The risk appetite statement (RAS) is the document through which a firm's board formally articulates the quantum and nature of risk it is willing to accept in pursuit of its strategic objectives. For EMIs and payment institutions, the FCA expects the RAS to be a living governance document — not a compliance artefact — that is genuinely integrated into decision-making at board and management level. In practice, many smaller payment firms have risk appetite statements that are generic, unmeasured, or disconnected from the actual risks the business faces. This is a consistent regulatory finding and a credible indicator to the FCA that governance is inadequate.
What the FCA Expects
The FCA's expectations for risk appetite derive from SYSC 4.1 (governance), SYSC 7.1 (risk management), and the FCA's Approach Documents for Payment Firms and EMIs. SYSC 4.1.1R requires firms to have robust governance arrangements, including a clear organisational structure, effective processes to identify, manage, monitor and report risk, and adequate internal control mechanisms. The risk appetite statement is the document that operationalises these requirements at the strategic level.
For the FCA, a credible RAS must demonstrate: that the board has actively considered the risks inherent in the business model; that risk tolerances are specific and measurable rather than generic; that there is a mechanism to escalate breaches of appetite to the board; and that the RAS is reviewed and updated when the business environment or strategic direction changes materially.
Structure of an Effective RAS
Risk Categories
An EMI's RAS should cover each material risk category relevant to its business model. For a specialist payment firm serving high-risk sectors, these typically include: financial crime risk (AML, CTF, sanctions, fraud); regulatory compliance risk (authorisation, reporting, conduct); operational risk (systems and technology, third-party dependencies, data security); credit and settlement risk (counterparty exposure, safeguarding account provider risk); liquidity risk (ability to meet client redemption demands); and reputational risk.
The common mistake is to list these categories without attaching specific appetite statements or metrics to each. A RAS that says "we have low appetite for financial crime risk" is meaningless unless it is accompanied by: a definition of what constitutes a financial crime risk event in the context of this firm; a quantitative tolerance (e.g., zero tolerance for facilitated sanctions breaches; tolerance for a defined false-positive rate in transaction monitoring); and a trigger that would cause the board to review whether appetite has been exceeded.
Quantitative Metrics
The most compelling RAS frameworks translate risk appetite into measurable key risk indicators (KRIs) that are reported to the board at defined intervals. For financial crime risk, relevant KRIs might include: number of SARs filed per quarter against a prior-period baseline; false positive rate in sanctions screening; percentage of EDD files completed within the defined SLA; and number of overdue AML training completions. Breaches of defined tolerances on these KRIs trigger mandatory board escalation and remediation planning.
Red Lines
A well-constructed RAS includes explicit red lines — categories of risk for which the firm has zero tolerance, regardless of commercial opportunity. For a payment firm, these might include: knowingly processing transactions for sanctioned persons; onboarding customers without completing mandatory KYC; operating in jurisdictions where doing so would violate UK sanctions; or processing transactions where source of funds is known to be criminal proceeds. Red lines are not negotiable and their breach should automatically trigger escalation to the board and notification to the regulator as appropriate.
Board Ownership and Review
The RAS must be owned by the board, not by the compliance function. The compliance function may draft and maintain it, but the board must approve it and demonstrate active engagement with it. Board minutes should reflect genuine discussion of risk appetite — reviewing whether actual risk exposures are within appetite, approving changes to appetite when strategic direction shifts, and considering whether the risk framework has identified and appropriately captured new risks from product launches or market changes.
Annual formal review is the minimum. Material changes to the business — a new product category, significant client growth in a high-risk sector, a material regulatory change — should trigger an off-cycle review. The FCA will look at the dating and approval history of the RAS as a proxy for board engagement quality. A RAS approved once at authorisation and never subsequently reviewed tells the examiner everything they need to know about the quality of governance at that firm.
Integration with the AML Risk Assessment
The enterprise risk appetite statement and the AML/CTF risk assessment required under Regulation 18 of MLR 2017 are distinct documents but must be coherent with each other. The AML risk assessment identifies specific financial crime risks by business line, geography, and customer type. The RAS sets the board-level appetite framework within which those risks are managed. Where the AML risk assessment identifies a high-risk business area, the RAS should reflect the firm's appetite for that risk and the controls required to bring it within tolerance. Disconnects between the two documents — a RAS that claims low financial crime risk appetite while the AML risk assessment identifies materially elevated risks — will be immediately apparent to an experienced FCA examiner.