Since early 2018, firms subject to the revised Payment Services Directive (PSD2) have been preparing for new European regulatory technical standards for strong customer authentication and for common and secure open standards of communication. These detailed, technical standards (known as “SCA-RTS”) supplement PSD2 by supporting the security and safety of electronic payments. The FCA issued its final policy position on the implementation of SCA-RTS in December 2018 under PS18/24.
If there is no ratification of the UK-EU Withdrawal Agreement by 29 March 2019, the EU (Withdrawal) Act 2018 will trigger a transfer of EU laws as they stand on that day into UK law (becoming “retained EU law”). However, as of that day, only paragraphs 3 and 5 of Article 30 of SCA-RTS will be in effect so only those provisions will become UK law if there is a no deal Brexit.
For the payments sector, which has been in the process of trying to understand and prepare for implementing these PSD2 technical requirements, this scenario presents a great deal of uncertainty. For example, account servicing payment service providers (ASPSPs), such as banks, have been busy preparing to meet the new requirement to have built testing interfaces for third party providers under open banking by 14 March 2019, the deadline required to meet the specific provisions of SCA-RTS that will already be in effect prior to exit day. (Third party providers here include account information service providers, payment initiation service providers, and card-based payment instrument issuers, collectively referred to as “TPPs”.)
The UK’s departure from the EU on 29 March 2019 would mean that the balance of SCA-RTS would not be implemented automatically because this is not due to come into effect until September 2019. This would leave a substantial gap in the UK regulatory framework and the FCA is now consulting to address this issue for the payments sector.
The UK’s proposed solution
To ensure PSRs 2017 delivers on consumer protection, the FCA needs to have technical standards in place. The UK’s (and the FCA’s) general approach to preparing for no deal is to ensure as much continuity as possible in the immediate aftermath. Accordingly, at the same time as releasing its final policy paper on SCA-RTS (PS18/24), the FCA set out proposals in consultation paper CP18/44 on how it intends to deal with these requirements if there is a no deal Brexit. The proposals provide as follows:
- The FCA will use the powers granted to it under regulation 106A of the Electronic Money, Payment Services and Payment Systems (Amendment and Transitional Provisions) (EU Exit) Regulations 2018. In a no deal scenario, the EU Exit Regulations will trigger an amendment to PSRs 2017 so that they include a new power enabling the FCA to create a UK version of SCA-RTS. (
- Certain provisions of the amended PSRs 2017 will be uncertain, which could put the delivery of consumer protections in doubt unless the FCA makes technical standards. So, the FCA intends to make moderate changes only (such as, for example, changing references to “EBA” to “FCA” and “PSD2” to “PSRs 2017”) to ensure that the technical requirements will continue to operate effectively. To see the changes proposed by the FCA, please see Appendix I of CP18/44.
- After having made only moderate adjustments, the FCA will create a set of UK technical standards which it refers to as “UK-RTS” which will be “substantially in the same form” of the EU SCA-RTS. A draft copy of these proposed UK-RTS can be found in Appendix 2 of CP18/44.
The FCA points out that the benefit of adopting this approach is that after a no deal Brexit, payment service providers would still have systems and processes in place that follow technical standards substantially in the same form as SCA-RTS.
It also means that before Brexit, regardless of the outcome, by 14 March 2019 ASPSPs must make documentation available to TPPs specifying the routines, protocols and tools needed by them to allow their software and applications to interoperate with the systems of the ASPSPs. ASPSPs must also make available an access interface to enable TPPs to test software and applications used for offering payment services to their customers.
The FCA’s aims and next steps
The FCA’s plan for a no deal Brexit in relation to SCA-RTS is to ensure that these provisions will operate effectively after the UK exits by making the remainder of UK-RTS. This will mean that from 14 September 2019, under PSRs 2017, all PSPs (unless an exemption applies) will need to ask customers for more information to verify their identity before an electronic payment is made. The proposals help support an aim of PSRs 2017 to prevent harm caused by payment fraud. Making the UK-RTS will support strong customer authentication by setting out certain security measures. The proposed UK-RTS will include requirements to address security threats and will support open banking (e.g. standards governing security of communication sessions and data exchanges when TPPs access customers’ account data or initiate payment). This will help support market integrity.
Proposals in CP18/44 are open for comment until 19 February 2019. The FCA expects to publish the feedback it receives, and its final policy position sometime in April 2019.
With exit day so close to full implementation of SCA-RTS, so much preparation work already undertaken and underway and with so much common ground with Open Banking, it is natural for the FCA to adopt a UK version of SCA-RTS in the event of a no deal Brexit. Certainty combined with consumer protection and enhanced competition (from TPPs) are clear and compelling drivers.