PSD2: how will the UK regulators be implementing the new regime?
Published on 14th Nov 2017
On 19 September 2017, the FCA confirmed its Handbook changes and revisions to the Approach Document. The policy statement (PS17/19) summarises feedback the FCA received to its consultation papers and provides a number of clarifications. In this article we provide an overview of some of those clarifications and also consider what still remains uncertain with less than two months to go until the new regime is operational.
What has changed?
The FCA’s key changes are in relation to its perimeter guidance, guidance on the new account information services (AIS) and payment initiation services (PIS), complaints handling and reporting and conduct of business requirements. The amendments include the following:
Chapter 2 of PS17/19 summarises and sets out the FCA’s response to feedback relating to proposed changes to its Perimeter Guidance Manual (PERG). It is worth noting the following in relation to the electronic communications exemption (ECE) and the limited network exclusion (LNE):
- ECE: The exemption applies to payment transactions by a provider of electronic communications networks or services where these are provided in addition to electronic communications services provided to a customer. Transactions are only excluded if they do not exceed €50 per single payment transaction or €300 cumulative value for an individual subscriber per month.
A number of firms raised concerns about effective monitoring but the regulator is keen to proceed, on the basis that the provisions protect consumers. The FCA confirms that the ECE is only relevant where the service provided would otherwise be a payment service if it wasn’t excluded. It has clarified its guidance in PERG to make clear that, where a provider of a network or service sells subscribers additional goods or services itself (i.e. where it is acting as principal), no payment service is being provided by the provider of the network or service, even if the payment is charged to the related bill.
- LNE: This exclusion enables a firm that offers a payment service to be excluded from regulation if its service is based on instruments used to acquire a “very limited range of goods and services.” The FCA has confirmed that it does not intend to provide any additional guidance to that already provided on the meaning of ‘very limited range of goods and services’.
Firms that are providing, or intend to provide, services that benefit from the LNE must notify the FCA where the value of payment transactions executed through these services was more than €1 million in the previous 12 months. The FCA has made some amendments to its rules so that notifications are not required until January 2019. This change is intended to avoid firms having to apply the new requirements to services provided in the period before PSD2 comes into effect. However, the FCA states that a service provider can still submit a services notification before 13 January 2019 if they wish to (from 13 October 2017).
AIS and PIS
The FCA has clarified its guidance in relation to business models or activities that it considers to be within the perimeter of an AIS. It states that there has to have been access to an account, the information has to have been consolidated in some way and it must have been provided to a user.
The regulator considered other business models that may be inside or outside the perimeter with respect to AIS and PIS. However, it concluded that these models are still evolving so it intends to monitor market developments, raising the prospect of further guidance as the FCA’s understanding of AIS and PIS business models develop.
The revised Approach Document states that, although a business may be involved in obtaining, processing and using payment account information to provide an online service to the customer, only the entity providing consolidated account information to the end payment services user will require authorisation/registration as an AISP.
Chapter 3 of the revised Approach Document now sets out the FCA’s expectations in terms of documentation from prospective AIS and PIS providers around outsourcing arrangements, security risks, business models, how consent will be obtained and how data will be used.
Authorisation and registration
In relation to re-authorisations, the FCA has been in contact with firms to let them know that they need to apply. It has re-worded the re-authorisation forms to clarify that firms do not need to resubmit information that they have previously provided to the FCA.
PIs and EMIs will need to comply with the new requirements of PSD2 (including those discussed in this article) from 13 January 2018, prior to becoming re-authorised or re-registered.
Complaints handling and reporting
Much of the focus during the consultation period was in relation to handling multifaceted complaints where part of the complaint related to an eligible complainant under the PSRs and part in relation to rights and obligations under the EMRs. The FCA has confirmed that it is maintaining the guidance that states that PSPs may handle the whole complaint within 15 business days (or 35 in exceptional circumstances) should they wish to, rather than handling parts under separate timeframes.
In relation to reporting, the FCA will introduce the new payment services complaints return from 13 July 2018. PSPs (including EMIs) will need to complete the return on an annual basis. In addition, the regulator has simplified the return, so that the timeframes within which complaints are resolved only need to be reported under the broader ‘complaints about payment services and electronic money’ category, and so that ‘PSD complaints’ and ‘EMD complaints’ do not need to be separated out.
Conduct of Business
Key points to note include:
- Liability of AISPs and PISPs – Non-payment accounts: The FCA has made some changes to the guidance on non-payment accounts so as to clarify that provisions such as Regulation 89(1) of the PSRs 2017 (value date and availability of funds), which only apply to payment accounts, will not apply to non-payment accounts.
- Liability of AISPs and PISPs: The FCA has made a number of amendments to its proposals in this area in response to two issues: (i) the lack of a mechanism to deal with claims between account servicing payment service providers (ASPSPs) and PISPs; and (ii) the fact that there are no liability provisions relating to AISPs. The revised Approach Document now clarifies that, where a PISP is responsible for an unauthorised, non-executed or defectively executed transaction, an ASPSP which has refunded a customer can seek compensation from the PISP. The PISP must, on request, provide that compensation immediately. The FCA clarifies that, where a customer experiences detriment caused by its AISP, other than in relation to an unauthorised payment, the customer should contact the AISP in the first instance, rather than its ASPSP. The FCA has provided guidance in the revised Approach Document on the ASPSP’s right of recourse and action under the PSRs (relevant when seeking compensation from AISPs).
- Blocking access to PISPs and AISPs. In its guidance, the FCA confirms that, where an ASPSP stops a customer’s use of a payment instrument, and the PISP or AISP cannot access the account as a result; this does not amount to a denial of access for AIS and PIS, requiring notification to the FCA.
In relation to regulatory reporting, notifications and record-keeping, the FCA confirms:
- its approach to collecting data on payment services fraud;
- revisions to the regular reporting required from payment institutions and e-money institutions;
- that authorised payment institutions will be required to submit the annual controllers report and close links reports; and
- that credit institutions will need to notify the FCA before carrying out account information and payment initiation services, and will need to keep records of business undertaken.
What is still unknown?
Much of the uncertainty that still remains is in relation to aspects that are dependent on key mandates that remain outstanding from the EBA – for example in relation to operational and security risk. This helpful infographic from the EBA provides clarity on its required mandates.
In addition, the industry is clearly still waiting for the regulatory technical standards (RTS) on Strong Customer Authentication and Common and Secure Communication. The EBA have confirmed publicly that their work is done and that these now reside with the Commission but they are yet to be adopted. We consider the background to these standards in the next article.
The approach of the Payment Systems Regulator (PSR)
The PSR has also confirmed its approach to monitoring and enforcing the four Regulations in the PSRs 2017 that it is the competent authority for Regulation 61 and Part 8 of the PSRs 2017.
As highlighted in PS17/19, elements of PSD2 implementation are still on-going at the EU level. As a result, the FCA will need to make further changes to the Approach Document and Handbook in due course. As of 13 October 2017, the FCA is now open for business as regards applications for authorisation and registration for providers of PIS and AIS, with the new regime due to go live in less than two months. Given the on-going uncertainty on key elements it is understandable why countries such as the Netherlands and Sweden have delayed implementation until May 2018, pulling PSD2 in line with GDPR.