
Bank of England Fines Vocalink for Compliance Failures: A Wake-Up Call for Critical Payment Infrastructure


Vocalink, the Mastercard-owned entity responsible for powering the UK’s real-time payments infrastructure, has been fined £1.89 million by the Bank of England for failing to meet regulatory requirements under the Financial Market Infrastructure (FMI) regime. As reported by Finextra, the sanction highlights serious concerns around operational resilience and regulatory transparency within a systemically vital institution.

This is not just about a procedural breach — it reflects the growing scrutiny on infrastructure firms operating behind the scenes of the financial system.


What Happened: Failures in Risk Management and Notifications

The Bank of England identified multiple breaches of the Recognition Order applicable to Financial Market Infrastructures. Specifically, Vocalink was found to have:

  • Failed to maintain adequate risk controls around system change management
  • Breached notification requirements, by not informing the Bank of material changes in a timely manner
  • Lacked appropriate governance structures for key decisions relating to the Faster Payments Service (FPS)

These failures occurred between 2019 and 2022 — a period during which the FPS was rapidly scaling due to the rise in digital and instant payments across the UK.

Although no outage or customer loss occurred, the Bank deemed the compliance gaps “significant enough to warrant public sanction,” especially given Vocalink’s role in underpinning billions of pounds in daily real-time transactions.


Why This Matters: When Critical Infrastructure Fails the Basics

Vocalink’s role in the UK payment ecosystem is foundational. It operates:

  • The Faster Payments Service (FPS)
  • BACS (direct debits and credits)
  • Link (ATM switching)

This makes it one of the most critical components in the UK’s financial infrastructure — and a systemic point of risk if mismanaged.

The fine underscores two key regulatory expectations:

  1. Proactive disclosure: Critical service providers must inform authorities of all material changes, risks, and system modifications in a timely fashion.
  2. Robust internal governance: The Bank expects regulated FMIs to have deeply embedded compliance and oversight, not just operational uptime.

Vocalink’s Response and the Broader Mastercard Angle

Vocalink, owned by Mastercard since 2016, accepted the fine without contest and stated that it had already addressed the issues. However, for Mastercard, this adds to a growing list of compliance challenges in its global infrastructure footprint.

The broader implication? Owning the rails — whether in cards, open banking, or real-time payments — comes with increasing regulatory visibility and accountability. Payment giants can no longer operate in the background without facing the same governance standards as large banks.


Conclusion: A Warning Shot for FMI Providers Globally

This fine is not merely symbolic. It reflects a shift in how central banks treat infrastructure providers — no longer as vendors, but as systemic risk carriers.

The message is clear:

If you run the rails, you must operate like a regulator-grade institution — not just a tech provider.

As real-time payment volumes rise and open banking accelerates, FMIs must move from technical enablement to regulatory excellence. Vocalink’s penalty is a reminder that trust in the digital financial system starts with those who operate at its very core.
