As we await the final rules and guidance from the FCA following its consultation through CP18/25 (the consultation period on which closed on 12 October 2018), we take the opportunity to summarise some of the FCA’s key proposed changes on the final pieces of the PSD2 puzzle, namely:
- fraud reporting;
- notification and reporting changes;
- the exemption from contingency measures as PSPs gear up to designing, developing and testing their dedicated TPP interfaces; and
- strong customer authentication and applicable exemptions.
Background to CP18/25
On 17 September 2018, the FCA published its Consultation Paper (CP18/25). CP18/25 deals with a number of different topics.
Its primary focus is on the implementation of the Regulatory Technical Standards (RTS) on Secure Customer Authentication and Common and Secure open standards of Communication (SCA-RTS) and the EBA’s Opinion on the SCA RTS.
In addition, the FCA sets out its approach towards the UK’s implementation of the EBA’s draft guidelines on the conditions to be met in order for an exemption from the contingency measures under Article 33(6) of the SCA-RTS to apply (the draft “Exemption Guidelines”). Final form guidelines are expected by the end of 2018.
Thirdly, the FCA deals with the EBA’s Final Report on Fraud Reporting, which was published in the summer, aligning its position and updating its Approach Document.
Lastly, the FCA has taken the opportunity to propose amendments to its current Payment Services and E-money Approach Document (Approach Document) (last amended in July 2018) and to clarify certain perimeter issues (mostly PSD2 derived) through changes to its Perimeter Guidance (PERG). See our separate article on these proposed PERG changes here.
The FCA is replacing its REP017 notification form with a new Payments Fraud Report which all PSPs will now need to submit on a semi-annual basis, with the first reporting falling due in August 2019 (two months after the end of the first reporting period). The FCA has mirrored the requirements set out by the EBA in its Guidelines and has helpfully produced detailed completion notes on how PSPs should approach reporting.
On first blush, it appears that in some circumstances, the reporting may inadvertently result in some double counting. For example, the FCA comments that where a payment transaction meets the prescribed conditions, it should be recorded as a fraudulent transaction for the purposes of the report “irrespective of whether (i) the PSP had primary liability to the user; [or] (ii) the fraudulent transaction would be reported as such by another PSP in the same payment chain”.
Notification and reporting changes
Changes to Chapter 13 of the FCA's Approach Document reflect the fraud reporting changes and also go on to deal with reporting and notification requirements under the SCA-RTS. Notably, PSPs utilising dedicated interfaces and relying on an exemption from contingency measures will, on a quarterly basis, be required to furnish the FCA with statistics on the availability and performance of their dedicated interface (from the time of testing in March 2019 and beyond). Not only will this initially assist the FCA with its assessment for any exemption application which may follow, it will also assist the FCA when monitoring PSPs more generally and their compliance with the SCA-RTS.
Further, PSPs must notify the FCA without ‘”undue delay” where they encounter problems with their dedicated interface(s). Whilst the FCA has yet to confirm the preferred method of submission, problems with the interface must be submitted on form NOT005, details of which are set out in CP18/25.
One welcome clarification is that provided in respect of Articles 18, 19 and 20 of the SCA-RTS and the entwined relationship between the three. Notably, only those PSPs seeking to rely on the TRA exemption under Article 18 are required to monitor their fraud rates in accordance with Article 19. The obligation to report to the FCA under Article 20 is only triggered where those fraud rates exceed the applicable reference rate, is. Changes to the Approach Document at Chapter 13 clarify what information the FCA expects and circumstances in which PSPs should report to the FCA.
Exemption from contingency measures
Chapter 17 of the Approach Document introduces a raft of new text in an attempt to accommodate and address the current draft Exemption Guidelines. Importantly, the FCA has recognised that PSPs need clarity as a matter of urgency with respect to regulatory expectations in readiness for the imminent dedicated interface testing deadline of 14 March 2019. While reflecting the EBA’s position, the FCA provides welcome clarity on the expectations on PSPs when submitting an exemption application in readiness for the September implementation date. The FCA sets out what will be taken into account as part of the exemption application process and provides helpful guidance on how PSPs can overcome some hurdles that are time constrained.
Perhaps ambitiously, exemption applications are invited by the FCA from January 2019 onwards. The FCA remarks that firms should consider how long it may take them to design a contingency measure in the event that the application for the exemption is unsuccessful, given that 14 September 2019 is a hard-stop deadline. The FCA considers that unsuccessful firms would need at least three months to build a contingency measure and accordingly, is expecting to receive exemption applications by 14 June 2019 at the latest.
The FCA will scrutinise exemption applications against OB conformance testing of ASPSP interfaces. Where firms have multiple dedicated interfaces (for each brand, within a group), they will be required to submit one exemption per dedicated interface. Dedicated interfaces will also be scrutinised against direct access systems to ensure both systems are on a ‘like for like’ basis, so that dedicated interfaces are not offering a subservient service or functionality to that offered to the customer had he or she gone ‘direct’. So, for example, the FCA remarks that if a customer can access their payment account via biometric fingerprints, this functionality ought to be made available on the dedicated interface.
Less surprisingly, the FCA has also confirmed the deadline for making available technical specifications for testing interfaces as being 14 March 2019. In order to meet the ‘wide usage’ requirement, TPPs must have been able to use the interface with customers for at least three months before the FCA will consider an exemption application. Again, the FCA will take into account whether firms have followed the standard implementation of industry initiatives such as OBIE.
Authentication and a brand new chapter
From 14 September 2019, all firms will need to comply with regulation 100 of the Payment Services Regulations 2017 (PSRs) regarding authentication of payments and with the SCA-RTS requirements. SCA must be applied unless one of the exemptions applies. Unsurprisingly, the newly introduced Chapter 20 in the Approach Document is in the main reflective of (and endorses) the EBA Opinion.
Within the chapter, the FCA clarifies its expectations on: (i) the security of communication sessions and exchange of data between an ASPSPs and TPPs:,(ii) the scope of information an AISP can access; (iii) the exchange of qualified certificates between ASPSPs and TPPs; and (iv) access to a customers’ personal identifying information. The FCA also provides clarification on the four times daily limit when the customer is not actively involved and the level of payment functionality when the customer uses a PISP.
PSPs relying upon the dedicated corporate protocols SCA exemption (in Article 17 of the SCA-RTS) may be relieved to know that the FCA is not requiring them to make any formal application in order to rely upon the exemption. Rather, they are simply required to notify the FCA that they are doing so as part of their usual SCA-RTS annual reporting on operational and security risks. PSPs will be required to confirm that the levels of security are equivalent to those provided for under PSD2.
Lastly, the FCA confirms that PSPs relying on any exemptions set out in Articles 10 to 18 of the SCA-RTS will need to record and monitor (on at least a quarterly basis) prescribed data elements in accordance with Article 21 of the SCA-RTS.
Finally, no article or regulatory update is complete without a word on complaints. In response to the super complaint from Which in 2016, the FCA has used this opportunity to make some changes to the Approach Document (at Chapter 8), by imposing further recording and reporting requirements on all PSPs regarding APP fraud. The recording and reporting requirements are also intended to capture credit unions. Such reporting will take place via completion and submission of the Payments Services Complaints Return.
Osborne Clarke comment
With the FCA confirming it is open to accepting exemption applications from January 2019 and the EBA final guidelines on the contingency measures due imminently, it would be prudent for firms seeking any exemptions to familiarise themselves with the guidance provided under CP18/25 and ensure that they are operationally ready to comply with the forthcoming changes.