top of page

How to Maintain FCA Compliance for Payment Institutions (2026)

  • 6 days ago
  • 6 min read
How to Maintain FCA Compliance for Payment Institutions (2026)

How to Maintain FCA Compliance for Payment Institutions (2026)

Maintaining FCA compliance as a UK payment institution is an ongoing programme, not a one-off exercise completed at authorisation. The recurring obligations that firms must meet are: safeguarding customer funds, strengthened from 7 May 2026 under Policy Statement PS25/12; maintaining adequate own funds; submitting regulatory returns accurately and on time; operating a genuine financial crime framework; meeting the Consumer Duty; evidencing operational resilience; and notifying the FCA of material changes and incidents. Firms that come to grief in supervision almost always do so on one of these, most often safeguarding or regulatory reporting, so a disciplined, continuous compliance programme is what keeps a firm in good standing.


This guide sets out what maintaining compliance actually requires, month to month and year to year, and where firms most commonly fall short. It is written for payment institutions, their compliance teams and their boards.


The ongoing obligations at a glance

Compliance is a set of recurring activities with different cadences, and the discipline lies in operating all of them consistently rather than addressing them reactively.

Obligation

Cadence

Safeguarding reconciliation

Frequent, cycle-based under PS25/12 from 7 May 2026

Safeguarding return to the FCA

Monthly

Safeguarding audit

Annual, external, unless the firm is below the £100,000 threshold

Regulatory reporting

Periodic, according to the firm's permissions

Own funds monitoring

Continuous

Consumer Duty board report

Annual

Fitness and propriety of key individuals

Ongoing, assessed at least annually

Financial crime and anti-money-laundering review

Continuous, with an annual review

Operational resilience self-assessment

Annual

Material change and incident notifications

As events occur


Maintaining safeguarding compliance

Safeguarding is where most payment firms come unstuck, and it is the FCA's central prudential concern. Under the Supplementary Regime introduced by PS25/12 and effective from 7 May 2026, firms must operate enhanced reconciliation of safeguarded funds, submit a monthly safeguarding return to the FCA, undergo an annual safeguarding audit unless they are below the £100,000 exemption threshold, and maintain a resolution pack demonstrating an orderly wind-down. In practice this means keeping a clear safeguarding methodology, an accurate and current record of safeguarding accounts and the associated acknowledgement letters, and reliable evidence of reconciliation, with the board taking on its new responsibility for signing off reconciliation processes. Any shortfall must be corrected promptly and, where material, notified to the FCA.


Keeping regulatory reporting on track

Regulatory returns must be submitted accurately and by their deadlines, because late or inaccurate returns are a common trigger for FCA attention. Firms should maintain a reporting calendar mapped to their specific permissions, reconcile the figures in each return to their underlying systems before submission, and keep an audit trail of what was reported and when. Beyond scheduled returns, firms must notify the FCA promptly of material changes, incidents and breaches, which is a standing obligation rather than a periodic one. A firm that treats reporting as an afterthought, rather than an integral part of its operations, is at heightened risk of both error and supervisory concern.


Financial crime, governance and the Consumer Duty

A payment institution must operate a genuine, risk-based financial crime framework on a continuing basis: a current business-wide risk assessment, effective customer due diligence and ongoing monitoring, suspicious activity reporting, and a properly resourced nominated officer. It must maintain sound governance, with fitness and propriety of key individuals assessed at least annually and responsibilities clearly allocated. Where it serves retail customers, it must meet the Consumer Duty by monitoring the outcomes its customers receive across the four outcomes and producing the annual Consumer Duty board report. Each of these is an ongoing obligation: a risk assessment that is never updated, or a Consumer Duty framework that exists only on paper, is precisely the kind of weakness that supervision is designed to detect.


The most common compliance failures

Certain failures recur across the sector, and knowing them helps a firm avoid them. The most common are safeguarding breaches, such as poor reconciliation, funds held in the wrong accounts, or missing acknowledgement letters; late or inaccurate regulatory returns; weak financial crime frameworks, including stale risk assessments and under-resourced compliance functions; missed notifications of material change; and a Consumer Duty that exists on paper but is not supported by genuine outcomes monitoring or a credible board report. Each of these is avoidable with a disciplined, continuous compliance programme, and each is a frequent cause of supervisory intervention when it is not addressed.


How Buckingham Capital Consulting can help

Buckingham Capital Consulting provides ongoing compliance support to UK payment institutions and e-money institutions. We help firms operate their safeguarding arrangements under PS25/12, including reconciliation, the monthly return, the annual audit and the resolution pack; keep their regulatory reporting accurate and on time; maintain a genuine, risk-based financial crime framework; meet the Consumer Duty and prepare the annual board report; and evidence operational resilience. We also help firms respond when supervision identifies areas that need to improve, and we support boards in discharging their governance and sign-off responsibilities.


If you need ongoing compliance support, or a review of your firm's compliance arrangements against the FCA's expectations, contact our team for an initial assessment.




Frequently asked questions

What is the biggest FCA compliance risk for payment institutions?

Safeguarding is the biggest and most consistent compliance risk for payment institutions. It is the FCA's central prudential concern because it determines whether customers are made whole when a firm fails, and safeguarding failures are the most common cause of consumer harm and of FCA supervisory intervention in the sector. The FCA found that failed payment and e-money firms left, on average, a substantial shortfall in the funds owed to customers, which is precisely why it has strengthened the regime under PS25/12 from 7 May 2026. Firms must therefore treat safeguarding, including reconciliation, the monthly return, the annual audit and the resolution pack, as a core operational discipline rather than a compliance formality, with the board actively engaged in oversight.


How often must a payment institution report to the FCA?

A payment institution must submit regulatory returns periodically, with the frequency depending on its permissions, and from 7 May 2026 must additionally submit a monthly safeguarding return under PS25/12. On top of scheduled returns, the firm has a standing obligation to notify the FCA promptly of material changes, incidents and breaches as they occur, which is event-driven rather than periodic. To stay on top of these obligations, firms should maintain a reporting calendar mapped to their specific permissions, reconcile each return to their underlying systems before submitting, and keep an audit trail. Late or inaccurate returns are a common trigger for FCA attention, so reliable, timely reporting is an essential part of maintaining compliance.


Do payment institutions need an annual audit?

From 7 May 2026, most payment institutions that hold customer funds require an annual safeguarding audit under the Supplementary Regime introduced by PS25/12. A qualified auditor provides the FCA with a reasonable-assurance report on the adequacy of the firm's safeguarding arrangements and its compliance with the rules. Firms that have not been required to safeguard more than £100,000 of relevant funds at any point over a period of at least 53 weeks are exempt from the audit requirement, although senior management must keep the firm's eligibility for that exemption under continuing review. This safeguarding audit is separate from any statutory audit of the firm's accounts, though a firm may use the same auditor for both if it chooses. It is a significant new assurance obligation for the sector.


Can a payment institution outsource its compliance function?

A payment institution can, and often does, obtain external support for its compliance function, and outsourcing certain compliance activities is common and legitimate. However, the regulatory accountability for compliance cannot be outsourced: it remains with the firm and its senior management. The firm must also manage any outsourcing arrangement properly, with appropriate due diligence, oversight and contractual arrangements, in line with the FCA's expectations on outsourcing and operational resilience. In practice, external compliance support is most effective when it complements a firm that retains genuine internal ownership and oversight of compliance, rather than one that treats outsourcing as a way to disengage from its obligations. The firm remains responsible for the outcomes, regardless of who performs the underlying work.


What happens if a payment institution breaches FCA rules?

The consequences of a breach depend on its nature and seriousness. Minor issues identified and corrected promptly, and notified where required, are part of normal supervision. More serious or persistent failures, particularly around safeguarding, financial crime or reporting, can lead to closer supervisory engagement, requirements or restrictions on the firm's permissions, remediation programmes, and in serious cases enforcement action including financial penalties. Under the individual accountability expectations that apply to senior managers, individuals can also face consequences where they failed to take reasonable steps to prevent a breach. The most effective protection is a disciplined, continuous compliance programme that identifies and corrects issues early, together with prompt and candid notification to the FCA where the rules require it.

 
 
bottom of page