Technology has transformed the payment services industry in recent years. Online and mobile payments now offer consumers real alternatives. But newer payment services providers (PSPs) have often found the banks’ traditional monopoly tough to break.

The EU recognised this in January 2018 when it introduced its revised Payment Service Directive (PSD2), part of whose purpose was promoting innovation and improving market access for PSPs.

Acknowledging the heightened security risk in the payment services arena created by the ‘growing technical complexity of electronic payments’, PSD2 brought in stricter new requirements around:

• Security of electronic payments
• Transparency of conditions and information from PSPs
• The rights and obligations of users and providers of payment services.

The FCA now requires all applicants seeking authorisation as PSPs to provide evidence of robust IT security policies and procedures – and a detailed risk assessment.

The European Banking Authority (EBA) recently stipulated that PSPs’ security measures should be audited by an operationally independent individual with expertise in both IT security and payments. The EBA guidance also specified that the frequency and focus of such audits should be appropriate to the risks a firm faces.

Thistle’s Payment Services team has in-depth knowledge of the regulatory compliance requirements facing PSPs. We apply our experience and expertise to create a service tailor-made to your precise needs.

Among the firms we work with are:

• Payment initiation services providers (PISPs)
• Account information service providers (AISPs)
• E-Money institutions
• FX exchange companies
• Merchant acquirers
• Bill payment service providers
• Electronic communication exclusion businesses

Among the many ways we can help PSPs are:

FCA applications

Applying for authorisation as a payment service provider (PSP) requires submitting a wide array of documentation. This includes a regulatory business plan, a suite of compliance policies and procedures, and an IT security risk assessment. We can provide template documents and work with you to tailor these to your specific circumstances. We can also carry out a gap analysis on your current policies and procedures – and help you address any action points identified.

Small payments institutions registration

We can help with your registration as a small payment institution (SPI or small PI) and ensure you’re up to date with your regulatory requirements.

REP018 submissions

We can provide payment service providers with effective support and guidance on completing and submitting REP018 operational risk reports.

Auditing

We have extensive experience of auditing firms in the payment services space – whether on compliance issues generally, or specifically in areas such as IT systems, complaints policies and procedures, or training programmes. In line with EBA guidance, we can meet regulatory testing framework requirements by auditing jointly with an operationally independent individual with expertise in IT security and payment services.

Financial crime policy and procedures

Working closely with Thistle’s Financial Crime team, can help PSPs update their policies and procedures in line with a risk-based approach, as required by the Money Laundering Regulations 2017.

Regulatory returns

If you’d like help submitting regulatory returns via Gabriel (the FCA’s online system for collecting and storing regulatory data from firms), we can also help with this.

We’re always happy to hear from businesses operating in this space. So if there’s anything at all you’d like some help, advice or support with, please don’t hesitate to get in touch.

Contact us on 0207 436 0630 or email info@thistleinitiatives.co.uk.