Global menu

Our global pages


Payment Matters: No. 37

Payment Matters: No. 37
  • United Kingdom
  • Financial services and markets regulation
  • Financial services
  • Financial services - Payment services


The Authorised Push Payment (“APP”) Scams Steering Group publishes interim Contingent Reimbursement Model (“CRM”) for consultation

On 28 September 2018, the APP Scams Steering Group (“Steering Group”) published its interim CRM for consultation. The CRM is a voluntary code designed to set out the circumstances when the victims of APP scams would get their money back and whether it might come from their payment services provider (“PSP”) or the PSP that received money on behalf of the fraudster.

The interim CRM has three overarching provisions:

  • to reduce the occurrence of APP fraud
  • to increase the proportion of customers protected from the impact of APP fraud, both through reimbursement and through the reduction of APP fraud
  • to minimise disruption to legitimate payment journeys

To that end, the interim CRM provides a series of general expectations and standards which PSPs are expected to meet in their roles as payer and/or payee PSP. These general expectations and standards relate to PSPs’ measures to detect, prevent and respond to APP scams. They include, for example, the implementation of effective warnings, the gathering of fraud statistics, and the use of Confirmation of Payee. They also include ways that PSPs can justifiably refuse to reimburse customers who have been defrauded.

The Steering Group’s consultation is open for feedback until 15 November 2018. The Steering Group will consider the consultation responses and make any final adjustments to the CRM, which should be implemented in early 2019.

What this means for you?

Until a final CRM is agreed and published, the draft CRM is not “in force”. However, retail banks represented on the Steering Group have individually committed to start work towards implementing the standards of the draft code during the consultation period.

PSPs should read carefully the draft CRM and, if they intend to subscribe to the final CRM, ensure that their processes and procedures are in-line with the overarching principles, general expectations and standards expected of PSPs under the CRM. PSPs should also familiarise themselves with the circumstances in which they can justifiably refuse to reimburse customers who have been defrauded, keeping in mind their obligation to treat customers fairly (PRIN 6) and the possibility that the PSP’s terms and conditions might require the firm to meet a higher standard than the interim CRM.

The Financial Conduct Authority (“FCA”) consults on its approach to the final Regulatory Technical Standards and European Banking Authority (“EBA”) guidelines under the Revised Payment Services Directive (“PSD2”)

On 17 September 2018, the FCA published a consultation (CP18/25) on its approach to the final regulatory technical standards (RTS) and EBA guidelines under PSD2. The FCA proposes a number of amendments to its Approach Document on its role under the Payment Services Regulations 2017 and the Electronic Money Regulations 2011 and its Handbook. The key themes of the consultation relate to secure communications between account servicing payment service providers (“ASPSPs”) and third-party providers (“TPPs”), the application of Strong Customer Authentication ("SCA") and reporting requirements. Some of the proposals include:

  • confirmation that the FCA expects ASPSPs seeking an exemption from the requirement to develop contingency mechanisms to apply to the FCA by June 2019
  • confirmation that firms wishing to rely on the corporate exemption relating to the application of SCA do not need to notify the FCA in advance of using the exemption
  • a proposal to update SUP 16 to replace the existing REP017 form to reflect the EBA Guidelines on fraud reporting;
  • a proposal to refer to the development of the Contingent Reimbursement Model in the revised Approach Document, suggesting that the FCA supports the work of the industry in relation to APP scams
  • where as a result of an APP scam a payment has been pushed into the wrong account, a proposal to require PSPs to cooperate with the payer’s PSP for the recovery of the transferred funds (i.e. Regulation 90 of the PSRs 2017 will apply)

Subject to the outcome of this consultation, the FCA expects to publish the final changes to the Approach Document and Handbook by January 2019. The FCA anticipates that this will give firms sufficient time to implement and change existing operations to ensure compliance with the RTS by 14 September 2019.

What this means for you

There has been wide industry debate regarding the FCA’s approach to the implementation of the RTS since the RTS was published in the Official Journal. It is apparent that the FCA will be closely applying the EBA’s approach (as set out in the EBA’s Opinion and Guidelines on the implementation on the RTS) but the consultation provides further details on how the FCA proposes to regulate firms during and after the implementation period. We strongly advise all payment institutions, registered account information service providers and credit institutions to review the consultation and provide feedback by the deadline on 12 October 2018. If you are considering responding to the FCA and would like to discuss any of the proposals, please contact us and we would be happy to discuss this in more detail.

The Open Banking Implementation Entity (“OBIE”) publishes Open Banking Standards version 3.0

The OBIE has published version 3 of the Open Banking Standards. As expected, the update builds significantly on the previous version of the Standards (dated March 2018). In particular, the OBIE has noted that the new Standards “offer account providers a well-supported route to PSD2 compliance.” The previous versions primarily covered current accounts to ensure compliance with the CMA Order, whereas the new standards cover all products with payment capabilities, including credit cards, pre-paid cards and e-wallets.

What this means for you?

ASPSPs which are currently using, or intending to use, the Open Banking model to provide TPPs access to customer’s payment accounts should now align their practices with the newly published Standards, alongside verifying that the relevant parts of the Standards will allow them to meet their obligations under PSD2 and the RTS. If you are considering using the Open Banking model to provide access, or you are a third party wanting to gain access via the Open Banking model, please contact us and we would be happy to discuss this in more detail.

HM Treasury plans for the on-shoring of Financial Services post-Brexit

The Government has issued draft Statutory Instruments in relation to the ‘on-shoring’ of financial services legislation to prepare for the UK’s withdrawal from the EU. The Statutory Instruments are currently in draft form and are likely to be subject to change but the Government has issued an Explanatory Note explaining some of the key changes. These include:

  • retaining the SEPA regulation (subject to a small number of changes as the UK will access SEPA as a third country rather than an EU Member State)
  • amending the PSRs 2017 so that transactions in Euros with another member of the SEPA area are treated as two leg transactions (Part 7 of the PSRs will continue to apply)
  • implementing a Temporary Permissions Regime (“TPR”) for payment institutions (similar to the temporary regime announced for FSMA regulated firms (e.g. credit institutions)
  • removal of provisions requiring UK supervisory bodies to cooperate and share information with EU authorities (although the domestic framework for cooperation already allows for information sharing where necessary)
  • removal of the EU’s Cross-Border Payments Regulation as it would become inoperable in its current form and compliance is not a requirement for third-party membership to SEPA

Draft versions of the Payments and Electronic Money (Amendment) (EU Exit) Regulations 2018 and the Credit Transfers and Direct Debits in Euro (Amendment) (EU Exit) Regulations 2018, together with an Explanatory Note, can be found here.

What this means for you?

The Statutory Instruments are of relevance to all PSPs as, if agreed, they may impact your existing processes. For example, if the UK exits without obtaining a deal with the EU, based on the existing draft, PSPs will be required to take advantage of the proposed TPR to continue to function while putting in place plans to establish a UK subsidiary to offer services in the UK at the end of the TPR (which is due to expire three years from the exit date). HM Treasury proposes to lay the Statutory Instruments before Parliament in the Autumn. We, therefore, expect to obtain additional detail on the Government’s approach as the proposals are debated.

The FCA consults on the proposed new Payment Services and Electronic Money (Principles for Business and Conduct of Business) Instrument 2018

On 1 August 2018, the FCA published a consultation on general standards and communication rules for the payment services and e-money sectors. The key proposals outlined by the FCA in the consultation include:

  • extending the application of the FCA’s Principles for Businesses so that they apply to payment institutions, electronic money institutions, registered account information service providers and credit institutions
  • widening the scope of the promotion and communications rules in Chapter two of the FCA’s Banking Conduct of Business Sourcebook (“BCOBS”) to cover wider categories of FCA-regulated business
  • the addition of new rules and guidance in BCOBS to ensure that firms do not mislead consumers when they are advertising payment services that involve currency conversions

What this means for you?

If you are a payment institution, electronic money institution, registered account information service provider or credit institution, you should consider the consultation closely as the changes will require you to make changes to your existing operations. For example, firms will be required to comply with the Principles of Business which set out how firms should treat consumers, run their business and interact with regulators. This includes (amongst other factors) considering integrity, market conduct, conflicts of interest and the customer’s interests. Institutions will also be required to ensure that all communications with consumers are ‘fair, clear and not misleading’ and prevent communicating exchange rates in a way that gives the impression that a particular rate will apply when it is not likely to be available. We, therefore, recommend that you take the time to review the consultation and provide feedback by 1 November 2018. The FCA expects to publish a Policy Statement on the proposed changes in January 2019.

For additional information on this matter, please refer to our article dated 15 August (available here).

The European Parliament’s Committee on Economic and Monetary Affairs consider recent proposals in relation to cross-border payment charges

The European Parliament’s Committee on Economic and Monetary Affairs met to consider the most recent draft report in relation to cross-border payment charges on 29 August 2018. We understand that the Committee members raised similar concerns to the European Council, including criticism of the original plans to draft secondary rules on currency conversion practices for cross-border card transactions and the implementation of price caps. Parliamentarians will undertake a final vote on the implementation of the proposals on 5 November.

What this means for you?

Interestingly the UK Government has proposed to dispense with the Cross-Border Payments Regulation upon withdrawal from the EU. The Government suggests that applying the Regulations to cross-border Euro payments to the EEA would place obligations on UK PSPs which they could not fulfil as they require cooperation from PSPs within the EEA. In our view, this means that there is an element of uncertainty regarding the impact of the proposed changes to the Cross-Border Payments Regulation within the UK. The Government has noted in its Explanatory Note that it will examine the final version of the Regulation post-negotiations and re-consider its approach but, at this stage, it appears unlikely that HM Treasury will decide to retain the existing Regulations. We expect to obtain additional detail upon completion of the final vote in November.

The Financial Ombudsman issues a newsletter regarding authorised payment fraud

The Financial Ombudsman has issued a newsletter summarising its approach to authorised payment fraud, providing insight into when it expects banks to take responsibility for the fraudulent scams. In particular, the Ombudsman has considered its interpretation of ‘gross negligence’ in the context of recent case studies where PSPs have refused to provide a refund on the grounds that the customer has acted with gross negligence.

For example, the Ombudsman has ordered PSPs to provide refunds in the following circumstances:

  • a customer had responded to a fraudulent text message providing details to allow fraudsters to authorise a payment. The text message appeared in the same chain as genuine messages from the bank and the process was very similar to the bank’s genuine process
  • a customer inputted her security details into a fraudulent website which appeared to be identical to the bank’s online banking platform
  • a customer disputed that they had withdrawn cash from an ATM as she had not shared her pin with anyone. The disputed transactions had been made 30 miles from the complainant’s house, at separate cashpoints a mile or so apart – just before and just after midnight. The customer tried to obtain CCTV to prove she did not withdraw that cash but it was erased before she could obtain a copy as the bank had given her incorrect details regarding the location of the withdrawals
  • a customer claimed that they did not receive their card and PIN in the post but the same details had been used to authorise payments form the account

What this means for you?

A key rationale for institutions refusing to provide a refund when a customer complains about an unauthorised transaction is where the customer has acted with ‘gross negligence.’ This reflects the position outlined in the Payment Services Regulations 2017 but it is often challenging for institutions to prove that the customer has acted with gross negligence given the complexity of APP scams. The Ombudsman newsletter appears to reinstate the challenges which PSPs face in proving ‘gross negligence’ in complex scenarios, particularly given the increased sophistication of criminal activity.

We recommend that PSPs consider the outcome of the published case studies carefully to determine if they should make any changes to how they treat victims of payment fraud whilst we await the outcome of the FCA’s recent consultation on APP scams and the consultation of the Contingent Reimbursement Model. Interestingly, the FCA proposes to amend its Approach Document on its role under the PSRs 2017 and the Electronic Money Regulations 2011 to confirm that it is supportive of the work led by industry to facilitate the recovery of funds in cases involving fraud, including the efforts to develop a ‘Contingent Reimbursement Model'.

The Global Financial Innovation Network consults on plans to implement a ‘global sandbox’

The new Global Financial Innovation Network has published a consultation requesting feedback on the new ‘global sandbox.’ The Network (which includes the FCA and 11 other financial regulators and regulated organisations) is requesting feedback on the draft mission statement for the sandbox and the proposed functions of the new sandbox. The proposed focus of activity includes a space to enable global institutions to collaborate to enhance innovation, provide a forum for discussions, joint policy work and a testing environment for cross-border solutions.

What this means for you?

A global sandbox could promote the success and developments of the financial services industry by allowing space for knowledge sharing and access to support from multiple regulators in the design and supervision of test models and give global institutions an opportunity to test products in multiple jurisdictions. We, therefore, recommend that you review the proposed mission statement and provide feedback prior to the deadline of 14 October 2018.