.

The EU is also currently undertaking work on a third Payments Services Directive (PSD3), which is due to be voted on by the European Parliament later in 2024. Given potential developments in the UK PSRs and the advent of EU PSD3, there may be wider divergence between UK and EU regulation of payment services going forward. It remains to be seen whether this will impact UK participation in SEPA going forward.

Conclusion

If your business provides payment services in the UK, you need to consider whether you need to be authorised or registered with the FCA. You should also ensure that you understand all your regulatory and other legal obligations to minimise any compliance risks for your business.

Our  financial services solicitors can provide current legal advice on the PSRs and related authorisation, registration and compliance requirements. We can also support you on data protection and anti-money laundering compliance. Please do not hesitate to contact our team for further information.

About our expert

John Pauley

John Pauley

Financial Services Partner
John is a specialist solicitor with extensive expertise in financial services regulation. He advises financial institutions, services providers, and merchants on regulated activities including payments, e-money, consumer credit, Financial Conduct Authority (FCA) Authorisation, anti-money laundering (AML), data protection and gambling operations.


What next?

Please leave us your details and we’ll contact you to discuss your situation and legal requirements. There’s no charge for your initial consultation, and no-obligation to instruct us. We aim to respond to all messages received within 24 hours.

Your data will only be used by Harper James Solicitors. We will never sell your data and promise to keep it secure. You can find further information in our Privacy Policy.


Our offices

A national law firm

A national law firm

Our commercial lawyers are based in or close to major cities across the UK, providing expert legal advice to clients both locally and nationally.

We mainly work remotely, so we can work with you wherever you are. But we can arrange face-to-face meeting at our offices or a location of your choosing.

Head Office

Floor 5, Cavendish House, 39-41 Waterloo Street, Birmingham, B2 5PP
Regional Spaces

Capital Tower Business Centre, 3rd Floor, Capital Tower, Greyfriars Road, Cardiff, CF10 3AG
Stirling House, Cambridge Innovation Park, Denny End Road, Waterbeach, Cambridge, CB25 9QE
13th Floor, Piccadilly Plaza, Manchester, M1 4BT
10 Fitzroy Square, London, W1T 5HP
Harwell Innovation Centre, 173 Curie Avenue, Harwell, Oxfordshire, OX11 0QG
1st Floor, Dearing House, 1 Young St, Sheffield, S1 4UP
White Building Studios, 1-4 Cumberland Place, Southampton, SO15 2NP
A national law firm

Like what you’re reading?

Get new articles delivered to your inbox

Join 8,153 entrepreneurs reading our latest news, guides and insights.

Subscribe


To access legal support from just £145 per hour arrange your no-obligation initial consultation to discuss your business requirements.

Make an enquiry