Principles for Financial Markets Infrastructure Pay.UK Self-Assessment Bacs and Faster Payments

Although all reasonable efforts have been made to ensure that information contained in this Disclosure Document is accurate and complete as of the date of this document, Pay.UK does not make any representation or warranty as to the accuracy and completeness of this information. This document and all the information contained herein are provided for information purposes only. Nothing in this document is intended to constitute legal, business, financial or operational advice or advice of any other nature and therefore Pay.UK does not accept liability for any errors or omissions or for the use of information that may be contained herein.

Contents

Executive summary
Summary of major changes since the previous disclosures
1. The Self-Assessment Methodology
1.2 Summary of ‘broadly observed’ ratings
2.0 Pay.UK Governance
2.1 Pay.UK’s Legal and Regulatory Framework
2.2 Pay.UK’s Vision and Purpose
3.0 An Overview of Bacs and FPS
3.1 The Current Direct Participants in Bacs and FPS
3.2 Bacs System Design and Operations
3.3 FPS System Design and Operations
4. Principle by Principle Narrative Disclosure
4.1 Principle 1 - Legal Basis
4.2 Principle 2 - Governance
4.3 Principle 3 - Framework for the Comprehensive Management of Risks
4.4 Principle 4 - Credit Risk
4.5 Principle 5 - Collateral
4.6 Principle 7 - Liquidity Risks
4.7 Principle 8 - Settlement Finality
4.8 Principle 9 - Money Settlements
4.9 Principle 13 - Participant default rules and procedures
4.10 Principle 15 - General Business Risk
4.11 Principle 16 - Custody and Investment Risks
4.12 Principle 17 - Operational Risks
4.13 Principle 18 - Access and Participation Requirements
4.14 Principle 19 - Tiered Participation Arrangements
4.15 Principle 21 - Efficiency and Effectiveness
4.16 Principle 22 - Communication Procedures and Standards
4.17 Principle 23 - Disclosure of Rules, Key Procedures, and Market Data


Pay.UK Limited is a company limited by guarantee, incorporated in England. Company Registration Number: 10872449 Registered Office: 2 Thomas More Square, London, E1W 1YN Email: [email protected]

Executive summary

This is Pay.UK’s first self-assessment against the Principles for Financial Market Infrastructures (PFMIs) since taking on responsibility as the operator of the Bacs and Faster Payment Service (FPS) payment systems. As such, the reporting period (1 May 2018 to 30 April 2019) covered a period of significant transition.

Pay.UK Limited (‘Pay.UK’), previously known as the New Payment Systems Operator Limited (NPSO), was incorporated on 18 July 2017 as a not-for-profit company limited by guarantee. In May 2018 Pay.UK acquired Bacs Payments Service Limited (BPSL) (operator of the Bacs Payment System) and Faster Payments Service Limited (FPSL) (operator of the FPS Payment System). This was followed by Cheque and Credit Clearing Company Limited (C&CCC) (operator of the Paper Cheque and Image Clearing System) and UK Payments Administration in July 2018.

This assessment is in relation to Pay.UK as the operator of the Bacs and FPS payment systems as recognised under the Banking Act 2009. Pay.UK has agreed with the Financial Markets Infrastructure Directorate (FMID) of the Bank of England that the Paper Cheque and Image Clearing System is out of scope for this assessment as it is not recognised as a systemically important payment system. BPSL and FPSL (collectively referred to as the previous operators throughout this document) are in scope of this assessment. The activities and responsibilities of the previous operators have now been absorbed into Pay.UK.

During the past year Pay.UK has focussed on establishing itself as the operator for non-card, non-cash retail interbank payments in the UK. This work has included:

- The design and implementation of a new Target Operating Model (TOM), which Pay.UK continues to embed.
- The transfer of staff under TUPE [1] into the new operating model.
- A new “Foundation Strategy” establishing objectives and plans for Pay.UK together with Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs).
- An integrated Business Continuity and Incident Management Framework, which includes Disaster Recovery Plans.
- The creation of the Pay.UK Enterprise Risk Management Framework.
- Execution of two section 195 (Banking Act 2009) reviews (which were Financial and FPS incident management elaborate), with implementation of recommendations in progress.
- Implementation of a new funding model.
- Development of the Pay.UK Financial Recovery Plan.
- The development of projects such as New Payments Architecture (NPA), Confirmation of Payee (CoP) and Request to Pay (RtP).
- The novation of system-critical agreements from the previous operators to Pay.UK.

Pay.UK has consolidated the activities of the previous operators into one organisation. A significant amount of time has been allocated to scoping, creating and starting the process on embedding new ways of work.

The Central Infrastructure (CI) for Bacs and FPS remains outsourced to a key supplier (formally 2003 for Bacs, and 2008 for FPS). The supplier has provided the CI for Bacs since 1968 when Bacs was initially set up. As stated above, the underlying agreements have been novated from the previous operators to Pay.UK. Pay.UK has established a close relationship with the supplier, enabling the monitoring of their operations. Pay.UK has inherited comprehensive contracts, which include control requirements and specific Service Level Agreements (SLAs) commensurate with the activities undertaken. During this reporting period Pay.UK has continued to work closely with the supplier, developing a more co-ordinated approach to resilience and robustness elaborate. Ongoing changes and updates to the CI of Pay.UK’s supplier are implemented with appropriate testing and communications with Participants and Service Users.

1 Transfer of Undertakings (Protection of Employment) Regulations 2006

Alongside operating the existing payment systems, Pay.UK is undertaking a programme to deliver the NPA. The NPA is a new conceptual model for the future development of the UK’s shared retail payment infrastructure. Pay.UK’s NPA Programme will include delivery of a core clearing and settlement infrastructure that supports the wider evolution of the existing ecosystem. As part of the programme, Pay.UK is testing and validating the conceptual design of the CI implied, to confirm that robustness and resilience are maintained, whilst addressing user detriments by supporting an ecosystem that fosters competition and innovation.

Pay.UK began the procurement process for the core clearing and settlement infrastructure in late 2018 and it has now issued a Request for Information (RFI). This process will run through the summer and autumn of 2019. During this period Pay.UK will use the information, together with feedback from a joint solutioning activity and other stakeholder engagements, to determine an appropriate timeframe for the Request for Procurement (RFP). Pay.UK will also actively engage with both the Bank of England and the Payment Systems Regulator (PSR) throughout the process to fulfil Pay.UK’s regulatory requirements.

Summary of major changes since the previous disclosures

As stated above, the activities and responsibilities of the previous operators have now been absorbed into Pay.UK. A summary of the changes is included in the Executive Summary.

Pay.UK has already harmonised some common processes including Governance, Risk Management, Finance, Internal Audit and Human Resources. Where different responses are required for the two payment systems, this has been made clear within the report.

1. The Self-Assessment Methodology

This assessment has been completed for the reporting period and follows the template provided within the PFMI Disclosure Framework and Assessment Methodology (the Framework).

Pay.UK is still in its first year as a fully functioning organisation, so it’s not yet possible for it to demonstrate a track record of all the FMI principles being fully embedded over a sustained period of time. As such, there are a number of principles (summarised in section 3) that we have self-assessed as being ‘broadly observed’ rather than “observed”. We anticipate that further maturity of these processes over the coming year will enable Pay.UK to self-assess as fully-observed in a year’s time.


The Framework describes and defines the four assessment ratings.

The assessment criteria

Ratings and rating definitions:

- Observed (Green): The FMI observes the principle. Any identified gaps and shortcomings are not issues of concern and are minor, manageable and of a nature that the FMI could consider taking them up in the normal course of its business.
- Broadly observed (Yellow): The FMI broadly observes the principle. The assessment has identified one or more issues of concern that the FMI should address and follow up on in a defined timeline.
- Partly observed (Amber): The FMI partly observes the principle. The assessment has identified one or more issues of concern that could become serious if not addressed promptly. The FMI should accord a high priority to addressing these issues.
- Not observed (Red): The FMI does not observe the principle. The assessment has identified one or more serious issues of concern that warrant immediate action. Therefore, the FMI should accord the highest priority to addressing these issues.

For each of the applicable principles, Pay.UK rated itself against each principle to reflect the assessment criteria. The table below provides a summary of the assessment ratings.

Assessment Category and Principles

Observed:
- 1 Legal Basis
- 2 Governance
- 3 Framework for the comprehensive management of risks
- 4 Credit Risk
- 5 Collateral
- 7 Liquidity Risk
- 8 Settlement Finality
- 9 Money Settlements
- 13 Participant-default rules and procedures
- 16 Custody and investment risks
- *22 Communication procedures and standards
- 23 Disclosure of rules, key procedures and market data

Broadly Observed:
- 15 General Business Risk
- 17 Operational Risks
- 18 Access and Participation Requirements
- 19 Tiered Participation Arrangements
- 21 Efficiency and Effectiveness

Partly Observed: None

Not Observed: None

*This principle is not applicable to the Bacs System


1.2 Summary of ‘broadly observed’ ratings

Principle and broadly observed ratings summary:

- 15 - General Business Risk: Pay.UK recognises that it is still building its capital reserves. Pay.UK has plans in place to build its capital reserve to equal at least six months of its current operating expenses. Earlier this year Pay.UK provided FMID with a plan for achieving the defined level of capital reserve which it has proposed to accumulate over a three year period. Pay.UK is expecting a response from FMID on the proposed capital requirements and rate of build.
- 17 - Operational Risks: Pay.UK is undertaking deep dives on Technology risk and End to End Resiliency. The assessment reflects Pay.UK’s status in embedding and updating Risk and Control Self-Assessments (RCSA) as well as creating and testing Business Continuity and Incident Management plans.
- 18 - Access and Participation Requirements: Pay.UK is consolidating its access and participation requirements and is addressing a number of challenges to implementing the FPS aggregator model.
- 19 - Tiered Participation Arrangements: Pay.UK has a process in place for identifying, monitoring and managing material risk as highlighted in Principle 3. However, Pay.UK is working towards an integrated process for the analysis of the maximum output volumes to an Agency bank in relation to sponsoring Participant volumes, and the analysis of the maximum settlement values for an Agency bank in relation to sponsoring Participant volumes.
- 21 - Efficiency and Effectiveness: The Pay.UK transformation journey outlined within this report is an ongoing evolution. Pay.UK’s strategic priorities are set over the next three years 2019 - 2021. At the time this document was prepared, Pay.UK was still within its first year as a fully functional organisation, so it will be difficult for it to demonstrate the full benefits of the strategy and how it has been efficient and effective in meeting the requirements of its Participants and the market it serves. The strategy will evolve over time as the organisation continues to develop.

Pay.UK is the operator of retail payment services. The principles listed below are not applicable to Pay.UK as they only apply to Central Counterparty Clearing Houses (CCPs), Wholesale or foreign exchange payment services.

Principles Not Applicable

- 6 Margin
- 10 Physical Deliveries
- 11 Central Securities Depositories
- 12 Exchange of Value Settlement Systems
- 14 Segregation and Portability
- 20 FMI Links
- 22 Communication procedures and standards (Not applicable to Bacs only)
- 24 Disclosure of Market Data by Trade Repositories


2.0 Pay.UK Governance

Pay.UK has clearly defined governance arrangements. The Pay.UK Board (Board) follows the principles of the UK Corporate Governance Code, the Financial Reporting Council’s (FRC) Guidance on Board Effectiveness and the Bank of England’s Supervisory Statement SS51/16 Corporate Governance: Board Responsibilities. The Board retains all decision-making powers and functional responsibilities except those delegated to Pay.UK Committees (Committees), the Chief Executive Officer (CEO) or other individuals, in line with its Delegation of Authorities. Day-to-day operations are delegated to the CEO, who chairs the Executive Committee (ExCo). Figure 1 provides an overview of the Board and its Committees.

Figure 1 – Overview of Board and Committees

The response provided within Principle 2 Governance specifies additional information about the Committees, which are accountable to the Board; this does not relieve the Board of any of its responsibilities.

2.1 Pay.UK’s Legal and Regulatory Framework

Supervision of Pay.UK is undertaken by FMID, and the PSR. Pay.UK is also subject to competition laws, specifically the Competition Act 1998 and Enterprise Act 2002. The PSR has concurrent competition powers along with the Competition and Markets Authority (CMA), and is therefore the most likely competition authority to intervene with respect to the payment systems activities of Pay.UK. The Financial Conduct Authority (FCA) (which also has concurrent competition powers) and the CMA (as the lead national competition authority) may also intervene in some circumstances where the need arises.


Bacs and FPS have been designated (and continue to meet designation requirements) under the EU Settlement Finality Directive (SFD) and UK implementing regulations (the Financial Markets and Insolvency (Settlement Finality) Regulations 1999, or SFRs, as amended from time to time). Both Bacs and FPS are payment systems recognised by HM Treasury in accordance with section 184 of the Banking Act 2009 and are designated by HM Treasury in accordance with section 44 of Financial Services (Banking Reform) Act 2013 (‘FSBRA’).

2.2 Pay.UK’s Vision and Purpose

Pay.UK’s vision is “to be the leading retail payments authority, delivering best in class infrastructure and standards for the benefit of people everywhere”. The Board considered the Payment System Operator Delivery Group (PSODG) recommendations for Pay.UK to act as the operator for Bacs and FPS. The Board has approved Pay.UK’s core purpose, which is “to support a vibrant UK economy enabling a globally competitive payments industry through the provision of robust, resilient, collaborative retail payment services, rules and standards for the benefit, and meeting the evolving needs, of all users”.

Pay.UK will deliver its vision and purpose by:

- “Driving more participation and involvement in payments so payment service providers are competing and innovating solutions which respond to customer needs, driving better service and value for end users”.
- “Being the guardians and pioneers of payments, modernising the payments ecosystem and ensuring that companies and individuals participate in payments according to the standards and rules which Pay.UK will set”.
- “Ensure that participation is reliant on Standards and Rules which enable interoperability, alignment and fairness so that payment providers, businesses and individuals can provide payment solutions, apps and facilities to help people in the UK have more control and more benefits from making payments”.


3.0 An Overview of Bacs and FPS

Bacs processes automated bulk retail payments. It is a means to make payments (through Direct Credit) such as salaries, pensions, benefits and supplier payments, and to collect payments (through Direct Debit) such as regular scheduled consumer payments for utilities, insurance, mortgages and subscriptions. Over 6.4 billion [2] Bacs transactions were processed in 2018 and 79% of UK adults have at least one Direct Debit commitment, with 73% of household bills paid this way. Over 90% of the UK workforce is paid via Bacs Direct Credit, which is also used to make one billion welfare payments per annum.

FPS is a deferred net settlement payment system which processed over 2.0 billion payments in 2018 [3]. It is a fully cash collateralised near real-time 24x7 payment system. FPS enables mobile, internet, telephone and standing order payments to move quickly and securely, almost at the touch of a button, 24 hours a day. At its launch in 2008, FPS was the first new payments service to be introduced in the UK for more than 20 years.

3.1 The Current Direct Participants in Bacs and FPS

As of 30 April 2019, we have 25 Direct Participants in Bacs and 33 Direct Participants in FPS (of which two are Directly Connecting Non-Settling Participants).

Direct Participant Bacs FPS

The Access Bank UK Ltd x x

Atom Bank PLC x x

AIB Group UK PLC x

BoE as Participant & SSP x

Bank of Scotland x

Barclays Bank PLC x x

Barclays Bank UK PLC x x

BFC Bank Limited x

CitiBank N.A x x

Clearbank Limited x x

Clydesdale Bank PLC x x

Coutts and Company x

2 Source: https://www.bacs.co.uk/documentlibrary/payuk_record_volumes_infographic.pdf
3 Source: http://www.fasterpayments.org.uk/statistics


The Co-Operative Bank PLC x x

Credec Limited x

Ebury Partners UK Ltd x

Elavon Financial Services DAC x

HSBC UK Bank PLC x x

HSBC Bank PLC x x

ipagoo LLP x x

LHV x

Lloyds Bank PLC x x

Metro Bank x

Monzo Bank Limited x

National Westminster Bank PLC x x

National Westminster Bank PLC trading as Bó x

Nationwide x x

Northern Bank Limited x x

Paynet Limited x

PrePay Technologies Limited (t/as PrePay Solutions) x

Santander UK PLC x x

Spectrum Payment Services Limited x

Starling Bank Limited x x

The Royal PLC x

Transferwise Limited x

Turkish Bank (UK) Limited x x

TSB Bank PLC x x

Virgin Money PLC x x


In addition, over 400 institutions access FPS via agency arrangements through one or more Participants. Over 30 Indirect Participants access Bacs via agency arrangements through one or more Direct Participants. This includes approximately 750 Commercial Bureaux and approximately 60 Accredited Facilities Management Providers. The Accredited Facilities Management Providers facilitate 100,000+ Service Users and around 50,000 have direct payment submission access to the Bacs system.

3.2 Bacs System Design and Operations

Bacs operates on a three-day processing cycle, which is summarised below.

- Day 1 - Input of payment messages by Participants, their customers, and bureaux. Input can take place ahead of Day 1 in accordance with submitter requirements; it is then stored (“warehoused”) and retrieved for processing on the required day. Receipt of input reports by submitters occurs on the day of input.
- Day 2 - Processing of input and warehoused submissions. Output of payment details to Participants (and some agencies).
- Day 3 - Settlement at the Bank of England. Application of individual payments to customer accounts.

The core components of the Bacs service are listed below and access is controlled using ‘Public Key Infrastructure’ security protocols.

Bacstel-IP Service

This is the main access channel used by Participants to interface with the Bacs service. Service users can connect to Bacstel-IP using the internet or other connectivity methods such as an extranet.

Bacstel-IP is accessed by service users via Bacs Approved Software. Approval of software by Pay.UK operations confirms that all software used to connect to the Bacstel-IP service meets a minimum set of standards and performs the minimum set of functions needed to submit data and receive reports.

Enhanced Transmission Service (ETS)

This channel supports service users and Payment Service Providers (PSPs) sending inputs (credit and debit payment information applicable to customers, and related reports) and PSPs collecting outputs (credits and debits to be applied to their customers’ accounts, and related reports).

SWIFTNet Transmission Service (STS)

STS uses the SWIFT service for connectivity and routing, enabling PSPs to reuse existing SWIFT infrastructure to connect to Bacs, and delivering the same Bacs functionality as ETS.

Bacs Payment Services Website (PSW)

The PSW is the main user interaction portal for the Bacs service, and is used by service users, Direct and Indirect Participants to manage customer account data. Participants are able to receive reports relating to their use of the Bacs service and manage breaches of value limits.

Bacs Payments and Associated Messages

Direct Debits and Direct Credits

A Direct Credit or Direct Debit payment item is a transaction, in a standard format (Standard 18), containing payment amount, credit and debit account details, as well as originator and submitter details (the submitter may be a bureau acting on behalf of one or more third-party originators). The submitter transmits encrypted files containing these payment items to the Infrastructure Supplier, where they are authenticated (to check they are from a valid user) and their content is validated. They are then routed to receiving Participants (Bacs Direct Participants and some Indirect Participants such as agency banks), who apply them to the destination accounts.

Transactions between all Participants are totalled at the end-of-day and the final net position for each Bacs Participant is sent to the Settlement Service Provider (Bank of England) for settlement.

Direct Debit Instructions (DDI)

DDIs are sent by the service user to the payer’s PSP as the authority to pay Direct Debits from the payer’s account. The Automated Direct Debit Instruction Service (AUDDIS) enables organisations to send new DDIs to their customers' PSP electronically through Bacs, instead of in paper format. AUDDIS automates the transfer of DDIs from collecting organisations to the paying PSPs via Bacs. With AUDDIS, the organisation keeps the original signed DDI and electronically sends the details to the customers' PSP to validate and, if accepted, set up the Instruction on its database.

Transfer of Direct Debit and Direct Credit advice information for consumers; these transfers form part of the Current Account Switch Service (CASS), which was introduced in September 2013 to enable customers to transfer their current account to a new bank in seven days. Direct Debit instructions can be amended from time to time, either by the originator, or by a bank/building society in line with the Direct Debit Guarantee.

3.3 FPS System Design and Operations

FPS supports the following payment types; all are credit (push) payments.

- Single Immediate Payments (SIPs)
- Forward Dated Payments (FDPs)
- Standing Order Payments (SOPs)
- DCA Corporate Bulk Payments (DCAs)
- Return Payments

The latter two payment types are generated by the Receiving Participant and the CI retrospectively. These return payments relate to payments that cannot be applied to an eligible account or cannot be processed on to the receiving bank.

Clearing Timetable

The system clears about 95% of SIPs and FDPs in Near Real Time (NRT) 24 hours a day, 7 days a week, 365 days a year. The remaining 5% relate to payments being made to non-current accounts or sent to Indirect Participants that may not operate 24/7. These payments are applied to the beneficiary account within timescales compliant with the Payment Services Regulations 2017.

Standing Order Payments (SOPs)

SOPs are cleared only on ‘Working Days’ which are defined as Monday to Friday excluding English Bank Holidays. SOPs are always cleared within a single working day, so that the Originating Customer is debited on the same day that the Beneficiary Customer is credited. In most cases, Standing Orders are cleared by 06:00.

Settlement Prefunding

FPS is a Deferred Net Settlement (DNS) system where customer payments are cleared instantly but values owed by each Participant are netted together by the CI and settlement occurs at the Bank of England Real Time Gross Settlement (RTGS) system three times a day at 07.00, 13.00 and 17.00 Monday to Friday excluding English Bank Holidays.

Since September 2015, the service has worked on a ‘pre-funded’ basis where all Participants in FPS leave a cash deposit sufficient to cover their own net transactions in a segregated, interest-bearing account at the Bank of England called the Reserve Collateralisation Account (RCA). These deposits underpin the net flows of payments between each Participant and will only ever be used to settle the obligations of Participants if they get into financial difficulties.
This means that there is no credit or liquidity risk within settlement. The process is governed by a legally binding agreement called the Reserve Collateralisation Account Agreement (RCAA).

Pre-Funded Settlement is managed utilising Multilateral Net Sender Caps (MNSCs) that are backed in full by a lodgement of cash collateral in the RCAs at the Bank of England. The MNSCs are under the control of Pay.UK and structurally designed to equal the total payments that all Participants and their sponsored or Indirect Participants have received and accepted, less the total value of all payments that all Participants and their Indirect Participants have submitted and that have been accepted. As payments pass through, the Participant positions in relation to the caps are updated by debiting the sender Participant Position and crediting the receiving Participant Position, subject to there being adequate headroom to complete the debit transaction.

Participants utilise a Net Sender Threshold, which alerts them electronically if they are within a pre-determined percentage of their MNSC. This threshold is controlled by each Participant.

Settlement takes place when the CI sends a SWIFT MT298 settlement message to the Bank of England and an Unsolicited Message (USM) to each Participant informing them of how much they are obliged to pay or due to receive in the settlement. After a pre-determined period the Bank of England settles, and returns a settlement complete message to the CI, which informs Participants that settlement is complete via a USM. All Participants settle or no Participants settle; there is no partial settlement. If a Participant was unable to settle, due to liquidity or solvency problems, the RCAA would be activated and the failing Participant’s RCA would be used to cover any liabilities.
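The cap mechanics described above can be followed in a simplified model, added here as an illustration and not Pay.UK's or the Central Infrastructure's code. The class and method names, the integer-pence amounts, the 80% alert level and the "RTGS"/"RCA" labels are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class Participant:
    name: str
    cap: int              # MNSC in pence; assumed fully backed by cash in the RCA
    alert_pct: int = 80   # Net Sender Threshold, chosen by the participant (assumed value)
    position: int = 0     # accepted receipts minus accepted sends since last settlement

    @property
    def headroom(self) -> int:
        """Value the participant can still send before reaching its cap."""
        return self.cap + self.position


class ClearingCycle:
    """Tracks positions against caps between two settlement times (hypothetical model)."""

    def __init__(self, participants):
        self.participants = {p.name: p for p in participants}
        self.alerts = []  # (participant name, percent of cap in use)

    def submit(self, sender: str, receiver: str, amount: int) -> bool:
        """Accept a payment only if the sender has adequate headroom."""
        if amount <= 0 or sender == receiver:
            raise ValueError("amount must be positive and parties distinct")
        s = self.participants[sender]
        r = self.participants[receiver]
        if amount > s.headroom:
            return False                      # rejected: would breach the cap
        s.position -= amount                  # debit the sender position
        r.position += amount                  # credit the receiver position
        used = -s.position                    # net sent value, if positive
        if used > 0 and used * 100 >= s.cap * s.alert_pct:
            self.alerts.append((sender, used * 100 // s.cap))
        return True

    def settle(self, unable_to_settle=frozenset()):
        """Net settlement: every obligation is met, from RTGS funds or from the RCA."""
        positions = [p.position for p in self.participants.values()]
        if sum(positions) != 0:
            raise RuntimeError("positions do not net to zero")
        result = {}
        for p in self.participants.values():
            if p.position < 0:
                # The cap check guarantees the debit never exceeds the collateral.
                if -p.position > p.cap:
                    raise RuntimeError("net debit exceeds collateralised cap")
                source = "RCA" if p.name in unable_to_settle else "RTGS"
            else:
                source = None                 # net receiver or flat
            result[p.name] = (p.position, source)
            p.position = 0                    # headroom is restored after settlement
        return result


def demo():
    # Constructed sample: three participants with caps of 1,000 / 500 / 200 pounds.
    cycle = ClearingCycle([
        Participant("A", cap=100_000),
        Participant("B", cap=50_000),
        Participant("C", cap=20_000),
    ])
    cycle.submit("A", "B", 70_000)
    cycle.submit("A", "C", 15_000)            # A is now at 85% of its cap
    cycle.submit("A", "B", 20_000)            # rejected, only 15,000 headroom left
    cycle.submit("B", "A", 30_000)
    cycle.submit("C", "A", 35_000)            # C uses 100% of its cap
    return cycle.alerts, cycle.settle(unable_to_settle={"C"})


if __name__ == "__main__":
    print(demo())
```

Because a payment is rejected whenever it would take the sender past its cap, a participant's net debit at settlement can never exceed the cash lodged behind that cap, which is why the failing participant's obligation in the sample is still met in full.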


4. Principle by Principle Narrative Disclosure

The following section provides a detailed summary of the narrative for all the principles that are applicable to Pay.UK. The responses have been provided in accordance with the key considerations detailed against the relevant principles.

4.1 Principle 1 - Legal Basis

Legal Basis Rating: Observed FMI should have a well-founded, clear, Summary: transparent, and enforceable legal basis This principle is observed. Pay.UK’s legal basis is achieved by Pay.UK being properly established and for each material aspect of its activities in having legal agreements with Participants of the Bacs and FPS systems. The legal status of Pay.UK is all relevant jurisdictions. explained in section 1.3 below:

  o Pay.UK’s rules, procedures and agreements are clear, understandable, and consistent with the applicable laws and regulations under which Pay.UK operates.
  o As part of its transformation programme, Pay.UK novated its main agreements with Bacs and FPS Participants from BPSL and FPSL to Pay.UK Limited with effect from 1 March 2019.
  o The Bacs and FPS rules and procedures are accessible directly on the Bacs and FPS websites (as appropriate, on extranets accessible to Participants).
  o All agreements are signed by all relevant parties.

Key Consideration 1.1: What are the material aspects of the FMI’s activities that require a high degree of legal certainty (for example, rights and interests in financial instruments; settlement finality; netting; interoperability; immobilisation and dematerialisation of securities; arrangements for DvP, PvP or DvD; collateral arrangements (including margin arrangements); and default procedures)?

Pay.UK Assessment:
• The material aspects that require a high degree of legal certainty are: settlement finality, netting, collateral arrangements, and default procedures.
• Pay.UK’s agreements with Participants address default procedures, responsibilities and liabilities of Participants, eligibility criteria for new Participants, withdrawal of Participants’ rights, suspension and exclusion of existing Participants, and financial contributions of Participants, in particular:
  o The Settlement Agreement between Bacs and its Participants defines the net amount that is owed by or owed to each Participant each settlement day, known as the “Single Amount” (clause 5). The Single Amount is due for settlement on the “Due Date” (clause 6.1).
  o For FPS, the Participation Accounts Agreement between FPS and its Participants defines the net amount that is owed by or owed to each Participant each settlement cycle, known as the “Single Amount”. The Single Amount is due for settlement on the “Due Date” at the “Settlement Time” each “Settlement Cycle” (clause 3.2(e)(iii)).

Key Consideration 1.2: An FMI should have rules, procedures, and contracts that are clear, understandable, and consistent with relevant laws and regulation.

Pay.UK Assessment:
• Pay.UK’s agreements with Participants:
  o Are enforceable (specific legal opinions are sought in relation to the enforceability of legal agreements with Participants based outside of the EU and, going forward and in light of Brexit, outside the UK).
  o Are drafted, reviewed, and supported on an ongoing basis by lawyers.
  o Are signed by all relevant parties.
  o Are consistent with applicable English law and regulatory requirements.
  o Are complemented by Payment System Rules and appropriate processes.
• All of Pay.UK’s main agreements for Bacs and FPS have been reviewed during the course of 2018/19, in each case after appropriate consultation with relevant stakeholders (Direct Participants, FMID, and the PSR as appropriate):

Key Consideration 1.3: An FMI should be able to articulate the legal basis for its activities to relevant authorities, Participants, and, where relevant, Participants’ customers, in a clear and understandable way.

Pay.UK Assessment:
Pay.UK’s operations are entirely conducted in the United Kingdom (UK) and it provides settlement for GB Sterling transactions in the UK. It does not provide clearance and settlement for non-GB Sterling Transactions. All activities are articulated in a clear and understandable manner and relevant stakeholders are consulted where applicable.

Key Consideration 1.4: An FMI should have rules, procedures, and contracts that are enforceable in all relevant jurisdictions. There should be a high degree of certainty that actions taken by the FMI under such rules and procedures will not be voided, reversed, or subject to stays.

Pay.UK Assessment:
• Bacs and FPS operate within the UK and under English law; therefore, all legal agreements are governed by English law, with jurisdiction in the English courts.
• All Participants must sign agreements before they are on-boarded and whenever agreements are updated or revised.
• Although the strict enforceability of the rules, procedures and agreements of Bacs and FPS cannot be tested until a party chooses to challenge them in the courts, Pay.UK is as confident as it can be as to the enforceability of its rules, procedures and agreements.
• In addition, the enforceability of the Bacs and FPS rules, procedures and agreements is further supported by these documents having originally been drafted by external counsel, and reviewed by Pay.UK in-house counsel and by Participants (and their legal departments) in 2018/19.

Brexit related settlement finality points
• As part of the European Union Withdrawal (Brexit) preparations, Pay.UK reviewed all of its current Bacs and FPS Direct Participants to identify the extent to which they participate in Pay.UK systems through UK-incorporated subsidiaries versus passported UK branches of EU/EEA-incorporated entities. Pay.UK has appropriate mitigation activities in place where required.

Key Consideration 1.5: An FMI conducting business in multiple jurisdictions should identify and mitigate the risks arising from any potential conflict of laws across jurisdictions.

Pay.UK Assessment:
• Bacs and FPS do not conduct their business in multiple jurisdictions; all business is conducted in the UK.


4.2 Principle 2 - Governance

Governance: An FMI should have governance arrangements that are clear and transparent, promote the safety and efficiency of the FMI, and support the stability of the broader financial system, other relevant public interest considerations, and the objectives of relevant stakeholders.

Rating: Observed

Summary: This principle is observed. Pay.UK’s internal governance has been established during the reporting period during which the previous operators were acquired and consolidated into Pay.UK. Pay.UK is focussed on maintaining clear and transparent governance arrangements, which confirm that decision-making takes appropriate account of stakeholder feedback, as needed, in particular:
• Payment Systems Rules have been updated and issued to reflect the new funding arrangements that took effect from 1 January 2019, and then the new corporate governance and decision-making frameworks that took effect from 1 March 2019.
• The Board has approved specific Delegations of Authority over specific matters to Board Committees or individuals, while reserving some matters for itself. The Delegations of Authority are reviewed annually to confirm that they continue to function appropriately.
• Committees have Terms of Reference (ToR) which set out roles and responsibilities, as well as reporting lines into the Board. The objectives governing the financial stability of Pay.UK are set within Pay.UK’s Corporate KPIs.

Key Consideration 2.1: An FMI should have objectives that place a high priority on the safety and efficiency of the FMI and explicitly support financial stability and other relevant public interest considerations.

Pay.UK Assessment:
• Pay.UK’s strategic framework was initially recommended by the PSODG and after careful consideration and challenge by the directors it has been amended and adopted by the Board.
• Pay.UK’s strategy articulates its role as the market catalyst and highlights its priorities for the next three years. These priorities are expected to evolve over time with the changing dynamics of the organisation and the payments ecosystem in which Pay.UK operates.
• Pay.UK’s objectives include the need to be “Robust and Resilient”, “Efficient” and “End User Focused”, which requires Pay.UK to confirm the safety and efficiency of the FMI whilst acting in the wider public interest.
• Pay.UK has financial stability of the organisation embedded in its corporate KPIs and these will be used to track its related objectives.

Key Consideration 2.2: An FMI should have documented governance arrangements that provide clear and direct lines of responsibility and accountability. These arrangements should be disclosed to owners, relevant authorities, Participants, and, at a more general level, the public.

Pay.UK Assessment:
Governance Arrangements
• The Board operates in accordance with Pay.UK’s articles of association, rules, policies and good practice to confirm it is compliant with UK company law and any relevant codes of practice.
• The Board adheres to the principles as set out in the UK’s Corporate Governance Code, FRC, whilst adhering to the Bank of England’s requirements for the governance of financial market infrastructure operators.
• A description of the Pay.UK governance arrangements is published on its website https://www.wearePay.UK/who-we-are/.
• From their acquisition by Pay.UK both BPSL and FPSL have been wholly-owned subsidiaries. The Pay.UK Board reserved to itself all decision-making powers, except where, and to the extent, it specifically delegated decisions to the Boards of BPSL and FPSL and/or to the General Managers of Bacs and FPS.
• From 1 March 2019:
  o The revised Bacs and FPS payment system rules reflecting the new corporate governance and decision-making frameworks took effect.
  o The Board membership, ToR and redacted minutes are disclosed on the Pay.UK website.
  o The Board has approved specific Delegations of Authority over specific matters to Board committees or individuals in the CEO who has further delegated authority to other specific roles within the company, while the Board has reserved some matters for itself. The Delegations of Authority will be reviewed at the end of Q2 to confirm that they are functioning appropriately.
  o All Committees have terms of reference which set out roles and responsibilities, as well as reporting lines into the Board.
  o The Committees include:
    - the Risk Committee
    - the Audit Committee
    - the Finance Committee
    - the Nomination Committee
    - the Remunerations Committee
    - the NPA Committee
    - the Security Sub-Committee of the Risk Committee
    - the Managed Services Committee
    - the Legal, Governance and Standards Committee
    - Other special purpose Committees or councils which may be set up and maintained as deemed necessary by the Board, such as that required by the CASS governance arrangements.

Key Consideration 2.3: The roles and responsibilities of an FMI’s board of directors (or equivalent) should be clearly specified, and there should be documented procedures for its functioning, including procedures to identify, address, and manage member conflicts of interest. The board should review both its overall performance and the performance of its individual board members regularly.

Pay.UK Assessment:
Roles and Responsibilities of the Board
• The roles and responsibilities of the Board of Directors are articulated within its Terms of Reference.

Conflicts of Interest
• The Guarantors of Pay.UK are drawn from a wide range of stakeholders including Participants. This represents a major change from the previous operators which were owned by Participants only. The Board is designed to be free from conflicts of interest (see key consideration 2.4 below). None of the directors are appointed by the Participants. The majority of directors are independent and all the Committees are chaired by an Independent Non-Executive Director.

• A register of directors’ conflicts is maintained. At each Board meeting each director present declares direct or indirect interests in the proposed transactions or items to be considered at the meeting in accordance with section 177 of the Companies Act 2006 and the Company’s Articles of Association. All staff and directors are required to comply with Pay.UK Policy on Conflict of Interest.

Review of Board Performance
• The Pay.UK Chair and Senior Independent Director (SID) are responsible for carrying out and commissioning a review for each of the directors. The SID is also responsible for reviewing the performance of the Chair. During this reporting period Pay.UK has undertaken one internal review of the Board’s effectiveness and has engaged an external organisation to review, the output of which will be considered by the Board and will be reported to FMID.

Key Consideration 2.4: The board should contain suitable members with the appropriate skills and incentives to fulfil its multiple roles. This typically requires the inclusion of non-executive board member(s).

Pay.UK Assessment:
• The Board is comprised of 12 directors, including an Independent Chair, 2 Executive Directors (the Chief Executive Officer and the Chief Operating Officer), a Senior Independent Non-Executive Director, 6 Independent Non-Executive Directors, and 2 Non-Executive Directors.
• The Board and all Board Committees have access to subject matter experts who attend meetings and provide advice as needed.
• The Chief People Officer has prepared a skills matrix which has been reviewed by the Board and is used to map current capability and to inform areas of development. The skills matrix determines whether the Board as a collective have the right combination of industry knowledge, diversity and independence.

Key Consideration 2.5: The roles and responsibilities of management should be clearly specified. An FMI’s management should have the appropriate experience, a mix of skills, and the integrity necessary to discharge their responsibilities for the operation and risk management of the FMI.

Pay.UK Assessment:
• All management team responsibilities are clearly specified within role profiles, which set out the individual responsibilities of the management team.
• The role profiles are designed to ensure that the management team has the appropriate mix of skills and knowledge. These profiles include behavioural requirements to enable the management team to focus on “How” it works rather than just on “What it needs to achieve”, thereby ensuring integrity.
• The People Directorate is launching “Ways of Working” for leaders to provide training and insight to leaders in terms of responsibilities and approach.
• Pay.UK intends to launch a new approach to goal setting and management during the course of 2019 which will move from an annual approach to a much more rigorous and ongoing focus on delivery against objectives.

Key Consideration 2.6: The board should establish a clear, documented risk management framework that includes the FMI’s risk-tolerance policy, assigns responsibilities and accountability for risk decisions, and addresses decision making in crises and emergencies. Governance arrangements should ensure that the risk management and internal control functions have sufficient authority, independence, resources, and access to the board.

Pay.UK Assessment:
The Board
• The Board meets monthly and is chaired by an Independent Non-Executive Director (the Chair).
• The Board has approved the Pay.UK Enterprise Wide Risk Framework which includes statements and policies on:
  o Risk-tolerance policy.
  o Responsibilities and accountability for risk decisions.
  o Decision making during continuity or resiliency events including crises and emergencies.
  o Limits of Authority.
• The Chief Risk Officer (CRO) reports to the Board each month on the top risks and threats facing Pay.UK. The CRO also meets individually with the Chair each month.

Risk Committee
• The Risk Committee meets monthly, ahead of the Board meeting. It is chaired by a Board Independent Non-Executive Director (iNED) and is governed by the Risk Committee Terms of Reference, which were endorsed by the Board and provided to FMID as part of the Pay.UK response to the section 204 information request.
• The Risk Committee is responsible for ensuring the effective management and reporting on Pay.UK’s overall risk profile. This involves advising the Board on the setting of the risk appetite and tolerance; risk identification, assessment, mitigation, and monitoring; risk breaches; internal controls; and oversight of the risk management function.
Risk Executive Committee (Risk ExCo)
• The Risk ExCo meets monthly, ahead of the Risk Committee meeting. It is chaired by the CRO and governed by agreed Terms of Reference. The Risk ExCo reviews the key risks and issues from across the individual payment systems and key functions and programmes (IT, Security and NPA) in the form of Key Risk Dashboards.

Risk Management
• Principle 3 provides in-depth information about the Pay.UK Enterprise Risk Management Framework (ERMF).

Key Consideration 2.7: The board should ensure that the FMI’s design, rules, overall strategy, and major decisions reflect appropriately the legitimate interests of its direct and indirect Participants and other relevant stakeholders. Major decisions should be clearly disclosed to relevant stakeholders and, where there is a broad market impact, the public.

Pay.UK Assessment:
• The Board is also supported by two advisory groups, the Participant Advisory Council (PAC) and the End User Advisory Council (EUAC).
• The End User and Participant Advisory Councils were established on a representative basis and with agreed Terms of Reference to advise and provide constructive challenge to Pay.UK’s Board. EUAC met for the first time in March 2018 and PAC in June 2018. Further information on both Councils can be found on the Pay.UK website at https://www.wearePay.UK/who-we-are/.
• The advisory councils enable the Board to remain sufficiently informed about the wider ecosystem, which helps reduce the risk of any unintentional “groupthink”, and helps to appropriately reflect the legitimate interests of Pay.UK’s various stakeholders. The two separate councils help to enable the Board to understand the separate views of End Users and Participants, and to identify where there is consensus or tension.
• The advisory councils are independent in their construct and representation, with no identified conflicts of interest.
• Pay.UK chairs a Participant Engagement Forum, which is a non-decision-making forum for discussing issues of common interest to Payment Service Providers (PSPs) and other industry stakeholders active in the UK’s retail payments industry.


4.3 Principle 3 - Framework for the Comprehensive Management of Risks

Framework for the comprehensive management of risks: An FMI should have a sound risk-management framework for comprehensively managing legal, credit, liquidity, operational, and other risks.

Rating: Observed

Summary: This principle is observed. Pay.UK has a risk management framework in place with a clear risk taxonomy that supports the management of legal, credit, liquidity, operational and general business risk. Pay.UK is in the process of embedding its risk framework into the organisation and plans are on track to complete this.

During this reporting period, Pay.UK has taken on the risk frameworks from the previous operators and merged them into a new Enterprise Risk Management Framework (ERMF) to meet the needs of Pay.UK. It has adopted the three lines of defence model which has been embedded across the business. The framework includes:
• Governance
• Risk Appetite
• Risk Management tools and procedures, including Risk & Control Self-Assessments (RCSAs)
• Risk reporting requirements
• Risk Culture

As part of the transformation programme, Pay.UK has developed and consolidated the previous operators’ risk approaches. The integrated Pay.UK ERMF enables the identification, assessment, monitoring, management, and reporting of risks. Work on enhancing the ERMF is ongoing.

Key Consideration 3.1: An FMI should have risk-management policies, procedures, and systems that enable it to identify, measure, monitor, and manage the range of risks that arise in or are borne by the FMI. Risk-management frameworks should be subject to periodic review.

Pay.UK Assessment:
• Risks are managed through the overarching ERMF which enables consistent, effective identification, assessment and management of risks that arise in or are borne by Pay.UK.
• The key policies and procedures, which are reviewed and updated annually, that help to identify, measure, monitor and manage the risks are:
  o Pay.UK Risk Appetite Statement
  o Pay.UK Key Risk register
  o Pay.UK ERMF Policy / Document
  o Pay.UK Risk Management Procedures
  o Pay.UK Risk Management Control Framework Document
  o Pay.UK RCSA – Procedures, guidelines & RCSA template
  o Pay.UK Assurance policy and procedures
  o Pay.UK KRIs (we are currently developing a suite of data driven Key Risk Indicators)

• All risks are reviewed on a regular basis by risk owners and these are monitored by the Risk Committee and Board.

• Risks are aggregated both within a directorate and across multiple directorates as required and are then reported to the Risk Committee. Reporting structures are in place throughout the business to feed back risks to Participants, regulators and End Users, including monthly meetings between the CRO and the Bank of England.

• Pay.UK Risk Directorate is enhancing the three lines of defence model, by aligning processes and methods that enable the organisation to operate more effectively.

Key Consideration 3.2: An FMI should provide incentives to Participants and, where relevant, their customers to manage and contain the risks they pose to the FMI.

Pay.UK Assessment:
• Pay.UK designs and implements its policies and systems with Participants, and where relevant, with their customers in mind. Participants are consulted when there are changes to agreements, rules, and Service Line Procedures.
• Reports are produced in relation to Participant assurance. Monitoring of code compliance is undertaken, together with service user reporting and feedback, through regular Participant engagement.
• Rules and changes are designed to address identified risks. In relation to the Bacs and FPS Services:

Bacs
  o Settlement positions are reported to each Participant at least 24 hours before settlement is due, in the Settlement Agent Summary.
  o Monthly stress testing reports, tracking settlement positions (one, two, and three day) against the hard cap and two alert trigger points (thresholds one and two) for every settlement day are produced and distributed to Participants monthly.
  o Participants can see their real-time intra-day positions, via the Payment Services Website, updated every 30 minutes throughout the day.
  o Monthly report of operational performance against SLA, including notification of Participants’ failure to comply with the Payment System Operating Manuals, and timely receipt of output from Pay.UK’s supplier.

FPS
Participants are required to self-certify against the key risks that are identified as ‘systemic’ to itself, in that any weaknesses in a Participant’s internal FPS-related controls may have a direct negative impact on its other Participants. The Assurance Statement, which forms the self-certification process, is based on the Pay.UK Risk Register and FPS Rules and FPS Security Code of Conduct. The Pay.UK Assurance team provides feedback to Participants relating to their self-certification reviews, as well as changes to their Risk Profile.

Key Consideration 3.3: An FMI should regularly review the material risks it bears from and poses to other entities (such as other FMIs, settlement banks, liquidity providers, and service providers) as a result of interdependencies and develop appropriate risk management tools to address these risks.

Pay.UK Assessment:
• Pay.UK regularly reviews risks (including those resulting from interdependencies) as part of its ERMF. Pay.UK has identified that more work needs to be done reviewing and modelling systemic risk in the wider Retail Payments Ecosystem.
• Pay.UK regularly reviews material risks it bears from and poses to other entities. Key tools include: the management of principal risks in the Risk Register, Risk Contagion analysis, and Deep Dives analysis on Key suppliers.
• The previous operators worked closely with other Payment Schemes and the Bank of England (via Cross Market Operational Market Resilience Group (CMORG)) to manage cross payment system and wider banking industry risks. This process will continue within Pay.UK.

• The Pay.UK Committee Governance structure supports the identification of internal interdependencies via its Risk ExCo.

Key Consideration 3.4: An FMI should identify scenarios that may potentially prevent it from being able to provide its critical operations and services as a going concern and assess the effectiveness of a full range of options for recovery or orderly wind-down. An FMI should prepare appropriate plans for its recovery or orderly wind-down based on the results of that assessment. Where applicable, an FMI should also provide relevant authorities with the information needed for purposes of resolution planning.

Pay.UK Assessment:
• Pay.UK has developed a Recovery Plan based on PFMIs and ISO. The plan provides Pay.UK with the mechanics to navigate through the systemic and idiosyncratic stresses that may impact the organisation’s capital adequacy, liquidity and solvency. Moreover, the scenarios planned take into account the key risks posed to Pay.UK whilst factoring external intelligence.
• Pay.UK Plans for recovery are listed below:
  o Pay.UK Business Continuity Policy
  o Pay.UK Recovery Plan
  o Pay.UK Incident Management Policy
  o Pay.UK Business Continuity Policy
  o Pay.UK Financial statements (showing company reserve)
  o Pay.UK Capital Policy
  o Pay.UK Overarching Incident Management Manual
• Risk Committee Terms of Reference include a regular periodic task to review the financial recovery plan and procedures including orderly wind-down and review.


4.4 Principle 4 - Credit Risk

Credit Risk: An FMI should effectively measure, monitor, and manage its credit exposure to Participants and those arising from its payment, clearing, and settlement processes. An FMI should maintain sufficient financial resources to cover its credit exposure to each Participant fully with a high degree of confidence.

Rating: Observed

Summary: This principle is observed. As a retail payments operator, Pay.UK is only exposed to a relatively minimal amount of Credit Risk. The Credit Risk exposure that does exist is limited to the ability of Participants to pay their Fees and any additional charges incurred on time. Pay.UK monitors and manages this credit risk on an on-going basis. Consequently, overall Pay.UK has concluded that Credit Risk imposes minimum impact on the firm’s financial resilience.

Key Consideration 4.1: An FMI should establish a robust framework to manage its credit exposures to its Participants and the credit risks arising from its payment, clearing, and settlement processes. Credit exposure may arise from current exposures, potential future exposures, or both.

Pay.UK Assessment:
• Pay.UK has a framework for the management of risks. Principle 3 provides details in relation to the Risk Management Framework.

Financially
• Pay.UK’s credit risk exposure is directly linked to the following events:
  o Participant(s) defaulting on the Price Per Click (PPC) invoice(s);
  o Participant(s) defaulting on invoice(s) payable in connection with the maintenance of the payment system in which the participant(s) takes part.
  o Third party income not paid for the services Pay.UK delivers.
  o Failure of the commercial bank that Pay.UK holds the majority of its capital reserves with and Revolving Credit Facility (concentration risk).
• During the S195 review, Pay.UK conducted a stress testing exercise where severe but plausible scenarios were developed to assess the financial losses arising from credit risks.
• Furthermore, Pay.UK has also calculated the amount of financial resources required to cover the firm’s credit exposure. The outcome of both exercises was that credit risks, from a financial perspective, have an immaterial impact on Pay.UK.
• Pay.UK will continue to assess its credit risks through its risk management framework. Further, at a minimum, Pay.UK will conduct a stress testing exercise on an annual basis to confirm the financial implications due to credit risks are appropriately assessed and quantified.

Key Consideration 4.2: An FMI should identify sources of credit risk, routinely measure and monitor credit exposures, and use appropriate risk-management tools to control these risks.

Pay.UK Assessment:
• Pay.UK’s only Participant Credit risk exposure relates to the collection of their fees. Pay.UK, therefore, has a limited Credit Risk exposure that is not considered to be significant.

Key Consideration 4.3: A payment system or SSS should cover its current and, where they exist, potential future exposures to each Participant fully with a high degree of confidence using collateral and other equivalent financial resources (see Principle 5 on collateral). In the case of a DNS payment system or DNS SSS in which there is no settlement guarantee but where its Participants face credit exposures arising from its payment, clearing, and settlement processes, such an FMI should maintain, at a minimum, sufficient resources to cover the exposures of the two Participants and their affiliates that would create the largest aggregate credit exposure in the system.

Pay.UK Assessment:
• In March 2019, Pay.UK provided the Bank with its Capital Reserve Calculation. Pay.UK has developed its Financial Recovery Plan which provides recovery tools to address any deficit that may arise from a credit event.
• Pay.UK financial resources are cash held in two UK Commercial Banks, ring fenced from other operational accounts. These resources are readily accessible to be used to mitigate credit losses arising from Participant(s) in default, or unpaid invoices from third parties.
Key Consideration 4.4 – Not Applicable to Retail Payment Systems
Key Consideration 4.5 – Not Applicable to Retail Payment Systems
Key Consideration 4.6 – Not Applicable to Retail Payment Systems

Key Consideration 4.7: An FMI should establish explicit rules and procedures that address fully any credit losses it may face as a result of any individual or combined default among its Participants with respect to any of their obligations to the FMI. These rules and procedures should address how potentially uncovered credit losses would be allocated, including the repayment of any funds an FMI may borrow from liquidity providers. These rules and procedures should also indicate the FMI’s process to replenish any financial resources that the FMI may employ during a stress event, so that the FMI can continue to operate in a safe and sound manner.

Pay.UK Assessment:
• Pay.UK rules and procedures address credit losses and losses that may arise from a Participant defaulting. The Payment System Rules specify the rules and procedures.
• The Settlement pre-funding of RCAs fully covers all exposures for all Participants in all circumstances.
• Pay.UK finalised its Financial Recovery Plan in April 2019. The plan lists the tools the firm has at its disposal to replenish its financial resources in periods of credit stress events.


4.5 Principle 5 - Collateral

Collateral: An FMI that requires collateral to manage its or its Participants’ credit exposure should accept collateral with low credit, liquidity, and market risks. An FMI should also set and enforce appropriately conservative haircuts and concentration limits.

Rating: Observed

Summary: This principle is observed as Pay.UK payments systems operate with a cash reserve held at the Bank of England. Therefore market liquidity risks are eliminated.

Key Consideration 5.1: An FMI should generally limit the assets it (routinely) accepts as collateral to those with low credit, liquidity, and market risks.

Pay.UK Assessment:
• The Pay.UK systems operate with cash collateral reserves held at the Bank of England.

Key Consideration 5.2: An FMI should establish prudent valuation practices and develop haircuts that are regularly tested and take into account stressed market conditions.

Pay.UK Assessment:
• For Bacs and FPS, GB Sterling collateral is held to match each Participant’s maximum allowable net debit position (which is also in GB sterling), therefore the development of haircuts and regular testing is not required.

Key Consideration 5.3: In order to reduce the need for procyclical adjustments, an FMI should establish stable and conservative haircuts that are calibrated to include periods of stressed market conditions, to the extent practicable and prudent.

Pay.UK Assessment:
• In relation to the Bacs service there is no requirement for haircuts or procyclical adjustments, and this is also not applicable to FPS.

Key Consideration 5.4: An FMI should avoid concentrated holdings of certain assets where this would significantly impair the ability to liquidate such assets quickly without significant adverse price effects.

Pay.UK Assessment:
• Participants of the Bacs and FPS service need to secure GB Sterling deposits against Participant GB Sterling debit positions, to confirm that there is no risk of adverse price effects or market conditions.

Key Consideration 5.5: An FMI that accepts cross-border collateral should mitigate the risks associated with its use and ensure that the collateral can be used in a timely manner. (Last year Pay.UK stated that this was not applicable to FPS and Bacs.)

Pay.UK Assessment:
• There is no scope to accept cross-border collateral for the Bacs and FPS service.

Key Consideration 5.6: An FMI should use a collateral management system that is well-designed and operationally flexible.

Pay.UK Assessment:
• Each Direct Participant (except the Bank of England as a Bacs participant, which as the Central Bank is considered to bring no credit risk) has an account at the Bank of England in the Real Time Gross Settlement (RTGS) system.


4.6 Principle 7 - Liquidity Risks

Liquidity Risk: An FMI should effectively measure, monitor, and manage its liquidity risk. An FMI should maintain sufficient liquid resources in all relevant currencies to effect same-day and, where appropriate, intraday and multiday settlement of payment obligations with a high degree of confidence under a wide range of potential stress scenarios that should include, but not be limited to, the default of the Participant and its affiliates that would generate the largest aggregate liquidity obligation for the FMI in extreme but plausible market conditions.

Rating: Observed

Summary: This principle is observed. From a financial perspective, Pay.UK’s exposure to liquidity risk relates to short term stress in the firm’s cash flow cycle. These risks will be monitored and managed on a forward basis and measured through the firm’s annual stress testing exercise.

Pay.UK has defined a process for regularly testing its liquid resources. The monthly stress testing analysis report includes information about settlement flows which is then reviewed by Pay.UK Operations, Participants and FMID.

The Stress Testing analysis report assesses the previous positions, including intraday profile; plausible future scenarios, including extreme but credible circumstances; and credit and liquidity exposure of non-defaulting Participants in the event of other Participant defaults. This review highlights data that would show sudden and significant increase(s) in Participants’ payment flow positions.

Pay.UK has a Settlement Service Provider Agreement with the Bank of England to provide settlement services to cover settlement obligations and the provision of security custodian services for the Participants.

Pay.UK's company assets are held in the form of cash in two UK regulated commercial banks. For the purposes of its capital reserves these amounts are ring fenced from the cash sitting in operating current accounts and will only be used to mitigate business losses.
Key Consideration(s) and Pay.UK Assessment

7.1: An FMI should have a robust framework to manage its liquidity risks from its Participants, settlement banks, nostro agents, custodian banks, liquidity providers, and other entities.

Pay.UK Assessment:
The ERMF has a clear risk taxonomy that supports the management of legal, credit, liquidity, operational and general business risks.

Bacs Service
• Bacs liquidity needs arise from its Participants’ settlement obligations each day. As a deferred net settlement system, each Participant is obliged to meet its needs on a multilateral basis. Liquidity risk arises if a Participant was unable to fund a debit settlement position. The Prefunding arrangements confirm settlement will proceed even if a Participant defaulted, as each Participant’s maximum debit position is covered by funds locked in their Prefunding Account at the Bank of England. There is always sufficient liquidity to confirm the current settlement obligations are met. Aggregate liquidity risk for each Participant cannot exceed its debit cap so this risk is minimised.

FPS Service
• FPS’ settlement process is fully liquid with all payments fully backed up in cash within RCAs at the Bank of England.

7.2: An FMI should have effective operational and analytical tools to identify, measure, and monitor its settlement and funding flows on an on-going and timely basis, including its use of intraday liquidity.

Pay.UK Assessment:
• The operational and analytical tools that Pay.UK has in place for measuring and monitoring settlement and funding flows differ according to the payment system being monitored.

Bacs Service
• For the Bacs Service, end of day settlement positions for all Participants are collated daily. This enables Pay.UK to compile monthly stress testing reports, which show Participants’ settlement positions in relation to its debit cap and its two threshold trigger points, for one-, two-, and three-day positions.
• Participants with Bacs are able to view their live net balances (at 30 minute intervals) each day via the Payment Services Website.
• This information is also available to the Pay.UK Operations. Monitoring of debit cap breaches on a “trigger point” basis (i.e. each Participant has two thresholds set in the Bacs system, say 65% and 95% of their maximum allowed debit balance) is in place, and system generated emails alert Bacs and the affected Participant should this occur.
• Pay.UK has set an additional threshold (threshold 3) for each Participant to provide early warning additional to the threshold 1 and 2 alerts. See also responses in Principles 4 & 5.
• Bacs processes payments on a generally cyclical basis overall, and analysis of this supports monitoring of settlement and funding flows:
  o For individuals who are paid weekly, Bacs service users submit files two days in advance, e.g. input on a Wednesday for credit to account Friday. This can result in higher file input volumes on the Wednesday.
  o Monthly salary payments will have a similar effect, e.g. input on 29 January, to account 31 January (assuming consecutive working days). This can result in higher file input volumes on the 29th in this example.
  o There are increased Direct Debit collections on the first working day of each month, so there will be a high item volume input two working days ahead of this.
  o Bacs values are also affected by large payments.
  o The above are mapped well in advance in the Debit Cap calendar maintained by the Pay.UK Operations team. This allows both Pay.UK and the Participants to monitor peak days and confirm Debit Caps are set accordingly to confirm there are no intra or end of day breaches of the debit cap.

For FPS
• The settlement and funding flows are monitored through the CI. Participants’ net settlement positions are instantaneous and monitored by the Operations team throughout the day.
• Settlement positions relative to Net Sender Caps (NSCs) are monitored. An additional alerting mechanism has been developed, independent of the Participant-set NST, to provide early notification to Pay.UK that a Participant's Multilateral Net Settlement Position is increasing.
• Participants must add additional collateral at the central bank to increase their NSC. A process for changes to NSC and supporting RCAs is in place. Information regarding the Participant's position against NST and NSC is provided by Pay.UK’s supplier on an hourly basis, retrospectively.

7.3: A payment system or SSS, including one employing a DNS mechanism, should maintain sufficient liquid resources in all relevant currencies to effect same-day settlement, and where appropriate intraday or multiday settlement, of payment obligations with a high degree of confidence under a wide range of potential stress scenarios that should include, but not be limited to, the default of the Participant and its affiliates that would generate the largest aggregate payment obligation in extreme but plausible market conditions.

Pay.UK Assessment:
• Pay.UK carries out modelling based on a number of stressed scenarios to provide an understanding of liquidity requirements should one of these stress scenarios materialise.
• Participants proactively manage cap changes in hours (and out of hours if required) in relation to actual and anticipated debit positions.

Bacs Service
• Pay.UK sets the Cap for Participants with the Bacs service, hence the potential maximum liquidity required – based on the anticipated highest debit position, whichever is higher); this applies equally to all Participants. This is highlighted within the Stress Testing report at 7.2.1.
• Pay.UK issues monthly Stress Testing information in reports to its Bacs Participants, which uses data modelling to assess the robustness of the debit caps, supporting cash collateral requirements. This assesses:
  o the month’s daily positions in relation to caps and thresholds, and
  o plausible future scenarios, including the impact of a 24 hour settlement delay, and the impact of a three-day outage as mentioned in 7.2.

FPS
• FPS only operates in one currency and settlement is conducted at the UK Bank of England. The RCA mechanism guarantees that liquidity is always available to settle Participant positions at any time; therefore same day settlement can be effective if required.
• The size of the potential liquidity shortfall is dynamic and varies each day, according to Participant (and their customers) payment needs, managed through cap and collateral Prefunding arrangements.
• Overall, the larger Participants will have a larger maximum debit position on some days, however it should be noted that all Participants have funds ring-fenced in their Prefunding Account to cover maximum debit positions in any case.

7.4: Not Applicable to Retail Payment Systems

7.5: For the purpose of meeting its minimum liquid resource requirement, an FMI’s qualifying liquid resources in each currency include cash at the central bank of issue and at creditworthy commercial banks, committed lines of credit, committed foreign exchange swaps, and committed repos, as well as highly marketable collateral held in custody and investments that are readily available and convertible into cash with prearranged and highly reliable funding arrangements, even in extreme but plausible market conditions. If an FMI has access to routine credit at the central bank of issue, the FMI may count such access as part of the minimum requirement to the extent it has collateral that is eligible for pledging to (or for conducting other appropriate forms of transactions with) the relevant central bank. All such resources should be available when needed.

Pay.UK Assessment:
• Under the Settlement Agreement each Participant funds their Prefunding Account at the Bank of England to confirm funds are available to meet settlement obligations even if the Participant defaults. The composition of liquid resources is GB Sterling only.
• Accordingly, Pay.UK has no need to convert collateral and investments into cash.

Bacs Service
• The Settlement Agreement and Settlement Service Providers Agreement require and enable Participants of Bacs to settle each day; settlement is scheduled for 09.30 each working day at the Bank of England. In the event a Participant cannot meet its settlement obligation at 09.30, the Settlement Agreement enables Pay.UK to call upon the balance in the affected Participant’s Reserves Collateralisation Account by 12.00 noon London time – see clause 6.1(a) ii.
• All collateral is in cash (GB Sterling); at the Bank of England for Prefunding purposes, and at NatWest for company operational purposes.

FPS
• The settlement process is fully liquid with all payments fully backed up in cash within RCAs at the Bank of England.

7.6: An FMI may supplement its qualifying liquid resources with other forms of liquid resources. If the FMI does so, then these liquid resources should be in the form of assets that are likely to be saleable or acceptable as collateral for lines of credit, swaps, or repos on an ad hoc basis following a default, even if this cannot be reliably prearranged or guaranteed in extreme market conditions. Even if an FMI does not have access to routine central bank credit, it should still take account of what collateral is typically accepted by the relevant central bank, as such assets may be more likely to be liquid in stressed circumstances. An FMI should not assume the availability of emergency central bank credit as a part of its liquidity plan.

Pay.UK Assessment:
• This consideration is not applicable to Pay.UK or its payments systems because neither Bacs nor FPS maintains supplemental liquid resources.

7.7: An FMI should obtain a high degree of confidence, through rigorous due diligence, that each provider of its minimum required qualifying liquid resources, whether a Participant of the FMI or an external party, has sufficient information to understand and to manage its associated liquidity risks, and that it has the capacity to perform as required under its commitment. Where relevant to assessing a liquidity provider’s performance reliability with respect to a particular currency, a liquidity provider’s potential access to credit from the central bank of issue may be taken into account. An FMI should regularly test its procedures for accessing its liquid resources at a liquidity provider.

Pay.UK Assessment:
• Pay.UK does not use a liquidity provider to meet its minimum required qualifying liquidity resources.
• Participants with the Bacs service are obligated to provide the required liquidity through the Settlement Agreement.
• FPS does not require supplemental liquid resources, as all liquidity risk is covered by RCAs at the Central Bank.

7.8: An FMI with access to central bank accounts, payment services, or securities services should use these services, where practical, to enhance its management of liquidity risk.

Pay.UK Assessment:
Pay.UK has a Settlement Service Provider Agreement with the Bank of England to provide settlement services to cover settlement obligations and the provision of security custodian services for the Participants.

Bacs Service
The Bank of England acts as settlement agent for Bacs. Bacs Participants are required to hold a settlement account at the Bank of England, across which daily settlement takes place. In the event of a default, the cash collateral held in the Reserves Collateralisation Account would be used.

FPS Service
Settlement is carried out over Bank of England RTGS three times daily, Monday to Friday (excluding Bank Holidays). FPS makes full use of the Central Bank to confirm all Participant Settlement obligations are fully offset (pre-funded) in GB Sterling Central Bank Money through an RCA which is fully liquid and immediately available.

The FPS Rules require Participants, as a condition of Membership, to have settlement accounts with the Bank of England. FPS is a GB Sterling only payment system, with settlement through the Central Bank. All Participant Settlement obligations are fully offset (pre-funded) in GB Sterling at the Central Bank through the RCAA which is fully liquid and immediately available when settlement is required.

7.9: An FMI should determine the amount and regularly test the sufficiency of its liquid resources through rigorous stress testing. An FMI should have clear procedures to report the results of its stress tests to appropriate decision makers at the FMI and to use these results to evaluate the adequacy of and adjust its liquidity risk-management framework. In conducting stress testing, an FMI should consider a wide range of relevant scenarios. Scenarios should include relevant peak historic price volatilities, shifts in other market factors such as price determinants and yield curves, multiple defaults over various time horizons, simultaneous pressures in funding and asset markets, and a spectrum of forward-looking stress scenarios in a variety of extreme but plausible market conditions. Scenarios should also take into account the design and operation of the FMI, include all entities that might pose material liquidity risks to the FMI (such as settlement banks, nostro agents, custodian banks, liquidity providers, and linked FMIs), and where appropriate, cover a multiday period. In all cases, an FMI should document its supporting rationale for, and should have appropriate governance arrangements relating to, the amount and form of total liquid resources it maintains.

Pay.UK Assessment:
Pay.UK has defined a process for regularly testing its liquid resources. The monthly stress testing analysis report includes information about settlement flows which is then reviewed by the Pay.UK Operations team, Participants and FMID.

The Stress Testing analysis report assesses the previous positions, including intraday profile; plausible future scenarios, including extreme but credible circumstances; and, credit and liquidity exposure of non-defaulting Participants in the event of other Participant defaults. This review highlights data that would show sudden and significant increase(s) in Participants’ payment flow positions.

7.10: An FMI should establish explicit rules and procedures that enable the FMI to effect same-day and, where appropriate, intraday and multiday settlement of payment obligations on time following any individual or combined default among its Participants. These rules and procedures should address unforeseen and potentially uncovered liquidity shortfalls and should aim to avoid unwinding, revoking, or delaying the same-day settlement of payment obligations. These rules and procedures should also indicate the FMI’s process to replenish any liquidity resources it may employ during a stress event, so that it can continue to operate in a safe and sound manner.

Pay.UK Assessment:
The Pay.UK rules and procedures.
• In relation to the Bacs system, the rules and procedures enable settlement to continue in the event of default of all Participants, as provided for by the Settlement Agreement and Prefunding arrangements. Hard debit caps prevent any Participant defaulting at a level above committed available liquidity. Increasing debit positions must be matched by cash collateral ring-fenced at the Bank of England, or by extraction of Participant items to reduce the debit position where the cap can’t be raised. Bacs rules and procedures require Participants to fully collateralise their settlement obligations. In the event a Participant’s cash collateral is used to enact settlement, the Participant is required to top up its RTGS account so that the Prefunding Account balance can be maintained.
• Default and exclusion of the affected Participant would ensue if this was not carried out.
• FPS requires Participants to settle in GB Sterling through the RCAA which is fully liquid and immediately available. The RCAA provides explicit rules and procedures to effect almost immediate settlement following a settlement delay caused by one or more Participants.


4.7 Principle 8 - Settlement Finality

Settlement Finality
Rating: Observed

An FMI should provide clear and certain final settlement, at a minimum by the end of the value date. Where necessary or preferable, an FMI should provide final settlement intraday or in real time.

Summary

This principle is observed. The point of Settlement Finality is clearly defined within the Pay.UK rules, procedures and agreements.

Bacs and FPS have clear points of settlement which are certain. For the Bacs service, settlement is final at “settlement time” on the “due date”. For FPS the point of settlement finality (as per the Settlement Finality Directive) and when a settlement payment (opposed to an individual payment) is irrevocable (i.e. cannot be extracted from settlement) is at the point the payment (single amount) is recorded with the Market Infrastructure Resilience Services (MIRS) timestamp.

Key Consideration(s) and Pay.UK Assessment

8.1: An FMI’s rules and procedures should clearly define the point at which settlement is final

Pay.UK Assessment:
Point of Settlement Finality
• The Pay.UK rules and procedures clearly define the points at which settlement is final for both the Bacs service and the FPS service.

Bacs
• Bacs payment becomes irrevocable at the point defined in the Settlement Agreement (SA). In practice, this is 23:00 on day one of the Bacs cycle (“Input day”), although this can be extended at the discretion of Pay.UK in the event of operational difficulties (for example if Pay.UK was to experience an internet outage which prevents Pay.UK’s users from submitting payments).
• The SA states that settlement is final at “settlement time” on the “due date”. In practice, this is 09:30 on day three of the Bacs cycle (“settlement day”), although this can be extended in times of stress – i.e. non-settlement by a Participant of a debit position – until no later than 14:00 (London time).
• The SA (section 4.2) defines these obligations. There are no payment obligations in this respect between Participants and Pay.UK.

FPS
• In relation to FPS, the point of settlement finality (as per the Settlement Finality Directive) and when a settlement payment (opposed to an individual payment) is irrevocable (i.e. cannot be extracted from settlement) is at the point the payment (single amount) is recorded with the Market Infrastructure Resilience Services (MIRS) timestamp. The point of settlement finality and individual payment irrevocability is disclosed within the FPS rules.
• Settlement occurs on a Fully Cash Prefunded Deferred Net Settlement (Prefunded DNS) basis, three times a day at 07.00, 13.00 and 17.00 Monday to Friday excluding English Bank Holidays; this information can be found within the FPS procedures and rules.

8.2: An FMI should complete final settlement no later than the end of the value date, and preferably intraday or in real time, to reduce settlement risk. An LVPS or SSS should consider adopting RTGS or multiple-batch processing during the settlement day Principle 15 – General Business Risk.

Pay.UK Assessment:
Final Settlement on the Value Date
• In extreme events where settlement cannot occur by the end of the value date Pay.UK has contingency processes in place.

Bacs Settlement
• The Bacs System Settlement takes place at 09:30 on day three of the Bacs cycle (settlement day). The Settlement Service Provider Agreement (between Bacs and the Bank of England) states, in clause 3.3(a), that the Bank will use “reasonable endeavours” to notify Bacs if settlement is delayed. In extreme circumstances, such as Participant default, settlement can take place later on the same settlement day, but must not go beyond this except as a result of Force Majeure.

FPS Settlement
• The FPS system does not undertake batch processing; settlement and cut off occur at three points during the day: 07.00, 13.00 and 17.00 Monday to Friday excluding Bank Holidays. If a Participant has insufficient liquidity to settle, then the RCA would be invoked and the defaulting Participant's RCA would be debited to provide the liquidity and effect full settlement.
• The Participant debit cap means that the maximum exposure of each Participant cannot be higher than the funds secured in the RCA. This has the effect of a pre-funding settlement. This pre-funding of settlement eliminates settlement risk meaning that a settlement cycle at the very end of the value date is not necessary.


8.3: An FMI should clearly define the point after which unsettled payments, transfer instructions, or other obligations may not be revoked by a Participant.

Pay.UK Assessment:
• The Pay.UK rules and procedures have clearly defined points after which a payment becomes irrevocable. For the Bacs Service this is at 23:00 on day one of the Bacs Cycle, and the point of irrevocability of an individual payment is normally the moment a payment is submitted to the CI, though Pay.UK can extend this in the event of operational difficulties at its discretion.
• Prior to close-down on day one, items can be extracted by the submitter. Once the Bacs system goes into closedown, the facility for automated extraction of payments is not available to submitters.
• Bacs payment messages cannot be revoked after the end of day cut off time as they have moved into the processing and output stage. In the event of unwanted payments moving into processing, Participants can issue Reversal instructions (i.e. instructions to cancel out payments with ones of opposite value). These do not revoke the initial payment, as they are entered the next day and so will apply to accounts the day after the unwanted payment(s). This applies to Bacs Direct Credit and Direct Debit and is designed to address errors:
• Bacs Direct Credit: There is a facility for Manual Recalls, as described in the Bank of England Guide and Rules to the Bacs Direct Credit Scheme (section 5.2.1): “Recalls are normally made by a Remitting Bank, however a Service User who is not a bank may be authorised by its Sponsor to effect recalls either individually i.e. each time a recall is required, or on an on-going basis.
• Where a Service User is authorised to effect a recall or recalls, its Sponsor is responsible for ensuring that the Service User is aware of and complies with the Rules, including the following:
  o Manual recalls can be initiated up to 5 working days ahead of Day 2 of the Bacs Cycle (i.e. Processing Day) and up to 15:30 hours on Day 2 however see section 5.2.4”.
  o In September 2016, the Bacs and Faster Payment Service introduced Credit Payment Recovery (CPR) as an industry process to assist the recovery of payments sent in error, either by customers or banks, using FPS or Bacs. The Operating Guide states the CPR facility “aims to treat all parties involved in a fair and consistent way by setting out steps to support effective communication between banks and customers; timescales that must be followed and protection of funds in the majority of cases”.
  o Although CPR does not guarantee recovery, it determines whether customers and banks know the outcome of their claim within a maximum of 20 working days and where recovery has not been possible, what further action they may choose to take. It is noted that this process is not a means of revoking payments.
• Direct Debit: The error recovery procedures (section 5.3) have rules that allow for the correction of single or multiple items collected in error, and specify actions within recall timelines:
  o Single item – “Before debit due day”, and “Day of or day after debit due day”.
  o Majority of submission in error – “up to and including Bacs input day”, and “Processing day and up to processing day plus 6”.
  o The above information is defined, according to whether it relates to Bacs Direct Credit or Direct Debit, in the Bank’s Guide and rules to the Bacs Direct Credit Scheme v1.8 (section 5.2.1), or the Sponsoring Bank’s Guide and Rules to the Direct Debit Scheme v2.0 (section 5.3).

FPS
• For FPS, the rules state the point of irrevocability of an individual payment as the moment a payment is submitted to the CI. After this point no payment can be reversed and the system has no revocation messaging capability. The FPS Rules define this point.


4.8 Principle 9 - Money Settlements

Money Settlements
Rating: Observed

An FMI should conduct its money settlements in central bank money where practical and available. If central bank money is not used, an FMI should minimise and strictly control the credit and liquidity risk arising from the use of commercial bank money

Summary:

This principle is observed. Both the Bacs and FPS payment systems conduct their money settlements in GB Sterling using central bank money.

Key Consideration(s) and Pay.UK Assessment

9.1: An FMI should conduct its money settlements in central bank money, where practical and available, to avoid credit and liquidity risks.

Pay.UK Assessment:
• Both the Bacs service and FPS service conduct their money settlements in GB Sterling only, in central bank money and therefore avoid credit and liquidity risks.

9.2: If central bank money is not used, an FMI should conduct its money settlements using a settlement asset with little or no credit or liquidity risk.

Pay.UK Assessment:
• This is not applicable to Pay.UK operated systems because central bank money is used.

9.3: If an FMI settles in commercial bank money, it should monitor, manage, and limit its credit and liquidity risks arising from the commercial settlement banks. In particular, an FMI should establish and monitor adherence to strict criteria for its settlement banks that take account of, among other things, their regulation and supervision, creditworthiness, capitalisation, access to liquidity, and operational reliability. An FMI should also monitor and manage the concentration of credit and liquidity exposures to its commercial settlement banks.

Pay.UK Assessment:
• This is not applicable to Pay.UK operated systems because central bank money is used.


9.4: If an FMI conducts money settlements on its own books, it should minimise and strictly control its credit and liquidity risks

Pay.UK Assessment:
• This is not applicable to Pay.UK operated systems because central bank money is used.

9.5: An FMI’s legal agreements with any settlement banks should state clearly when transfers on the books of individual settlement banks are expected to occur, that transfers are to be final when effected, and that funds received should be transferable as soon as possible, at a minimum by the end of the day and ideally intraday, in order to enable the FMI and its Participants to manage credit and liquidity risks.

Pay.UK Assessment:
• This is not applicable to FPS and Bacs as they settle in Central Bank Money.


4.9 Principle 13 - Participant default rules and procedures

Participant-default rules and procedures
Rating: Observed

An FMI should have effective and clearly defined rules and procedures to manage a Participant default. These rules and procedures should be designed to ensure that the FMI can take timely action to contain losses and liquidity pressures and continue to meet its obligations.

Summary

This principle is observed. Pay.UK has in place clearly defined rules and procedures to manage a Participant default. Procedures, rules and process created within the previous operators have been enhanced and reflected into the new organisation operating structure. In the event of an incident Pay.UK will be able to respond and contain losses and liquidity pressures.

Key Consideration(s) and Pay.UK Assessment

13.1: An FMI should have default rules and procedures that enable the FMI to continue to meet its obligations in the event of a Participant default and that address the replenishment of resources following a default.

Pay.UK Assessment:
• Pay.UK’s Incident Procedures indicates the methods by which Pay.UK will identify sources of default. The Incident Procedures confirms that Pay.UK can take action when a default is declared by explicitly defining actions within the Settlement Agreement, clause 10 Consequences of an Exclusion Event, and clause 11 Event of Default, and including the blocking of payment messages and loss of Participation (and therefore access to the Bacs system).
• The legal agreement structure removes procedural uncertainty from the default management process. The normal settlement practices can only be changed through a change to the Settlement Agreement, which must then be agreed and signed by all Participants.
• The Settlement Agreement enables the Bank of England to access the defaulting Participant’s Prefunding Account, protecting Pay.UK as the FMI. There is no call on other Participants for liquidity, and the Bacs clearing will settle in RTGS.

13.2: An FMI should be well prepared to implement its default rules and procedures, including any appropriate discretionary procedures provided for in its rules.

Pay.UK Assessment:
• Pay.UK has comprehensive internal plans that set out the roles, responsibilities, and authorities for addressing a default. These are known as the Incident Management and Business Continuity Management System procedures.
• The Pay.UK Incident handling roles and responsibilities are allocated across the Executive Team, Operations Team, and others as required to deliver Gold, Silver and Bronze incident management teams.
• Communication procedures to contact the relevant stakeholders are defined in the Incident Management document set (specifically the Pay.UK Incident Escalation Process and Industry Incident Management Framework). Initial contact is made to relevant stakeholders. Communication thereafter is verbal where possible (face to face or telephone/conference call, key contact numbers are held by the Pay.UK incident handling team), supported by e-mail, and the Suremail and Everbridge facility if a message needs to be sent to the wider Bacs service user community. Pay.UK has in place proactive procedures, via its Press Office, to manage wider communications, for example communications with the Media.

13.3: An FMI should publicly disclose key aspects of its default rules and procedures.

Pay.UK Assessment:
• Pay.UK discloses key aspects of the default rules on www.bacs.co.uk, and www.fasterpayments.org.uk.
• In addition to the above Pay.UK lists all circumstances in which action may be taken within the Settlement Agreement (clause 9.1), and the FPS Rules V13.2. All documents also include insolvency and failing to meet settlement obligations.

13.4: An FMI should involve its Participants and other stakeholders in the testing and review of the FMI’s default procedures, including any close-out procedures. Such testing and review should be conducted at least annually or following material changes to the rules and procedures to ensure that they are practical and effective

Pay.UK Assessment:
• Pay.UK and the Bank of England engage relevant stakeholders in the testing of the RCAA. Procedural testing is undertaken with the Bank of England, Participants and Pay.UK’s supplier. Tests are undertaken at least annually and when rules and procedures are materially changed. Test results are reviewed to identify any changes that are necessary to the FPS Rules and procedures. Any relevant findings of the test are shared with the Board and the Bank of England.


4.10 Principle 15 - General Business Risk

General Business Risk Rating: Broadly Observed An FMI should identify, monitor, and manage its Summary general business risk and hold sufficient liquid net This principle is broadly observed. Whilst Pay.UK has a risk management framework which assets funded by equity to cover potential general helps the organisation identify, assesses, monitor, manage and report general business risks, business losses so that it can continue operations it is still building its capital reserve. and services as a going concern if those losses materialise. Further, liquid net assets should at all Pay.UK is still within its first year of operation as a fully functional organisation and is building times be sufficient to ensure a recovery or orderly its capital reserve. Pay.UK has plans in place to build its capital reserve to equal at least six wind-down of critical operations and services. months of its current operating expenses. Pay.UK has provided FMID with its plan for achieving its defined level of capital reserve which it is proposing to accumulate over a three year period.

Pay.UK has also developed a Recovery Plan under which it has established a Recovery Trigger Framework and an Escalation Framework, and has identified a series of Recovery Tools that will enable the continuity of operations as a going concern.

Key Consideration 15.1: An FMI should have robust management and control systems to identify, monitor, and manage general business risks, including losses from poor execution of business strategy, negative cash flows, or unexpected and excessively large operating expenses.

Pay.UK Assessment:
• Pay.UK identifies regulatory risks, operational/system risks, technological risks, credit risks & financial risks, which could have financial implications to the Firm's financial resilience if the risks crystallise.
• The process for monitoring and managing Pay.UK’s general business risks aligns to the monitoring processes defined in the ERMF.
• Monthly review and monitoring of the key risks is facilitated by the Pay.UK Risk Team.
• Pay.UK performs stress tests to quantify the potential financial losses arising from business risks, to determine the financial implications on the organisation’s capital and cash base, should an unexpected stress event crystallise.

Key Consideration 15.2: An FMI should hold liquid net assets funded by equity (such as common stock, disclosed reserves, or other retained earnings) so that it can continue operations and services as a going concern if it incurs general business losses. The amount of liquid net assets funded by equity an FMI should hold should be determined by its general business risk profile and the length of time required to achieve a recovery or orderly wind-down, as appropriate, of its critical operations and services if such action is taken.

Pay.UK Assessment:
• Pending the establishment of reserves which will be built through surpluses earned on trading, Pay.UK is holding funds in a ring-fenced account with a UK commercial bank.
• Pay.UK is in the process of building its capital reserves by the end of 2021, in accordance with the paper submitted to the Bank of England in March 2019. As a minimum, it aims to build enough reserves equal to 6 months of current operating expenses. Pay.UK’s approach when calculating its capital reserves determines whether the below criteria are met. Namely, we are aiming at capital reserves to be at least:
  • six months’ worth of current operating expenses to deliver Pay.UK’s payment services;
  • sufficient to cover general business risks (including the risk of extraordinary one-time losses);
  • sufficient to cover credit risk losses; and
  • sufficient for the implementation of the Firm’s Recovery Plan.

Key Consideration 15.3: An FMI should maintain a viable recovery or orderly wind-down plan and should hold sufficient liquid net assets funded by equity to implement this plan. At a minimum, an FMI should hold liquid net assets funded by equity equal to at least six months of current operating expenses. These assets are in addition to resources held to cover Participant defaults or other risks covered under the financial resources principles. However, equity held under international risk-based capital standards can be included where relevant and appropriate to avoid duplicate capital requirements.

Pay.UK Assessment:
• Pay.UK is building its capital reserve, to meet this requirement. Earlier this year Pay.UK submitted its capital reserve plans to FMID which provides for Pay.UK to have a capital reserve equal to at least six months of its current operating expenses by 2021.
• Pay.UK has taken into consideration tail business risks, which if crystallised could result in the Firm triggering its Recovery Plan. These tail risks are extreme in nature, but borderline plausible, and could threaten the financial resilience of the Firm, as they could significantly deplete its capital reserves and in extremis require the Firm to recapitalise. The Pay.UK objective is to build enough financial resources that would enable the Firm to absorb extraordinary losses and implement its Recovery Plan, if such action is needed.
• Pay.UK has distinguished between the financial resources required to cover for credit exposures and the financial resources to cover for general business risks. The total capital reserves calculated is the summation of the reserve to cover business risk and the reserve to cover credit. In April 2019, Pay.UK submitted an updated version of its Recovery Plan (the "Plan") to FMID. The key components of the plan are listed below:
  • Recovery Trigger Framework: The Plan includes a framework of Early Warning Indicators (“EWIs”) that the Firm deems appropriate and sufficient to monitor in order to detect early signs of financial stress. Thresholds have been set against each indicator, which if breached, results in an escalation process being triggered.
  • Escalation Framework: The Plan explains how the breach of one or more thresholds will trigger an escalation process, which will ultimately result in a crisis management body being convened with responsibility to monitor the breach and implement recovery actions.
  • Recovery Tools: The Plan also details the tools the Firm has at its disposal to alleviate financial distress and return the Firm to a state of Business as Usual.
  • Scenarios: The Plan considers stress scenarios, extreme in nature but plausible, in which the Firm will be pushed into recovery if no action is taken. These scenarios are market-wide as well as idiosyncratic stress events.

Key Consideration 15.4: Assets held to cover general business risk should be of high quality and sufficiently liquid in order to allow the FMI to meet its current and projected operating expenses under a range of scenarios, including in adverse market conditions.

Pay.UK Assessment:
• Pay.UK's liquid net assets funded by equity are in the form of cash and ring-fenced in UK commercial banks. The cash is readily available to be used for the purposes of mitigating any losses.

Key Consideration 15.5: An FMI should maintain a viable plan for raising additional equity should its equity fall close to or below the amount needed. This plan should be approved by the board of directors and updated regularly.

Pay.UK Assessment:
• Pay.UK has a range of tools, explained in the Recovery Plan, which could be used to raise additional capital if the current forecast levels were to fall below the amount needed.
• The Board has approved both the organisation's capital reserve calculation and Recovery Plan. In periods of severe stress, where the Firm requires to raise additional equity the Board via the company's ExCo will be advised accordingly.

4.11 Principle 16 - Custody and Investment Risks

Custody and Investment Risks
Rating: Observed

An FMI should safeguard its own and its Participants’ assets and minimise the risk of loss on and delay in access to these assets. An FMI’s investments should be in instruments with minimal credit, market, and liquidity risks.

Summary
This principle is observed. Pay.UK has safeguarded its own assets by placing them within regulated institutions. Participants’ cash collateral assets are held at the Bank of England.

Key Consideration 16.1: An FMI should hold its own and its Participants’ assets at supervised and regulated entities that have robust accounting practices, safekeeping procedures, and internal controls that fully protect these assets.

Pay.UK Assessment:
• Pay.UK's company assets are held in the form of cash in two UK regulated commercial banks. For the purposes of its capital reserves these amounts are ring fenced from the cash sitting in operating current accounts and will only be used to mitigate business losses.

Key Consideration 16.2: An FMI should have prompt access to its assets and the assets provided by Participants, when required.

Pay.UK Assessment:
Financially
• Pay.UK does not hold any assets provided by Participants. Pay.UK's company assets are held in the form of cash in two UK regulated commercial banks. Pay.UK has contracts in place governing the operation of the underlying accounts. Pay.UK has prompt access to all its assets which are held in cash operating and reserve accounts. These are only accessible by authorised signatories.
Operationally
• Participants’ assets are in the form of cash collateral held at the Bank of England to mitigate the impact of a default. The nature and timing of access to these assets is governed by the Settlement Agreement. With the introduction of prefunding in 2015, the only applicable Participant assets are cash held at the Bank of England, ring-fenced to confirm settlement in the event of Participant default.

Key Consideration 16.3: An FMI should evaluate and understand its exposures to its custodian banks, taking into account the full scope of its relationships with each.

Pay.UK Assessment:
Financially
• Pay.UK's company assets are held in the form of cash in two UK regulated commercial banks.
• Pay.UK has considered the risk that the bank with which its cash is held defaults. As a mitigant for this risk, Pay.UK intends to diversify its exposure across more custodians to mitigate the single concentration risk.
Operationally
• The assets of the Participants of Bacs are only in the form of cash collateral, and are held securely at the Bank of England for a defined purpose; their availability is not a concern.
• For FPS the Bank of England is the custodian of all collateral in cash, thus eliminating the risk of custodian default.

Key Consideration 16.4: An FMI’s investment strategy should be consistent with its overall risk-management strategy and fully disclosed to its Participants, and investments should be secured by, or be claims on, high-quality obligors. These investments should allow for quick liquidation with little, if any, adverse price effect.

Pay.UK Assessment:
• Pay.UK does not hold any other forms of investment. All assets, held in cash, are available on demand.

4.12 Principle 17 - Operational Risks

Operational Risks
Rating: Broadly observed

An FMI should identify the plausible sources of operational risk, both internal and external, and mitigate their impact through the use of appropriate systems, policies, procedures, and controls. Systems should be designed to ensure a high degree of security and operational reliability and should have adequate, scalable capacity. Business continuity management should aim for timely recovery of operations and fulfilment of the FMI’s obligations, including in the event of a wide-scale or major disruption.

Summary
This principle is broadly observed. Pay.UK has in place a risk management framework which has a clear risk taxonomy that supports the management of legal, credit, liquidity, operational and general business risks. Pay.UK has adopted the three lines of defence model, and this approach is being embedded across the business.

Key Consideration 17.1: An FMI should establish a robust operational risk-management framework with appropriate systems, policies, procedures, and controls to identify, monitor, and manage operational risks.

Pay.UK Assessment:
• Pay.UK has an operational risk management framework with the appropriate systems, policies, procedures and controls. All Policies align with Pay.UK Policy standards; existing Risk Policies have been provided to Pay.UK Legal to be held in a central repository.
• The processes for identifying operational risks are incorporated in the monthly risk review cycle, during which risk owners meet with the Risk team to discuss and evaluate their operational (and other) risks, based on in the business
• As part of the integration process Pay.UK developed a Risk Framework Policy, Risk Identification Assessment Policy and Controls Assessment Framework Policy. As mentioned in Principle 3, Pay.UK is now working on refining and embedding these policies.
• Operational risks are monitored and managed through the Operational risk taxonomy to manage:
  o Impact of central system disruption (internal or external causes)
  o Implications of Participant operational or settlement issue
  o Impact of legal breach or insufficient legal framework
• The main controls in place to determine whether operational procedures are implemented appropriately are the Payment System Operating Manuals, Supplier Technical Manuals and Functional Specifications.

Key Consideration 17.2: An FMI’s board of directors should clearly define the roles and responsibilities for addressing operational risk and should endorse the FMI’s operational risk-management framework. Systems, operational policies, procedures, and controls should be reviewed, audited, and tested periodically and after significant changes.

Pay.UK Assessment:
• The Board has delegated authority to address and manage operational risk to the CEO, who in turn has confirmed each material risk is owned by a Director or Head of Department. The CRO is responsible for establishing and maintaining an Enterprise Wide Risk Management framework and this is discharged via the Risk Co and Risk ExCO.
• This includes the underlying systems, operational policies and procedures. Internal audit provides assurance on the effectiveness of the Enterprise Wide Risk Management framework.

Key Consideration 17.3: An FMI should have clearly defined operational reliability objectives and should have policies in place that are designed to achieve those objectives.

Pay.UK Assessment:
• Pay.UK has established SLAs within its contracts with its supplier which set the required level of availability and reliability. Pay.UK’s strategic objectives include the requirements to receive, process, and output payment messages and associated reports so that the clearing is unimpeded and proceeds on time.
• In the event that any of the SLAs described above are not met, this is highlighted in the Key Risk Indicator report, with remedial action stated and tracked. This is reported to Risk committee and Board. This is additional to incident handling procedures at the time of an outage, which incorporate supplier outage scenarios and the actions required by Pay.UK.
• Pay.UK’s supplier produces monthly capacity forecasts to confirm Service Levels can be achieved. Service Levels are monitored by first and second line functions.
• Policies and procedures are in place to confirm incidents can be resolved on a timely basis. Incidents are subject to a post incident review, incorporating measures to prevent repeat occurrence.

Key Consideration 17.4: An FMI should ensure that it has scalable capacity adequate to handle increasing stress volumes and to achieve its service-level objectives.

Pay.UK Assessment:
• The system capacity is regularly reviewed and assessed against future forecasts. The comparison of projected volumes to known system capacity is conducted on an on-going basis, as forecasts are revised and updated. Pay.UK forecasts three years ahead for both payment systems.
• In the event that the forecast item volumes projected are to exceed current capacity in the future, an upgrade to existing capacity would be introduced.

Key Consideration 17.5: An FMI should have comprehensive physical and information security policies that address all potential vulnerabilities and threats.

Pay.UK Assessment:
• Pay.UK’s key partners for the provision of payment systems infrastructure are required to have an Information Security Policy which must include physical access, and is reviewed regularly, promulgated to staff, and applied across the company.
• Pay.UK’s security policy is based on BS7799 Part 1 / ISO 27001 and ISO 27002. The Pay.UK supplier’s policy is accredited under ISO/IEC 27001:2013. Physical security of the Bacs processing sites is covered under the ISAE 3000, Manage Physical Security section.

Key Consideration 17.6: An FMI should have a business continuity plan that addresses events posing a significant risk of disrupting operations, including events that could cause a wide-scale or major disruption. The plan should incorporate the use of a secondary site and should be designed to ensure that critical information technology (IT) systems can resume operations within two hours following disruptive events. The plan should be designed to enable the FMI to complete settlement by the end of the day of the disruption, even in case of extreme circumstances. The FMI should regularly test these arrangements.

Pay.UK Assessment:
• Pay.UK has introduced an integrated Business Continuity Management Framework document set, available to all staff via the SharePoint web portal. The framework sets out the incident management processes and covers four main scenarios, which are an Operational Incident, Settlement incident, loss of building and loss of key service, in order to support the resilience of Pay.UK services, i.e. Bacs and FPS.
• Pay.UK’s key suppliers are required to have a business continuity plan designed to enable the rapid recovery and timely resumption of critical operations following a wide-scale or major disruption, by ensuring that the key input, processing and output activities are resumed in an orderly and timely manner.
• Pay.UK’s key suppliers are certified to ISO22301 Business Continuity Management and ISO27001 Information Security Management; these certificates are provided as part of the agreed assurance process which also includes regular meetings to discuss the services provided.
• Pay.UK and its key supplier’s Incident Management processes are aligned to coordinate the management of impacts and response actions. Testing is also coordinated; this testing is supported by a tailored Continuity “Live Proving” plan for each service, scoping a number of scenarios and dates.
• The Service Continuity Plan and Live Proving Plan, plus test reports, are reviewed by Operations Committee. The ISAE3000 Risk assurance activity confirms that all security and availability assurances are received (if not, supplementary assurances are sought from the supplier) and a report is provided to the Risk Committee.
• We are in the process of embedding the Pay.UK Business Continuity and Incident Management plan, which will include full testing requirements.

Key Consideration 17.7: An FMI should identify, monitor, and manage the risks that key Participants, other FMIs, and service and utility providers might pose to its operations. In addition, an FMI should identify, monitor, and manage the risks its operations might pose to other FMIs.

Pay.UK Assessment:
• Pay.UK has a risk management framework in place with a clear risk taxonomy that supports the management of legal, credit, liquidity, operational and general business risks.
• Pay.UK ERMF regularly reviews risks (including those resulting from interdependencies). This includes reviewing and modelling systemic risk in the wider Retail Payments Ecosystem. To this end, Pay.UK is undertaking a mapping exercise in respect of the Payments ecosystem which will document identified interdependencies.
• Pay.UK’s Risk Team has identified the systemic cyber risks to the ecosystem; these cyber risks are managed by its primary supplier and against Pay.UK’s operations. These risks are being monitored and reviewed monthly in accordance with Pay.UK’s governance structure.

4.13 Principle 18 - Access and Participation Requirements

Access and Participation Requirements
Rating: Broadly Observed

An FMI should have objective, risk-based, and publicly disclosed criteria for participation, which permit fair and open access.

Summary
This principle is broadly observed. Whilst Pay.UK has risk-based processes in place for participation, and Pay.UK risk management processes require all current risks to be regularly and objectively identified, assessed and mitigated where required, Pay.UK is addressing a number of challenges to implementing the FPS aggregator model. This risk assessment approach applies equally to all risks brought to the payment systems by any new indirect or direct Participant types, using their established risk assessment methodologies. In addition, Pay.UK has identified and is looking at how to mitigate concentration risks following Pay.UK’s access review; hence this assessment is broadly observed.

Key Consideration 18.1: An FMI should allow for fair and open access to its services, including by direct and, where relevant, indirect Participants and other FMIs, based on reasonable risk-related participation requirements.

Pay.UK Assessment:
• Given the nature of the two payment systems, Pay.UK has in place different access processes. Pay.UK is developing a streamlined access management process so the systems are accessible to Participants in the simplest manner, commensurate with the underlying risks.
• Pay.UK has dedicated On-boarding Managers (and supporting team) for both Bacs and FPS, and they actively engage with prospective Participants. The On-boarding Managers provide introductory information to the prospective new Participant outlining requirements for the services whilst also exploring the potential Participant’s requirements and needs.
• All access and eligibility criteria for the Bacs and FPS services are objective and risk based. These are disclosed on the FPS and Bacs websites.
• The Participant assurance model is risk based and the scope continually reviewed to determine whether it focuses on the highest areas of risk.

Bacs
• For direct participation Bacs has the following Bacs Direct Membership requirements which are stated on the Bacs website. To become a Direct Participant of Bacs a number of criteria need to be met. Each Participant must:
  o Have a settlement account at the Bank of England
  o Carry out business and operate an office in the EEA
  o Meet agreed technical and operational requirements, including having an agreement in place with the approved Pay.UK supplier (or another provider of approved clearing services), and having an approved trust service either a bank or building society.
  o Enter an agreement in respect of participation, and of the settlement arrangements
• Non-direct Participants are invited to join the Electronic Payments Affiliate Interest Group. The criteria identified above apply to current and prospective full Bacs Participants (indirect Participants have a relationship with their sponsoring Bacs Participant).
• We are working to confirm that a participation criterion is not too onerous and that the requirements are commensurate with the underlying risks.

FPS
• The access criteria for FPS are the minimum necessary to enable a safe, secure and resilient payment system which operates 24 hours a day; 7 days per week. All Pay.UK’s access and eligibility criteria are objective and risk based.
• In accordance with Rule 2 of FPS rules, to participate in the payment system, a Participant will be required to:
  o be an authorised Payment Services Provider (PSP) under the Payment Services Regulations (2009)
  o hold a GB Sterling Settlement Account at the Bank of England, or be able to use a GB Sterling Settlement Account held by a Group Company at the Bank of England
  o be able to comply on a continuous basis (i.e. 24*7) with the technical and operational requirements of the system
  o have, or be eligible to hold at least one unique
  o commit to pay any additional legal costs incurred by Pay.UK with regard to their participation
  o validly execute and remain party to all FPSL legal agreements
  o for overseas entities confirm that agreements are legally binding and enforceable

Key Consideration 18.2: An FMI’s participation requirements should be justified in terms of the safety and efficiency of the FMI and the markets it serves, be tailored to and commensurate with the FMI’s specific risks, and be publicly disclosed. Subject to maintaining acceptable risk control standards, an FMI should endeavour to set requirements that have the least-restrictive impact on access that circumstances permit.

Pay.UK Assessment:
• Pay.UK has two different participation requirements for Bacs and FPS. It is in the process of making participation requirements consistent across Bacs and FPS. The participation requirements of Bacs and FPS are commensurate to operating in the UK Retail payments ecosystem. Consequently, entities are required to operate under English Law and to hold settlement accounts with the Bank of England. Bacs and FPS only process GB Sterling payments.
• The Bacs participation requirements are designed to allow the Bacs clearing and settlement to proceed as planned. The FPS requirements are the minimum necessary to allow safe, secure and resilient payment systems which operate 24 hours a day; 7 days per week. These requirements are risk-based and designed to enable a safe and efficient process.

Bacs Participation Requirements
• All classes of Participants (i.e. Bacs Participants, Commercial bureaux, Affiliates, Cash ISA Participant, and Current Account Switching Service Participants) are subject to the same access criteria within their classification. This will also apply to any new Payment Service Provider or FinTech vendor that joins under the new access model.
• Bacs access restrictions and requirements are reviewed each time a new Participant joins (or an application is significantly progressed).
• The last time BPSL conducted this self-assessment, it had requested to seek a rules to allow Non-bank Payment Service Providers (i.e. entities that are not Credit Institutions) to be eligible to join Bacs, thus widening the pool of potential applicants. This was on the basis of a risk-based assessment, and required a non-objection from the Bank of England (FMID). This was progressed and in May 2018, the first Non-Bank PSP using its own fund was on-boarded to the Bacs service. All criteria are disclosed on the Access area of the publicly-accessible Bacs website, under the area appropriate to the type of Participant.

FPS Participation Requirements
• FPS is a Deferred Net Settlement (DNS) service requiring settlement between Participants in Central Bank Money; therefore, they must have a Bank of England account. Participants must be a registered Payments Service Provider (PSP) with the PRA. The risk of financial loss is covered in the RCAA and Participants are required to lodge cash with the Bank of England to cover settlement.
• Requirements for indirect Participants (in FPS Rules) are not mandatory except for:
  o Legal requirements
  o Sort code addressability
  o Other requirements of indirect Participants are a matter for commercial negotiation between the indirect and their sponsoring Participant.
• Requirements of a payments service provider are stated in the 2nd Payment Service Directive. Participants are required to have a settlement account with the Bank of England. The decision to grant a settlement account is made by the Bank of England. The Bank of England risk assesses applicants before approving. There are different but consistent criteria for Direct Agencies as they do not need a settlement account. FPS Rules containing the participation criteria are available on the FPS website.

Key Consideration 18.3: An FMI should monitor compliance with its participation requirements on an on-going basis and have clearly defined and publicly disclosed procedures for facilitating the suspension and orderly exit of a Participant that breaches, or no longer meets, the participation requirements.

Pay.UK Assessment:
• Pay.UK monitors compliance to requirements on an on-going basis via operational performance monitoring and through a Participant Assurance Model. Procedures for the orderly suspension and orderly exit of a Participant breaching requirements or in a default scenario are clearly defined and available under Non Disclosures Agreements (NDAs).

Operational Performance Monitoring
  o Technical problems are highlighted when operational incidents occur.

  o These incidents are reported and rectification activity is monitored by Pay.UK.
  o Disciplinary procedures for persistent incidents/non rectification are managed through a points system and the Performance Enhancement Reviews (PER) process.

Participant Assurance
• Pay.UK gains assurance that Participants, for both Bacs and FPS, meet requirements through an Assurance model that has the following elements:
  o An assurance statement and attestation completed by Senior Manager (SMR) registered role holders on behalf of Participant organisations against a set of risk based requirements. The requirements require the additional attestation from the Participant’s SMR Registered Head of Internal Audit.
  o Non-rectification of an issue of sufficient magnitude results in a ‘Derogation’ which is a formal escalation, acceptance, and tracking of a Participant operational deficiency accompanied by a plan to rectify within a specified timeline.

Participant Suspension / Orderly Exit
Bacs
• For Participants of the Bacs systems, there is on-going compliance with the access criteria, principally through event monitoring. This captures and reports all unwanted events and summarises these in the Risk Profile report, and agrees remedial action where appropriate. Credit rating monitoring and the Codes of Conduct process also assist this.
• A Bacs Participant whose risk profile deteriorates will be assessed by Risk committee, on the basis of evidence provided to the committee by Participants or Bacs. For example, a failure to comply with the operational documents (e.g. as noted by Bacs in the Codes of Conduct returns or advised by Pay.UK’s supplier in its monthly SLA report) will be reported as a non-compliance, and a remedial plan will be required and reviewed by Risk committee.
FPS
• For FPS, Participant suspension or orderly exit processes are included in the FPS Rules and Procedures. Specifically, the RCAA specifies procedures at a Participant default. If Participants have material breaches or they no longer have the assets to meet criteria/back up payments, then the relevant Participant is suspended.
• Resolution of operational incidents or technology failures is managed through event monitoring and review. Suspension and orderly exit processes are covered in the Settlement Agreement.

4.14 Principle 19 - Tiered Participation Arrangements

Tiered Participation Arrangements
Rating: Broadly Observed

An FMI should identify, monitor, and manage the material risks to the FMI arising from tiered participation arrangements.

Summary
This principle is broadly observed. Pay.UK has a process in place for identifying, monitoring and managing material risk as highlighted in Principle 3. However, Pay.UK is working towards an integrated process for the analysis of the maximum output volumes to an Agency bank in relation to sponsoring Participant volumes, and the analysis of the maximum settlement values for an Agency bank in relation to sponsoring Participant volumes. Pay.UK has plans in place to address these risks during H2 2019.

Currently, Pay.UK gathers information about indirect participation and reports are developed to assess any material risks; however, Pay.UK is developing a more appropriate method for gathering the information to support the analysis of the risks identified. Three potential risks to Bacs arise generally from tiering:

o Settlement risk: An agency bank with a debit settlement value which is a large proportion of the sponsoring Bacs Participant’s position could default when settlement is due. Prefunding of Participant settlement positions with cash collateral is the main mitigant to settlement risk.

o Operational risk: Should a sponsoring Participant be excluded from Bacs, its agency banks and sponsored users would have no access to Bacs for transaction processing and settlement. To mitigate this, the Bacs system allows for service users to be moved from one sponsoring Participant to another, although it is recognised that this can take time.

o Indirect Participant risk: entities that receive large credit balances may not be able to access these in the event their sponsoring Bacs Participant fails to settle.

Key Consideration 19.1: An FMI should ensure that its rules, procedures, and agreements allow it to gather basic information about indirect participation in order to identify, monitor, and manage any material risks to the FMI arising from such tiered participation arrangements.

Pay.UK Assessment:
• Pay.UK collects information on Faster Payment volumes/values submitted by indirect Participants from the relevant Participants via the CI. This right is exercised on a monthly basis. The Pay.UK Operations team also receive information about FPS Participants’ payment volumes/values each month directly from Pay.UK’s supplier (the CI supplier).
• For the indirect Participants, Pay.UK is able to obtain information (volume and value) from each Participant that sponsors indirect Participants. This enables us to have sight of "on-us" transactions that would otherwise not be visible to Pay.UK.

Key Consideration 19.2: An FMI should identify material dependencies between direct and indirect Participants that might affect the FMI.

Pay.UK Assessment:
• This consideration is not applicable for Bacs as the Bacs indirect Participants still settle through a direct Participant. The response for FPS is the same as that provided at Key Consideration 19.1.

Key Consideration 19.3: An FMI should identify indirect Participants responsible for a significant proportion of transactions processed by the FMI and indirect Participants whose transaction volumes or values are large relative to the capacity of the direct Participants through which they access the FMI in order to manage the risks arising from these transactions.

Pay.UK Assessment:
• Pay.UK monitors the monthly transaction volumes for all Bacs and FPS Participants.
Bacs
• For Bacs, Pay.UK monitors the volume and value of transactions being processed of Direct Participants, Indirect Participants and Settlement software providers. The level of assurance activity is commensurate with the market share and value and volume of transactions processed.
FPS
• For FPS, participants are allocated a tiering level based on their volumes and value of transactions with different levels of assurance activity commensurate with the number and value of transactions being processed.

Key Consideration 19.4: An FMI should regularly review risks arising from tiered participation arrangements and should take mitigating action when appropriate.

Pay.UK Assessment:
• Pay.UK is working on developing an integrated process in order to mitigate risks. The response provided for FPS Key Consideration 19.1 is also applicable for this Key Consideration.


4.15 Principle 21 - Efficiency and Effectiveness

Efficiency and Effectiveness

An FMI should be efficient and effective in meeting the requirements of its Participants and the markets it serves.

Rating: Broadly Observed

Summary

This principle is broadly observed, because the Pay.UK transformation journey outlined within this report is an on-going evolution. During the reporting period Pay.UK has developed its foundation strategy which sets the organisation’s strategic objectives. A key element of Pay.UK’s strategic framework is to balance its six strategic objectives, and how it facilitates competition and innovation, whilst ensuring an appropriate resilience across the ecosystem. Pay.UK’s strategic priorities are set over the next three years 2019 - 2021. As Pay.UK is still within its first year as a fully functional organisation, it is difficult for it to demonstrate the full benefits of the strategy and how it has been efficient and effective for meeting the requirements of its Participants and the markets it serves. The strategy will evolve over time as the organisation continues to develop.

Key Consideration 21.1: An FMI should be designed to meet the needs of its Participants and the markets it serves, in particular, with regard to choice of a clearing and settlement arrangement; operating structure; scope of products cleared, settled, or recorded; and use of technology and procedures.

Pay.UK Assessment:

• Pay.UK has been established to support a vibrant UK economy enabling a globally competitive payments industry through the provision of robust, resilient, collaborative retail payment services, rules and standards for the benefit, and meeting the evolving needs, of all users.

• In setting the six core strategic objectives, the Board has taken into consideration the many different parties involved in the process of enabling, initiating, processing, and receiving payments across the UK economy. Hence, one of its specific objectives is focussed on ensuring the continued relevance, competitiveness and usefulness of the services Pay.UK provides as part of the UK payments ecosystem.

• Pay.UK has established representative End User and Participant Advisory Councils to advise and provide constructive challenge to Pay.UK’s Board. The End User Council met for the first time in March 2018 and the Participant Advisory Council in June 2018. Further information on both Councils can be found on Pay.UK’s website at https://www.wearePay.UK/who-we-are/.

• We elicit Participant feedback through a number of different forums and consultation groups. Thus the scope of products offered, settlement models etc., are driven by a mix of market requirements and regulatory requirements. In addition, to serve the needs of Participants and to maintain robust and resilient payment services, Pay.UK will:

o Avoid payment and liquidity risk and identify where appropriate systemic risks arising in the retail payments systems to give payment certainty.

o Be collaborative and responsive in order to allow payments services to operate in line with continually evolving End User needs.

o Catalyse and lead collaborative innovation, including new products for the benefit of consumers, End Users and the economy.

Key Consideration 21.2: An FMI should have clearly defined goals and objectives that are measurable and achievable, such as in the areas of minimum service levels, risk management expectations, and business priorities.

Pay.UK Assessment:

• Pay.UK’s goals and objectives are clearly defined and also disclosed on the Pay.UK website. Pay.UK has established a suite of KPIs and KRIs that will enable the achievement of these goals and objectives to be monitored.

Key Consideration 21.3: An FMI should have established mechanisms for the regular review of its efficiency and effectiveness.

Pay.UK Assessment:

• Operationally, the previous operators had established mechanisms in place for the regular review of their efficiency and effectiveness. These were all reported in the last PFMI disclosure. During the transformation journey these mechanisms were maintained.

• As mentioned above, Pay.UK has developed preliminary KPIs to measure the performance of the organisation. Pay.UK Operations is working on an integrated process to enable regular reviews of its efficiency and effectiveness.


4.16 Principle 22 - Communication Procedures and Standards

Communication Procedures and Standards

An FMI should use, or at a minimum accommodate, relevant internationally accepted communication procedures and standards in order to facilitate efficient payment, clearing, settlement, and recording.

Rating: Observed

Summary

FPS fully observes this principle as it utilises a mixture of internationally accepted communication procedures and standards to facilitate payment. This principle is not applicable to Bacs as, since it was created in 1968, Bacs has used a different standard (Standard 18). Standard 18 is converted by Pay.UK’s supplier into ISO 8583 (which is an international standard).

Pay.UK has set up an advisory group, the Industry Standard Coordination Committee (ISCC), to consolidate feedback on Communication Procedures and Standards. ISCC was set up as an advisory group to the Standards Authority (SA) to help review and validate the Pay.UK standards as they develop and evolve.

Key Consideration 22.1: An FMI should use, or at a minimum accommodate, internationally accepted communication procedures and standards.

Pay.UK Assessment:

• Whilst the communication standard used by FPS, ISO 8583, is an international standard, the standard used by Bacs, Standard 18, is not an international standard.

• FPS uses internationally accepted communication procedures. FPS employs a Multi-Protocol Label Switching ('MPLS') based network provided by a major telecoms provider to interconnect the FPS Participants through a real-time switch operated by Pay.UK’s supplier. Within this network, the service complies with international messaging standard ISO 8583.

• Direct Corporate Access (DCA) enables Corporates to submit payment files via a secure internet connection to the Pay.UK supplier’s URL.

• Communications between Pay.UK’s supplier and Bank of England RTGS for settlement are carried via third party using standard message formats. Direct Participants can accept payments from their customers in a variety of formats but always convert them into ISO 8583 for submission into FPS.

• As mentioned above, this principle is not applicable to Bacs, as DCA Participants are permitted by FMID to use the Bacs Standard 18 format, which is not an international standard but is converted by Pay.UK’s supplier into the ISO 8583 standard for onward submission.


4.17 Principle 23 - Disclosure of Rules, Key Procedures, and Market Data

Disclosure of Rules, Key Procedures, and Market Data

An FMI should have clear and comprehensive rules and procedures and should provide sufficient information to enable Participants to have an accurate understanding of the risks, fees, and other material costs they incur by participating in the FMI. All relevant rules and key procedures should be publicly disclosed.

Rating: Observed

Summary

This principle is observed, as Pay.UK maintains clear and comprehensive rules which are fully disclosed to Participants. Pay.UK believes that the legal basis is sound and always supported by contractual arrangements.

The rules, procedures and contracts are clear, understandable and consistent with the relevant laws and regulations in which it operates. These include the costs and fees, outlining the cost per click charging structure. Pay.UK provides support to potential Participants in assessing their risks if required.

Key Consideration 23.1: An FMI should adopt clear and comprehensive rules and procedures that are fully disclosed to Participants. Relevant rules and key procedures should also be publicly disclosed.

Pay.UK Assessment:

• Pay.UK has adopted comprehensive procedures as highlighted within the response for Principle 1. Participation agreements require compliance with Pay.UK’s payment system rules, which in turn require Participants to comply with the operating requirements of the service. All documentation is available to all Participants (and to applicants under NDA). The Payment System rules and procedures are made available to the Participants.

• The participation agreements that have been drafted for Bacs and FPS require compliance by Participants with the relevant Payment System rules, which in turn require Participants to comply with the operating requirements of the system. All documentation is available to all Participants (and to applicants under NDA).

• Pay.UK reviews any requested changes to Bacs and FPS rules and procedures with Participants through consultations. Bacs and FPS rules and procedures are referenced in contracts, which comply with relevant English law. Bacs and FPS rules, procedures and contracts are also available for review by Participants’ legal departments.

Key Consideration 23.2: An FMI should disclose clear descriptions of the system’s design and operations, as well as the FMI’s and Participants’ rights and obligations, so that Participants can assess the risks they would incur by participating in the FMI.

Pay.UK Assessment:

• All existing Participants of the Pay.UK service have access to the system’s design and operations as well as all rules and procedures, which include Participants’ rights and obligations. Changes to the rules and procedures are managed through appropriate committees.

• All key documents in relation to the systems are disclosed and accessible.

Key Consideration 23.3: An FMI should provide all necessary and appropriate documentation and training to facilitate Participants’ understanding of the FMI’s rules and procedures and the risks they face from participating in the FMI.

Pay.UK Assessment:

• All existing Participants have access to all rules and procedures documents and Pay.UK can provide training or explanations for these. Any changes to the rules and procedures are managed through an appropriate committee with any changes to the main Payment System rules requiring Board agreement.

Bacs

• For applicant Participants, all rules and procedures are provided for consideration by the applicant, under NDA, and Bacs meets with new applicants (or new staff at existing Participants) to explain requirements as needed.

FPS

• All Participants of FPS are provided with documentation and training required to enable them to understand the rules, procedures and risks they face.

Key Consideration 23.4: An FMI should publicly disclose its fees at the level of individual services it offers as well as its policies on any available discounts. The FMI should provide clear descriptions of priced services for comparability purposes.

Pay.UK Assessment:

• Pay.UK discloses the costs of participating in the Bacs and FPS Services, in terms of the price per click model, within the respective services’ websites.

Bacs

• Bacs tariff is published annually to all Participants. This information is made available to prospective and applicant Participants under NDA. Overall Bacs membership costs are described on the Bacs website.

FPS

For FPS, this includes the full costs of using the FPS service for direct settling Participants.

o Potential new Participants are provided with financial information before they make the decision to join the service.

o Disclosure of detailed costs to potential new Participants is completed under the Non-Disclosure Agreement.

o Costs of participating in the FPS are provided to Participants via the annual company budgeting process and the supplier contract. We also discuss with our supplier the potential costs, external to the onboarder, of the onboarding itself.

o Charges made to the public for use of the FPS Service are a commercial decision for each Participant.

Key Consideration 23.5: An FMI should complete regularly and disclose publicly responses to the CPSS-IOSCO disclosure framework for financial market infrastructures. An FMI also should, at a minimum, disclose basic data on transaction volumes and values.

Pay.UK Assessment:

• The previous operators have provided disclosure of its compliance to the PFMI via its website and it also provides key data on transaction volumes and values. Pay.UK will also disclose its compliance to the PFMI via its website.
