Market review into the supply of card acquiring services
On 15 September 2020, the Payment Systems Regulator (PSR) published its interim report on the supply of card acquiring services. The report shows that merchants could make savings by shopping around and either switching or negotiating with their current provider – but many small and medium-sized ones don’t.
The aim of the review is to examine whether the supply of card-acquiring services is working well for merchants, and ultimately consumers. This includes how competition is working, looking at the fees merchants pay for card-acquiring services and the quality of service they receive. The report includes several potential remedies to make it easier to search for and switch to a new provider or better deal, for example, by requiring all contracts for card-acquiring services to have an end date, providing a prompt for merchants to shop around.
A final report is expected this year.
FCA’s six priority areas for preventing customer harm
The FCA has set out, via a “Dear CEO” letter, the actions it expects payment services firms and e-money issuers to take to prevent harm to their customers by ensuring compliance with regulatory obligations in six key areas:
- Prudential risk management.
- Financial crime.
- Financial promotions and consumer communications.
- Governance and oversight.
- Records management and reporting.
Directors of firms should be considering what further actions should be taken to ensure their firm meets the FCA’s requirements.
FCA additional safeguarding guidance
Firms should be considering the Financial Conduct Authority’s (FCA’s) additional guidance for payments and e-money firms to strengthen their prudential risk management and arrangements for safeguarding customers’ funds.
The guidance provides additional direction for firms to meet their safeguarding requirements and outlines the FCA’s expectation of firms to put in place more robust plans for winding down, so that customer funds can be returned in a timely manner.
This guidance is expected to be reflected in amendments to the FCA’s Approach Document when it is updated this year – this is expected imminently.
New industry guidance on Strong Customer Authentication
On 17 December 2020 UK Finance (supported by Osborne Clarke) published updated guidance on Strong Customer Authentication (SCA) to assist the payments industry in implementing the requirements under the revised Payment Services Directive (PSD2), along with the accompanying Regulatory Technical Standards on strong customer authentication and common and secure communication (RTS), which have been in place since 14 September 2019.
The guidance has been updated to reflect, among other things, the revised SCA enforcement date and includes updated information on the implementation of the exemptions from SCA in Article 18 (transaction risk analysis, TRA) and Article 16 (low value remote payments).
All players in the e-commerce industry are encouraged to review the guidance. UK Finance expects to update this guidance further at a future date to include additional sections, for example, dealing in detail with GDPR considerations of behavioural biometrics.
In addition, on the same day, UK Finance published UK Finance T&H SCA communication requirements. UK Finance formed a travel and hospitality (T&H) sales Special Interest Group to identify challenges for the sector with respect to the application of SCA and to recommend solutions.
One area identified was “Indirect Channel Sales”, due to the number of participants in the sector, the geographic distribution and the varying levels of understanding of SCA implications. Historically, third party providers operating in this sector have only had to pass booking information and in some instances limited payment information. As a result of these new rules, all participants in the sector will need to be capable of transmitting authentication data down the chain as well as receiving authorisation data upstream.
The communication requirements set out what is expected of participants to upgrade their systems to enable this flow of data. Affected participants will need to upgrade their systems accordingly.
New special administration regime for payment institutions and electronic money institutions
On 3 December 2020, HM Treasury launched a consultation proposing a new bespoke special administration regime for payment institutions and electronic money institutions. On 17 December 2020, a summary of the draft rules to accompany the regulations was also published.
The principal aim of the proposed special administration regime is to protect consumers if an institution becomes insolvent. It is broadly modelled on the equivalent provisions in the existing special administration regime for investment banks.
Responses specifically on the proposals for the draft rules can be submitted up to midnight on 28 January 2021.
New guidelines on the interplay of PSD2 and the GDPR
On 15 December 2020, the European Data Protection Board (EDPB) published guidelines on the interplay between PSD2 and the General Data Protection Regulation (GDPR). The main focus of the guidelines is on the processing of personal data by account information service providers (AISPs) and payment initiation service providers (PISPs). As such, the guidelines address the conditions for granting access to payment account information by account servicing payment service providers (ASPSPs) and for the processing of personal data by PISPs and AISPs. The guidance also deals with the different notions of explicit consent under the PSD2 and the GDPR.
These guidelines will be of interest to AISPs, PISPs and ASPSPs in respect of their compliance with the data protection and security requirements under PSD2.
In Focus: Regulation after Brexit
What do UK businesses trading in the EU need to do now that the Brexit transition period has ended?
UK firms that have customers in the EEA need to decide on their approach to servicing existing contracts, if they have not already done so. Firms should take the steps available to ensure they act in accordance with local law and national regulators’ expectations.
Firms should have a clear understanding of their dependencies on outsourcing or third-party service providers and assess whether they are able to continue providing their services now that the transition period has ended.
UK authorised payment institutions (APIs) and electronic money institutions (EMIs) may hold safeguarding accounts with ‘an approved foreign credit institution’ following the end of the transition period. This new concept of an approved foreign credit institution is defined as either a credit institution supervised by an OECD state, or alternatively a credit institution based elsewhere in the world provided certain conditions are met. UK APIs and EMIs who currently hold safeguarding accounts with an EEA credit institution (or intend to do so) will need to ensure it fulfils the relevant criteria and keep this assessment under periodic review.
Since the end of the transition period, banks and payment service providers are required to provide the name and address of the originator/debtor when making payments between the UK and the EEA. Firms should ensure they are ready to provide the relevant customer information when making payments, including in relation to direct debit transactions.
The FCA’s temporary transitional power will permit UK firms to continue to comply with the existing requirements of the Wire Transfer Regulation and process payments initiated by EU PSPs, even if the EU PSP hasn’t provided the full name and address details, until 31 March 2022. After that time, UK firms acting as recipient PSPs can credit a payment with missing information or make the funds available to the payee, on a risk sensitive basis. If any payments are disrupted, the FCA expects firms to communicate promptly with any affected customers.
UK card issuers should be prepared to change their behaviour towards EEA-acquired transactions in line with their own approach towards UK-acquired transactions after the end of the transition period. This may include applying soft declines and requiring SCA as part of their own ramp-up plans.
See above regarding new UK Finance SCA Guidance.
The UK Regulatory Technical Standards on strong customer authentication and common and secure methods of communication (as amended) (UK-RTS), which came into force at the end of the transition period, permit UK-based third-party providers (TPPs) to use an alternative to eIDAS certificates to access customer account information from account providers, or to initiate payments. Account providers (for example, banks) will likely need to make technical changes to their systems to enable TPPs to continue accessing customer account information, by accepting an alternative certificate and informing TPPs as soon as possible which certificate(s) they will accept.
The FCA has provided a transition period until 30 June 2021, during which it will allow ASPSPs to accept a certificate obtained from a provider of an API programme that does not meet the requirements of Article 34 UK-RTS, subject to certain conditions set out in the FCA’s PS 20/13.
What do non-UK businesses trading in the UK need to do now that the transition period has ended?
EEA-based EMIs, payment institutions and registered account information service providers (RAISPs) that have notified the FCA to enter the Temporary Permissions Regime must send the FCA a “notice of intention” within one year of the end of the transition period. In this notice, the firm must state whether it or a UK subsidiary (whichever is applicable) intends to apply for authorisation or, in the case of a RAISP, whether it intends to apply for registration or whether it is intending to cease providing payment services in the UK.
EEA firms within the Temporary Permissions Regime must also carefully consider which UK rules and regulatory guidance apply to them and ensure that they are operating in full compliance.
Which incoming EU laws should UK businesses be aware of, and is the UK likely to implement similar rules?
Certain provisions in the Cross Border Payments Regulation 2 relating to post-transaction disclosure for card-based transactions will apply from 19 April 2021. However, since these provisions did not become part of EU retained law at the end of the transition period and are therefore not part of UK law, UK-based payment service providers will not need to comply with them.
Although the UK government has opted out of transposing the EU Sixth Money Laundering Directive into UK law, any regulated UK businesses in the financial sector that operate within the EU jurisdiction will nevertheless need to comply with changes set out in the directive when it comes into force across the individual Member States.
Are there any other areas where the UK regime might start to diverge from that of the EU? If so, what should businesses do to ensure they are prepared?
In the short term, there are expected to be very few instances of divergence, given the very high level of harmonisation achieved to date. However, the UK Finance SCA Guidance referred to above notes areas of potential divergence, including in the context of dynamic linking, where in certain cases and subject to certain conditions, UK card issuers may process e-commerce card transactions for which the final amount is higher than the amount authenticated by the customer.
Areas of divergence in the longer term may be highlighted as part of HM Treasury’s Payments Landscape Review, in relation to which new plans to support the UK payments sector are expected to be published shortly.