The Payment Services Regulations 2017 govern how payment institutions are authorised, how they handle customer funds and how they must conduct themselves — making them the principal regulatory framework for any firm providing payment services in the UK.
The Payment Services Regulations 2017 (PSRs) implemented the EU’s Payment Services Directive 2 into UK law and, following Brexit, have been retained and amended as part of the UK’s standalone regulatory framework. They apply to any firm — bank, fintech, specialist payments business or embedded finance provider — that provides payment services in the UK to consumers or businesses.
What Are Payment Services?
The PSRs define payment services by reference to a list of regulated activities in Schedule 1. The activities include: operating a payment account; executing payment transactions; issuing payment instruments; acquiring payment transactions; money remittance; and payment initiation services and account information services (the open banking activity types). A firm that carries on any of these activities in the UK as a regular occupation or business is a payment service provider and must be authorised or registered by the FCA unless an exemption applies.
Credit institutions — banks and building societies — are exempt from PSR authorisation because they are already authorised under the Financial Services and Markets Act and subject to equivalent obligations. Electronic money institutions are subject to the Electronic Money Regulations 2011 rather than the PSRs for their core e-money issuance activities, though they are subject to the PSRs for payment services they provide alongside e-money issuance.
Authorisation vs Registration
The PSRs create two tiers of regulatory status for payment service providers. An authorised payment institution (API) can provide payment services of any type and value without restriction. A small payment institution (SPI) can provide payment services where the average monthly payment transactions it executes do not exceed €3 million — a threshold assessed across a rolling 12-month period. SPIs face lower capital requirements and a lighter registration process, but must upgrade to full authorisation if they exceed the threshold.
The FCA’s authorisation process for APIs requires a detailed application covering the firm’s business plan, financial projections, governance arrangements, safeguarding procedures, SMCR senior manager appointments and compliance framework. The process typically takes three to six months for straightforward applications; complex applications or those with significant regulatory queries take longer. A regulatory business plan that clearly addresses the FCA’s assessment criteria is essential.
Capital Requirements
Authorised payment institutions must maintain minimum own funds calculated by reference to the method applicable to their payment service activities. The three calculation methods — Method A, Method B and Method C — produce different results depending on the firm’s fixed overheads, payment volume and the specific payment services it provides.
Method A requires own funds of at least a fixed percentage of fixed overheads from the prior year. Method B requires a percentage of total payment transaction volume on a sliding scale that reduces as volume increases. Method C uses a combination of a fixed component and a volume-related component. Firms must calculate their requirement under all applicable methods and maintain the highest result.
The minimum initial capital for an API is €125,000, with the ongoing requirement calculated by the methods above. SPIs have no minimum initial capital requirement but must maintain own funds of at least the ongoing calculated requirement. The FCA expects firms to maintain a capital buffer above the regulatory minimum to reflect operational and business risk.
Safeguarding Requirements
Regulation 23 of the PSRs imposes a safeguarding obligation on payment institutions that hold customer funds. The purpose is to protect customers’ money in the event of the firm’s insolvency: safeguarded funds are ring-fenced from the firm’s own assets and must be returned to customers in full before any other creditor claims are satisfied.
There are two compliance methods. Under the segregation method, the firm places customer funds in a designated safeguarding account at an eligible credit institution immediately on receipt, and maintains those funds separately from its own money at all times. Under the insurance or guarantee method, the firm obtains an insurance policy or bank guarantee covering the full amount of funds held for customers at any time. Most firms use the segregation method.
The safeguarding obligation is addressed in comprehensive detail in the Safeguarding Client Funds guide, including the acknowledgement letter requirement, eligible institution criteria, reconciliation obligations and the FCA’s audit expectations.
Conduct Requirements for Payment Institutions
The PSRs impose conduct requirements that govern the firm’s relationship with its payment service users — both consumer and business customers. These cover: the information that must be provided before and after a payment transaction; the charges that can be levied and how they must be disclosed; the timeframes for executing transactions; liability for unauthorised transactions; and complaint handling obligations.
For consumer payment service users, the liability regime for unauthorised transactions is particularly significant. Where a customer’s account is debited without their authorisation — through fraud, phishing or a payment provider’s system error — the PSRs require the payment institution to refund the amount immediately and restore the account to the position it would have been in had the transaction not occurred. The burden of demonstrating that the customer acted fraudulently or with gross negligence falls on the firm, not the customer.
The FCA’s enforcement activity in the payments sector has focused on firms that delayed refunds for unauthorised transactions, applied charges inconsistent with their disclosed fee schedules, and failed to provide adequate pre-contract information. Under the Consumer Duty, payment firms must go beyond the minimum PSR conduct standards: communications must actively support good customer outcomes, and products and services must deliver fair value.
Strong Customer Authentication
Strong Customer Authentication (SCA) is required by the PSRs for electronic payment transactions and for accessing payment accounts remotely. SCA requires the use of at least two of three authentication factors: something the customer knows (a password or PIN), something the customer has (a phone or hardware token), and something the customer is (a biometric). The combination must be dynamic — linking each authentication to the specific transaction — to prevent replay attacks.
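The dynamic-linking idea described above, shown as an added example that is not from the original article or from any regulator's specification. It assumes the authentication code is an HMAC over the amount, payee and a one-time nonce, computed with a key held by the customer's possession factor; the key, function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed key standing in for a secret held by the customer's possession
# factor (phone app or hardware token). Assumption, not a real credential.
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def _message(amount_minor, currency, payee, nonce):
    # Length-prefix each field so two different field splits can never
    # serialise to the same byte string.
    fields = [str(amount_minor), currency, payee, nonce]
    return b"".join(
        len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields
    )


def sign_transaction(key, amount_minor, currency, payee, nonce):
    """Customer side: compute a code over exactly what the customer approved."""
    msg = _message(amount_minor, currency, payee, nonce)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Verifier:
    """Provider side: issues one-time nonces and checks each code against
    the transaction actually submitted for execution."""

    def __init__(self, key):
        self._key = key
        self._pending = set()

    def new_nonce(self):
        nonce = secrets.token_hex(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, code, amount_minor, currency, payee, nonce):
        if nonce not in self._pending:
            return False  # unknown or already consumed nonce: replay rejected
        self._pending.discard(nonce)  # single use, even if the check fails
        expected = sign_transaction(
            self._key, amount_minor, currency, payee, nonce
        )
        # Constant-time comparison avoids leaking how many characters matched.
        return hmac.compare_digest(expected, code)
```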
The PSRs provide a list of exemptions from SCA for specific transaction types where the fraud risk is assessed as low — contactless payments below a threshold amount, low-value transactions, whitelisted payees and merchant-initiated transactions. Firms must apply exemptions carefully: an exemption applied incorrectly shifts liability for fraudulent transactions from the customer to the firm.
The FCA’s supervisory expectations for SCA include adequate testing of authentication systems, clear consumer communications about authentication requirements, and monitoring of SCA decline rates to identify where authentication friction is causing unnecessary customer harm.
AML and Financial Crime Obligations
Payment institutions are subject to the Money Laundering Regulations 2017 and must maintain a financial crime compliance framework covering customer due diligence, transaction monitoring, sanctions screening and suspicious activity reporting. The PSR framework and the AML framework interact closely: the safeguarding obligation applies to funds held for customers who have passed CDD, and the FCA expects payment firms to have controls that prevent their services being used for money laundering or sanctions evasion.
The FCA has taken enforcement action against payment institutions with inadequate financial crime controls — particularly firms that allowed high volumes of high-risk transactions without adequate transaction monitoring, or that onboarded customers in high-risk jurisdictions without enhanced due diligence. The financial crime compliance capability of a payment institution is a key factor in the FCA’s assessment of fitness for authorisation.
SMCR and Governance for Payment Institutions
The SMCR applies to FCA-authorised payment institutions. The relevant SMF functions are the same as for other FCA-authorised firms — SMF1 (CEO), SMF16 (Compliance Oversight), SMF17 (MLRO) and SMF29 (Limited Scope) for smaller firms. Each senior manager must have a Statement of Responsibilities documenting their area of accountability, and the firm must maintain a Management Responsibilities Map showing how the business’s regulated activities are allocated between senior managers.
The governance framework required by the PSRs — covering internal controls, risk management, audit arrangements and management information — sits alongside the SMCR framework. The FCA expects payment institutions to have a governance structure proportionate to their size and the risk profile of their activities, with effective board oversight of safeguarding, financial crime and conduct risk.
Adrian Lawrence FCA — Founder, FD Capital Recruitment Ltd
ICAEW Registered Practice | Companies House No. 13329383
“The payments sector has seen significant compliance hiring activity over the past three years — driven by FCA authorisation demands, safeguarding reform, Consumer Duty implementation and financial crime obligations. We work with authorised payment institutions, fintech payment businesses and e-money firms to place compliance officers, MLROs and finance directors who understand the PSR framework and can operate effectively in a fast-moving regulatory environment.”