PSD2 authorisation and registration – clarity at the EU and UK level?

Hot on the heels of the EBA publishing its final report setting out guidelines on the information to be provided by applicants intending to obtain authorisation as a payment institution (PI) or e-money institution (EMI), or to register as an account information service provider (AISP) under PSD2 (the EBA Final Report), the FCA has today published its consultation paper on the draft authorisation and reporting forms (CP17/22).

The EBA Final Report: what changes have been made?

Following feedback from 23 respondents to the consultation process, the EBA Final Report makes a number of changes to the draft guidelines that were consulted on. Four areas of concern were raised repeatedly; these related to:

• Scope – some respondents had doubts about the scope of application of the guidelines, specifically whether they were also addressed to credit institutions that provide account information services (AIS) or payment initiation services (PIS), and also queried which set of guidelines apply to applicants that intend to provide both AIS and PIS. The EBA has clarified that credit institutions are outside the scope of the guidelines. Applicants that apply for both AIS and PIS are subject to the first set of guidelines set out in the Final R
• Level of detail – a number of respondents considered the proposals to be too detailed, which could have the effect of: discouraging new entrants from applying, increasing the time required by authorities to assess applications, and adding to the on-going regulatory burden as information needs to be updated. The EBA is of the view that a lack of detail could lead to a lack of certainty; however, it acknowledged that a degree of proportionality was required. As a result, a number of guidelines in the first, second and third sets have been streamlined and/or removed. This comparison enables you to identify the changes more readily.
• Disproportionate impact on smaller and/or less complex applicants – in the EBA Final Report, the authority acknowledged that, while the applicants have to comply with all of the requirements, the level of detail provided can plausibly vary depending on a number of factors. Amongst other changes, the EBA has modified the first set of guidelines to make clear that the level of detail should be proportionate and adjusted to the particular service or services that the applicant intends to provide, namely their nature, scope, complexity and riskiness, and to the institution’s size and internal organisation.
• Transitional provisions – respondents asked for clarity on: (i) whether or not existing addressees of the guidelines that are already licensed need to reapply for a licence; and (ii) when, in time, existing providers of AIS and PIS need to apply for authorisation. The EBA confirmed that such clarification was outside the scope of the guidelines but that it would explore whether other EBA measures are available.

The final guidelines will be translated into the official languages of the European Union. Member State competent authorities will have two months from the publication date of the translations to notify the EBA whether or not they comply or intend  to comply with the guidelines, and if not, to provide reasons for non-compliance

The FCA’s CP17/22 – an overview

Key changes being consulted upon by the FCA include:

• Reporting and record keeping: chapter 2 of CP17/22 sets out proposed changes to the FCA’s reporting, notification and record keeping requirements for payment service providers (PSPs) in light of PSD2. These include:
  • new major incident reporting for all PSPs as required under PSD2 – the current proposal reflects the draft EBA Guidelines and may need to be amended to reflect the finalised guidelines;
  • changes to the regular reporting on own funds for authorised PIs and EMIs to reflect changes under PSD2; and
  • the introduction of a rule to ensure that records are kept by banks and building societies about the volume of their AIS and PIS business – whilst the FCA is happy for such firms to not report regularly on point, it wants the ability to request such data in the future.

• Authorisation and registration forms: in chapter 3 of CP17/22, the FCA sets out its proposals for six application forms where it has some discretion on the approach it takes. This includes:
  • the re-authorisation form for authorised PIs and authorised EMIs – the draft forms included in Appendix 2 seek the information that is specified in the PSRs 2017 and the EBA Final Report. Authorised PIs and authorised EMIs will only need to provide information which they have not provided previously. Applicants will also be asked to confirm that there have been no material changes to information previously provided to the FCA;
  • the registration form for prospective small PIs and small EMIs – these draft forms reflect the categories of further information set out in the FCA’s consultation paper (CP17/11) and include (amongst other items), a request for the description of the applicant’s procedure for monitoring, handling and following up security incidents as well as a description of the applicant’s process for filing, monitoring, tracking and restricting access to sensitive payments data. The FCA proposes to require the same information about individuals responsible for the management of the business from prospective small EMIs and small PIs as it does from prospective authorised PIs and authorised EMIs. Similarly it proposes to apply the aspects of the EBA Guidelines on authorisation relating to qualifying holdings in full to small PIs; and
  • the re-registration form for registered small PIs and registered small EMIs – in line with the PSRs 2017 and the amended EMRs, the information required for re-registration is the same as the additional information required under our draft registration form for small PIs and small EMIs.

In relation to re-authorisation, the FCA reminds firms of the 13 April 2018 (13 October 2018 for small PIs) deadline for applications – to the extent applications have not been made and approved before 13 July 2018 (13 January 2019 for small PIs), firms will have to stop providing payment services or issuing e-money and the Financial Service Register will be updated accordingly.

Appendix 2 of CP17/22 also sets out the proposed PSD2 variation of permission form (for PIs) and the proposed EMD variation of permission form (for EMIs). Previously, there was no need for a bespoke form for EMIs, as applications for varying permissions were not common; however, under regulation 7 of the amended EMRs, a requirement will automatically be placed on existing EMIs preventing them from providing AIS or PIS. New EMIs that do not intend to provide these services will also have a restriction placed on their permission. For these restrictions to be lifted EMIs will need to apply for a variation of permission and demonstrate that they hold mandatory professional indemnity insurance.

The FCA is requesting comments by 18 August 2017 in order to allow the regulator to publish final forms during September ahead of the application process opening on 13 October. The finalised reporting and record keeping requirements should be expected during the course of Q3 2017 and the FCA will consider whether it needs to consult on any further changes in Q3-Q4 2017 to reflect EBA Guidelines or Regulatory Technical Standards.