Skip to main content

Payments and E-Money Authorisations

This blog is the first in a Deloitte series focussed on UK Authorisations. Here we provide an overview of the key considerations and requirements for prospective payments or E-Money firms, along with areas where these firms sometimes don’t initially manage to meet the expectations of the regulator – exploring the following key areas:

  • The Payments and E-Money Authorisations process;
  • Regulatory focus for Authorisations;
  • What to expect when submitting an application; and
  • Typical misunderstandings during the application process.

Who this blog is for

  • Businesses interested in applying for Payment Services and E-Money permissions;
  • Businesses considering changing or increasing the type of Payment Service or E-Money permissions they hold; and
  • Those who are currently unregulated - businesses generally interested in moving into the regulated Financial Services sector.

Increased Regulatory Focus
 

As a firm wishing to become authorised, you must have a clear view on the investment it will take, your ability to meet the Authorisation requirements  and the benefits you expect to gain, including your growth prospects. 
The Financial Conduct Authority (“FCA”) Authorisation strategy was updated 2 years ago and has become tougher. The FCA has publicly indicated its intention to raise standards, recently citing that its application rejection rate rose from 1 in 14 (2021) to 1 in 5 (2023)1. In addition, there has been increasing scrutiny over a sustained period as the regulator has sought to drive up standards within the sector. This is at least in part due to growth generated by innovation in the fintech sector and businesses moving into scope of the regulation for the first time (notably AISP and PISPs2) following the introduction of the Payment Services Directive 2 (“PSD2”) and Payment Services Regulations (PSRs).  We have seen an increased volume of ‘Dear CEO letters’3, new guidance and supervisory and enforcement intervention all of which has increased focus on:

  • Preventing foreseeable customer harm;
  • Ensuring good outcomes for customers; and
  • Financial system integrity through robust AML/fraud practice and operational resilience.

In addition, the Payment System Regulator’s Authorised Push Payment (“APP”) scams reimbursement rules came into effect in October 20244. This has placed a requirement on regulated businesses handling payments to reimburse eligible customers who fall victim to APP fraud up to the value of £85,000 per transaction5.

Payments Authorisations in the UK – Which one is for you?
 

Payment Services and E-Money are key regulated sectors in the UK financial services market that continue to experience significant growth. For organisations wanting to join the marketplace, they must first be authorised by the FCA. There are a number of different Payment Services and E-Money activities. It is important to determine what your business intends to offer and what permissions you will need to apply for. 

A payment service can cover services such as:

  • Sending money from a to b (money remittance);
  • Direct debits; and
  • Allowing cash withdrawals from a payment account.

E-Money can include activities such as:

  • Accepting money to be held electronically allowing customers to spend from the account.

Businesses which are ready to operate in line with regulatory expectations on the day the application is submitted typically find the route to approval more straightforward. These businesses use the application requirements as a helpful set of milestones to determine when they are ready for Authorisation, using the regulator’s expectations as a baseline for business operations. Conversely, those that rush to apply often latterly report that they found the process lengthy and resource intensive. Spending the time preparing to apply has proven to be a strategic investment in future success.

To apply or not to apply?
 

Organisations should carefully consider what they want to bring to the market and whether it requires any Authorisation from the FCA to do so. It is important that businesses apply for the correct permissions and do not use the Authorisations process as a means of trial and error to determine what permissions best suit their business model. This should be established before the point of application. Several factors may necessitate applying for Payments or E-Money permissions:

  • Bringing a new product to market: Businesses that have developed a new regulated financial product or that want to move into the Payment Services or E-Money sector;
  • Getting bigger: Existing payment services or E-Money businesses that have grown in size and need to increase the scope of permissions;
  • Strategic repositioning: Changes in the target market and/or business model; and
  • Regulatory changes: The FCA continuously updates its regulations, and organisations must adapt to become or remain compliant.\

To answer the question ‘to apply or not to apply?’ businesses are expected to be aware as to whether or not their business model requires Authorisation. Operating a regulated business activity without permission is a criminal offence so, if in doubt, find out!
There is a suite of different permissions that can be considered, all of which permit a different style and size of regulated business. Businesses should consider what will best suit their immediate to medium term business plan when choosing what permissions to apply for, considering whether or not plans for growth align with the permissions they are seeking.

Table 1: Description of payment permission types
Table 1: Description of payment permission types

Approval type

Permission type

Description6

Registration

SPI Small Payment Institution

Offer the same services as an API but have limits on the value of payments they can take over time. Also, are not required to safeguard client money.

Registration

SEMI Small E-Money Institution

Offers the same services as an AEMI but has limits on the total value of E-Money it can hold over a period of time and average transaction amount.

Authorisation

API Authorised Payment Institution

Can offer the same services as an SPI, with no payments limit over time. Must safeguard client funds.

Authorisation

AEMI Authorised Electronic Money Institution

Authorised to hold E-Money, stored in an E-wallet. Can provide non-bank current accounts.

Authorisation

ASIP Account information Service Provider

Provides consolidated information on payment accounts only, no ability to initiate transactions.

Authorisation

PISP Payment Initiation Service Provider

Facilitates payments on behalf of customers, initiating payment instructions from the customer's account to another payment service provider.

The Authorisation Journey
 

The FCA employs a defined approach for assessing an application for payments or E-Money services, covering the following steps:

  • Application submission;
  • Acknowledgement of receipt;
  • Allocation to a case officer;
  • Review and follow up; and
  • Decision.

The process has defined timescales, with the entire process often taking 12 months. The FCA states if an application is complete, they will assess it and give a decision within 3 months. However, businesses often inadvertently submit incomplete applications, meaning the total timeframe allowable to determine the application for the FCA is 12 months. This is often a key stumbling block for applicants who prepare an application without expert support. 

Key Requirements for a Successful Application – Things to consider when applying for Authorisation


The application process is often misunderstood: Businesses typically underestimate the amount of time and the level of scrutiny the application undergoes. Aside from completion of a relatively detailed application form, applicants are expected to demonstrate at point of application that they are ready to undertake regulated financial services. This means having in place any and all policy, process, operational arrangements, premises, resources, finances and marketing that is required.

Key Requirements for a Successful Application – Creating a foundation for success


Firstly, businesses need to consider whether they adhere to the base criteria for all regulated financial services applications in the UK: the threshold conditions. These act as minimum standards which all regulated business must meet7:

  1. Location of offices: The applicant must have its head office and (if it has one) registered office in the UK;
  2. Effective Supervision: A business must be capable of being effectively supervised; having regard to the nature, scale, complexity of its business;
  3. Appropriate resources: A business must have appropriate resources given the nature, scale and complexity of its business;
  4. Suitability: The business and its mind and management must be fit and proper; and
  5. Business model: The business model must be suitable for the regulated activity it intends to carry out.

We outline below the key areas of focus the application for Authorisation requires. The FCA can at times, extend its area of review more widely than this, so it is important to be prepared for any area of your business to face scrutiny8

Area of review

Points to include

Company details

  • Principal place of business and legal status;
  • Whether the business is incorporated;
  • How long the business has been trading for;
  • What the business’s website address is;
  • What the business’s control structure is (full details of this);
  • Whether you're a sole trader – sole traders generally:
    • Have the right to make all decisions affecting the business;
    • Own all the assets of the business;
    • Are responsible for paying income tax on profits of the business; and
    • Are responsible for the debts and obligations of the business without any limit.

Consumer duty

  • Sets the standard of care that business should give to customers in retail financial markets across four outcomes:
    • Products and Services;
    • Price and Value;
    • Consumer Understanding; and
    • Consumer support.

The business will need to demonstrate under the above points how it will work to avoid foreseeable harm to consumers and provide good outcomes.

Governance

  • Who will be carrying out the day to day running of the business
  • Who are the director(s)/proprietor(s) of your business, and key persons
  • What senior management functions (SMFs) will each individual hold
  • Who will be responsible for compliance oversight
  • What experience your business’s governing body or senior management has of the regulated activities your business wishes to carry out
  • What the background and experience is of everyone performing SMFs (including their employment

Business model overview

  • What services (both regulated and non-regulated) your business will provide, as well as the areas the business specialises in;
  • Why your business requires Authorisation for the activities it will undertake;
  • Details of any relationships/agreements with lead generators or brokers;
  • If your business is trading, provide details on your existing customer base and how the regulated activities proposed will impact on these customers;
  • What your business’s long-term strategy is (e.g.: growth targets, changes in personnel);
  • Whether the business will hold any client money; and
  • Details of any fees and how they are explained to the customer.

Marketing

  • Marketing plans; and
  • Any financial promotions that your business may be using or is planning to use.

Customer journey

  • How your business obtains new clients;
  • Whether your business is acquiring any existing clients from another business;
  • What your business’s ongoing client relationship is;
  • Providing a step-by-step guide of the journey a customer takes for the sale/service; and
  • What the after-sales care process is.

Vulnerable Customers

  • How your business identifies when a customer is in a vulnerable circumstance;
  • What your business’s process is when dealing with customers in vulnerable circumstances;
  • What services are offered to customers who find themselves in vulnerable circumstances; and
  • If your business has a detailed document for this policy, please provide this as a supporting document.

Compliance

  • Whether your business uses a third-party compliance business to assist in this area, and, if so, provide the details of this arrangement and set out the oversight that the business has in place;
  • What quality assurance processes are in place for your business;
  • What key risks have been identified and how your business will mitigate these risks; and
  • Whether your business has a risk-based compliance monitoring programme.

Complaints

  • How the business will monitor complaints;
  • What will happen when a customer isn't satisfied with your business's resolution; and
  • If your business has a detailed document for this policy, please provide this as a supporting document.

Training

  • How your business will ensure staff are sufficiently trained to deliver the requested activities in line with the regulatory requirements;
  • Whether your business will hold any refresher training, and, if so, how often;
  • Whether your business will provide specialist training in relation to specific products; and
  • Whether your business's training material covers vulnerable customers and the complaints policy.

Incentives

  • Whether your business will offer incentives to staff, and, if so, provide details of what your business bases the incentives on. This might include, but is not limited to, productivity, quality, compliance caveats and customer feedback.

Capitalisation

  • How your business will hold sufficient capital to meet the relevant capital resource requirement; and
  • The information here should corroborate with the financial information you send us as part of your application.

Overview of Policies

  • Provide an overview of the policies and procedures you have in place that are relevant to your business’s business model.

Key Requirements for a Successful Application – Current areas of supervisory focus


To secure Authorisation, your organisation must also demonstrate its ability to meet the above requirements and provide necessary information across areas of current focus. The FCA Payments Supervision recently expressed concerns about the conduct of the payments and E-Money sector in the following areas9:

  • Safeguarding;
  • Prudential resilience;
  • Wind down plans; and
  • Fraud.

So, it is imperative applicants have robust measures in place against each of the above and are able to articulate them accurately. 

Key Requirements for a Successful Application – Regulatory expectations


The regulator expects applicants to be “ready, “willing” and “organised” at the point of Authorisation. As noted above, this means having all the relevant information, documentation, resource, finance, people and process in place at the point of application.
Businesses should not expect to use the application process as a means to develop the business or material aspects of it.Businesses should expect the regulator to have questions and be ready and open when answering. Further, the following key points should be adhered to in order to avoid delays:

  • Engage with questions from the regulator during the application process in an open, prompt and concise manner. Expect the review to cover any area of the regulatory business model and ensure the response answers the regulator’s question. Case officers are considering the knowledge and experience of everyone involved with the business when making a decision;
  • Use the information required by the regulator as a metric for preparedness. If all required information can be provided and the requirements can be demonstrated as met, the business is likely ready to apply you can provide all required information and demonstrate you meet all the requirements;
  • Be prepared to demonstrate levels of significant control and ownership; anyone with a controlling stake of 10% or more, may be considered and held to regulatory standards regarding control of a regulated business;
  • Be prepared to demonstrate the end to end customer journey, investing in preparing this up front, saves time during the application process, as it will likely be requested;
  • Be ready to articulate how the business will ensure a customer is receiving good customer outcomes and will take steps to avoid foreseeable harm. The regulator is focused on customer outcomes and will want to see alignment with the consumer duty in the proposed business plan; and
  • Suitable policies and processes should be in place and available for review, the regulator will consider whether the business is able to undertake the business model it proposes and uses the quality of such documentation as a point of consideration.

Below is an end-to-end application preparation and decision process:

Next Steps and How Deloitte can help:

The Authorisation journey for payments and E-Money firms is a broad one, requiring input from many different specialist areas. At Deloitte, we are able to bring all the necessary capabilities and skillsets together in one place to support and enable you and your business to demonstrate you are ready for Authorisation as well as to help you navigate the application process. We break the type of support provided into two areas:

End to end support:
This can be scaled according to need, from off the shelf support to bespoke policy and process preparation, dialling this in and out according to levels of need and maturity within the areas of your business that will undergo during the application process.

Modular support:
We can support with drafting, reviewing and development of your business plan and application. This can be combined into a multi-module support package as required.

Below we outline some configuration of support available; however, these can be flexed to accommodate your requirements