The Bank of England has imposed an £11.9m fine on Vocalink Limited after the company failed to meet compliance obligations under section 196 of the Banking Act 2009.
This marks the first time the Bank has fined a financial market infrastructure firm, signalling its commitment to enforcing standards across UK payment systems.
Vocalink, regulated by the Bank since April 2018 as a specified service provider, was directed in 2021 to address identified weaknesses in its systems and controls under section 191 of the Act. Despite implementing a remediation programme, the company failed to meet the Direction’s requirements by the February 2022 deadline due to an ineffective risk management framework and weaknesses in its governance, controls and escalation processes.
Bank of England deputy governor for financial stability Sarah Breeden said, “Vocalink fell short of its obligation to have adequate risk management and governance arrangements when responding to the Bank’s Direction. Its failure to comply with that Direction in full has resulted in a significant fine.”
The investigation revealed that Vocalink’s compliance failure was rooted in a lack of an integrated risk management framework for the remediation programme. This hindered the firm’s ability to understand, monitor and share risks across its three lines of defence and with external assurance providers. The investigation also found failures in escalating critical risks and information to senior committees, undermining the firm’s ability to meet the required standards.
Despite the failures, Vocalink has since invested significantly in strengthening its systems to address the issues that led to the Direction and the subsequent compliance shortcomings. The company’s cooperation during the investigation and its early admission of the compliance breach resulted in a 15% reduction in the penalty, with an additional 30% reduction applied for agreeing to resolve the matter promptly. Without these reductions, the fine would have totalled £20m.
This enforcement action by the Bank underscores the importance of robust governance and effective risk management in the UK’s payment systems and financial market infrastructure landscape.
Areg Nzsdejan, CEO of Cardamon, offered his view on why this mattered for the FinTech and financial services industry on LinkedIn.
He said, “Vocalink’s core issue was a fragmented framework that failed to knit operational, technology and governance risks into one view. When risk sits in silos, problems hide in the gaps.”
He also outlined that escalation paths must work under pressure. “The Bank found that key risks never reached senior committees. If decision-makers do not see the signal, controls will fail no matter how many layers of oversight you add.”
Nzsdejan concluded with a three key point – that regulators are not messing around. “From the BoE’s fine here to the FCA’s £21 million penalty for Monzo this week, enforcement actions are growing bolder—and faster. Firms that wait for a notice letter before acting will find the cost far higher,” he said.
Keep up with all the latest RegTech news here
Copyright © 2025 RegTech Analyst
Copyright © 2018 RegTech Analyst
