On the 9 July, the Financial Conduct Authority (FCA) published its Finalised Guidance around safeguarding customers’ funds for payment and e-money firms. Particularly relevant in this were the extended prudential requirements for authorised payment institutions (APIs), authorised e-money institutions (AEMIs), and small e-money institutions (SEMIs) which go considerably beyond the guidance included in the FCA’s own Payment Services Approach (PSA) document.
Nearly five months on, how have you as a firm managed the FCA’s additional requirements?
Whilst the PSA document contains some requirements around capital and operational risks, the Finalised Guidance went much further, moving closer to guidelines seen in investment firms and asset managers.
Key points and challenges include:
1. Governance & Controls – Firms should ensure they have robust governance arrangements, and effective procedures to identify, manage and monitor risks, in accordance with their conditions of authorisation or registration. A firm’s senior management should ensure that the firm regularly reviews its systems and controls, including its governance arrangements. It should also ensure that the firm’s governance functions, procedures and controls appropriately reflect the firm’s business model, its growth and relevant risks.
Governance and control challenges for firms:
- Understanding where they should be in their risk management maturity journey
- Resourcing (capacity and capability) issues arising from growing pains and the new expectations
2. Liquidity & capital stress testing - Firms should carry out stress testing to analyse their exposure to a range of severe business disruptions, or the failure of one or more of their major counter-parties, and assess whether they would cause the firm's business to fail, and assess their potential impact, using internal and/or external data and scenario analysis.
Stress testing should be appropriate to the nature, size and complexity of the firm's business and the risks it bears. Business failure in the context of stress testing should be understood as the point at which the market loses confidence in a firm and this results in the firm no longer being able to carry out its business activities.
A firm’s senior management or governing body should document, review and approve – at least annually – the design and results of a firm's stress testing. A firm should also carry out stress testing if it is appropriate to do so in the light of substantial changes in the market or in macroeconomic conditions.
If the firm is a member of a group, it should carry out stress testing on a solo basis, taking into account risks posed by its membership of its group.
Stress testing challenges for firms:
- Technical capability in existing staff – across all three lines of defence
- Interplay with new operational resilience requirements
- Board education, engagement, and oversight
- Ensuring scenarios and tests of appropriate severity and plausibility
- Quality of documentation (e.g. assumptions) plus appropriate review and challenge by independent staff
- Realism of management actions
- Model risk management and oversight for capital and liquidity frameworks
3. Risk management arrangements - As part of their liquidity risk-management procedures, firms should consider their own liquid resources and available funding options to meet their liabilities as they fall due, and whether they need access to committed credit lines to manage their exposures.
When firms are assessing whether they have adequate liquidity to ensure that they can meet their liabilities as they fall due, it is best practice for APIs, AEMIs, and SEMIs to exclude any uncommitted intra-group liquidity facilities.
This is to reduce exposure to intra-group risk. If a firm does not apply this approach, it still needs to be able to demonstrate that it is adequately managing liquidity risk and group risk to comply with its conditions for authorisation or registration.
Risk management challenges for firms:
- Appropriately evidencing independence from group, both financial and decision making
- Identifying a full population of group risks – reputational, financial and operational
4. Capital adequacy - It is essential that firms accurately calculate their capital requirements and resources on an ongoing basis, and report these correctly as required in regulatory returns, as well as on request.
A firm’s senior management should ensure that its capital resources are reviewed regularly. Under their conditions for authorisation or registration, APIs, AEMIs and SEMIs are required to operate effective procedures to identify, manage, monitor and report any risks to which they might be exposed.
As part of their stress testing and risk-management procedures, it is best practice for firms to deduct any assets representing intra-group receivables from their own funds, to reduce exposure to intra-group risk. Intra-group receivables include amounts owed to the firm by another member of its group, which are included as assets in the firm’s balance sheet.
Capital adequacy challenges for firms:
- Identification of full populations of material risks and how these are being appropriately managed within the capital levels held by the firm
- Achieving an appropriate level of capital adequacy without formal intra-group support
Classification and calculation errors in how capital is comprised
5. Wind-down planning - The conditions for authorisation or registration require a firm to have effective procedures to manage any risks to which they might be exposed.
As part of satisfying the FCA that they have such procedures APIs, AEMIs and SEMIs are required to have a wind-down plan to manage their liquidity, operational and resolution risks.
The complexity of firms’ wind-down plans should be proportionate to the size and nature of the firm. Firms should review their wind-down plans at least annually, and when there is a change to a firm’s operations which may materially change the way in which it can wind down.
Firms which are members of a group should ensure that their wind-down plan considers how the regulated firm within the group would manage its liquidity, operational and resolution risks in a solvent and insolvent scenario, on a solo basis.
The plan should consider risks posed by the firm’s membership of its group. These firms should also have a contingency plan to maintain key operational services which are provided by another member of the group in a group stressed scenario.
Wind-down planning challenges for firms:
- Adherence to FCA guidelines and good practice expectations
- Allocating ownership and accountability
- Ongoing maintenance for dynamic elements – e.g. staff lists
- Ensuring realistic timeframes
- Tendency to rely on ‘white knight’ solutions
- Excessive group reliance which is not formally captured by service level agreements
- Failure to consider operational elements – staff retention, liquidity, third party contracts containing break clauses
The FCA has made it clear that this is not going away.
For any questions on the above or to set up a no-obligations call with our Risk Consulting Director, Ross Molyneux, please click on the link below: