Direct Debit RFP Guide

Compliance & Security

Written by GoCardless
Last edited May 2026

Payments processing is a regulated activity. Choosing a payments provider means trusting them with your customers’ bank account details, your financial flows, and your compliance posture. This section covers regulatory authorisation, information security certifications, access controls, business continuity and disaster recovery, data protection, and GDPR. 

| # | Question | Explanation / what to look for |
|---|----------|--------------------------------|
| 1 | Are you authorised by the Financial Conduct Authority (FCA) or an equivalent regulatory authority in all markets where you operate? | Regulatory authorisation is non-negotiable. Verify the authorisation directly on the regulator’s register; do not rely solely on the provider’s assertion. Understand the specific regulatory permissions (e.g., Payment Institution, EMI) and whether they cover all services in scope. |
| 2 | Is your solution CASS compliant, ensuring that client money is directed to a safeguarded account and segregated from your own funds? | CASS compliance ensures that funds collected on your behalf cannot be used by the provider as working capital or frozen in an insolvency. This is a critical protection if the provider faces financial difficulty. |
| 3 | Do you maintain compliance with the Payment Services Regulations 2017, PSD2, and all relevant payment scheme rules (Bacs, SEPA, BECS, etc.)? | Scheme membership and compliance with payment regulations govern what the provider can do on your behalf. Non-compliance can result in suspension of scheme access, which would immediately affect your ability to collect payments. |
| 4 | Do you adhere to Anti-Money Laundering (AML) and Know Your Customer (KYC) obligations, and how does your onboarding process reflect these requirements? | AML and KYC obligations affect how quickly you can onboard new payers and what documentation may be required. Understand how the provider’s controls balance compliance with user experience. |
| 5 | Have you been subject to any regulatory investigations, FCA actions, or material compliance breaches in the last three years? If so, please describe. | Disclosure of past regulatory issues is standard due diligence. A single minor finding addressed promptly is very different from repeated breaches or ongoing investigations. |
| 6 | How does your solution support us in meeting our Consumer Duty obligations? | The FCA’s Consumer Duty places obligations on firms in the distribution chain. Understand how the provider’s product design, customer communications, and data sharing support your own Consumer Duty assessment. |
| 7 | Do you hold current security certifications such as ISO 27001, and can you evidence this? | ISO 27001 is a baseline certification for a payments provider. Ask for both the certificate and the scope of the certification. |
| 8 | Is all customer and transactional data encrypted at rest and in transit, and what encryption standards are used? | Encryption at rest (AES-256 or equivalent) and in transit (TLS 1.2 or higher) are reasonable expectations. Ask specifically about database encryption, backup encryption, and the provider’s key management practices. |
| 9 | How frequently do you conduct vulnerability scans and penetration tests, and are these performed by accredited third parties? | Annual penetration tests by an accredited external party are the minimum expectation. Ask for the scope of the test, whether it includes the API and customer-facing flows, and how findings are tracked to remediation. |
| 10 | Are your systems protected by Web Application Firewalls (WAFs), DDoS mitigation, and intrusion detection systems? | WAFs protect against common web application attacks; DDoS mitigation prevents availability disruption. Ask whether these are managed services or configured in-house, and what the response process is when they trigger. |
| 11 | Is your platform cloud-native, and in which geographic regions is data hosted and processed? | Cloud-native architectures typically provide better resilience and scalability than on-premise alternatives. Geographic hosting location affects data sovereignty obligations under GDPR and local regulations. |
| 12 | Does your solution enforce Single Sign-On (SSO) and Multi-Factor Authentication (MFA) for access to the payment portal? | SSO reduces password management risk; MFA is a critical control against compromised credentials. Ask whether MFA is enforced or optional, and whether SSO integration with your identity provider is supported. |
| 13 | Does your solution offer Role-Based Access Control (RBAC), allowing us to grant granular permissions to different user types? | RBAC is essential for applying the principle of least privilege, ensuring, for example, that finance staff can view reports but not initiate refunds. Ask how granular the permission model is and whether custom roles can be created. |
| 14 | Does your platform capture a complete audit log of all user actions and system events, accessible for compliance and forensic purposes? | Audit logs are required for regulatory compliance, fraud investigation, and internal audit. Understand the retention period, whether logs are tamper-proof, and how they can be accessed or exported. |
| 15 | Do you have documented, regularly tested Business Continuity and Disaster Recovery plans that cover payment processing specifically? | BCP planning, and certifications around it, show that a supplier has considered and prepared for incidents. |
| 16 | Does your infrastructure feature a redundant multi-region architecture with automatic failover? | Multi-region active-active or active-passive architectures provide resilience against a regional failure. Understand the failover time (RTO) and whether failover is automatic or requires manual intervention. |
| 17 | How frequently do you create data backups, how long are they retained, and how are backups secured against tampering or loss? | Backup frequency (daily vs. continuous), retention period (days vs. months), and security (encrypted, off-site, immutable) are all relevant. Ask specifically whether backups are tested for recoverability. |
| 18 | When was your BCP last tested, and can you describe how the test was conducted and what the outcomes were? | Ask for test frequency, test methodology (tabletop exercise vs. live failover), and how remediation actions are put in place. |
| 19 | How do you ensure and demonstrate compliance with GDPR and applicable data protection regulations? | Understand whether the provider acts as a data controller or data processor for payer data, and what this means for your own accountability. |
| 20 | In which geographic regions is customer and transactional data stored, and how do you manage cross-border data transfers? | GDPR restricts transfers of personal data outside the EEA without adequate safeguards. Understand where your payers’ data is physically stored and what mechanisms (Standard Contractual Clauses, adequacy decisions) are used for any international transfers. |
| 21 | What Personally Identifiable Information (PII) is required from payers, and what data minimisation policies are in place? | Providers should collect only the PII necessary for payment processing. Excess data collection increases your GDPR exposure. |
| 22 | How does your platform technically support data subject rights, such as the right to erasure and the right to access? | Handling a data subject access request or erasure request quickly requires the provider to have built tooling for it. Ask how requests are processed and what the expected turnaround time is. |
| 23 | What is your process in the event of a data breach? How are we notified? | GDPR requires notification to regulators within 72 hours of becoming aware of a breach. Understand the provider’s detection capabilities, their internal escalation process, and how they would notify you as a customer. |
| 24 | Who stores the bank account details collected from payers? How is this data secured? | Bank account data is highly sensitive. Understanding exactly where it is stored, who has access, and how it is protected is fundamental due diligence that every buyer should undertake. |
| 25 | How long is payment and customer data retained, and what is your process for data deletion at the end of the retention period or on request? | Retention policies affect your own data lifecycle management obligations. Understand the default retention period, whether you can configure shorter periods, and how deletion is verified. |
| 26 | How do you monitor and respond to changes in regulatory requirements that affect data protection or payment compliance? | The regulatory environment changes frequently. A provider with a compliance function and a proactive change management process reduces the risk of non-compliance affecting your operations. |

Our sample RFP includes all of the questions above and more. You can download it here and use it as a template for creating your own.

Note: The questions suggested on this page are intended as a starting place for writing your own RFP. They're provided for general information only: they're not intended to be prescriptive or to provide legal advice. We suggest working closely with your management to develop an RFP that is tailored towards the specific requirements of your business.


GoCardless Ltd, Sutton Yard, 65 Goswell Road, London, EC1V 7EN, United Kingdom

GoCardless Ltd (company registration number 07495895) is authorised by the Financial Conduct Authority under the Payment Services Regulations 2017, registration number 597190, for the provision of payment services.