PSD2 implementation: final rules – 17/17
26th September 2017
PSD2 implementation: final rules published
The FCA have published final rules implementing the Second Payment Services Directive (PSD2) within PS17/19. Concomitantly, a revised Approach Document has been published, serving as a guide to existing and new firms seeking re-authorisation, authorisation or registration in accordance with the Payment Services Regulations 2017 (PSRs).
The policy statement and associated approach document pave the way for the implementation of PSD2, which aims for maximum harmonisation of payment services across EU regulatory regimes. PSD2 is expected to enhance the security of payments, foster innovation, and boost competition. The expected outcomes of its implementation include lower costs and increased consumer protection. Salient points arising from the policy statement and approach document are as follows:
- Applications for registration or authorisation under PSD2 open from 13 October 2017.
- A transition period will exempt businesses that started Account Information Services (AIS) and Payment Initiation Services (PIS) prior to 12 January 2016 from authorisation or registration until July 2019.
- Remaining regulatory technical standards, implementing technical standards and European Banking Authority (EBA) guidance are expected to be finalised in late 2017 and early 2018; the FCA will therefore seek to update the Approach Document and Handbook once these are in place. Of particular note are the forthcoming EBA guidelines on fraud reporting, which will have a direct impact on firms.
Authorisation and registration
PSD2 seeks to ensure that all regulated firms meet the same new standards, whether they are newly authorised or not. As such, the PSRs 2017 set out that all firms must submit the additional information required and meet the new conditions for authorisation. Businesses will need to provide additional information and meet new conditions as stipulated by the EBA authorisation guidelines when seeking authorisation or registration to become a PI or EMI. Existing PIs and EMIs will need to supply additional information by the deadlines set out in the PSRs 2017 and must meet the new conditions for authorisation or registration if they wish to continue providing services after the relevant transitional period has ended.
Under the PSRs 2017, authorised PIs and authorised EMIs must make their applications by no later than 13 April 2018 if they intend to continue providing payment services or issuing e-money on or after 13 July 2018.
The FCA have re-worded the re-authorisation forms to make clearer that firms do not need to resubmit information which they have previously provided. Some questions have also been removed from the re-authorisation forms as the FCA has deemed them irrelevant to existing authorised PIs and EMIs.
Existing PIs and EMIs will need to comply with the new requirements of PSD2 (introduced through the PSRs 2017 and the FCA’s Handbook) from 13 January 2018, prior to becoming re-authorised or re-registered. In addition, firms providing AIS and PIS will need to have a minimum cover of professional indemnity insurance (PII) in place in accordance with EBA regulations. A comparable guarantee also needs to be obtained.
Existing authorised PIs and authorised EMIs will need to be re-authorised in order to provide these new services. An application to provide AIS or PIS can be made alongside the re-authorisation application.
Information to be requested for re-authorisation or re-registration
The FCA will proceed with its proposed approach in CP17/22 on the information to be requested from firms for re-authorisation. In order to comply with PSD2, in addition to information already required under PSD, firms will need to provide descriptions of:
a) Procedure for monitoring, handling and following up security incidents:
Applicants should provide a description of the procedures in place to monitor, handle and follow up on security incidents and security-related customer complaints including the individuals and bodies responsible for assisting customers in the cases of fraud, technical issues and/or claim management.
The information required should include details of how the applicant will comply with its obligation to report major operational or security incidents under regulation 99 of the PSRs 2017.
b) Process for filing, monitoring, tracking and restricting access to sensitive payments data:
Sensitive payment data are defined as “information, including personalised security credentials, which could be used to carry out fraud.” In relation to AIS and PIS, they do not include the name of an account holder or an account number.
Applicants must provide a description of the process in place to file, monitor, track, and restrict access to sensitive payment data including, for example, a list of the data classified as sensitive payment data in the context of the firm’s business model and the procedures in place to authorise access to the sensitive payment data.
c) Principles and definitions used by the applicant in collecting statistical data on fraud:
Applicants are required to provide a description of the procedures they have in place for collecting statistical data on fraud (including the means of collection). This should demonstrate how the applicant will ensure it can meet its obligations to report to the FCA.
d) Security policy:
Applicants will need to provide a description of their security policy which must include a detailed risk assessment of the services to be provided, including risks of fraud and illegal use of sensitive and personal information and the mitigation measures to protect users from the risks identified.
Applicants should also demonstrate how they will comply with their obligation under regulation 98(1) of the PSRs 2017 (management of operational and security risk). Firms may wish to consider the use of security training, accreditation and/or certification to support their application (in particular government-backed schemes, e.g. Cyber Essentials, a security certification scheme that sets out a baseline of cyber security for organisations).
Variation of authorisation and registration
The FCA is proceeding with its proposed variation forms with very minor changes. Small changes have been made to ensure the FCA obtains the right information on applicants’ PII or comparable guarantee arrangements.
Changes in control
PSD2 introduced new requirements for changes in qualifying holdings at authorised PIs. To implement these changes, and to align the position of authorised and small PIs with EMIs, the Treasury is applying (with modification) Part 12 of FSMA. To reflect these changes, the FCA will take the same approach for authorised PIs as the FCA currently take for EMIs. This is set out in Chapter 11 of the Supervision manual in the FCA Handbook.
No changes have been made to the FCA’s proposed approach. However, given the changes in the final PSRs 2017 the FCA are also implementing this approach for small PIs. The purpose of the change in control regime is to allow them to check the suitability of persons who may be taking control of firms. These persons will need to seek and obtain approval before they take control.
The new change in control requirements do not apply until firms are re-authorised or re-registered. During the transitional period authorised PIs and small PIs which have not been re-authorised or re-registered may continue to submit a notification rather than seek approval of prospective controllers.
Complaints handling and reporting
The FCA have delayed the introduction of their complaints reporting proposals. PSPs and e-money issuers resolve the majority of complaints within three days and the FCA will continue to allow them to use the Summary Resolution process in DISP to do this.
In relation to multi-faceted complaints, where part is a PSD/EMD complaint and part is not, the FCA are maintaining proposed guidance which states that PSPs may handle the whole complaint within 15 business days (or 35 in exceptional circumstances) rather than handling parts under separate timeframes. Guidance on ‘exceptional circumstances’ has not been provided as this will need to be determined on a case-by-case basis.
The FCA have added guidance in DISP 1.6.1R (keeping the complainant informed) to state that where the respondent has chosen to deal with a complaint in parts that they should inform the complainant that this is the approach they will take.
The EBA Guidelines on procedures for complaints of alleged infringements of PSD2 have yet to be finalised. Subject to the final EBA Guidelines, the FCA expect to comply with them and will update the FCA’s website in due course to reflect the process for complaining to the FCA.
Financial Ombudsman Service referrals
Eligible complainants will have the right to refer their complaint to the Financial Ombudsman Service 35 business days after a PSP has received their complaint, or 15 business days if no holding response has been sent. Consumers would still be able to refer such complaints as soon as a final response has been received even if this final response is received within 15 business days.
The FCA has maintained that for multifaceted complaints, leaflets providing information on the Financial Ombudsman Service should be issued as each element is responded to as this information will benefit the customer. In deciding what is fair and reasonable in all the circumstances of a case, the Financial Ombudsman Service will consider the relevant laws and regulations, the regulator’s rules, guidance and standards, as well as codes of practice, and what is considered to be good industry practice at the relevant time.
The FCA will proceed with its proposed Payments Services Complaints return, to be due annually. The implementation date has been delayed, allowing for the first returns to be submitted for the period until 13th July 2018. Firms will not be required to separate PSD complaints from EMD complaints within the form.
Regulatory reporting, notifications and record keeping
The FCA sought clarification in relation to the fraud reporting requirement that requires PSPs to provide, on at least an annual basis, statistical data on fraud relating to different means of payment to their competent authorities. In CP17/11 what was meant by statistical data was not specified, nor how it should be reported. The ECB and EBA considered standardising such reporting across different member states as a result of the data reporting requirements under Article 96(6) of PSD2.
From the 13th January 2018 all PSPs will be required to collect fraud data specified in form REP017 and report the data to the FCA on an annual basis.
PI/EMI regular reporting
The FCA will now collect additional information through regulatory reporting in order to assess the risks a business poses to the FCA’s objectives.
Questions have also been added to the returns that authorised and small PIs complete. The authorised PI return will now also apply to registered account information service providers.
The current returns will now also be replaced with one new consolidated return that will be required to be filled in by all EMIs.
Under PSD2 the own funds requirement will now be stipulated in the Capital Requirements Regulation. A flowchart has been provided in order to help businesses understand the CRR.
Credit institution record keeping for account information service (AIS) and PIS business
Credit institutions carrying out AIS or PIS should keep records of the volumes of business in order to enable the FCA to have a better understanding of how competition is working in the AIS and PIS markets. Records will be required to be kept from 13 January 2018.
Controllers and close links
The FCA are aware of the burden of reporting requirements; however, they believe that formalising a reporting requirement will allow the FCA to have a better view of who the controllers of firms are and who their close links are. This will be done by requiring authorised PIs to submit the Annual Controllers Report and Annual Close Links Report that EMIs and FSMA-authorised firms currently provide.
Regulation 99 states that PSPs must notify the FCA of any major operational or security incidents. SUP 15.14.20 D requires PSPs to comply with the EBA Guidelines on major incident reporting. The criteria that must be assessed in determining whether or not an operational incident is major are specified in the guidelines.
Firms are advised to read the final guidelines in order to understand the types of incidents which will need to be reported. The time allocated in order to report an incident has been increased to 4 hours instead of the proposed 2 hours.
Conduct of business
There will be changes to conduct of business requirements for Payment Services Providers (PSPs). In Consultation Paper 17/11 the FCA asked whether these changes proposed in the revised Approach Document in relation to rights, obligations and other changes are acceptable. A wide range of responses were generated on all areas to which the FCA has responded.
The FCA clarified that while there is an illustration of one model of acquiring in Annex 4 to the Approach Document, other avenues of acquiring may be available as well. What must be borne in mind is that adoption of a particular business model should not deprive customers of the protections enjoyed by the PSRs 2017, especially in relation to safeguards in the event of acquirer insolvency, execution time and information requirements.
Consumer credit and the PSRs 2017
Regulation 64 of the PSRs 2017 sets out the interaction between the PSRs 2017 and the consumer credit regime.
Consent and data protection law
It must be noted that for contracts entered into prior to 13 January 2018, the FCA do not expect to take regulatory or disciplinary action.
Consent and explicit consent must be interpreted in the context they are used and in line with the purpose and scope of PSD2.
Consent would be considered lawful if given in writing, verified by a signature, by means of a payment card and PIN, over a secure password-protected website, by telephone or by use of a password. The customer must also be made aware of the procedure to withdraw consent. Regulation 67 states that the form and procedure for giving consent to the execution of a transaction must be set out in the information provided before entering into the contract.
After consent has been given, the customer has the right, at any time, to withdraw their consent for any future transactions. The FCA believe withdrawal of consent should be notified to either the payer’s PSP or to the payee. In addition, the closure of a payer’s account will also amount to withdrawal of consent for any future direct debits or recurring transactions on that account.
Explicit consent will be required for the execution of a payment transaction through a PISP. Information may not be passed on by PISPs to any person apart from the payee, and then only with the payer’s consent. CBPIIs, PISPs and AISPs must evidence the customer’s explicit consent before any confirmation of availability of funds.
In order to give explicit consent, customers must be able to understand the nature of the service being provided to them, and the consent must also be clear and specific. The necessary information must be provided to the customers in order for them to make an informed decision.
A durable medium for the purposes of making information available is defined in Regulation 55 as “any instrument which enables the payment service user to store information addressed personally to them in a way accessible for future reference for a period of time adequate for the purposes of the information and which allows the unchanged reproduction of the information stored.”
Incorrect charging codes
Regulation 66 states that PSPs may only charge their customers for carrying out their obligations where the PSRs specifically allow it. The charges must have been agreed to by the customer and must reasonably correspond to a provider’s actual costs.
There are two rules on charging in cases where the payer’s PSP and the payee’s PSP are located within the EEA irrespective of the currency of the transaction. The first rule states that the payee must pay any charges levied by their PSP. The second rule states that the payers must pay any charges levied by their PSP. This is known as a ‘SHARE arrangement.’
Refunds for unauthorised transactions
The PSRs 2017 clarify that refunds must be provided no later than the end of the next business day, except where the PSP reasonably suspects fraudulent behaviour by the customer which would need to be notified to a body designated under the Proceeds of Crime Act.
Business day, immediately available and credit rating
As soon as the funds are received in the payee’s PSP account, it must ensure the payee has immediate access to the funds and credit value date them no later than the business day on which the PSP’s account was credited. If the funds are received outside a business day, the requirements will apply from the start of the next business day. A business day is defined as a day on which the PSP is open for business as required for the execution of a payment transaction.
With regard to the term ‘banking services’, it is vital that non-bank PSPs use this term without misleading customers and do not use it in a way which implies that they are a bank.
Provisions such as Regulation 89(1) of PSRs 2017 in relation to value date and availability of funds which only apply to payments accounts, will not apply to non-payment accounts.
Liability of AISP and PISPs
Additionally, under regulation 95 and regulation 148, if a PSP has incurred a loss or been required to make a payment with respect to unauthorised transactions, non-execution, defective execution or late execution of a payment transaction, where the liability is attributable to another PSP or intermediary, the other PSP or intermediary must compensate the first PSP.
The first PSP will also have a right of action against the other PSP which will entitle the first PSP to bring an action against the other PSP for compensation through the courts on the basis of the other PSP’s failure to compensate the first PSP.
Finally, where a customer experiences detriment from an issue other than an unauthorised payment caused by its AISP, the customer must contact the AISP first prior to contacting the ASPSP. The AISP will be subject to complaints handling rules and FOS jurisdiction.
Relevant information for the purposes of Regulation 90 in relation to incorrect unique identifiers will include the payee’s name, an address at which documents can be effectively served on that person, and a clarification that this provision operates within data protection law.
Confirmation of availability of funds
The FCA have updated their guidance clarifying that when a customer is seeking confirmation of availability of funds, the information that needs to be provided to them includes the name of the requestor and the response given. ASPSPs must also be told how quickly they must respond to such a request, where an immediate yes or no answer must be provided. Regulation 68(4) states that immediate means sufficiently fast so as not to cause any material delay in the payment transaction.
Blocking access to PISPs and AISPs
The FCA have clarified that where an ASPSP stops a customer from using a payment instrument, and as a result a PISP or AISP is unable to access the account, this would not amount to a denial of access for AIS and PIS requiring notification to the FCA.
Correspondent banking arrangements
Due to differing banking arrangements across jurisdictions, no guidance regarding the extension of PSD2 and its effect on PSP’s correspondent banking arrangements has been included.
Except in relation to interest and exchange rate, the PSRs 2017 do not distinguish between favourable and unfavourable changes in respect of the amount of notice required. Where a change is favourable to a customer, this does not mean that a PSP will be prevented from waiving its right to apply a charge during the two-month notice period.
Payments where the transaction amount is not known in advance
In cases of card-based payment transactions where the amount of the transaction is not specified at the moment the payer authorises the payment, the PSP must not block funds on the customer’s payment account unless the customer has authorised the exact amount of funds to be blocked.
Monthly statements (Regulations 53 and 54 of PSRs 2017)
The option to require PSPs to provide monthly statements to customers on a durable medium, thereby avoiding the default scenario was discussed.
It will be the customer’s choice to receive information in any other way than the monthly provision of transaction information in a durable medium. If the PSP gives the customer this choice, the PSP must adjust its framework contract as necessary, even in cases where it amounts to a continuation of an existing practice. Firms must put procedures in place enabling new customers the opportunity to exercise that choice and provide their agreement.
Existing customers that have already provided their agreement, would not be expected to be asked for their agreement again by PSPs.
Where customers have not expressed their choice or been provided with a durable medium, PSPs should consider how to implement measures in order for them to obtain the agreement.
Changes to perimeter guidance on excluded businesses
PSD2 makes changes to some of the activities excluded from the PSR 2017 (previously referred to as ‘exempted’). These include the commercial agent exclusion, limited network exclusion and electronic communications exclusion.
Commercial agent exclusion
The commercial agent exclusion (CAE) has been amended by PSD2 so that it will not apply where a commercial agent acts on behalf of both parties in a transaction (payer & payee). The FCA has confirmed that permission to act on behalf of either party must now be given via an agreement to negotiate or conclude the sale or purchase of goods or services on behalf of the payer or the payee but not both.
The FCA have also amended Q33A of PERG to clarify that the ‘regular occupation or business activity’ test will not remove all e-commerce platforms from the scope of regulation. More information on which activities fall within the scope of the CAE can be found in Q33A.
Some areas of guidance relating to the CAE have not been changed:
- The CAE only applies to payment transactions ‘through’ a commercial agent. The FCA therefore consider that it is already clear that the CAE only applies where an agent comes into possession or control of funds.
- The FCA believe that it was the intention of the PSRs 2017 to include professional (but not for-profit) fundraising platforms within the scope of regulation and so are not changing the guidance which suggests that these services are excluded from the scope of regulation.
- Examples of business models to which the CAE is applicable will not be supplied as the exclusion is dependent upon a firm’s business model.
Limited network exclusion
Under the PSRs 2009, a firm that offers a payment service may be excluded from regulation if its service is based on instruments that can be used only in a limited way to acquire goods or services in certain limited circumstances e.g. some gift or store cards. This is often called the ‘limited network exclusion’ (LNE).
PSD2 aims to standardise the application of the LNE across the EU. It makes changes to clarify how widely the exclusion should be interpreted. The FCA have now confirmed that, in accordance with PSD2 changes, the LNE exclusion is articulated in terms of ‘limbs’, one of which has now been amended to relate to instruments used to acquire a ‘very limited range of goods and services’.
A notification has also been introduced for firms utilising the LNE, applicable in situations where the value of payment transactions executed through a limited network exceeds EUR 1 million in the previous 12 months. Descriptions of the activity must be made publicly available on a register. The notification requirement will not be in force until January 2019.
The FCA have confirmed that closed loop gift cards and fuel cards are within the scope of the LNE.
Electronic communications exclusion
The ‘digital download’ exemption previously existing under PSD has been replaced by electronic communications exclusion (ECE) under PSD2. The ECE excludes payment transactions by a provider of electronic communications networks or services where these are provided in addition to electronic communications services provided to a customer. An example of an excluded transaction could be the purchase of digital services such as apps charged to a mobile phone bill.
The ECE is limited to the purchase of digital content and voice-based services. It also includes charitable giving and the purchase of tickets but only via electronic devices and charged to the subscriber’s bill. Transactions are only excluded if they do not exceed €50 per single payment transaction or €300 cumulative value for an individual subscriber per month (‘transaction limits’).
The implementation of the ECE in the PSRs 2017 differs in two respects from the proposals set out in the Treasury’s February 2017 consultation (which was the basis of the FCA’s consultation in CP17/11):
- the definition of the exclusion has been amended to ensure that it ‘cascades’ to include intermediaries that facilitate the transfer of money to merchants; and
- the transaction limits have been set out in sterling, rather than euro (so that for UK firms, the limits are £40 and £240 respectively).
Providers of electronic communications networks or services relying on the ECE must also provide the FCA with an audit opinion that the transactions to which the service relates are within the transaction limits on an annual basis. The aforementioned limits have been put in place to protect consumers and to ensure that providers facilitating significant payment transactions are properly regulated.
Under the PSRs 2017 each provider can only benefit from the exclusion by not exceeding these limits. Providers whose subscribers exceed transaction limits will not be permitted to operate these services under the exclusion. The FCA will expect such providers to seek authorisation under the PSRs 2017 or EMRs as appropriate. If they do not, they risk committing a criminal offence under Regulation 138 of the PSRs 2017.
The ECE is only relevant where the service provided would be a payment service if it weren’t excluded. The FCA provide guidance in PERG 15 Q18 and 41A to make clear that where a provider of a network or service sells subscribers additional goods or services itself (i.e. where it is acting as principal) no payment service is being provided by the provider of the network or service, even if the payment is charged to the related bill. The VAT law and guidance cited has no relevance to the application of the PSRs 2017 and so the FCA are not amending the guidance to reflect comments about tax treatment.
The FCA have also amended Q41A of PERG to clarify that for the purposes of the application of the transaction limits, they will expect notification based on individual telephone numbers or SIM cards, rather than account holders being individual subscribers.
The PSRs 2017 have the effect of allowing intermediaries in transactions that fall within the ECE transactions to also benefit from the exclusion. This includes firms that acquire carrier billing transactions on behalf of merchants. PERG 15 Q41A has been updated to take account of this change. The FCA will not expect intermediaries to notify them. Intermediaries should consider whether any other activities they undertake constitute regulated payment services.
From October 2017, final direction and links to the FCA’s Connect Portal (where notifications can be submitted) will be available on the FCA website.
Information notified will be assessed by the regulator, who will provide a written response and publish the exclusion on the Financial Services Register within 20 working days.
The FCA have made changes to the ECE direction and form taking into account that ECE providers will not need to convert transaction values into euro. Firms may submit notifications at any time after 13 October 2017. Those providing a service falling within the ECE before 13 January 2018 must submit the notification on or before 13 January 2018.
Details of services notified under the ECE will be publicly available on the Financial Services Register. The Register will display the name and registered address of each excluded firm as well as a description of the services that they carry out that fall within the ECE, and the specific exclusion being used.
The EBA will also maintain a register which will include the information covered in the Financial Services Register, together with information provided by the competent authorities in other EEA States. The EBA has consulted on RTS regarding this register.
Account Information Services (AIS) and Payment Initiation Services (PIS)
PSD2 aims to bring regulation up to date with developments in the market, and to capture new types of payment services. Under PSD2, AIS and PIS come under regulation for the first time; therefore firms intending to provide such services from 13 January 2018 will need to be authorised or registered. Transitional arrangements are in place such that firms providing AIS or PIS before January 2016 may operate without authorisation or registration until July 2019.
The FCA have added to PERG to clarify which firms will require authorisation or registration to provide AIS. The Approach Document also advises that AIS or PIS providers will be ultimately responsible for arrangements put in place with other firms for the provision of AIS or PIS, including outsourcing arrangements.
As under the draft guidance previously issued, the FCA has confirmed that the regular occupation or business activity test is relevant for AIS, as with other payment services. An example is given in Q9 of PERG that a power of attorney business model is unlikely to be carrying out AIS or PIS as a regular occupation or business activity. AIS and PIS only relate to payment accounts.
Q25A of PERG 15 has been amended to confirm that in order for a business to be carrying out AIS, there must have been access to an account in which information has been consolidated and provided to a user.
The FCA also have updated their guidance in relation to mobile applications and mobile wallets. Funds cannot be held indefinitely by a PI.
Account information services, payment initiation services and confirmation of availability of funds
Account Information Service and Payment Initiation Services
The PSRs 2017 set out the requirements that cover interaction between ASPSPs and providers of AIS and PIS. They also set out the requirements for the confirmation of availability of funds for card-based payment transactions involving CBPIIs. The firms will be able to get a confirmation that funds are available on the account held with the ASPSP which will enable the CBPIIs to manage the credit risk.
The EBA has also developed Regulatory Technical Standards on Strong Customer Authentication and Common and Secure Communication. These standards will dictate how CBPIIs, AISPs, PISPs and ASPSPs operate.
Respondents were mostly supportive of the FCA guidance, however there were three areas which posed challenges and needed additional clarification.
Access to accounts, confirmation of availability of funds, CBPIIs and payment initiation
It has been clarified that ASPSPs do not need to make available functionality for CBPIIs to initiate payments.
In relation to AIS and PIS, a customer does not require online banking security credentials for their account to be accessible online; however, customers without credentials may need to receive them before using the services of AISPs and PISPs. Confirmation of availability of funds should not depend on whether the customer has registered for online banking and received credentials for their account.
The following modifications have been made to the guidance on the information that must be made available by ASPSPs to PISPs following the initiation of a payment, the functionality PISPs should be able to access, and the information that must be available to AISPs when requesting customers’ information:
- The information and functionality made available to PISPs and AISPs includes the disclosure of the failure or refusal to execute a transaction.
- ASPSPs are not required to offer access to functionality other than that needed to initiate payments.
- AISPs should have access to all information that the ASPSP makes available in relation to the payment account; however, information on the customers themselves would be more appropriately provided by the customer.
- There have been no changes to the value limits which ASPSPs may apply to payments made through PISPs, as doing so could undermine the principle that ASPSPs must treat payment orders initiated through PISPs and those initiated by customers the same.
Messages ASPSPs communicate to their customers must not prohibit or discourage them from using AIS or PIS. This does not prevent ASPSPs from explaining factual information about AIS and PIS.
There are no reasons for ASPSPs to treat AISPs or PISPs differently from consumers other than in cases of fraudulent or unauthorised access. Regulation 71(7) does not diminish an ASPSP’s ability to refuse payment orders or information requests made through AISPs or PISPs for legitimate reasons which would lead it to refuse those orders or requests from the customer themselves.
The FCA is exploring making a subset of the register available in downloadable format, so that stakeholders can more easily check the authorisation and registration status of AISPs and PISPs. This would give ASPSPs better access to data about AISPs and PISPs.
Fraud and security
In relation to AISPs and PISPs accessing customer credentials, AISPs, along with any outsourcers they use in providing their services, should hold credentials only where necessary for the services provided.
In relation to sensitive payment data, the FCA notes that PISPs should not hold customer credentials once they have been used to initiate a payment, and that the requirement not to store sensitive payment data would not apply where a PISP legitimately holds the data as a result of providing another payment service. For AISPs, customer credentials should be requested from the customer themselves and not from the ASPSP.
It should also be noted that there is a distinction between sensitive payment data under the PSRs and sensitive personal data under data protection legislation. Sensitive payment data is defined in Regulations 69(3)(e) and 70(3)(e) as “information, including personalised security credentials, which could be used to carry out fraud.” In relation to AIS and PIS it does not include the name of an account holder or an account number.
The PSRs 2017 intend to allow access to accounts for the purposes of AIS and PIS during the intermediate period before the SCA RTS applies. ASPSPs will not be obliged to provide an interface which complies with SCA RTS before this date. Additionally, ASPSPs are not obliged to respond to requests from CBPIIs seeking confirmation that funds are available before the SCA RTS applies.
Data and consent
More information has been provided on how the existing guidance would apply to both CBPIIs and ASPSPs when interacting to confirm that funds are available in a customer’s payment account. As previously discussed, what was meant by ‘explicit consent’ has been clarified.
In relation to AISP dispute resolution, rules are in place; however, these rules are not contained within the PSRs 2017 or the EMRs. They are set out in the Dispute Resolution: Complaints sourcebook (DISP) in the FCA Handbook, which defines what makes a person an eligible complainant and gives further guidance on the steps to be taken in cases of dispute.
AIS/PIS denial notification
Under the PSRs 2017, an ASPSP may only deny an AISP or a PISP access to a payment service user’s payment account on the basis of reasonably justified and duly evidenced reasons. The reasons must relate to unauthorised or fraudulent access to the payment account by that AISP or PISP, including the unauthorised or fraudulent initiation of a payment transaction. If this occurs, the ASPSP must immediately report the denial relating to the AIS or the PIS to the FCA. The report must include the details of the case and the reasons for taking action.
The FCA proposed in CP17/11 to direct the form, content and timing of notifications that must be provided where access has been denied to providers of AIS and PIS, including the proposed notification form. Subsequently, it has clarified that it would not expect a notification to be required where the denial of access relates to legitimate reasons that would also lead the ASPSP to refuse those orders or requests from the customer themselves.
The question asking what steps need to be taken for access to be restored has been replaced with a simpler question asking whether access will be immediately restored. If ‘yes’ is selected to indicate that access will be immediately restored, a restoration of access notification will not need to be provided.
Notifications must be submitted immediately; in practice this means allowing only the time needed to complete the form satisfactorily, including a description of the circumstances that led to the denial.
Where the same account has been repeatedly denied, repeat notifications will not be required. However, where access is granted again, a restoration of access notification will be required.
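To make the notification obligations in this section concrete, here is an added example (not FCA guidance, not the FCA’s form, and not the author’s own code) that tracks denials per account and provider and decides which notification, if any, an event triggers. The event model, the two reason categories, the field names and the `immediately_restored` flag standing in for the form’s yes/no question are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Reason(Enum):
    """Grounds for an ASPSP denying an AISP/PISP access (constructed categories)."""
    FRAUD_OR_UNAUTHORISED = "unauthorised or fraudulent access by the AISP/PISP"
    CUSTOMER_GROUNDS = "reason that would equally apply to the customer's own request"


@dataclass
class DenialTracker:
    """Decides which FCA notification, if any, a denial or restoration event triggers.

    `denied` holds the (account, provider) keys currently denied after a notified
    denial; while a key is present, further denials of that account need no repeat.
    """
    denied: set = field(default_factory=set)

    def deny(self, account, provider, reason, details="", immediately_restored=False):
        key = (account, provider)
        if reason is not Reason.FRAUD_OR_UNAUTHORISED:
            # Refusal on grounds that would also apply to the customer: no notification expected.
            return None
        if key in self.denied:
            # Same account repeatedly denied: repeat notifications are not required.
            return None
        if not immediately_restored:
            # Access stays denied, so a later restoration must itself be notified.
            self.denied.add(key)
        # The report carries the details of the case and the reasons for the action.
        return {
            "type": "denial",
            "account": account,
            "provider": provider,
            "reason": reason.value,
            "details": details,
            "immediately_restored": immediately_restored,
        }

    def restore(self, account, provider):
        key = (account, provider)
        if key not in self.denied:
            # Nothing outstanding: never denied, or the denial was already flagged as immediately restored.
            return None
        self.denied.discard(key)
        return {"type": "restoration", "account": account, "provider": provider}


if __name__ == "__main__":
    tracker = DenialTracker()  # constructed sample sequence of events
    print(tracker.deny("acct-001", "pisp-example", Reason.FRAUD_OR_UNAUTHORISED, details="constructed case"))
    print(tracker.deny("acct-001", "pisp-example", Reason.FRAUD_OR_UNAUTHORISED))  # None: repeat denial
    print(tracker.restore("acct-001", "pisp-example"))
```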
AIS/PIS credit institution notifications
Credit institutions will now be required to notify the FCA if they are providing Account Information Services or Payment Initiation Services. This will help the FCA understand whether the competition aims of PSD2 are being met and how these markets are emerging.
Also, where payment institutions, e-money institutions or unregulated businesses wish to provide AIS or PIS they must apply to the FCA for permission to undertake those services.
Payment service providers’ access to payment account services
Guidance on payment service providers’ access to payment account services
In order to meet the aims of PSD2 the FCA proposed that PSPs have access, on a proportionate, objective and non-discriminatory basis to the account services they need in order to carry out their business.
Under Regulation 105, the FCA believes that credit institutions should not have policies based on restricting access to the payment services they provide to certain categories or types of PSPs. This corresponds with its view that, under Regulation 105, credit institutions should consider applications from PSPs and prospective PSPs individually and on their own merits. This will not prevent credit institutions from applying their commercial appetite or risk tolerance, as long as it is applied to the circumstances of the individual PSP or prospective PSP.
Credit institutions under Regulation 105 are under no obligation to communicate duly motivated reasons to PSPs or prospective PSPs. However, in practice a credit institution will communicate its decision to the PSP or prospective PSP, except to the extent that it is unlawful to do so.
All communications with customers should be treated in line with other regulatory and legal obligations such as the Proceeds of Crime Act s.333A.
In assessing whether a credit institution has granted access on a proportionate, objective and non-discriminatory basis, the FCA will check whether the credit institution has applied its criteria consistently. Every credit institution has its own set of criteria; however, the FCA may, in the course of assessing notifications, evaluate those criteria. It would do so if it felt that the criteria set by a credit institution discriminate against a certain category of PSPs and prevent the credit institution from effectively assessing a PSP or prospective PSP’s application on its own merits.
The PSRs 2017 provide powers for competent authorities to investigate potential breaches of a credit institution’s requirements. The time a credit institution takes to respond to an application can be a factor in a decision to investigate them, however other factors will also be considered.
A credit institution will have the right to charge higher fees in order to fund additional checks that could reduce risk. It may not always have the possibility to offset risks or meet commercial drivers by charging applicants higher prices; however, this is a matter for discussion between the credit institution and the applicant.
Finally, it is important to note that Regulation 105, which requires credit institutions to grant PSPs access to payment account services on a proportionate, objective and non-discriminatory (POND) basis, applies to all UK credit institutions.
Access to payment accounts notification
Some changes to the Supervision Manual of the FCA Handbook have been proposed (SUP 15.14). These will be focused on the direction of the form, the content and the timing of the notification that needs to be given to the FCA when credit institutions provide their reasons for refusing or withdrawing access to payment account services.
The FCA has clarified some issues surrounding the submission channel to be used. The notification form will be available through the FCA Connect Portal as a web form. There will be no standardised responses for all questions; instead, credit institutions are expected to assess requests for access individually and, in the case of refusals or withdrawals, provide the FCA with duly motivated reasons which explain how the credit institution applied its criteria to a particular PSP or prospective PSP.
Credit institutions will now also be able to differentiate between pre-application refusals and post-application refusals in the notification form.
Guidance has been added in SUP to clarify that a credit institution that withdraws access from multiple PSPs at the same time can contact the FCA in the first instance, prior to the withdrawal. The FCA will then advise how the duly motivated reasons should be given to it.
Consequential changes and other revisions to the Approach Document
Safeguarding
Safeguarding customer funds is the main consumer protection measure within the PSRs 2017. It is highly important that firms have appropriate and well-run safeguarding systems in place to ensure that, in the event of insolvency, there is a timely and proper payout to customers.
Funds that are not ‘relevant funds’ must be kept separate from ‘relevant funds’ in order to avoid any dilution of the asset pool. Where payment transactions are between payers and payees outside the EEA the payment transaction does not fall within the definition of ‘relevant funds’. The clarified guidance sets out how firms may legitimately deal with these unavoidable discrepancies and in no case will it be acceptable for firms to over-fund their accounts rather than maintain appropriate and robust processes and records for safeguarding and segregation accounts.
PSRs 2017 state that no other party can have a right or an interest in the safeguarding account.
Payment Systems Regulator’s approach
Access to payment systems
PSD2 preserves the existing PSD requirements on direct access to certain payment systems, and adds new requirements regarding indirect access. Regulations 103 and 104 of the PSRs 2017 transpose the PSD2 provisions on access into UK law.
Cases which do not involve seeking access to a payment account service cannot be considered under Regulation 105. Regulation 105 also does not cover the supply of payment account services to credit institutions, however Regulation 104 covers the supply of indirect access to payment systems to credit institutions.
The requirements of Regulation 104 apply to all direct participants who already allow PSPs that are not direct participants to ‘pass transfer orders’ through a payment system. However, when deciding whether a decision is proportionate, objective and non-discriminatory, the Payment Systems Regulator will take account of whether the Indirect Access Provider (IAP) already provides the services being requested.
IAPs will only be required to give full reasons to the applicant to the extent permitted by law.
Payment Systems Regulator’s approach to monitoring Regulation 103 of the PSRs 2017
General Direction 3 will be replaced by a reporting requirement under the PSRs 2017 for Payment System Operators (PSOs) who are subject to Regulation 103, in order to assist in the monitoring of compliance. The annual compliance report will include the PSO’s own assessment of its compliance with the requirements of Regulation 103, details of all expressions of interest from PSPs in potentially gaining access to the system, and the outcome of those expressions of interest.
Payment Systems Regulator’s approach to monitoring Regulation 104 of the PSRs 2017
Compliance with Regulation 104 will be monitored by considering complaints received from PSPs. An initial direction will also be issued to all IAPs, requesting information to help the PSR understand the criteria and governance processes they use to assess indirect access requests. Before such a request is made to IAPs, the PSR will consider the precise information that is required and whether it already holds some of it.
Firms will need to ensure that they are compliant with new FCA rules implementing PSD2. Please contact a member of our compliance team to discuss:
- Applications for authorisation & re-authorisation
- Ongoing compliance support
- Applications for registration & re-registration
- Compliance review
© CPA Audit LLP 2019.