Author: Priscilla Gaudoin - Head of Risk & Compliance
Topics: Payment Services, operational resilience frameworks
Regions and Regulators: UK, FCA, Payments Systems Regulator (PSR)

This was the view of the Payment Systems Regulator (PSR) back in 2015 when the PSR was still relatively new. Six years later and it’s fair to say that payments systems are even more critical today. It’s a message echoed by the Bank of England (BoE) and evidenced by the proposals to extend the Senior Managers & Certification Regime to include such firms.
Covid-19 has caused firms to rethink how they conduct business as well as where. They have had to react quickly to meet consumer demand as we’ve all become more reliant upon contactless payments. Necessity has driven a further increase in online shopping as well as a move away from cash.
What are Payment Systems and Payment Services?
Payment Systems relate to the organisations which enable payments to be transferred and settled across financial services. They include clearing and settlement exchanges, Bacs or LINK as well as card payment services such as Visa. They also include payment services providers.
These payment systems provide different payment services which fall under the Payment Services Directive 2 (PSD 2). Activities include all types of electronic and non-cash payments, such as:
- credit transfers
- direct debits
- card payments
- mobile and online payments
PSD 2 was implemented with the intention of making it easier and safer to use internet payment services, but also to promote innovation in the use of mobile and internet payment services.
Regulatory concern:
BoE’s 2020 annual report, outlining how it supervises financial market infrastructures (FMIs), reinforces the crucial role that payment services play in the wider financial services sector.
BoE’s view is that the current regulatory framework may not be sufficient to oversee all links in the supply chain.
In terms of financial stability, the current framework focuses on authorisation and clearing steps. Consequently, certain aspects of initial transfer of funds or access may not have the same regulatory oversight.
Given this risk, it’s not surprising to see BoE collaborating with the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) to emphasise the importance of operational resilience to support the future stability of financial markets.
The regulators issued their final policies and rules relating to operational resilience earlier in 2021. Project teams are beavering away to ensure they meet the March 2022 milestone. There's plenty to do in the next 8 months.
- avoiding disruption to the payment, settlement and clearing services;
- avoiding behaviours that have an adverse impact on the safety and soundness of the FS sector; and
- identifying and mitigating risks in the end-to-end process of making payments, clearing and settling securities transactions, and clearing derivatives trades.
Firms should note that the FCA’s business plan identifies the payments sector as a priority for the next 3 years. It wants to see a safer and more accessible sector. The concern is the payment services sector's ability to weather the pandemic. FCA's supervision will focus on payment services' financial resilience and ability to identify risks.
Action points:
Given the regulatory stance, aside from the risks of fraud and data security, firms must consider the wider environment in which they operate. Payment services can be complex and involve a number of third parties in the service chain including subcontractors. Failure of a link in the chain could cause intolerable harm to consumers as well as the wider financial services sector. Whilst third parties supply a service, regulated firms remain responsible for any failures.
Firms need to:
- Identify third party dependencies and jurisdictions, including sub-contractors
- Review the relationship with the providers and consider improvements
- Evaluate the contract to meet regulatory expectations
- Collaborate with third parties to identify vulnerabilities in the service chain
- Assess third party impacts upon Important Business Services
- Devise an action plan to address any weaknesses and consider past events
- Set a tolerance for the disruption for each Important Business Service
- Monitor the ability to remain within the tolerance
- Ensure there is a clear escalation process for any issues
- Maintain an issues log and report accurate and timely data to management
Ensuring an open and collaborative dialogue with service providers is key to building a resilient framework. Once the foundation is set, firms need to consider how they collate and analyse data on a continuing basis from various sources. Speedy collation of relevant data will be required to enable board oversight as well as timely regulatory notifications.
If you’d like to learn more about Ruleguard's Compliance Monitoring or Client Assets Compliance or Operational Resilience Solutions, please contact us for further information on: Tel: 0800 408 3845 or hello@ruleguard.com.
Webinars and Blogs:
Ruleguard hosts regular events on various regulatory topics, which you can read/watch on-demand at your convenience. Here are some pertinent pieces that you may wish to view:
- Avoid the Pitfalls: Proactive Compliance Monitoring
- Operational Resilience: Protect Investors & Enhance Compliance
- Take the sting out of your CASS audit with PIMFA
- Demonstrate CASS Oversight
- Rathbones Asset Management Success Story - Client Asset Compliance, Risk Mapping and Transfer Agent Oversight
- Tips for Effective Compliance Monitoring

How Ruleguard can help
With automated logging, one-click reporting, and secure data-sharing, Ruleguard makes preparing for audit a smooth, seamless, and — dare we say it? — even pleasant process.
