On 9 July 2025, the Bank of England (BoE) took the unprecedented step of fining Vocalink Limited £11.9 million for failing to comply with a supervisory direction issued under section 191 of the Banking Act 2009. This marks the first time the BoE has fined a financial market infrastructure (FMI) firm. This is a stark reminder that regulators are no longer hesitant to wield their enforcement powers against critical service providers in the payments ecosystem.
The BoE is making clear that payment system providers and other FMIs will be held to the highest standards of governance, risk management, and transparency. Compliance teams should take this case as a warning: regulators are not waiting for another systemic crisis to act.
What happened with Vocalink
Vocalink, a UK-based company that designs and operates payments systems infrastructure, was brought under the BoE’s remit in 2018 after being designated a specified service provider to recognised payment systems.
The review (2020): An independent review identified serious weaknesses in Vocalink’s systems and controls.
The direction (2021): The BoE formally required Vocalink to remediate these weaknesses by 31 January 2022.
The remediation programme: Vocalink implemented a remediation plan with board-level oversight and external consultants, but its progress quickly fell short.
February 2022 deadline: Vocalink confirmed to the BoE that it had complied, despite internal and external assurance reports showing unremediated issues.
Independent expert review (2022): The BoE appointed an independent expert who found the remediation programme had an unrealistic scope and timeline, failed to act on valid risk concerns, and left issues unresolved. Key assurance reports highlighting problems were not escalated to the board or disclosed to the regulator until months later.
The BoE concluded that Vocalink’s fragmented governance, poor escalation of critical information, and ineffective integration of its risk management framework meant the firm failed to comply with the direction by the February 2022 deadline.
The Vocalink fine
The penalty started at £20 million, reflecting the seriousness of the case and Vocalink’s systemic role in the UK’s payments infrastructure. However, Vocalink received a 15% reduction for cooperation, admissions, and remediation efforts, and then a 30% settlement discount for agreeing to resolve the matter early, bringing its final penalty to £11.9 million.
The ramifications of the Vocalink fine
Governance failures are costly
The BoE found that Vocalink’s governance structures failed to ensure accurate information reached the board. Decisions to narrow remediation scope were taken informally, outside proper processes, and critical assurance findings never reached decision-makers.
Risk must be integrated across the three lines of defence
The “three lines of defence” model collapsed under pressure. Vocalink’s risk function raised concerns, but these were not acted upon. Internal Audit and consultants produced assurance reports that either sidestepped the core compliance question or downplayed serious issues. The result: a fragmented view of risk and false assurance of compliance.
Escalation is non-negotiable
When negative findings were kept within the first line and not escalated, Vocalink deprived its board—and the regulator—of crucial information. This mismanagement directly contributed to the compliance breach.
Supervisory directions are binding, not box-ticking
The BoE was clear: remediation had to fix root causes and reduce risk “within risk appetite,” not just meet deadlines on paper. Firms that treat directions as administrative exercises risk enforcement.
A warning for FinTech compliance teams
This case should serve as a cautionary tale across the financial services and FinTech sectors:
- Scope remediation properly: Rushed or narrow fixes won’t satisfy regulators.
- Embed governance rigor: Escalation paths must work under pressure—boards cannot sign off blind.
- Assurance must be fit for purpose: Internal and external reviews must be scoped to the regulatory requirements, not just internal project milestones.
- Transparency with regulators is essential: Withholding adverse reports is a red flag that compounds breaches.