Skip to main content Skip to navigation

The State of Financial Crime 2024: Download our latest research

Top 8 Requirements for FCA Approved PSP Compliance

Regulators & Key Institutions

All financial institutions that operate in the UK must be authorized by the Financial Conduct Authority (FCA). During the authorization process, financial service providers must ensure they are seeking the correct permissions for their business model – since those permissions will affect the way the FCA provides ongoing regulatory supervision. Firms that apply to the FCA with incorrect permissions risk delaying or even failing to achieve authorization. 

For prospective payment service providers (PSP), selecting the correct permissions on their application is a crucial step. The FCA has increased its focus on authorization: regardless of whether a PSP submits a Small Payment Institution (SPI) or an Authorized Payment Institution (API) application, the FCA will apply a high level of scrutiny to ensure their application meets the relevant standards. In cases where the FCA believes that an applicant has chosen incorrect permissions or has omitted a permission that the FCA thinks is required for the applicant’s proposed activities, the regulator may request a rationale as to why the applicant believes the permissions applied for are appropriate. 

Given the importance of PSP compliance with FCA rules and regulations, it pays to know what the regulator expects during the approval process – and how to deliver it. Accordingly, in this installment of our FCA approval series, we’re taking a closer look at the FCA’s range of operational permissions in order to help your firm streamline the approval process. 

Understanding which permissions your PSP needs

Under the Payment Services Regulations (PSR) 2017, there are eight possible permissions for which prospective payment services firms can apply. The permissions required for each firm will depend on the specific nature of its business model and its criminal risk exposure. When thinking about their FCA applications and ongoing UK AML compliance requirements, PSPs should examine the ways in which they serve their customers and how their customers interact with their products to determine which PSR permissions they will need to obtain. 

With that in mind, consider the following key service requirements: 

Customers that need to deposit cash in a payment account

When a firm creates payment accounts for its customers and allows customers to receive funds into such accounts, the PSP must obtain permission from the FCA for ‘Services enabling cash to be placed on a payment account and all of the operations required for operating a payment account’. The permission relates to processes in which a firm creates payment accounts for its customers and allows customers to receive funds into such an account. 

Most PSPs conducting payment acquiring activity would require this permission as per the FCA’s guidance in its approach document to payment services and e-money. The FCA deems the accounts in which payment acquirers receive transactions on behalf of merchants as payment accounts. 

FCA permission required: Services enabling cash to be placed on a payment account and all of the operations required for operating a payment account

Customers that need to withdraw cash from their accounts

Just as customers may need to deposit cash into payments accounts, they may also need to withdraw it. In this context, the PSP requires an FCA permission for customers to make withdrawals from their account. An example might include firms that allow customers to withdraw from their account at an ATM or over a counter. 

FCA permission required: Services enabling cash withdrawals from a payment account and all operations required to operate a payment account.

Customers that need to make transactions from their accounts and receive payment transfers

There are two circumstances where this kind of permission would be required. Firstly, it would be applicable in cases where a PSP enables its customers to make transactions from their payment accounts via direct debits, payments cards (or similar devices), or credit transfers (i.e., bank transfers). For example, if a PSP issued payment accounts to its customers and offered functionality for customers to set up direct debits from their accounts, the PSP would be conducting the execution of payment transactions and would require this permission. 

Secondly, the permission would be necessary in scenarios where a PSP permits its customer to receive payments via direct debit, card payments, or credit transfers. Typically, this scenario would apply to firms that acquire payments – such as card payments through point-of-sale devices – on behalf of customers, therefore allowing the customer to receive payments. 

FCA permission required: The execution of payment transactions, including transfers of funds on a payment account with the user’s payment service provider or with another payment service provider.

Customers that need to make or receive payments covered by credit

This permission also applies to firms that need to allow customers to complete or receive payment transactions. However, for this permission to apply, the transactions must be covered by a line of credit. For example, a firm permitting its customer to make bank transfers from their payment account using overdraft facilities would require this permission to undertake this activity. Likewise, PSPs that issue credit cards or deferred debit cards would execute payment transactions in line with this permission.

FCA permission required: The execution of payment transactions where the funds are covered by a credit line for a payment service user 

Firms that need to issue customers with payment instruments, such as devices or personalized procedures, in order to facilitate transactions

A firm would be issuing payment instruments if it was issuing personalized devices or a personalized set of procedures through which its customers could make payment transactions. At a basic level, issuing payment instruments would entail issuing debit or credit cards to customers, which is classified as a “personalized device” within the FCA’s guidance. Additionally, the requirement to obtain this permission applies to PSPs that offer physical instruments, such as payment cards, and PSPs that allow customers to request payments over the telephone through an online or mobile application. 

This permission would also be necessary for firms that contract with either businesses or sole traders to collect payments on their behalf. Traditional merchant acquiring activity, where PSPs contract with merchant businesses to receive payments for goods/services via card scheme transactions, would fall within the scope of this permission. However, this permission also applies to firms that accept payments through payment instruments other than payment cards, such as through direct debits or scanning unique QR codes on mobile devices.

FCA permission required: Issuing payment instruments or acquiring payment transactions

Customers that need to remit funds to a beneficiary or a beneficiary’s PSP

Money remittance entails transferring a customer’s funds, regardless of whether an exchange of currency has taken place, to a beneficiary or a beneficiary’s PSP. One of the central tenets of providing money remittance is that transmission of funds takes place without creating a payment account for either the payer (i.e., the individual or business sending the money) or the payee (i.e., the individual or company receiving the money). 

This permission is commonly required for money transfer companies operating a cash acceptance model or online platform and hawala (informal money transfer) brokers. 

FCA permission required: Money remittance

Customers that need to facilitate Open Banking Payments from customer accounts directly to another PSP

Firms may need to allow users to make Open Banking payments from their payment account at another PSP. When providing a payment initiation service under such an arrangement, a firm would not hold the user’s money in its account as would be the case in a remittance or payment acquiring model. Instead, a firm would simply be initiating a payment order to the user’s other PSP to make a transaction to a destination bank account. To conduct such a service, firms would either integrate the Open Banking APIs directly into their infrastructure or use a technical services provider (TSP). 

This permission would capture firms that provide a payment initiation service platform to account owners directly and firms that contract with merchants to allow them to accept initiated payment transactions. 

FCA permission required: Payment initiation services

Firms with online services need to provide customers with information from their payment accounts with other PSPs

A firm that offers an online financial service may be required to provide a consolidated overview of the information obtained from one or more of a customer’s payment accounts with other PSPs. This includes information on the customer’s account balances, recent incoming/outgoing transactions, and recurring payments. 

There are various use cases for account information services that range from firms that intend to use a customer’s account information data to offer a personalized financial management and budgeting tool, to firms that want to use the information for credit scoring and referencing purposes. 

FCA permission required:  Account information services

Activity Exclusions Under the PSRs 

Under Schedule 1 of PSR 2017, several potential activities are excluded from the scope of providing payment services. Any firm that offers or intends to offer these activities does not need to apply for FCA authorization as a PSP.

The exclusions include professional cash courier companies collecting and delivering banknotes, and coins and cash-to-cash currency exchange operations where the funds are not held in a payment account.

ComplyTry: FCA Compliance for Payment Service Providers

FCA compliance should be a significant priority for PSPs in the UK. Beyond ensuring the correct PSP permissions are sought during the FCA approval process, firms will also need to demonstrate to the regulator that they are capable of implementing effective compliance measures to meet the relevant UK AML/CFT regulations.  Those regulations include implementing a range of customer monitoring and screening measures, including transaction monitoring, sanctions screening, PEP screening, and adverse media screening. Those processes should be backed by suitable compliance software, capable of meeting the vast data collection and analysis obligations that the FCA requires. 

ComplyAdvantage’s ComplyTry platform represents a way for firms to ease their UK compliance burden with smarter, faster AML/CFT screening and monitoring, and streamlined payment experiences for customers. Free to use, ComplyTry enables PSPs to access a spectrum of compliance data resources including real-time sanctions information, PEP lists and watch lists, and adverse media. Using ComplyTry is simple and free: upload the relevant customer details, select a preferred data source, and hit search – our software will generate a customer profile as a pre-filled data card. 

Are you an early stage FinTech and need a KYC and AML solution?

Discover ComplyLaunch™, our automated compliance solutions package for early stage FinTechs.

Learn more

The Thistle Initiatives Group is an award-winning compliance consultancy that provides financial services firms with expert compliance resources and capabilities to manage projects across all regulatory areas. Payment Services Manager, Jack Williams, has extensive experience preparing successful electronic money and payment services applications for clients, including implementing their compliance framework and drafting key compliance policies and procedures. 

Originally published 02 September 2022, updated 29 January 2024

Disclaimer: This is for general information only. The information presented does not constitute legal advice. ComplyAdvantage accepts no responsibility for any information contained herein and disclaims and excludes any liability in respect of the contents or for action taken based on this information.

Copyright © 2024 IVXS UK Limited (trading as ComplyAdvantage).