FCA's consultation on PSD2 (CP17/11)

The FCA has published a consultation on its approach to implementing the second Payment Services Directive (PSD2). This briefing summarises what the FCA (and where relevant the Payment Systems Regulator) is proposing.

Background

PDS2 updates the original Payment Services Directive (PSD1) with the aim of bringing regulation up to date with developments in the payment services industry. The majority of PSD2 must be implemented by member states by 13 January 2018 (through maximum harmonisation, which leaves little discretion available to member states). The Treasury has proposed to implement PSD2 largely through the draft Payment Services Regulations 2017 (PSRs 2017), leaving little discretion to the FCA in how it applies PSD2. As a result the FCA is consulting mainly on its approach to interpreting and applying the PSRs 2017. The FCA is keen to note that the PSRs 2017 are still under consultation and so the FCA's proposals remain subject to any future change of the PSRs.

Third party access to accounts (XS2A) and open banking

One of the biggest changes initiated by PSD2 is the requirement on providers of online payment accounts to allow third parties providing account information services (AIS) or payment initiation services (PIS) to have access to customers' online payment accounts, with the customers' consent (this will, in turn, create new categories of payment service providers which will need to be authorised or registered by the FCA. This change is also being implemented at the same time as the UK's Competition and Markets Authority's Open Banking remedy, which requires nine UK retail banks to develop application programming interface (APIs) standards to facilitate access to customers' current account data by third parties. This is commonly referred to as "XS2A" or "open APIs". In CP17/11, the FCA is consulting jointly with the Payment Systems Regulator on their approach to supervising these new account access requirements and on the responsibilities of the businesses to whom these requirements apply.

Approach document

CP17/11 proposes a replacement Approach Document (to that already in issue), which sets out the FCA's approach to interpreting and applying the PSRs 2017 and the Electronic Money Regulations 2011 (EMRs). The FCA has decided to combine two existing approach documents (for payment services and e-money, respectively) into one document, titled Payment Services and Electronic Money – Our Approach (the revised Approach Document).

Perimeter guidance

PSD2 broadens the scope of payment services by bringing two new activities¹ under regulation for the first time as well as narrowing excluded business activity². Chapter 15 of the FCA's Perimeter Guidance Manual (PERG) currently governs payment related activities in the UK and PERG 3A does the same for e-money. 

The FCA has proposed that the commercial agent exclusion (which exempts payment transactions made via commercial agents under certain conditions) is amended in light of the changes brought about via PSD2. Under PSD2, the amended exclusion will not apply where a commercial agent acts on behalf of both parties in a transaction (payer and payee). For the exclusion to apply the commercial agent must only act for the payer or the payee. In addition, permission to act on behalf of either party must now be given via an agreement to negotiate or conclude the sale or purchase of goods or services on behalf of the payer or the payee, but not both.

There is further clarification in the revised PERG 15 for fundraising platforms who should now have more clarity over when they may be caught.

The existing digital download exemption is being replaced by the electronic communication network exclusion which refers expressly to the purchase of digital content and voice based services which are charged to a related bill.

Account information services and payment initiation services

The new regulated activities of AIS and PIS mean that any business providing these services will need to be authorised or registered to do so by 13 January 2018. The FCA has sought to keep its interpretation of PSD2 requirements on AISs and PISs as broad as possible to account for potential new business models. 

Authorisation and registration

For payment institutions (PI) or e-money institutions (EMI), PSD2 makes changes that mean they need to provide additional information and meet new conditions to be authorised. This will affect existing PIs or EMIs as well as new ones. Existing PIs and EMIs will need to provide this additional information to the FCA by 13 April 2018 to continue providing services on or after 13 July 2018 (small PIs have until 13 October 2018).

There is also a territoriality requirement which means part of the business must be carried on from the UK. Firms that wish to provide AIS or PIS must also have have professional indemnity insurance or equivalent (such as be subject to a guarantee scheme for compensation) that covers these activities.

AIS providers can apply to be a registered account information service provider (RAISP) which will incur less onerous requirements for authorisation or registration.

Further concessions are available to small payment institutions (small PIs) and small e-money institutions (small EMIs). The FCA has not yet concluded whether the current EBA guidelines are appropriate for small PIs and small EMIs. A further consultation will be issued on this in mid-2017.

PSD2 (and consequently the PSRs 2017) introduce new requirements for changes in qualifying holdings in an authorised PI and the FCA has proposed the same approach for PIs as it currently has for EMIs in relation to changes in control. For persons acquiring, increasing or reducing control over a payment institution, if they pass the test for significant influence, i.e. 10%, 20%, 30%, or 50% control, the person will need to notify the FCA.

Passporting

PSD2 introduces a number of changes in relation to passporting including:

• the information to be provided by the applicant to the home state competent authority in the application to exercise passporting rights;
• the passporting notification process between regulators that may impact the timeframes in which authorised PIs, authorised EMIs and RAISPs can begin their passporting activities; and
• the powers of host state competent authorities and reporting requirements on those exercising their right to establishment.

Conduct of business rules

For PIs and EMIs, the FCA highlights the consequential changes in its revised Approach Document as a result of PSD2. In particular, the FCA signposts legislation which may impact PIs and EMIs business: the Consumer Credit Act, the Consumer Protection from Unfair Trading Regulations and the FCA's Banking Conduct of Business Sourcebook (BCOBs).

One of the key discrepancies between the FCA's implementation of PSD1 and PSD2 is in the complaints regime. Under PSD1, the FCA decided to apply the existing complaints requirements to payment services providers (PSPs) in an unamended way. Under PSD2 the time limits for responding to complaints are longer than under the FCA's DISP rules. The FCA is introducing new rules for what they term 'PSD complaints' which will bring the UK regime into line with PSD2. However, the FCA has chosen to exercise permitted discretion and apply its three day complaints handling rule to PSD and EMD businesses as the FCA's shorter time limit is more favourable to the payment services user (by incentivising quicker resolution of complaints).

Liability for transactions

The issue of liability is key under PSD2. The FCA is proposing guidance in BCOBS relating to some of the issues surrounding liability as a result of changes in how payment transactions are effected.

A new rule is proposed in BCOBs which would require firms to consider explicitly the risk of fraud involved in allowing customers to make electronic payments. Firms will be required to have procedures and safeguards in place to ensure safe and secure payments and this should include authentication procedures to verify the identity of the banking customer or the validity of the use of a particular payment instrument, proportionate to the risks involved. The FCA backs the Strong Customer Authentication and Common and Secure Communication Regulatory Technical Standard (which is yet to be adopted by the Commission). For more information on this please see our briefing here.

Currently, a banking customer may be liable for a maximum of £50 in respect of an unauthorised transaction. The PSRs 2017 are reducing this to £35. The FCA will align BCOBs with this £35 limit as well as applying exemptions to customer liability as set out in the PSRs 2017. Similarly where a customer has given the wrong account information and a payment has been made, the firm must make reasonable efforts to recover the sum involved. Under the PSRs 2017, the requirements for dealing with these situations have been extended and the position will now be:

• The payee's PSP must co-operate with the payer's PSP in its efforts to recover funds, in particular by providing to the payer's PSP all relevant information for the collection of funds;
• If the payer's PSP is unable to recover the funds it must, on written request, provide the payer with all relevant information for the payer to claim repayment of the funds.

The FCA is proposing rules in BCOBs to implement these changes.

PSPs' access to payment account services

PSD2 is improving PSPs access to payment account services. The PSRs 2017 have implemented this through Regulation 105, which means providing access and notifying the FCA whenever access is refused or withdrawn.

To help firms understand Regulation 105, the FCA has provided guidance in its revised Approach Document which includes a non-exhaustive list of factors it may consider in its assessment of whether a credit institution has granted access on a proportionate, objective and non-discriminatory basis as well as examples of the types of arrangements that may be put in place. Reporting of withdrawal or refusal of access to the FCA is via a pro forma form. Any notification to the FCA must be in good time in order for it to determine whether decisions have been made appropriately. The FCA believes that notifications to it of withdrawal or refusal should be made at the same time as the credit institution notifies the PSP or, if no notification is made to the PSP, immediately following the decision.

Next steps

The consultation is open for comments until 8 June 2017. Following this, the FCA aims to publish its policy statement setting out its finalised guidance and approach document in Q3 2017. This will follow the Treasury's finalisation of the PSRs 2017. Alongside this the Payment Systems Regulator will finalise its approach, powers and procedures guidance which it hopes to publish in Q3 2017 (alongside the FCA's policy statement). Notwithstanding all of this, the FCA will publish a further consultation once the EBA finalises certain guidelines and the Commission publishes its regulatory technical standards in the official journal. 

PSD2 will apply from 13 January 2018.

^{1.  Account information services and payment initiation services, as defined.}

^{2.  PSD2 will continue to allow certain business activities undertaken by non-bank organisations to remain outside the scope of its requirements but the exclusions have narrowed so, for example, the purchase of physical goods and services through a telecoms operator will fall within scope of PSD2 based on certain monetary thresholds.}