FCA consultation on PSD2 implementation: draft authorisation and reporting forms 17/14

17th July 2017

FCA consultation on PSD2 implementation: draft authorisation and reporting forms

The FCA have published a consultation affecting existing and potential Payment Service Providers (PSPs). CP17/22 makes a number of proposals pertaining to authorisation and reporting as a consequence of PSD2.

The scope of the consultation covers:

  • banks and building societies
  • e-money issuers
  • non-bank card issuers
  • money remitters
  • merchant acquirers
  • businesses that provide services that aggregate customers’ bank account data or otherwise access these data to make use of it – termed account information services
  • businesses that provide services that can initiate payments online between a customer’s bank and the merchant’s bank – termed payment initiation services.

In summary, the FCA proposes to:

  • direct that PSPs follow the European Banking Authority’s (EBA) Guidelines to notify the FCA of major operational or security incidents, which is a new requirement under PSD2
  • update the capital returns for authorised PIs and EMIs to reflect new PSD2 requirements around how own funds can be met
  • make rules requiring records to be kept by banks and building societies on their account information services and payment initiation services business
  • specify the forms to be used by:

–       businesses seeking registration as a small PI or small EMIs

–       existing small PIs and small EMIs seeking re-registration in accordance with PSD2

–       existing authorised PIs and authorised EMIs seeking re-authorisation in accordance with PSD2

–       PIs and EMIs wishing to change the regulatory permissions they hold or to remove a requirement

–       make amendments to Chapter 3 (authorisation and registration), Chapter 9 (capital resources and requirements), and Chapter 13 (reporting and notifications) of the Approach Document to reflect the above.

Proposals affecting all PSPs

Incident reporting

In order to meet PSD2 obligations, the FCA propose to amend the Supervision manual (SUP) to direct that PSPs follow the EBA Guidelines to notify the FCA of major operational or security incidents. These notifications will be made via its Connect system. The FCA propose guidance in SUP that major incident notifications do not need to be submitted when the notification channel for these notifications is not operational. However, they should be submitted as soon as the channel is operational again. The FCA may direct certain PSPs that they must also notify the FCA of major operational or security incidents that occur outside of its general hours of operation for incident reporting.

Proposals affecting authorised PIs and EMIs

Capital returns – own funds

The FCA propose to amend the returns completed by authorised PIs and EMIs to reflect the categories of own funds under the CRR, which replace the old categories under PSD. The FSA056 return for authorised PIs would be modified, and a new consolidated return created for all EMIs (different questions will be relevant for authorised EMIs and small EMIs)

Proposals affecting banks and building societies

Record keeping by credit institutions on account information services and payment initiation services business

PSD2 brings account information service and payment initiation service activities within regulation for the first time. The FCA propose to create a record-keeping rule in its Senior Management Arrangements, Systems and Controls sourcebook (SYSC) which would apply to credit institutions that carry out account information services or payment initiation services business. The FCA propose that credit institutions be required to keep records on the following:

  • the number of different payment accounts that the credit institution has accessed for the purposes of providing account information services
  • the number of customers who have used the credit institution’s account information services
  • the number of payment accounts that the credit institution has accessed for the purposes of providing payment initiation services
  • the number of payment transactions the credit institution has initiated when providing payment initiation services.

Authorisation & registration forms

Re-authorisation form for authorised PIs and authorised EMIs

Existing authorised PIs and authorised EMIs must meet the conditions for authorisation (including the new conditions set out in PSD2) if they wish to continue to provide payment services or issue e-money after the transitional period has ended.

Businesses that have not applied for and been granted re-authorisation in accordance with the transitional provisions in the PSRs 2017 before 13 July 2018 will have to stop providing payment services, as will their agents, and authorised EMIs will have stop issuing e-money; the FCA will update the Financial Services Register to reflect that these businesses will no longer be authorised. The FCA would encourage businesses to apply for re-authorisation as early as possible.

Authorised PIs and authorised EMIs will only need to provide information to the FCA which was not provided previously (whether as part of their original application for authorisation or through other means). The required information includes the applicant’s programme of operations and its procedure to monitor, handle and follow up on a security incident and security related customer complaints. Applicants will also be asked to confirm that there have been no material changes to information previously provided to the FCA.

The FCA have provided draft re-authorisation forms in Appendix 2 of the consultation.

Registration and re-registration forms for small PIs and small EMIs

In addition to the information currently requested, the FCA propose that applications for registration as a small PI or EMI include:

  • a description of the applicant’s procedure for monitoring, handling and following up security incidents
  • a description of the applicant’s process for filing, monitoring, tracking and restricting access to sensitive payments data
  • a description of the principles and definitions used by the applicant in collecting statistical data on fraud
  • a description of the applicant’s security policy.

Appendix 2 of the consultation contains the draft version of the registration form which includes the above information.

The FCA propose the same information about individuals responsible for the management of the business from prospective small EMIs and small PIs as they do from prospective authorised PIs and authorised EMIs. Similarly, the FCA propose to apply the aspects of the EBA Guidelines on authorisation relating to qualifying holdings in full to small PIs.

Complaint handling is a core requirement under PSD2 for relevant firms, therefore the FCA propose to ask them to describe how they will comply with complaint handling requirements more widely (i.e. payment services complaints beyond those relating to security).

For small PIs the FCA additionally propose requesting information about how they will monitor the monthly average value of payment transactions, to allow the FCA to understand whether these businesses will stay within the registration threshold. Small EMIs already provide the FCA with information on their governance arrangements that includes this.

Re-registration form

Existing small PIs and small EMIs will need to re-register with the FCA if they wish to continue providing payment services or issuing e-money after the transitional period has ended. Small EMIs must make their applications by no later than 13 April 2018 if they intend to continue providing payment services or issuing e-money on or after 13 July 2018. Small PIs must make their applications by no later than 13 October 2018 if they intend to continue providing payment services on or after 13 January 2019. The information that the FCA propose to require for re-registration is the same as the additional information that the FCA will require under its draft registration form for small PIs and small EMIs.

PSD2 variation of permission form and EMD variation of permission form

To reflect changes under PSD2 the FCA propose to amend the existing variation of permission form to create a PSD2 variation of permission form. The FCA will update this form to take account of the payment services that will be newly regulated under PSD2 – account information service and payment initiation service.

The FCA are also creating an EMD variation of permission form. Previously there was no need for a bespoke form for EMIs, as applications for varying permissions were not common. However, under regulation 7 of the amended EMRs a requirement will automatically be placed on existing EMIs preventing them from providing account information services or payment initiation services. New EMIs that do not intend to provide these services will also have a restriction placed on their permission.

For these restrictions to be lifted EMIs will need to apply for a variation of permission and demonstrate that they hold mandatory professional indemnity insurance (PII). The proposed PSD2 variation of permission form (for PIs) and the proposed EMD variation of permission form (for EMIs) are set out at Appendix 2.

Next steps

The FCA are accepting consultation responses until the 18th August 2017. PSD2 must be implemented in the U.K by 13th January 2018 therefore firms should bear in mind the current proposals which may affect the format and information necessary for re-authorisation under PSD2. CPA are happy to support payment services firms in getting authorised under PSD2. Please contact a member of our Compliance Team to discuss your needs.

 

Download this article