Module Application
Does your payment institution meet all applicable authorisation, risk management, business conduct, and information delivery obligations created by UK legislation, and treat customers in accordance with prescribed standards?
Is your payment institution meeting its risk management requirements, including capital requirements, safeguarding requirements, and other risk management arrangements?
Is your payment service provider operating with high standards of transparency and fairness, safeguarding customer interests throughout their engagement with financial services?
Does your payment service provider adhere to information requirements throughout payment transactions and framework contract management?
Does your payment institution comply with legislated restrictions on interchange fees and payment surcharges, and implement prescribed business rules?
Does your payment institution recognise and comply with technical standards including the strong customer authentication technical standard?
Module Scope
The Payment Services module outlines the regulatory requirements for payment service providers and e-money institutions operating in the UK.
The rules and standards are administered in the UK by:
- The Financial Conduct Authority (FCA), which focused on protecting consumer interests
- The Prudential Regulation Authority (PRA), an arm of the Bank of England focused on protecting the health of the UK economy
- The Payment Systems Regulator (PSR), an independent component of the FCA responsible for the oversight and direction of payment service providers operating in the UK
As providers of financial services, payment service providers are also subject to a broad range of UK financial legislation, including the Financial Services and Markets Act 2000, The Payment Services Regulations 2017 and The Electonric Money Regulations 2011.
Organisations that already provide, operate, or administer payment systems in the UK can use the module to confirm the adequacy of existing compliance measures and gauge the compliance burden of proposed expansions. The module covers topics such as:
- Authorisation and licensing requirements
- Risk management
- Outsourcing and use of agents
- Conduct of business requirements
- Consumer relations
- Cross-border payments
- Standards and interoperability
1. Authorisation and Licensing Requirements
Payment institutions must obtain authorisation from the FCA before providing payment services. To obtain FCA authorisation, the payment institution must demonstrate that the institution:
- Possesses prescribed levels of initial capital
- Is a corporate body subject to UK law with headquarters in the UK
- Intends to conduct part of its payment services business within the UK, and
- Has established robust governance, effective risk management, and adequate internal controls tailored to the scale of its services
2. Risk Management
To operate legally and protect its customers, a payment institutions must meet must meet prescribed risk management requirements. These include:
- Capital requirements
- Safeguarding requirements
- Security measures
3. Outsourcing and Use of Agents
Payment institutions can only provide payment services through agents listed on the Financial Services Register maintained by the FCA. Furthermore, the payment institution must notify the FCA of its intent to outsource operational functions, including a description of the function and the identity of the outsourcing provider.
Before entering an outsourcing arrangement, the payment institution must conduct thorough due diligence on potential outsourcing providers to ensure they have the capacity, capability, and authorisation to reliably and professionally perform the outsourced functions.
4. Conduct of Business Requirements
FCA guidelines require payment institutions to communicate with customers honestly and transparently. Additional FCA instruments govern how payment institutions must:
- Carry out distance marketing and sales
- Perform electronic commerce activity, and
- Treat customers after they enter a sales contract
In addition, the payment institution must enable customers to cancel a contract for a retail banking service free of charge and without giving any reason within a prescribed cooling-off period.
5. Information Requirements for Payment Services
Payment institutions are obligated to provide customers with detailed information throughout the payment process, tailored to the transaction type and communication method. The FCA publishes a consumer rights document that payment institutions must make freely available to customers in easily accessible formats, including online and in print at branches and through agents.
6. Authorisation and Execution of Payment Transactions
To achieve compliance with these standards and rules that govern the authorsiation, execution and liability associated with payment transactions, the payment institution must:
- Obtain explicit consent from the payer before executing a transaction
- Debit payment accounts only in accordance with a payment order, and
- Complete transactions within prescribed time frames
The payment institution must also accept liability for non-executed, unauthorised, or incorrectly executed payment transactions.
7. Access and Supervision
The UK payments industry is supported by a network of access arrangements between PSPs and indirect access providers (IAPs) who provide PSPs with access to interbank payment systems.
The industry has developed an IAP Code of Practice in collaboration with the PSR. The code governs access arrangements made between IAPs and PSPs. Compliance with the code is compulsory for subscribing IAPs. However, subscription to the code is voluntary.
Payment systems designated by the Bank of England are subject to the access rule. The access rule requires the operator to:
- Maintain appropriate access requirements
- Disclose access requirements publicly
- Notify the PSR of changes to access requirements, and
- Lodge annual access rule compliance reports with the PSR
8. Fees
There are caps on the interchange fees payable for card-based payment transactions. An interchange fee is a small payment made by an acquirer to an issuer after each debit and credit transaction. There are also a range of business rules applicable to payment institutions that provide card-based payment services (see Definitions). These rules address:
- Territorial licensing
- Separation of payment and processing functions
- Co-badging of multiple payment brands
- Unblending of fee structures
- The Honour All Cards rule
- Steering prohibitions, and
- The provision of information to payees
In addition, consumer protection legislation in the UK prohibits payees from applying surcharges to cover the costs of completing a transaction using a credit or debit card.
9. Consumer Protection
The FCA and PSR have issued numerous directions and guidelines designed to protect consumers of payment systems. As a PSP, the payment institution must:
- Establish and maintain a Confirmation of Payee (CoP) system
- Report authorised push payment (APP) scams
- Provide a switching service, and
- Treat vulnerable customers fairly
In addition, the payment institution must act in accordance with the Consumer Duty. The Consumer Duty consists of:
- The Consumer Principle, which is an overall standard of behaviour
- The cross-cutting rules, which are three requirements designed to ensure the Consumer Principle will be applied, and
- The four outcomes, which are a set of rules and guidelines that reflect four key areas of a financial firm’s relationship with its retail customers
10. Competition
Competition legislation in the UK creates two key prohibitions. The goal of these prohibitions is to prevent any dominant company or group from damaging the economy through market distortion or cartel behaviour.
As a company operating in the UK, the payment institution must not:
- enter into an anti-competitive agreement, or
- abuse a dominant market position
11. Standards and Interoperability
As a PSP, the payment institution must protect customers from fraud using strong customer authentication (SCA) in accordance with the SCA technical standard (SCA-RTS) issued by the FCA.
Unless an exemption applies, the payment institution must apply SCA each time a customer:
- initiates an electronic payment
- carries out any other action by a remote channel that carries a risk of payment fraud, or
- accesses a payment account online, either directly or through an account information service provider
The SCA-RTS also contains design, performance, and security standards related to open banking. The payment institution must maintain at least one SCA-RTS-compliant interface allowing secure communication with third-party providers.
12. Cross-Border Payments
As a PSP, the payment institution must disclose a range of currency conversion information to the payer before processing a card-based transaction or credit transfer involving a conversion between sterling and euros.
This information includes:
- The amount of any currency conversion charge, and
- The amounts to be debited and received in each currency
Additional disclosure requirements apply to card-transactions involving a currency conversion performed at an ATM.
13. Duties and Powers of the Regulators
The payment institution must act in accordance with rules, standards, and directions issued by the PRA, FCA, and PSR.
The payment institution should maintain a comprehensive awareness of the functions of each regulator and its enforcement processes.