Every applicant has obligations to protect its customers’ sensitive payment data, which could be used to carry out fraud in the context of its business model. Applicant should provide the procedures in place to authorise access to the sensitive payment data, the monitoring tool used in the IT system and technical security measures that have been implemented including encryption and/or tokenisation with description of the annual internal control program in relation to the safety of the IT systems.
Provide the description of the business continuity arrangements that include a business impact analysis covering the business processes and recovery objectives, the identification of the back-up site, access to IT infrastructure and the key software and data to recover from a disaster or disruption, an explanation of how the applicant will deal with significant continuity events and disruptions, the frequency with which the firm intends to test the business continuity and disaster recovery plans and any description of the applicant firm’s mitigation measures.
Provide a description of the principles and definitions applicable to the collection of the statistical data on performance, transaction and fraud that would be routinely made to the FCA after authorisation.
Provide a description of the applicant firm’s security policy document which include detailed risk assessment of services the firm intends to provide with risks of fraud, the security control (including Strong Customer Authentication) and mitigation measures taken to adequately protect customers against the risks identified.
Provide a description of the internal control mechanisms that the applicant firm has established to comply with its obligations under money laundering and counter terrorism financing legislation.
A condition of authorisation is that the applicant must satisfy the FCA that any persons having a qualifying holding in it are fit and proper persons. It must show they have regard to the need to ensure the sound and prudent conduct of the affairs of the institution.
Additionally, it must provide suitability assessment of directors and persons responsible for the management of the e-money institution are of good repute and possess appropriate knowledge and experience to issue e-money and perform payment services.
Provide a projected average outstanding electronic money at the end of the first year of authorisation, estimate the relevant income projected for the first year of authorisation in relation to its unrelated payment services business and whether the FOS exemption applies with supporting evidence for the exemption.
Application is submitted online through the ‘Connect’ system on the FCA website where relevant forms can be completed together with the relevant application fees to be paid.