FCA Supervision of Payment Firms: What's Changed in 2026

The FCA's approach to supervising payment institutions and electronic money institutions has undergone a fundamental shift over the past three years. What was once a relatively light-touch regime, focused primarily on authorisation standards and periodic attestation, has evolved into a proactive supervisory model that more closely resembles the intensive oversight applied to banks. For payment firms operating in the UK, this is not background noise. It is a direct operational challenge that requires significant investment in compliance infrastructure and senior management engagement.

The Shift to Proactive Supervision

The FCA's payment sector supervisory approach is now embedded in its three-year strategy, which identifies payment firms as a priority area for supervision alongside investment management and retail banking. The catalyst was a series of high-profile failures — most notably the collapse of Wirecard's UK subsidiary, which left customer funds exposed — combined with supervisory reviews that revealed systemic weaknesses across large parts of the authorised payment firm population.

In practical terms, proactive supervision means that the FCA no longer waits for a trigger event (a complaint, a suspicious activity report, a media story) before engaging with a firm. Supervisors are now assigned to cohorts of payment firms on a risk-segmented basis, and firms above a certain size or risk profile receive regular supervisory engagement even where no specific concern has been identified. This is a significant change from the reactive model that predominated before 2022.

Dear CEO Letters: Reading Between the Lines

The FCA's Dear CEO letters are the most efficient indicator of where supervisory attention will focus. Since 2022, the payments sector has received multiple sector-specific Dear CEO letters covering: safeguarding of customer funds (March 2023), financial crime frameworks (January 2024), wind-down planning (September 2024), and operational resilience (February 2025). Each letter sets out the FCA's findings from thematic reviews across the sector and the specific actions firms are expected to take.

These letters are not merely advisory. The FCA has made clear that failure to act on the concerns raised constitutes a regulatory risk in its own right — firms that cannot demonstrate, when asked, that they have reviewed their practices against a Dear CEO letter and taken appropriate action will face additional scrutiny. Some firms have been required to submit attestations confirming compliance with specific aspects of these letters.

Key Themes from Recent Dear CEO Letters

  • Safeguarding: The FCA found that a significant proportion of authorised payment institutions and e-money institutions were not safeguarding customer funds correctly. Common failures included not reconciling safeguarded funds daily, inadequate documentation of safeguarding arrangements, and use of safeguarding accounts that did not meet regulatory requirements.
  • Financial crime: The FCA identified widespread weaknesses in financial crime frameworks across smaller payment firms, including inadequate transaction monitoring, absence of meaningful risk appetite frameworks, and failure to conduct adequate customer due diligence for higher-risk customers.
  • Governance: Multiple firms were found to have inadequate senior management accountability for compliance matters, with compliance functions under-resourced and lacking direct board access.

Attestations: Increased Personal Accountability

One of the most significant developments in FCA supervision is the increased use of attestations: formal statements by senior managers confirming that their firm complies with specific regulatory requirements. Attestations shift accountability from the firm to named senior managers, creating personal liability for regulatory failures.

Under the Senior Managers and Certification Regime (SM&CR), which applies to all FCA-authorised payment firms, senior managers already bear personal accountability for the activities within their prescribed responsibility. Attestations go further: they require a named individual to make a positive confirmation of compliance, at a specific point in time, on a specific issue. Providing a false attestation — knowingly or through gross negligence — can result in individual enforcement action, including financial penalties and prohibition from performing senior management functions.

Payment firms should expect attestation requests to increase. The FCA's use of attestations has expanded from a tool used in specific enforcement investigations to a routine supervisory mechanism. Firms need to ensure that their systems for verifying compliance are robust enough to support the preparation of credible, evidenced attestations before they are required to submit them.

Wind-Down Planning Requirements

The FCA's September 2024 Dear CEO letter on wind-down planning set out explicit expectations for payment firms to maintain credible, regularly tested wind-down plans. This requirement has become a significant operational focus across the sector. A wind-down plan must demonstrate that the firm can cease regulated activity in an orderly manner that protects customer funds, minimises disruption to payment systems, and allows the FCA and customers to have confidence that obligations will be met even in a failure scenario.

The FCA's minimum expectations for a wind-down plan include:

  • A realistic trigger analysis — what events would lead to a decision to wind down, and who has authority to make that decision
  • A detailed timeline showing the sequence of actions from wind-down trigger to final closure, with realistic time estimates for each step
  • A liquidity analysis demonstrating that the firm has sufficient financial resources to fund the wind-down process
  • A communications plan for customers, counterparties, and the FCA
  • A safeguarded funds return plan — how customer funds will be identified, segregated, and returned
  • Documentation of the plan sufficient for someone unfamiliar with the firm to execute it

Plans must be tested — either through a desktop simulation or, for larger firms, a more structured exercise involving senior management. The FCA expects plans to be reviewed and updated at least annually, and whenever there is a material change to the business model.

Compliance Programme Expectations

The FCA's supervisory expectations for payment firm compliance programmes have crystallised around several key dimensions. Firms that cannot demonstrate maturity in these areas face an elevated risk of supervisory intervention:

  • Three lines of defence: The FCA expects to see a genuine three-lines model, not a compliance function that is simultaneously first and second line. First-line ownership of compliance controls, second-line oversight and challenge, and third-line audit testing are all expected to be genuinely independent.
  • Compliance resourcing: Compliance functions must be adequately resourced for the risk profile of the firm. The FCA has been explicit that "we cannot afford more staff" is not an acceptable explanation for compliance failures in a growing payment business.
  • Board engagement: The FCA expects compliance matters to receive substantive board attention, not just annual reports. Board minutes should evidence genuine challenge and discussion of compliance risks, not routine sign-off of management reports.
  • Training: AML and financial crime training must be role-specific, regularly refreshed, and completion must be tracked. Generic annual e-learning is not sufficient for high-risk or customer-facing roles.
  • Regulatory change management: Firms must have a process for monitoring regulatory developments, assessing their impact, and implementing required changes within required timelines.

The message from the FCA is consistent: payment firms that want to operate in the UK market must invest in compliance infrastructure commensurate with their risk profile and growth trajectory. The supervisory scrutiny that was once reserved for banks has arrived for payment institutions. Firms that have not made this investment are likely to find themselves on the wrong end of a supervisory intervention in the months ahead.
