Payment Matters: No. 32

  • United Kingdom
  • Financial services
  • Financial services - Payment services


Payment Accounts Directive (“PAD”) and Payment Accounts Regulations (“PARs”) Legal Update

There have been a number of key developments in the payment account space during the first few weeks of 2018, including the publication of a Delegated Regulation and Implementing Regulations in the Official Journal.

The PAD and PARs introduce a requirement to standardise terms and definitions to describe the key services that are linked to payment accounts and subject to a fee. Member States previously submitted their provisional lists to the EBA and, following a public consultation, the EBA standardised the terms and definitions that appeared on the majority of the national lists. The European Commission has since adopted the EBA’s regulatory technical standards as a Commission Delegated Regulation, which has now come into force following its publication in the Official Journal.

The PARs require any payment service provider (“PSP”) that offers a payment account to provide its consumers with a Fee Information Document (“FID”) and Statement of Fees (“SOF”). Schedules 1 and 2 of the PARs require PSPs to ensure that their FID and SOF comply with any implementing technical standards adopted by the European Commission regarding the standardised presentation format of the FID and SOF. Following a consultation period with the European Banking Authority, the European Commission has now adopted two Implementing Regulations which set out the obligations regarding the standardised presentation format and common symbols of the FID and SOF. These Implementing Regulations have been published in the Official Journal.

What does this mean for you?

The obligation to provide standardised FIDs and SOFs comes into force six months after the FCA publishes the linked services list in accordance with regulation 3 of the PARs. As suggested above, the FCA has 3 months from the publication of the European linked services list to produce the national list, although it has announced that it expects to publish the national list in April 2018. Assuming the FCA meets its suggested timeframes, this means that the obligations in respect of FIDs and SOFs are likely to take effect in quarter four of 2018 (although the impact date has not been determined yet).

On this basis, we recommend that providers of payment accounts should now review the finalised implementing standards to ensure that their documents meet the prescriptive requirements set out within the regulations. This will ensure that providers are well equipped to meet their obligations to provide a FID and SOF in quarter four of 2018 (although the date has not yet been set). In order to fall within the definition of a ‘payment account’, an account must enable a customer to:

  • place funds in the account
  • withdraw cash from the account
  • execute payment transactions to third parties, including credit transfers
  • receive payment transactions from third parties

Firms should also analyse the finalised European list of key services that are linked to payment accounts as the FCA is required to integrate the European list into its own national list (expected to be published in April 2018). Firms are also expected to use the terms on the final list within six months after publication by the FCA.

Interestingly, and in line with the PAD/PARs theme, HM Treasury issued a report last year demonstrating that over 900,000 new basic bank accounts were opened from July 2016 to June 2017, taking the overall total for such accounts open to nearly 5 million. This demonstrates that the obligation upon the nine largest current account providers to offer basic bank accounts that are fee-free for standard operations has been a popular development in the market.

European Central Bank Member delivers speech on the regulatory technical standards under the revised Payment Services Directive (“PSD2”)

Yves Mersch, a Member of the Executive Board of the European Central Bank, delivered a speech at the European Banking Federation’s Executive Committee meeting in Frankfurt on 22 February 2018.

Mersch’s speech focuses on the implementation of the regulatory technical standards on strong customer authentication and common and secure open standards of communication (“RTS”) which we understand will be published on 7 March, having received approval from European Authorities. Mersch encouraged PSPs to implement the RTS as soon as possible to mitigate any security threats in the retail payments market (rather than waiting 18 months until PSPs are obliged to transpose the security obligations detailed in the RTS). For example, Mersch suggested “the implementation of strong customer authentication with dynamic linking of the authorisation to the specific amount and payee will help deter man-in-the-middle attacks” both in the long term and in the interim period if adopted in advance of the 18 month deadline.

Mersch also encouraged banks to strive towards a single standardised dedicated interface in line with the European Commission’s previous comments that a standardised interface is their preference as it would encourage competition across the market. He also raised concerns about some banks’ plans to modify their own proprietary customer interfaces rather than develop a dedicated interface. Although the latter would be within the remit of the RTS, it would not, in his opinion, “meet the market needs of efficient and pan-European provision of payment initiation services.” On this basis, the Executive Board Member encouraged banks to join and contribute to the European Commission’s API Evaluation Group which has recently started work.

Finally, Mersch suggested that it is paramount that third party payment service providers (“TPPs”) are authorised/registered as soon as possible. In particular, he commented on the importance of cooperation between TPPs and banks through the testing and use of access interfaces at an early stage.

What does this mean for you?

We are aware that a number of providers of payment accounts within the industry are already taking steps to provide a secure method of access. In line with Mersch’s speech, we suggest that all providers of payment accounts now begin to consider their access solution (including the access solution being developed by the Open Banking Implementation Entity based on a redirection model). A fragmented approach will not go down well with European lawmakers and will lead to PSPs moving further away from the integrated European access which was envisaged for TPPs. The ECB has made it clear that the initiatives currently developing standardised specifications for application programming interfaces (“APIs”) should join forces and agree on one common technical specification so that all European TPPs can base their systems on one or a few technical API standards. Bank-specific solutions will of course move the market further away from that goal. We are currently working with many account providers to provide strategic advice on the best long term solutions to build and what that solution needs to look like.

We also encourage PSPs to join and feed back into the European Commission’s API Evaluation Group to gain a greater understanding of the current pan-European market views on the standardisation of dedicated interfaces. Similarly, firms should also begin developing solutions to ensure effective mechanisms are in place in respect of strong customer authentication. As suggested in the Executive Board Member’s speech, the sooner firms adopt strong customer authentication, the more comfortable they will be that their systems can effectively enhance the security of the retail payments space.

Please contact Richard Jones or Ruth Fairhurst if it would be useful to discuss what changes your firm will need to make over the next 18 months in order to comply with the RTS (which are expected to come into force on 9 September 2019). See our article entitled “EBA and EC correspond on regulatory standards under PSD2” for details of concerns raised by the EBA on the final RTS.

European Banking Authority (“EBA”) and European Commission correspond on regulatory standards under PSD2

On 26 January 2018, Andrea Enria of the European Banking Authority published a letter to the European Commission in relation to the RTS.

The EBA welcomed the Commission’s timely adoption of the RTS but raised concerns about the “significant changes” contained in the final version of the RTS that the Commission adopted on 27 November 2017. The EBA challenged the Commission’s decision to make these changes without consulting with the EBA as they impose extra administrative and operational burdens on PSPs as well as competent authorities. The EBA also suggested that the changes adopted by the Commission leave “significant room for interpretation and increase the risk of un-level playing fields.” For example, the obligation upon account servicing payment service providers to ensure that their interface is designed and tested ‘to the satisfaction of the PSPs that seek to access the accounts’ is of particular concern because it makes the eligibility for the exemption to a legal requirement of one category of payment provider contingent on the ‘satisfaction’ of another without specifying how competent authorities and the EBA are to monitor this.

In response, the European Commission published a letter to the EBA on 13 February 2018. The Commission acknowledged the need to keep supervisors fully on board with any developments but commented that the amendments to the RTS took account of previous feedback received from the EBA and member state officials. In response to the EBA’s particular concerns regarding the increased administrative burdens and the room for interpretation, it was noted that neither the Commission nor the EBA was in a position to anticipate all issues with APIs and outline all solutions directly within the RTS. The Commission suggested that it will be left to market players (banks, TPPs and payment services users) to work together to consult and provide feedback on the adoption of the RTS. The Commission also suggested that the best way to assist national supervisors is to work with the national competent authorities in dealing with issues and to ensure full participation in any market wide meetings and discussions examining API standards.

What does this mean for you?

We are aware that a number of PSPs found it difficult to interpret some of the amendments adopted by the European Commission in its adopted text which was published in November. Examples include the potential issues with using the redirection model of access and the obligations to ensure that interfaces are built to the satisfaction of third parties intending to use them to access customers’ accounts.

It is clear that these views have been shared across the industry, as the European Banking Authority has challenged the European Commission on the lack of clarity and how this may lead to various interpretations across the market. Seemingly, however, the RTS will be published on March 7th without further clarity. We are currently working with PSPs to map the PSD2 RTS against current operational processes to identify where the key compliance questions and gaps are. Please get in touch with Richard Jones or Ruth Fairhurst if you would like assistance with this exercise.

European Central Bank Member speaks on European retail payments market developments

On 15 February 2018, Yves Mersch, European Central Bank Executive Board Member, delivered a speech in Paris on the developments of instant payment solutions in the European retail payments market.

Mersch’s speech centred on the launch of instant payments in euro in November 2017 and the subsequent move towards the development of real-time instant payments in the European retail payments market. Mersch recognised that there have already been significant developments in this respect, for example SEPA Instant Credit Transfers and the scheduled implementation of Target Instant Payment Settlement services in November 2018 to ensure the pan-European reach of instant payments.

However, Mersch called on the industry to take further advantage of this move by developing innovative end-user solutions to enable businesses and consumers to benefit from instant payments in any payment situation. For example:

  • the development of point-of-sale instant payments providing immediate and final payment to merchants just like cash
  • the development of e-commerce instant payments to allow consumers to initiate an instant payment from an online shopping environment which allows the merchant to instantly receive confirmation that the payment has been executed

What does this mean for you?

Mersch noted that PSD2 provides a stable legislative framework for the development of innovation in this field. In particular, it was noted that the work of both the European Retail Payments Board and the European Commission API Evaluation Group are fundamental to the success of these developments. We, therefore, recommend that PSPs monitor the progress of these groups closely in order to ensure that you stay at the forefront of any innovative developments concerning the introduction of instant payment solutions.

Financial Conduct Authority consults on wider access to the Financial Ombudsman Service for small businesses

On 22 January 2018, the Financial Conduct Authority published a Consultation on the widening of access to the Financial Ombudsman Service for small businesses. The consultation is a follow up to a 2015 discussion paper looking at SMEs as users of financial services.

The services of the Financial Ombudsman are currently only available to individuals and micro-enterprises. However, the FCA Consultation proposes to extend the services of the Ombudsman to “approximately 160,000 additional SMEs, charities and trusts.” The FCA proposes to do this by amending its Handbook to:

1. include a new category of eligible complainants called ‘small businesses.’ The FCA intends to define ‘small businesses’ up to the following threshold:

  • annual turnover of less than £6.5m
  • annual balance sheet total of less than £5m
  • fewer than 50 employees

2. enable charities with income up to £6.5m and trusts with net assets up to £5m at the time they make a complaint to a firm to become eligible complainants; and

3. introduce rules that will make a guarantor a new category of eligible complainant. This will allow those who have provided a security or guarantee for a micro-enterprise or small business to refer a complaint to the Ombudsman whether or not they are also a ‘micro-enterprise’ or a ‘consumer’.

What does this mean for you?

This consultation will be directly relevant to providers of regulated and unregulated financial services, including advisers to SMEs, credit providers and intermediaries dealing with SMEs.

The FCA has asked for feedback on whether the proposed size thresholds and criteria for small businesses are appropriate, in addition to comments on whether providers agree with the additional proposed changes to the FCA’s Handbook. The FCA has also asked for feedback on whether the changes should come into effect on 1 December 2018 and whether they should only apply to complaints made to a firm about the firm’s actions, or failure to act, which occur from 1 December 2018 (or if a transitional period should be invoked). With regards to businesses not covered by the FCA’s new proposals, the FCA is also seeking feedback on any comments in relation to access to redress and how this could be achieved without the need for changes to legislation.

Firms should now review the consultation and collate their feedback in order to respond to the FCA’s specific questions regarding the extension of scope of the Financial Ombudsman’s services. Please note the deadline for providing this feedback is 22 April 2018 and the FCA expects to publish its final Policy Statement on this matter in Summer 2018.

EBA issues national registers of payment and electronic money institutions under PSD2

The EBA has published the national registers of payment and electronic money institutions registered under PSD2. The national registers are available centrally on the EBA’s website here. The European electronic central register which the EBA is required to develop, maintain and operate in accordance with PSD2 is under development.

What does this mean for you?

We assume that the EBA has incorporated each Member State’s national register in a central place for use whilst it is developing the European central register. The national registers are updated on a regular basis, and PSPs and users can now easily access the various national registers to identify whether an entity is an authorised or registered payment or electronic money institution at a national level.

EBA guidelines on operational and security risks under PSD2

We previously reported that the EBA has published its final guidelines on security measures for operational and security risks of payment services under PSD2; Member States had two months from publication to determine whether they accepted the guidelines or not.

The FCA has since confirmed that it will comply with the guidelines in the UK and that it expects firms to do so with effect from 13 January 2018. For example, firms wishing to apply for authorisation or registration (and PSPs re-applying) should take into account the guidelines in their applications when including a description of the measures they intend to take in order to comply with regulation 98(1) of the PSRs 2017.

The FCA is also consulting this month on its approach to applying the Guidelines and its expectation on PSPs’ future reporting requirements in 2018. The FCA is proposing to add an extra chapter 18 to its Approach Document, which is intended to explain some of the factors that it expects PSPs to take into account and include in their assessments when complying with the EBA guidelines. It is also proposing to direct PSPs to report to it at least annually via a new form which they have included in an Appendix to the consultation. Additionally, on 15 January 2018, the EBA published translations of its guidelines into the EU official languages.

What does this mean for you?

We recommend that firms now feed into the FCA on the consultation as the agreed guidance will provide key insight as to how the FCA expects firms to adopt the Guidelines in the UK. However, the FCA has emphasised that its guidance will not replace, and must be read alongside, the EBA guidelines. Interested parties have six weeks to respond to the consultation.

The FCA goes global (global sandbox and collaboration with the US)

The FCA has added a new webpage to the regulatory sandbox section of its website in which it seeks views on the merits of creating a global sandbox. The FCA's sandbox only permits firms to conduct tests in the UK but many aspects of the industry are now global.

The webpage notes that the FCA undertakes a significant amount of international engagement and cooperation in connection with innovation, and has signed nine bilateral cooperation agreements with other jurisdictions which encourage greater dialogue between regulators. However, the FCA does not currently offer firms the opportunity to participate in a joint sandbox programme with other regulators. A global sandbox could potentially allow firms to conduct tests in different jurisdictions at the same time and allow regulators to work together and identify and solve common cross-border regulatory problems, through tests. Under such a model, testing could span two or more jurisdictions.

On a related note, the FCA has also teamed up with the United States CFTC to collaborate on a framework for financial technology, innovation and regulation. Both regulators have created specific bodies dedicated to fintech initiatives, namely LabCFTC and FCA Innovate. The cooperation agreement between the two parties will focus on sharing information regarding market trends and developments.

What does this mean for you?

Recent industry developments, including the implementation of PSD2, have promoted innovation and competition in the payment services market. As a result, we are likely to see many more new business models operating in this space, both in the UK and globally. A global sandbox could promote the success and developments of these opportunities by allowing space for knowledge sharing and allowing businesses to benefit from having access to support from multiple regulators in the design and supervision of their test models. In particular, the FCA states that the global sandbox could:

1. address pre-identified challenges by allowing regulators and businesses to work together to define where common problems exist in relation to regulatory problems that cross jurisdictional boundaries and collaborate to find solutions;

2. support specific firms with cross border ambitions by allowing firms who have ambitions to grow in different markets to bring their idea to market more quickly and easily, creating more effective competition; and

3. seek to address policy and regulatory challenges by, for example, joining up on events and/or papers on emerging trends and challenges to leverage the diverse experience of participating regulators and firms, and work toward consistent approaches.

The FCA is now seeking feedback on the specific questions set out on its website here. We, therefore, recommend that businesses take the time to review the FCA’s recommendations and provide feedback as soon as possible. Please note the FCA will consider all feedback received and expects to provide a further update this month.

Payment Systems Regulator (“PSR”) publishes consultation outcome in relation to authorised push payment scams (APP scams)

We previously reported that the PSR had published a consultation on its approach to APP scams and was seeking feedback on the introduction of a voluntary contingent reimbursement model (CRM) and the efficiency of UK Finance’s best practice standards.

The regulator has since published its consultation outcome on 28 February, concluding that:

1. the development of a CRM is the most effective and appropriate way to prevent and reduce the significant harm that APP scams cause to consumers, and to maintain confidence in UK interbank push payment services; and

2. it is not necessary to make changes to the Best Practice Standards at this time, although it will monitor how the standards work in practice and, if appropriate, may look to make changes in the future.

With regards to the introduction of a CRM, the PSR has concluded that it is appropriate to develop an industry code setting out the rules for a CRM, including the standard of care expected of PSPs and consumers. In order to implement this code, the regulator will appoint a steering group of representatives from different stakeholder groups to develop the industry code.

What does this mean for you?

It is encouraging to see that the PSR recognises the importance of adopting a representative steering group to develop an appropriate CRM as soon as possible (with plans to appoint key stakeholders this month).

The consultation response suggests that the steering group will aim to issue an interim code for public consultation by the end of September 2018. At that time, the interim code will likely become part of the relevant considerations that the Financial Ombudsman Service (FOS) takes into account in determining consumer complaints about APP scams, although the final code will not be published until early 2019.

We, therefore, recommend that businesses now monitor the progress of the steering group which the PSR plans to develop this month and, where applicable, feed back on any discussion points in advance of the public consultation in September 2018.

Committee on Payments and Market Infrastructures publishes cross-border retail payments report

The Committee on Payments and Market Infrastructures published a report on 16 February 2018 looking at the challenges facing the cross-border retail payments market. The report analyses survey results from over 100 PSPs as well as feedback from stakeholder workshops. Selected report findings include:

1. cross-border retail payments are usually slower, pricier and less transparent than domestic retail payments;

2. front-end users generally have a choice over their selection of PSPs dependent on the user’s circumstances and requirements (supply side front-end); and

3. for back-end users there is minimal choice over the back-end clearing and settlement methods available with service providers experiencing difficulties with messaging, clearing and settlement of cross-border payments. Suggestions for improvements here could include an improved traditional correspondent banking system and greater interoperability between domestic payment infrastructures and also closed-loop proprietary systems.

The report concludes that having more diversity of back-end clearing and settlement arrangements could result in cross-border retail payments that are quicker, cheaper and more transparent.

What does this mean for you?

As part of the continued industry focus on innovation and the globalisation of the payments market, firms may see alternative models to the traditional correspondent banking settlement system including the linking of domestic payment infrastructures; the closed-loop proprietary system; and solutions based on peer-to-peer distributed ledger technology.

Draft EU FinTech Action Plan

The European Commission has published a draft FinTech Action Plan which calls for the development of a number of targeted initiatives for the EU to embrace digitalisation of the financial sector after a consultation last year. The draft plan highlights a number of steps, including:

1. investigation into the barriers which are reducing information sharing on cyber threats by way of a public-private workshop and consideration on how to fix this;

2. collaborative working between the three European supervisory authorities to improve consistency across financial sectors around ICT security and governance requirements and issue appropriate guidance;

3. analysis of the advantages and disadvantages of building a cross sector cyber threat testing framework for significant market participants; and

4. setting up of an EU FinTech Lab in which supervisory authorities and national regulators can engage with fintech firms in a ‘neutral, non-commercial space.’

What does this mean for you?

The calls for change across Europe come as more new payments models are entering the market. It is good to see that the European authorities recognise the importance of cyber-security, whilst developing innovation and competition in the market. Greater harmonisation and targeted initiatives to encourage fintech adoption are very sensible, but there are a number of challenges which will need to be considered as thinking in this area develops, including where the licensing of fintechs is actually required (if there are differences across jurisdictions, for example in relation to crowdfunding) and the impact Brexit may have on such initiatives.