Complyport – Your Trusted Partner in Governance, Risk, Compliance & Technology
https://complyport.com
Compliance Leadership

Learning from the Evolution of UK Financial Services Supervision
https://complyport.com/learning-from-the-evolution-of-uk-financial-services-supervision/?utm_source=rss&utm_medium=rss&utm_campaign=learning-from-the-evolution-of-uk-financial-services-supervision
Mon, 22 Jun 2026 10:03:56 +0000

Author: James Borley, Director of Payment Services

The UK’s supervisory evolution offers a number of practical and, in some respects, cautionary lessons for overseas regulators. While institutional structures will always reflect domestic legal and political contexts, the underlying shifts in supervisory philosophy are broadly transferable. In particular, the UK experience illustrates the importance of moving beyond static supervision toward dynamic, intervention-capable regulatory models. As such, it might be helpful to reflect on just how supervision in the UK has changed over the years. 

By any measure, the UK’s approach to financial services supervision has undergone profound transformation since the modern regulatory era began in 1988. What started as a largely rules-based, institutionally fragmented framework has evolved into a far more intrusive, judgement-led and outcomes-focused model. Having observed and, at times, participated in this evolution from both regulatory and advisory perspectives, one theme stands out: supervision in the UK has progressively shifted from checking compliance to assessing culture, governance, and risk in real time. 

This journey has been shaped by crises, political priorities, global regulatory developments and, perhaps most significantly, recognition of the limitations of supervision that is too reactive or overly reliant on firms’ self-assessments and attestations. 

A notable feature of this evolution, particularly in the past five years, is the subtle but important shift in language and practice, from traditional ‘supervision’ toward what might more accurately be characterised as ‘market intervention’. Indeed, the supervisory departments at the Financial Conduct Authority (FCA) are today named as ‘Market Interventions’. This reflects a regulator that is no longer content to observe and assess but is increasingly willing to shape outcomes proactively. 

The 1988 Baseline 

The Financial Services Act 1986, implemented in 1988 (and often referred to as ‘A-Day’), marked the first comprehensive attempt to regulate the UK’s financial services industry. It introduced a system built on Self-Regulating Organisations (SROs) overseen by the Securities and Investments Board (SIB). The philosophy was based on the expectation that markets, guided by detailed rulebooks and industry expertise, could regulate themselves effectively with limited central oversight. 

Supervision during this period was: 

  • Rules-based: Firms were assessed against prescriptive requirements rather than broader risk considerations; 
  • Fragmented: Different sectors (e.g. securities, insurance, banking) were overseen by different bodies; 
  • Reactive: Intervention generally followed breaches rather than anticipating them. 

The model reflected the prevailing belief in market discipline. However, it also created inconsistencies in supervisory approach, arbitrage opportunities, and a tendency for regulators to focus on technical compliance rather than underlying risks. 

My part on this journey began in 1995, as a ‘Monitoring Officer’ with the Personal Investment Authority (PIA), one of the aforementioned SROs. Monitoring (Supervision) of firms was based around a rudimentary risk framework: High Risk firms received an annual physical inspection, Medium Risk every two years, Low Risk every three years. Crucially though, all firms got a visit. 

1997–2007: FSA and Risk-Based Supervision 

The establishment of the Financial Services Authority (FSA) in 1997 represented a decisive shift toward consolidation. For the first time, the UK had a single, integrated regulator responsible for prudential and conduct supervision across financial sectors. 

The FSA introduced a more sophisticated risk-based approach, encapsulated in frameworks such as ARROW (Advanced Risk-Responsive Operating Framework). The intention was to allocate supervisory resources to firms and activities posing the greatest risk to the regulator’s objectives. 

This period saw the emergence of several important developments: 

  • Supervisory prioritisation based on impact and probability of risk; 
  • Greater emphasis on firms’ systems and controls; 
  • Introduction of principles-based regulation, moving away from purely prescriptive rules. 

The FSA’s Principles for Businesses signalled that firms were expected not only to comply with specific rules but to act in a way consistent with broader regulatory expectations. 

Yet, despite these innovations, supervision retained a relatively light-touch character. There was a degree of confidence, arguably overconfidence, in firms’ internal risk management capabilities and governance structures. 

Post-2008: The End of ‘Light Touch’ 

The global financial crisis of 2007–2008 exposed significant shortcomings in the UK’s supervisory model. Failures such as Northern Rock highlighted weaknesses in prudential oversight, risk assessment and regulatory intervention. 

The response was swift and fundamental. By 2013, the FSA had been dismantled and replaced with a “twin peaks” model: 

  • The Prudential Regulation Authority (PRA), focused on the safety and soundness of certain firms (e.g. banks, insurers); 
  • The Financial Conduct Authority (FCA), responsible for conduct of business and market integrity across all firms. 

This restructuring marked a philosophical reset in supervision. 

Key changes included: 

  1. Judgement-Based Supervision

Supervisors were encouraged to apply forward-looking judgement, rather than relying solely on firms’ data or historical performance, and to show a willingness to intervene early and decisively, even in the absence of clear rule breaches.

  2. Intensive Engagement

Supervision became more intrusive and continuous, especially for systemically important firms. Regulators expected access to senior management, board minutes and internal debates.

  3. Focus on Governance and Culture

Regulators recognised that many failures stemmed not from technical breaches but from poor decision-making, weak challenge and cultural deficiencies within firms. 

The Gloster Report: A Catalyst for Change 

While the post-crisis reforms were significant, the Gloster Report (2020), ostensibly reviewing the FCA’s handling of the collapse of London Capital & Finance (LCF), marked another turning point for supervision. 

The report identified not just failings in specific supervisory decisions, but deeper cultural and structural issues within the FCA, including: 

  • A tendency toward narrow, siloed supervision; 
  • Insufficient willingness to act decisively on emerging risks; 
  • Failure to connect information across teams to form a coherent risk picture. 

Perhaps most importantly, the Gloster Report challenged the FCA’s traditional conception of supervision itself. It highlighted the risks of a model that waits for clarity before acting, particularly in fast-moving or boundary issues where harm can crystallise quickly. 

The FCA’s response has been telling. It has signalled a move away from passive monitoring toward assertive, preventative engagement, even where regulatory perimeters are not entirely clear. This has been prevalent not just in the supervision of regulated firms but also at the ‘gateway’ with applications for authorisation subject to similarly increased scrutiny. 

The Senior Managers Regime: Accountability at the Core 

Perhaps the most significant supervisory innovation of the past decade has been the Senior Managers and Certification Regime (SM&CR), introduced initially for banks in 2016 and subsequently extended across most other financial services (not yet for payments firms). 

SM&CR fundamentally changed the supervisory dynamic: 

  • Individual accountability became explicit; 
  • Responsibilities had to be clearly mapped and documented; 
  • Firms were required to certify the fitness and propriety of key staff. 

Supervision increasingly moved beyond assessing firms as abstract entities to examining decisions, behaviours and accountability frameworks at an individual level. 

This has had a notable cultural impact. Senior managers are now acutely aware that regulatory scrutiny will focus on their personal actions (‘reasonable steps’) and oversight. 

Data, Technology and Real-Time Supervision 

Another recent defining shift has been the increasing role of data and technology in supervision. 

Regulators now leverage: 

  • Advanced data analytics to identify outliers and emerging risks; 
  • Regulatory reporting platforms enabling near real-time visibility; 
  • Supervisory technology to enhance monitoring efficiency. 

Supervision has consequently become more proactive and evidence-driven, with the ability to detect trends and intervene earlier. 

At the same time, firms face growing expectations to demonstrate robust data governance, particularly where regulatory reporting underpins supervisory decisions. Bizarrely perhaps, the FCA has felt it necessary to remind firms to take care when completing their RegData returns! 

Outcomes-Focused Regulation and Consumer Duty 

More recently, the FCA has sharpened its focus on outcomes, culminating in the introduction of the Consumer Duty in 2023. 

This represents a further evolution in supervision: 

  • Firms are judged on the fairness of customer outcomes, not just compliance processes; 
  • There is heightened scrutiny of product design, pricing and communications; 
  • Supervisors expect firms to evidence good outcomes through data and Management Information (MI). 

This shift reinforces a broader trend: supervision is no longer just about whether firms followed the rules, but whether they achieved the right results. To this end, “show your working out” can still serve as a practical defence. 

From Supervision to Market Interventions 

In the years following Gloster, there has been an observable shift from ‘supervision’ to ‘market intervention’: 

Earlier and More Decisive Action 

Regulators are increasingly willing to act before risks fully materialise, including: 

  • Imposing restrictions on firms at an earlier stage; 
  • Challenging business models that appear inherently unsustainable; 
  • Using skilled person reviews and other tools more proactively. 

Willingness to Operate at the Boundary 

The FCA in particular has become more comfortable acting in areas where the regulatory perimeter is blurred, especially where consumer harm is evident. 

Focus on Market-Wide Outcomes 

Rather than confining attention to individual firms, there is greater emphasis on sector-wide risks, pricing practices, and structural issues within markets.  

Conclusion 

Looking back over nearly four decades, UK financial services supervision has evolved from: 

  • Fragmented → Integrated → Differentiated (twin peaks) 
  • Rules-based → Principles-based → Judgement-led 
  • Reactive → Risk-based → Proactive and data-driven 

Crucially, supervision has moved beyond the narrow confines of simple rulebook compliance. It now encompasses culture, governance, accountability and outcomes, supported by increasingly sophisticated tools and a more active and assertive supervisory function. 

For overseas regulators, the central takeaway is not necessarily to replicate the UK model wholesale (although there are historic examples where this was indeed the case), but to recognise the underlying principle: effective supervision requires both the capability and the willingness to intervene early, decisively and proportionately. 

How Complyport Can Help 

As regulatory expectations continue to evolve across global financial markets, firms must ensure that their governance frameworks, accountability arrangements, risk management processes and regulatory reporting controls remain fit for purpose. 

Complyport supports financial services firms worldwide by helping them manage complex regulatory environments and strengthen their compliance frameworks. Our services include: 

  • Regulatory advisory support across multiple jurisdictions; 
  • Governance and risk management framework reviews; 
  • Senior management accountability and conduct assessments; 
  • Compliance monitoring and assurance programmes; 
  • Regulatory reporting reviews and remediation projects; 
  • Licensing, authorisation and registration support; 
  • Policy and procedure development and enhancement; 
  • Training and ongoing regulatory change management. 

Our subject matter experts work closely with firms to interpret regulatory expectations, identify compliance gaps and implement practical, proportionate solutions that support sustainable business growth. 

Contact Complyport 

If you would like to discuss any of the topics covered in this article or understand how evolving supervisory expectations may affect your organisation, please contact Complyport and arrange a meeting with one of our Subject Matter Experts. 

Ask ViCA, your Virtual Compliance Assistant. Claim your complimentary 20 queries today! Register here: https://vica.chat 

 

FSCS Protection for E-Money and Payment Institution Customers?
https://complyport.com/fscs-protection-for-e-money-and-payment-institution-customers/?utm_source=rss&utm_medium=rss&utm_campaign=fscs-protection-for-e-money-and-payment-institution-customers
Fri, 19 Jun 2026 10:00:12 +0000

Author: James Borley, Director of Payment Services

The UK’s payments sector has matured considerably since the introduction of regulation in 2009. What began as a niche segment of historic remittance firms, and challenger firms facilitating online transactions and wallets, has evolved into a critical component of the financial services ecosystem. Today, millions of consumers and businesses rely on Electronic Money Institutions (EMIs) and Payment Institutions (PIs) for day-to-day financial activities, from salary payments and foreign exchange to merchant acquiring, international remittances and holiday spending. 

Yet one notable distinction remains between payments firms and banks: customer funds held by EMIs and PIs do not benefit from protection under the Financial Services Compensation Scheme (FSCS). 

Instead, customers rely upon safeguarding. 

Historically, legislators have viewed safeguarding as an appropriate alternative to deposit protection. However, as payment firms increasingly perform functions that consumers perceive as ‘bank-like’, an important policy question emerges: if the Payment Services Regulations 2017 (PSRs) and Electronic Money Regulations 2011 (EMRs) are eventually absorbed into the Financial Services and Markets Act 2000 (FSMA) framework, as has been touted in recent times, should access to some form of compensation scheme follow? 

The answer is not straightforward. 

Why the Question Is Becoming More Relevant 

The distinction between banks and EMIs remains clear from a legal perspective. 

Banks take deposits and invest them and/or lend against them. EMIs issue electronic money and are required to safeguard customer funds. The regulatory frameworks were intentionally designed to reflect these differing risk profiles. 

However, from a customer’s perspective, the distinction is often less obvious. 

Consumers increasingly receive salaries into EMI accounts, maintain significant balances in digital wallets, and use payment accounts as their primary financial relationship. Many customers assume that funds held with a regulated financial institution enjoy the same protection regardless of the underlying authorisation category. 

The Financial Conduct Authority (FCA) has long sought to address this through disclosure requirements (necessitating a targeted ‘Dear CEO’ letter to EMIs in 2021), but disclosure alone may not fully bridge the gap between legal reality and consumer expectation. 

As the UK continues its post-Brexit redesign of financial services legislation, the prospect of bringing the PSRs and EMRs more fully within the FSMA architecture inevitably raises questions regarding the future of customer protection. 

The Case for Extending FSCS Protection 

The most obvious argument is consumer confidence and understanding. 

Deposit protection schemes (which is, at its core, what the FSCS is) exist not merely to compensate consumers after failures, but to promote trust in the financial system. Consumers are generally unconcerned with the technical distinctions between deposits, electronic money and safeguarded funds. They are concerned with whether they can access their money when they need it.

While safeguarding is designed to protect customer funds in the event of a firm’s insolvency, it is not exactly equivalent to FSCS protection. 

The insolvency of several payment firms in recent years has demonstrated that even where safeguarding arrangements ultimately prove effective, customers may experience prolonged delays in accessing their funds. In some cases, the costs of the insolvency process itself have reduced the amount available for distribution. 

An FSCS-backed regime, or similar, could potentially provide greater certainty and faster customer outcomes. 

It might also remove a competitive distortion whereby firms offering functionally similar services operate under significantly different customer protection regimes and, consequently, different levels of customer understanding. 

The Counterargument: Solving the Wrong Problem 

Equally compelling arguments exist on the other side. 

The fundamental purpose of safeguarding is different from deposit insurance. 

Safeguarding is intended to prevent all customer funds from becoming part of the firm’s insolvency estate in the first place. If safeguarding functions correctly, customers should receive their funds back in their entirety, without requiring potentially capped compensation from an external scheme. 

In theory, therefore, extending FSCS protection to EMIs risks addressing symptoms rather than causes. 

If regulatory concern centres on delays in returning customer funds following insolvency, policymakers may be better served by strengthening safeguarding requirements, improving resolution planning, and enhancing insolvency procedures rather than introducing a compensation mechanism designed for an entirely different business model. This has been the thrust of the FCA’s recent changes to the safeguarding regime, as set out in PS25/12. 

There is also a moral hazard consideration. 

Deposit guarantee schemes inevitably weaken the incentive for consumers to assess the financial soundness of providers. While this may be acceptable in the banking sector, policymakers may question whether similar protections should be extended to firms that do not undertake deposit-taking activities. 

If FSCS Protection Were Extended, At What Level? 

Another interesting policy question concerns coverage levels. 

The current FSCS deposit protection limit of £120,000 reflects the needs of bank customers, many of whom maintain substantial savings balances. 

EMI customers typically behave differently. Most electronic money products are designed primarily as transactional accounts rather than savings vehicles, and often as secondary to a primary ‘current account’ held with a bank. Average balances held by EMI customers are often significantly lower than those seen in traditional banking relationships. Would applying the full banking limit to EMIs represent proportionate regulation? 

A strong argument exists that it would not. If the objective is consumer protection, policymakers should first examine actual customer behaviour rather than simply importing banking rules into the payments sector. 

A compensation limit of £10,000, £20,000 or £30,000 may provide meaningful protection for the overwhelming majority of EMI customers while significantly reducing the funding burden imposed upon the industry. 

Indeed, a lower compensation threshold may align more closely with the operational purpose of many payment products, as noted above. 

The challenge, of course, lies in identifying that appropriate level. Too low, and consumers may remain exposed to material losses. Too high, and firms may face disproportionate funding obligations relative to the underlying risks. 

The Funding Question 

No discussion of FSCS protection can avoid the issue of cost. Ultimately, compensation schemes are funded by industry participants, with different sectors having strong views about the ‘appropriateness’ of their contribution.  

Extending FSCS coverage to hundreds of payment firms would require difficult decisions regarding: 

  • Levy allocation; 
  • Risk weighting; 
  • Cross-subsidisation between sectors; 
  • Prudential treatment; and 
  • Ongoing supervisory expectations. 

Many smaller fintechs already operate within tight margins, especially at the start-up/scale-up stage. A significant increase in regulatory levies could create further barriers to entry (payments firms already cite low FCA Authorisation approval rates) and undermine competition, the very objective that much of the UK’s payments framework was originally designed to encourage. 

There is also the perpetual question of fairness. Should banks effectively subsidise compensation for payment firms (as they largely do for other sectors)? Or should the payments sector fund its own protection mechanism? 

The latter may be more politically and economically sustainable. 

A Bespoke Compensation Scheme? 

Rather than extending traditional FSCS protection wholesale, HM Treasury may wish to consider a bespoke protection regime tailored specifically to payments firms, as part of its work to update the PSRs and EMRs. 

Such a scheme could reflect the unique characteristics of safeguarded funds. 

For example, protection might: 

  • Apply only where safeguarding arrangements have failed; 
  • Cover insolvency-related shortfalls rather than all losses; 
  • Operate with lower compensation limits; 
  • Be funded exclusively by payment and e-money firms; and 
  • Sit alongside, rather than replace, existing safeguarding requirements. 

This would preserve the core safeguarding model while addressing public policy concerns regarding customer outcomes following firm failures. 

Importantly, it would also acknowledge that EMI customers face different risks from bank depositors. 

Regulation should reflect those differences rather than assuming that identical outcomes require identical frameworks. 

Could Enhanced Safeguarding Be the Better Solution? 

There is a further possibility. 

Rather than creating any compensation scheme at all, regulators could continue strengthening safeguarding requirements. Indeed, this has been signposted in PS25/12, with the ‘interim rules’ introduced on 7 May 2026 hoping to move the dial in terms of both firm behaviour and customer outcomes. But should that not be the case, the FCA may look to go further with ‘end-state rules’. 

As has been well-publicised, recent years have seen increasing supervisory attention focused on safeguarding audits, reconciliation processes, insolvency planning, and customer fund protection. One can expect a future framework incorporating: 

  • Mandatory resolution planning for larger EMIs; 
  • Pre-positioned insolvency arrangements; 
  • Faster payout mechanisms; 
  • Enhanced capital requirements linked to safeguarding risks; and 
  • Greater regulatory intervention powers where safeguarding weaknesses emerge. 

Such measures may achieve many of the benefits associated with compensation schemes without introducing the complexity and cost of an entirely new levy-funded regime. 

Conclusion 

The debate regarding FSCS protection for payment firms is ultimately a debate about legislative frameworks as well as regulatory maturity. 

When safeguarding requirements were originally conceived, EMIs did not yet exist; once established, they went on to occupy a relatively narrow corner of the financial services market. Today, many have become integral to the everyday financial lives of consumers and businesses.

As the UK continues to modernise its payments framework and consider the long-term integration of payments regulation into FSMA, HM Treasury (in consultation with the FCA) will need to consider whether safeguarding alone will remain sufficient. 

There is a credible case for introducing some form of compensation protection. Equally, there is a credible case for preserving the existing safeguarding model while strengthening its effectiveness. 

If reform beyond PS25/12 does occur, however, policymakers should resist the temptation simply to import the banking framework wholesale. The risks, business models and customer behaviours associated with payment firms are fundamentally different from those of deposit-taking institutions. 

The most effective solution may therefore be neither traditional FSCS protection nor the status quo, but a bespoke customer protection regime designed specifically for the realities and quirks of the modern payments sector. 

How Complyport Can Help 

Complyport supports EMIs, Payment Institutions and fintech firms in managing evolving FCA requirements and strengthening their regulatory frameworks. Our specialist services include: 

  • FCA authorisation and regulatory applications;  
  • Safeguarding framework reviews and gap analyses;  
  • Governance and SM&CR support;  
  • Prudential risk management and wind-down planning;  
  • Consumer Duty implementation and oversight;  
  • Regulatory reporting and compliance monitoring; and  
  • Ongoing compliance advisory and outsourced compliance services.  

If you would like to discuss your firm’s safeguarding arrangements or broader regulatory obligations, contact Complyport and book a meeting with one of our Subject Matter Experts. 

Ask ViCA, your Virtual Compliance Assistant. Claim your complimentary 20 queries today! Register here: https://vica.chat 

 

Cryptoassets and Operational Resilience Expectations
https://complyport.com/cryptoassets-and-operational-resilience-expectations/?utm_source=rss&utm_medium=rss&utm_campaign=cryptoassets-and-operational-resilience-expectations
Thu, 18 Jun 2026 10:00:26 +0000

Author: James Borley, Director of Payment Services

In our last article, we highlighted the increased prioritisation by the Financial Conduct Authority (FCA) of payments firms’ operational resilience arrangements. An additional area that payments firms should now consider carefully is the interaction between operational resilience obligations and the forthcoming UK cryptoasset regulatory regime under the Financial Services and Markets Act 2000 (FSMA).

The UK government and FCA are progressing towards a comprehensive authorisation framework for cryptoasset activities under the FSMA, with the new regime expected to commence in October 2027. Firms carrying on in-scope cryptoasset activities, including custody, exchange, dealing, arranging and stablecoin-related services, will require FCA authorisation under a substantially expanded regulatory perimeter.  

For many existing payments firms and Electronic Money Institutions (EMIs), particularly those involved in digital asset payments, stablecoin settlement infrastructure, embedded wallets or crypto-fiat conversion services, the operational resilience implications are likely to be significant. 

The FCA has already indicated that cryptoasset firms entering the FSMA perimeter will become subject to broader conduct, governance and prudential expectations comparable to those applying across traditional financial services sectors. 

Operational resilience is therefore expected to become a key component of cryptoasset authorisation assessments, particularly where firms rely on: 

  • distributed ledger infrastructure; 
  • third-party wallet or custody technology; 
  • outsourced blockchain analytics providers; 
  • cloud-native operating models; 
  • algorithmic transaction monitoring; 
  • cross-border liquidity providers; or 
  • stablecoin settlement mechanisms. 

From an Authorisations perspective, the FCA has been explicit in stating that it will focus heavily on whether firms, once authorised for cryptoasset activities, can continue delivering critical services during periods of technological disruption, cyber incidents, blockchain congestion, smart contract failures or third-party outages. 

This is particularly relevant given the increasing convergence between traditional payments infrastructure and cryptoasset-related services. A growing number of FCA-authorised payments firms are either exploring stablecoin use cases directly or integrating digital asset functionality into broader payment ecosystems. 

Consequently, firms seeking cryptoasset permission under FSMA should avoid treating operational resilience as a standalone compliance workstream. Instead, resilience considerations should be integrated early into product design, outsourcing frameworks, custody arrangements and governance structures. 

Importantly, firms transitioning from the current Money Laundering Regulations registration regime into full FSMA authorisation may underestimate the extent to which the FCA will scrutinise operational controls, governance maturity and resilience capabilities as part of the authorisation process. As part of the Authorisations assessment, firms must clearly describe and explain their operational resilience arrangements in detail. When I say clearly, I mean exactly that; if the FCA cannot understand it, they will assume that neither does your Board. That then threatens to undermine the whole application. 

As with Consumer Duty, the FCA expects operational resilience to cut across all aspects of a firm’s application for Part 4A permission. Rather than running through it like a stick of rock though, perhaps it’s more of a marble cake effect?

How Complyport Can Help 

As the UK cryptoasset regulatory framework continues to develop, firms should begin assessing whether their governance, operational resilience and control frameworks are capable of meeting FCA expectations under the future FSMA regime. 

Complyport supports firms at every stage of this process, including: 

  • Conducting operational resilience gap analyses against FCA expectations and industry good practice; 
  • Assisting with cryptoasset and payments firm FCA authorisation applications and regulatory business plans; 
  • Reviewing governance frameworks, Board oversight arrangements and Senior Management accountability structures; 
  • Supporting the identification and mapping of important business services and critical operational dependencies; 
  • Reviewing incident management, business continuity and disaster recovery arrangements; 
  • Performing compliance monitoring reviews and independent assessments of operational resilience programmes; and 
  • Providing regulatory compliance support for firms transitioning from Money Laundering Regulations registration to full FSMA authorisation. 

Contact Complyport today to book a meeting with one of our Subject Matter Experts and discuss how we can support your regulatory journey. 

Ask ViCA, your Virtual Compliance Assistant. Claim your complimentary 20 queries today! Register here: https://vica.chat 

 

Dormant Accounts: A Different Approach for Electronic Money
https://complyport.com/dormant-accounts-a-different-approach-for-electronic-money/?utm_source=rss&utm_medium=rss&utm_campaign=dormant-accounts-a-different-approach-for-electronic-money
Wed, 17 Jun 2026 09:31:20 +0000

Author: James Borley, Director of Payment Services

Dormant accounts are a familiar feature of the financial services landscape. Whether arising from forgotten savings accounts, unused payment cards, or e-wallets abandoned after a single transaction, firms inevitably encounter customer funds that remain untouched for extended periods. 

However, while banks and Electronic Money Institutions (EMIs) may face similar operational challenges in managing dormant customer relationships, the regulatory treatment of dormant balances differs significantly. These differences become particularly important when considering customer protection, safeguarding requirements, and the treatment of funds in the event of insolvency. 

For compliance officers, safeguarding specialists, and senior management within payment firms, understanding these distinctions is essential. 

The Banking Position 

Traditional banks accept deposits under a banking licence (Part 4A permission granted under the Financial Services and Markets Act 2000 (FSMA)) and hold customer money as liabilities on their balance sheets. 

When a customer account becomes dormant, ownership of the funds does not change. The bank continues to owe the money to the customer, regardless of the period of inactivity. In many jurisdictions, banks are permitted to transfer long-dormant balances into central reclaim funds or unclaimed asset schemes, provided customers retain a perpetual right to reclaim their money. 

In the United Kingdom, customers of authorised banks benefit from protection under the Financial Services Compensation Scheme (FSCS). Eligible deposits are protected up to £120,000 should the bank fail. 

Consequently, although dormant accounts may present operational and conduct risks, the underlying customer protection framework remains relatively straightforward: customer funds form part of the bank’s balance sheet and are protected by the FSCS. 

The EMI Model is Fundamentally Different 

EMIs operate under an entirely different regulatory regime, the Electronic Money Regulations 2011 (‘EMRs’). 

Unlike banks, EMIs are explicitly prohibited from taking deposits. Instead, they issue electronic money in exchange for funds received from customers. The customer’s claim is therefore not a deposit claim against a bank but a redemption claim against the EMI. 

This distinction has profound implications. 

Because EMIs do not operate under the banking model, customer funds are not protected by the FSCS. Instead, customer protection is achieved through safeguarding requirements imposed under the EMRs and associated FCA rules and guidance, notably CASS 15. 

In practice, customer funds received in exchange for electronic money must, upon receipt, be segregated from the firm’s own money and protected through prescribed safeguarding arrangements. 

The regulatory objective is clear: if the EMI fails, all safeguarded funds should be available for return to customers rather than being distributed amongst the firm’s general creditors.  

Can an EMI Close Dormant Accounts? 

The answer depends largely on the firm’s contractual arrangements and applicable legal requirements. 

Most EMIs include inactivity provisions within their customer terms and conditions. These may permit the charging of dormancy fees after a specified period or, in some cases, account closure following reasonable attempts to contact the customer. 

However, a crucial distinction must be remembered: account closure does not extinguish the customer’s entitlement to their funds. 

Where electronic money remains redeemable, firms must continue to maintain appropriate records demonstrating customer entitlements and ensuring that any residual balances remain protected. 

The Financial Conduct Authority (FCA), as regulator of the EMI population, is generally concerned with ensuring that firms can demonstrate: 

  • Accurate reconciliation of dormant balances; 
  • Effective record keeping; 
  • Appropriate customer communication efforts; 
  • Continued safeguarding of outstanding customer funds; and 
  • Fair treatment of customers seeking redemption after prolonged inactivity. 

Dormancy should therefore be viewed primarily as an operational and governance issue rather than a mechanism through which customer funds can be absorbed by the firm. 

Safeguarding Challenges Created by Dormant Accounts 

Dormant accounts frequently create practical safeguarding challenges. 

Over time, firms may accumulate thousands of low-value dormant balances. While individually immaterial, collectively they can represent a significant safeguarding obligation. 

Compliance and finance teams must ensure that: 

  • Dormant balances continue to be included within safeguarding calculations; 
  • Reconciliations accurately capture inactive customers; 
  • Customer records remain accessible; 
  • Data retention obligations are met; and 
  • Policies exist for managing long-outstanding balances. 

Weak governance in this area can lead to safeguarding shortfalls, inaccurate reconciliations, and regulatory findings. 

Indeed, regulatory reviews of payment firms have repeatedly identified safeguarding governance as a key area of supervisory concern, with firms sometimes failing to adequately account for historic customer balances. 

What Happens if an EMI Becomes Insolvent? 

This is where the distinction between banks and EMIs becomes most apparent. 

If a bank fails, eligible depositors typically look to the FSCS for compensation. 

If an EMI fails, customers instead rely upon the effectiveness of the safeguarding arrangements. 

The intention of safeguarding is that relevant customer funds are separated from the firm’s own assets and therefore excluded from the general insolvency estate. An insolvency practitioner should identify safeguarded funds and distribute them to customers in accordance with their respective entitlements. 

However, unlike deposit guarantee schemes, safeguarding is not an insurance mechanism. 

If safeguarding arrangements have been poorly implemented, records are incomplete, reconciliations are inaccurate, or there is a shortfall in safeguarded funds, customers may face delays and potentially losses during the insolvency process. 

Recent insolvencies within the payments sector have highlighted the importance of robust safeguarding governance, accurate books and records, and effective reconciliation processes. The FCA is increasingly focused on ensuring that firms can facilitate a prompt return of customer funds in a stress or failure scenario, hence the introduction of wide-ranging safeguarding reforms in May 2026. 

The Problem of Dormant Customers During Insolvency 

Dormant accounts introduce additional complexity during insolvency proceedings. 

Where customers have not engaged with the firm for many years, insolvency practitioners may encounter difficulties in: 

  • Locating customers; 
  • Verifying customer identities; 
  • Confirming entitlement records; and 
  • Returning safeguarded funds efficiently. 

Consequently, firms should not assume that dormant accounts represent a negligible compliance issue. Poor record keeping may significantly increase the operational burden and cost of a future insolvency process. 

From a regulatory perspective, firms should be able to demonstrate that dormant customer records remain sufficiently complete to facilitate the eventual return of funds, regardless of the period of inactivity. 

Governance Expectations for EMIs 

Senior management should ensure that dormant account management forms part of the firm’s wider safeguarding framework. 

A robust approach typically includes: 

  • A documented dormant account policy; 
  • Periodic reviews of inactive balances; 
  • Defined customer communication procedures; 
  • Clear treatment of dormancy fees where applicable; 
  • Ongoing safeguarding and reconciliation controls; and 
  • Board-level oversight of safeguarding risks. 

As the FCA continues to scrutinise safeguarding arrangements across the payments sector, dormant balances should not be viewed merely as an operational nuisance. They represent ongoing customer liabilities that remain subject to safeguarding requirements and regulatory expectations. 

Conclusion 

Although dormant accounts exist in both banking and electronic money sectors, the regulatory treatment differs fundamentally. 

Banks protect dormant customer funds through the deposit-taking framework and, where applicable, FSCS. EMIs, by contrast, rely on safeguarding arrangements designed to preserve customer funds outside the firm’s own estate. 

The practical consequence is that dormant balances within an EMI remain a live regulatory obligation long after customer activity has ceased. Firms must continue to safeguard those funds, maintain accurate records, and ensure that customers retain the ability to redeem their money. Inactivity does not diminish regulatory responsibility. Dormant accounts remain customer funds, and customer funds remain subject to safeguarding until they are returned to their rightful owner. 

We await revisions to the EMRs, likely folding the current legislation into FSMA, and hope that this provides an opportunity to set out clear parameters of how EMIs might treat dormant accounts in the future. 

How Complyport Can Help 

Dormant balances can present complex operational, safeguarding and governance challenges for payment and electronic money firms. 

Complyport assists firms with: 

  • Safeguarding framework reviews; 
  • CASS 15 implementation and gap analysis; 
  • Governance and Board effectiveness assessments; 
  • Regulatory compliance reviews; 
  • EMI and payment institution advisory support; and 
  • Preparation for FCA supervisory engagement. 

If you would like to discuss your safeguarding framework or dormant account processes, contact Complyport to arrange a meeting with one of our Subject Matter Experts. 

Prudential Requirements for Cryptoasset Firms Under the UK’s New FSMA Regime
https://complyport.com/prudential-requirements-for-cryptoasset-firms-under-the-uks-new-fsma-regime/?utm_source=rss&utm_medium=rss&utm_campaign=prudential-requirements-for-cryptoasset-firms-under-the-uks-new-fsma-regime
Mon, 15 Jun 2026 10:00:31 +0000

Author: James Borley, Director of Payment Services

For firms seeking cryptoasset authorisation under the Financial Services and Markets Act 2000 (FSMA), the transition from the current anti-money laundering registration regime to full prudential regulation will require substantially higher standards of governance, financial resilience and operational capability. 

While much of the public focus surrounding crypto regulation has perhaps centred on financial promotions and consumer protection, the FCA’s developing framework makes clear that prudential supervision will become a central component of the UK regime. 

For many cryptoasset businesses, particularly early-stage firms and fintech-led operators, this is likely to represent the most commercially significant aspect of authorisation. 

From MLR Registration to FSMA Authorisation 

Currently, cryptoasset firms in the UK operate under registration requirements contained within the Money Laundering Regulations (MLRs). However, the new FSMA framework will bring a broad range of cryptoasset activities formally within the perimeter, including activities such as: 

  • operating cryptoasset trading platforms; 
  • custody and safeguarding; 
  • dealing and arranging activities; 
  • stablecoin-related services; and 
  • certain staking activities. 

As we have previously reported, the FCA has confirmed that firms will be able to apply for authorisation ahead of the regime becoming fully operational in 2027. 

Importantly, firms should not underestimate the difference between MLR registration and full FSMA authorisation. The FCA has repeatedly highlighted that the new regime will involve significantly broader scrutiny of firms’ prudential resources, governance arrangements, systems and controls and operational resilience capabilities. 

In practice, many firms currently operating under relatively lean compliance structures may require extensive remediation before they are capable of meeting FSMA standards. 

The FCA’s Prudential Focus 

The FCA’s proposed prudential framework is designed to ensure that cryptoasset firms maintain sufficient financial and operational resources to conduct business safely and minimise harm to consumers and markets. 

The FCA’s approach is increasingly focused on ensuring that firms can: 

  • absorb financial losses; 
  • maintain adequate liquidity; 
  • continue operating during periods of stress; 
  • safeguard client assets appropriately; and 
  • wind down in an orderly manner if necessary. 

This reflects a wider regulatory concern arising from previous crypto market failures, where weak governance, insufficient capital and inadequate operational controls contributed to significant consumer losses and disorderly collapses. 

Capital Requirements and K-Factors 

One of the most significant aspects of the FCA’s proposed prudential framework is the introduction of minimum capital and own funds requirements broadly aligned to prudential methodologies already familiar under the UK Investment Firms Prudential Regime (IFPR). 

Historically, many cryptoasset firms registered under the MLRs have operated without formal regulatory capital obligations beyond maintaining sufficient working capital to support business operations. Under the new FSMA regime, this position is expected to change materially. 

The FCA has indicated that cryptoasset firms will likely become subject to a combination of: 

  • permanent minimum capital requirements; 
  • Fixed Overhead Requirements (“FOR”); and 
  • risk-sensitive capital methodologies linked to the nature, scale and complexity of regulated activities. 

Importantly, the prudential framework is expected to incorporate concepts similar to the ‘K-factor’ methodology used under IFPR for MiFID investment firms. 

Under the IFPR model, K-factors are designed to measure potential harm posed by firms to customers, markets and the firm itself. The FCA’s cryptoasset proposals suggest a comparable approach may be adopted to ensure prudential requirements are proportionate to the operational and financial risks generated by cryptoasset business models. 

Although the final calibration remains under consultation, relevant prudential metrics for cryptoasset firms may include factors linked to: 

  • assets safeguarded or administered; 
  • customer transaction volumes; 
  • trading activity; 
  • client money exposures; 
  • custody operations; and 
  • operational concentration risks. 

For firms engaged in custody or safeguarding activities, prudential expectations are likely to be particularly stringent given the FCA’s continued focus on consumer protection and asset security. 

The introduction of K-factor style requirements would represent a significant shift for many crypto businesses, particularly firms that have historically operated with relatively asset-light structures or highly volatile revenue models. 

In practice, firms should expect the FCA to assess not only whether minimum capital thresholds are met at a point in time, but whether financial resources remain sufficient under stressed operational and market conditions. 

This is especially relevant given the FCA’s increasing focus on wind-down preparedness, operational resilience and the potential systemic impact of large-scale cryptoasset service providers. 

Accordingly, firms preparing for FSMA authorisation should already be assessing: 

  • the quality and permanence of capital resources; 
  • liquidity management arrangements; 
  • capital forecasting methodologies; 
  • stress testing capabilities; and 
  • governance oversight of prudential risk. 

For many firms, prudential planning is likely to become one of the most commercially significant components of the authorisation process. 

Wind-Down Planning 

A major feature of the proposed regime is the emphasis on wind-down preparedness. 

The FCA has repeatedly highlighted concerns regarding disorderly failures of cryptoasset firms (and other firm types!) and the risks these create for consumers, counterparties and market confidence. As a result, firms seeking authorisation are expected to maintain credible wind-down plans capable of demonstrating how regulated activities could cease in an orderly manner. 

This is likely to require firms to consider: 

  • liquidity forecasting; 
  • customer communication arrangements; 
  • safeguarding continuity; 
  • operational dependencies; 
  • outsourcing arrangements; and 
  • governance escalation procedures. 

For custody and safeguarding firms, the FCA is likely to focus particularly closely on how customer assets would remain protected during stressed conditions or insolvency events. 

Governance and SM&CR Expectations 

The FCA’s cryptoasset regime also reflects a clear expectation that firms adopt governance standards comparable to those operating elsewhere within regulated financial services. 

This includes increasing alignment with the Senior Managers and Certification Regime (SM&CR), governance oversight requirements and broader FCA systems and controls expectations. 

In practice, firms should expect supervisory scrutiny covering: 

  • board composition and expertise; 
  • risk management arrangements; 
  • financial crime controls; 
  • conflicts management; 
  • internal reporting structures; 
  • outsourcing oversight; and 
  • compliance monitoring frameworks. 

For many entrepreneurial crypto firms, this may require significant changes to existing operating models. 

The FCA has consistently emphasised that innovative technology does not reduce the need for effective governance disciplines. Firms seeking authorisation should therefore expect increasing regulatory focus on senior management accountability and governance maturity. 

Operational Resilience and Technology Risk 

Operational resilience is also expected to become a major prudential consideration under the new regime. Cryptoasset firms often rely heavily on complex technology infrastructure, including cloud hosting, distributed ledger systems, APIs, smart contracts and third-party custody providers. 

These arrangements create significant operational and concentration risks which regulators increasingly expect firms to identify and manage appropriately. 

The FCA’s wider operational resilience framework already applies across much of the financial services sector and is likely to influence supervisory expectations for cryptoasset firms operating under FSMA. We have provided comment on FCA expectations in our recent articles. 

Importantly, the FCA increasingly views financial resilience and operational resilience as interconnected supervisory outcomes rather than separate compliance disciplines. 

Safeguarding and Client Asset Protection 

The safeguarding of customer cryptoassets will undoubtedly be another of the FCA’s principal areas of concern. 

The proposed framework is expected to introduce enhanced requirements for firms carrying out custody and safeguarding activities, including obligations relating to segregation, reconciliation, governance and operational controls. 

The FCA is likely to focus heavily on: 

  • wallet governance; 
  • private key management; 
  • outsourcing oversight; 
  • record-keeping; 
  • reconciliation procedures; and 
  • customer disclosure arrangements. 

The FCA is also expected to assess whether firms can maintain safeguarding arrangements effectively during operational disruption or stressed market conditions. 

Conclusion 

The FCA is clearly moving towards a regime in which cryptoasset firms are expected to meet standards broadly comparable to those applying across mainstream financial services sectors (“Crypto goes mainstream” anyone?). Prudential supervision will therefore extend far beyond current financial crime compliance and financial promotions oversight. 

For firms seeking authorisation under FSMA, preparation should begin well in advance of the implementation timetable. Many businesses are likely to require significant enhancement of governance arrangements, financial resources, operational resilience frameworks and safeguarding controls before they are capable of meeting FCA expectations. 

How Complyport Can Help 

Complyport supports firms preparing for the UK’s evolving cryptoasset regulatory framework and the enhanced prudential expectations that will accompany FSMA authorisation. 

Our services include: 

  • Prudential risk assessments and gap analyses. 
  • Capital adequacy and own funds framework reviews. 
  • Wind-down planning and stress-testing support. 
  • SM&CR implementation and accountability mapping. 
  • Operational resilience framework design and testing. 
  • Outsourcing and third-party risk management reviews. 
  • Safeguarding and custody control assessments. 
  • FCA authorisation application support. 
  • Ongoing compliance advisory and outsourced compliance services. 

To discuss how your firm can prepare for the prudential requirements of the future UK cryptoasset regime, contact Complyport and book a meeting with one of our Subject Matter Experts today. 

SM&CR and the UK Cryptoasset Regime: What Authorised Firms Should Expect
https://complyport.com/smcr-and-the-uk-cryptoasset-regime-what-authorised-firms-should-expect/?utm_source=rss&utm_medium=rss&utm_campaign=smcr-and-the-uk-cryptoasset-regime-what-authorised-firms-should-expect
Thu, 11 Jun 2026 10:00:10 +0000

Author: James Borley, Director of Payment Services

The UK’s forthcoming cryptoasset regime under the Financial Services and Markets Act 2000 (FSMA) will fundamentally reshape the regulatory expectations applying to firms operating within the digital assets sector. While much of the public attention has focused on financial promotions, prudential regulation and stablecoins, one of the most significant developments for firms seeking FCA authorisation is likely to be the application of the Senior Managers and Certification Regime (SM&CR). 

For many cryptoasset firms currently registered and operating under the Money Laundering Regulations (MLRs) framework, SM&CR will represent a substantial governance and accountability shift. Founder-led structures, informal decision-making processes and rapidly evolving operational models are likely to face increased regulatory scrutiny as firms transition into fully authorised FSMA entities. 

The FCA’s direction of travel is increasingly clear: cryptoasset firms authorised under FSMA will be expected to operate with governance standards broadly comparable to those applying across mainstream financial services sectors. 

What is SM&CR? 

Introduced across the UK financial services sector following the 2008 financial crisis, SM&CR was designed to strengthen individual accountability and improve governance standards within regulated firms. 

The regime operates through three core components: 

  • the Senior Managers Regime; 
  • the Certification Regime; and 
  • the Conduct Rules. 

At its core, SM&CR seeks to ensure that firms allocate clear responsibility for key business functions and that senior individuals can be held accountable where regulatory failures occur. 

The FCA has consistently emphasised that firms should not treat SM&CR as a purely administrative exercise. Instead, it increasingly views the regime as a central mechanism for embedding governance, operational discipline and cultural accountability. 

For cryptoasset firms, this may require substantial changes to existing management structures and reporting arrangements. 

Senior Management Functions  

Under SM&CR, certain senior roles require FCA approval before individuals can perform them. These controlled functions are referred to as Senior Management Functions (SMFs). 

While the final application of SMFs to cryptoasset firms remains subject to consultation and policy development, firms seeking authorisation should expect the FCA to require several core functions typically seen across other FSMA-regulated businesses. 

Common SMFs likely to apply include: 

SMF1 – Chief Executive 

The Chief Executive function will typically hold overall responsibility for managing the firm’s business and implementing strategy. 

For many founder-led crypto firms, this individual is likely to become one of the primary points of regulatory accountability. The FCA is expected to assess not only technical expertise but also governance capability, regulatory understanding and oversight competence. 

SMF3 – Executive Director 

Executive directors involved in running regulated business activities may also require FCA approval. 

This is particularly relevant for firms where multiple founders or senior executives exercise material influence over strategy, operations or product development. 

SMF16 – Compliance Oversight 

The Compliance Oversight function is expected to become particularly significant for cryptoasset firms transitioning into FSMA regulation. 

The FCA is likely to expect firms to appoint appropriately experienced compliance officers capable of overseeing: 

  • financial promotions compliance; 
  • Consumer Duty obligations; 
  • market abuse controls; 
  • prudential requirements; 
  • operational resilience; and 
  • financial crime frameworks. 

Many crypto firms may face challenges recruiting individuals with sufficient experience across both digital assets and mainstream UK regulatory frameworks. 

SMF17 – Money Laundering Reporting Officer (MLRO) 

The MLRO function already exists for firms operating under the MLRs. However, under FSMA authorisation, the FCA is likely to apply heightened expectations regarding the seniority, independence and effectiveness of MLRO oversight. 

Given the FCA’s continued concerns regarding financial crime risks within crypto markets, the MLRO role is expected to remain a key area of authorisation and supervisory focus. 

SMF24 – Chief Operations Function 

For firms with complex operational infrastructure, including custody arrangements, trading systems or outsourced technology dependencies, the FCA may expect dedicated operational oversight through an approved senior manager where appropriate. 

This is particularly relevant given the increasing regulatory focus on operational resilience and third-party risk management. 

Other Potential SMFs 

Depending on a firm’s size, complexity and business model, additional SMFs may apply, including: 

  • SMF2 – Chief Finance Function; 
  • SMF4 – Chief Risk Function; 
  • SMF9 – Chair; and 
  • SMF27 – Partner Function. 

The FCA’s expectations are likely to increase significantly for larger firms, trading platforms or businesses safeguarding substantial customer assets. 

Statements of Responsibilities and the Management Responsibilities Map 

A central component of SM&CR is the requirement for firms to allocate prescribed responsibilities clearly across senior management.  

Each approved senior manager must maintain a Statement of Responsibilities (SoR) setting out their specific regulatory accountabilities. 

Larger firms may also be required to maintain a Management Responsibilities Map (MRM) documenting governance structures and reporting lines. 

For crypto firms accustomed to relatively informal governance arrangements, this may require substantial operational change. 

The FCA is likely to scrutinise closely whether responsibilities are genuinely understood and embedded in practice, particularly where firms operate through international group structures or decentralised operational models. 

The FCA is increasingly sceptical of unclear governance arrangements or situations where accountability becomes fragmented across multiple jurisdictions; such fragmentation is additionally likely to impact the ‘Location of Offices’ Threshold Condition. 

Certification Regime and Staff Fitness and Propriety 

Beyond senior management, the Certification Regime requires firms to assess annually whether certain staff are fit and proper to perform roles capable of causing significant harm to the firm or its customers. 

Within cryptoasset businesses, this may capture individuals involved in: 

  • trading activity; 
  • algorithmic systems; 
  • client asset oversight; 
  • product governance; 
  • operational infrastructure; and 
  • financial promotions. 

Firms will therefore need robust processes for assessing employee competence, conduct, qualifications and integrity. 

Again, this may prove particularly challenging for rapidly scaling firms with international workforces or limited prior experience operating within regulated financial services environments. 

Conduct Rules and Culture 

The FCA’s Conduct Rules are likely to become increasingly important for crypto firms under FSMA authorisation. 

These rules apply basic standards of integrity, due skill, customer treatment and regulatory cooperation across firms’ workforces. 

The FCA has repeatedly emphasised that SM&CR is ultimately intended to drive cultural change rather than simply increase documentation. 

For crypto firms, this may represent one of the most significant long-term implications of the regime. 

Historically, parts of the crypto sector have prioritised rapid innovation and commercial growth over formal governance structures. Under FSMA regulation, however, firms are likely to face increasing expectations regarding governance maturity, escalation processes and challenge culture. 

Operational Resilience and Individual Accountability 

Operational resilience is also expected to interact closely with SM&CR obligations. 

The FCA increasingly expects firms to identify clearly which senior managers hold responsibility for: 

  • cyber resilience; 
  • outsourcing oversight; 
  • incident response; 
  • customer communications during disruption; and 
  • third-party dependency management. 

Where operational failures occur, regulators are increasingly likely to assess not only firm-level controls but also whether appropriate senior management oversight existed. 

For crypto firms reliant on cloud providers, distributed ledger infrastructure and complex outsourcing arrangements, this creates heightened accountability risk for senior individuals. 

Conclusion 

The application of SM&CR to cryptoasset firms authorised under FSMA is likely to represent one of the most significant governance developments within the UK digital assets sector. 

The FCA is clearly moving towards a framework in which crypto firms are expected to operate with governance, accountability and conduct standards broadly comparable to those applying across traditional financial services sectors. 

For many firms, this will require substantial enhancement of governance structures, senior management oversight and internal accountability arrangements. 

Ultimately, firms that begin preparing early for SM&CR implementation, particularly around senior manager appointments, governance mapping and operational accountability, are likely to be significantly better positioned during the FCA authorisation process and ongoing supervision. The FCA will likely want to interview SMFs as part of the assessment of any application for authorisation and will need assurance that they understand their responsibilities and have the competence to execute them. 

How Complyport Can Help 

Complyport assists firms in preparing for these enhanced regulatory requirements through: 

  • SM&CR gap analysis and implementation programmes. 
  • Senior Manager Function identification and role mapping. 
  • Statements of Responsibilities drafting and review. 
  • Management Responsibilities Map design and implementation. 
  • Governance framework reviews and Board effectiveness assessments. 
  • FCA authorisation application support for cryptoasset firms. 
  • Fitness and propriety assessment frameworks. 
  • Operational resilience and outsourcing governance reviews. 
  • Consumer Duty implementation and monitoring frameworks. 
  • Ongoing compliance advisory and outsourced compliance services. 

To discuss how your firm can prepare for the implementation of SM&CR under the future UK cryptoasset regime, contact Complyport and book a meeting with one of our Subject Matter Experts today. 

Ask ViCA, your Virtual Compliance Assistant. Claim your complimentary 20 queries today! Register here: https://vica.chat 

 

 

Why Firms are Moving to Bespoke Compliance Training
https://complyport.com/why-firms-are-moving-to-bespoke-compliance-training/?utm_source=rss&utm_medium=rss&utm_campaign=why-firms-are-moving-to-bespoke-compliance-training
Wed, 10 Jun 2026 12:29:03 +0000

In the current regulatory climate, the way firms approach professional development is undergoing a fundamental shift. The feedback we consistently hear from clients across the financial services sector is clear: standard, tick-box training is no longer enough. 

The Financial Conduct Authority’s (FCA) expectations regarding competence and capability are unequivocal. Regulators do not just look for a record of completed modules; they expect firms to ensure that all employees – including members of the Board of Directors – possess the appropriate skills, knowledge and expertise to carry out their specific roles effectively. Crucially, the training received must be highly relevant and continuous, and the employee must be capable of demonstrating a practical understanding in their day-to-day operations.

When regulatory scrutiny intensifies, a firm’s resilience relies entirely on whether its teams truly understand how complex rules apply to their roles. 

Moving Beyond the Slide Deck 

At Complyport we deliver tailored compliance training programmes designed specifically around your firm’s business model, its internal risk matrix and its exact regulatory obligations.

We believe that passive e-learning and generic presentation decks fail to drive meaningful behavioural change. Instead, our practitioner-led approach focuses on: 

  • Applied Learning: Utilising real-life scenarios, case studies and practical examples that reflect the actual challenges your teams face. 
  • Practical Knowledge Transfer: Equipping employees with the toolsets and confidence needed to support robust, defensive day-to-day decision-making. 
  • Interactive & Engaging Sessions: Swapping dry lectures for dynamic workshops that encourage open discussion, debate and active engagement. 
  • Rigorous Testing & Assessment: Implementing tailored assessments to formally evidence knowledge retention and understanding for internal governance and regulatory reporting. 
  • Meticulously Tailored Content: Aligning the curriculum to your firm’s unique activities, client base and regulatory permissions.

Targeted Training Pathways Under High Demand

As regulatory frameworks evolve, we are seeing a significant surge in demand for targeted, specialised training across a broad spectrum of critical compliance disciplines, including: 

  • Financial Crime & AML: Anti-Money Laundering, Market Abuse and Proactive Fraud Prevention. 
  • Governance & Oversight: The Senior Managers and Certification Regime (SM&CR) and robust Corporate Governance. 
  • Retail & Conduct: Embedded compliance with the Consumer Duty, Conduct Rules and Complaints Handling. 
  • Operational Risk: Operational Resilience, Outsourcing and Third-Party Risk Management. 
  • Specialist Regulations: Client Assets (CASS), Prudential Requirements and emerging ESG & Sustainability Governance.

Building a Stronger Compliance Culture

Effective training is not simply a regulatory hurdle to clear; it is a strategic asset. By moving away from generic solutions and investing in bespoke, context-specific education, firms build stronger internal controls, cultivate better decision-making at all levels and foster a healthier compliance culture across the entire business.

If your firm is currently reviewing its training framework, preparing for an upcoming regulatory milestone or looking for practical, tailored solutions that deliver measurable value, Complyport can help. 

How Complyport Can Assist 

With over 25 years of practitioner-led experience, Complyport’s team of consultants, former regulatory officials, training specialists and professional educators design and deliver training programmes that bridge the gap between regulatory requirements and operational reality.

Combining deep regulatory expertise with proven instructional design and learning methodologies, we support firms through comprehensive training needs analyses, bespoke curriculum development and interactive workshop delivery tailored to the needs of Boards, compliance functions and front-line staff.

Whether your aim is to strengthen regulatory knowledge, enhance governance standards, embed a compliance culture or address specific competency gaps, our training solutions will meet your firm’s requirements and regulatory obligations.

To discuss how Complyport can develop a bespoke training programme aligned to your firm’s needs, visit our Training & Professional Development Services. 

Euro Exchange Securities Ltd: FCA Market Intervention in Action
https://complyport.com/euro-exchange-securities-ltd-fca-market-intervention-in-action/?utm_source=rss&utm_medium=rss&utm_campaign=euro-exchange-securities-ltd-fca-market-intervention-in-action
Tue, 09 Jun 2026 11:00:33 +0000

Forget the recent smattering of Voluntary Requirements (VREQs), the Financial Conduct Authority’s (FCA) recent intervention into Euro Exchange Securities UK Limited (EES) represents one of the most decisive supervisory actions taken against a UK payments institution in recent years. It is also emblematic of a continued shift in regulatory posture: from reactive supervision to proactive, intrusive intervention where risks to financial crime controls, safeguarding and governance crystallise. 

After all, the clue’s in the title. Whereas the supervision function used to be called just that (‘Supervision’), few really picked up on the name change to ‘Market Interventions’. Does the FCA have your attention now?  

This article considers the drivers behind the FCA’s action, what happens next procedurally and, importantly, what this signals for the wider payments and e-money sector. 

The Regulatory Trigger: When Risk Becomes Reality 

On 4 June 2026, the FCA exercised its supervisory powers to require EES to cease all regulated electronic money and payment services activities with immediate effect. Simultaneously, the FCA applied to the Court for the appointment of interim managers, effectively displacing the firm’s management and placing its operations under independent control.  

This was not a routine supervisory measure, where we have been used to seeing a negotiated VREQ as a signal of concern and a brake on escalation. This was a clear escalation, driven by “serious concerns” regarding how the firm operated its business and the resultant significant risks of financial crime.  

At the core of the FCA’s concerns were three interrelated themes. As headings, they read straight off the FCA’s Regulatory Priorities Report for Payment firms:

  1. Systemic Weaknesses in Financial Crime Controls

The FCA identified deficiencies in EES’s Anti-Money Laundering (AML) framework that pointed to widespread or systemic failings, rather than isolated control gaps. These included concerns regarding the risk profile of customers, some of whom were deemed “high-risk”, and potential links to money laundering activity across the firm’s network.

  2. Safeguarding Deficiencies

Alongside AML, safeguarding arrangements, arguably the cornerstone of consumer protection in payments, and the focus of current regulatory change and attention, were also found wanting. Weakness in safeguarding raises the prospect of customer funds being improperly held (or not at all), commingled or at risk in insolvency.

  3. Governance and Ownership Concerns

The FCA also pointed to deficiencies in governance structures and ownership oversight. This is significant, as weak governance often acts as the root cause of broader control failures, particularly where high-risk business models are not matched by commensurate understanding, discussion or oversight.  

Taken together, these issues created a scenario where the FCA considered there to be ongoing and immediate risk to both consumers and market integrity, necessitating urgent intervention rather than supervised remediation. And that’s just based on the information publicly available; there may yet be more horror stories to uncover. 

Why the FCA Acted Decisively 

The manner of intervention is as interesting as the failings themselves. 

Rather than issuing requirements or entering into a voluntary remediation plan, the FCA: 

  • Imposed an immediate business restriction (cessation of activities); 
  • Applied to court for interim managers; and 
  • Signalled potential special administration. 

This reflects a regulatory judgement that the risks were not theoretical or historic but live, material and incapable of being mitigated within the existing governance framework. 

Furthermore, court filings referenced concerns about “widespread breaches” of money laundering rules and potential criminal linkages, raising the stakes beyond mere compliance deficiencies.  

From a supervisory perspective, this aligns directly with the FCA’s strategic priority of protecting financial system integrity, where firms are expected to act as the first line of defence against financial crime. 

What Happens Next: The Legal and Regulatory Pathway 

The immediate future for EES appears to be shaped by the interplay between regulatory action and court oversight. 

‘Interim Managers’ in Control 

The Court has appointed independent interim managers (from Teneo) to oversee the firm’s affairs. These individuals act as officers of the Court, with authority to stabilise operations, assess financial position and protect client interests.  

Court Hearing and Potential Outcomes 

A key milestone is the Court hearing (scheduled for 11 June 2026), at which EES has the opportunity to present its case.  

The potential outcomes include: 

  • Lifting of restrictions (unlikely absent compelling remediation evidence); 
  • Continuation of interim management; 
  • Entry into special administration. 

The latter is particularly important. Special administration under the Payment and Electronic Money Institution Insolvency Regulations 2021 is designed to prioritise: 

  • Return of customer funds; 
  • Continuity of critical payment services (where feasible); 
  • Orderly wind-down. 

The FCA has already indicated its intent to pursue this route, including seeking recognition of proceedings in the United States, reflecting the firm’s cross-border footprint.  

Implications for the Payments Sector 

While firm-specific in execution, the EES case has sector-wide implications that should not be underestimated. 

  1. The End of “Supervisory Forbearance”

The FCA has made clear, both through action in this case and a broader policy direction as contained within the Regulatory Priorities Report, that tolerance for weak control environments has diminished significantly.

Historically, firms might have expected: 

  • VREQs; 
  • Skilled person reviews; 
  • Remediation plans; 
  • Supervisory engagement over extended timelines. 

In contrast, the EES intervention demonstrates that where risks are acute, the FCA will move directly to restriction and control. 

This is consistent with the broader evolution toward a more data-led, assertive regulator, requiring firms to evidence compliance in real-time, not retrospectively. 

  2. Financial Crime as the Primary Fault Line

Financial crime controls continue to be the principal driver of regulatory intervention in payments. 

EES reinforces a key message: payments firms are not merely technology providers; they are financial crime gatekeepers.

Where business models involve cross-border flows, complex correspondent relationships, high-risk customer segments, the expectation is that control frameworks scale proportionately. 

Failure to do so will result not in guidance or incremental correspondence, but enforcement. 

  3. Safeguarding Moves Centre Stage

The reference to safeguarding weaknesses is particularly timely, given the transition to the CASS 15 regime on 7 May 2026, on which we have commented regularly over recent months. 

Safeguarding is no longer a technical compliance exercise. It is: 

  • A Board-level accountability issue; 
  • A key determinant of supervisory trust; 
  • A trigger for intervention where deficient. 

As the FCA has tried repeatedly to make clear, firms must move beyond policy documentation to operational robustness and evidential assurance. 

  4. Governance Is the Root Cause

In virtually all significant regulatory failures, governance sits upstream. ‘Tone from the top’ anyone? 

The FCA’s explicit reference to ownership and governance deficiencies highlights a recurring theme: 

  • Boards failing to understand business risk profiles; 
  • Inadequate challenge to growth strategies; 
  • Lack of alignment between risk appetite and operational capability. 

For payments firms, this translates into a requirement for: 

  • Stronger Board oversight; 
  • Clear accountability and responsibility of directors and senior managers; 
  • Demonstrable and effective decision-making frameworks.

  5. Cross-Border Complexity Increases Regulatory Risk

EES’s international footprint, with operations in the US and Spain, added complexity and regulatory concern. 

The FCA’s move to seek recognition of UK proceedings in US courts illustrates a growing reality. Payments regulation has always been global in consequence, even if national in execution. Firms operating across jurisdictions must ensure consistency of controls, not fragmentation. 

Conclusion 

The FCA’s intervention into Euro Exchange Securities Ltd is not an isolated enforcement action; it is a signal event.

It reinforces a number of critical themes: 

  • The FCA will act early and decisively where financial crime risks crystallise; 
  • Weak safeguarding and governance are no longer tolerable gaps; 
  • Payments firms must evidence control effectiveness, not simply assert it. 

Above all, it reflects a regulatory approach that prioritises outcomes over intent. 

For the payments sector, the message is clear. Growth, innovation and scale are welcome, but only where matched by control frameworks of equal sophistication. 

Those firms that understand this, and act accordingly, will continue to thrive. Those that do not may find themselves, like EES, subject to a far more intrusive and immediate regulatory response. 

As we asked at the beginning, does the FCA have your attention now? 

How Complyport Can Help 

The FCA’s intervention serves as a reminder that firms must maintain robust financial crime controls, effective safeguarding arrangements and strong governance frameworks at all times. 

Complyport supports payment institutions, e-money institutions and other regulated firms through: 

  • AML and financial crime framework reviews; 
  • Safeguarding assessments and CASS 15 implementation support; 
  • Governance and Board effectiveness reviews; 
  • Regulatory health checks and gap analyses; 
  • Skilled Person and remediation support; 
  • FCA authorisation and ongoing compliance assistance. 

If you would like to assess the effectiveness of your firm’s control framework or discuss the implications of recent FCA interventions, contact Complyport and arrange a meeting with one of our Subject Matter Experts. 

Book a meeting with a Complyport Subject Matter Expert today. 

Ask ViCA, your Virtual Compliance Assistant. Claim your complimentary 20 queries today! Register here: https://vica.chat 

 

Operational Resilience Back to the Fore for Payments Firms
https://complyport.com/operational-resilience-back-to-the-fore-for-payments-firms/?utm_source=rss&utm_medium=rss&utm_campaign=operational-resilience-back-to-the-fore-for-payments-firms
Mon, 08 Jun 2026 10:05:41 +0000

Author: James Borley, Director of Payment Services

As noted in the Financial Conduct Authority’s (FCA’s) Regulatory Priorities Report for Payments, the operational resilience framework is now moving decisively beyond implementation planning and into active supervisory scrutiny. For Payment Institutions (PIs) and Electronic Money Institutions (EMIs), the 31 March 2025 transition deadline marked the end of the mobilisation phase and the beginning of a new era of evidencing resilience in practice.

While many firms approached operational resilience initially as a regulatory project driven by Policy Statement PS21/3: Building Operational Resilience, the FCA increasingly expects firms to demonstrate that resilience considerations are embedded into governance, outsourcing oversight, product design, technology decision-making and incident response frameworks on an ongoing basis. 

For firms operating under the Payment Services Regulations 2017 (PSRs) or Electronic Money Regulations 2011 (EMRs), the challenge is no longer whether an operational resilience framework exists on paper, but whether it can withstand severe but plausible disruption without causing intolerable harm to customers or the wider financial system. 

Regulatory Background 

In March 2021, the FCA, alongside the Bank of England and Prudential Regulation Authority, published PS21/3. The framework already applied to a number of regulated firms but was now extended to entities authorised under the PSRs and EMRs. Firms were required to identify their ‘Important Business Services (IBSs)’, establish impact tolerances and conduct mapping and testing by 31 March 2025. 

The FCA defines operational resilience as the ability of firms and the financial sector to prevent, adapt, respond to, recover and learn from operational disruptions. Importantly, the regime focuses less on preventing all disruption and more on ensuring that firms can continue delivering critical services within acceptable tolerances during disruption events. 

This distinction is particularly significant for payments firms whose business models are heavily reliant on technology infrastructure, cloud providers, APIs, card processors and outsourced operational functions. 

Why Payments Firms Remain a Supervisory Focus 

The UK payments sector has experienced rapid growth, increasing technological complexity and heightened customer reliance over recent years. At the same time, regulators continue to observe incidents involving payment outages, cyber-attacks, third-party failures and migration-related disruptions. 

The FCA and Bank of England have repeatedly highlighted concerns around firms’ dependency on concentrated technology providers and the systemic implications of operational failures within payments infrastructure. Recent industry incidents, including large-scale cloud outages and software failures, have reinforced supervisory concerns that even short-term disruption can result in significant consumer harm and reputational damage. 

For payments firms, operational resilience is therefore closely linked to several wider regulatory themes, including: 

  • Consumer Duty; 
  • outsourcing and third-party risk management; 
  • cyber resilience; 
  • operational incident reporting; 
  • governance and senior management accountability; and 
  • financial crime controls continuity. 

Increasingly, the FCA appears to view operational resilience as an indicator of overall organisational maturity rather than a standalone compliance requirement. 

Important Business Services: Avoiding Overly Broad Definitions 

One of the most common weaknesses identified by regulators relates to the identification of IBSs. The FCA has cautioned firms against defining IBSs too broadly or by reference to internal business lines rather than customer outcomes. 

For payments firms, examples of IBSs may include: 

  • execution of outbound customer payments; 
  • safeguarding and access to customer funds; 
  • card transaction processing; 
  • customer authentication services; 
  • onboarding and account access functionality; and 
  • fraud monitoring and transaction screening. 

A common supervisory issue arises where firms classify virtually all business activities as ‘important’, thereby diluting management focus and undermining meaningful scenario testing. 

The FCA expects firms to identify those services where disruption could cause ‘intolerable harm’ to consumers, threaten market integrity or undermine confidence in the UK financial system. The emphasis remains on external impact rather than internal operational significance (which is more the domain of business continuity). 

Mapping and Third-Party Dependencies 

Mapping remains one of the most resource-intensive aspects of operational resilience compliance. For many payments firms, the complexity arises not from internal systems but from interconnected outsourcing arrangements and technology dependencies. 

The FCA has specifically emphasised the importance of understanding vulnerabilities arising from third-party providers, including cloud hosting providers, payment processors, fraud systems, telecommunications infrastructure and software vendors. 

In practice, firms should be capable of demonstrating: 

  • end-to-end mapping of IBS delivery chains; 
  • identification of single points of failure; 
  • documented dependency inventories; 
  • resilience assessments of material suppliers; 
  • exit and substitution planning; and 
  • escalation and communication protocols during disruption events. 

The FCA is increasingly sceptical of firms that rely solely on contractual assurances from providers without independently assessing operational resilience capabilities.

This is particularly relevant where firms rely heavily on a small number of critical cloud or infrastructure providers. Regulators continue to signal concerns regarding concentration risk across the financial sector and the potential systemic implications of outages affecting critical technology providers. 

Scenario Testing: Demonstrating Credibility 

Scenario testing remains central to the FCA’s expectations. Firms must demonstrate that they can remain within impact tolerances during severe but plausible disruption scenarios. 

However, many firms continue to approach testing as a theoretical desktop exercise rather than a realistic assessment of operational capability. 

The FCA has indicated that effective testing should evolve into a business-as-usual discipline and should incorporate lessons learned from real-world incidents. 

For payments firms, relevant scenarios may include: 

  • cyber-attacks impacting payment processing; 
  • ransomware incidents; 
  • cloud service outages; 
  • data centre failures; 
  • telecoms disruption; 
  • payment gateway failures; 
  • sanctions screening system outages; 
  • third-party supplier insolvency; and 
  • internal change management failures. 

Importantly, firms should avoid assuming ideal recovery conditions. The FCA increasingly expects testing to consider degraded operating environments, staff unavailability, simultaneous incidents and communications failures. 

The FCA also expects firms to identify vulnerabilities revealed through testing and demonstrate remediation planning supported by appropriate governance and funding. 

Governance and Senior Management Accountability 

Operational resilience cannot be delegated exclusively to Compliance or IT functions. 

Boards and senior management are expected to understand the firm’s IBSs, impact tolerances, vulnerabilities and remediation priorities. Accountability for operational resilience should be clearly allocated and evidenced through governance arrangements. 

The FCA has emphasised the importance of maintaining comprehensive self-assessment documentation capable of demonstrating the rationale behind resilience decisions, testing methodologies and investment priorities. 

For many firms, operational resilience now forms part of broader prudential and conduct discussions during supervisory engagement. 

Firms should therefore expect operational resilience evidence to feature increasingly within: 

  • FCA thematic reviews; 
  • section 166 skilled person reviews; 
  • authorisation assessments; 
  • change in control applications; 
  • outsourcing reviews; and 
  • Consumer Duty assessments.

Incident Reporting and the Evolving Regulatory Landscape

In March 2026, the FCA introduced new operational incident and third-party reporting requirements, with implementation expected from March 2027. These measures are intended to strengthen regulators’ visibility over disruption events and sector-wide vulnerabilities. 

Payments firms should therefore anticipate heightened supervisory expectations around: 

  • incident classification; 
  • escalation timelines; 
  • root cause analysis; 
  • board reporting; 
  • third-party incident visibility; and 
  • post-incident remediation tracking. 

The direction of travel is clear: operational resilience is becoming increasingly data-driven, evidence-based and supervisory-intensive.

Operational Resilience as an Ongoing Regulatory Obligation 

One of the most important messages emerging from recent FCA communications is that operational resilience is not a one-off implementation exercise. Important business services, impact tolerances and mapping should be reviewed regularly and updated following material business, technological or regulatory changes. 

For rapidly scaling fintechs and payments firms, this presents a particular challenge. Business models, outsourcing structures and technology environments often evolve faster than governance frameworks. 

Accordingly, firms should ensure operational resilience remains integrated into: 

  • product development; 
  • outsourcing approvals; 
  • acquisitions and integrations; 
  • cloud migration projects; 
  • cyber security governance; 
  • change management programmes; and 
  • enterprise risk management frameworks. 

Conclusion 

The FCA’s operational resilience regime has now entered a significantly more mature supervisory phase. For UK payments firms, the regulatory focus is shifting away from implementation plans and towards demonstrable operational effectiveness. 

Firms that continue to treat operational resilience as a static compliance programme risk falling behind supervisory expectations, particularly as regulators intensify scrutiny of outsourcing dependencies, cyber resilience and customer outcomes. 

Ultimately, operational resilience is no longer simply about avoiding disruption. It is about demonstrating that firms can continue delivering critical services, protect customers and maintain market confidence even when disruption inevitably occurs. 

For payments firms operating in an increasingly interconnected and technology-dependent environment, that expectation is unlikely to diminish. 

How Complyport Can Help 

Complyport assists payment institutions, electronic money institutions and fintech firms in designing, reviewing and enhancing operational resilience frameworks that meet FCA expectations. 

Our services include: 

  • Operational resilience gap analyses and independent reviews; 
  • Identification and assessment of Important Business Services and impact tolerances; 
  • Operational resilience self-assessment preparation and review; 
  • Outsourcing and third-party risk management assessments; 
  • Governance and Board effectiveness reviews; 
  • Business continuity and disaster recovery framework reviews; 
  • Regulatory authorisation and change-in-control support; 
  • Compliance monitoring and operational resilience testing reviews; 
  • Senior management training and regulatory workshops. 

Whether you are preparing for FCA supervisory engagement, reviewing your Important Business Services or strengthening third-party oversight arrangements, Complyport can provide practical and proportionate support tailored to your business. 

Contact Complyport today to book a meeting with one of our Subject Matter Experts and discuss how we can support your operational resilience programme. 

Ask ViCA, your Virtual Compliance Assistant. Claim your complimentary 20 queries today! Register here: https://vica.chat 

 

Sanctions Compliance Remains Under the FCA Spotlight in 2026
https://complyport.com/sanctions-compliance-remains-under-the-fca-spotlight-in-2026/?utm_source=rss&utm_medium=rss&utm_campaign=sanctions-compliance-remains-under-the-fca-spotlight-in-2026
Fri, 05 Jun 2026 10:00:05 +0000

The FCA has recently published the findings of its latest review of sanctions systems and controls across the financial services sector. While the regulator acknowledges that firms have made significant progress in strengthening sanctions compliance since 2022, it has also identified a number of weaknesses that continue to result in sanctions breaches. 

The review is particularly relevant for MLROs, compliance teams and senior management as sanctions remain a key regulatory priority and continue to evolve in scope and complexity. 

A More Complex Sanctions Environment  

The FCA notes that UK sanctions regimes have expanded considerably in recent years. What was once largely focused on asset freezes now extends to broader financial restrictions, trade sanctions and sector-specific measures. 

This increased complexity has led to a significant rise in sanctions exposure across the financial sector. The value of frozen assets in the UK increased from £24.4 billion in 2023/24 to £37 billion in 2024/25, highlighting the growing importance of effective sanctions controls. 

Since February 2022, the FCA has assessed the sanctions systems and controls of more than 150 firms across a range of sectors. While many firms have strengthened their frameworks and successfully prevented potential breaches, the regulator has identified a number of common weaknesses that continue to create risk. 

Key Areas of Concern 

The FCA found that the most common causes of sanctions breaches stem from weaknesses in due diligence, transaction and name screening, alert management and the handling of frozen assets. 

In particular, firms continue to face challenges in identifying indirect sanctions exposure through complex ownership structures and intermediary relationships. The regulator also observed weaknesses in firms’ oversight of third-party providers and screening vendors, with some firms unable to demonstrate adequate governance over outsourced sanctions controls. 

Another key finding was the variation in the quality of sanctions risk assessments. While some firms demonstrated a clear understanding of their sanctions exposure, others relied on outdated assessments or failed to adequately consider trade sanctions and emerging risks. 

Growing Focus on Trade Sanctions 

A notable theme throughout the report is the FCA’s increasing focus on trade sanctions. 

The regulator found that firms’ controls for financial sanctions are generally more mature than those used to manage trade sanctions risks. However, trade sanctions have become increasingly important as restrictions now cover a wider range of goods, technologies and services. 

The FCA expects firms to understand their exposure to trade sanctions and ensure that appropriate controls are incorporated into their wider sanctions framework. 

The Importance of Governance 

The report reinforces the importance of strong governance and senior management oversight. 

The FCA found that firms with effective sanctions frameworks typically maintained up-to-date policies, provided meaningful management information and delivered targeted sanctions training to relevant staff. These firms were also more likely to undertake regular assurance testing and independent reviews of their controls. 

Conversely, weaker firms often had outdated policies, insufficient oversight of outsourced arrangements and limited management information on sanctions risks. 

What Firms Should Do Next 

The FCA expects firms to review their sanctions frameworks and ensure that controls remain proportionate to their business model and risk exposure. 

Particular attention should be given to governance arrangements, risk assessments, due diligence processes, screening controls and the management of sanctions alerts. Firms should also ensure they have appropriate oversight of third-party providers and contingency arrangements in place to manage operational disruptions. 

With closer cooperation now in place between the FCA, the Office of Financial Sanctions Implementation (OFSI) and the Office of Trade Sanctions Implementation (OTSI), firms can expect continued regulatory focus on sanctions compliance. 

How Complyport Can Help 

Complyport assists regulated firms in assessing and enhancing their sanctions compliance frameworks in line with FCA expectations. 

Our services include: 

  • Sanctions risk assessments; 
  • Sanctions framework reviews; 
  • Independent testing of screening and transaction monitoring controls; 
  • Governance reviews; 
  • Internal audits; 
  • Staff training and awareness programmes; 
  • Remediation support and regulatory review preparation. 

We also support firms with the implementation of robust sanctions controls and ongoing compliance enhancements. 

Book a Meeting with a Complyport SME  

To learn more and ensure compliance with upcoming regulatory developments, book a consultation with a Complyport Subject Matter Expert today. 

Ask ViCA, your Virtual Compliance Assistant.  

Access instant answers on regulatory changes.  

Claim your complimentary 20 queries today! Register here: https://vica.chat 
