EMI / PI Regulatory Maturity Framework

Score your regulatory compliance maturity as an EMI or PI across capital adequacy, safeguarding, regulatory reporting, wind-down planning and governance — with a gap analysis and remediation priorities.

How to Use This Framework

Authorised e-money institutions (EMIs) and payment institutions (PIs) operate under a comprehensive FCA regulatory framework that covers capital adequacy, safeguarding of customer funds, AML/KYC compliance, operational resilience, and regulatory reporting. Supervisory visits and thematic reviews increasingly focus on the quality of a firm's systems and controls, not just the existence of policies.

This framework evaluates your finance and compliance function against the five areas of FCA regulation that generate the most supervisory findings: capital adequacy, safeguarding, compliance framework, operational risk, and regulatory reporting. Score each question: 2 = fully in place, 1 = partially in place, 0 = not in place.

Regulatory note: This framework is a self-assessment tool and does not constitute legal or regulatory advice. Gaps identified by this framework should be discussed with your compliance officer and legal counsel. Certain deficiencies — particularly in safeguarding and capital adequacy — may require immediate remediation and FCA notification.

Assessment

Area 1: Capital Adequacy

Q1. Is the own funds calculation performed at least monthly, using the correct methodology for your authorisation type (fixed amount, payment volume, or average outstanding e-money)?

2 — Fully in place: own funds calculated monthly using the FCA-prescribed methodology; calculation documented and reviewed by the CFO; reconciles to management accounts 1 — Partially in place: own funds calculated but the methodology is not fully documented or has not been validated against the FCA handbook requirements since authorisation 0 — Not in place: own funds calculation is not performed regularly; capital adequacy position is unknown or based on an incorrect methodology

Q2. Does the firm maintain a capital buffer above the regulatory minimum, with a defined internal minimum threshold that triggers a board escalation?

2 — Fully in place: internal minimum threshold set above the regulatory minimum; board escalation procedure documented; buffer level reported monthly to the board 1 — Partially in place: a buffer is maintained but the internal threshold is informal; no documented escalation procedure if the buffer is breached 0 — Not in place: own funds are managed to the regulatory minimum without a buffer; any adverse movement risks a breach; no escalation procedure

Q3. Is there a formal capital monitoring process that projects own funds forward at least 12 months under base and stress scenarios?

2 — Fully in place: 12-month capital forecast under base and stress scenarios updated quarterly; integrated with the financial model; reviewed by the board annually 1 — Partially in place: capital is monitored monthly but forward projection is not formalised; stress scenario analysis has not been performed 0 — Not in place: no forward capital projection; the firm does not have visibility of its capital position beyond the current month

Q4. Is a wind-down capital plan maintained, with a documented estimate of the costs of an orderly wind-down of the regulated business?

2 — Fully in place: wind-down plan with cost estimate maintained and reviewed annually; own funds include an explicit wind-down buffer; plan reviewed by legal counsel 1 — Partially in place: wind-down plan exists but the cost estimate has not been updated in over 12 months or has not been reviewed by legal counsel 0 — Not in place: no wind-down plan; wind-down costs have not been estimated and are not reflected in the capital adequacy calculation

Area 2: Safeguarding

Q5. Is 100% of relevant funds safeguarded at all times, with the safeguarding balance reconciled to the sum of relevant funds daily?

2 — Fully in place: daily reconciliation of safeguarded balance to relevant funds; shortfalls identified and remediated same day; reconciliation records maintained for 5 years 1 — Partially in place: reconciliation performed but not daily; or shortfalls are remediated with a delay; reconciliation methodology has not been formally documented 0 — Not in place: 100% safeguarding is not maintained; reconciliation is performed weekly or less frequently; the firm is at risk of an FCA breach

Q6. Are relevant funds held in a safeguarding account at an approved bank or covered by an approved insurance policy from an approved insurer?

2 — Fully in place: safeguarding account at a UK-authorised credit institution; account designated as a safeguarding account; institution meets the FCA creditworthiness requirements 1 — Partially in place: funds held at an approved bank but the account is not formally designated as a safeguarding account; or the creditworthiness assessment has not been performed 0 — Not in place: relevant funds are not held in a formally designated safeguarding account or at an institution that meets FCA requirements

Q7. Has an annual safeguarding audit been completed by an external auditor, with findings documented and remediated?

2 — Fully in place: annual safeguarding audit completed; auditor's report received; all findings closed or on a documented remediation plan; audit submitted to FCA if required 1 — Partially in place: safeguarding audit has been completed but findings have not been fully remediated; or the audit is overdue by less than 6 months 0 — Not in place: no safeguarding audit has been completed; or the last audit identified material findings that have not been addressed

Q8. Is the safeguarding reconciliation methodology formally documented and tested, with a clear process for identifying and resolving shortfalls?

2 — Fully in place: written safeguarding methodology covering all relevant fund types; shortfall identification and resolution procedure documented; methodology reviewed by auditor 1 — Partially in place: reconciliation is performed consistently but the methodology is not formally documented; relies on institutional knowledge of a single individual 0 — Not in place: safeguarding methodology is undocumented; the reconciliation approach varies and has not been validated against the FCA safeguarding requirements

Area 3: Compliance Framework

Q9. Is a formal compliance monitoring programme in place, with scheduled reviews of key regulatory obligations and findings reported to the board?

2 — Fully in place: annual compliance monitoring plan covering all regulated activities; scheduled reviews completed on time; findings reported to board quarterly; action plans tracked 1 — Partially in place: a compliance programme exists but reviews are not completed to schedule; findings are not formally reported to the board with action tracking 0 — Not in place: no formal compliance monitoring programme; compliance is managed reactively rather than through a systematic annual review cycle

Q10. Is an MLRO (Money Laundering Reporting Officer) appointed, with appropriate experience and sufficient time allocated to the role?

2 — Fully in place: MLRO formally appointed and approved by the FCA; adequate time allocated; MLRO annual report submitted to board; deputy MLRO identified for continuity 1 — Partially in place: MLRO appointed but the role is performed on a part-time basis by someone with other significant responsibilities; FCA approval may not be current 0 — Not in place: no formal MLRO appointment; AML oversight is informal; the firm is in breach of its regulatory obligation to have a nominated officer

Q11. Are AML/KYC policies documented, current, and reflective of the firm's actual customer base and risk appetite?

2 — Fully in place: AML policies updated within the last 12 months; risk-based approach documented; enhanced due diligence procedures defined; policies reviewed by legal counsel 1 — Partially in place: AML policies exist but have not been updated for over 12 months; may not reflect changes to the customer base, product, or regulatory guidance 0 — Not in place: AML policies are generic, borrowed, or materially out of date; the risk-based approach has not been tailored to the firm's actual operations

Q12. Is the SAR (Suspicious Activity Report) reporting process documented, with staff training completed and a record of all SARs submitted?

2 — Fully in place: SAR procedure documented; all relevant staff trained; SAR register maintained; tipping-off procedures understood; NCA portal access confirmed 1 — Partially in place: SAR process exists but staff training is not up to date; or the SAR register has not been maintained systematically 0 — Not in place: no documented SAR procedure; staff are not trained on when and how to report; the firm has not registered with the NCA portal

Area 4: Operational Risk

Q13. Is a documented incident response plan in place, covering technology failures, safeguarding breaches, and FCA notification obligations?

2 — Fully in place: incident response plan covering operational, financial, and regulatory incident types; FCA notification thresholds defined; plan tested annually 1 — Partially in place: incident plan exists but does not cover all incident types; FCA notification obligations are not clearly mapped to incident categories 0 — Not in place: no formal incident response plan; the firm would not know how or when to notify the FCA in the event of a material incident

Q14. Is a complete and current outsourcing register maintained, with due diligence records for all material outsourced arrangements?

2 — Fully in place: outsourcing register covering all material arrangements; due diligence documented; exit plans maintained; annual review of all material outsourcers completed 1 — Partially in place: key outsourcing arrangements identified but the register is not comprehensive; due diligence records are incomplete for some arrangements 0 — Not in place: no outsourcing register; the firm does not have a complete view of its third-party dependencies and associated regulatory obligations

Q15. Is key person risk mitigated with documented succession plans and cross-training for all critical regulated functions?

2 — Fully in place: succession plans for MLRO, CFO, and compliance officer; cross-training documented; FCA-approved persons can be replaced without a significant operational gap 1 — Partially in place: key person risk acknowledged but succession planning is informal; loss of one or two individuals would create a significant operational and regulatory risk 0 — Not in place: no succession planning; critical regulatory functions are entirely dependent on a single individual with no cover arrangement

Q16. Is a business continuity plan (BCP) in place that has been tested within the last 12 months and covers the firm's critical regulated activities?

2 — Fully in place: BCP covering all critical functions; tested within 12 months; test results documented; recovery time objectives defined for regulated activities 1 — Partially in place: BCP exists but has not been tested recently or does not explicitly cover all regulated activities; recovery time objectives are not defined 0 — Not in place: no BCP; the firm has no documented plan for maintaining regulated activities in the event of a significant operational disruption

Area 5: Regulatory Reporting

Q17. Is REP-CORA (or the applicable FCA capital adequacy return) filed on time and with data that reconciles to the management accounts?

2 — Fully in place: REP-CORA filed on time for every period; underlying data reviewed and signed off by the CFO; reconciliation to management accounts documented 1 — Partially in place: filed on time but the data quality review is informal; reconciliation to management accounts has not been performed or is not documented 0 — Not in place: REP-CORA has been filed late, with incorrect data, or not filed; the FCA has been notified or should have been notified

Q18. Has the annual report and accounts been submitted to the FCA within the required timeframe?

2 — Fully in place: annual report submitted within the FCA deadline for each year since authorisation; submission confirmed in RegData; no late filing breaches 1 — Partially in place: annual report has been submitted but one or more submissions were late; FCA was notified and the breach was resolved without formal action 0 — Not in place: annual report has not been submitted on time; outstanding submissions have not been resolved; FCA enforcement risk

Q19. Is there a documented process for identifying, assessing, and notifying material changes to the FCA under SUP 15?

2 — Fully in place: SUP 15 notification obligations documented; responsibility assigned; change events assessed against notification thresholds before implementation 1 — Partially in place: the notification obligation is understood but the process for identifying notifiable changes is informal; risk of inadvertent non-notification 0 — Not in place: SUP 15 obligations are not formally managed; material changes may have been implemented without FCA notification; retrospective review recommended

Q20. Is all FCA correspondence (supervisory letters, Dear CEO letters, thematic review requests) logged, responded to on time, and held on file?

2 — Fully in place: FCA correspondence log maintained; all responses filed on time; Dear CEO letters assessed and response documented; RegData submissions tracked 1 — Partially in place: correspondence is responded to but not systematically logged; some historical correspondence may be missing from the compliance file 0 — Not in place: FCA correspondence is not systematically managed; responses may have been missed or delayed; no central log of all FCA interactions

Your Score

0 / 40

Answer questions above to see your result

Important: Any score of 0 in capital adequacy or safeguarding should be treated as an immediate priority. These are the two areas where FCA supervisory action is most likely to result in formal enforcement. Do not defer remediation of 0-scores in these areas.

EMI / PI Regulatory Maturity Framework

How to Use This Framework

Assessment

Area 1: Capital Adequacy

Area 2: Safeguarding

Area 3: Compliance Framework

Area 4: Operational Risk

Area 5: Regulatory Reporting

Build a regulatory finance functionthe FCA expects to see.

Build a regulatory finance function
the FCA expects to see.