Implementation of PSD2 17/8
13th June 2017
Implementation of the revised Payment Services Directive (PSD2)
The Second Payment Services Directive (PSD2) is a fundamental piece of payments-related legislation in Europe. PSD2’s main aims are to bring about a more integrated and efficient European payments market, promote competition and improve consumer protection. The consultation period for the Directive ended on the 8th June 2017 and the FCA expect release a policy statement in Quarter 3 2017.
This report provides a high level overview of PSD2, a summary of the key changes and an initial assessment of the potential implications.
Business that will be affected by The Second Payment Services Directive (PSD2) include:
- Banks, building societies and credit unions
- E-money issuers
- Non-bank card issuers
- Money remitters
- Merchant acquirers
- Businesses that provide services that aggregate customers’ bank account data, or otherwise access these data in order to make use of it (AIS)
- Businesses that provide services that can initiate payments online between a customer’s bank and the merchants bank (PIS)
- Businesses providing services such as issuing limited network gift cards or travel cards
- Businesses that provide payment transactions ancillary to their electronic communication networks or services, such as mobile and fixed line network operators
Changes to the Perimeter and FCA Guidance in PERG -Widening regulation and narrowing exclusions
As mentioned PSD II brings more services under the regulatory umbrella by including Account Information Service and Payment Initiation Service providers within the realm of regulation of scrutiny and regulation and narrowing the conditions to which to determine the types of businesses that are excluded from regulation. Protection to customers is expected to become further strengthened.
Chapter 15 of PERG defines the scope of activity which helps determine whether authorisation is required by FCA and Payment Systems Regulator whilst chapter 3A provides the equivalent for businesses that may be issuing E-Money. Respectively changes to chapter 15 and 3A of PERG proposed by FCA will be explained in accordance with the Treasury’s draft legislation.
The following changes have been proposed in the now closed CP 17/11 which are:
- The regular occupation or business activity test
- Exclusions and notifications for excluded businesses
- Changes to the perimeter- newly regulated activities under PSD II
Regular occupation or business activity test
If a business provides payment services in the UK as a regular occupation or business activity it will be subject to the PSR 2017, unless an exclusion applies.
PSD2 makes changes to some of the excluded activities, and these are listed in Schedule 1 Part 2 PSD Exclusions. In short the following activities do not constitute payment services:
- Payment transactions executed wholly in cash and directly between the payer and the payee, without any intermediary intervention;
- Payment transactions between the payer and the payee through a commercial agent authorised in an agreement to negotiate or conclude the sale or purchase of goods or services on behalf of either the payer or the payee but not both the payer and the payee;
- the professional physical transport of banknotes and coins, including their collection, processing and delivery;
- payment transactions consisting of non-professional cash collection and delivery as part of a not-for-profit or charitable activity;
- payment transactions based on any of the following documents drawn on the payment service provider with a view to placing funds at the disposal of the payee—
– Paper cheques of any kind, including traveller’s cheques
– Bankers’ drafts
– Paper-based vouchers
– Paper postal orders
Commercial agent Exclusion
Under PSD, payment transactions made via commercial agents could be exempt under certain conditions. The exclusion applied where payment transactions between a payer and payee were made through a commercial agent with permission to negotiate or conclude the sale or purchase of goods or services on behalf of the payer or payee. PSD2 has amended this exclusion.
The exclusion will not apply where a commercial agent acts on behalf of both the payer and payee. A permission to act on behalf of either party must now be given via an agreement to negotiate or conclude the sale or purchase of goods and services on behalf of the payer or the payee but not both the payer and the payee. For the exclusion to apply the commercial agent must only act for the payer or the payee.
Application to online fundraising and other e-commerce platforms and other businesses
There is further clarification in the revised PERG 15 for fundraising platforms who should now have more clarity over when they may be caught.
The existing digital download exemption is being replaced by the electronic communication network exclusion which refers expressly to the purchase of digital content and voice based services which are charged to a related bill.
Questions have been added to the consultation and the FCA currently await clarification whether certain e-commerce platforms intended to be within the regulatory perimeter are actually afforded the exclusion. [Q33A in PERG 15].
Entities cash collecting on behalf of charities, only to electronically transfer the monies to charities will fall within the scope of the Payment Services Regulation 2017. Further guidance in this activity is to be published by the FCA.
Authorisation and Registration
As part of PSD2 EMIs will have to go through a re-authorisation process. This will involve authorised firms providing additional information which was not gathered by the FCA during the firm’s initial authorisation process.
PSD2 contains transitional provisions to allow existing authorised payment and e-money firms (including small e-money institutions) to continue their payment services without authorisation under PSD2 until 12 July 2018. In order to continue providing payment services or issuing e-money after this date, PSD 2 requires existing EMIs to provide additional information as part of the reauthorisation.
It has been proposed that authorised EMIs and small EMIs will need to provide this information to the FCA before 13th April 2018 in order to continue operating on or after 13 July 2018. The European Banking Authority are working alongside the FCA to finalise the information requirements. Currently, the draft papers set out that firms will need to provide information including:
- Procedures for incident reporting.
- Processes in place to file, track and restrict access to sensitive payment data.
- Principles and definitions they apply for collecting statistical data on performance, transactions and fraud
- Arrangements for business continuity and the procedure for testing and reviewing these plans.
- A security policy document. This will include a detailed risk assessment and mitigation measures to adequately protect payment service users against identified risks, including fraud and illegal use of sensitive and personal data.
- Description of checks on agents and branches.
PSD2 (and consequently the PSRs 2017) introduce new requirements for changes in qualifying holdings in an authorised PI and the FCA has proposed the same approach for PIs as it currently has for EMIs in relation to changes in control. The FCA will amend the current change in control forms used by EMIs and FSMA firms and these will be applicable to Payment Institutions likewise. For persons acquiring, increasing or reducing control over a payment institution, if they pass the test for significant influence, i.e. 10%, 20%, 30%, or 50% control, the person will need to notify the FCA.
For payment institutions (PI) or e-money institutions (EMI), PSD2 makes changes that mean they need to provide additional information and meet new conditions to be authorised. This will affect existing PIs or EMIs as well as new ones. Existing PIs and EMIs will need to provide this additional information to the FCA by 13 April 2018 to continue providing services on or after 13 July 2018 (small PIs have until 13 October 2018).
There is also a territoriality requirement which means part of the business must be carried on from the UK. Firms that wish to provide AIS or PIS must also have professional indemnity insurance or equivalent (such as be subject to a guarantee scheme for compensation) that covers these activities.
AIS providers can apply to be a registered account information service provider (RAISP) which will incur less onerous requirements for authorisation or registration.
Further concessions are available to small payment institutions (small PIs) and small e-money institutions (small EMIs). The FCA has not yet concluded whether the current EBA guidelines are appropriate for small PIs and small EMIs. A further consultation will be issued on this in mid-2017.
PSD2 introduces a number of changes in relation to passporting including:
- The information to be provided by the applicant to the home state competent authority in the application to exercise passporting rights
- The passporting notification process between regulators that may impact the timeframes in which authorised PIs, authorised EMIs and RAISPs can begin their passporting activities
- The powers of host state competent authorities and reporting requirements on those exercising their right to establishment.
To support their revised supervisory approach, the FCA have reviewed the data collected from EMIs through returns FSA059-FSA062. The data collected from EMIs has been deemed as no longer sufficient for supervisory purposes and so the regulator proposes the implementation of a new report. The FCA propose to replace existing (FSA059-FSA062) with one new consolidated return. The new return will cover additional data on; the group structure, the EMI’s income, the scale of the e-money issuance activity, the value and volume of payment transactions executed, access to payment systems, safeguarding arrangements and AIS/PIS. The proposed new return represents a decrease of 20 questions.
The FCA propose to extend the reporting rule to EMIs, which will mean EMIs will have to submit data on complaints. The FCA are also considering publishing aggregated and anonymised data on complaint filings. The complaints record rule in DISP that will be extended to EMIs states that businesses must keep a record of each complaint received and the measures taken in order to resolve it.
Conduct of Business rules [COBS]
PSD2 brings about a number of changes to conduct of business rules:
Interaction with other relevant legislation such as the Distance Marketing Directive, the Cross-border payments and Single Euro Payments Area (SEPA) legislation, Regulation 260/2012 (SEPA Regulation) and the E-Commerce Directive (2000/31/EC) are of significant importance for the purpose of setting forth the obligations of payment service providers.
Consumer Credit Act – as a result of changes made under the PSRs 2017 relating to how the PSRs 2017 and consumer credit regime interact. The FCA have also provided guidance on the interaction between the two regimes as a result of feedback from the Call for Input. The FCA have provided some examples of where information would not need to be provided under the PSRs 2017 as a result of it already being provided under the Consumer Credit Act.
Consumer Rights Act 2015 requires terms used by businesses in their contracts and notices to be fair. Further information about the CRA and UTCCRs can be found in The Unfair Terms and Consumer Notices Regulatory Guide (UNFCOG), the FCA and Competition Markets Authority website.
Monthly reporting requirement –Regulation 103 and 104 of the PSRs 2017
Most PSPs currently meet the requirements on the provision of information on individual transactions by issuing monthly statements. Changes in PSD2 (reflected in regulations 53 and 54 of the draft PSRs 2017) mean that payers would now need to ‘opt in’ to receiving monthly statements. Where a payer did not opt in, the default requirement would be for a PSP to provide information as soon as reasonably practicable after each transaction.
For PIs and EMIs, the FCA highlights the consequential changes in its revised Approach Document as a result of PSD2. In particular, the FCA signposts legislation which may impact PIs and EMIs business, the Consumer Credit Act, the Consumer Protection from Unfair Trading Regulations and the FCA’s Banking Conduct of Business Sourcebook (BCOBs).
One of the key discrepancies between the FCA’s implementation of PSD1 and PSD2 is in the complaints regime. Under PSD1, the FCA decided to apply the existing complaints requirements to payment services providers (PSPs) in an un-amended way. Under PSD2 the time limits for responding to complaints are longer than under the FCA’s DISP rules. The FCA is introducing new rules for what they term ‘PSD complaints’ which will bring the UK regime into line with PSD2. However, the FCA has chosen to exercise permitted discretion and apply its three day complaints handling rule to PSD and EMD businesses as the FCA’s shorter time limit is more favourable to the payment services user (by incentivising quicker resolution of complaints).
Liability for transactions and unauthorised transactions
The issue of liability is key under PSD2. The FCA is proposing guidance in BCOBS relating to some of the issues surrounding liability as a result of changes in how payment transactions are effected.
A new rule is proposed in BCOBs which would require firms to consider explicitly the risk of fraud involved in allowing customers to make electronic payments. Firms will be required to have procedures and safeguards in place to ensure safe and secure payments and this should include authentication procedures to verify the identity of the banking customer or the validity of the use of a particular payment instrument, proportionate to the risks involved. The FCA backs the Strong Customer Authentication and Common and Secure Communication Regulatory Technical Standard (which is yet to be adopted by the Commission).
Currently, a banking customer may be liable for a maximum of £50 in respect of an unauthorised transaction. The PSRs 2017 are reducing this limit to £35 for in the event of an unauthorised transaction arising from the use of a lost or stolen payment instrument, or from the misappropriation of a payment instrument.; Regulation 77. The Regulations also specify examples of the situations where the customer is not liable for any amount (such as where the loss or theft of the payment instrument was not detectable by the payer prior to the payment).
The FCA will align BCOBs with this £35 limit as well as applying exemptions to customer liability as set out in the PSRs 2017. Similarly, where a customer has given the wrong account information and a payment has been made, the firm must make reasonable efforts to recover the sum involved. Under the PSRs 2017, the requirements for dealing with these situations have been extended and the position will now be:
- The payee’s PSP must co-operate with the payer’s PSP in its efforts to recover funds, in particular by providing to the payer’s PSP all relevant information for the collection of funds
- If the payer’s PSP is unable to recover the funds it must, on written request, provide the payer with all relevant information for the payer to claim repayment of the funds.
- The FCA is proposing rules in BCOBs to implement these changes.
Incorrect Payment routing
BCOBS 5.1.15R (2) currently states that where a payment is made to the wrong recipient because the customer provided the incorrect payment routing information (for example sort code and account number) the firm must make reasonable efforts to recover the sums involved. This was based on a requirement in the PSRs 2009.Under the PSRs 2017, the requirements for dealing with such situations have been extended: the payee’s PSP must co-operate with the payer’s PSP in its efforts to recover funds, in particular by providing to the payer’s PSP all relevant information for the collection of fundsif the payer’s PSP is unable to recover the funds it must, on written request, provide the payer with all relevant information for the payer to claim repayment of the funds.
The FCA believe these changes, introduced through the PSRs 2017, provide consumers with appropriate protections by ensuring that customers can get information to help them to recover sums lost through misdirected payments which could not be recovered by the reasonable efforts of their provider. The FCA therefore propose to extend these provisions to circumstances where the PSRs 2017 do not apply, by adding rules and accompanying guidance in BCOBS.
Confirmation of availability of funds – Regulation 68 PSRs 2017
PSD2 introduces the concept of card-based payment instrument issuers (“CBPIIs”). These are PIs that issue payment instruments that are linked to an account held with a different account servicing payment service provider (ASPSP). These businesses can get confirmation of the availability of funds on the account held with the ASPSP, enabling CBPIIs to manage their credit risk. PSD2 creates the potential for CBPIIs to compete with ASPSPs when issuing payment instruments.
Time limits for complaints handling
The FCA propose new rules which will apply the new PSD2 complaint handling time limits to complaints concerning rights and obligations under Parts six and seven of the PSRs 2017.These are defined in the Handbook glossary as “PSD complaints”. The FCA also propose applying these time limits to complaints concerning rights and obligations under part five of the EMRs. The FCA define these in the glossary as “EMD complaints”.
The FCAare applying these time limits to EMD complaints as well as PSD complaints because the FCA consider the issuance of e-money to be closely linked to payment services, and it is believed consumers would benefit from a consistent approach to complaints handling across both of these types of services.
In practice the FCA also believe most e-money businesses will find it more practical to maintain a single process for complaint handling. If they want to, PSPs can apply the PSD2 time limits to all of their complaints. The DISP requirements will apply to complaints from eligible complainants;18 however PSPs should note that the PSRs 2017 contain requirements for handling complaints from payment service users that are not eligible complainants (such as larger businesses). PSPs should also be aware that the FCA intend to separately consult on expanding the definition of eligible complainant, so that more businesses, charities and trusts will be able to refer complaints to the Financial Ombudsman Service.
PSP’s access to payment account services
PSD2 is improving PSPs access to payment account services. The PSRs 2017 have implemented this through Regulation 105, which means providing access and notifying the FCA whenever access is refused or withdrawn.
To help firms understand Regulation 105, the FCA has provided guidance in its revised Approach Document which includes a non-exhaustive list of factors it may consider in its assessment of whether a credit institution has granted access on a proportionate, objective and non-discriminatory basis as well as examples of the types of arrangements that may be put in place. Reporting of withdrawal or refusal of access to the FCA is via a pro forma form.
Any notification to the FCA must be in good time in order for it to determine whether decisions have been made appropriately. The FCA believes that notifications to it of withdrawal or refusal should be made at the same time as the credit institution notifies the PSP or, if no notification is made to the PSP, immediately following the decision.
In order to identify issues within certain sectors, product types, and individual businesses, the FCA has proposed an extension of reporting requirements to both payment and e-money institutions. They will be required to monitor compliance with the new complaints time limit requirements of PSD2, and to monitor complaints across the payment service and electronic money market for supervision purposes.
PSPs (including banks and building societies) will be required to complete a “Payment Services Complaints Return” form to fulfil their complaints reporting obligations. To accommodate for this requirement, the FCA proposes to extend the complaints record rule in DISP which states that businesses must keep a record of each complaint received and the measures taken in order to resolve it.
Complaints noted on a Payment Services Complaints Return must be categorised by type of payment service provided and number. PSD and EMD complaints in excess of DISP time limits will need to be quantified for compliance monitoring purposes. Such complaints only need to be reported separately where they are not resolved within 15 business days.
The above data should be submitted annually within 30 days of a PSP#s accounting reference date (ARD), or where there is no ARD, 31st December.
Interim fraud reporting proposals
PSD2 requires PSPs annually to submit statistical data on fraud to the FCA. In anticipation of standardised reporting measures to be introduced by the ECB and EBA, the FCA has proposed an interim fraud return solution and outlined the statistical data that will need to be captured and submitted in such forms.
The ‘statistical data on fraud relating to payments’ return
Data required to be submitted will include:
- Data on the number and value of fraudulent transactions for each payment type
- Data on the total number and value of transactions (including non-fraudulent transactions) for each payment type
- Data on the number of transactions for each payment type that re initiated by payment initiation services providers (PISPs)
- For each listed payment type, the top three ways in which the fraud was executed from a list of fraud types provided in the form. These must be ranked by PSPs according to which type of fraud caused the highest value of fraudulent transaction for the payment type.
- The value of fraudulent transactions relating to each chosen fraud type must also be provided.
Account information services (AIS) will be required to populate table 2 of the form with:
- Information on the number of incidents of fraud relating to AIS
- The total value of fraud (or an estimation of the loss to persons affected) across all incidents.
- Descriptions of the top three most common fraud types affecting AIS.
Finally, the FCA propose to collect data on types of fraud which relate to authorised push payments. This is intended to capture data on the type of fraud highlighted by Which? in its Super Complaint which was made to the Payment Systems Regulator in September 2016.
An initial reporting period of 13 January – 30 November 2018 has been proposed by the FCA. PSPs will need to complete the form, providing data covering this period by 31 December 2018. Subsequent reporting periods for these data will run from 1 December to 30 November each year to be submitted by 31 December.
Changes to reporting to monitor compliance of PIs, RAISPs and EMIs
Following a review, data collected from PIs and EMIs through regulatory returns FSA056 – FSA065 have been deemed insufficient. The FCA have therefore proposed collecting additional information through regulatory reporting to enable an assessment of the risks that different businesses pose to the FCA’s objectives. Proposed reporting requirements will also be applicable authorised payment institutions (PIs) and registered account information service providers (RAISPs).
Proposed changes to returns for authorised payment institutions and small payment institutions complete include:
- A modified authorised PI return, FSA056, to be applicable to RAISPs with additional questions covering the authorised PI’s income, safeguarding arrangements, the value and volume of payment services activity, access to payment systems, and AIS or PIS (11 of the new questions relate to AIS or PIS).
- A modified small PI return, FSA057, will be modified with additional questions covering the group structure of the small PI, income, the value and volume of payment services activity (including the monthly average value for payment transactions executed over the reporting period), and access to payment systems. Additional safeguarding questions will also be added, applicable to small PIs that have volunteered to adopt such arrangements.
The FCA have also proposed the replacement of existing returns for authorised EMIs (FSA059-FSA062) and small EMIs (FSA064) with one new consolidated return which all EMIs will complete (different questions will be relevant for authorised EMIs and small EMIs):
- For authorised EMIs, the new return contains questions that will additionally cover the group structure, the authorised EMI’s income (split between e-money issuance and unrelated payment services), the scale of the e-money issuance activity (including number of accounts), the value and volume of payment transactions executed, access to payment systems, safeguarding arrangements, and AIS/PIS.
- For small EMIs the revised return includes questions covering the group structure, income, the scale of the e-money issuance activity, the value and volume of payment transactions executed, safeguarding arrangements, continued compliance with the conditions for registration as a small EMI, and access to payment systems
Close links and annual controller reports
The FCA proposes to require authorised PIs to submit the annual controllers report (REP002) and annual close links report (REP001) that EMIs and FSMA-authorised firms currently provide.
Payment service providers’ access to payment account services
Proposals on credit institutions’ requirement to report
The PSRs 2017 require credit institutions to provide to the FCA duly motivated reasons for refusal or withdrawal of access to payment account services. The FCA have proposed guidance on the form, content, and timing of such notifications.
Form and content of the notification
The proposed form asks credit institutions to set out duly motivated reasons for the refusal of access, as required by PSD2. Content of the form should include information on:
- details of the person that was subject to refusal or withdrawal
- what products they were seeking access to
- when the decision was made to refuse access
- what process was used to make the decision and whether the reasons for refusal were communicated to the PSP seeking access.
Timing of the notification
Notifications must be made at the same time a credit institution notifies a PSP of its decision to withdraw or refuse access, or, where the credit institution does not notify the PSP, immediately following the decision by the credit institution to refuse access. Proposed updates to SUP 15.14 of the FCA handbook outline the circumstances under which different timings of notification of refusal or withdrawal will be expected.
Account information services, payment initiation services and confirmation of availability of funds
Clarifying PSD2 guidance on ‘accessible online’
Account servicing payment service providers (ASPSPs) are required to permit their customers to use Account information services (AIS) and Payment initiation services (PIS) only in relation to their payment accounts that are accessible online. The FCA has proposed guidance clarifying the term “accessible online” as including ‘those which consumers can access through the internet or mobile applications’.
Treatment of payment orders and data requests
Under the PSRs 2017, ASPSPs must treat data requests and payment orders from AISPs and payment initiation service providers (PISPs) as no differently from those that come directly from the payer, except where the ASPSP has objective reasons for treating the payment order or request differently. To assist ASPSPs in understanding this requirement, guidance has been proposed in Chapter 17 of the revised Approach Document which gives examples of practices that would be inconsistent with this requirement for equality of service. This guidance also covers what ASPSPs should consider to be ‘objective reasons’.
Contracts between ASPSPs and AISPs or PISPs
Under the PSRs 2017, ASPSPs must not require AISPs and PISPs to enter into a contract in order to gain access to consumers’ payment accounts. As outlined in the revised Approach Document, an AISP or PISP should not be required to agree any specific arrangements with the ASPSP, such as for liability. However, this would not prevent parties from putting contractual arrangements in place if they both wish to do so (provided this is not a pre-condition of access set by the ASPSP)
Arrangements before parts of the PSRs 2017 dependent on the SCA RTS apply
Some of the PSRs 2017 requirements do not apply until 18 months after the Strong Customer Authentication (SCA) Regulatory technical Standards (RTS) comes into force. This creates some potential uncertainty for businesses. In Chapter 17 of the revised Approach Document expectations of how ASPSPs, PISPs and AISPs may meet the requirements of the PSRs 2017 during this period are stipulated.
Proposed notification by ASPSPs of incidents leading to denial of access
Changes have been proposed to the Supervision Manual of the FCA Handbook (SUP) to direct the form, content and timing of the notification. The draft notification form can be found in the Appendix of the consultation.
Beyond the information required by PSD2, the FCA are asking for a minimal amount of additional information from ASPSPs on the steps that the AISP or PISP would need to take in order for access to be restored. ASPSPs should have this information ready to hand where they have denied access.
Guidance has also been proposed in the Supervision Manual of the Handbook (SUP 15) to clarify that ASPSPs should complete and submit the notification required under regulation 71(8)(c) of the PSRs 2017 as quickly as possible.
Additional notifications will not be required where access to the same payment account is requested repeatedly by the same AISP or PISP. Similarly, where an ASPSP blocks access to more than one of its customers’ payment accounts for the same reasons relating to the same AISP or PISP, that only a single incident notification is required. A follow-up notification must be given if and when access is restored to that AISP or PISP
Requirements on credit institutions and e-money institutions (EMIs) prior to conducting AIS or PIS
Credit institutions will not need to apply to the FCA for permission to provide AIS or PIS. However, in order to understand whether the competition aims of PSD2 are being met and to understand the emerging market for AIS or PIS, amendments to SUP 15.8 will require credit institutions to notify the FCA if they are currently providing these services (before 13 Jan 2018) or before they commence providing these services (after 13 Jan 2018). The generic notification form at SUP 15 Ann 4, as per SUP 15.7.1, may be used to notify the FCA.
EMIs will have a restriction imposed on their regulatory permissions, and will need to apply to vary their permission before they are able to conduct AIS or PIS. This approach is required by the PSRs 2017, and it is necessary for us to make sure that they hold mandatory professional indemnity insurance (PII) cover before commencing the provision of these services. Payment institutions or unauthorised businesses that wish to provide AIS or PIS must apply to the FCA for permission to undertake these services.
The FCA’s proposed changes to supervision of PSPs and e-money issuers
The FCA will no longer make references to complaints-led supervision but will be aligned to the general supervisory approach for businesses they regulate.
Specific supervisory measures used will depend on the risk posed by an individual business, a category of business or by the sector as a whole. The FCA’s supervision will be informed by periodic reporting, events driven notifications, and complaints.
This reflects the new reporting and notification requirements introduced by PSD2 as well as arrangements the FCA will have in place for dealing with complaints about alleged breaches of the PSRs 2017 in line with new EBA Guidelines.
It will enable the FCA to meet their obligation under the draft PSRs 2017 to maintain arrangements that will allow it to determine compliance of businesses on all aspects of the requirements in the PSRs 2017.
Consequential Changes and other revisions to the Approach Document
The FCA propose a number of consequential changes to the Handbook, including to the Consumer Credit sourcebook (CONC).
Consequential changes will include:
- The addition of registered account information service providers (RAISPs) to the definition of “payment services provider” will also be made.
- Minor changes to the Dispute Resolution Complaints Sourcebook (DISP) to clarify how this sourcebook applies to FSMA-authorised firms that are also PSPs.
- Consequential changes will be made to the Decision Procedure and Penalties manual (DEPP) and Enforcement Guide (EG) to reflect changes to the FCA’s enforcement powers under the PSRs 2017.
The payment Systems Regulator’s approach
The majority of changes the PSR has made to the Approach Document merely reflect changes under the PSRs 2017.
Proposed chapter by chapter revisions to the Approach document include.
The PSR propose changes to update the introduction in line with the PSRs 2017 and other legislative changes.
The PSR set out proposed changes to reflect the increased scope of PSD2, including the extension of scope of the conduct provisions to cover transactions where only one payment provider is located in the EEA (one leg transactions) and transactions in all currencies (rather than only EEA currencies).
Authorisation and registration
The PSR propose changes to reflect the new category of payment service provider – RAISP
Update the guidance on information requirements to accompany an application for authorisation in accordance with draft EBA Guidelines.
Further changes will be made once the EBA finalises the Guidelines and will include guidance on the information requirements for registration as a small payment institution (small PI) or small e-money institution (small EMI).
Changes in circumstances of authorisation or registration
The PSR propose changes to reflect the change in qualifying holding requirements under PSD2 for those changing their level of control in authorised payment institutions.
Appointment of agents
The PSR set out proposed changes to reflect the changes arising from PSD2, in particular around the information that is required in the event that a payment institution (PI) or e-money institution (EMI) proposes to register an agent.
The PSR propose revisions to reflect changes introduced by PSD2, including changes to the activities that can be passported, additional information requirements, and new requirements around the information exchange between home and host competent authorities.
Further changes may need to be made once the EU Commission ratifies and publishes the Regulatory Technical Standard determining what information must accompany a passporting notification.
Use of the FSA and FCA logos
The PSR propose to make changes to remove references to the FSA as the FSA/FCA transition stage has ended.
Conduct of business requirements
The PSR propose revisions to reflect changes brought in by PSD2, and to respond to feedback received through its Call for Input, as well as adding additional clarification and examples to help PSPs understand their obligations.
Capital resources and requirements
The PSR propose to reflect changes introduced by PSD2, including requirements for account information service providers (AISPs) and payment initiation service providers (PISPs).
To reflect changes in PSD2 and the PSRs 2017 the PSR have removed guidance on what constitutes qualifying items for own funds purposes; this is in line with the FCA’s general approach to the Capital Requirements Regulation (CRR).
The PSR propose updates to reflect changes made by the PSRs 2017 and additional guidance on how safeguarding should be managed by PSPs.
The PSR are making changes to reflect PSD2, including new timescales for handling payment services complaints.
The PSR set out changes to reflect its proposed new supervisory approach for PSPs and e-money issuers.
Reporting and notifications
The PSR propose changes to reflect its proposals on complaints and fraud reporting, changes to annual reporting for EMIs and PIs, and its proposal that authorised PIs submit annual close links and controllers reports.
In addition to reporting, the PSR also summarise notification requirements to include:
- The notification for certain businesses operating under exclusions from regulation.
- The notification required when access to payment account services is refused or withdrawn
- The notification required when an AISP or PISP is denied access to a payment account
- The notification required by credit institutions when they plan to commence undertaking account information service (AIS) or payment initiation service (PIS)
the PSR have not yet updated this chapter to reflect PSD2 requirements to provide annual assessments of operational and security risks; regular reporting from inward passporting businesses; incident reporting; and the reporting requirements stemming from the Regulatory Technical Standard on Secure Communication but it will make changes to reflect these when the EBA finalises its approach.
The PSR propose updates in line with its proposed approach to enforcing the new requirements under PSD2.
Access to payment account services
The PSR propose to create a new chapter to reflect the new PSD2 requirements for credit institutions on access to payment account services. This chapter contains guidance which the FCA and Payment Systems Regulator are both responsible for.
Payment initiation and information services and confirmation of availability of funds
The PSR propose to create a new chapter to set out its approach to AIS, PIS and card-based payment instrument issuers (CBPIIs), which will come within the scope of the regulation.
Operational and security risks
The PSR propose to create a new chapter to set out its approach to AIS, PIS and card-based payment instrument issuers (CBPIIs), which will come within the scope of the regulation.
The PSR propose to create a new chapter based on the existing chapter in the E-Money Approach Document, which will apply to PIs, RAISPs and EMIs.
The PSR have made some minor updates in the Approach Document to Annex 1-5.
PSD2 comes into force on13 January 2018. The consultation closed on the 8th June 2017. Following this, the FCA aims to publish its policy statement setting out its finalised guidance and approach document in Q3 2017. This will follow the Treasury’s finalisation of the PSRs 2017. Alongside this the Payment Systems Regulator will finalise its approach, powers and procedures guidance which it hopes to publish in Q3 2017 (alongside the FCA’s policy statement). Notwithstanding all of this, the FCA will publish a further consultation once the EBA finalises certain guidelines and the Commission publishes its regulatory technical standards in the official journal.
© CPA Audit LLP 2019.