If your business is navigating the regulation of payment services in the UK, understanding whether your services require FCA authorisation or registration under the Payment Services Regulations 2017 is essential.
These rules apply to a wide range of activities, including money remittance and card issuance, as well as payment initiation and account information services. With an evolving regulatory landscape and serious consequences for non-compliance, getting it wrong can be costly. This article sets out the key regulatory requirements for UK-based payment service providers.
If you require legal advice tailored to your specific operations, our financial services solicitors can assist you. We can assess your regulatory position, assist with FCA authorisation applications, or help you effectively structure your compliance framework.
Contents:
- The regulation of payment services in the UK
- Supervision and compliance
- Authorisation and registration requirements under the PSR
- Process for FCA authorisation or registration
- Operational requirements
- Penalties for non-compliance
- The future of Payment Services Regulation
- Understanding your obligations under the PSRs
The regulation of payment services in the UK
The Payment Services Regulations 2017 (PSRs) govern businesses offering payment services in the UK. They require that anybody providing payment services as a regular business activity must be authorised or registered to do so.
The UK used the PSRs to implement the European Union’s (EU) second Payment Services Directive (PSD2). After Brexit, the UK retained the PSRs with some amendments to make sure the rules would still work after the UK had left the EU. Although the UK government can now diverge from EU standards in the payment services space, it would need to carefully consider whether any divergence might jeopardise the UK’s continued participation in the Single European Payments Area (SEPA).
Supervision and compliance
The main regulator of payment services in the UK is the Financial Conduct Authority (FCA). Businesses providing in-scope payment services must apply for FCA authorisation or be registered by the FCA, which enforces compliance and sets specific rules for Payment Service Providers (PSPs) in its Handbook. The FCA provides detailed guidance, including an "approach document" and periodic communications on supervisory priorities and regulatory duties.
The Payment Systems Regulator (PSR) is responsible for supervising specific requirements under the PSRs, including the transparency of ATM withdrawal charges and access to payment systems and bank accounts. The Payment Systems Regulator has set out its approach to monitoring and enforcing the revised Payment Services Directive (PSD2).
The Bank of England also contributes to the regulation of payment services, acting as the ‘settlement agent’ for UK payment systems like CHAPS. The Bank provides settlement accounts to banks and enables authorised non-bank PSPs to access these accounts directly, rather than having to rely on indirect access through a sponsoring bank.
Authorisation and registration requirements under the PSR
The FCA requires businesses providing the following payment services to seek authorisation or registration:
- Services enabling funding of, or withdrawal from, a payment account, including all operations needed to operate a payment account.
- Execution of payment transactions including direct debit, payment card transactions, credit transfers and standing orders (whether or not a credit line is provided to the service user).
- Issuing payment cards or providing merchant acquisition services.
- Money remittance.
- Payment initiation services (payments instigated by a payment account holder as an alternative to paying by credit or debit card online); and
- Account information services (such as dashboards displaying multiple bank accounts or ‘open banking’ services).
Certain payment services are excluded from the PSRs, such as:
- Payment transactions made through commercial agents acting on behalf of a payer or payee.
- Cash-to-cash currency exchange (e.g., bureaux de change).
- Payment transactions linked to securities servicing (e.g. dividend payments, share sales or unit redemptions).
- Specific services provided by technical service providers.
- The ‘limited network exclusion’ (for payments made using instruments within a limited network of service providers or for a very limited range of goods or services, e.g. shopping centre gift cards); and
- The ‘electronic communications exclusion’ (for payment transactions by internet or phone service providers where charges for certain lower value goods or services are added to subscriber bills).
The criteria which must be met to benefit from exclusions can be complex, and you may want to consider taking specialist legal advice from our team of financial services solicitors if you plan to rely on an exclusion.
Businesses using the limited network and electronic communications exclusions must notify the FCA and demonstrate compliance with the conditions of these exclusions if their transaction volume reaches a certain limit.
Additionally, credit unions, electronic money institutions, municipal banks, and firms already authorised for certain financial activities do not need separate authorisation to provide payment services, but may need to apply to the FCA to vary their existing regulatory permissions. Activities incidental to a business’s main function, like certain crowdfunding operations, also do not require authorisation.
Process for FCA authorisation or registration
Businesses must seek either FCA authorisation as an Authorised Payment Institution (API) or registration as a Small Payment Institution (SPI) based on their payment transaction volumes:
- Businesses projecting over EUR 3 million in payments annually should seek API authorisation; and
- Those expecting less than EUR 3 million can register as an SPI.
Firms providing payment initiation services should apply for authorisation as an API, whilst those providing account information services should apply to become a registered account information service provider (RAISP).
You can find out more about authorisation or registration with the FCA under the PSRs on the FCA’s website.
Operational requirements
The following outlines key operational requirements:
- PSRs Parts 3 and 4 address the minimum requirements for APIs and SPIs, covering aspects such as capital adequacy, safeguarding of client funds, audits, and record-keeping.
- PSRs Parts 6-8 detail the standards for providing information to customers, charge structures, transaction authorisation processes including strong customer authentication, and guidelines for accessing payment systems and bank accounts.
The FCA Handbook also contains regulatory requirements. These include:
- Principles for Business: outlines the overarching principles and behavioural expectations for how businesses should operate and treat their customers.
- Banking: Conduct of Business sourcebook (BCOBS): sets information and conduct rules for providers of deposit and payment accounts.
- Consumer Credit and Supervision Rules (CONC and SUP): address specific requirements for credit activities and interaction protocols with the FCA, including compliance reporting.
- Complaints Handling Rules (DISP): establish standards for effectively addressing customer grievances.
PSPs must comply with broader regulations such as data protection laws and Money Laundering Regulations (MLRs). Guidance from HMRC and the FCA helps PSPs establish robust systems to prevent financial crimes, including tactics to deter money mules.
Penalties for non-compliance
Providing payment services without the required authorisation or registration is a criminal offence and, in the most serious cases, could lead to prosecution by the FCA.
Part 11 of the PSRs sets out criminal offences, such as misleading the FCA or the Payment Systems Regulator, but these offences generally do not impact reputable businesses.
Civil penalties for non-compliance pose a more common risk. These penalties can have a significant impact on firms, even for inadvertent breaches.
If the FCA or Payment Systems Regulator identifies a potential breach, they will likely first enter into dialogue with you to learn more and ask you to put things right. If matters are not quickly resolved, the regulators may then use their powers to compel your business to act, or to stop you from doing something they believe could cause problems.
In cases of severe or unrectified breaches, the regulators can launch formal investigations into potential wrongdoing. If a breach is subsequently proven, it could lead to significant sanctions for businesses or individuals, including substantial fines, mandatory customer compensation, or public censure.
The FCA’s primary aim in using its investigation and enforcement powers in the context of suspected unauthorised activities is to protect the interests of consumers. The FCA’s priority will be to confirm whether or not a regulated activity has been carried on in the United Kingdom by someone without authorisation or exemption, and, if so, the extent of that activity and whether other related contraventions have occurred. It will seek to assess the risk to consumers’ assets and interests arising from the activity as soon as possible.
For these reasons, understanding and complying with your regulatory obligations is vital for your business.
The future of Payment Services Regulation
The UK's PSRs are set to evolve significantly under the government's Smarter Regulatory Framework programme, which aims to enhance competitiveness and flexibility in the financial sector.
In January 2023, the government launched a review into the PSRs. The consultation highlighted several areas where potential changes were being considered, especially in consumer protection, where the FCA is slated to consult on a new safeguarding regime for client funds in 2024. Other potential changes include:
- Enhancing the safeguarding regime for client monies.
- Introducing more flexibility into regulatory technical standards for SCA.
- Revisiting requirements for prompt settlement, including whether deferral in cases of suspected fraud might be warranted.
- Reviewing disclosure requirements for currency conversion; and
- Looking at grounds and processes for terminating customer accounts.
The EU is also currently undertaking work on a third Payment Services Directive (PSD3), which is due to be voted on by the European Parliament later in 2024. Given potential developments in the UK PSRs and the advent of EU PSD3, there may be wider divergence between UK and EU regulation of payment services going forward. It remains to be seen whether this will impact UK participation in SEPA.
Understanding your obligations under the PSRs
If you’re providing payment services in the UK, it’s crucial to identify whether your business needs FCA authorisation or registration. You must ensure that you are fully aware of your ongoing obligations under the Payment Services Regulations. With increasing regulatory scrutiny and changes on the horizon through the government’s Smarter Regulatory Framework, having the proper legal support is more crucial than ever. Our financial services solicitors can advise you on authorisation routes, applicable exemptions, safeguarding arrangements, and day-to-day compliance measures to help you manage risk and remain fully compliant.