
How to Navigate Regulatory Compliance as a Payment Company

22nd August 2024

As a payment company, complying with regulations is a challenge because:

  • The landscape of payments compliance is constantly fluctuating. Regulators continually add or update guidelines based on market feedback, requiring dynamic processes to keep pace with requirements and maintain auditability. Global companies must also navigate the complexities of complying with regulations that stretch across multiple territories.
  • Regulators rarely provide prescriptive guidance about how to build compliant processes, such as what information to include in reports or how to format reports. Most companies need to solve this independently.
  • You have to evidence how you plan to maintain compliance before it’s necessary – e.g., before launching your business or product, you must demonstrate intentions for safeguarding processes (even though you have no customer funds yet).

A fluctuating landscape and lack of prescriptive guidance mean companies must either rely on external consultation or recruit expertise onto their team.

Luckily, there are ways to overcome challenges by embedding compliance into your business processes (i.e., incorporating compliant behaviours and procedures into your daily operations), using tools to automate compliance tasks, and following the guidance of payments experts.

In this article, we’ll demystify payments compliance by guiding you through:

Looking for a solution to automate payments compliance and report generation? Try a demo of Kani

The three most important regulations in payments compliance

Payments regulations are best sorted into two categories: one-off regulations and ongoing regulations.

One-off regulations don’t require constant compliance activities. If you’re setting up an in-scope business, you embed compliance into processes from the outset. You’re then audited once a year to ensure you meet requirements.

1. Safeguarding compliance

Set by the FCA, safeguarding rules ensure that Payment Service Providers (PSPs) protect customer funds in the event of insolvency. They require companies to store customer funds separately, maintain sufficient funds to cover liabilities, and file quarterly reports to demonstrate compliance.

The FCA’s instructions on safeguarding include:

  • Proving that your company can cover liabilities both now and at any time in the past.
  • Performing an annual safeguarding audit. While the FCA has no current safeguarding audit standard, you’re still required to have an independent auditor confirm that safeguarding provisions meet compliance standards.
  • E-money businesses and relevant financial institutions must safeguard the relevant funds related to different payment services, such as money remittance.
  • Providing evidence that any past reconciliation issues were resolved.

Enhancing customer protection is at the forefront of the FCA’s supervisory strategy. Non-compliance is therefore taken seriously and often results in severe penalties.

The best way to remain compliant with safeguarding rules is to:

  • Perform regular safeguarding reconciliations, ensuring that customer accounts have the correct balances.
  • Maintain an audit trail of safeguarding reports for reference during audits (you’ll need to pull the safeguarding report for any specific date the auditor requests).

2. Fraud Reporting

Fraud reporting is usually volume-based, covering metrics like:

  • Fraud volume (quantity of transactions going through your product)
  • Where fraud is coming from
  • The type of fraud

Regulators use fraud reports to gauge the level of fraud risk in your business. This allows them to forecast future fraud risk, assess actions taken to mitigate fraud, track trends in fraudulent activity, and more.

Robust fraud reporting requires:

  • Ongoing monitoring to detect and measure fraudulent activity in your accounts.
  • Submitting fraud reports that comply with specific standards depending on your geography, such as Rep 17 or EU payments statistics reporting.
  • Demonstrating to regulators the actions you’re taking to prevent and mitigate fraud.

3. PSD2 and Strong Customer Authentication (SCA)

The revised Payment Services Directive (PSD2) is one of the most significant regulatory frameworks reshaping the payments industry in Europe. One of the core elements of PSD2 is Strong Customer Authentication (SCA) – a requirement designed to reduce fraud and enhance the security of electronic payments. PSD2 mandates that payment service providers (PSPs) implement SCA for online card transactions.

SCA is essentially a two-factor authentication process that requires customers to verify their identity through two of three methods: knowledge (a password), possession (their mobile phone), and inherence (fingerprint or facial recognition).

Staying compliant with PSD2 and SCA regulations can be complex, particularly because they apply to a wide variety of payment scenarios.

Payment companies need to implement compliant authentication methods, manage exceptions (such as low-risk transactions), and ensure that their systems remain adaptable as interpretations of the regulations evolve.

Successfully navigating PSD2 compliance requires:

  • Understanding SCA requirements and exemptions: Not all transactions require SCA under PSD2. Payment companies need to stay on top of which exemptions apply (e.g., low-value transactions, recurring payments) and ensure they’re properly categorised.
  • Implementing compliant authentication methods: Businesses need to integrate solutions that securely authenticate users while ensuring a frictionless customer experience. These could include biometric verification, multi-factor authentication, or tokenisation.
  • Staying agile with compliance processes: Given that regulators can revise interpretations of PSD2, payment companies need change-friendly systems and processes to remain compliant even as things evolve.

Fortunately, automated solutions like Kani help to simplify PSD2 compliance by ensuring that payment service providers adhere to SCA requirements. Kani automatically ingests and standardises transaction data, applies the correct authentication criteria, and flags transactions that may require special handling under SCA.

Three effective methods to simplify payments compliance

Derived from our work with payments companies, here are three proven strategies to create robust compliance procedures:

1. Embed compliance into your operations from the outset

Many payment companies treat compliance as an obligatory afterthought, only becoming a factor when a report is due or before an upcoming audit. But this approach leads to inefficiencies, noncompliance, and penalties.

It’s much easier to embed compliance into your operations from the outset – i.e., building your processes with compliance in mind and encouraging compliance-centric behaviours in your company culture.

The following behaviours are key to embedding compliance into your operations:

  • Identify what each regulation requires of you (and the financial and operational processes you’ll need to accommodate the requirements of regulators and auditors)
  • Maintain an audit trail for everything — every reconciliation and report, every change made to reports or reconciliations, and all of your original data.
  • Protect the integrity of your data — maintain a copy of your original financial data for reference, and lock data fields to prohibit unauthorised changes (accidental or fraudulent)
  • Create clear processes for finalising reports — e.g., who reports are circulated to, who provides final sign-off, etc.

Integrating these behaviours is difficult when you’ve already got well-established processes.

Take safeguarding, for example. Embedding safeguarding compliance into your operations means setting up daily safeguarding reconciliations, regular automations to circulate safeguarding reports to key stakeholders, and an easily accessible audit trail to evidence correct funding. These processes are far easier to manage when considered from the very beginning.

2. Develop internal payments expertise so you can strategically navigate the regulatory landscape

The payments industry is in a constant state of flux. Technological advancements, the emergence of non-traditional digital payment methods, and new types of risk all contribute to the ever-evolving regulatory landscape. Keeping up with changing guidelines is a significant burden for many.

Sourcing or hiring payments compliance expertise offers significant time savings. Finding someone with direct experience of licence applications, audits, or compiling regulatory reports helps you:

  • Navigate regulatory guidelines and deal with potential issues — such as ad-hoc audits, new regulations, etc.
  • Take steps to anticipate and prepare for future regulations — e.g., predicting changes to existing regulations, identifying regulatory trends, understanding new payment systems, or adjusting to regional payment processing regulations.
  • Formulate compliance strategies where there aren’t clear or explicit instructions or guidance.

3. Automate regulatory processes to make compliance faster and easier

While it’s best practice to conduct daily compliance processes (such as daily reconciliations and reports), performing processes manually is cumbersome and time-consuming.

For example, manually running and reporting on daily safeguarding reconciliations drains the precious time of your finance team, distracting from core activities like investigations and reconciling variances. Not to mention the risk of error, which is always present when working in spreadsheets.

Thankfully, many software applications today automate critical compliance processes. These include:

  • Account and safeguarding reconciliations
  • Transaction monitoring
  • Anti-Money Laundering (AML) reports
  • Organising data into the correct format
  • Maintaining an audit trail of all documents and activities
  • Taking report snapshots at predetermined intervals
  • Signing off on reports
  • Sending reports to the appropriate parties

Adopting higher levels of automation means that reconciliation occurs within seconds of the data becoming available, rather than hours. It also makes accurate and properly formatted reports available at a moment’s notice.

How Kani automates and embeds payment compliance into your operations

After realising his team was spending too much time and resources on manual reconciliations, our CEO and co-founder Aaron Holmes sought to create an automated solution for quicker and more accurate compliance processes.

So he founded Kani — the reconciliation and reporting solution built by payments experts for businesses in the payment industry, such as BIN sponsors, acquirers, challenger banks, and more.

Kani is tailored to address the specific needs and challenges of payment companies. Through automation and other cutting-edge features, Kani enhances compliance for many critical financial regulations.

Here are a few ways Kani helps create robust compliance processes:

Automated compliance activities

Manually performing reconciliations and generating compliance reports may be the most challenging aspects of payments compliance. Our research finds that more than 50% of the payments industry acknowledges they spend too much time creating regulatory reports.

To give you back this time, Kani:

  • Ingests data from any source: Kani ingests data in multiple formats (such as JSON, CSV, and XLS) and from any data source (such as processors, card transactions, internal ledgers, banks, or third parties).
  • Standardises data according to specifications: Kani automatically standardises your data into a consistent format and presents it in any way you choose. For example, if incoming files have time and date merged into one column, Kani automatically separates them into two.
  • Performs fast and accurate reconciliations without manual intervention: Kani uses advanced record matching to reconcile large and contrasting datasets in roughly 30 seconds. Rather than spending hours combing through accounts each day, your financial team can simply verify reports.
  • Generates properly formatted compliance reports: Kani includes pre-built templates for reports specific to the payments industry — such as safeguarding reports, Mastercard QMR reports, Visa GOC reports, transaction monitoring and fraud reports, e-money reports, and more.
  • Alerts you when there’s a reconciliation break or error: You can create triggers that notify you if there’s a reconciliation error and allocate case managers to investigate based on predefined workflows.

Ensure compliance with high-quality data, detailed audit trails, controlled access, and automated sign-offs

Beyond automated reconciliation and reporting, Kani includes other features to ensure compliance-ready operations. You can use these features to:

  • Preserve data integrity: Though Kani does automatically standardise your data, it maintains an unaltered copy of your source data and locks data fields to prevent further alterations.
  • Maintain detailed audit trails: Kani enables you to maintain a complete audit trail with:
      • Timestamps: Any time someone makes a change to your data (such as when reconciling a variance), Kani marks the change with a timestamp that includes information about who made the change and when.
      • Snapshots and version control: You can configure Kani to take snapshots of your documents at intervals you choose.
  • Track investigations: You can use Kani to assign the task of investigating a variance to an employee and track the entire process through the platform using notes, attachments, and timestamps.
  • Set up multiple types of user access: Our automated platform provides you with multiple ways of accessing your data. To save downloading and transferring large volumes of data for audits, Kani allows you to offer time-limited, read-only access to auditors.
  • Streamline sign-offs: Automated signatures allow senior staff to sign off reports, creating a formalised process to determine the final version.

Navigate compliance challenges with payments expertise by your side

Navigating regulatory requirements is always more difficult without the guidance of legitimate expertise. We’re proud that our team consists of payments professionals with direct operational experience.

Kani isn’t just another solution – we’re a group of payments, data and tech experts united by the goal that payments compliance should be simple. We’ll work with you to:

  • Tailor the solution to your needs: Most reporting solutions involve a steep learning curve. But with Kani, our team builds data ingestion pipelines and tailors data standardisation, reconciliation, and reporting processes to your specifications.
  • Get a second opinion on your regulatory reports: We’ve worked with many payment companies that have been audited and successfully received licences. If you’re not sure about a specific type of report, we can take a look and share what we’ve seen in our work with other companies.

How one client used Kani to build a unique report, provide an auditor with read-only access, and easily pass an ad-hoc audit

One of our financial services clients used Kani to prepare for and pass an ad-hoc audit in less than three weeks.

The auditor made a highly specific request to access data, necessitating a custom report. Standard templated reports couldn’t accommodate their needs, and a complex series of spreadsheets would have hindered data analysis. So we worked with their team to build a tailored report, successfully consolidating data from over 10 sources.

Rather than compiling and sharing over 10 spreadsheets, our client granted their auditor read-only access to the platform. During a specified time window, the auditor could sort, filter, and amend the report as needed. This approach ensured the audit was passed without all the typical manual data work involved in generating and sharing custom reports.

Use Kani to make payments compliance easier and more reliable

Everything in finance is underpinned by regulation, and the payments industry is no exception. But the lack of prescriptive guidance, an evolving regulatory framework, and the challenge of maintaining auditability make it difficult to remain compliant.

Finding an effective compliance solution for specific requirements is tough, especially when many software packages cater to a broad spectrum of financial businesses. Having experienced the complexities of payments compliance first-hand, we’ve designed our software specifically for payments companies like yours.

Kani offers a comprehensive tool to automate compliance processes, maintain data integrity, and generate custom reports. With our platform and expertise, you can focus on growing your business knowing your compliance needs are fully covered.
