Non-Bank Financial Institutions: Regulatory Framework and Compliance

The landscape of financial services has changed fundamentally over the past fifteen years. Banks are no longer the only institutions capable of holding customer funds, executing payments, or facilitating financial transactions at scale. E-money institutions, payment institutions, crypto asset service providers, and a growing range of specialist financial technology firms now operate alongside — and in direct competition with — traditional banks. These non-bank financial institutions (NBFIs) operate under their own regulatory frameworks, which share features with the banking regime but differ in important ways. Understanding the structure of NBFI regulation is increasingly essential not just for the firms themselves, but for any business that deals with NBFIs as counterparties, banking partners, or service providers.

The UK NBFI Regulatory Architecture

In the UK, the primary frameworks governing NBFIs are the Payment Services Regulations 2017 (PSRs 2017), which implement PSD2 into UK law and govern payment institutions (PIs) and their activities; the Electronic Money Regulations 2011 (EMRs 2011), which govern e-money institutions (EMIs); and the Financial Services and Markets Act 2000 (FSMA 2000), as amended by the Financial Services and Markets Act 2023, which governs the broader financial services regulatory perimeter including crypto asset activities. The FCA is the primary regulator for all three categories.

Within each framework, there are two tiers: authorised firms and registered (or small) firms. Authorised payment institutions and authorised e-money institutions face the full weight of regulatory obligations, including capital requirements, safeguarding, governance standards, and FCA supervisory oversight. Small payment institutions and small e-money institutions benefit from lighter-touch registration with higher thresholds or lower average monthly payment transaction volumes capping their eligibility.

Capital Requirements for NBFIs

Unlike banks — which are subject to the Capital Requirements Regulation (CRR) framework with risk-weighted asset calculations — NBFIs face simpler but still meaningful capital requirements. Authorised PIs must maintain own funds of at least the higher of: the minimum capital requirement (between €20,000 and €125,000 depending on payment service type); and the capital calculated under one of three methods set out in the PSRs 2017 (Method A: 10% of fixed overhead; Method B: percentage of payment volumes; Method C: multiplier of relevant indicator). Authorised EMIs must maintain initial capital of at least €350,000 and maintain ongoing own funds based on average outstanding e-money.

These requirements are substantially lower than bank capital requirements, reflecting the different risk profile of NBFIs — in particular the absence of credit risk on customer funds, which under EMR/PSR regimes must be safeguarded rather than used as bank capital.

Safeguarding as a Key Differentiator

The safeguarding framework is the mechanism by which NBFIs protect customer funds in the absence of deposit protection insurance. Under PSRs 2017 Regulation 23 and EMRs 2011 Regulation 19, authorised PIs and EMIs must either segregate customer funds in a designated bank account or obtain an insurance policy or bank guarantee covering the relevant amounts. The FCA's ongoing review of safeguarding requirements (CP23/29, consulted 2024) proposes strengthening this framework — including more prescriptive requirements for designated account terms and daily reconciliation documentation.

Governance and Senior Manager Standards

NBFIs authorised by the FCA are subject to the Senior Managers and Certification Regime (SM&CR). For most NBFIs this means a simplified version of SM&CR compared to banks, but the core obligations are the same: designated Senior Manager Functions (SMFs) for key roles including CEO, CFO, and MLRO; Conduct Rules applying to all staff; and the Certification Regime for employees whose activities could cause significant harm to customers or the firm. The FCA's focus on individual accountability in enforcement has made SM&CR increasingly significant — in several recent payment firm enforcement cases, individuals have faced personal financial penalties and prohibition orders alongside institutional fines.

Crypto Asset Firms: A Distinct Category

Crypto asset service providers occupy a rapidly evolving regulatory position. Currently, UK crypto asset firms must register with the FCA under the Money Laundering Regulations 2017 (as amended by the Money Laundering and Terrorist Financing (Amendment) (EU Exit) Regulations 2020), which brings them within the AML/CFT supervisory perimeter. The FCA's approach to crypto registration has been rigorous — the majority of crypto registration applications have been refused or withdrawn — and the regime will evolve significantly under the FCA's proposed crypto asset regulatory regime, which is expected to introduce a full authorisation framework for exchanges, custodians, and other crypto service providers. At the EU level, the Markets in Crypto-Assets Regulation (MiCA) is now in application, creating a harmonised licensing regime for crypto asset service providers across EU member states.

Proportionality in Practice

A recurring theme in NBFI regulation is proportionality — the principle that regulatory obligations should be calibrated to the size, nature, and risk profile of the firm. In practice, this means that a small PI with simple domestic payment services faces substantially different compliance obligations than a large EMI with cross-border exposure, complex products, and millions of customers. Regulators articulate this in guidance (the FCA's Payment Services and Electronic Money Approach Document) but enforcement outcomes are less proportionate — even small NBFIs can face significant penalties for fundamental compliance failures, particularly in the AML space.