FCA Policy Statement PS17/19 - UK implementation of PSD2 almost finalised

The FCA has recently published final rules relating to the UK implementation of PSD2 in the form of Policy Statement PS17/19. The Policy Statement summarises feedback the FCA received in relation to its consultation papers CP17/11, published in April 2017 (see our briefing), and CP17/22. The FCA has also published the final version its approach document "Payment Services and Electronic Money –our approach" (the revised Approach Document), a draft of which was consulted on in April 2017. The Payment Systems Regulator has also published its own document in relation to monitoring and enforcing PSD2.

The Policy Statement provides some clarity, especially in the relation to the regulation of the new so called Third Party Providers, account information service providers (AISPs) and payment initiation ser vice providers (PISPs). However, uncertainty still remains in relation to certain aspects of the implementation of PSD2 regime, owing to outstanding key guidance from the European Banking Authority. The FCA comments that it may have to amend its guidance once EBA final guidance is released.

The FCA notes that, although many of the changes apply from 13 January 2018, firms should also be aware that elements relating to authorisation and registration, including professional indemnity insurance requirements, apply earlier (from 13 October 2017). The FCA has set out upcoming deadlines its Policy Statement.

Background

Directive (EU) 2015/2366 (PSD2) must be implemented by Member States by January 2018. PSD2 brings about a number of significant changes, in particular the introduction of AISPs and PISPs. The majority of the requirements relating to PSD2 were implemented via the Payment Services Regulations 2017(SI 2017/0752) (PSRs), which were published by the Treasury in July 2017. The FCA rules are, therefore, intended to serve as guidance on the application of the PSRs.

The revised Approach Document sets out the FCA's approach to applying the PSRs and the amended E Money Regulations 2011. It replaces the existing Payment Services and E-Money Approach Documents (the FCA’s role under the Electronic Money Regulations 2011 and the FCA’s role under the Payment Services Regulations 2009). It also contains some new guidance, largely in response to The FCA's February 2016 Call for Input on the FCA’s approach to the current payment services regime.

Perimeter guidance

In this section, the FCA summarises and responds to feedback received to proposed amendments to its Perimeter guidance, including on the following exclusions.

Limited network exclusion (LNE)

The "limited network exclusion" enables a firm that offers a payment service to be excluded from regulation if its service is based on instruments used to acquire a "very limited range of goods and services." Firms that are providing, or intend to provide, services that benefit from the LNE must notify the FCA where the value of payment transactions executed through these services was more than €1 million in the previous 12 months. The FCA proposed the form, content and timing of the notification and has made some amendments (contained in Appendix 2 of PS17/19) so that notifications are not required until 12 months after the implementation of PSD2 i.e. from January 2019. This change is intended to avoid firms having to apply the new requirements to services provided in the period before PSD2 came into effect. However, the FCA states that a service provider can still submit a services notification before 13 January 2019 if they wish to (from 13 October 2017).

The FCA confirms that details of services notified under the LNE will be publicly available on the Financial Services Register in relation to services provided in the UK.

The FCA confirms that is not proposing to issue additional guidance on the definition of "very limited range of goods and services" for the purposes of the LNE as it has already given guidance using fuel cards and store cards as examples.

Electronic communications exemption (ECE)

The FCA had included proposals to direct the form, content and timing of the notification for providers of electronic communication network or services intending to rely on this exemption. The exemption applies to payment transactions by a provider of electronic communications networks or services where these are provided in addition to electronic communications services provided to a customer. Transactions are only excluded if they do not exceed €50 per single payment transaction or €300 cumulative value for an individual subscriber per month.

The FCA comments on concerns raised by firms in relation to monitoring effectively customers’ transactions to ensure they can continue to benefit from the ECE but states that these have been introduced to protect consumers and so the regulator's position remains unchanged.

The FCA confirms that the ECE is only relevant where the service provided would otherwise be a payment service if it wasn't excluded. It has clarified its guidance in PERG to make clear that, where a provider of a network or service sells subscribers additional goods or services itself (i.e. where it is acting as principal), no payment service is being provided by the provider of the network or service, even if the payment is charged to the related bill.

Account Information Services and Payment Initiation Services

Under PSD2, providers of online payment accounts such as banks or building societies (referred to as Account Servicing Payment Service Providers (ASPSPs)) must allow AISPs or PISPs to have access to customers' online payment accounts, with the customer's consent.

The FCA refers to the Competition and Markets Authority (CMA)’s Open Banking remedy, published in February 2017 (and covered in our newsflash here), and states that the initiative, whereby the UK's largest nine retail banks are required to develop application programming interface standards (APIs), could improve competition and access to banking services. However, no specific guidance is given on how the CMA's Open Banking remedy is expected to interact with the PSRs requirement to enable payment initiation services (PIS) and account information services (AIS).

The FCA has provided guidance on what processes need to occur for a business to be carrying out an AIS. It states that there has to have been access to an account, the information has to have been consolidated in some way and must have been provided to a user. Effectively, the FCA is looking to maintain flexibility here. It intends to monitor market developments with the prospect of further guidance as the FCA's understanding of AIS and PIS business models develop. The revised approach document states that, although a business may be involved in obtaining, processing and using payment account information to provide an online service to the customer, only the entity providing consolidated account information to the end payment services user will require authorisation/registration as an AISP.

Authorisation and registration

The FCA confirms that firms intending to provide AIS or PIS from 13 January 2018 will likely need to apply to be authorised or registered and notes that the Treasury has included an exception to this in the PSRs (Regulation 154 of the PSRs). The FCA states that firms providing AIS or PIS before January 2016 may operate without authorisation or registration until 18 months following the adoption of the EBA’s regulatory technical standards on strong customer authentication and common and secure communication under PSD2. The FCA comments that this is likely to be after mid-2019.

The FCA has also included guidance in the revised Approach Document to state that firms not yet authorised or registered for the provision of AIS or PIS will not be subject to the rights of access to account information or obligations in the PSRs. It encourages businesses not to wait until the end of this transitional period to become authorised. However, it also states that all businesses that started to provide AIS or PIS on or after 12 January 2016, or are planning to do so, will have to be appropriately authorised or registered from 13 January 2018 if they wish to continue operating in the market.

The FCA provides additional guidance on:

• The requirement to be re-authorised and the level of information required. The FCA confirms that it intends to comply with the EBA Guidelines on authorisation and states that it has issued communications to firms to let them know they need to apply for re-authorisation. It has re-worded the reauthorisation forms to clarify that firms do not need to resubmit information which they have previously provided to the FCA.

• Transitional provisions. The FCA confirms that payment institutions (PIs) and e-money institutions (EMIs) will need to comply with the new requirements of PSD2 from 13 January 2018, prior to becoming re-authorised or re-registered. This includes the amended conduct of business requirements, new complaints handling timeframes and new reporting and notification requirements. PIs and EMIs are advised to look at the FCA Handbook, revised Approach Document and the PSRs, to find out the start date of each requirement.
• Professional indemnity insurance. The FCA confirms its intention to follow EBA Guidelines on the criteria on how to stipulate the minimum monetary amount of the professional indemnity insurance. The FCA sets out the minimum amount of cover that must be held by firms providing AIS or PIS in the revised Approach Document. It states that those seeking authorisation or registration to carry out PIS or AIS will need to demonstrate they have this cover in place.
• Expectations of prospective AIS and PIS providers. Chapter 3 of the revised Approach Document now sets out the FCA's expectations in terms of documentation from prospective AIS and PIS providers around outsourcing arrangements, security risks, business models, how consent will be obtained and how data will be used.

Complaints handling and reporting

PSD2 introduces new requirements for dispute resolution, including new time limits for payment service providers (PSPs) handling of payment services complaints. The FCA had proposed amendments to its Dispute Resolution Sourcebook (DISP) for complaints from eligible complainants in relation to rights and obligations under parts six and seven of the PSRs 2017 (defined as "PSD complaints") and applying the same time limits to complaints concerning rights and obligations under part five of the EMRs (defined as "EMD complaints"). The FCA notes concerns relating to handling multifaceted complaints, where part of the complaint is a "PSD complaint" or "EMD complaint", and part is not a "PSD complaint" or "EMD complaint". It is maintaining the guidance which states that PSPs may handle the whole complaint within 15 business days (or 35 in exceptional circumstances) should they wish to, rather than handling parts under separate timeframes.

In relation to reporting, the FCA has made amendments:

• Timing of reporting. The FCA is proceeding with its proposal to introduce the new Payment Services Complaints Return but this will not be required for the first six months of PSD2’s implementation (i.e. the period until 13 July 2018). Transitional provisions are set out in DISP in Appendix 1 to the Policy Statement
• Separating complaints. The FCA has amended the return so that the times in which complaints are resolved only need to be reported under the broader "complaints about payment services and electronic money" category, and so that "PSD complaints" and "EMD complaints" do not need to be separated out.

Conduct of business

The FCA summarises the feedback it received about proposed changes to its conduct of business rules in its Banking: Conduct of Business sourcebook and guidance in Chapter 8 of the revised Approach Document. Points to note include the following

• Liability of AISPs and PISPs - Non-payment accounts. The FCA has made some changes to the guidance on non-payment accounts so as to clarify that provisions such as Regulation 89(1) of the PSRs 2017 (value date and availability of funds), which only apply to payment accounts, will not apply to non-payment accounts.
• Liability of AISPs and PISPs. The FCA has made a number of amendments to its proposals in this area in response to two issues: (i) the lack of a mechanism to deal with claims between account servicing payment service providers (ASPSPs) and PISPs; and (ii) the fact that there are no liability provisions relating to AISPs. The revised Approach Document now clarifies that, where a PISP is responsible for an unauthorised, non-executed or defectively executed transaction, an ASPSP which has refunded a customer can seek compensation from the PISP. The PISP must, on request, provide that compensation immediately. The FCA clarifies that, where a customer experiences detriment caused by its AISP, other than in relation to an unauthorised payment, the customer should contact the AISP in the first instance, rather than its ASPSP. The FCA has provided guidance in the revised Approach Document on the ASPSP’s right of recourse and action under the PSRs (relevant when seeking compensation from AISPs).
• Blocking access to PISPs and AISPs. In its guidance, the FCA confirms that, where an ASPSP stops a customer’s use of a payment instrument, and the PISP or AISP cannot access the account as a result, this does not amount to a denial of access for AIS and PIS, requiring notification to the FCA.

Regulatory reporting, notifications and record keeping

The FCA provides clarification on a number of issues.

• Fraud reporting. The FCA is proceeding with the fraud reporting requirements as consulted.
  Therefore, PSPs will be required to collect the fraud data specified in Form REP017 (contained in Appendix 1) and report this annually to the FCA. The FCA has amended the proposed submission date so that the first return should cover the period beginning on 13 January 2018 and ending on 31 December 2018. After that, reporting periods will run from 1 January to 31 December each year. The FCA confirms that it would not expect payment service providers to record data on transactions initiated via PISPs until they are able to recognise such payments, as distinct from those made directly by customers.
• Controllers and close links. The FCA is proceeding with its proposal to require authorised PIs to submit the annual controllers report (REP002) and annual close links report (REP001) that EMIs and FSMA-authorised firms currently provide to the FCA.
• Incident reporting. The FCA confirms its intention to comply with the EBA Guidelines on major incident reporting and has updated its requirements on PSPs to reflect the final version. Firms are advised to read the final Guidelines to understand the types of incidents that should be notified. Firms are reminded that the final Guidelines require notifications to be made within four hours of an incident being identified, rather than the proposed two hours.