LS Consultancy, is a niche consultancy that specialises in Financial Conduct Authority (FCA) authorisations, authorisation related work (audits, assessments etc) and financial services regulatory compliance solutions for firms across the many disciplines.
Find out more about us, here.
We serve the whole of the United Kingdom (UK), as well as provide a service for European Union (EU), Middle East, Africa and the Americas.
The purpose of this post is driven by the desire for us to help you avoid making costly mistakes as well as save at least £100,000 and one year of your life when applying for authorisation as a payment institution or e-money institution in any member state of the EU, or in the UK.
Don’t believe us? That’s fine, but let’s just does a high level calculation.
On average, it takes around 500 man-hours to prepare the entire regulatory application package from scratch on your own. That works out to almost 13 weeks work for a single person.
Moreover, it will take you at least 200 hours to do the necessary research, conduct HR interviews, find suitable software, and conduct all other ancillary actions required to apply. This is assuming the hourly rate is £150.
If your application fails due to your naivety in interpreting the rules and requirements, then you lose about £100,000 and that is roughly the cost of a brand-new S-Class Mercedes.
Assuming your application succeeds, it usually takes between 6 months and up to one year (in the EU minimum of 1 year) from the decision to become an authorised Payment Institute (API) if you do all the work on your own.
It is much harder to become authorised today. From 2021 the regulator’s approach has become very different. Due to the numerous high-profile scandals that have echoed in the payment and e-money services sector and the fuzzy boundaries from some crypto related operations, the regulators have toughened their stance regarding new market entrants.
“The FCA confirmed in their perimeter report in July that the declined rate fell from 1 in 14 in 2021 to 1 in 5 in 2022.”
Luckily, LS Consultancy has been conducting authorisation since 2015.
We have intrinsic knowledge of the FCA authorisation process, and we have connections throughout Europe, a relationship network that you would be hard pressed to find elsewhere. We’ve created this guide that encompasses experience from our team, clients, our professional network, and people who desperately contacted us after the refusal of their applications, which they either prepared themselves or together with incompetent or inexperienced advisors. If you don’t want to be a loser, even if you are doing your own application, I would advise you to at least read this guide and account for all of the points mentioned here.
Please remember that in the FCA handbook, Perimeter Guidance (PERG) it states in PERG 1.2.3 “PERG uses words and phrases that have specific meanings in the Handbook or in legislation; these may be different from, or more precise than, their usual dictionary meanings. “This means that you may not fully understand what you read and it is best to get professional assistance.
This post explains 13 main reasons why applications are rejected, starting from the mind and management presence in the jurisdiction where the application was made and ending with tricky questions from the regulator. These are the real reasons, explained by the regulators to the applicants.
Keep in mind that regulation and practice are similar but quite different beasts. While, on the one hand, they are in accord, some red lines must be accounted for. For instance, all national competent authorities of the EU member states are working under substantially the same umbrella – i.e., PSD2 when assessing their applications.
On that note – why do you think the UK accounts for almost 34% of all payment and electronic money institutions authorisations in the EU?
Evidence for these issues can be found in the FCA Approach Document (or FCA Payment Services Approach document) at www.fca.org.uk/publication/finalised-guidance/fca-approach-payment-services-electronic-money-2017 if you wish to validate the points below. We always work from available evidence and do not use hearsay or rumour in our work. Our reference is the payment services regulations 2017 (PSRs).
- Reason 1
Your conceptual idea and management are not in the jurisdiction where you made the application
The vast majority of your management (members of the board and C-level executives) must be legal residents of the country where you applied for the authorisation.
It means that decisions relating to your firm’s central direction must be made within the country of application. It’s not as easy as it sounds. We have been made aware of differences requirements from different EU member states, where the entire management team had to stay in the country for a whole year, while the regulator was reviewing the application. It is a long time and significant investment which had to be made, before the company even got the license and started operations. Not the best and not the most efficient approach, but it is driven by the fact that the regulators have to be mindful and use their resources economically and efficiently, as supervising a firm whose management team primarily overseas adds significant time, costs, complexity, and uncertainty.
Furthermore, it’s a common situation when entrepreneurial minds that wish to start a new venture together are located in different parts of the world. At some point, if they are taking upon essential management functions, they must relocate and demonstrate physical presence. Regulators may ask for proof of residence in the same way as banks do. Your team members may need to show utility bills, tax statements, bank account statements, and other documents to prove their residence.
Another factor to consider is the unannounced visits of the regulators, for example, the FCA can visit an authorised firm at their own discretion and any given moment, and if majority of your C-level management team is not present, it may result even in the withdrawal of authorisation. Usually it is vital for at least 1 C-level director with complete access to the entire system should be UK based.
- Reason 2
Insufficient presence in the country of authorisation
The second reason is connected to the first one, but it is a slightly different one. It is not enough to have mind and management based in the country where you want to be regulated. Additionally, you must be able to prove that the applicant has an office with substance (i.e. an active place of business with significant assets, systems and controls, records, personnel (including senior management), and its own governance arrangements.
While it is allowed to outsource certain functions, too much outsourcing and too many employees outside of the country is never welcomed by the regulators. The idea is that you should be able to manage and control your personnel where you received a license. Regulators are concerned with how efficiently they can supervise their authorised entities. Supervising an authorised entity with significant personnel based overseas increases costs, time, and uncertainty for the regulators.
For this reason, it is of the essence to have a strong team within the country of authorisation.
- Reason 3
The management team is not fit and proper
It is recommended that at least one of the C-Level executives, the CEO, for example, must have prior experience with managing a PSP in the CEO or COO capacity. Experience as a CTO or CLO is not always relevant for the position of the CEO. Companies which failed to persuade a regulator that their CEO has expertise allowing them to operate a PSP successfully, ended up with a “Minded to reject” email.
At least one of the company’s management team members must have knowledge and experience with the most recent anti-money laundering laws and payment services laws in the jurisdiction applicable. If there is no practical experience, you should be ready to present certifications or evidence of participation in courses relating to AML & CTF compliance (obviously, courses should be relating to laws and regulations of the country of application). We can provide a list of providers on request.
You shouldn’t think that a promise to have a fit and proper team in the future is enough. Regulators expect firms to be ready, willing and organised on the submission of application, including having the right people at the helm, satisfying the regulatory conditions, and providing full disclosures. It is crucial to explain a clear division of responsibilities, how they will change in the future, and how you plan to expand your team in the application document.
- Reason 4
Low quality of the regulatory application documents
The EBA in its guidelines for authorisations (which are followed by all national competent authorities of the EU) listed information which a company must present to a regulator. Too many people think that the forms are similar to applying for a driving licence or car tax; there is a whole lot more to it. Some think that just filling in the application forms, developing the business plan, and answering all questions together with submitting of an AML/CTF policy is enough; it isn’t.
You must have relevant risk management policies and procedures, dedicated to each business risk your start-up will face and have many other compliance policies, not directly related to the specific risk factor.
You don’t want to lose your chance of building a new FinTech unicorn due to a weak application. You need to:
- properly identify your risks and create a risk matrix. Then, develop related policies and procedures. I would suggest at least the following additional policies: General IT Risk Policy, IT Risk Policy for each significant software component that you use (for example one for money transfers and currency exchange services and one for acquiring services), FX Risk Policy, Liquidity Risk Policy, Merchant Underwriting Risk Policy, Financial Crime Risk Policy, Market Risk Policy, Disaster Recovery Plan, Counterparty Risk Policy and others.
- don’t just reply to questions, but present the relevant policies, procedures, and manuals to a regulator. For example, the regulator needs to know how you are going to collect statistical data, protect sensitive payments and customer’s data, handle complaints, safeguard client funds, and conduct an internal audit. Don’t just explain, but also create a manual for your company guiding the whole process of risk management.
- Create a “Customer Journey” from the first and various touchpoints through to end game for both data and money. Add in the controls and assessments and any data collection and processing points.
- Reason 5
Low quality of the governance and customer facing documents
You didn’t start all this process merely to get an authorisation, right? You must build a robust, effective, and efficient compliance and risk management framework, that is ready to take on the new business once the authorisation is granted.
Getting authorisation is just the beginning and getting your risk management right at the very beginning is as vital as developing an innovative product or service. Why not making your life easier from the start and show the regulator that you know what are you doing?
Finally, please make sure that your policies and procedures, as well as customer terms and conditions, and/or agreement, are compliant with the law. We have seen too many mistakes due to superficial understanding of the applicable law, or somebody copied and pasted the details from another business and didn’t edit them. Suddenly your API or EMI is described as a doughnut maker company based in Harrogate!
- Reason 6
Programme of operations and business plan
One of the critical documents of your regulatory application documents pack is the programme of operations and business plan, which should provide full information on how the company will operate, how it will be managed, which products and services the company will be providing, how they will be marketed, and you have to do it all in a structured manner. The EBA has developed excellent guidelines on authorisations and registrations under the PSD2. These guidelines are very detailed and provide a comprehensive framework for your programme of operations and business plan.
Most of the failures we have seen relate to the poor programme of operations and business plan and from the fact that many applicants are providing limited information associated with the particular questions that the firm has to address. For example, it is not enough to confirm that the firm will comply with the requirement to maintain safety and confidentially of the sensitive payment information, you have to provide details on how you are going to do it, which measures you will take, and which IT solutions you will use in the process.
A properly prepared programme of operations and business plan for an EMI consists of at least 110 pages, 135,000 characters, and over 20 diagrams.
- Reason 7
Assumptions and financial projections
Assumptions and financial projections are critical parts of the regulatory authorisation application package, as they quantify all the innovative and advanced services and products that you have explained in your programme of operations and business plan. This is the primary source of information for the regulators to assess if your business idea is feasible and if you are going to reach the breakeven in three years and stop reliance on recurring injections of capital. You may say that reaching a breakeven is not so important. Most regulators will have different views on when you have to become profitable.
Even well-established FinTech unicorns are constantly facing regulatory scrutiny over capital adequacy and overall viability of their business model, not even talking here about small wannabe unicorn start-ups applying for a license.
We have witnessed various mistakes and omissions in financial projections, to name a few: failure to clearly state assumptions of customers count, pricing and cost of different products and services, failure to take into account customer churn, account for non-active customers, inflated projections of the new customer signups not backed by the acquisition costs, unrealistic pricing of the service and their cost, understated staffing and payroll, and so on. Once a potential client, whose application (that they prepared themselves) was rejected, asked us to assess the regulatory documents package that he submitted, the first thing we checked was the financial projection, where they stated that they would be attracting tens of thousands of European consumers and charging them for example 10 euros for the SEPA payment. In the age of freemium unicorns and all SEPA payments being offered free of charge, this is not just an unrealistic assumption, it is simply not a feasible one.
- Reason 8
With regulations, you cannot outsource critical material functions, like Compliance. You always keep that responsibility.
You know that FinTech is a symbiosis of financial services and information technology and you understand that many great companies, including unicorns, are using third-party software in building their payments’ ecosystems. It is impractical, time-consuming, very expensive, and in some cases impossible for the start-up to create from scratch a robust core banking software or an e-commerce gateway. Thus, most FinTech start-ups focus on developing customer-facing solutions, such as mobile apps and web interfaces, that are connected to the backends developed by the third-party providers, many of which are legacy systems, being developed over two decades ago.
Outsourcing is not limited to the information technology as many companies are outsourcing AML screening, customer due diligence, PEP and sanctions screening, card issuing programmes, and even a license, by becoming distributors or agents of the authorised electronic money or payment institutions.
Such outsourcing can become very complex, and the failure of any of the company’s outsourced vendors or their products can cause harm to the firm’s customers and even put the firm into such a jeopardy that it can no longer provide services. This is why regulators are treating this aspect of your regulatory authorisation application with great and close scrutiny. Failure to identify the vendors and products that you will be outsourcing as well as failure to provide signed or draft agreements for the assessment may cause the rejection of your application. Under the new Consumer Duty rules within the UK you are required to assess and risk rate your providers. We can help you in this area.
After the Wirecard fiasco and collapse in the summer of 2020, many EU regulators realised that dozens of companies and hundreds of co-brand card issuing programmes were paralysed across Europe, as they relied on a large provider that went bankrupt. Therefore, your application is not going to fly if you are going to tell the regulator that you will do everything yourself or fail to properly disclose all the outsourced functions or services. You must have a thorough and robust business continuity arrangement in case one of the companies you rely on fails. Always have a plan B and an effective exit strategy.
- Reason 9
In order to obtain authorisation to provide payment or e-money services other than remittance, account information, or payment initiation services, you must have measures in place to safeguard customer funds. By the way, if you are not fully familiar with the requirements, you can read the FCA’s pages on this. While there are a couple of options to safeguard your customer funds, I am sure that you will need a safeguarding account with a credit institution (i.e., bank) in 95% of the cases.
It is a nightmare to obtain the safeguarding bank account for the client’s funds before the authorisation is granted. An option is to provide evidence that a bank is ready to open it once you get a license. However, it is also a challenge to get a letter of intent from a bank or anything similar in a timely manner. The FCA (and other regulators for that matter) recognises the problem and as a result, applications are not rejected solely on that basis. Instead, applications are hibernating in a “waiting mode” until the applicant firm can present evidence of the safeguarding account being opened or a firm commitment from the credit institution that it will be opened.
Nevertheless, if you are unable to do it yourself, failure to find somebody who is able to help you at the end of the day will result in failure to get an authorisation since authorities don’t like to have “hanging” applications.
- Reason 10
Failure to demonstrate commitment
What can be easier?! I will get a license for a PI with €125,000 initial capital. Or even, a small PI that does not have the requirement to have any capital. Or, why bother, I will make a PISP and code the interface myself! In theory, yes, but in real life, the required investment (unless you have an existing clients’ portfolio that you can easily switch onto your start-up) goes way up and above the required minimum capital, and founders of the company have to demonstrate the ability and commitment to fund the CAPEX under the submitted regulatory programme of operations and the business plan.
The payment services sector is highly regulated. It is the spine of the economy, and without it, the sector would be paralysed. That is the main reason why national competent authorities expecting from the founders a demonstration of funding commitment and knowledge of the industry. It means that not only the management must be fit and proper – the founders must also demonstrate that they are committed to creating a successful business that will continue to work for the foreseeable future. Let’s not forget that one of the main tasks of the regulator is to protect an average payment service user who don’t know of all of the differences between payment services and products and their underlying risks.
Therefore, without the proper commitment that can be substantiated, regulators will be reluctant to grant authorisation.
- Reason 11
What is the value proposition of your start-up?
Where is the innovation and competitive advantage in your envisaged products and services, how will the overall public benefit from the services that you will provide?
Is what you are looking to create and sell, a useful solution to identified problems; or is it a fanciful idea with no substance?
Such questions are key to a successful application; and you must know the answers. I cannot imagine why you would wish to obtain authorisation for the provision of payment or e-money services on the back of a dream. You must be able to demonstrate to the regulators your competitive advantage, backed by the robust financial model and market research, otherwise, what is the point of issuing an authorisation to another PSP, as the market is already saturated with almost 4,000 of them in the EU alone, (around 1,500 in the UK).
We take you through the Regulatory Business Plan development and explain our 9 section RPB ‘Summary Plan on a Page’ (SPP) system, unique to LS Consultancy.
It is important to present your idea in a concise manner that anyone can understand the problem, which your solution is going to resolve. You need to explain what you will bring to the table and how it will benefit each and every one of your customers. You must fully understand your business model and be able to plainly demonstrate the core of it. The regulator won’t try to dig into vague ideas hidden in the cumbersome and chaotic business plan constructed from copy-pasted articles you found on the Internet. It is important to be precise and explain everything that you have in mind in a language, understandable to the persons responsible for the review of the application.
- Reason 12
Lack of understanding of the industry and expertise to address questions from a regulator
So, you have prepared all the documents in accordance with the regulatory requirements by following national and EBA guidelines. You spent countless hours and sleepless nights while reading all of the guidance and opinions on forums. It is bulletproof, nobody can stop you anymore! I hope that it is so, but for this, you need to have a solid knowledge of the industry. In no manner are we saying that it is impossible to get an authorisation on your own. However, remember that even after preparing all of the documentation the next difficult step is that the Case Officer will review and question every aspect of the application. They also live and breathe reviewing applications, and their knowledge of the industry is most likely much deeper than yours, although their commercial application may be limited.
Depending on the jurisdiction of your choice you may receive from 40 to 200 questions from a regulatory authority (and this is for a good application, not even talking about poorly prepared ones). The questions will be not only based on the theory, but they will also consider practical implications derived from the industry experience. The role of a person who is reviewing your application is to be sure that they are granting the authorisation to the fit and proper individuals who can build and develop a sustainable business which will not cause any harm to the consumers.
Therefore, the questions asked by the regulatory authority will be tricky, and without deep knowledge, it will be difficult to answer them. That’s where we can help, we speak their language and know the words and terms that can cause inflammatory responses.
- Reason 13
You customer journey mapping is too high level, or doesn’t exist
You may have had the whole application packed, all the appendices in order and catalogued, CV’s dusted off, Outsource service contracts in alphabetical order and then you the regulator asks for a copy of your Customer Journey. The amount of cases we are asked to salvage because there is no customer journey map are into the hundreds.
What is a customer journey map?
A customer journey map is a visual representation of the customer journey (also called the buyer journey or user journey). It helps you tell the story of your customers’ experiences with your brand across all touchpoints. Whether your customers interact with you via social media, email, live chat or other channels, mapping the customer journey out visually helps ensure no customer slips through cracks. There are numerous other benefits to mapping this out as well. We can help you and work through the mapping with you.
- Bonus 1
Congratulations! You are one step closer to getting a license and saving your time and money.
As no one does more to help you gain authorisation (or registration for SMI/SEMI/RAISP) than LS Consultancy we have arranged a specially priced feature for you.
What many firms fall foul of is the SMF interview, usually conducted by telephone with the FCA. Other regulators may prefer a face-to-face meeting. Whichever the preference, the questions asked can be daunting, even overwhelming with the added pressure of your application riding on your performance, isn’t it a good idea to get some coaching?
As an additional service to our clients, we are proud to present the SMF Interview Coaching Course. This is in addition to our PDF explaining the topic.
This personalised coaching course designed over two days is designed for the MLRO/Compliance/MD/CEO and will consist of a review of your business, what to expect, a set of live interview questions and discussion around whatever is considered to be a hot topic.
The Course Director is an experienced Head of Compliance (CF10/SMF16) and MLRO (CF11/SMF17). Former Member of the Money Laundering Advisory Panel (MLAP) and the Joint Money Laundering Intelligence Taskforce (JMLIT), with over 35 years’ experience in the financial services industry. Chartered Member of the Chartered Institute for Securities and Investments (MCSI). He holds an LLB in English Law and relevant industry qualifications in Regulation, Compliance, Financial Crime, Investment Operations and GDPR.
- Bonus 2
How would you like a £500 value immediately?
We have a policy of “there are no stupid questions”. If you don’t know you need to ask, but who do you approach?
The answer is LS Consultancy.
Unlike many consultancies who have calls and meetings managed by salespeople (or even receptionists), we won’t waste your time, sending you round the telephone system. You will meet for a free 30-minute consultation with us, or someone who can answer for the business. No commitments, just a free consultation that will help you understand your further steps to build the next unicorn. You will get a real value immediately with full explanations of complex things.
We can discuss any of the topics below.
- Whether you need a license at all
We can help you to save your time by discussing with you whether you should choose the path of Authorisation or Registration.
- Your readiness to apply
If you are not ready, we will discuss your next steps and how we can help you.
- What alternatives you have
For example, maybe the best option for you is to become an agent, distributor, or even buy an already licensed company.
- The best jurisdiction for your needs
One call with us will help you to avoid problems you could not know about.
- Potential Partners
We may know companies you might be interested in being introduced to.
Download: FCA authorisation – the basic process
Like this post? Want to be kept up to date with compliance and regulatory information regarding PSPs, AML, Reporting etc?
If you need any assistance, in strictest confidence,
call us today on
020 8087 2377
FREE downloadable content for Marketing, Compliance, Sales teams, small and medium-sized enterprises. Click here.
We’re looking for guest writers with business know-how and experience to create outstanding articles to feature on our website. Sound like you? Then find out more…