FCA publishes ‘Dear CEO’ letter to payment firms – key considerations for firms

20.02.25

On 3 February 2025, the UK’s Financial Conduct Authority (FCA) issued a new ‘Dear CEO’ letter to firms in its payments portfolio which focused on key regulatory priorities and expectations in the space.

In this article we highlight the key priorities and risks in the letter, and consider actions that firms need to take to meet ongoing regulatory requirements.

Which firms are in scope?

The letter is relevant to firms within the FCA’s payments portfolio. This includes firms authorised or registered by the FCA under the UK’s Payment Services Regulations 2017 and the Electronic Money Regulations 2011, for example authorised payment institutions (PIs), electronic money institutions (EMIs) and registered account information service providers. It’s also relevant to small PIs and EMIs registered with the FCA.

What are the key points highlighted?

The FCA focuses on priorities and risks linked to three key outcomes:

  1. Effective competition and innovation to meet customer needs, characteristics and objectives.
  2. Non-compromise of financial system integrity.
  3. Keeping customers’ money safe.

Considering some of those focus areas within the letter:

  1. Consumer Duty implementation: firms should do this effectively, adequately considering Consumer Duty requirements as appropriate to their business and services. The FCA’s recent payments multi-firm review gives further detail on expectations and examples of 'good and bad' practice. The FCA will continue to monitor this area.
  2. Innovation: a key reminder, not least given the FCA’s secondary objective to support international competitiveness and UK growth. The letter reiterates commitment to support innovative firms, benefiting UK consumers and wider markets, via its Innovation Hub.
  3. Financial crime and authorised push payment fraud: reducing financial crime is a feature of the FCA’s 2024/25 business plan. The letter refers to encouraging signs that firms have been enhancing financial crime controls; however, weaknesses remain in governance and oversight and in the adequacy of systems and controls, which increases the risk of poorly prepared firms being targeted by bad actors. The FCA also reminds firms of their obligations to implement the Payment Systems Regulator’s reimbursement requirements for authorised push payment fraud, which are also tied to delivery of Consumer Duty requirements and achieving good consumer outcomes.
  4. Operational resilience: disruption and unavailability of important business services, whether due to internal or external factors, have the potential to harm consumers and to threaten firm viability and the overall stability of the financial system. The three-year transitional period for the FCA’s final rules and guidance on strengthening operational resilience ends on 31 March 2025. Firms are reminded of the requirement to map and test the impact tolerances set for important business services and to ensure they can operate consistently within them.
  5. Safeguarding: firms are required to safeguard customer funds in accordance with the Payment Services Regulations 2017/Electronic Money Regulations 2011 and guidance within the FCA Approach Document. The FCA is consulting on new safeguarding rules, proposed to be introduced in two stages – interim and end state rules. Final interim rules are expected in mid-2025. Firms should be mindful of this and allocate time and resource to meet updated safeguarding requirements once available. The FCA notes firms should already be:
    1. Appropriately identifying relevant funds for purposes of safeguarding.
    2. Ensuring books and records are up-to-date and accessible, with (at least) daily reconciliations.
    3. Mindful of changes to safeguarding insurance, if this method is relied upon.

What actions do firms need to take?

It’s clear the FCA expects firms to prepare for the future and effectively manage regulatory change. Proper governance, oversight and leadership are a critical part of this, to ensure effective service delivery and that a firm meets ongoing regulatory requirements.

The FCA notes that weaknesses in these areas can often be root causes of the regulatory issues it subsequently sees in the firms it supervises. With that in mind, firms should consider:

  • Reviewing governance arrangements and appropriateness of systems and controls – do these remain effective and proportionate given the scale of your firm and type of services? Do they properly account for the risks identified, or do new and emerging risks require you to change them? Can your approach and decision making be independently challenged in an appropriate way?
  • Oversight of functions – consider how your firm delivers its services. Are outsourced functions working as intended, and are they carried out to the standards set or expected of a regulated firm? Equally, if operating with agents and distributors, how are you monitoring arrangements? Do you have sufficient oversight and processes to remedy issues? Is the correct information flowing, and is reporting in place to properly monitor this against customer outcomes?
  • UK substance and presence – UK authorised firms must maintain a UK head office, and the directors and senior management responsible for day-to-day decision making and direction should be based in the jurisdiction. This is an important reminder, particularly with many firms operating via hybrid or remote working arrangements.
  • Customer terms – take time to review relevant terms and conditions and related processes in place for customers. The Payment Services Regulations 2017 and Electronic Money Regulations 2011 set out specific requirements for UK framework agreements, whilst the letter also flags legislative changes which may need to be considered – such as rights to delay payments and authorised push payment fraud requirements.

What can we take away from this? 

The letter is a helpful reminder of important regulatory items that have been high on the FCA agenda for some time now. Firms, whether well-established or having recently passed through the FCA gateway, will no doubt be aware of these! 

It’s therefore wise for firms to take steps to review matters identified, in context of their business models and the products and services provided, to mitigate risks of falling short of FCA expectations.

For further information, please contact Oliver Woodhouse, who leads Ashfords’ financial regulatory practice. The Ashfords team supports a variety of firms subject to the Payment Services Regulations 2017 and Electronic Money Regulations 2011.
