FCA further extends deadline for SCA implementation
The Financial Conduct Authority (FCA) announced on 20 May 2021 that it has further extended the deadline for implementing Strong Customer Authentication (SCA) for e-commerce transactions (that is, online card payments) to 14 March 2022.
This six month extension recognises the need for further coordination between acquirers, processors and merchants to minimise disruption to consumers. While the FCA continues to "encourage" merchants to be SCA-ready and expects firms to take robust action to reduce the risk of fraud, the new 14 March 2022 deadline is the latest the FCA expects full SCA compliance for e-commerce transactions.
E-commerce merchants should speak to their providers (for example, acquirers and gateways) to understand the steps to take in order to prepare and meet the agreed timeline, such as adopting 3D Secure v2.0 or higher. Acquirers and gateways should be tracking e-merchant progress and actively reaching out to those that have not yet taken action (which may include sending their merchant customers an agreed industry communication as requested by the FCA).
FCA's 'Dear CEO letter' to e-money institutions
The FCA sent a "Dear CEO letter" to electronic money institutions (EMIs) on 18 May 2021 expressing its concern that many EMIs compare their services to traditional bank accounts, but do not adequately disclose the differences in protections, in particular the fact that the Financial Services Compensation Scheme (FSCS) does not apply to e-money balances.
In light of the perceived risks, the FCA required EMIs to take three steps (the deadline for complying with the first requirement has passed but the second requirement is ongoing):
- To write to their customers within six weeks of the date of the letter (that is, by 29 June 2021), reminding them of how their money is protected through safeguarding and that FSCS protection does not apply;
- To review their financial promotions against FCA Handbook rules (specifically BCOBS 2.3.1AR and BCOBS 2.3.4G) to ensure that the promotions give customers enough information and that any promotion that refers to the FCA as regulator clearly distinguishes those products and services that are not regulated by the FCA; and
- To ensure that the Board has considered the letter and has approved the actions taken in response.
The FCA proposes to follow up with a sample of firms to assess the action taken. EMIs should therefore ensure that they can evidence compliance with the requirements and should have continuing regard to the FCA's concerns expressed in the letter, particularly in the context of marketing materials relating to e-money accounts.
New special administration regime for payment and electronic money institutions
Following HM Treasury's consultation on the insolvency of payment institutions and electronic money institutions, the draft Payment and Electronic Money Institution Insolvency Regulations have now been laid before Parliament.
If made, the draft regulations will create a new special administration regime for payment and electronic money institutions (referred to as "pSAR"). The pSAR will create three special administration objectives which administrators will have a duty to follow:
- Objective 1 is to ensure the return of relevant funds as soon as is reasonably practicable;
- Objective 2 is to ensure timely engagement with payment system operators, the Payment Systems Regulator and the Bank of England, HM Treasury and the FCA; and
- Objective 3 is to either rescue the institution as a going concern, or wind it up in the best interests of the creditors.
The pSAR would give insolvency practitioners administering the insolvencies of payments or electronic money institutions an expanded toolkit. This would allow insolvency practitioners to keep an insolvent institution operational and prioritise the return of client assets.
Regulator highlights risks associated with 'Deposit Aggregators'
The Prudential Regulation Authority and the FCA wrote to banks and building societies on 14 April 2021 to highlight the risks associated with the increasing volumes of deposits that are placed with these firms via Deposit Aggregators.
Deposit Aggregators are providers of intermediary services who sit between savings account providers and retail customers. Depending on the model, the core activity of a Deposit Aggregator may not be regulated.
The regulators flag that customers may not fully understand how these models work: for example, customers may not know that FSCS payments can take longer for deposits placed via a Deposit Aggregator under the trust model. There are also scenarios where customers may have less FSCS protection than they expected, for example where they hold deposit accounts at a bank or building society under both a direct and trust model and have balances that in total exceed £85,000.
In terms of actions and mitigating measures, the regulators point to the importance of:
- compliance with the FCA's financial promotions rules;
- preparing for an orderly resolution;
- managing their own liquidity risk (in light of the fact that aggregated deposits may represent a concentrated liquidity risk); and
- senior manager oversight.
Extension of annual financial crime reporting obligation
As set out in its policy statement, the FCA has extended the scope of firms which are required to submit the annual financial crime report (REP-CRIM). In particular, the policy statement proposes that all electronic money institutions, certain payment institutions, crypto-asset businesses and custodian wallet providers should be brought into scope of the return based on their business activities and the potential money laundering risks.
While the FCA is conscious of the need to allow firms that have been brought into scope the time to have the correct systems in place, the FCA also believes that the data covered by REP-CRIM should already be held by firms in order for them to be able to manage effectively their financial crime risks. Accordingly, firms being brought into scope are required to submit their first REP-CRIM within 60 business days after their first Accounting Reference Date falling after 30 March 2022.
Dates for the diary
July/August 2021: Payment Systems Regulator expected to publish consultation on phase 2 of introduction of Confirmation of Payee
Autumn 2021 (expected): FCA to publish updated and revised policy statement on changes to the regulatory technical standards on secure customer authentication, its payment services and electronic money approach document and Perimeter Guidance Manual
Q4 2021: Payment Systems Regulator expected to publish final decision relating to approach to delivering the New Payments Architecture
14 March 2022: Deadline for full Strong Customer Authentication compliance for e-commerce transactions