- Regulatory scrutiny of payments firms and activities is rising, unsurprisingly given our increasing reliance on digital payments.
- Operational resilience, dependence on outsourcing and unregulated third parties, financial resilience, and protection of customers’ assets are areas of immediate supervisory focus.
- Boards and senior management must ensure their firm has the resources, skills, governance and oversight arrangements to match the complexity, risks, and growth of the underlying business.
- Longer-term, we expect the regulatory perimeter to expand to capture additional firms and activities, and the regulatory requirements for non-bank payments providers to strengthen.
- To be well prepared, firms should assess whether and how the additional costs arising from these changes could affect the economics of their business models.
COVID-19 underlined the crucial role digital retail payments play in our society and modern economy. But as our collective reliance on digital payments grows, so does the need to ensure that payments providers remain operationally and financially resilient.
As the pandemic hit, cash usage declined and many individuals and companies switched to cashless and online payments virtually overnight. The sector's business, technological and regulatory innovations of the previous decade made this possible.
However, recent supervisory activity and headline corporate failures have also exposed weaknesses in some firms’ financial strength and ability to withstand operational disruption. They shed light on the complexity of the payments transaction chain, especially the growing numbers and types of firms and activities, many of them unregulated.
These developments also revealed the limitations in how the current regulatory framework identifies and addresses emerging risks. Now EU and UK authorities are making changes to strengthen how payments firms and activities are regulated and supervised. The objective is to balance support for competition and innovation with effective oversight of the new payment landscape and customer protection. Areas of focus will include the growing importance of non-bank payments providers, groups carrying out both regulated and unregulated activities, and outsourcing. 
This shift in the regulatory environment will happen in different stages. Many changes are happening now, others are just around the corner, and some will take longer to materialise. The effects of these changes will not be the same for all firms. But for many, they will have significant repercussions on their operating and business models and, in some cases, overall strategies. This is why boards and senior management of payments providers and payments technology firms need to understand these changes, assess their likely impact and take action accordingly now.
Here and now: strengthening financial and operational resilience, and protection of customers' money
Two trends stand out in the current payments landscape.
The first is the significant increase in the number of regulated non-bank payment service providers (PSPs) in the market. For example, in the UK, more than 1,100 non-bank PSPs have been authorised under PSD2 since it took effect in 2018.
The second trend is that while many individual firms are highly profitable, PSPs collectively only just break even. The FCA estimates that the profitability of the median non-bank PSP firm decreased from £387 to zero between February and August last year.
Confronted with a fast-growing but barely profitable industry, supervisors have already intensified their scrutiny of firms' prudential risk management and safeguarding of customers' assets.
In our experience, these are areas where PSPs often fall short of supervisory expectations. Firms, therefore, need to review their governance and risk control frameworks, identify any shortcomings and remediate them. Some common material issues include lack of appropriate safeguarding accounts, infrequent reconciliations, and incorrect calculations of own funds requirements. Smaller but fast-growing firms, in particular, should ensure their risk-management procedures and internal controls match their growing size and complexity.
PSPs will also have to assess their preparedness for the finalised UK regulatory approach to operational resilience in financial services. This will affect firms in two ways.
The first is a direct impact. PSPs will need to identify their most Important Business Services (IBS) - including any they outsource to third party providers - and their impact tolerances. Before 31 March 2022, firms will need to undertake scenario stress testing to determine whether the resilience of each IBS remains within the specified tolerances. Firms will have until 2025 to address any vulnerabilities, but they can expect supervisors to place significant pressure on them to move at pace.
The second impact is indirect and applies if a PSP provides part of another regulated firm’s IBS. In that case, it may also need to comply with the information requests, service levels, and impact tolerances that the firm expects of it. This is potentially challenging, especially if a PSP provides services to several different regulated entities and those entities have different information needs and service levels. PSPs need to make sure that they have the resources to respond to such requests, particularly if any are likely to require changes in the way they provide their services. These same considerations apply to unregulated firms providing technical services to regulated firms, if their services are categorised as IBS.
Just around the corner: probing firms' business models
Headlines, however, can be misleading. It would be wrong to characterise the payment ecosystem as a large collection of similar, small and scarcely viable firms. The reality is much more complex.
Today's payments sector comprises a wide variety of business and operating models. Let's take e-money institutions (EMIs) as an example. EMIs' business models are neither standard nor straightforward. Some are very big and often rely on a very complex web of agents and distributors. Some EMIs can be regulated businesses within much larger unregulated groups, operating across jurisdictions - e.g. GooglePay. Some other EMIs are growing rapidly and play an increasingly crucial role in the payment value chain - e.g. payments aggregators such as Stripe.
And as we see in other financial services areas, PSPs' reliance on outsourcing and third-party providers is also increasing. Examples of outsourced business services include identity verification, anti-money laundering checks, and - since most new entrants are cloud natives - cloud data storage and processing. In some cases, regulated entities complement their offering by acting as third-party providers themselves to other PSPs, e.g. by providing card payments processing.
Against this background, we expect supervisors to increase their scrutiny of firms' business and operating models. They will expect firms to be able to explain them clearly and in detail, including their inherent risks. Firms will have to demonstrate they have the skills, resources, and capabilities to ensure the firm's resilience and protect customers from harm - including as the business grows and increases in complexity. For any material outsourcing or third-party relationships, regulators are likely also to probe more deeply firms’ understanding and management of any concentration risk, as well as their business continuity and wind-down plans. If the firm, or the group it is part of, provides unregulated services, we expect supervisors to probe potential spill-over risks on their regulated business.
Looking further ahead: reinforcing the regulatory framework and expanding the regulatory perimeter
The digital payments landscape has grown and changed dramatically over the last decade, but so have the risks. Given society’s increasing reliance on digital payments, regulators and supervisors are acutely aware of the need to secure the sector's operational and financial resilience.
However, regulators find that their hands are tied by the boundaries of the current regulatory framework, limiting how far they can go. As a result, as part of their far-reaching reviews of the payments landscape, both the EU and UK will consider further legislative changes to empower regulators to address new risks posed by currently unregulated services and complex payments transaction chains.
- many currently unregulated firms will be brought within or much closer to the regulatory perimeter. This could include technology providers, such as firms providing technical solutions for e-merchants to accept payment (i.e. payments gateways), payments processors or pass-through digital wallets.
- in the wake of the Wirecard case, regulators will receive additional powers to strengthen their oversight of firms or groups that provide both regulated and unregulated activities.
- regulatory requirements for EMIs will increase proportionately with their growth and importance in the payments transaction chain.
The digital payments landscape is at a critical inflexion point. Opportunities abound, but so do the risks. The regulatory response to these risks is already emerging and will be significant. While the exact form of the upcoming changes is not yet known, it seems clear that they will increase the regulatory scrutiny many firms experience. Currently regulated activities will be subject to more intense supervision than they are today. Some activities and firms will be brought within the regulatory perimeter for the first time. This will result in some firms incurring greater costs, affecting the economics of their business models.
We also expect some regulators to use their existing powers to anticipate some of these changes. For example, regulators will seek to understand how regulated activities and firms link to unregulated activities within the firm or the wider group to which it belongs. They will expect regulated firms’ boards and senior management to identify any resulting vulnerabilities and take action to address them.
One thing is certain. To ensure the ongoing success and resilience of digital payments, neither regulators nor firms can rest on their laurels.
 These are firms authorised under the second Payment Services Directive (PSD2) or E-money regulations.
 Data downloaded from the FCA register on 11 April 2021, https://register.fca.org.uk/s/resources#Downloads
 Articulation of the maximum tolerable disruption of those services when faced with a 'severe but plausible' scenario.