By John Burns, Advisory Board member, My Compliance Centre
The era of simply telling the Financial Conduct Authority (FCA) you are compliant is well and truly over. We now live in the age of “show me”.
For payments firms striving to follow regulations, this means providing evidence to support narratives. And if that evidence isn’t available immediately, the conversation can quickly shift towards the FCA issuing Section 166 (s166) notices. These are expensive, invasive independent reviews that no CEO wants to pay for.
To avoid the s166 route, management teams must fundamentally change how they document oversight, while keeping in mind a basic truth that if your board minutes look perfect, you could have a problem.
The “sweetness and light” trap
There is a natural human desire, particularly among founders and executives, to present a united front. In my career, I regularly saw board minutes where reports on safeguarding, AML and liquidity were “noted” and “approved” without comment.
From a regulator’s perspective, this is a significant red flag. For example, I once had a client where the company secretary minuted a disagreement during a board meeting. The CEO pressured her to remove it because they wanted to show that everything was “sweetness and light”. That is exactly the wrong approach. The FCA wants to see the tension. They want to see the challenge.
If a safeguarding breach occurs – even a minor one lasting half a day – attributing it to human error is no longer an acceptable defence. The board must be seen asking: “Why did our systems allow that human error? What controls were missing?”
If those questions aren’t in the minutes, legally – and as far as the FCA were concerned – they weren’t asked.
Silence is expensive
The financial consequences of an s166 review can be eye-watering, as FCA data for 2024/25 shows. The regulator used this power in 47 cases – three of which involved payments firms.
The aggregate cost incurred across the 47 firms for s166 work was £44.7m and related to issues including Consumer Duty, governance and culture, systems and controls, risk management, financial crime, and market abuse and transactions.
Data over narrative
The “show me” standard also applies to the management information (MI) presented to the board. It is insufficient to state that financial crime is under control; you need to produce granular data that tracks trends over time, including:
- Risk profiles: The specific risk rating of accounts opened versus accounts held.
- Volume metrics: Number of alerts generated versus suspicious activity reports (SARs) filed.
- External queries: The volume of inquiries from banking partners or liquidity providers.
The value of a challenging NED
Finally, board composition is under scrutiny. In many payments companies, the board is made up entirely of executives working in the business. While they are knowledgeable about the firm’s business, they lack the necessary independence and distance to challenge the narrative, and this can lead to the FCA feeling that the board is marking its own homework. (Not that this is a pitch for a non-exec role on my part.)
Independent non-executive directors (NEDs) are essential not just for optics, but for survival. In the past there has been a perception that such roles are easy money for retired executives, involving being well paid for merely turning up to the odd meeting. But this is not what the FCA is looking for.
A NED with too many appointments will be hard pushed to give the time and attention expected. They must be active challengers, asking the uncomfortable questions about risk appetite to which executives, who are deep in the operational weeds, might have become desensitised.
Your warts-and-all minutes are your shield. If they don’t record the challenge, the disagreement and the resolution, you are leaving your firm exposed.