The UK’s fintech payment landscape operates under a bifurcated regulatory structure established by the Payment Services Regulations 2017 (PSRs 2017): Small Payment Institutions (SPIs) and Authorised Payment Institutions (APIs). Both categories fall under the Financial Conduct Authority’s (FCA) supervisory remit, but the regulatory obligations, capital requirements, and audit expectations differ substantially. For fintech startups and payment service providers navigating this regime, understanding these distinctions directly impacts operational costs, scalability potential, and regulatory risk exposure.
It’s important to note that this guide focuses specifically on payment institutions under the PSRs 2017. Firms issuing electronic money should also consider the parallel framework of Small Electronic Money Institutions and Authorised Electronic Money Institutions under the Electronic Money Regulations 2011 (EMRs 2011), which have similar but distinct requirements. Additionally, while the FCA supervises payment institutions, the Payment Systems Regulator (PSR) separately oversees payment systems themselves—distinct regulatory functions that sometimes create confusion.
As we move through 2025, the FCA has intensified its supervisory approach toward payment institutions, driven by operational resilience expectations, the Consumer Duty framework implemented in 2023-2024, and persistent concerns about financial crime vulnerabilities in digital payments. FCA audit expectations have evolved from periodic compliance reviews to more intensive, data-informed supervisory engagement with heightened focus on demonstrable customer outcomes and robust financial crime controls.
This guide provides comprehensive analysis of SPI versus API regulatory frameworks, examines the FCA’s current audit priorities, and offers practical guidance for maintaining compliance readiness. Whether you’re determining the appropriate authorization tier for your payment services or preparing for regulatory examination, understanding these requirements is essential for sustainable operations in the UK’s regulated fintech ecosystem.
Section 1: Regulatory Distinctions – SPI vs API
What is a Small Payment Institution (SPI)?
A Small Payment Institution represents a lighter-touch regulatory category introduced under the PSRs 2017, designed for payment service providers with limited transaction volumes. SPIs must register with the FCA but are not fully authorized, creating a middle ground between exempt entities and fully Authorised Payment Institutions.
SPI Qualification Criteria:
According to Regulation 13 of the PSRs 2017, SPIs qualify when their payment transaction volumes do not exceed specific monthly average thresholds. Critically, these thresholds are calculated as the average monthly payment transactions over the preceding 12-month period:
- €3 million per month average for payment services generally, OR
- €5 million per month average if providing only money remittance services
For new entrants without 12 months of trading history, the calculation is based on projected volumes over the first 12 months of operation, supported by business plan forecasts. The FCA expects realistic projections—inflating figures or underestimating growth to remain within SPI thresholds when API authorization is appropriate constitutes a regulatory concern.
These thresholds are based on the total value of payment transactions executed, not the value of funds held at any given time. SPIs must actively monitor their transaction volumes and notify the FCA immediately if they anticipate exceeding these limits. Continued operation above thresholds without applying for full authorization constitutes unauthorized business and regulatory breach.
Key SPI Characteristics:
- Registration-Based: SPIs register with the FCA rather than obtaining full authorization. The registration process, while still requiring significant information about the business model, governance, and principals, is less intensive than full authorization, typically taking weeks to a few months rather than 6-12 months for API authorization.
- Reduced Capital Requirements: SPIs must maintain adequate capital relative to their business, but are not subject to the prescriptive own funds calculations required for APIs. The FCA expects SPIs to demonstrate they hold sufficient capital to wind down in an orderly manner if necessary, but the quantum is generally lower than API requirements.
- Simplified Safeguarding Obligations: SPIs must protect customer funds, but the safeguarding framework provides more flexibility than the stringent requirements imposed on APIs. While SPIs must segregate customer funds from operational funds, the specific mechanisms and reporting requirements are lighter.
- No EEA Passporting Rights: Pre-Brexit, SPIs could not passport services across the European Economic Area, unlike APIs. Post-Brexit (following December 31, 2020 when the transition period ended), the passport regime no longer operates for UK firms accessing EEA markets. SPIs seeking to provide cross-border payment services must comply with individual country requirements, typically through local partnerships or licenses.
- Simplified Reporting: Regulatory reporting requirements for SPIs are less extensive than those for APIs. SPIs submit annual information returns and notify the FCA of material changes, but avoid the quarterly capital, safeguarding, and operational reports required of larger APIs.
- FCA Registration and Public Record: All SPIs receive an FCA Firm Reference Number (FRN) and are listed on the FCA’s Financial Services Register, enabling customers and partners to verify regulatory status.
Critical Limitation: SPIs cannot provide certain payment services considered higher-risk or requiring enhanced oversight, particularly acquiring services (merchant acquiring) or operating payment accounts that can be loaded remotely. These services require full API authorization.
What is an Authorised Payment Institution (API)?
An Authorised Payment Institution represents full FCA authorization for payment service providers operating above SPI thresholds, providing services that SPIs are not permitted to offer, or seeking complete regulatory permissions for their payment services.
API Authorization Requirements:
APIs must obtain formal authorization from the FCA before commencing operations. The authorization process under Part 2 of the PSRs 2017 involves comprehensive assessment of:
- Business model sustainability, viability, and compliance structure
- Adequacy of governance, systems, and controls
- Financial resources and capital adequacy meeting prescribed calculations
- Fitness and propriety of key personnel, including senior management, significant shareholders (10%+ ownership), and individuals performing Senior Management Functions under the Senior Managers and Certification Regime
- Safeguarding arrangements for client funds with detailed policies and procedures
- Outsourcing arrangements, particularly for critical functions, with appropriate oversight
- Anti-money laundering and counter-terrorist financing frameworks demonstrating compliance with Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017
The authorization process is rigorous and typically takes 6-12 months, sometimes longer for complex business models or where the FCA raises questions requiring substantial clarification.
Key API Characteristics:
- Full Authorization: APIs undergo intensive FCA vetting before authorization, with ongoing supervisory oversight throughout their operational life. The FCA assigns APIs to supervisory groups based on size and risk profile, with larger or higher-risk firms receiving more intensive supervision.
- Capital Requirements: APIs must maintain own funds calculated using one of three prescribed methods under Regulation 19 and Schedule 2 of the PSRs 2017:
  - Method A: Based on fixed overhead requirements—typically 10% of fixed overheads from the preceding year’s audited accounts
  - Method B: 10% of payment transaction volumes over the preceding year, divided by 12 to yield an average monthly volume, which is then multiplied by the scaling factor
  - Method C: A more complex calculation using various risk indicators including transaction values, customer numbers, and operational factors
- Comprehensive Safeguarding: APIs face stringent safeguarding obligations under Regulation 23 of the PSRs 2017, requiring client funds to be protected through:
  - Segregation in designated accounts separate from the institution’s operational funds, typically held with authorized credit institutions
  - Insurance or comparable guarantee arrangements covering the full value of customer funds
  - Daily reconciliation of customer fund balances to safeguarded amounts
  - Annual external audit specifically addressing safeguarding arrangements and compliance with regulatory requirements
- Extensive Reporting: APIs must submit regular regulatory returns to the FCA, including:
  - Quarterly capital adequacy reports demonstrating ongoing compliance with own funds requirements
  - Safeguarding reports detailing customer fund holdings and protection mechanisms
  - Annual audited financial statements
  - Material incident notifications
  - Senior Managers and Certification Regime annual reporting
- Post-Brexit Cross-Border Operations: Prior to December 31, 2020, UK APIs held passporting rights enabling them to provide payment services throughout the EEA under home state (UK FCA) authorization without requiring individual country licenses. The UK’s departure from the EU ended these passporting rights definitively. UK APIs now seeking to service EEA customers must either:
  - Establish EEA entities with local authorization
  - Partner with EEA-authorized institutions
  - Utilize reverse solicitation where EEA customers approach UK firms (complex and limited application)
- Senior Managers and Certification Regime: APIs are subject to SM&CR under the Limited Scope regime (as payment institutions are not deposit-takers). This requires:
  - Designated Senior Management Functions including SMF16 (Compliance Oversight) and SMF17 (Money Laundering Reporting)
  - Certification of certain customer-facing and operational staff
  - Conduct rules applicable to all staff
  - Individual accountability with Statements of Responsibilities for senior managers
Comparative Overview: SPI vs API
| Regulatory Aspect | Small Payment Institution (SPI) | Authorised Payment Institution (API) |
|---|---|---|
| Authorisation Type | Registration with FCA | Full FCA authorisation required |
| Transaction Thresholds | ≤ €3m monthly average (€5m for remittance-only), calculated over the preceding 12 months | No upper limit |
| Capital Requirements | Adequate capital to ensure orderly wind-down | Prescribed own funds calculation (Method A/B/C) maintained continuously |
| Safeguarding Obligations | Customer fund protection required under a lighter framework | Comprehensive segregation/insurance with daily reconciliation and annual audit |
| Regulatory Reporting | Annual returns and material change notifications | Quarterly capital/safeguarding reports, annual audited accounts, and ongoing data submissions |
| Application Timeline | Faster registration (weeks to months) | Lengthy authorisation process (6–12+ months) |
| Application Fees | £500 registration fee | £1,500 authorisation application fee |
| Ongoing Supervision | Risk-based FCA engagement | Intensive FCA supervision based on firm size and risk |
| Annual Fees | Lower ongoing fees based on firm type | Higher periodic fees scaled to payment volume and services |
| AML/CTF Obligations | Full compliance with MLRs 2017 required | Full compliance with MLRs 2017 required |
| Governance Requirements | Standard governance expectations | Enhanced governance with SM&CR Limited Scope application |
| Service Restrictions | Cannot provide acquiring or certain account types | Full range of payment services permitted |
| FCA Register Listing | Yes – searchable FRN on Financial Services Register | Yes – searchable FRN on Financial Services Register |
Critical Note: Both SPIs and APIs must comply fully with the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs 2017). There is no lighter-touch AML regime for SPIs—financial crime prevention obligations are identical across both categories, including:
- Conducting a business-wide risk assessment of money laundering and terrorist financing risks (Regulation 18)
- Implementing policies, controls, and procedures proportionate to identified risks (Regulation 19)
- Appointing a Money Laundering Reporting Officer (MLRO) and nominated officer for suspicious activity reporting
- Customer due diligence for all business relationships and occasional transactions over €1,000
- Enhanced due diligence for high-risk customers, PEPs, and correspondent relationships
- Ongoing monitoring of business relationships
- Suspicious Activity Reporting to the National Crime Agency
- Recordkeeping for five years
- Staff training and awareness programs
Section 2: Evolving FCA Audit Expectations for 2025
The FCA’s supervisory approach toward payment institutions has undergone significant transformation, particularly accelerating in 2023-2025. Understanding these evolving expectations is critical for both SPIs and APIs preparing for regulatory scrutiny.
Shift Toward Data-Informed, Intensive Supervision
The FCA has explicitly articulated its intention to move from periodic, backward-looking regulatory reviews toward more intensive, data-informed supervision. This transformation manifests in several observable trends:
Enhanced Data Collection:
Payment institutions now face expectations for more frequent data submissions beyond traditional annual returns. While the FCA’s broader “Transforming Data Collection” program continues development, payment institutions are already experiencing:
- More frequent requests for operational data outside formal regulatory returns
- Data collection following industry-wide events or emerging risk themes
- Increased scrutiny of submitted data quality and accuracy
- Follow-up questions when data suggests unusual patterns or risk indicators
Larger APIs particularly face heightened data requests, with some firms now providing monthly metrics on customer fund holdings, transaction volumes, operational incidents, and financial performance. The FCA uses this data to identify outliers or emerging risks requiring supervisory intervention.
Risk-Based Supervisory Intensity:
The FCA allocates supervisory resources based on firm size, complexity, and assessed risk profile. In practice, this means:
- Fixed Portfolio Firms (typically smaller APIs and SPIs): Primarily event-driven supervision, with contact triggered by regulatory filings, notifications, or identified concerns
- Flexible Portfolio Firms (mid-sized APIs): Regular supervisory engagement including periodic meetings, data reviews, and occasional thematic work
- Intensive Fixed Portfolio and Enhanced firms (largest, most complex APIs): Continuous supervision with dedicated supervisors, regular meetings, ongoing monitoring, and proactive engagement
SPIs generally receive lighter supervisory engagement unless growth patterns, business model changes, or identified concerns elevate risk profile.
Consumer Duty Implementation and Ongoing Scrutiny
The FCA’s Consumer Duty represents the most significant conduct regulation development in recent years. The Duty came into force on July 31, 2023 for new and existing products and services open to sale or renewal, with a further implementation deadline of July 31, 2024 for closed products and services.
The Four Outcomes Framework:
Consumer Duty creates enforceable obligations around four customer outcome areas:
- Products and Services Outcome: Payment services must be designed to meet customer needs, enable customers to achieve their financial objectives, and deliver fair value. The FCA expects evidence that product design explicitly considers customer needs and potential harm, not solely revenue optimization.
- Price and Value Outcome: The price charged for payment services must represent fair value proportionate to the service provided and benefits received. The FCA has scrutinized payment institution pricing, particularly:
  - Foreign exchange margins and markup transparency
  - Transaction fees, especially where multiple overlapping fees apply
  - Account maintenance or inactivity fees
  - Hidden fees or charges not prominently disclosed
- Consumer Understanding Outcome: Communications must enable customers to make informed decisions at all stages of the customer journey. For payment institutions, this includes:
  - Clear explanation of how payment services work, including timing, routing, and potential delays
  - Transparent pricing and fee structures
  - Clear terms and conditions in plain language
  - Effective disclosure of risks including exchange rate fluctuation, fraud risks, or service limitations
- Consumer Support Outcome: Firms must provide support meeting customer needs throughout the relationship, including:
  - Accessible, responsive customer service channels
  - Effective complaints handling
  - Support for vulnerable customers
  - Clear processes for fraud reporting and dispute resolution
2025 Audit Implications:
FCA supervisory work in 2025 continues assessing Consumer Duty embedding. Audits examine whether payment institutions have moved beyond initial implementation to genuine operational integration. Expect examiners to review:
- Board and senior management Consumer Duty oversight, including regular management information on the four outcomes
- Evidence that Consumer Duty considerations inform product development, pricing decisions, and distribution strategies
- Customer outcome monitoring data including complaints, service failures, vulnerability indicators, and customer satisfaction metrics
- Distribution chain oversight where firms use agents, introducers, or white-label arrangements
- Fair value assessments for all products with documented analysis supporting value determination
- How Consumer Duty insights drive business changes and continuous improvement
Payment institutions treating Consumer Duty as a one-time documentation exercise without ongoing outcome monitoring and improvement will face regulatory criticism.
Operational Resilience Expectations
While the FCA’s formal operational resilience rules under Policy Statement PS21/3 primarily target banks, insurers, and systemically important financial institutions, the underlying principles are cascading to payment institutions through supervisory expectations and thematic work.
Operational Resilience Principles:
The FCA expects payment institutions to demonstrate:
- Identification of Important Business Services: Understanding which services, if disrupted, would cause intolerable harm to customers or threaten market integrity
- Impact Tolerances: Defining how long important services can be disrupted before causing intolerable harm (even if not subject to formal impact tolerance setting requirements)
- Mapping and Testing: Understanding dependencies supporting critical services and testing ability to remain within impact tolerances during disruption scenarios
- Incident Response: Clear procedures for detecting, responding to, and recovering from operational incidents
- Third-Party Risk Management: Robust oversight of critical outsourcing arrangements and dependencies, particularly cloud infrastructure and payment processing partners
2025 Audit Focus:
FCA audits assess whether payment institutions have moved beyond generic business continuity plans to sophisticated operational resilience thinking. Examiners review:
- Mapping of important payment services and critical dependencies (technology, third parties, facilities, key personnel)
- Scenario testing demonstrating ability to maintain or quickly restore services during various disruption events (cyber incidents, vendor failures, technology outages, staff unavailability)
- Incident management frameworks with clear escalation, communication, and recovery prioritization aligned with customer impact
- Third-party risk management including due diligence, ongoing monitoring, exit planning, and concentration risk assessment
- Evidence that operational resilience considerations inform technology investments, vendor selection, and business decisions
Financial Crime Prevention and AML/CTF Controls
Financial crime prevention remains a top FCA supervisory priority across all regulated sectors. For payment institutions—which facilitate rapid, often cross-border money movement—AML/CTF controls receive intensive audit scrutiny.
MLRs 2017 Core Requirements:
Payment institutions must comply fully with the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, including:
- Business-Wide Risk Assessment (Regulation 18): A documented assessment identifying and evaluating money laundering and terrorist financing risks arising from the firm’s customers, countries/geographic areas, products/services, transactions, and delivery channels. This assessment must be kept up-to-date and used to inform the firm’s policies, controls, and procedures.
- Policies, Controls, and Procedures (Regulation 19): Written policies and procedures proportionate to the business and risks identified, covering customer due diligence, reporting, recordkeeping, internal controls, risk assessment, compliance management, and communication.
- Customer Due Diligence (Regulations 27-30): Identifying and verifying customers, understanding ownership and control structures for legal entities, understanding the purpose and intended nature of business relationships, and conducting ongoing monitoring.
- Enhanced Due Diligence (Regulation 33): Heightened scrutiny for high-risk scenarios including customers from high-risk third countries, politically exposed persons, correspondent banking relationships, and any situation where risks are assessed as higher.
- Simplified Due Diligence (Regulation 37): Reduced diligence only where risks have been assessed as lower and specific conditions are met—not a default option.
2025 Financial Crime Audit Priorities:
Transaction Monitoring Effectiveness: The FCA continues identifying weak transaction monitoring as a prevalent deficiency. Audit expectations include:
- Transaction monitoring systems calibrated to the firm’s specific risk profile, customer base, and identified typologies—not generic out-of-box configurations
- Monitoring rules and thresholds regularly tested and tuned based on false positive/false negative analysis
- Alert investigation demonstrating genuine analysis with documented rationale, not template-based responses
- Clear escalation to suspicious activity reporting where appropriate, with evidence of MLRO involvement in filing decisions
- Periodic independent testing of monitoring system effectiveness against known suspicious patterns
Customer Due Diligence Quality and Depth: The FCA expects risk-based, meaningful due diligence:
- Risk assessment methodology producing differentiated customer risk ratings
- CDD procedures tailored to risk levels—not one-size-fits-all approaches
- Enhanced due diligence for high-risk customers with genuine inquiry into source of wealth, source of funds, and business rationale
- Beneficial ownership verification for legal entity customers, understanding control and ultimate ownership
- Ongoing monitoring demonstrating the firm understands customer transaction patterns and can identify anomalies
- Periodic customer reviews ensuring information remains current
Sanctions Screening Robustness: Following geopolitical developments and expanding sanctions regimes, sanctions screening receives heightened attention:
- Screening against UK consolidated sanctions list, UN sanctions, and (for firms with US dollar clearing or US exposure) OFAC sanctions
- Real-time screening at onboarding and transaction processing
- Periodic rescreening of existing customers to catch newly designated individuals or entities
- Name-matching technologies appropriate for the customer base, considering transliteration issues, aliases, and cultural naming conventions
- Clear escalation and decision-making processes for potential sanctions matches, with documented analysis
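The screening expectations above (normalisation that copes with transliteration and aliases, screening at onboarding and at transaction time, periodic rescreening of the book, and banded escalation with a documented decision) can be shown in a small Python example. This is added illustration, not code from the original guide or from any FCA or vendor tool: the list entries are fictitious, the transliteration table is a constructed stand-in for a maintained one, and the 0.85 and 0.70 score bands are assumptions a firm would calibrate and document.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed, fictitious designations for illustration; not taken from the UK, UN or OFAC lists.
SANCTIONS_LIST = [
    {"id": "X-001", "name": "Aleksandr Ivanovich Petrov", "aliases": ["Alexander Petrov", "Petrov, Aleksandr"]},
    {"id": "X-002", "name": "Zeyneb Al-Mansur", "aliases": ["Zeinab Al Mansour"]},
    {"id": "X-003", "name": "Nordlicht Handels GmbH", "aliases": ["Nordlicht Trading"]},
]
# Constructed transliteration equivalences; a production system would use a maintained table.
TRANSLITERATIONS = {"alexander": "aleksandr", "aleksander": "aleksandr", "zainab": "zeyneb",
                    "mohamed": "muhammad", "mohammed": "muhammad"}
POTENTIAL_MATCH = 0.85   # hold the payment and escalate for a documented compliance decision (assumed band)
REVIEW = 0.70            # secondary review before clearing (assumed band)


def tokens(name):
    """Normalise a name: strip diacritics, lower-case, reorder 'Surname, Given', drop punctuation, map spellings."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(ch for ch in text if not unicodedata.combining(ch)).lower()
    if "," in text:
        last, first = text.split(",", 1)
        text = f"{first} {last}"
    text = "".join(ch if ch.isalnum() or ch.isspace() else " " for ch in text)
    return sorted(TRANSLITERATIONS.get(t, t) for t in text.split())


def name_score(query, candidate):
    """Similarity in [0, 1]: best token-by-token match, or the whole name compared with spaces removed."""
    q, c = tokens(query), tokens(candidate)
    if not q or not c:
        return 0.0
    short, long_ = (q, c) if len(q) <= len(c) else (c, q)
    compact = SequenceMatcher(None, "".join(q), "".join(c)).ratio()
    if len(short) < 2:   # one shared token (e.g. "Al") is not a match on its own
        return round(compact, 3)
    per_token = [max(SequenceMatcher(None, s, l).ratio() for l in long_) for s in short]
    return round(max(sum(per_token) / len(short), compact), 3)


def screen(name, sanctions_list=SANCTIONS_LIST):
    """Score a name against every listed name and alias and band the result for escalation."""
    best = {"name": name, "score": 0.0, "match_id": None, "matched_name": None}
    for entry in sanctions_list:
        for variant in [entry["name"], *entry["aliases"]]:
            score = name_score(name, variant)
            if score > best["score"]:
                best.update(score=score, match_id=entry["id"], matched_name=variant)
    if best["score"] >= POTENTIAL_MATCH:
        best["decision"] = "potential_match"
    elif best["score"] >= REVIEW:
        best["decision"] = "review"
    else:
        best["decision"] = "clear"
    return best


def rescreen(customer_names, sanctions_list=SANCTIONS_LIST):
    """Periodic rescreening of the existing book after a list update: everything not cleared goes to the MLRO."""
    return [r for r in (screen(n, sanctions_list) for n in customer_names) if r["decision"] != "clear"]


if __name__ == "__main__":
    for name in ["Petrov, Aleksandr", "Zainab Almansour", "Alex Petrov", "Thomas Greenwood"]:
        print(screen(name))
```

The "review" band exists so that near-misses (a missing middle name, a variant spelling) are not silently cleared; every result that is not "clear" carries the score and the matched variant, which is the material the documented analysis at escalation attaches to. `rescreen` is the sweep of the existing customer book that catches newly designated names.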
MLRO Function Effectiveness: The FCA has expressed persistent concern about under-resourced or ineffective Money Laundering Reporting Officers. Audit expectations include:
- MLRO with appropriate seniority and organizational independence—not junior staff or individuals with conflicting operational responsibilities
- MLRO reporting directly to board or senior management with demonstrated influence
- Adequate staff and technology resources supporting the MLRO function relative to firm size and risk
- Regular MLRO reporting to board on financial crime risks, control effectiveness, suspicious activity trends, and resource needs
- MLRO involvement in material decisions including new products, customer acceptance policies, and significant business changes
- Evidence of MLRO concerns being addressed rather than ignored
Many smaller payment institutions lack scale justifying full-time senior MLROs, creating resourcing challenges. This dynamic has driven increasing adoption of outsourced MLRO services, where specialist compliance firms provide experienced officers serving as the institution’s designated MLRO while managing costs appropriately.
Governance, Accountability, and Culture
The FCA’s focus on governance reflects recognition that compliance failures typically originate in poor governance structures, inadequate oversight, or inappropriate culture rather than isolated technical breaches.
SM&CR Application to Payment Institutions:
Payment institutions fall under the SM&CR Limited Scope regime. This requires:
- Designation of Senior Management Functions (SMFs), particularly:
  - SMF16 (Compliance Oversight Function): The individual responsible for the firm’s compliance with FCA rules
  - SMF17 (Money Laundering Reporting Function): The individual serving as MLRO
  - Additional SMFs as applicable based on firm structure (SMF3 Executive Director, SMF1 Chief Executive, etc.)
- Statements of Responsibilities clearly defining each senior manager’s accountability areas
- Conduct Rules applicable to all staff (Individual Conduct Rules) and senior managers (Senior Manager Conduct Rules)
- Certification of certain staff in customer-facing or material risk roles (the Certification Regime)
- Fitness and propriety assessments for senior managers and certified staff
2025 Governance Audit Focus:
FCA audits assess whether governance structures support effective oversight and accountability:
- Senior Management Function holders genuinely discharging their responsibilities with documented oversight activities
- Board-level compliance and risk oversight with appropriate challenge and scrutiny
- Management information enabling board and senior management to identify and address risks and compliance issues
- Appropriate resources allocated to compliance, risk management, and control functions
- How the firm responds to compliance breaches, audit findings, or customer complaints—evidence of continuous improvement culture
- Whether incentive structures encourage appropriate conduct or create risks of customer harm
Culture and Conduct Assessment:
The FCA increasingly probes firm culture through various indicators:
- Staff incentive structures and whether they encourage risk-taking or mis-selling
- Whistleblowing arrangements and evidence that concerns are investigated and addressed
- Training programs and staff competence frameworks
- How mistakes or compliance issues are handled—blame culture vs. learning culture
- Whether conduct risk and customer outcomes feature in performance management and promotion decisions
Technology Governance and Cyber Resilience
As payment institutions increasingly rely on complex technology infrastructure, cloud services, and digital channels, the FCA’s supervisory attention extends to technology governance.
Technology Governance Focus Areas:
- Change Management: Controlled processes for technology changes including impact assessment, testing, approval gates, and rollback procedures
- Third-Party and Outsourcing Oversight: Due diligence, ongoing monitoring, and contingency planning for critical service providers, particularly:
  - Cloud infrastructure providers
  - Payment processing partners
  - Core banking technology vendors
  - API and connectivity providers
- Cyber Security and Resilience: Controls protecting against cyber threats, incident response capabilities, and recovery procedures. While detailed cyber requirements primarily apply to larger institutions, all payment institutions face expectations for appropriate cyber hygiene.
- Data Governance: Compliance with UK GDPR and data protection requirements (noting that data protection is primarily the Information Commissioner’s Office jurisdiction, though the FCA considers data security from operational risk and consumer protection perspectives)
- AI and Algorithmic Decision-Making: For firms deploying AI or machine learning in credit decisions, fraud detection, customer service, or other functions, the FCA expects:
  - Appropriate governance and oversight of AI systems
  - Testing for accuracy and bias
  - Explainability enabling understanding of how decisions are reached
  - Human oversight and intervention capabilities
Section 3: Common FCA Audit Findings in Payment Institutions
Understanding typical deficiencies identified during FCA audits enables proactive remediation before regulatory scrutiny. Based on publicly available enforcement actions, Dear CEO letters, supervisory findings, and thematic reviews, common issues include:
Deficiency 1: Inadequate or Outdated Risk Assessments
The Problem: Risk assessments treated as one-time compliance exercises rather than living documents informing actual business decisions. Common deficiencies include generic risks copied from templates, risk ratings without supporting analysis, and assessments unchanged for years despite business evolution.
FCA Expectations:
- Enterprise-wide risk assessment covering all material risks to the business (strategic, operational, financial, compliance, conduct, financial crime)
- Business-wide money laundering and terrorist financing risk assessment required by Regulation 18 of MLRs 2017, addressing risks arising from customers, countries/geographies, products/services, transactions, and delivery channels
- Risk assessments reviewed at least annually and updated when material changes occur (new products, customer segments, geographies, delivery channels, or external risk environment changes)
- Risk appetite statements approved by the board defining acceptable risk levels
- Evidence that risk assessments inform control design, resource allocation, and business decisions—not shelf documents
Common Deficiencies:
- Risk assessment last updated several years prior despite significant business changes
- Generic risk descriptions not tailored to the specific business model or customer base
- Risk ratings assigned without documented rationale or supporting analysis
- No evidence of board review, challenge, or approval of risk assessments
- Controls identified in theory but no testing or effectiveness monitoring
- Risk assessment disconnected from compliance activities, product development, or resource decisions
Deficiency 2: Weak Safeguarding Controls and Client Money Protection
The Problem: Safeguarding failures represent elevated compliance risk given direct customer harm potential. Deficiencies include inadequate segregation, poor reconciliation discipline, and insufficient safeguarding oversight.
FCA Expectations for APIs:
Under Regulation 23 of PSRs 2017, APIs must safeguard customer funds either through:
- Segregation in accounts held with authorized credit institutions, separate from the payment institution’s operational funds, OR
- Insurance or comparable guarantee covering customer fund balances
Key requirements include:
- Customer funds identified and segregated promptly upon receipt
- Daily reconciliation of customer fund balances to safeguarded amounts
- Reconciliation variances investigated and resolved promptly with documented analysis
- Safeguarding arrangements documented in board-approved policies
- Annual external audit covering safeguarding arrangements and compliance
- Immediate FCA notification of safeguarding breaches or concerns
Common Deficiencies:
- Reconciliation performed weekly or monthly rather than daily, violating regulatory requirements
- Reconciliation variances not investigated or resolved, accumulating over time
- Commingling of customer funds with operational funds in the same accounts
- Inadequate documentation of which funds require safeguarding under regulatory definitions
- Failure to segregate funds promptly upon receipt—delays of days or weeks
- Insurance coverage insufficient relative to actual customer fund holdings
- No independent testing or external audit of safeguarding arrangements
- Safeguarding policies not updated to reflect operational changes
Deficiency 3: Ineffective Transaction Monitoring and Financial Crime Controls
The Problem: Transaction monitoring systems poorly configured, not calibrated to the business, or generating outputs that receive perfunctory review rather than meaningful investigation.
FCA Expectations:
- Transaction monitoring systems appropriate to business size, complexity, and risk profile
- Monitoring rules and thresholds based on the firm’s specific financial crime risk assessment and relevant typologies
- Regular review and tuning of monitoring systems based on effectiveness testing and false positive/negative analysis
- Alert investigation documentation demonstrating genuine analysis of customer behavior and transaction patterns
- Clear escalation criteria for suspicious activity with appropriate MLRO involvement
- Suspicious Activity Reports (SARs) filed where genuine suspicion exists, with supporting analysis
- Periodic independent testing of transaction monitoring effectiveness
Common Deficiencies:
- Generic out-of-the-box monitoring rules never customized to the firm’s customer base or risk profile
- Monitoring thresholds set excessively high, allowing suspicious activity to pass undetected
- Alert investigation notes generic or template-based without customer-specific analysis
- Massive alert backlogs indicating investigations aren’t timely or adequately resourced
- No evidence of periodic monitoring system testing, calibration, or tuning
- Monitoring system failures or gaps not detected for extended periods
- SAR filing decisions lacking documented analysis or MLRO review
Deficiency 4: Under-Resourced or Ineffective MLRO Function
The Problem: MLRO function treated as a part-time addition to unrelated operational roles, or MLROs lacking the seniority, resources, or organizational independence to effectively discharge regulatory responsibilities.
FCA Expectations:
- MLRO (designated under SMF17 for payment institutions in SM&CR) with appropriate seniority and direct board or senior management access
- MLRO function adequately resourced relative to firm size, transaction volumes, and financial crime risk
- MLRO independence from revenue-generating operations to avoid conflicts of interest
- Regular MLRO reporting to board on financial crime risks, control effectiveness, emerging threats, and resource adequacy
- MLRO involvement in material decisions including new products, customer segments, jurisdictions, or delivery channel changes
- MLRO authority to challenge business decisions and escalate concerns
Common Deficiencies:
- MLRO function combined with incompatible operational roles (e.g., Head of Operations serving as MLRO)
- Junior MLRO without seniority, experience, or organizational influence
- MLRO responsible for tens of thousands of customers without supporting compliance staff
- MLRO excluded from product development, strategic planning, or material business decisions
- No documented MLRO reporting to board or evidence that MLRO concerns receive attention
- MLRO capacity constraints preventing effective oversight of financial crime risks
For smaller payment institutions where full-time senior MLROs may be economically challenging, outsourced MLRO services provide a viable solution. Specialist firms offer experienced MLROs serving as the institution’s designated SMF17, providing strategic oversight, board reporting, regulatory liaison, and policy development while managing costs appropriately.
Deficiency 5: Inadequate Customer Due Diligence and Enhanced Due Diligence
The Problem: CDD processes focused on collecting documents rather than understanding customers. EDD for high-risk customers lacks genuine inquiry or enhanced scrutiny.
FCA Expectations:
- Risk-based approach to CDD with clear risk assessment methodology producing differentiated customer risk ratings
- Standard CDD procedures appropriate for lower-risk customers including identification, verification, and purpose/nature of relationship understanding
- Enhanced due diligence for high-risk scenarios including:
  - Customers from high-risk third countries identified by FATF or UK government
  - Politically Exposed Persons (PEPs), their family members, and known close associates
  - Complex ownership structures or unusual business arrangements
  - Customers whose transaction patterns are unusual relative to their profile
- EDD procedures demonstrating genuine enhanced scrutiny, including:
  - Source of wealth (how customer accumulated wealth overall)
  - Source of funds (origin of specific funds being used)
  - Rationale for business relationship or specific transactions
  - Additional information or verification beyond standard CDD
- Ongoing monitoring demonstrating the firm understands customer behavior and can identify anomalies
- Periodic customer reviews ensuring information remains current
Common Deficiencies:
- One-size-fits-all CDD approach regardless of customer risk levels
- EDD that is nominally “enhanced” but substantively identical to standard CDD
- No genuine inquiry into source of wealth or source of funds for high-risk customers
- PEP identification processes that miss PEPs or don’t distinguish between foreign PEPs, domestic PEPs, and international organization PEPs (each requiring different treatment)
- Beneficial ownership verification for corporate customers that accepts information at face value without independent verification
- Ongoing monitoring limited to transaction monitoring alerts rather than holistic relationship understanding
- Customer reviews not conducted or performed without meaningful reassessment
Deficiency 6: Poor Documentation and Recordkeeping
The Problem: Inadequate documentation of compliance activities, risk decisions, or control execution creates challenges demonstrating regulatory compliance during FCA audits.
FCA Expectations:
- Comprehensive recordkeeping policies aligned with regulatory requirements (typically five years under MLRs 2017, six years for financial records)
- Documentation of key compliance activities including risk assessments, control testing, training delivery, incident investigations, and regulatory notifications
- Audit trails for customer due diligence, transaction monitoring investigations, and suspicious activity reporting decisions
- Records organized and accessible to facilitate regulatory reviews
- Version control for policies and procedures with evidence of reviews, updates, and approval
- Evidence supporting key risk or business decisions
Common Deficiencies:
- Critical compliance documents lost, not retained, or stored inconsistently
- Decentralized documentation across multiple systems preventing efficient retrieval
- No document version control creating ambiguity about which policies were effective when
- Incomplete CDD files missing verification documents or risk assessment rationale
- Transaction monitoring alert investigations with minimal documentation or template responses
- Training records incomplete, missing dates, content details, or attendee confirmation
- Key decisions (e.g., customer acceptance, product approvals) lacking documented rationale
- Inability to produce requested documents during an audit, creating an inference of non-compliance
Deficiency 7: Failure to Notify FCA of Material Changes or Breaches
The Problem: Payment institutions failing to notify the FCA of significant business changes, regulatory breaches, or operational incidents as required by PSRs 2017 and FCA Principles.
FCA Expectations:
Payment institutions must notify the FCA of various events under specific timeframes:
- Immediate notification (without delay): Safeguarding breaches, capital adequacy shortfalls, significant operational incidents affecting customers, suspected financial crime
- 30 days advance notice: Material changes to business model, services provided, or operational arrangements
- Changes to Senior Management Functions: Applications or notifications as required under SM&CR
- Quarterly/Annual: Regular regulatory returns per prescribed schedules
- Approaching SPI thresholds: SPIs must notify when anticipating exceeding the €3m/€5m thresholds
Specific notification requirements and timeframes are detailed in PSRs 2017 Regulations and the FCA Handbook.
Common Deficiencies:
- Significant business changes (new products, customer segments, geographies) implemented without FCA notification
- Regulatory breaches discovered internally but not reported to FCA
- SPIs approaching or exceeding transaction thresholds without FCA engagement or API authorization application
- Senior Management Function changes not notified within required timeframes
- Operational incidents treated as purely internal matters without considering FCA notification obligations
- Misunderstanding notification triggers, leading to unreported events
Section 4: Preparing Your Payment Institution for FCA Audit
Proactive compliance readiness significantly improves audit outcomes and reduces regulatory risk. Payment institutions should approach FCA audit preparation as an ongoing discipline rather than a crisis response.
Step 1: Conduct Comprehensive Compliance Gap Assessment
Before external scrutiny, conduct rigorous internal assessment of compliance across all regulatory obligations:
Regulatory Obligations Mapping:
- Create comprehensive inventory of all applicable regulatory obligations (PSRs 2017, MLRs 2017, SM&CR, Consumer Duty, UK GDPR, etc.)
- Map each obligation to responsible individuals, implementing controls, and evidence artifacts
- Identify gaps where obligations lack clear ownership, documented controls, or testing evidence
Independent Compliance Health Check:
Many payment institutions engage external compliance specialists to conduct independent gap assessments providing objective evaluation of compliance maturity. These assessments typically examine:
- Governance structures and senior management accountability under SM&CR
- Risk assessment frameworks for enterprise risks and money laundering/terrorist financing
- Financial crime controls including transaction monitoring, sanctions screening, and customer due diligence
- Safeguarding arrangements, reconciliation disciplines, and client money protection
- Regulatory reporting accuracy, completeness, and timeliness
- Training programs and staff competence frameworks
- Incident management and operational resilience
- Technology governance and third-party risk management
- Consumer Duty embedding and customer outcome monitoring
External assessments provide regulatory expertise, benchmark perspectives from multiple institutions, and independence that avoids institutional blind spots or unconscious bias.
Step 2: Strengthen Core Compliance Documentation
FCA auditors request extensive documentation during examinations. Ensuring documentation is current, comprehensive, and accessible streamlines audit response:
Critical Documentation:
- Risk Assessments: Current enterprise-wide risk assessment and business-wide money laundering/terrorist financing risk assessment with evidence of board approval and annual review
- Policies and Procedures: Complete policy framework covering all regulatory obligations with version control, regular review evidence, and board approval
- Governance Records: Board and committee meeting minutes demonstrating risk and compliance oversight, challenge, and decision-making
- Training Records: Comprehensive logs showing all relevant staff received appropriate regulatory training, with dates, content, and completion evidence
- Control Testing Evidence: Results from control effectiveness testing, transaction monitoring tuning, safeguarding audits, and compliance monitoring
- Regulatory Correspondence: All FCA notifications, regulatory returns, and correspondence organized chronologically and easily retrievable
- Incident Logs: Comprehensive incident register documenting operational disruptions, breaches, remediation actions, and lessons learned
- Customer Due Diligence Files: Well-organized CDD documentation retrievable by customer, including identification, verification, risk assessments, and ongoing monitoring
Implement a centralized compliance repository with role-based access controls, automated retention management, and audit trail capabilities to avoid documentation chaos during audits.
Step 3: Test and Optimize Transaction Monitoring Systems
Given the FCA’s persistent focus on financial crime controls, transaction monitoring effectiveness warrants dedicated attention:
Monitoring System Assessment:
- Review all transaction monitoring rules and thresholds ensuring alignment with identified money laundering/terrorist financing risks and relevant typologies
- Analyze false positive rates and investigate whether monitoring configuration might miss genuine suspicious activity
- Test monitoring systems using known suspicious transaction patterns (including typologies from National Crime Agency, FATF, or FCA publications)
- Evaluate alert investigation quality assessing whether documentation demonstrates genuine customer-specific analysis
- Review SAR filing decisions ensuring appropriate escalation and MLRO involvement
Consider engaging financial crime technology specialists to conduct independent monitoring assessments, particularly for APIs with complex customer bases or higher-risk services.
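As an added illustration of the false positive/negative analysis described in this step (example code written for this guide, not a system the FCA or any vendor provides), three constructed monitoring rules are run over a constructed, labelled set of transactions under two calibrations; the scores show that thresholds set too high silently miss the structuring customer, while the calibrated set trades one false alert for full coverage. Rule names, thresholds, customers and amounts are all assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    customer: str
    ts: datetime
    amount: float    # GBP, constructed values
    direction: str   # "in" or "out"


def by_customer(txns):
    """Group transactions per customer, oldest first."""
    groups = {}
    for t in sorted(txns, key=lambda t: t.ts):
        groups.setdefault(t.customer, []).append(t)
    return groups


def rule_large(txns, threshold):
    """Any single transaction at or above the threshold."""
    return {t.customer for t in txns if t.amount >= threshold}


def rule_structuring(txns, cap, window=timedelta(hours=24), min_count=3):
    """min_count or more inbound payments within one window, each sitting
    just under the cap (90-100% of it): the sub-threshold typology."""
    hits = set()
    for cust, group in by_customer(txns).items():
        near = [t for t in group if t.direction == "in" and 0.9 * cap <= t.amount < cap]
        for i, first in enumerate(near):
            if sum(1 for t in near[i:] if t.ts - first.ts <= window) >= min_count:
                hits.add(cust)
                break
    return hits


def rule_pass_through(txns, window=timedelta(hours=2), ratio=0.9):
    """At least 'ratio' of an inbound amount is sent out again within the window."""
    hits = set()
    for cust, group in by_customer(txns).items():
        for inbound in (t for t in group if t.direction == "in"):
            out_total = sum(t.amount for t in group if t.direction == "out"
                            and timedelta(0) <= t.ts - inbound.ts <= window)
            if out_total >= ratio * inbound.amount:
                hits.add(cust)
                break
    return hits


def run_monitoring(txns, large_threshold, structuring_cap):
    """Return {customer: set of rule names that fired} for one calibration."""
    fired = {"large": rule_large(txns, large_threshold),
             "structuring": rule_structuring(txns, structuring_cap),
             "pass_through": rule_pass_through(txns)}
    alerts = {}
    for rule, customers in fired.items():
        for c in customers:
            alerts.setdefault(c, set()).add(rule)
    return alerts


def evaluate(alerts, labels):
    """Score alerts against a labelled typology test set (customer -> True if
    known suspicious). Reports what was missed and what was a false alert."""
    tp = sum(1 for c, s in labels.items() if s and c in alerts)
    fp = sum(1 for c, s in labels.items() if not s and c in alerts)
    fn = sum(1 for c, s in labels.items() if s and c not in alerts)
    tn = sum(1 for c, s in labels.items() if not s and c not in alerts)
    return {"precision": tp / (tp + fp) if tp + fp else 0.0,
            "recall": tp / (tp + fn) if tp + fn else 0.0,
            "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0,
            "missed": sorted(c for c, s in labels.items() if s and c not in alerts),
            "false_alerts": sorted(c for c, s in labels.items() if not s and c in alerts)}


# Constructed test set: four customers whose patterns follow named typologies.
T0 = datetime(2025, 3, 3, 9, 0)
SAMPLE_TXNS = [
    Txn("cust-A", T0, 42.0, "out"),                             # ordinary spend, benign
    Txn("cust-A", T0 + timedelta(days=1), 1200.0, "in"),
    Txn("cust-B", T0, 9500.0, "in"),                            # structuring: four credits
    Txn("cust-B", T0 + timedelta(hours=3), 9700.0, "in"),       # just under 10,000 in a day
    Txn("cust-B", T0 + timedelta(hours=8), 9200.0, "in"),
    Txn("cust-B", T0 + timedelta(hours=20), 9900.0, "in"),
    Txn("cust-C", T0, 20000.0, "in"),                           # pass-through: in, then
    Txn("cust-C", T0 + timedelta(minutes=30), 19500.0, "out"),  # straight back out
    Txn("cust-D", T0, 15000.0, "in"),                           # one large salary credit, benign
]
SAMPLE_LABELS = {"cust-A": False, "cust-B": True, "cust-C": True, "cust-D": False}

# Two calibrations: thresholds set "excessively high" (the deficiency the guide
# describes) versus thresholds derived from the firm's own risk assessment.
TOO_HIGH = dict(large_threshold=50000.0, structuring_cap=50000.0)
CALIBRATED = dict(large_threshold=10000.0, structuring_cap=10000.0)


def compare_calibrations(txns=SAMPLE_TXNS, labels=SAMPLE_LABELS):
    """Run both calibrations and return their evaluation scores side by side."""
    return {name: evaluate(run_monitoring(txns, **cfg), labels)
            for name, cfg in (("too_high", TOO_HIGH), ("calibrated", CALIBRATED))}
```

The "too_high" run reports cust-B under `missed` with no false alerts, which is exactly the kind of silent gap that effectiveness testing against known typologies is meant to surface; the "calibrated" run catches every labelled customer at the cost of one false alert on cust-D, the trade-off that tuning then documents.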
Step 4: Strengthen MLRO Function and Financial Crime Governance
Effective MLRO oversight is fundamental to FCA expectations. Evaluate whether the MLRO function meets regulatory requirements:
MLRO Effectiveness Assessment:
- Does the MLRO have appropriate seniority, experience, and independence from operations?
- Is the MLRO function adequately resourced for the firm’s size, transaction volumes, and risk profile?
- Does the MLRO report regularly to the board with meaningful management information on financial crime risks and control effectiveness?
- Is the MLRO involved in material decisions including new products, customer segments, or business changes?
- Does the MLRO have access to necessary systems, information, and specialist support?
- Can the MLRO demonstrate influence over business decisions when financial crime concerns exist?
For payment institutions where full-time senior MLRO capacity exceeds current needs or where recruiting experienced MLROs proves challenging, outsourced MLRO services provide flexible, cost-effective solutions delivering experienced regulatory professionals, strategic oversight, and credibility with the FCA.
Step 5: Validate Consumer Duty Embedding and Customer Outcomes
Consumer Duty represents a significant regulatory shift requiring operational integration, not just documentation:
Consumer Duty Evidence Preparation:
- Board-level Consumer Duty oversight with regular management information demonstrating monitoring of the four outcomes
- Product governance showing how consumer needs assessments and value considerations inform product design and pricing
- Customer outcome data including complaints analysis, service failure tracking, vulnerable customer support metrics, and satisfaction indicators
- Distribution oversight frameworks if using agents, introducers, or white-label partners
- Fair value assessments for all products with documented supporting analysis
- Evidence that Consumer Duty insights drive business improvements and customer experience enhancements
Demonstrate genuine Consumer Duty embedding through data, not just policy documentation. The FCA will probe whether the framework influences actual decisions.
Step 6: Enhance Operational Resilience Frameworks
Even if not subject to formal operational resilience rules, demonstrate sophisticated resilience thinking:
Operational Resilience Preparation:
- Map important business services and dependencies (technology systems, third-party providers, critical facilities, key personnel)
- Define intolerable disruption for critical services (how long can services be down before causing unacceptable customer harm?)
- Conduct scenario testing simulating various disruption events (cyber attacks, vendor failures, technology outages, facility unavailability)
- Document incident response procedures with clear escalation protocols and communication plans
- Test business continuity arrangements regularly with documented results
- Identify and mitigate single points of failure or concentration risks
- Demonstrate third-party risk management including due diligence, monitoring, and exit planning
Step 7: Organize Audit Response Procedures
Effective FCA audit response requires advance preparation and coordination:
Audit Response Framework:
- Designate an audit response coordinator (typically the MLRO, Head of Compliance, or Senior Manager for Compliance Oversight)
- Establish an audit response team including representatives from operations, finance, technology, risk, and legal
- Create a document request tracking system ensuring timely, complete responses with quality review before submission
- Establish communication protocols defining who interacts with FCA auditors and information review procedures
- Prepare senior managers for FCA interviews, ensuring they understand their accountability areas and can articulate control oversight
- Plan daily team coordination during audit periods to share information and escalate issues
- Brief the board on the upcoming audit, potential areas of focus, and escalation procedures for significant findings
Step 8: Consider External Compliance Advisory Support
Many payment institutions, particularly smaller SPIs and mid-sized APIs, benefit from external compliance expertise during audit preparation:
External Support Options:
- Pre-Audit Gap Assessments: Independent compliance reviews identifying vulnerabilities before FCA scrutiny
- Remediation Implementation: Technical assistance strengthening specific areas (e.g., transaction monitoring optimization, safeguarding framework enhancement)
- Mock Audits: Simulation of FCA audit process testing preparedness and documentation adequacy
- Audit Co-Sourcing: On-site support during actual FCA audits assisting with document preparation, response coordination, and technical questions
- Post-Audit Remediation: Implementation support addressing FCA findings and required improvements
Compliance advisory firms specializing in FCA payment institution regulation provide targeted expertise particularly valuable when internal compliance resources are limited or lack specific payment institution experience.
Section 5: The Value of Ongoing Compliance Monitoring
FCA audit readiness isn’t achieved through crisis preparation when audit notification arrives—it requires sustained compliance monitoring and continuous improvement.
Building Continuous Compliance Culture
Essential Elements:
Regular Compliance Reporting: Monthly or quarterly reporting to senior management and board covering:
- Key risk indicators and compliance metrics
- Control testing results and identified deficiencies
- Regulatory change impacts and implementation status
- Compliance issues, breaches, and remediation progress
- Training completion rates and competence assessments
- Incident frequency, severity, and lessons learned
- Customer outcome metrics supporting Consumer Duty
Systematic Control Testing: Ongoing testing of key controls ensuring continued effectiveness:
- Transaction monitoring system performance and alert quality
- Safeguarding reconciliation accuracy and timeliness
- Customer due diligence completeness and quality
- Policy adherence through spot-checks and sampling
- Access controls and information security
- Incident response and business continuity exercises
Risk Assessment Maintenance: Regular risk assessment reviews reflecting:
- Business changes including new products, customers, or geographies
- Emerging risks and evolving threat landscape
- Control effectiveness insights from testing
- Regulatory changes and supervisory expectations
- External events affecting the payments sector
Regulatory Intelligence: Systematic monitoring of regulatory developments:
- FCA policy statements, consultation papers, and guidance
- Dear CEO letters and supervisory findings affecting payment institutions
- Enforcement actions and lessons for the industry
- Parliamentary and HM Treasury developments
- International regulatory trends relevant to UK operations
Structured Training Programs: Regular training ensuring staff compliance awareness:
- Comprehensive onboarding training for new hires covering regulatory obligations and internal procedures
- Annual refresher training for all relevant staff
- Role-specific training tailored to job functions (customer-facing staff on CDD, finance on safeguarding, etc.)
- Training on regulatory changes or emerging risks
- Assessment mechanisms verifying comprehension and competence
Technology-Enabled Compliance
Technology investments enhance compliance efficiency and effectiveness:
Compliance Management Platforms:
- Centralized policy management with version control and staff attestation
- Automated compliance calendars with alerts for required activities
- Risk and incident management modules with workflow
- Evidence collection and audit trail generation
- Regulatory change tracking and impact assessment tools
Financial Crime Technology:
- Real-time transaction monitoring with machine learning capabilities
- Sanctions screening with automated daily list updates
- Case management systems for alert investigation and SAR workflow
- Customer risk rating engines
- Reporting analytics identifying trends and control effectiveness
RegTech Solutions:
- Automated regulatory reporting preparation and submission
- Digital identity verification and CDD automation
- Adverse media screening and ongoing customer monitoring
- Regulatory intelligence feeds with impact analysis
Compliance Framework Development and Enhancement
Payment institutions benefit from structured compliance frameworks rather than reactive, ad hoc control development:
Comprehensive Framework Components:
- Governance Architecture: Board and committee structures, senior management responsibilities, three lines of defense model implementation
- Risk Management Infrastructure: Enterprise risk framework, specific regulatory risk assessments, risk appetite statements
- Policy Library: Complete, current policies covering all regulatory obligations with version control
- Control Framework: Key controls mapped to risks and regulatory requirements with testing procedures
- Monitoring and MI: Control testing programs, compliance monitoring activities, management information, and board reporting
- Training and Competence: Training curricula, delivery mechanisms, competence assessment frameworks
- Regulatory Relationship Management: FCA liaison protocols, regulatory reporting calendars, change notification procedures
- Incident Management: Detection, investigation, reporting, and remediation frameworks
For payment institutions developing or enhancing compliance frameworks, external expertise accelerates maturity while building internal capability. Specialized compliance firms provide structured implementation methodologies, documentation templates, and regulatory intelligence tailored to payment institution requirements.
Conclusion
The regulatory distinction between Small Payment Institutions and Authorised Payment Institutions extends well beyond transaction volume thresholds to encompass fundamentally different authorization processes, capital requirements, safeguarding obligations, and supervisory intensity. As the FCA continues its evolution toward more intensive, data-informed supervision with heightened expectations around consumer outcomes, operational resilience, and financial crime prevention, both SPIs and APIs face elevated audit scrutiny in 2025 and beyond.
Successful navigation of the FCA’s regulatory regime requires operational embedding of robust risk management, genuine consumer protection, and effective financial crime controls—not merely documentation exercises. Payment institutions thriving under intensified supervision treat compliance as strategic foundation rather than cost center, investing in appropriate frameworks, qualified expertise, and enabling technology from inception.
The FCA has demonstrated increasing willingness to use enforcement powers, including public censures, financial penalties, and authorization restrictions or withdrawals, against firms with inadequate compliance infrastructure. Conversely, payment institutions demonstrating strong governance, effective controls, and proactive compliance culture earn regulatory confidence enabling sustainable growth.
Whether you’re an SPI approaching API authorization thresholds, an established API preparing for upcoming supervisory engagement, or a fintech founder evaluating regulatory pathways for payment services, proactive compliance preparation is essential. The compliance expectations outlined in this guide reflect the FCA’s current supervisory priorities and typical audit findings—understanding and addressing these areas positions your institution for regulatory success.
For payment institutions seeking to strengthen compliance frameworks ahead of FCA scrutiny, partnering with specialist compliance advisors provides targeted regulatory expertise, implementation support, and ongoing monitoring capabilities. ComplyFactor offers comprehensive compliance solutions for UK payment institutions, including:
- FCA Audit Preparation and Support: Gap assessments, mock audits, remediation planning, and audit co-sourcing ensuring regulatory readiness
- Outsourced MLRO Services: Experienced Money Laundering Reporting Officers serving as your designated SMF17, providing strategic financial crime oversight, board reporting, policy development, and FCA liaison
- Compliance Framework Development: End-to-end compliance program design and implementation tailored to SPI and API requirements
- Regulatory Health Checks: Independent assessment of compliance maturity benchmarked against FCA supervisory expectations
- Transaction Monitoring Optimization: Financial crime system calibration, effectiveness testing, and alert quality improvement
- Consumer Duty Implementation: Support embedding Consumer Duty into governance, operations, and customer outcome monitoring
The FCA’s 2025 audit expectations reflect a regulator that has moved decisively from periodic compliance reviews to continuous, intensive supervision. Payment institutions embracing this reality—building dynamic compliance frameworks, investing in effective controls, maintaining genuine audit readiness, and leveraging specialist expertise where appropriate—position themselves for sustainable success in the UK’s evolving payments regulatory landscape.
Authoritative References
- FCA Handbook – Payment Services (PSR): https://www.handbook.fca.org.uk/handbook/PSR.pdf
- Payment Services Regulations 2017: https://www.legislation.gov.uk/uksi/2017/752/contents
- Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017: https://www.legislation.gov.uk/uksi/2017/692/contents
- Electronic Money Regulations 2011: https://www.legislation.gov.uk/uksi/2011/99/contents
- FCA Consumer Duty: https://www.fca.org.uk/firms/consumer-duty
- FCA Operational Resilience: https://www.fca.org.uk/publications/policy-statements/ps21-3-operational-resilience
- FCA Senior Managers and Certification Regime: https://www.fca.org.uk/firms/senior-managers-certification-regime
- Financial Services Register: https://register.fca.org.uk/
- HM Treasury Payment Services: https://www.gov.uk/government/collections/payment-services
- National Crime Agency – SARs: https://www.nationalcrimeagency.gov.uk/what-we-do/crime-threats/money-laundering-and-illicit-finance/suspicious-activity-reports