Payment Matters 27: Europe and beyond

• United Kingdom

• Financial services - Payment services

16-01-2017

• EBA publishes draft RTS on cooperation and exchange of information for passporting
• EBA public hearing presentation released
• EBA consultation on guidelines for reporting operational and security incidents under PSD2
• EPC publishes SEPA Instant Credit Transfer Scheme Rulebook
• EBA updates ECON on strong customer authentication and common and secure communication
• EPC updated SEPA rulebooks
• ECB publishes SIPS Regulation consultation

EBA publishes draft RTS on cooperation and exchange of information for passporting

On 14 December 2016 the European Banking Authority (EBA) published the final draft technical standards (the final draft RTS) on cooperation and exchange of information for passporting under PSD2.

This final draft RTS sets out a harmonised framework for cooperation and exchange of information between Competent Authorities to facilitate cross-border provision of payment services in the EU internal market. The RTS also addresses some of the concerns that had been raised by the industry during the consultation period.

What this means for you

The final draft RTS on cooperation and exchange of information for passporting are relevant to all payment institutions and e-money institutions that carry out business in more than one EU member state and to their agents and distributors. The technical standards will ensure that information about such institutions is exchanged consistently between national authorities of the home and host member states.

Following the close of the consultation period, the EBA considered all responses and where appropriate changes to the draft RTS have been incorporated. The final draft RTS should be considered by all affected organisations.

The final draft RTS are accompanied by a cost-benefit analysis and impact assessment. The EBA believes that the standards designed will establish an effective regime of passport notifications for providers of payment services and e-money, will reduce the burden of compliance for institutions and contribute to the efficient and effective cooperation between competent authorities. The EBA expects that the notification requirements will generate incremental benefits (i.e. greater administrative efficiencies with competent authorities, rather than incremental costs).

EBA public hearing presentation released

A presentation delivered on 12 December 2016 at the European Banking Authority’s public hearing on draft EBA Guidelines on Authorisation and Registration under PSD2 has been published.

Delivered by Dirk Haubrich and Laura Diez Pérez (Consumer Protection, Financial Innovation and Payments, EBA) as part of the consultation process, the presentation provides:

• an introduction to the EBA, its role under PSD2 and the purpose of public hearings
• an overview of the EBA’s mandate and approach to and objective of the guidelines under PSD2
• highlights of the draft guidelines
• details of next steps

The consultation period closes on 3 February 2017.

What this means for you

The purpose of the public hearing on 12 December 2016 was to allow interested parties to ask questions about the draft EBA Guidelines on Authorisation and Registration under PSD2. The EBA was given a mandate to issue these guidelines under article 5(5) of PSD2. Prior to issuing the draft guidelines, the EBA had asked industry and the 28 national authorities to identify the issues experienced with authorisations and registration under PSD1 which they would like addressed under PSD2.

The presentation sets out the keys questions asked in the consultation and confirms next steps. The EBA will consider responses to the consultation during February to May 2017 and will publish the final guidelines in summer 2017. The guidelines will apply from 13 January 2018 and therefore need to be followed for all authorisations granted from that day onwards.

EBA consultation on guidelines for reporting operational and security incidents under PSD2

The European Banking Authority (EBA) issued a consultation paper on 7 December 2016, highlighting draft guidelines on major incidents reporting under PSD2. The draft guidelines have been developed in tandem with the European Central Bank (ECB) and set out:

• the criteria for classifying operational or security incidents as major
• the template to be used by payment service providers (PSPs) when notifying them to the Competent Authorities (CAs) and
• the indicators CAs need to use when assessing the relevance of such incidents

The aim of the draft guidelines is to support the objectives of PSD2 to strengthen the integrated payments market across the European Union. Ensuring consistency under the legislative framework, promoting equal conditions for competition and the provision of a secure framework for the payments environment and to protect consumers.

Feedback on the draft guidelines is requested by 7 March 2017.

What this means for you

The EBA was given a mandate to publish guidelines under article 96 of PSD2. Prior to publishing the draft guidelines, the EBA sought input from the national banking supervisors and central banks. That exercise confirmed the need for a common approach.

The draft guidelines are therefore designed to set out a common and consistent approach to reporting as well as creating a transparent framework for notifications by PSPs of major security or operational incidents within scope of PSD2. The EBA has produced the draft guidelines with the aim of preventing PSPs from becoming “overburdened” with reporting obligations whilst at the same time seeking to create “undue distortions between the smaller and the bigger players…”

The final guidelines will be published after the consultation closes.

EPC publishes SEPA Instant Credit Transfer Scheme Rulebook

The European Payments Council (EPC) published the first rulebook on the SEPA Instant Credit Transfer Scheme on 30 November 2016. This rulebook will come into force on 21 November 2017.

The pan-European scheme aims to eliminate the risks of lack of interoperability between national euro payment solutions.

The key characteristics of this scheme include:

• money will be available in the account of the payment beneficiary in less than 10 seconds
• transfers of up to 15,000 euros can initially be made
• credit transfers in euro are covered
• potential scope to cover 34 European countries
• optional – payment service providers (PSPs) can comply as receivers only or both as receiver and originator of instant credit transfer transactions
• the scheme is based on the existing SEPA credit transfer scheme to ease implementation

What this means for you

This Scheme is designed for euro transactions and is a separate scheme, although payment accounts held at PSPs operating within SEPA, do not have to be denominated in euro. The geographical scope of the Scheme spans 34 countries which are within the current scope of SEPA schemes and is built on the foundation of the existing SEPA Credit Transfer scheme.

The Scheme is optional and PSPs operating within SEPA are not obliged to adhere to the Scheme. However, any PSPs that do wish to adhere to the Scheme will have access to the required adherence documents in January 2017. There will be a register of participants which lists those taking part in the Scheme.

PSPs will have one year to get ready to process the first Scheme transactions in November 2017, which is the starting date of the Scheme. An annual participation fee will be announced in due course.

EBA updates ECON on strong customer authentication and common and secure communication

The Chair of the European Banking Authority (EBA), Andrea Enria, delivered an update on progress with the Regulatory Technical Standards (RTS) for strong customer authentication and common and secure communication under the revised Payment Services Directive (PSD2) on 29 November 2016.

Speaking to ECON, Committee on Economic and Monetary Affairs of the European Parliament, Enria gave a round up of activities so far and also reflected that different objectives of PSD2 leading to competing demands required the EBA and the European Central Bank (ECB) to make difficult trade-offs.

Enria commented that following the summer 2016 consultation a significant number of requests for clarification and concerns had been received. Those concerns included points relocating to:

• monetary thresholds for exemptions to strong customer authentication
• the prescribed interface within the RTS for accessing the payment accounts of a bank
• the exemptions for when payment service providers need not apply strong customer authentication

Given the level of feedback the EBA expects not to meet the original 13 January 2017 deadline for the RTS set out in PSD2. The RTS will likely be submitted a month or so later but given the number of significant issues raised, further delay is a definite possibility.

What this means for you

Andrea Enria considers the challenges for the EBA in developing the RTS within such a short timeframe to be “formidable”. The EBA recognises that it is having to balance competing demands ranging from the facilitation of innovation to the further enhancement of the single EU market in payments and the demand for customer convenience and user friendliness.

When the EBA submits the final RTS to the EU Commission at the beginning of 2017, it is also planning to publish a feedback table in which the EBA will provide feedback to the responses received. The EBA will seek to summarise each of the 260 concerns and questions raised and make clear whether that feedback has led the EBA to amend the RTS. Where the feedback does not relate to the RTS but relates to PDS2 more broadly, the EBA is working with the Commission on how best to communicate any required clarification.

The EBA is in the process of considering the responses to the monetary thresholds for exemption to strong customer authentication. It will seriously consider whether it needs to make changes to these thresholds in light of the feedback received. The EBA will also consider whether the RTS is inconsistent with the text of PSD2 regarding the exemptions for strong customer authentication. Feedback suggests that the draft exemptions have been too narrowly defined and do not allow for any “risk-based analysis”.

The update makes clear that the EBA remains interested in hearing the views of the European Parliament on the interface which the account information and payment initiation service providers will have to use for accessing the payment accounts of a bank as the draft RTS is silent on the meaning of “direct access”.

EPC updated SEPA rulebooks

The European Payments Council (EPC) have announced the publication of new editions of the SEPA Credit Transfer (SCT), the SEPA Direct Debit (SDD), Core (SDD Core) Scheme Rulebooks and the SEPA Direct Debit Business to Business (SDD B2B) scheme rulebooks. These new versions will come into force in November 2017 so all scheme participants have a year to adapt their systems.

What this means for you

The EPC SEPA schemes are used by thousands of PSPs in Europe. Therefore, all participating PSPs should take note of the new rulebook versions to ensure that they will be compliant with the new scheme rulebooks in readiness for November 2017.

The main update to the rulebooks for all three schemes, is the obligation for scheme participants to accept at least, but not exclusively, customer-to-bank (C2B) SEPA payment message files based on the EPC’s C2B SEPA scheme Implementation Guidelines. Customers will still have a choice either to continue using their existing C2B payment message file set-up or to opt for the EPC’s C2B payment message file. Nevertheless, the scheme participants will have to be technically capable of supporting C2B payment message files based on the EPC specifications.

ECB publishes SIPS Regulation consultation

The European Central Bank (ECB) published a consultation paper on 3 January 2017 presenting amendments to the SIPS Regulation, which is the common name for the Regulation on oversight requirements for systemically important payment systems.

There are four payment systems that fall under the Regulation; TARGET2, EURO1, STEP2-T and CORE(FR). The Regulation aims to ensure the efficient management and smooth operation of systemically important payment systems in the euro area and is subject to review every two years. The amended SIPS Regulation outlines clearer requirements on liquidity risk mitigation and new requirements on cyber resilience and assigns additional powers to the competent authorities.

What this means for you

This consultation is relevant to systemically important payment systems (SIPS) operators and should be considered by participants within SIPS as the proposed changes affect the oversight requirements for SIPS.

The Governing Council reviewed the general application of the SIPS Regulation under the power conferred by Article 24 of Regulation (EU) No 795/2014. The review took account of the findings of the first comprehensive assessment of SIPS. The assessment found that certain matters required some clarity or improvement and, in view of its findings, made some amendments to the SIPS Regulation to ensure that the highest oversight standards were being applied.

It was generally agreed by the Governing Council that there was a need to substantially improve the mitigation of liquidity risk and to allow for the smooth functioning of SIPS, participants will need adequate tools to effectively manage their liquidity. The amendments also require that assets held by a SIPS operator to cover general business risk, should be segregated from the assets held for daily business operations.

The management of cyber risks has grown in importance since the publication of the SIPS Regulation in 2014, and to ensure effective operational risk management, new specific requirements are included in the draft amended SIPS Regulation to mitigate cyber risks. Two additional tools are included for competent authorities so that they can exercise their oversight powers effectively. One of these tools is to have the power to require a SIBS operator to appoint an independent expert to perform an investigation or independent review of the SIPS’s operation.

The deadline of the consultation ends on 20 February 2017 and a template for comments is provided on the ECB’s website.