Is your business providing payment services in the UK? If so, you should know which types of payment services are subject to regulation and what you need to do if your business offers these.
This article provides an introductory overview of payment services regulation in the UK. If you need further advice or support in understanding how regulation may affect your payment services business, please do not hesitate to get in touch with Harper James’ financial regulation team.
Our solicitors have extensive experience in dealing with payment services authorisation, registration and regulatory compliance and are here to help you navigate payment services regulation.
- What is the main piece of legislation regulating UK payment services?
- Who supervises compliance with the PSRs in the UK?
- What other bodies are involved in looking after UK payment services?
- Which payment services are covered by the PSRs?
- Are there payment services which are excluded from PSR rules?
- Are there other exemptions from the requirement to be authorised or registered under the PSRs?
- How does FCA authorisation or registration under the PSRs work?
- What other regulatory requirements apply to authorised or registered payment institutions?
- What are the consequences of PSPs breaching regulatory requirements?
- What is the future of the PSRs?
What is the main piece of legislation regulating UK payment services?
Requirements for businesses wanting to offer payment services in the UK are set out in the Payment Services Regulations 2017 (PSRs). Broadly, the PSRs require that anybody providing in-scope payment services as a regular occupation or business activity must be authorised or registered to do so.
The UK used the PSRs to implement the European Union’s (EU) second Payment Services Directive (PSD2). EU Directives did not apply directly to businesses in the UK. Instead, whilst still a member of the EU, the UK was required to give effect to the intent of EU Directives by bringing in appropriate national laws.
After Brexit, the UK decided to retain the PSRs, with some amendments to make sure the rules would still work after the UK had left the EU. Although the UK government can now diverge from EU standards in the payment services space, it would need to carefully consider whether any divergence might jeopardise the UK’s continued participation in the Single European Payments Area (SEPA).
Who supervises compliance with the PSRs in the UK?
The main regulator of payment services in the UK is the Financial Conduct Authority (FCA). Businesses providing in-scope payment services must apply to be authorised or registered by the FCA.
The FCA oversees how payment service providers (PSPs) adhere to most of the requirements contained in the PSRs. The FCA also makes its own rules for PSPs (which are set out in the FCA’s Handbook) and issues guidance to help PSPs comply with their obligations. For example, the FCA has issued a detailed “Approach document” which explains how it looks after the activities of PSPs. It has also issued letters which set out FCA priorities for the supervision of payments firms (March 2023) and guidance on implementing the FCA’s Consumer Duty (February 2023).
The Payment Systems Regulator has responsibility for supervising specific PSR requirements. For example, the Payment Systems Regulator decides on the information which PSPs must provide about ATM withdrawal charges. It also supervises access to payment systems and, jointly with the FCA, access to bank accounts. The Payment Systems Regulator has issued a document setting out its role in relation to the PSRs.
What other bodies are involved in looking after UK payment services?
The Bank of England acts as ‘settlement agent’ for UK payment systems and also operates the CHAPS real-time gross settlement payment system. The Bank provides participating banks with settlement accounts to allow them to settle net obligations from UK payment systems. It also supports a mechanism whereby authorised non-bank PSPs can access a Bank settlement account rather than having to rely on indirect access through a sponsoring bank.
Which payment services are covered by the PSRs?
The PSR requirement to seek FCA authorisation or registration applies to providers of the following types of payment services:
- services enabling funding of, or withdrawal from, a payment account, including all operations needed to operate a payment account
- execution of direct debit, payment card transactions and credit transfers, including standing orders (whether or not a credit line is provided to the service-user)
- issuing payment cards or providing merchant acquisition services
- money remittance
- payment initiation services (payments instigated by a payment account holder as an alternative to paying by credit or debit card online)
- account information services (such as dashboards displaying multiple bank accounts or ‘open banking’ services).
Are there payment services which are excluded from PSR rules?
Yes. There are exclusions which can take services outside the scope of the authorisation and registration regime under the PSRs. Examples of such exclusions include:
- payment transactions through commercial agents acting on behalf of a payer or payee
- cash to cash currency exchange (e.g. bureaux de change)
- payment transactions linked to securities servicing (e.g. dividend payments, share sales or unit redemptions)
- certain services provided by technical service providers
- the ‘limited network exclusion’ (for payments made using instruments within a limited network of service providers or for a very limited range of goods or services e.g. shopping centre gift cards)
- the ‘electronic communications exclusion’ (for payment transactions by internet or phone service providers where charges for certain lower value goods or services are added to subscriber bills).
The criteria which must be met to benefit from exclusions can be complex and you may want to consider taking specialist legal advice if you plan to rely on an exclusion.
You should also be aware that businesses utilising the limited network and electronic communications exclusions must notify the FCA of this and provide the FCA with information confirming how you comply with the conditions of the exclusion (Part 5 of the PSRs).
Are there other exemptions from the requirement to be authorised or registered under the PSRs?
Yes. Credit unions and municipal banks are not in scope of the PSRs.
Also, if your business already holds authorisation to undertake certain other financial activities in the UK, you do not need to apply for further authorisation to provide payment services. This applies if your business is, for example:
- a bank or building society, or
- an authorised or registered e-money institution.
You also do not need to be authorised or registered if your business is not providing payment services as a regular occupation or business activity. This can be the case if payments activity is purely incidental to your main business. For example, operators of loan or investment-based crowd funding platforms which transfer funds between participants as part of that activity do not generally need to be authorised. The FCA’s guidance in the Perimeter Guidance regulatory guide at PERG 15.5 Question 9 has more information on this.
How does FCA authorisation or registration under the PSRs work?
The PSRs require business to seek either FCA authorisation or registration, depending on their activities and the volume of payments which they handle (Part 2 of the PSRs).
Businesses which expect to generate more than EUR3m of in-scope payments in a 12-month period should seek authorisation as an authorised payments institution (API). Businesses which project that they will generate less then EUR3m’s worth of payments in a 12-month period can opt to register as a small payment service institution (SPI).
Any firms looking to provide payment initiation services should apply for authorisation as an API, whilst business intending to provide account information services are asked to apply to become a registered account information service provider (RAISP).
You can find out more about authorisation or registration with the FCA under the PSRs on the FCA’s website here.
What other regulatory requirements apply to authorised or registered payment institutions?
Parts 3 and 4 of the PSRs deal with minimum requirements for APIs and SPIs and cover aspects such as capital adequacy, safeguarding of client funds, audits and record-keeping.
Part 6 of the PSRs covers standards for providing information to customers for different transactions and services, whilst Part 7 deals with charges and the authorisation and execution of payment transactions. Authorisation requirements include technical requirements for strong customer authentication (SCA). Part 8 deals with access to payment systems and bank accounts.
The FCA Handbook also contains regulatory requirements with which APIs, SPIs and RAISPs must comply. These include:
- FCA Principles for Business, or high-level, principles-based rules about how a business should be run
- Conduct of Business rules (in the BCOBS sourcebook), or rules about appropriate behaviour for businesses and how they should treat their customers
- Consumer Credit rules (in the CONC sourcebook) for PSPs involved in credit-related activities
- Supervision rules (in the SUP sourcebook), or rules about how businesses should interact with the FCA, including around regulatory reporting and notifications
- Complaints Handling rules for PSPs (in the DISP sourcebook).
PSPs will also have compliance obligations under non-PSP specific legislation. For example, PSPs must comply with data protection law and with the Money Laundering Regulations (MLRs). Both HMRC and the FCA publish guidance to help businesses to establish effective systems and controls to combat financial crime.
What are the consequences of PSPs breaching regulatory requirements?
Providing payment services without authorisation or registration is a criminal offence and, in the most serious cases, could lead to prosecution by the FCA.
There are a small number of other criminal offences dealt with in Part 11 of the PSRs (such as offences linked to misleading the FCA or Payment Systems Regulator). These criminal offences generally will not impact reputable businesses.
Of more concern are the civil penalties that attach to breaches both of PSR requirements and the regulatory rules made by the FCA or the Payment Systems Regulator. Civil sanctions can cause very real difficulties for firms which breach their regulatory obligations, even inadvertently.
If the FCA or Payment Systems Regulator identifies a potential breach of rules in your regulated business, they are most likely to enter dialogue with you to learn more and ask you to put things right. If matters are not quickly resolved, the regulators may then use their powers to require your business to act, or to stop doing something they believe could cause problems.
Where serious breaches are suspected or issues have not been properly remediated, the regulators can launch formal investigations into potential wrongdoing. If a breach is subsequently proven, this could lead to significant sanctions on a business or the individuals running it, including substantial fines, customer redress or public censure.
For these reasons, understanding and complying with your regulatory obligations is vital for your business.
What is the future of the PSRs?
In January 2023, the UK government launched a review into the PSRs. The consultation highlighted several areas where potential changes were being considered, including:
- enhancing the safeguarding regime for client monies
- introducing more flexibility into regulatory technical standards for SCA
- revisiting requirements for prompt settlement, including whether deferral in cases of suspected fraud might be warranted
- reviewing disclosure requirements for currency conversion
- looking at grounds and processes for terminating customer accounts.
The EU is also currently undertaking work on a third Payments Services Directive (PSD3). Given potential developments in the UK PSRs and the advent of EU PSD3, there may be wider divergence between UK and EU regulation of payment services going forward. It remains to be seen whether this will impact UK participation in SEPA going forward.
If your business is providing payment services in the UK, you need to consider whether you need to be authorised or registered with the FCA. You should also ensure that you understand all your regulatory and other legal obligations to minimise any compliance risks for your business. Harper James’ financial services solicitors can provide up-to-the-minute advice on the PSRs and related authorisation, registration and compliance requirements. We can also support you on data protection and anti-money laundering compliance. Please do not hesitate to contact our team for further information.