Corporate governance at payment firms has become a focal point for FCA supervision. Where historical regulatory scrutiny concentrated on specific controls — transaction monitoring rules, capital calculations — the FCA's current supervisory approach takes a systems view: is the governance structure adequate to identify and manage the firm's risks, and does board behaviour reflect genuine engagement with those risks rather than rubber-stamping? For the FCA, poor governance is not merely an abstract concern — it is the common root cause of most serious regulatory failures. Firms with genuinely effective governance tend to identify and address compliance issues before they become regulatory events; firms with governance deficiencies do not.
SYSC Requirements for Payment Firms
The Senior Management Arrangements, Systems and Controls (SYSC) sourcebook in the FCA Handbook applies to payment firms and EMIs. SYSC 4.1.1R requires firms to have robust governance arrangements including a clear organisational structure with well-defined, transparent, and consistent lines of responsibility; effective processes to identify, manage, monitor, and report the risks they are or might be exposed to; and adequate internal control mechanisms. SYSC 4.3 requires firms to ensure that management and staff with responsibility for the firm are of good repute and possess appropriate knowledge, skills, and experience.
The Senior Managers and Certification Regime (SM&CR)
Most FCA-authorised payment firms and EMIs are subject to the SM&CR, which creates individual accountability for senior managers. Under SM&CR, firms must designate individuals to specific Senior Manager Functions (SMFs) and submit Statements of Responsibilities (SoRs) for each SMF holder. For a typical payment firm, the core SMFs are: SMF1 (Chief Executive), SMF3 (Executive Director), SMF16 (Compliance Oversight), SMF17 (MLRO), and potentially SMF2 (Chief Finance Officer) and SMF24 (Chief Operations Officer) depending on structure.
Prescribed Responsibilities under SM&CR must be allocated among SMF holders. For payment firms, key prescribed responsibilities include: overall responsibility for the firm's compliance with applicable financial crime law (typically allocated to the CEO or a designated Executive Director); responsibility for the firm's anti-money laundering and counter-terrorism financing systems and controls (typically the MLRO/SMF17); and responsibility for the firm's safeguarding arrangements (typically CFO or CEO). The allocation must be documented in the SoRs and genuinely reflect actual responsibility.
Board Composition
The FCA does not prescribe a minimum board size for payment firms, but SYSC requires the governance structure to be appropriate to the nature, scale, and complexity of the firm's activities. For early-stage payment firms, a board of two to three executive directors may be acceptable. As the firm grows and the risk profile becomes more complex, the FCA will expect to see independent non-executive directors (INEDs) who can provide genuine independent challenge. INEDs must have relevant expertise — understanding of payment services, financial crime, or regulatory compliance — and must be willing to exercise challenge rather than providing passive approval.
The FCA is specifically looking for evidence that the board, including INEDs, actively challenges management on risk and compliance matters. Board minutes are a primary supervisory tool — they should reflect genuine discussion, dissenting views where they exist, and specific decisions with rationale. Sparse minutes that record only approvals without discussion are a red flag that governance is nominal rather than substantive.
Key Governance Documents
A well-governed payment firm maintains a suite of governance documents that together evidence the adequacy of its oversight arrangements. These should include:
- Terms of Reference for the board and any board committees (audit, risk, remuneration), specifying membership, frequency, quorum, and decision-making authority
- Matters Reserved for the Board, defining the decisions that require board approval rather than management delegation
- Delegated Authority Matrix, setting out operational limits within which management can act without board approval
- Risk Appetite Statement, reviewed and approved by the board at least annually
- Conflicts of Interest Policy, including a register maintained by the Company Secretary
- Whistleblowing Policy, with a named whistleblowing champion at board level
Governance Failures the FCA Investigates
FCA supervisory action against payment firms frequently identifies the same governance failures: boards that receive compliance reporting but do not demonstrate they have understood or acted on it; SMF holders whose Statements of Responsibilities do not match their actual day-to-day involvement; MLRO functions that operate in isolation from the board without regular formal reporting; and firms where all governance decisions in practice are made by a single dominant shareholder-director with no independent oversight.
The FCA uses its supervisory toolkit — section 166 skilled person reviews, information requests, supervisory letters — to probe governance quality when it has concerns. Firms that invest in genuine governance quality, and can demonstrate it through documentation and board behaviour, are consistently more resilient when supervisory scrutiny increases.