Regulatory scrutiny, higher operating costs weigh on European payment firms

Intensified regulatory scrutiny and higher operating costs are weighing on the European and UK payment service provider (PSP) sector and could drive market consolidation. Compliance and operating costs have grown, in part because regulators want PSPs’ “mind and management” to be based in the countries where they are licensed, along with some compliance and technology staff.

In addition, new UK rules governing scam repayments are another hurdle for PSPs to negotiate. If ineffectively managed, these risks could drive up costs and force weaker firms out of business.

Tougher authorisation process

UK regulators assessing payment firms’ licensing applications are paying greater attention to applicants’ business models and financial projections, and scrutinising policies and procedures, said Dmitrijus Apockinas, a designated partner at PSP Lab, a regulatory compliance, consulting and advisory firm specialising in fintech. UK regulators increasingly want to interview candidate firms’ management in person.

“Letʼs invite [them] for a face-to-face interview. Letʼs see how they answer the questions: do they really understand the business? Do they really have the knowledge that is required? And itʼs for a good reason: it costs the Financial Conduct Authority (FCA) much more (in respect of the human resources allocation) to cancel an authorisation than to issue a new one,” Apockinas said.

Ripe for consolidation

“Payments has been a huge growth area, because it is not as high risk as banking [in terms of investment],” said Jon Chertkow, a financial services partner at Hogan Lovells in London. “But cases like [the 2022 scandal involving German fintech] Wirecard make regulators nervous, and while that was fraud, there have been safeguarding and financial crime issues when they’ve looked [at payment businesses]. There has been an enhanced regulatory focus and regulators are looking at enforcing rules at payment firms more.”

The European and UK payments market is now ripe for consolidation, he added.

According to Apockinas: “The market is crowded if not already saturated, and there is a natural cleansing going on, which is forced by the regulators and market conditions. There are barriers, not just from the FCA, but from Visa, MasterCard, other payment schemes, and safeguarding banks.”

Licences pulled

There are currently about 661 electronic money institutions (EMIs) registered in the EU, and another 1,200 in the UK. Many PSPs have licences in multiple countries.

Last year alone, the FCA pulled 95 PSP licences for reasons ranging from firms not using the authorisation, to serious client money safeguarding controls. That included Transactive Systems, once a high-flyer, which lost its Lithuanian licence in 2023 after it was found to have violated anti-money laundering (AML) rules.

Contis Financial Services, an EMI licensed by the FCA, went into administration in January. It has closed its EU EMI business, after being fined 840,000 euros by the Bank of Lithuania in 2023 and put into monitorship by Germany’s Federal Financial Supervisory Authority (BaFin) for AML systems and controls failures.

The Lithuanian regulator also closed down Foxpay and Kevin EU in 2024 for compliance and AML failings.

On/offshore balancing act

The FCA wrote to payment firms this month setting out its priorities for the sector. In addition to familiar reminders about financial crime systems and controls and the new reimbursement requirements for authorised push payment (APP) fraud, the FCA said UK-licensed payment institutions and EMIs must have their head office in the UK and their senior managers should be based in that office.

It is not a new requirement, however, but now the UK regulator wants senior managers to be able to attend meetings at its offices and to verify where they are based, Apockinas said. The trend for remote working and offshoring means that firms’ management and staff are geographically dispersed. Firms need to find a balance between onshore and offshore staffing, because the cost of having everything in the UK is so high, he added.

“There should be a balance when it comes to insourcing, outsourcing, where the management is based, what are the governance, internal controls, and decision making, where and how the compliance functions are undertaken. Those are key priorities, so these functions must be based in the UK, and any European regulator will have the same approach,” Apockinas said.

Costly compliance upgrades

UK EMIs have been subject to many supervisory interventions — with 52 being hit with s166 skilled persons reviews since 2020, and 20 being subject to FCA-imposed requirements. These interventions often target weak compliance controls, which require expert guidance to implement upgrades. Start-ups failing to scale their compliance needs to their business growth is a recurring theme.

Investors tend to drive compliance upgrades as much, if not more, than regulators once shortcomings become evident, Hogan Lovell’s Chertkow said.

If PSPs do not use artificial intelligence (AI) for transaction monitoring, for example, compliance costs can be huge. However, some regulators do not encourage using tech for these purposes, Apockinas added.

Dutch PSP bunq, for example, took De Nederlandsche Bank (DNB) to court in 2022 to challenge the central bankʼs objection to using AI for AML compliance. The tribunal found bunq could use AI for AML compliance, but upheld the DNB’s findings that it did not comply with various AML rules.

Fraud repayments

UK payment firms have been subject to reimbursement arrangements for scams since an October 2024 ruling by the Payments Systems Regulator (PSR). These arrangements require all payments firms, even smaller ones, to repay scam victims for losses up to £85,000 within five working days of a claim, with the burden split between the sending and receiving institutions.

These requirements will be tough on smaller PSPs, said Uri Rivner, chief executive at Refine Intelligence, an Israel-based AML and anti-fraud compliance software company.

“I’m not sure if cost of controls is going to be the issue. If you are a small company, inbound payments are all good, money is coming in. Small fintechs haven’t fought scams before, especially on inbound payments. So that’s the problem and I think that’s why some of them will go out of business. Not because of the cost of getting a good model or some analysts, it’s the cost of actually reimbursing customers who complain,” Rivner said.

Criminals will target firms with the weakest controls, compounding the reimbursement costs of scams for those firms, he added.