Don’t Get Caught Out! Ensure FCA Compliance with Our Ultimate Compliance Checklist (FREE!)

UK Payment firms, don’t get caught out! With 2023 in full swing, it’s time to take control of your regulatory obligations and ensure compliance with the Financial Conduct Authority (FCA). We know regulatory compliance can be a real headache, but with a structured approach, you can improve compliance, reduce costs, and say goodbye to the burden of regulatory complexity.

To help you get started, we’ve put together a handy FCA Compliance checklist, which you can download for free by hitting the button below. We suggest reading it alongside this blog so that you’re fully prepared to tackle whatever the FCA throws your way.

ComplyFirst Ultimate Compliance Checklist

What’s the Risk?

In March 2023 the FCA wrote to Payment and e-Money companies with the subject FCA Priorities for Payment Firms. They made clear their concerns that Payment firms “do not have sufficiently robust controls” and said that where they see issues, they’ll “take swift and assertive action”.

And you best believe them. Because the FCA’s appetite for enforcement is up.

In 2022 the FCA imposed 26 financial penalties, up from 10 the year before. Fines stood at £215 million+ with the regulator focusing on classic areas of compliance, including financial crime and regulatory reporting.

Going back to basics and ensuring you satisfy your core compliance obligations is more important than ever.

In this post, we help you figure out how to nail your regulatory obligations and provide an at-a-glance checklist so you can tick them off your to-do list.

4 step framework to nail your compliance obligations


Step 1: Your annual obligations

Anti-money laundering (AML):

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (“the MLRs”) require an annual assessment of your AML framework. You’ll need to complete a risk assessment for your business, identifying the money laundering and terrorist financing risks facing your business and putting in place mitigation plans.

Capital adequacy:

As an FCA regulated business, you’ll need to conduct regular checks on your capital position to ensure that you continue to meet the FCA’s ongoing capital requirements.

Your firm’s minimum initial capital requirements can be found below (unless the FCA has directed you to hold more or less capital):

Minimum Capital Adequacy Requirements

However, your firm’s ongoing capital (or “own funds”) requirements will vary depending on your business activity and the method the FCA has directed you to apply to calculate your own funds.

Chapter 9 of the FCA’s Payment Services and Electronic Money Approach Document provides more information on capital resources and how to calculate your own funds requirements.

Wind down planning:

If you’re an Authorised Payment Institution (API) or E-money Institution (EMI) you must have a wind-down plan (also known as a “living will”) in place to manage your resolution risks.

Your wind-down plan should account for the different scenarios under which you might need to wind down your business, including a solvent and insolvent wind-down, and how you would do this safely, effectively and with minimal impact on consumers and the market.

For more information on wind-down planning, check out the FCA’s Wind Down Planning Guide.

Business continuity:

Business continuity is a company’s level of readiness and ability to maintain its critical business functions in times of stress or disruption.

The 5 key components included in a good business continuity plan are:

  • Identification of risks and potential business impact
  • Forward planning for an effective response.
  • Documentation of roles and responsibilities
  • Description of how the plan will be communicated.
  • Description of ongoing testing and training.

You should conduct an annual assessment of your Business Continuity Plan to ensure that it continues to remain effective.


Safeguarding:

Safeguarding is a big focus for the FCA, and you should conduct an annual review of your client safeguarding arrangements, ensuring that:

  • All relevant funds are identified and safeguarded upon receipt; and
  • This happens within the appropriate timeframes.

If your business is required to have an annual audit of your company’s financial accounts, then you must also arrange an annual external audit of your safeguarding arrangements as set out in the Payment Services Regulations 2017.

Operational resilience:

The FCA define operational resilience as “the ability of financial services firms and the finance services sector to: prevent, adapt, respond to, recover, and learn from operational disruptions.”

In other words, your company’s ability to bounce back. You can review your firm’s operational resilience by:

  • Identifying and mapping your business’s important services
  • Setting up your impact tolerances
  • Undertaking scenario testing
  • Completing a self-assessment
  • Preparing internal and external comms plans and templates.

You should review and assess your firm’s Operational Resilience at least annually.

IT Security:

As part of your Operational and Security Risk RegData Return, you’ll need to provide an independent review of your firm’s operational and IT security risks in accordance with European Banking Authority guidance.

This review can be completed by someone within your business who is sufficiently independent and understands the requirements of the regulations, or by an external auditor.

Review your agents (if applicable):

If you have agents or appointed representatives, you should meet with them at least annually to conduct a review and ensure they’re operating in a compliant manner.


Training:

All Payment and e-Money firms should establish an annual training programme for employees, to ensure they perform their duties in a manner consistent with the regulations.

Step 2: Your FCA RegData reports.

A big chunk of your compliance resources will be directed towards regulatory reporting. In fact, the European Banking Authority (EBA) estimates that you’ll expend up to 38% of your annual compliance budget on regulatory reporting. So, it’s critical to know how to meet FCA expectations on reporting. Below is a list of FCA reports that may apply to your business along with descriptions of each report’s requirements. You can locate your unique reporting schedule by visiting FCA RegData login and logging in.


Content and purpose

Capital Adequacy Return (FSA056): This report provides information on safeguarding methods, the number of agents, volume and value of payment transactions and volume of AIS and/or PIS activity and Professional Indemnity Insurance in place for firms with these permissions. This report helps the FCA determine whether the firm continues to meet its capital requirements.

Payment Fraud Report (REP017): This is a semi-annual report requiring statistical data on fraud relating to different payment methods.

Operational and Security Risk Report (REP018): This report must be completed by all Payment Service Providers (PSPs). You must provide the FCA with an updated and comprehensive assessment of the operational and security risks relating to the payment services you provide and the adequacy of the controls implemented in response to those risks.

Statistics on the availability and performance of a dedicated interface (REP020): For those firms that provide a dedicated interface under “open banking”, a quarterly report on the KPIs used to measure performance and availability is required.

Annual Controllers Report (REP002): The annual Controllers Report asks for information on the current control structure. The FCA expects firms to understand who owns their business and notify the FCA of any change in control.

Annual Close Links Report (REP001): The annual Close Links Report asks the firm to provide information on its close links and to confirm whether there have been any material changes since its last report (or application for authorisation).

REP-CRIM regulatory return: Firms are asked to provide a range of financial crime information, including:

  • High-risk jurisdictions in which it operates
  • Number of high-risk customers
  • Number of customers in certain geographies
  • Number of SARs filed
  • Number of employees working in financial crime roles
  • Details of sanctions screening

PS-Complaints Report: Annual report of complaints made by payment service users who are eligible to complain to the Financial Ombudsman.

Step 3: Understand what the FCA Expects from You.

The FCA also has some implied expectations of your business, so it’s good to understand what these are, upfront, so you avoid any pitfalls.

PSR compliance:

You should annually review your policies, controls, and procedures to ensure they continue to meet the requirements of the Payment Services Regulations.

Regulatory permissions check:

You should annually review your business activities to ensure you have the correct permissions and/or identify when you may need to apply for a variation of permission.

MLR compliance:

You should get an annual independent audit to provide assurance that you continue to meet the requirements of the Money Laundering Regulations (MLRs).

Check reporting periods:

You should check that your company accounting reference date matches the date held in the FCA RegData platform. Otherwise, you could be misreporting to the FCA.

Step 4: Notifications under the Payment Services Regulations (PSRs 2017)

Lastly, the FCA expects you to keep them apprised of any incidents, breaches, or changes to your business model, including:

Incident reporting:

Once you become aware of an incident you need to decide whether you should notify the FCA about it. You should consider the FCA’s incident reporting requirements and if you need to report, then:

  • Report to the FCA within 4 hours;
  • Monitor the incident through to closure (including updating the FCA);
  • Perform a “lessons learned” review, root cause analysis and produce an improvement report.

PSD / EMD individual applications:

When you plan to make changes to your senior management team, you’ll need to notify the FCA before the individual takes up their new role.

Change of control:

If you plan to sell your business or make other changes to your qualifying holdings, you’ll need to notify the FCA and get their approval before making any changes. You can notify the FCA through the Connect Platform.

Other mandatory notifications:

This is a catch-all requirement.

Principle 11 of the FCA’s Principles for Businesses states that “a firm must deal with its regulators in an open and cooperative way, and must disclose to the FCA appropriately anything relating to the firm of which that regulator would reasonably expect notice”.

So, if in doubt, put yourself in the FCA’s shoes and ask, “Would I want to know?”

How can ComplyFirst help?

ComplyFirst provides an automated reporting platform to help you get your FCA reports done quicker and more accurately with less effort.

We collect regulatory data from your business tools, apply the FCA’s regulatory logic then validate and upload your reports in the required format to the FCA RegData platform.

Plus, we provide some amazing value-add tools for your team to log customer complaints and collaborate on reports and assign/manage tasks. Using these tools means you can effectively say bye-bye to manually reconciling customer complaints and email ping pong with your team when your reports are due. You’re welcome.


FCA Regulatory reports giving you a headache? Book a FREE 30-minute reporting session with our Founder and resident reporting guru, Fiona Jelly. With 12+ years of experience, she knows regulatory reporting like the back of her hand. Plus, she’s got a knack for making it all feel easy. So, if you’ve got questions or just need some friendly advice, hit the button below.