Global menu

Our global pages


Payment Matters: No. 39

  • United Kingdom
  • Financial services
  • Financial services - Payment services


The Financial Conduct Authority (“FCA”) has published final guidance on its approach to the Regulatory Technical Standards (“RTS”) and European Banking Authority (“EBA”) Guidelines under the revised Payment Services Directive (“PSD2”)

The FCA published the updated Payment Services and Electronic Money Approach Document and corresponding Handbook changes on 19 December 2018. The final guidance follows the recent consultation (CP18/25) on its approach to implementing the RTS and its alignment to the EBA guidelines. By way of example, some of the key points arising from the latest version of the guidance include confirmation that:

  • static card details cannot be used as a knowledge factor but they can be used as evidence of possession of the card
  • PSPs can rely on the exemption in Article 13 (‘white listing’) where the list of trusted beneficiaries was created prior to 14 September 2019 without applying SCA to confirm the list
  • there is no reason for account servicing payment service providers (“ASPSPs”) to request SCA more than once when facilitating authentication for a single session to account information service providers or a payment initiation transaction. For payment initiation, obtaining of SCA once is compatible with dynamic linking requirements
  • the testing facility which needs to be ready from 14 March 2019 must enable third party providers (“TPPs”) to test the authentication procedures (although the FCA notes that ASPSPs may not have SCA functionality fully in place)
  • not all payment account products need to be reachable through the testing facility to meet the testing criteria from March 2019
  • payment service providers (“PSPs”) will have a six month transitional period to allow them to comply in full with the new EBA fraud reporting guidelines
  • PSPs will be required to report on data relating to complaints received regarding APP fraud from 1 July 2019
  • the FCA is currently consulting on its approach to the implementation of the RTS in the event of a no-deal Brexit until 19 February 2019

For full details of the finalised guidance, please see the latest version of the FCA’s Approach Document and the FCA’s Policy Statement (available here).

What this means for you?

We strongly recommend all PSPs review the final guidance in detail and begin putting in place processes to ensure compliance with the RTS, particularly as the timelines to achieve compliance with the RTS are notably challenging. We are aware that many institutions have already started their technical build given the challenging timelines but PSPs will need to review the final guidance against any existing plans to ensure compliance.

For those PSPs which are implementing an industry initiative to provide access to third party payment providers (“TPPs”) (e.g. the Open Banking Implementation Entity initiative), they will also be required to ensure that the initiative ensures compliance with PSD2. The FCA has made it clear that although it expects extensive work to have been undertaken to ensure the standards are aligned with PSD2 requirements, it remains the ASPSP’s responsibility to ensure compliance. We, therefore, recommend that you assess any existing initiative standards and guidance against the latest Approach Document to meet the FCA’s expectations.

The EBA has published the final guidelines on the conditions to benefit from an exemption from the fall back contingency mechanism

The EBA published its final guidelines on the conditions to benefit from an exemption from the contingency mechanism under the RTS on 4 December 2018. The guidelines set out the final requirements which ASPSPs must meet before competent authorities can decide whether or not it should grant an exemption. In summary, some of the conditions from the finalised guidelines include confirmation that:

  • it is not in the scope of the RTS to prescribe how KPIs for the customer interfaces should be calculated
  • the distinction between planned and unplanned downtime in relation to the availability of the dedicated interface has been removed from the guidelines
  • there needs to be a plan in place to ensure publication in a way which allows TPPs to compare the availability and performance of both the dedicated and customer facing interfaces
  • stress testing relates to the impact that stresses have on the availability and performance of the dedicated interface and it has been extended to include “extremely” high numbers of requests from TPPs. This means the number of requests must go significantly beyond what the interface is designed for
  • ASPSPs will need to provide evidence to their competent authority that the dedicated interface does not give rise to unnecessary delay or friction for TPPs
  • the FCA may take into account any problems reported by TPPs when deciding whether to grant an exemption

For full details of the conditions to benefit from an exemption to build a contingency mechanism, please see the final EBA Guidelines (available here).

What this means for you?

The regulators have acknowledged that the timelines for meeting the conditions for an exemption are tight as ASPSPs are required to begin testing from 14 March 2019 and ensure that they have complied with the conditions in the guidelines before submitting an exemption request to the relevant competent authority (which the FCA has said should be no later than 14 June 2019).

If you are considering seeking permission from the FCA (or equivalent competent authority), we, therefore, strongly encourage you to review the finalised guidelines in detail and begin the application process as soon as possible. This means you will need to begin putting in place adequate processes to meet the conditions in the guidelines, including, by way of example, defined KPIs and service level targets, testing facilities, evidence of wide usage and adequate plans to publish statistics on the availability of the dedicated interface.

We also encourage you to engage with the FCA as soon as possible before the September 2019 deadline to ensure your application is successful as any ASPSPs who do not receive an exemption will be required to have a fall back mechanism in place on 14 September 2019 in order to ensure compliance with the RTS.

The EBA announces plans to create an Application Performance Initiative (“API”) Evaluation Working Group

The EBA has announced plans to create a new working group to prepare for the application date of the RTS. The group will be chaired by the EBA and it will include national competent authorities, EBA staff, EU institutions and representatives from a range of external stakeholders (ASPSPs, AISPs, PISPs, CBPIIs, API initiatives) and other external stakeholders such as consumers, technical service providers and standardisation bodies. The deadline for submitting expressions of interest to the EBA is today (14 January 2019) and the EBA expects to inform all applicants whether they have been successful on the 4 February 2019. The first meeting of the Group is currently scheduled for the week commencing 18 February.

What this means for you?

The EBA has noted that the aim of the group is to facilitate industry readiness for the application of the RTS and to support the development of high-performing and customer-focused APIs. In particular, the group will aim to identify issues which emerge as the industry is preparing to implement compliant APIs and allow external stakeholders to propose solutions on how those issued could be resolved. We, therefore, recommend that all PSPs closely follow the Group’s progress as any publications which flow from the discussions may assist with answering any unanswered questions, or issues which arise during the API technical build stage.

The EBA has published an Opinion on the use of electronic identification and trust services (“eIDAS”) certificates under PSD2

The EBA has published an Opinion on the use of eIDAS certificates under PSD2. The Opinion seeks to clarify certain issues regarding the use of qualified certificates for electronic seals (“QSealCs”) and qualified certificates for website authentication (“QWACs”), including which certificates should be used and the process for revoking certificates. Some of the key points to note include confirmation that:

  • there are three potential alternative approaches for the use of QSealCs and QWACs, although the EBA recommends that they are used in parallel as this allows TPPs to identify themselves to ASPSPs, ensures communication is secure and ensures that the data submitted originates from the PSP identified in the certificate
  • ASPSPs are the party which chooses the type of certificate to use for the purpose of identification
  • each PSP should decide whether to use single or multiple certificates for each role
  • the roles assigned to payment institutions in eIDAS certificates should be limited to the payment services for which the respective institution is authorised, whereas credit institutions that act as third party providers should be assigned three roles (payment initiation, account information and issuing of card-based payment instruments)
  • competent authorities should consider requesting the revocation of an eIDAS certificate issued to a PSP which has had its authorisation/registration withdrawn/revoked

For full details of the EBA’s guidance, please review the Opinion (available here).

What does this mean for you?

The EBA’s Opinion is addressed to competent authorities to assist with their supervisory responsibilities in relation to the use of eIDAS certificates under PSD2, however the Opinion should prove useful for all PSPs, payment schemes, technical service providers and industry initiatives (such as the OBIE). We, therefore, recommend that you review the Opinion in order to obtain insight into the EBA’s approach (which will inform the FCA’s approach). This is particularly important in the lead up to March 2019 as the EBA and the FCA have confirmed that ASPSPs must make available facilities that enable TPPs to test the ability to exchange certificates as part of the testing facility (although TPPs without qualified certificates prior to 14 September 2019 can still make use of the testing facility).

The FCA has published policy changes in relation to authorised push payment (“APP”) fraud complaints handling

On 14 December 2018, the FCA published policy changes to the Dispute Resolution Sourcebook (“DISP”) in relation to APP fraud complaints handling. The new rules follow on from the FCA’s consultation (CP18/16) on the adequacy of the existing safeguards for those who have been victims of APP fraud and are designed to provide victims of APP fraud with prompt and fair complaints resolution against PSPs. In particular, the FCA has amended DISP to provide that:

  • all PSPs will be required to handle complaints about APP fraud in accordance with the rules in DISP. The Financial Ombudsman Services’ (“FOS”) compulsory jurisdiction and voluntary jurisdiction will also be extended to enable FOS to adjudicate on cases where victims of APP fraud are not happy with the outcome of their complaint to a PSP (provided that the victim is an eligible complainant within the meaning of DISP)
  • payers can now complain to the receiving PSP about its failure to cooperate with the payer’s PSP to recover funds involved in a payment transaction where incorrect details have been provided in accordance with regulation 90(3) of the PSRs 2017. PSPs must handle such complaints in accordance with the DISP rules and such complaints will also be considered by FOS

For full details of the new changes, please see the FCA’s policy statement (available here).

What this means for you?

We recommend that all PSPs now review their existing procedures to ensure that they are handling complaints appropriately, promptly and fairly in accordance with DISP. This includes ensuring you have sufficient resources and capacity to account for the potential increase in the volume of complaints which you will potentially be exposed to as a result of these changes. You will also need to put in place processes to accurately determine whether a complaint received about APP fraud needs to be forwarded to the counterpart PSP.

European Regulators have reached a final compromise text on changes regarding cross-border payments in the Union

The proposed changes to Regulation 924/2009 regarding cross-border payments and currency conversion charges have been subject to a lot of debate since the original proposal was published by the European Commission in March 2018. However, following trilogue negotiations a final compromise text has now been published. The text attempts to reduce charges and improve the transparency and comparability of currency conversion charges. In summary, the text includes the following proposals in relation to some of the key points which have been debated in the industry:

  • charges levied by a PSP on a payment service user in respect of a cross-border payment in euro must be the same as the charges levied by that PSP for corresponding national payments of the same value in the national currency of the Member State where the PSP is located
  • percentage mark-ups must be disclosed to the payer prior to the initiation of a payment transaction and publicly made available in a comprehensible and easily accessible manner on a broadly available and easily accessible electronic platform

Please see the full text (available here) for additional details regarding the proposed changes to the Regulation.

What this means for you?

The next step is for the Permanent Representatives Committee to approve the text with a view to reaching an agreement at first reading with the European Parliament. We recommend that all PSPs review the compromise text and assess what impact the changes will have on their businesses. However, it is worth noting that in the explanatory information to the draft statutory instrument relating to payments and electronic money, the UK Government has confirmed that it does not propose to retain Regulation 924/2009. As such, you may wish to await confirmation of the position post-Brexit before completing a detailed gap analysis.

The FCA plans to conduct a programme of analysis into new payments business models

The FCA published its final report (available here) on the results of its strategic review of retail banking business models on 19 December 2018. As part of the report, the FCA discusses how the payments landscape is changing due to increased competition from businesses such as payment initiation service providers (“PISPs”). In particular, the FCA notes that, in contrast to existing card-based payment methods, there is scope for PISPs to offer an alternative lower cost payment solution to merchants. This is because PISPs can initiate direct bank-to-bank payments using the Faster Payments system, avoiding interchange fees and charges which are traditionally passed on to merchants for accepting card payments from consumers.

What this means for you?

The FCA plans to conduct a programme of analysis to understand the value of these new payments business models, including the different levels of consumer protection offered in comparison to traditional card-based payment methods. We recommend you take this into consideration whilst we wait an update from the FCA which we can expect as more institutions become authorised and payment initiation services are used increasingly throughout the calendar year. We also recommend that you consider the Payment Systems Regulator’s proposed review into acquiring services as the final terms of reference for the market review are expected to be finalised in 2019.