In recent years the payment industry has changed beyond recognition. Technological developments such as internet and mobile payments offer consumers real alternatives to the traditional payment landscape. However, such services have found it extremely difficult to break the monopoly that the banks have traditionally held over the industry. This was a point acknowledged by the European Union when it introduced the revised Payment Service Directive (‘PSD2’), part of the purpose of which was to increase innovation and improve market access for payment service providers.
PSD2, implemented in January 2018, acknowledged the increased security risk relating to electronic payments due to the ‘growing technical complexity of electronic payments.’ The Directive, therefore, set out rules concerning:
- Strict security requirements for electronic payments;
- Transparency of conditions and information requirements for payment services;
- The rights and obligations of users and providers of payment services.
The Financial Conduct Authority (FCA) requires that all applicants seeking authorisation as a payment service provider provide a robust suite of IT security policies and procedures alongside a detailed risk assessment. Recent EBA guidance has established that security measures must be audited by an operationally independent individual with ‘expertise in IT Security and Payments’ and that the frequency and focus of such audits should be applicable to the firm’s risks.
The Payment Services team are highly knowledgeable in the regulatory requirements imposed on firms operating in this industry. The team will use its experience to provide a tailored solution to your firm. Types of payment services firms we work with include:
Some of the ways in which the team can help your firm include but are not limited to:
FCA applications: To submit an application to become a Payment Services Provider, an applicant must have the requisite documentation in place. This will include documents such as a regulatory business plan, a suite of compliance policies and procedures and an IT security risk assessment. Thistle can assist you with template documents and work with you to tailor these to your firm’s specific requirements. Thistle can also do a gap analysis on the policies and procedures currently in place and help you action any outstanding points.
Small Payments Institutions Registration: We can help you become a Small Payments Institution and ensure you are up to date with your regulatory requirements.
REP018: We can provide support and guidance for firms needing to complete their REP018 report.
Auditing: The team is also experienced in conducting audits on firms operating within the payment industry. These audits can be based on general compliance matters or can be tailored to address any specific areas required, such as IT systems, complaints policies and procedures, and training programmes. In line with the European Banking Authority’s guidance, Thistle can conduct a joint audit with an operationally independent individual with expertise in IT Security and Payments to meet the regulatory testing framework requirements.
Financial Crime Policy and Procedures: The Payment Services team works closely with the Financial Crime team and is well versed in assisting payment firms in updating their policies and procedures in line with a risk-based approach, as required by the Money Laundering Regulations 2017.
Regulatory Returns: We can help you should you need any assistance with submitting regulatory returns on GABRIEL.