Payment Matters: No. 50

  • United Kingdom
  • Payment systems and digital commerce
  • Financial services - Payment services

16-06-2021

Welcome to the latest edition of Payment Matters, our regular legal update exclusively for organisations involved in the payments market. In this edition, we discuss the implications of developments and updates from the last three months that you should be aware of, and their potential impact on your business.

Contents

1. The Financial Conduct Authority (FCA) extends the deadline for implementing Strong Customer Authentication (SCA) for e-commerce transactions

2. The Payment Systems Regulator (PSR) issues Call for Views on Phase 2 of Confirmation of Payee (CoP)

3. The FCA issues “Dear CEO” letter to the UK’s e-money businesses

4. The European Banking Authority (EBA) publishes revised Guidelines on major incident reporting under the revised Payment Services Directive

5. The FCA publishes guidance for firms on the fair treatment of vulnerable customers

6. The FCA and PSR issue joint statement on access to cash in the UK

7. The Bank of England’s discussion paper on central bank digital currencies (CBDCs) and stablecoins

8. The PSR has published its proposed new 5 year strategy

9. The Competition Market Authority (CMA) publishes feedback received regarding UK Finance’s “Future Entity” to replace the Open Banking Implementation Entity (OBIE)

10. The Open Banking Implementation Entity (OBIE) publishes the latest Open Banking standard

11. Germany to implement ‘travel rule’ for crypto assets transfers

12. ECON report: ECB to regulate EU stablecoins

13. Tunisia’s Digital Payment System - Ensuring Payment Security without hindering the Development of Digital Payments

 



    1.    The Financial Conduct Authority (FCA) extends the deadline for implementing Strong Customer Authentication (SCA) for e-commerce transactions

    The FCA has issued a press release (here) extending its deadline for implementing SCA for e-commerce transactions under the Payment Services Regulations 2017 until 14 March 2022.  The six month extension aims to ensure minimal disruption to merchants and consumers and to recognise the ongoing challenges which the industry is facing which would have impacted the previous 14 September 2021 deadline. UK Finance have also published a draft revised SCA roadmap in response to the FCA’s announcement (available here).

    What this means for you?

    The FCA emphasises that it still expects firms to continue to take robust action to reduce the risk of fraud in the interim period. However, firms will now have an additional six months to finalise their SCA solutions for e-commerce transactions.

    The extended implementation deadline for e-commerce transactions in the UK will largely be welcomed due to growing concerns that a roll-out of any potential solutions in September 2021 could have adversely impacted firms’ operations (resulting in increased customer calls, complaints, and a drop-off in e-commerce transactions).

    The industry can now continue collaborating (in a timely manner) to develop SCA compliant solutions for e-commerce transactions. In particular, the industry can continue to work on developing solutions including those utilising behavioural biometrics as a second factor (alongside the use of one-time passcodes as a possession factor) to apply SCA to e-commerce transactions. 

    The FCA and the payments sector in general have indicated their preference for inherence factors involving behavioural biometrics due to their ability to create a detailed and unique linkage with the relevant individual over time rather than being a ‘static’ identifier such as a fingerprint which is potentially easier to hack. Behavioural biometric identifiers such as signatures, voice modulation habits, on-line navigational patterns, or screen swiping or typing can build up a picture of an individual’s behavioural traits as they continue to interact with their account.

    There are, however, concerns of conflicts over the use of biometric information due to its classification as ‘special category data’ under the General Data Protection Regulation (GDPR). This raises concerns over whether individuals can meaningfully consent to the use of their biometric information in this way and on an ongoing basis. A workable solution to this issue, developed between the FCA and the Information Commissioner’s Office, is eagerly anticipated.

    2.    The Payment Systems Regulator (PSR) issues Call for Views on Phase 2 of Confirmation of Payee (CoP)

    The PSR has published a Call for Views to gather feedback on the proposed implementation of Phase 2 of CoP across the payments industry. The deadline for responding is 30 June 2021 and the PSR expects that it will consult on next steps in July/August and publish a policy statement regarding Phase 2 of CoP in September/October.

    What this means for you?

    The key proposals for Phase 2 of CoP which the PSR is seeking feedback on include:

    ·       CoP only Profile - enabling PSPs with unique sort codes to join CoP through a dedicated ‘CoP-only’ role profile via Open Banking. Current participants must be a full member of Open Banking to be able to offer CoP. However, the implementation of a new CoP-only profile aims to reduce costs and timelines for joining CoP by giving more PSPs the technical capability to join without requiring full Open Banking membership.

    ·       Secondary Reference Data - enabling CoP to be offered for customer accounts that are not uniquely addressable by a sort code and account number, but instead rely on secondary reference data. These typically include collection accounts and can also include HOCAs for credit cards, mortgages, savings accounts and loans.

    We, therefore, recommend that all PSPs review the consultation and provide their feedback on or before 30 June 2021. For example, one of the questions on which the PSR is seeking feedback is whether certain types of accounts with secondary reference data should be excluded from the scope of Phase 2, and whether alternative solutions are more appropriate for secondary reference accounts overall. This will be an important consideration for many institutions across the industry as we understand that incorporating secondary reference data accounts will require extensive changes to identify SRD accounts and to build in CoP across the large variety of accounts that are currently being offered using SRD.

    3.    The FCA issues “Dear CEO” letter to the UK’s e-money businesses

    The FCA has issued a “Dear CEO” letter to the UK’s e-money businesses asking them to write to their customers to explain the difference between the services and protections offered by a traditional bank account and an e-money account.

    The FCA has ongoing concerns that many e-money firms compare their services to traditional bank accounts or hold themselves out as an alternative in their financial promotions, but do not adequately disclose the differences in protections between e-money accounts and bank accounts.

    For example, the letter notes that e-money firms may not clearly disclose that the Financial Services Compensation Scheme (FSCS) protection does not apply to e-money accounts. This means customers may not be aware that it could take longer for their monies to be refunded, and some costs could be deducted by the administrator or liquidator of the insolvent firm.

    The FCA has published a list of the key differences between the services and protections offered by a traditional bank account and an e-money account on its website here.

    What this means for you?

    The FCA has requested that firms write to their customers within six weeks of the date of the letter (dated 18 May 2021) to explain how their money is protected through safeguarding and that FSCS protection does not apply to e-money accounts.

    The communication must be separate from any other messaging or promotional activity sent to customers and the FCA expects firms to consider the appropriate method(s) of communication based on their business model and customer base, including any vulnerable customers.

    The FCA also requests that firms review their financial promotions in light of the requirements under BCOBS 2.3.1AR and BCOBS 2.3.4G. In particular, firms should ensure that:

    ·       promotions give customers enough information; and

    ·       where any promotion names the FCA as the firm’s regulator, and refers to matters which the FCA does not regulate, it is clear which of those matters are not regulated by the FCA.

    E-money firms should also follow the progress of the proposed special administration regime for payment and e-money institutions. Among the key obligations of the special administrator under the proposals is constituting the asset pool for distribution. Such distribution requires using “reasonable measures” to include any identifiable customer funds and assets in the asset pool, including relevant funds (as defined by the Payment Services Regulations and the Electronic Money Regulations) which should have been safeguarded. You can find our briefing note on the special administration regime here.

    4.    The European Banking Authority (EBA) publishes revised Guidelines on major incident reporting under the revised Payment Services Directive

    Following the EBA’s public consultation proposing changes to the Guidelines on major incident reporting under the Payment Services Directive, the revised Guidelines were published on 10 June 2021. The new Guidelines are available here and will apply from 1 January 2022.

    What this means for you?

    The revised Guidelines have the potential to reduce the burden on PSPs as they introduce changes to some of the original classification criteria and introduce a new criterion on the breach of security of network or information systems. The new criterion focuses on malicious actions that have compromised network or information systems related to the provision of payment services. The EBA has also removed unnecessary steps from the reporting process, introduced longer timescales for submitting the final report and simplified the report to be submitted. Overall, the EBA estimates that the changes will result in a reduction of reportable incidents by more than 10%.

    5.    The FCA publishes guidance for firms on the fair treatment of vulnerable customers

    The FCA has issued its final guidance on the fair treatment of vulnerable customers. The guidance addresses the characteristics of vulnerability that leave consumers susceptible to harm when regulated firms do not act with the appropriate levels of care. The guidance is available on the FCA’s website here.

    What this means for you?

    The guidance sets out the actions that firms should take to treat vulnerable customers fairly. Examples include:

    ·       Understanding the needs of vulnerable customers – understand the impact of vulnerability on the needs of consumers in their target market and customer base, by asking what types of harm or disadvantage customers may be vulnerable to, and how this might affect the consumer experience and outcomes.

    ·       Skills and capability of staff – ensure frontline staff have the necessary skills and capability to recognise and respond to a range of characteristics of vulnerability.

    ·       Taking practical action – taking vulnerable consumers into account at all stages of the product and service design process, including idea generation, development, testing, launch and review, to make sure products and services meet their needs, and make sure all communications and information about products and services are understandable for consumers in their target market and customer base.

    ·       Monitoring and evaluation – implementing appropriate processes to evaluate where they have not met the needs of vulnerable consumers, so that they can make improvements.

    More detail on the required actions, as well as examples of how firms can put them into practice and case studies showing good and bad practice, can be found in the guidance (here). We, therefore, recommend that all firms familiarise themselves with the final guidance and put in place operational processes to ensure that each of the requirements is actioned when dealing with vulnerable customers.

    6.    The FCA and PSR issue joint statement on access to cash in the UK

    On 13 May 2021, the FCA and PSR released a joint statement (here) regarding the use of cash and the need to maintain and protect the access to cash regardless of increased infrastructure costs. This follows the research it has recently completed with the University of Bristol regarding the declining use of cash and the availability of wider banking services.

    The statement makes it clear that the FCA and PSR intend to continue working with consumer bodies, the government and their regulated firms to ensure service standards are met for all consumers. The FCA also intends to publish a follow up report on the UK’s cash infrastructure that will reflect the learnings from the research conducted with the University of Bristol and the PSR is expected to publish its annual review of Specific Direction 8 (SD8) soon.

    What this means for you?

    It is clear that certain sections of our community will continue to rely heavily on physical cash rather than fintech-based transactional solutions. Several users of cash could also qualify as vulnerable customers creating a complex matrix for providers of cash and other payment methods to negotiate. Retail providers of cash will need to acknowledge these requirements and develop workable solutions to accommodate such customers going forward.

    7.    The Bank of England’s discussion paper on central bank digital currencies (CBDCs) and stablecoins

    On June 7 the Bank of England (BoE) published its discussion paper on systemic stablecoins and a UK CBDC (available here). This is a follow up to its previous discussion paper on CBDCs from March 2020 as well as the expectations of the BoE’s Financial Policy Committee (FPC) for stablecoins as set out in its report of December 2019.

    In addition to considering how digital money should be regulated, the paper also considers policy objectives and the role of money in society generally. Implications for macroeconomic stability are also considered.

    To be an effective method of payment, the BoE is adamant that stablecoins must be fully interchangeable with other forms of money in existence and therefore need to be regulated. It is proposing that it would have oversight of systemic stablecoins whilst the FCA would maintain responsibility for conduct and consumer protection.

    The BoE is particularly concerned about systemic risks posed by stablecoins including a CBDC and wants its remit to cover any firm within the payment chain where they constitute a critical link. This is regardless of their status or how they would otherwise be regulated.

    What this means for you?

    The BoE views the paper as the basis for engendering further dialogue between itself, payment tech providers and the wider community. With various models for CBDCs being rolled out, developed or researched by the majority of the world’s central banks (86%) it is not likely that CBDCs will become irrelevant in the near future. This is especially so given China is pressing ahead with its plans to have a widely used digital yuan in circulation imminently.

    China has indicated that it sees CBDCs as a way of maintaining monetary policy including public trust, as well as countering the growth of crypto-currencies and the perceived threats to financial stability that they may cause. Other major economies may have little choice but to follow suit if one of the world’s superpowers presses ahead with its plans, especially at a time when the use of physical cash has plunged since the onset of Covid and its variants.

    The European Union is due to make an announcement on CBDCs in the next few weeks which will undoubtedly influence the acceleration or otherwise of CBDC roll-outs.

    Responses to the BoE discussion paper can be made up to 7 September 2021.

    8.    The PSR has published its proposed new 5 year strategy

    The PSR has published its proposed new 5 year strategy (available here). The PSR has identified four strategic outcomes that it wants to help bring about in the next five years:

    • Ensure users have continued access to the payment services they rely upon and support effective choice of alternative payment options.
    • Ensure users are sufficiently protected when using the UK's payment systems, now and in the future.
    • Promote competition in markets and protect users where that competition is not sufficient, including a) between payment systems within the UK and b) in the markets supported by them.
    • Ensure the renewal and future governance of the UK's interbank payment systems supports innovation and competition in payments.

    What this means for you?

    The PSR is now seeking feedback from the industry on its proposed new strategy and the deadline for responding is 10 September 2021. In addition to obtaining formal written feedback, the PSR is arranging a series of engagement events to listen to and understand the views of its stakeholders. Utilising this open dialogue with the regulator in advance of the deadline will be a good way for institutions to provide feedback on any areas of concern and/or improvement to help formulate the new strategy. You can engage in this open dialogue with the PSR by giving feedback online, through blogs, stakeholder conversations and other events. For more information, please view the PSR’s website here.

    9.    The Competition Market Authority (CMA) publishes feedback received regarding UK Finance’s “Future Entity” to replace the Open Banking Implementation Entity (OBIE)

    The CMA ran a consultation from 5 March 2021 to 29 March regarding the future of OBIE following the publication of UK Finance’s phase 2 follow-up report (Open Banking Futures: Blueprint and Transition Plan). The CMA is now analysing the feedback received and intends to publish a policy statement as soon as possible. However, in the meantime, the CMA has published all of the feedback received from a variety of respondents (available here).

    What this means for you?

    The structure of the “Future Entity” will have a significant impact on all parts of the UK Open Banking ecosystem. A structure needs to be set up which ensures accountable leadership, sufficient resourcing, equitable funding and that all stakeholders are represented rather than any part of the ecosystem having too much influence. Separate monitoring is also being considered in order to ensure compliance with the regulatory standards. The stakeholder engagement we have seen so far needs to continue. The market must now lead the development of open products and services and help competition flourish in a cost-effective and agile way.

    10. The Open Banking Implementation Entity (OBIE) publishes the latest Open Banking standard

    On 31 March 2021, the OBIE published Version 3.1.8 of the OBIE standards for Open Banking (available here).

    What this means for you?

    The key change from this updated version relates to the addition of Variable Recurring Payment (VRP) functionality. VRPs allow customers to securely instruct and manage payments via open banking. OBIE has also published a series of documents designed for firms looking to implement this latest version of the OBIE standards. 

    11. Germany to implement ‘travel rule’ for crypto assets transfers

    On 26 May 2021, the German Federal Ministry of Finance launched a public consultation on the draft of the “Crypto Assets Transfer Regulation” (Kryptowertetransfer-Verordnung) on enhanced AML requirements for the transfer of crypto assets. According to the German Federal Ministry of Finance, anonymity (sic!) is one of the main risks of crypto assets for misuse for criminal and terrorist purposes. A potentially higher risk of money laundering and terrorist financing exists due to the lack of information on the parties involved in the crypto asset transaction, in contrast with the situation with money transfers.

    Therefore, the German Federal Ministry of Finance intends to introduce a regulation stipulating that parties involved in a transfer of crypto assets shall provide information on the originator and beneficiary. As in the case of money transfers, it should be possible to track transactions in relation to beneficiaries in order to prevent misuse for money laundering or terrorist financing purposes. This will also enable checks on individuals affected by sanctions and a more risk-oriented approach by the service providers involved. 

    The regulation is intended to implement the standards of the Financial Action Task Force (FATF, Recommendation 15 - Interpretive Note 7b, so-called "travel rule" for crypto assets). It also states that details of the beneficiary or originator of a crypto asset transfer must be gathered and retained if the transfer is made from or to an electronic wallet that is not managed by a crypto custodian (a self-managed electronic wallet or "unhosted wallet").

    The regulation is meant to implement current FATF recommendations in relation to AML. Moreover, information tracking may also become relevant in order to detect the circumvention of sanctions.

    What this means for you?

    Once the regulation comes into force, this will have a significant impact on banks and financial institutions, including crypto custodians. The regulation provides for enhanced AML and documentation requirements, especially with regard to transfers from or to unhosted wallets. Compliance with the travel rule will also require technical implementation efforts. Comments on the draft of the regulation may be submitted by email to VIIA5@bmf.bund.de by June 14, 2021.

    12. ECON report: ECB to regulate EU stablecoins

    In light of the ongoing legislative process to adopt an EU regulation on Markets in Crypto-assets (‘MiCA’), the European Parliament's Committee on Economic and Monetary Affairs (‘ECON’) recommends changes to the Commission’s MiCA proposal that would strengthen the powers of both the European Central Bank (‘ECB’) and national central banks to regulate the issuance of stablecoins in the EU.

    According to the Commission’s MiCA proposal, the issuance of stablecoins, i.e. (payment) tokens that maintain a stable value by referencing either:

    ·       a basket of reserve assets, e.g. several FIAT or crypto-currencies and/or commodities (asset-referenced tokens, ‘ARTs’); or

    ·       a single FIAT currency (e-money tokens, ‘EMTs’)

    in the EU will require prior authorisation by national competent authorities (‘NCAs’).

    According to the amendments proposed by ECON:

    ·       the decision on whether to authorise EMTs should fall to the ECB. Applications should be refused if the ECB cannot exclude a threat to financial stability or monetary sovereignty in the euro area;

    ·       regarding ARTs, NCAs would have to refuse the authorisation, inter alia, if the ECB delivers a negative opinion because of monetary policy considerations.

    What this means for you?

    The proposed amendments would provide extensive supervisory powers to the ECB in relation to large scale stablecoin projects on grounds of monetary policy concerns. EMoney Institutions (‘EMIs’) issuing blockchain/DLT based e-money (e.g. ‘Euro tokens’) will have to analyse the impact of a potential supervision by the ECB. Stablecoin issuers operating in both the EU and the UK additionally need to assess the results of HM Treasury’s consultation on the regulatory approach to crypto-assets and stablecoins.

    13. Tunisia’s Digital Payment System - Ensuring Payment Security without hindering the Development of Digital Payments

    Below we consider the operation of Tunisia’s recently established digital payment system and its regulatory framework.

    Tunisia’s digital payment system operates under the exclusive oversight of the Central Bank of Tunisia ("BCT"). The BCT is required by its charter to ensure the stability, soundness and efficiency of payment systems [1].

    The oversight function is intended to comply with international norms and standards by preserving:

    • the security, stability, soundness, efficiency and effectiveness of payment systems; and
    • the quality of the payment means made available to users.

    The Payment Systems have as their objectives:

    • Making available payment services at a reduced cost;
    • The creation of new and more accessible payment channels;
    • Supporting national efforts to improve financial inclusion for those that have been excluded from traditional banking services; and
    • The integration of interregional payment systems.

    BCT’s supervision has created confidence in Tunisia’s payment systems and reassurance for consumers by, among other things, ensuring the security and integrity of payment transactions in the jurisdiction. Its oversight has been complemented by supervision provided by other government agencies including the National Electronic Certification Agency, which is responsible for granting authorisation to service providers to participants in Tunisia’s payments systems.

    There are concerns, however, that by creating a climate of security and confidence in digital payments via the imposition of stricter prudential and governance requirements, the development of digital payments could be hindered.

    Whilst law n°2016-48 of 11 July 2016, relating to banks and financial institutions, represents a giant step towards the digitalisation of payments, the restrictions it imposes could be a deterrent for many candidates wanting to operate as a payment institution.

    A legal entity wishing to obtain an approval from the BCT as a payment institution will be subject to (i) capital requirements (a minimum share capital of 5 Million Dinars, a civil liability insurance or a bank guarantee covering this value), (ii) governance (a governance system including a specialized audit and risk committee, and quotas for the number of board members and employees) and (iii) technological requirements (an adequate information system, a system for recording operations, a security system for operations and the protection of personal data, a business continuity plan (BCP)).

    The above-mentioned requirements are not dissimilar to what is required in numerous other jurisdictions but represent a significant hurdle to Tunisia’s fledgling fintech market. They have been described as being onerous, protective and also restrictive; however, the right balance should be found.

    For example, we note that complying with the technological requirements will involve:

    • Setting up an information system that meets regulatory constraints including security systems, recording and processing operations, and data protection;
    • Acquiring a web and mobile solution for remote payments which offers a modern and intuitive interface for ensuring instant access to accounts and monitoring of payment operations; and
    • Establishing sound technological partnerships to take full advantage of the new technologies available.

    What this means for you?

    Security and trust in respect of digital payments is a difficult balance and one that the government via the BCT continues to guarantee.

    Despite the regulation appearing to be burdensome, there are signs that the banking and digital climate is beginning to change.

    One payment institution has already obtained authorization from the BCT and commenced operations. It is one of several including a virtual wallet platform (V-Wallet) that have since filed applications with the BCT.

    These types of institutions can provide access to financial services for those previously excluded from the banking system. They will become a strategic tool in absorbing cash from the informal sector and will hopefully encourage its integration into the country’s formal economy. These payment institutions are proposing to offer their services to the ‘unbanked’ community for very low financial costs and in effect will constitute an extension of the banking sector.

    The developments in Tunisia represent the burgeoning digital payments markets that are establishing themselves across the Middle East. With the aid of progressive lawmakers taking on board several of the latest regulatory developments occurring globally in payments, the region’s previously cash-based economies are rapidly transforming themselves into digital payments growth centres.


    For more information on any of these matters, please get in touch with your Eversheds Sutherland contact or our Payments lawyers


    1.  articles 33 nouveau and 33 bis of Organic Law n° 58-90 of 19 September 1958 related to the creation and organisation of the BCT

