Bratby Law advises on payments authorisation for financial technology firms, payment institutions, electronic money institutions, and established regulated firms managing variation applications. Our focus is on helping applicants secure FCA authorisation under the Payment Services Regulations 2017 and the Electronic Money Regulations 2011. Rob Bratby holds a General Counsel appointment at UK Payments Initiative Limited, providing direct insight into regulated payments operations.

When does authorisation become an issue?

Payments authorisation becomes a pressing question at distinct moments in a payments business lifecycle. When a fintech startup is building a product designed to hold or transmit customer funds, regulatory status is not optional: the FCA has clear powers to take action against unauthorised activity, and the question shifts from “do we need authorisation?” to “how do we structure this to get it?” When a business model straddles the regulatory perimeter, the boundaries are often unclear. A firm offering cashback, invoice financing or cross-border settlement may believe it operates outside the Payment Services Regulations, but FCA interpretation is not always obvious and unauthorised operation carries serious consequences.

Authorisation is equally important for established regulated firms. A PI or EMI that wants to expand into new customer segments, new payment types, or new geographies must apply to vary its permissions. A financial services group acquiring a regulated payments business faces an immediate question about post-acquisition integration and whether the target’s authorisation conditions need to be re-opened. Private equity investors evaluating a payments platform need to understand the regulatory contingencies affecting valuation and exit options. In each case, getting professional advice early is far cheaper than discovering regulatory problems late.

Why payments authorisation matters now

The FCA’s approach to payments authorisation has become demonstrably more rigorous. Data published by the FCA and analysed by industry bodies including Adempi shows that approximately 78 percent of payments applications face rejection or withdrawal. The FCA has responded by publishing video guides setting out its expectations on common failure points, signalling a shift toward expecting higher quality applications on first submission. Firms can no longer treat the authorisation process as iterative negotiation; applications that fall short of regulatory standards are simply rejected.

PS25/12, which takes effect on 7 May 2026, introduces new safeguarding requirements for authorised payment firms. These rules are not changes to take effect after authorisation: applicants must demonstrate operational safeguarding readiness as part of their application. The FCA will assess whether your proposed systems, processes and controls actually work before permission is granted. The timeline for consolidating the PSR with the FCA’s rulebook (targeted for the end of 2026) also means regulatory expectations may shift again, placing early-stage applicants on more solid ground than late arrivals. Consumer Duty, meanwhile, applies from day one of authorisation. Your financial promotion, product design, customer communications, and complaints handling must all meet Consumer Duty standards from the moment you become authorised.

Where applicants get it wrong

The FCA’s rejection data reveals consistent patterns in application failure. Many firms submit policies that are generic and templated, reading as though the regulatory text has been copied into a Word document and reformatted. These policies fail to explain how the firm will actually implement the regulatory obligation in its own business model. They do not show that the applicant understands the regulation or has thought through what compliance looks like in practice. Similarly, business plans often lack clarity on the regulatory perimeter. They describe what the business does but not why it is or is not a regulated activity. When the FCA asks a follow-up question, applicants struggle to explain the regulatory framework underlying their answer.

Senior management arrangements are another common failure point. Applicants sometimes nominate individuals with insufficient regulatory experience or with undisclosed disciplinary history. The FCA will check individuals against the Financial Conduct Authority’s Register and against international registers. Regulatory experience need not be deep, but it must be real and honest. Risk assessment is often misdirected. Many applicants focus on operational risks to the firm (system downtime, fraud loss) when the FCA requires assessment of risks to customers and to financial stability. Finally, many applications treat authorisation as a compliance checkbox: a form to be completed and submitted, rather than an exercise in demonstrating operational readiness. Authorisation is not a credential or a badge. It is a permission granted by the FCA only when the FCA is satisfied that the firm will conduct its business in accordance with the law, treating its customers fairly and managing risks to financial stability.

What good looks like

Strong authorisation applications start with regulatory perimeter analysis, not with drafting the application form. Before committing to a business model, you should understand what activities trigger the Payment Services Regulations, where the boundaries sit, and what permissions you will need. The business plan must articulate regulatory obligations in operational terms. It should explain what “compliance” means for your specific business: if you must protect customer funds, how will you do it, who is responsible, how will you monitor it? Policies must be bespoke. A templated policy that does not address your specific business model, customer segment, risk profile and technology will not satisfy the FCA. Senior management arrangements must be stress-tested before submission: the individuals nominated must have demonstrated regulatory competence, relevant experience in payments, and clean disclosure history.

Your safeguarding approach must be designed as an operational system, not written as a policy document after the fact. This is especially important from 7 May 2026, when PS25/12 takes effect. The FCA will want to see that you have thought through how customer funds will physically and operationally be protected, and that you have appointed or arranged the relevant entities and controls before making the application. Bratby Law’s approach draws on direct operating experience. Rob Bratby holds a General Counsel appointment at UK Payments Initiative Limited, giving real insight into how regulated payment firms manage these obligations from the inside. This is not theoretical knowledge; it is derived from working within a regulated payments firm on live day-to-day challenges.

When to instruct a payments authorisation specialist

Firms can and should manage internal compliance monitoring themselves. But FCA authorisation is a one-shot exercise. Getting it wrong costs time (reapplication delays), money (legal costs, remodelling), and credibility (the FCA remembers poor applications). The single most important rule is to instruct early: before you have committed capital to building a product, not after you have built it and realised it requires authorisation. Specialist input adds most value at four critical junctures: perimeter analysis (deciding whether your business model requires authorisation, and if so, what permissions); application drafting (framing your business plan and policies in language and structure the FCA expects); FCA engagement (translating FCA information requests into clear, responsive answers); and post-authorisation setup (building compliance infrastructure for the permissions you have been granted).

How Bratby Law helps with payments authorisation

Regulatory perimeter analysis. We map your proposed activity against the Payment Services Regulations and Electronic Money Regulations to determine what permissions you need, what exemptions might apply, and what the practical implications are for your business model. This analysis often shapes product design and business structure.

FCA authorisation and registration applications. We draft applications for payment institution authorisation, small payment institution registration, and EMI authorisation. We handle the submission, manage correspondence with the FCA, and respond to information requests with clarity and precision.

Business plan and regulatory documentation. We work with your team to produce a business plan that articulates regulatory obligations in operational language, draft policies that are bespoke rather than templated, and create governance documentation that demonstrates control and accountability.

Senior management arrangements and governance. We advise on the individuals to nominate in senior management roles, help prepare disclosure statements and CVs that present regulatory experience accurately, and design governance structures that satisfy the FCA’s expectations on responsibility and control.

Safeguarding design and implementation. We design safeguarding systems before the application is made, advising on fund protection mechanisms, third-party engagement, and operational controls. This is especially important under the new requirements taking effect in May 2026.

Post-authorisation compliance setup. After the FCA grants permission, we help establish compliance infrastructure: policies for the permissions you hold, governance arrangements aligned with your permissions, monitoring and reporting frameworks, and change procedures for variations and breaches of conditions.

Variations and changes in control. If you need to vary your permissions, your business plan comes under review again. We advise on variation applications, changes to senior management, and regulatory reporting obligations when ownership or control changes hands.

Frequently asked questions about payments authorisation

Do I need FCA authorisation to provide payment services?

If you transmit customer funds, process payments on behalf of customers, or issue electronic money, you almost certainly need FCA authorisation unless you fall within a specific exemption. The Payment Services Regulations define regulated activities broadly. Even if you believe you operate outside the Regulations, if you handle customer funds or payment data, you should take specialist advice. Operating without required authorisation is a criminal offence under the Proceeds of Crime Act and attracts civil enforcement action by the FCA.

What is the difference between a payment institution and an electronic money institution?

A payment institution is authorised under the Payment Services Regulations to provide payment services (processing payments, operating accounts, issuing instruments). An EMI is authorised under the Electronic Money Regulations to issue electronic money, which is a prepaid monetary value stored electronically that can be spent with merchants. The choice depends on your business model. If you are building a prepaid wallet or stored value product, EMI regulation typically applies. If you are providing payment processing or account services, PI regulation applies. Some businesses need both authorisations.

How long does the FCA authorisation process take?

The FCA has a statutory deadline of 90 working days to make a decision on a complete and well-drafted application. In practice, most applications face information requests that pause the clock whilst you provide additional material. Well-prepared applications with clear documentation can reach decision in 6 to 9 months. Poor quality applications can take 18 months or longer, or be withdrawn and resubmitted. The quality of your application is the dominant factor in timescale.

Can I operate as a small payment institution to avoid full authorisation?

Small payment institution registration is available under the Payment Services Regulations if your payment transactions stay below an annual threshold (currently EUR 3 million). SPI registration is a lighter-touch regime with fewer regulatory requirements. However, you must notify the FCA before commencing business, you still have compliance obligations (safeguarding, complaints, anti-money laundering), and if you exceed the threshold you must apply for full PI authorisation. SPI is suitable only for very small, low-risk operations.

What are the new safeguarding requirements for authorised firms?

PS25/12 introduces enhanced safeguarding requirements effective 7 May 2026. Firms must segregate customer funds in designated bank accounts or with a custodian, monitor segregation daily, and reconcile holdings regularly. New applicants must demonstrate readiness to meet these standards as part of their authorisation application. Existing firms must comply by the deadline or vary their permissions accordingly. The requirements have significant implications for your banking relationships and operational systems.

Why do so many FCA applications fail?

The FCA rejects or withdraws approximately 78 percent of payments applications. Common reasons include generic policies that regurgitate regulatory text without explaining how the applicant will comply, business plans that lack clarity on regulatory boundaries, senior management with insufficient experience or undisclosed history, risk assessments focused on business risk rather than customer risk, and inability to answer FCA follow-up questions clearly. The FCA has published video guides to help applicants improve quality. The best protection is specialist advice at application design stage.

Should I apply for authorisation or registration?

The choice depends on the size and risk profile of your business. Small Payment Institution registration is available if your annual payment transactions are under EUR 3 million and you meet certain conditions. For larger operations or higher-risk activities, you will need full PI or EMI authorisation. You cannot choose registration simply to avoid authorisation: the Regulations determine which regime applies. Take specialist advice to determine which regime fits your business model.

When should I engage a specialist payments lawyer?

Engage early: ideally before you have locked in a business model or committed capital to product development. A specialist lawyer can help you navigate regulatory perimeter questions at the design stage, saving costly remodelling later. For applications, instruct well before your anticipated submission date. If you are already operating and think you may need authorisation, seek advice immediately to understand your regulatory exposure. The cost of early advice is almost always lower than the cost of late intervention.

Related payments regulation pages

See also our other payments regulation pages:

• Payments Regulation
• Open Banking and Variable Recurring Payments
• PSR and Scheme Governance
• Operational Resilience and DORA
• Safeguarding and Consumer Duty
• E-Money Regulation and EMI Compliance

Independent directory rankings

Our specialist expertise is recognised in major independent legal directories:

• Chambers & Partners: Rob Bratby is ranked as a band 2 lawyer in the UK Guide 2026 in the “Telecommunications” category: Chambers
• The Legal 500: Rob Bratby is listed as a “Leading Partner – Telecoms” in London (TMT – IT & Telecoms): The Legal 500
• Lexology: Rob Bratby is featured on Lexology’s expert profiles as a Global Elite Thought Leader for data: Lexology