The establishment of NZ Consultants was conceptualised as a high-performance professional consultancy firm

Who We Are

The establishment of NZ Consultants was conceptualized as a high-performance professional consultancy firm at one of the several meetings at the Cafés of East London for providing services to the Financial Services Sector. As Financial Services is a highly
specialised market there is a requirement for the professionals to have a very strong background with a good understanding of the sector.

As a firm, we can provide a very specialised service in preparing, applying and follow-up support related to applications to the Financial Conduct Authority for different licences in case you want to carry put a regulated activity which requires a prior authotisation from the regulatory authorities.

Our Services



Brexit has happened  with the UK government triggering Article 50 with the official notice that the British EU envoy Tim Barrow delivered a letter by hand to the European CouncilRead More »


The UK is a uniquely well-suited location for technology applied to financial services – Fintech.

Read More »


E-Money Institution (EMI)

Electronic money (e–money) is electronically (including magnetically) stored monetary value, represented by a claim on the issuerRead More »

Consumer Credit Licence

Firms must be authorised by the FCA, or have interim permission, to offer consumer credit. Firms authorised under the Consumer Credit licence can offer servicesRead More »

Authorised Payment Institution (API)

Becoming an Authorised Payment Institution (API) is a challenging application procedure in this highly regulated market.Read More »

REP018 Operational and Security risk

The New Operational and Security Risk Assessments Guidelines by FCA: What Does It Mean To PSPs?

In June 2018, FCA published its proposal Approach on how payment service providers (PSPs) should provide operational and security risk assessment to FCA annually under SUP 16.13.15. The FCA published this policy after EBA had already prepared its final guidelines December 12th last year. Since then the FCA has had the opportunity to publish the final guidelines, but they finally did it June this year. What does this mean for payment service providers?

The background

Under the FCA, all PSPs must have an effective operational and security management framework that relates to the services they offer. Since the EBA published its final guidelines, it has been up to FCA to publish it, but now that it has implemented it, the guidelines are now officially introduced into national law. Even if the consultation does not tell us much, it introduces PSPs to a new and essential requirement. All PSPs need to submit the risk assessment reports of their operational and security risk every year. It must be related to the services they provide.

The published guideline on FCA also acts as a form of direction that all PSPs must follow. All PSPs including payment institutions, credit institutions, registered account service provides and e-money institutions, whether registered or authorized must abide by the guidelines. Each PSP must submit the latest risk assessment, details of the number of security-related complaints from the customer, the audit and their findings.

The new guidelines are also designed to highlight key areas which FCA has identified as potential for operational and security concerns. Potential concerns include the way payment accounts are assessed for:

  • Account Information Services (AIS) purposes
  • Payment Initiation Services (PIS purposes
  • Expectations where PSPs use third parties

These changes are made available in the FCA’s supervision handbook. The FCA is also mandating additional proposals such as:

  • The operational and security risk management by the PSPs should be proportionate to the nature, size, scope, riskiness, and complexity of its payment services and operational models it offers.
  • PSPS should also consider how agents introduced the security or operational risk. It is the PSP responsibility to ensure that every identified risk are mitigated.
  • The PSP operational and security risk framework also needs to set out mitigation measures when outsourcing relevant payment services they offer. The guidelines apply whether they outsource the services within the PSP’s organization or other organizations. Even when you outsource to parties that fall outside the FCA’s regulations, they still have full responsibility to discharge their obligations under the FCA’s regulatory perimeter.
  • Any PSP firm that wants to outsource these obligations to a third party IT Company or the cloud should consult and seek the assistance of an FCA’s specialist.

It is not a must for FCA’s specialist to take the risk assessment task for your PSP. Your internal audit team can undertake the assessment task or hire a professional company that can help you with the process. The FCA has made everything clear for everyone and expects PSPs to comply with the published guidelines

Our Clients

Our Blog

REP018 Operational and Security risk

The New Operational and Security Risk Assessments Guidelines by FCA: What Does It Mean To Payment and E-Money Services? In [...]

Read More

Open Banking in the UK

Open Banking aims to increase the number of companies that can offer financial services and to enable them to [...]

Read More

PSD 2: Re-authorisation

PSD2 has been implemented in the UK through the Payment Services Regulations 2017(link is external) (PSRs 2017). The FCA had issued a [...]

Read More

Our Partners