FCA Investigations and Enforcement
Enforcement powers, penalties and appeal rights for payment service providers
FCA enforcement against payment firms carries serious consequences: financial penalties, public censure, loss of authorisation, and criminal prosecution. Payment institutions, electronic money institutions and payment system participants face FCA enforcement under three distinct statutory regimes, each with its own powers, procedures and appeal routes. With the proposed PSR/FCA consolidation transferring Payment Systems Regulator functions into the FCA, the enforcement framework for payments is converging into a single supervisory structure. Understanding how enforcement works, what triggers it, and how to respond is essential for any firm operating in the UK payments sector.
What statutory powers do the FCA and PSR have to investigate and enforce against payment firms?
The FCA enforces against payment service providers under three overlapping statutory regimes. Each grants distinct powers and applies to different categories of firm and conduct.
Under the Financial Services and Markets Act 2000 (FSMA 2000), the FCA has broad information-gathering powers (Part XI, sections 165-171), disciplinary powers including financial penalties and public censure (Part XIV, sections 205-206), and the ability to seek injunctions and restitution orders through the courts (Part XXV, sections 380-384). These powers apply to all FCA-authorised firms, including authorised payment institutions (APIs) and authorised electronic money institutions (AEMIs).
The Payment Services Regulations 2017 (PSRs 2017) contain a dedicated enforcement framework in Part 9 (regulations 108-117). Regulation 111 gives the FCA power to impose financial penalties on any payment service provider that contravenes a PSRs requirement. Regulations 113-114 provide powers of injunction and restitution mirroring FSMA. The FCA's Enforcement Guide chapter 19 (EG 19.20-19.22) confirms that PSRs investigations follow the same procedural framework as FSMA enforcement.
The Electronic Money Regulations 2011 (EMRs 2011) contain parallel enforcement provisions in regulations 48-58. These include financial penalties (reg 51), public censure (reg 50), and power to suspend or restrict authorisation (reg 52). The EMRs also create criminal offences: issuing electronic money without authorisation carries up to two years' imprisonment and an unlimited fine (regs 63-70).
The Payment Systems Regulator (PSR) operates a separate enforcement regime under Part 5 of the Financial Services (Banking Reform) Act 2013 (FSBRA 2013). The PSR regulates participants in designated payment systems, not individual payment institutions. Its enforcement powers include financial penalties (section 73), compliance directions (section 74), and publication of compliance failures (section 72). The PSR also has concurrent competition enforcement powers alongside the CMA.
A firm that is both an authorised payment institution and a participant in a designated payment system faces potential enforcement from both regulators simultaneously. HM Treasury has proposed consolidating the PSR into the FCA, with legislation expected in 2026 and operational integration already underway. For a detailed analysis of the consolidation and its implications, see our post on PSR/FCA consolidation.
Enforcement powers comparison
| Power | FCA (FSMA 2000) | FCA (PSRs 2017) | FCA (EMRs 2011) | PSR (FSBRA 2013) |
|---|---|---|---|---|
| Financial penalties | s206: unlimited | reg 111: unlimited | reg 51: unlimited | s73: unlimited |
| Public censure | s205 | reg 110 | reg 50 | s72 |
| Variation/cancellation of permissions | s55J-55L | reg 10-12 | reg 10-12 | s75 |
| Injunctions | s380-381 | reg 113 | reg 54-55 | Not available |
| Restitution | s382, s384 | reg 114 | reg 56 | Not available |
| Criminal prosecution | Various | Not directly | regs 63-70 | Not available |
| Skilled person reports | s166 | Via FSMA s166 | Via FSMA s166 | ss81-95 |
| Appeal route | Upper Tribunal (s133) | Upper Tribunal | Upper Tribunal | Competition Appeal Tribunal (s78) |
What triggers an FCA investigation into a payment institution?
FCA investigations into payment firms are typically triggered by specific supervisory concerns rather than routine inspection. The FCA is a risk-based regulator with limited resources and concentrates enforcement activity where it identifies the greatest harm to its statutory objectives of consumer protection, market integrity and competition.
The most common triggers for FCA enforcement against payment firms include safeguarding failures (where customer funds are not properly protected in accordance with PSRs 2017 regulations 23-25), anti-money laundering and financial crime control weaknesses (under the Money Laundering Regulations 2017), breaches of the Consumer Duty (now the FCA's primary conduct standard for retail-facing firms), operational resilience failures, and APP fraud reimbursement non-compliance (the PSR's mandatory reimbursement framework, effective October 2024, creates new enforcement exposure under FSBRA for payment system participants).
Investigations may also follow a section 166 skilled person review that identifies serious weaknesses, a whistleblower report, a pattern of consumer complaints, or a firm's failure to respond to supervisory requests under section 165 FSMA 2000. Thematic reviews across the payments sector (such as the FCA's ongoing work on safeguarding standards under PS25/12) can lead to firm-specific enforcement action where the review identifies individual failures.
Self-reporting a breach to the FCA does not prevent enforcement action but is treated as a mitigating factor under the penalty framework. The FCA expects firms to report significant breaches promptly under Principle 11 of its Principles for Businesses.
What does the FCA enforcement process look like for payment firms?
The FCA's enforcement process follows a structured sequence set out in its Enforcement Guide (EG) and Decision Procedure and Penalties Manual (DEPP). Payment services enforcement under PSRs 2017 and EMRs 2011 follows the same procedural framework as general FSMA enforcement (EG 19.20).
The process begins with a scoping phase, where the FCA carries out initial fact-finding. This may include a scoping visit to the firm, requests for information under section 165 FSMA, and a preliminary assessment of whether formal investigation is warranted. In some cases, the FCA commissions a section 166 skilled person report at this stage, at the firm's cost, to establish the factual position before deciding whether to proceed.
If the FCA decides to investigate, it appoints investigators under section 167 (general investigations) or section 168 (investigations in particular cases). Investigators have statutory powers to compel the production of documents, require attendance at interview, and in certain circumstances obtain warrants to enter premises. Failure to cooperate with an investigation is a criminal offence.
Following investigation, the case team prepares a recommendation. If enforcement action is recommended, the case is referred to the Regulatory Decisions Committee (RDC), an independent body within the FCA that decides whether to issue a warning notice. The firm has the opportunity to make written and oral representations to the RDC before a decision notice is issued.
At any stage before the RDC makes its decision, the firm can seek to settle. The FCA operates a graduated settlement discount scheme under EG 5: firms that settle during the scoping or investigation phase receive a 30% reduction in any financial penalty; later settlement attracts smaller discounts. The commercial logic of early settlement is straightforward, but it requires the firm to have a clear understanding of its exposure and a realistic assessment of the evidence.
After a decision notice, the firm has 28 days to refer the matter to the Upper Tribunal (Tax and Chancery Chamber). The Tribunal conducts a full merits review under section 133 FSMA and can vary, reduce or cancel the FCA's decision. An automatic stay prevents the FCA from implementing its decision while a reference is pending.
Typical timelines vary significantly. Straightforward cases may conclude within 12 to 18 months. Complex investigations involving multiple firms or cross-border elements can take three years or longer.
How does the FCA calculate penalties for payment service providers?
The FCA applies a five-step framework under DEPP 6 to determine financial penalties.
Step 1 assesses the seriousness of the breach on a scale of 0-20% of relevant revenue, considering the nature of the breach, whether it was deliberate or reckless, the duration of the non-compliance, and the impact on consumers or market integrity. Step 2 calculates the base penalty by applying the seriousness percentage to the firm's relevant revenue for the period of breach. Step 3 adjusts for mitigating factors (cooperation, remedial action, isolated breach) and aggravating factors (repeated non-compliance, deliberate concealment, harm to vulnerable consumers). Step 4 applies a further uplift if the FCA considers the penalty insufficient to deter the firm or the wider industry. Step 5 applies the settlement discount (up to 30% for early settlement).
There is no statutory maximum penalty. Beyond financial penalties, the FCA may impose public censure under section 205 FSMA (a published statement of the firm's failings), vary or cancel the firm's authorisation or registration, impose requirements restricting the firm's activities, and seek restitution for consumers. For EMIs, criminal prosecution for unauthorised issuance carries up to two years' imprisonment.
The PSR applies a separate penalty methodology under its Financial Penalty Scheme and Revised Penalty Statement 2023. While the PSR's approach shares the principle of proportionality, the calculation methodology and the decision-making body (the Enforcement Decisions Committee, not the RDC) differ from the FCA's framework.
How does PSR enforcement differ from FCA enforcement?
Payment system participants face a distinct enforcement regime under the PSR. Although the PSR/FCA consolidation will merge these regimes in due course, the current dual structure remains in effect and both sets of powers are actively exercised.
The PSR's jurisdiction covers participants in designated payment systems (Faster Payments, Bacs, CHAPS, LINK, Mastercard, Visa and others designated by HM Treasury under section 43 FSBRA). The FCA's jurisdiction covers individual payment service providers (payment institutions, EMIs, registered account information service providers). A firm may be subject to both.
Three structural differences are significant. First, enforcement decisions at the PSR are made by the Enforcement Decisions Committee (EDC), not the FCA's Regulatory Decisions Committee. The EDC comprises a pool of independent members, with three-member panels deciding individual cases. Second, appeals against PSR penalty decisions go to the Competition Appeal Tribunal under section 78 FSBRA, not the Upper Tribunal. The CAT applies a different standard of review (judicial review plus limited merits review) from the Upper Tribunal's full merits review. Third, the PSR has concurrent competition enforcement powers alongside the CMA, enabling it to investigate and penalise anti-competitive conduct within payment systems.
The PSR's mandatory APP fraud reimbursement framework (effective October 2024) creates a new layer of enforcement exposure: non-compliance with reimbursement requirements is a compliance failure under FSBRA section 73, subject to financial penalties. Post-consolidation, the FCA will inherit the PSR's enforcement powers under a new part of FSMA. HM Treasury has confirmed that the substance of PSR regulation is intended to survive the institutional merger.
What are section 166 skilled person reviews and voluntary requirements?
Before formal FCA enforcement proceedings, the FCA frequently uses softer supervisory tools that carry significant practical consequences for payment firms.
A section 166 FSMA skilled person report is an independent review commissioned by the FCA into a specific aspect of a firm's business. The FCA sets the scope, the firm pays the cost, and the skilled person reports directly to the FCA. In the payments sector, s166 reviews are commonly used to assess safeguarding arrangements, anti-money laundering controls, governance structures, and operational resilience. The firm cannot refuse a s166 review, and the findings frequently inform decisions about whether to proceed to formal enforcement.
The practical burden should not be underestimated. Skilled person reviews typically take six to twelve months, divert significant management time, and the FCA publishes data on s166 reviews and their outcomes through freedom of information responses.
Voluntary requirements (also known as VREQs) are consent-based restrictions that a firm agrees to accept without formal enforcement proceedings. A payment institution might agree to suspend onboarding new customers, ring-fence specific funds, appoint additional compliance personnel, or commission an external audit. VREQs are typically published on the FCA Register and are visible to the market. While formally voluntary, declining a VREQ when the FCA has signalled supervisory concerns typically leads to the FCA imposing the same restrictions compulsorily through an own-initiative variation of permission (OIVOP) under section 55J FSMA.
What rights does a payment firm have to challenge an FCA or PSR enforcement decision?
Payment firms have statutory rights to challenge enforcement decisions at every stage of the process, and the choice of appeal forum depends on which regulator has taken the action.
For FCA enforcement decisions (whether under FSMA, PSRs 2017 or EMRs 2011), the firm may refer the matter to the Upper Tribunal (Tax and Chancery Chamber) within 28 days of the decision notice (section 133 FSMA). The Tribunal conducts a full merits review, considering the case afresh on the evidence before it. It may vary, reduce or cancel the FCA's decision. Importantly, the FCA cannot implement its decision (including collecting a penalty) while a Tribunal reference is pending, under section 133(9) FSMA.
For PSR enforcement decisions under FSBRA, the appeal route is the Competition Appeal Tribunal under section 78 FSBRA. The CAT's jurisdiction encompasses both judicial review and limited merits review of the penalty amount. This is a narrower standard of review than the Upper Tribunal's full merits approach.
Before reaching the appeal stage, the firm has procedural rights within the enforcement process itself: the right to make written and oral representations to the RDC (or EDC for PSR cases) before a decision notice is issued, the right to access the evidence against it (subject to public interest immunity and third-party confidentiality), and the right to seek settlement at any stage. Early engagement with the process, understanding the evidential basis for the case, and realistic assessment of the firm's exposure are the foundations of effective representation.
Common enforcement triggers for payment firms
| Trigger | Primary regulator | Typical statutory basis | Typical outcome |
|---|---|---|---|
| Safeguarding failures | FCA | PSRs 2017 regs 23-25, EMRs 2011 regs 20-22 | Financial penalty, requirements, possible cancellation |
| AML/CTF control weaknesses | FCA | MLR 2017, FSMA Principle 3 | Financial penalty, s166 review, VREQ |
| Consumer Duty breaches | FCA | FCA Handbook PRIN 2A | Financial penalty, public censure, remediation |
| APP fraud reimbursement non-compliance | PSR | FSBRA s73, Specific Direction | Financial penalty, compliance direction |
| Unauthorised payment services or e-money issuance | FCA | PSRs 2017 reg 138, EMRs 2011 regs 63-70 | Criminal prosecution, injunction |
| Interchange fee non-compliance | PSR | Interchange Fee Regulation, FSBRA | Financial penalty |
| Operational resilience failures | FCA | FCA Handbook, FSMA | s166 review, VREQ, financial penalty |
| Misleading financial promotions | FCA | FSMA s21, FCA Handbook COBS | Financial penalty, public censure |
| Failure to cooperate with investigation | FCA | FSMA s177 | Criminal offence, separate penalty |
Key regulatory references
Primary legislation: Financial Services and Markets Act 2000 (Part XI investigations, Part XIV discipline, Part XXV injunctions and restitution). Payment Services Regulations 2017 (SI 2017/752) (Part 9 enforcement). Electronic Money Regulations 2011 (SI 2011/99) (regs 48-58 supervision and enforcement, regs 63-70 criminal offences). Financial Services (Banking Reform) Act 2013 (Part 5 PSR enforcement powers).
FCA guidance: FCA Enforcement Guide (EG), including EG 19.20-19.22 on payment services. Decision Procedure and Penalties Manual (DEPP), including DEPP 6 penalty framework. FCA Enforcement Information Guide.
PSR guidance: PSR Powers and Procedures Guidance (September 2024). PSR Financial Penalty Scheme. PSR Revised Penalty Statement 2023.
Appeal routes: Upper Tribunal (Tax and Chancery Chamber) (FCA decisions). Competition Appeal Tribunal (PSR decisions).
Facing an FCA or PSR investigation into your payments business?
Frequently asked questions about FCA investigations and FCA enforcement
Can the FCA investigate a small payment institution?
Yes. Small payment institutions (SPIs) registered under PSRs 2017 regulation 14 are subject to FCA enforcement powers under Part 9 of the PSRs. SPIs must comply with the same conduct and AML requirements as authorised payment institutions, and the FCA can impose financial penalties, cancel registration, or pursue criminal prosecution for operating without registration.
What is the difference between a section 165 request and a section 166 review?
A section 165 request is a statutory demand for specific information or documents. Non-compliance is a criminal offence. A section 166 review requires the firm to appoint an independent skilled person (at the firm's cost) to report to the FCA on a particular aspect of the firm's business. Section 165 gathers evidence; section 166 provides an independent assessment.
How long does an FCA investigation typically take?
Straightforward cases may conclude within 12 to 18 months from the scoping phase to final notice. Complex investigations, particularly those involving multiple firms, cross-border elements or contested proceedings before the Upper Tribunal, can take three years or longer. The FCA publishes average investigation timelines in its annual enforcement data.
Does self-reporting a breach to the FCA prevent enforcement action?
No. The FCA can and does take enforcement action against firms that self-report. However, self-reporting is treated as a mitigating factor under DEPP 6.5.3G and may reduce the financial penalty. The FCA expects firms to report significant breaches promptly under Principle 11.
What happens to PSR enforcement powers after the FCA/PSR consolidation?
HM Treasury has confirmed that the substance of PSR regulation will survive the institutional merger. PSR enforcement powers under FSBRA 2013 will transfer to the FCA under a new part of FSMA 2000. Firms currently supervised by the PSR should expect continuity of regulatory obligations, with changes to reporting lines and supervisory contacts. See our post on PSR/FCA consolidation for a detailed analysis.
Can the FCA prosecute individuals as well as firms for payments offences?
Yes. The EMRs 2011 create criminal offences for issuing electronic money without authorisation (reg 63), punishable by up to two years' imprisonment. Under FSMA 2000, the FCA can pursue individuals for misleading statements (section 89). The FCA can also take action against individuals who are knowingly concerned in regulatory contraventions by authorised firms (FSMA 2000, s.66).
What is the settlement discount and when should a firm consider settling?
The FCA operates a graduated settlement discount under EG 5: up to 30% reduction in the financial penalty for early settlement (during scoping or investigation), reducing for later settlement. The decision to settle requires a clear understanding of the firm's exposure, the strength of the FCA's evidence, and the commercial consequences of a contested process. Early legal advice on the settlement calculus is essential.
Is a voluntary requirement (VREQ) truly voluntary?
In form, yes. In practice, the FCA typically signals that if the firm does not accept a VREQ, it will impose the same restrictions compulsorily through an own-initiative variation of permission (section 55J FSMA). VREQs are published on the FCA Register. A firm that accepts a VREQ avoids the cost and uncertainty of contested proceedings but accepts the reputational impact of a published restriction.
Related payments regulation pages
See also our other payments regulation pages:
- Authorisation and Licensing
- Open Banking and Variable Recurring Payments
- PSR and Scheme Governance
- Safeguarding and Consumer Duty
- E-Money Regulation and EMI Compliance
- Operational Resilience and DORA
For information about our engagement models, see How We Work. If you are currently facing or anticipating a regulatory investigation, see Investigations and Enforcement Support.
Independent directory rankings
Our specialist expertise is recognised in major independent legal directories:
- Chambers & Partners: Rob Bratby is ranked as a band 2 lawyer in the UK Guide 2026 in the “Telecommunications” category: Chambers
- The Legal 500: Rob Bratby is listed as a “Leading Partner – Telecoms” in London (TMT – IT & Telecoms): The Legal 500
- Lexology: Rob Bratby is featured on Lexology’s expert profiles as a Global Elite Thought Leader for data: Lexology
