This was the view of the Payment Systems Regulator (PSR) back in 2015 when the PSR was still relatively new. Six years later and it’s fair to say that payments systems are even more critical today. It’s a message echoed by the Bank of England (BoE) and evidenced by the proposals to extend the Senior Managers & Certification Regime to include such firms.
Covid-19 has caused firms to rethink how they conduct business as well as where. They have had to react quickly to meet consumer demand as we’ve all become more reliant upon contactless payments. Necessity has driven a further increase in online shopping as well as a move away from cash.
What are Payment Systems and Payment Services?
Payment Systems relate to the organisations which enable payments to be transferred and settled across financial services. It includes clearing and settlement exchanges, Bacs or LINK as well as card payment services such as Visa. It also includes payment services providers.
These payment systems provide different payment services which fall under the Payment Services Directive 2 (PSD 2). Activities include all types of electronic and non-cash payments, such as
mobile and online payments
The PSD 2 was implemented with the intention to make it easier and safer to use internet payment services, but also to promote innovation in the use of mobile and internet payment services.
BoE’s 2020 annual report outlining how it supervises financial market infrastructures (FMIs), reinforces the crucial role that the payment services play in the wider financial services sector.
FMIs include Central Counterparties (“CCPs”), Central Securities Depositories (“CSDs”) and payment systems recognised under the Banking Act 2009 (“recognised payment systems”) as well as specified service providers to these recognised payment systems.
BoE’s view is that the current regulatory framework may not be sufficient to oversee all links in the supply chain.
In terms of financial stability, the current framework focuses on authorisation and clearing steps. Consequently, certain aspects of initial transfer of funds or access may not have the same regulatory oversight.
Due to the pace of innovation in digital payments, there is a risk that new entrants could become critical to the chain without appropriate supervision. Failures in these payment services providers could impact the Important Business Services provided by regulated entities and cause harm.
Given this risk, it’s not surprising to see BoE collaborating with the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) to emphasise the importance of operational resilience to support the future stability of financial markets.
Building resilient payment services:
The regulators issued their final policies and rules relating to operational resilience earlier in 2021. Project teams are beavering away to ensure they meet the March 2022 milestone. There's plenty to do in the next 8 months.
A recurring message from all the regulatory bodies is that firms need to take an holistic review. Consideration must be given to any third party chains to understand any impact upon the payment services chain. Firms should focus on:
avoiding disruption to the payment, settlement and clearing services;
avoiding behaviours that have an adverse impact on the safety and soundness of the FS sector; and
identifying and mitigating risks in the end-to-end process of making payments, clearing and settling securities transactions, and clearing derivatives trades.
Firms should note that the FCA’s business plan identifies payments sector as a priority for the next 3 years. It wants to see a safer and more accessible sector. The concern being the payment services sector's ability to weather the pandemic. FCA's supervision will focus on payment services' financial resilience and ability to identify risks.
Given the regulatory stance, aside from the risks of fraud and data security, firms must consider the wider environment in which they operate. Payment services can be complex and involve a number of third parties in the service chain including subcontractors. Failure of a link in the chain could cause intolerable harm to consumers as well as the wider financial services sector. Whilst third parties supply a service, regulated firms remain responsible for any failures.
Firms need to:
Identify third party dependencies and jurisdictions, including sub-contractors
Review the relationship with the providers and consider improvements
Evaluate the contract to meet regulatory expectations
Collaborate with third parties to identify vulnerabilities in the service chain
Assess third party impacts upon Important Business Services
Devise an action plan to address any weaknesses and consider past events
Set a tolerance for the disruption for each Important Business Service
Monitor the ability to remain within the tolerance
Ensure there is a clear escalation process for any issues
Maintain an issues log and report accurate and timely data to management
Ensuring an open and collaborative dialogue with service providers is key to building a resilient framework. Once the foundation is set, firms need to consider how they collate and analyse data on a continuing basis from various sources. Speedy collation of relevant data will be required to enable board oversight as well as timely regulatory notifications.
How Ruleguard can help you:
Ruleguard can help firms to collate management information and provide reassurance to the Board. Get in touch with the Ruleguard team to learn more.
Tel: 020 3965 2166 or firstname.lastname@example.org
Ruleguard hosts regular webinars on a variety of topics, including Operational Resilience. To be added to our mailing list click here.
Visit our website to find out more about how Ruleguard can help:
Contact the author
Head of Client Regulation| Ruleguard