Payment Matters: No. 35

  • United Kingdom
  • Financial institutions
  • Financial institutions - Payment services

25-06-2018

EBA issues RTS implementation Opinion

The European Banking Authority ("EBA") has released an Opinion in relation to the implementation of the Regulatory Technical Standards for strong customer authentication and common and secure communication (the “RTS”) based on a number of common queries it has received from market participants. Some of the key recommendations include confirmation that:

  • Account information service providers ("AISPs") can access the maximum amount of data available to payment service users regardless of the electronic channel used to access the account (i.e. if additional data is available through an online banking platform than is available through a mobile app, the AISP should be able to access the information which is available via the online banking platform regardless of the channel used by the payment service user);
  • Payment initiation service providers ("PISPs") have the right to initiate the same transactions that the account servicing payment service provider ("ASPSP") offers to its own payment service users (e.g. instant payments, batch payments, international payments, recurring transactions and future-dated payments);
  • The authentication elements (knowledge, possession and inherence) for strong customer authentication (“SCA”) need to belong to two different categories;
  • The payee’s PSP (the acquirer) can decide to apply certain SCA exemptions (contactless payments at POS, unattended terminals for transport and parking, recurring transactions, low-value transactions and transaction risk analysis) but the payer’s PSP (the issuer) will always make the ultimate decision on whether or not to accept or apply an exemption to SCA. If the payer’s PSP does not agree with the payee’s PSP decision, it may wish to revert to applying SCA if technically feasible or decline the initiation of the transaction;
  • The trusted beneficiary exemption (also known as “white listing”) is not limited to credit transfers and may apply to cards through the payer’s PSP, upon the payer’s confirmation. The payee’s PSP cannot apply this exemption and a payee cannot have such a list (e.g. cards on file);
  • The re-direction authentication model is not an obstacle to AISPs and PISPs providing their services but it may be an obstacle if the ASPSP implements redirection in a manner which is restrictive or obstructive for AISPs or PISPs; and
  • When determining which method to use for the purpose of carrying out authentication, all methods of SCA provided to the payment service user need to be supported when an AISP or PISP is used. This means that the method, or combination of methods, used will depend on the authentication procedure the ASPSP offers to its own payment service users; if they differ, this will constitute an obstacle to the provision of payment initiation and account information services.

For further details of the specific recommendations, please see the EBA’s opinion on its website here.

What does this mean for you?

The EBA’s Opinion is addressed to competent authorities to assist with their supervisory responsibilities in relation to the implementation of the RTS but the EBA does note that the Opinion should prove useful for all PSPs, payment schemes, technical service providers and industry initiatives (including the API initiatives that have been emerging across the EU to support the implementation of the RTS). Please note the Opinion is not legally binding but it provides guidance on the EBA’s approach in relation to some of the key industry concerns which institutions should consider as they begin to develop or amend interfaces and infrastructures to support the implementation of the RTS from 14 September 2019.

If you need assistance or advice on your approach to implementing the RTS, please contact us and we would be happy to discuss these key issues and other considerations we are seeing in the market.

EBA consults on Guidelines clarifying fall back exemption

The RTS introduces a requirement to allow AISPs, PISPs and CBPIIs (“TPPs”) to make use of the interfaces made available directly to payment service users for authentication and communication where the dedicated interface for TPPs is not available to the same level of availability, performance and support as the interface available to payment service users directly.

There is an exemption to this requirement to implement contingency mechanisms where an ASPSP uses a dedicated interface to provide access to TPPs, provided that, following consultation with the EBA, the relevant competent authorities are satisfied that the dedicated interface meets certain conditions.

As a result of the lack of certainty regarding this exemption, the EBA has published a consultation in relation to draft guidelines which the competent authorities should take into account when deciding to grant an exemption. By way of example, the Guidelines provide:

  • ASPSPs shall have in place the same service level objectives, targets, out of hours support, monitoring and contingency plans as they have in place for the interfaces used directly by their payment service users. This includes, as a minimum, the implementation of KPIs relating to the uptime of all interfaces and all planned and unplanned downtime of all interfaces;
  • ASPSPs shall establish processes to identify and assess how the dedicated interface performs when it is subjected to an extremely high number of requests from PISPs and AISPs, including the completion of adequate stress testing which takes into account the capability to support access by multiple firms, requests for large volumes of data and other key factors;
  • ASPSPs shall provide the competent authority with a summary of the methods of access chosen and where the ASPSP has put in place only one method of access, an explanation of the reasons why this method of access is not an obstacle to the provision of services and how it will support all authentication methods provided by the ASPSP to its customers;
  • ASPSPs should make available to TPPs the technical specifications for the dedicated interface on their website and make available a testing facility for the dedicated interface in line with the RTS;
  • In order to demonstrate that the dedicated interface has been widely used for at least three months to fall within the exemption, ASPSPs must provide the relevant competent authority with a summary as to the availability of the technical specification and the testing facility made available to market participants and take all reasonable steps necessary for the interface to be operationally used. This shall include reporting the total number of TPPs which have (or have applied for) the relevant authorisation and that have made use of the testing facility, in addition to the number of TPPs using the dedicated interface.

In relation to the consultation with the EBA, the draft Guidelines suggest that the competent authority shall submit to the EBA an assessment form (in the form set out in Annex 1 of the consultation) for each request that they intend to grant. It, therefore, follows that competent authorities shall not take any decision in relation to the application until the earlier of receiving the EBA’s comments on the request, or one month from the date that the competent authority consulted the EBA. Upon receipt of the EBA’s feedback, the competent authority should consider the EBA’s comments when taking any decision on the request (but there is no specific requirement to implement the EBA's decision). For completeness, the Guidelines also suggest that the competent authority should submit the assessment form to the EBA each time it refuses to grant an exemption under Article 33(6).

For further details of the draft Guidelines, please review the EBA’s consultation on its website here.

What does this mean for you?

If you are considering seeking permission from the FCA (or equivalent competent authority) to be exempt from having to build contingency access mechanisms, there are some helpful draft clarifications in the consultation which will impact on how you go about obtaining the exemption. For example, the Guidelines have confirmed that in order to demonstrate that the dedicated interface has been widely used by TPPs, the ASPSP will need to report to the FCA the total number of TPPs which have (or have applied for) the relevant authorisation and that have made use of the testing facility, in addition to the number of TPPs using the dedicated interface. The Guidelines also clarify that ASPSPs can include the three month period of wide usage within the six month testing facility period under Article 30(5).

We, therefore, suggest that you review the Guidelines and, where applicable, provide feedback on the draft Guidelines before the consultation closes on 13 August. Further information on how to respond is available on the EBA’s website here.

FCA issues statement on EBA’s Opinion and draft Guidelines

Following the publication of the EBA’s Opinion and draft Guidelines on the RTS, the FCA issued a statement on 22 June to confirm that it supports the views of the EBA and, if the final version of the Guidelines is the same as the draft, it expects to comply with the Guidelines.

The FCA also plans to consult on the necessary changes to its guidance as a consequence of the RTS, the EBA’s Opinion and draft Guidelines during the summer. The consultation will outline the process for obtaining the exemption from having to build a contingency access mechanism and the information requirements which firms will have to satisfy to enable the FCA to assess whether they have satisfied the exemption requirements.

Before the consultation period begins, the FCA has also stated that:

  • It encourages ASPSPs to provide dedicated access to TPPs using APIs and where standardised APIs align with PSD2 requirements to use the standardised solutions;
  • ASPSPs who choose not to use a dedicated interface (i.e. they decide to use a form of screen scraping to enable access to payment accounts) should ensure that the interface still meets the various requirements under the RTS, for example the obligations relating to access interfaces (Article 30), certificates (Article 34), security of communication sessions (Article 35), data exchanges (Article 36) and other wider RTS requirements;
  • ASPSPs will need to make available technical specifications, provide support to TPPs and offer a testing facility by 14 March 2019 (although the FCA recommends that ASPSPs do not wait until this date);
  • ASPSPs should submit timely requests to the FCA if they want to benefit from the exemption from having to build a contingency access mechanism as the FCA needs time to complete an assessment. The FCA also confirmed that it cannot grant a partial exemption and it will provide opportunities for ASPSPs to engage with the FCA before submission of the request.

What this means for you?

The FCA has encouraged firms to consider the EBA’s views set out in the Opinion and the draft Guidelines. This is of particular importance now that the FCA has confirmed that it will comply if the final version of the Guidelines remains the same as the draft. We, therefore, recommend that all institutions review the Opinion and Guidelines to gain a greater understanding of when the exemption will be granted. This will also put you in a better position to respond to the FCA’s consultation on any changes to its guidance as a result of the implementation of the RTS during the summer.

EBA adds PSD2 support tools onto website

On 22 June 2018 the EBA released additional support tools relating to the revised Payment Services Directive. In particular, the EBA has updated its online Interactive Single Rulebook to include all final Technical Standards and Guidelines associated with PSD2 and it has also extended its coverage of PSD2 into the Q&A tool.

What this means for you?

You will now be able to review all the EBA's final Technical Standards and Guidelines associated with PSD2 by navigating through the Directive on an article by article basis via the EBA’s website. For all additional queries relating to the Directive and the EBA’s work in relation to the Directive, institutions are also encouraged to use the Q&A tool available here to support the consistent and effective application of the EU regulatory framework. Anyone asking a question will be required to include detail on what they believe the answer should be and include arguments supporting their view or the question will not be accepted. Responses will not be legally binding and it is envisaged that most questions will be answered within two to four months and will appear on Fridays between 12pm and 1pm (EET).

The Open Banking Implementation Entity announces planned updates to the existing API standards

As reported in the previous edition of Payment Matters, the Open Banking Implementation Entity (“OBIE”) has suggested that the recent OBIE roll-out scheme has successfully proven that the account access data functionality of the API templates is effective. However, despite the OBIE’s reported success, it is noted that full access requirements mandated by the RTS have not yet been met by the OBIE, particularly in relation to payment initiation services as third parties have complained about the quality and usability of the existing APIs. As a result, the OBIE has announced that new versions of the API standard templates will be released and implemented by the UK’s nine largest banks (CMA9) during the next couple of months.

What this means for you?

The OBIE has suggested that the revised templates will expand upon the existing scope from current accounts to other products such as credit cards and e-money accounts. When the revised templates are released, it will also be interesting for industry participants to see if the OBIE has got any further in relation to some of the key industry debates regarding the compatibility of the OBIE templates with the RTS. Recent industry debates on this matter include: (i) the method of authentication to be used by the OBIE API (i.e. redirection, embedded, decoupled); (ii) the requirement to register with OBIE and whether this could be considered to be an obstacle to the provision of services; and (iii) whether the final ‘authorisation’ stage is compliant with PSD2 as it involves account servicing payment service providers replaying the terms of the consent with the TPP to the customer and seeking their confirmation to proceed with the payment.

If you are considering using the Open Banking model to provide third party payment providers access to customers’ payment accounts, or you are a third party wanting to gain access via the Open Banking model, please contact us and we would be happy to discuss this in more detail.

Industry concerns raised over the number of payment institutions who have missed the FCA’s re-authorisation deadline

Authorised payment institutions and electronic money institutions wishing to continue to provide payment services after 12 July 2018 are required to be re-authorised under PSD2. The FCA set a deadline for the re-authorisation/re-registration of existing payment institutions or e-money institutions of 13 April 2018, requiring institutions to comply with the new information requirements and authorisation conditions under PSD2. It has, however, been reported that only 295 payment institutions have met the deadline for re-authorisation despite the fact that the FCA’s register of regulated companies currently shows a total of 384 authorised payment institutions are currently active in the UK.

What this means for you?

If you are a payment institution that requires re-authorisation but you have missed the 13 April deadline, we recommend that you contact the FCA immediately to discuss the status of your business. The FCA has previously noted that any firms that miss the April deadline will not be able to continue to provide payment services on or after 13 July 2018. If required, please contact us and we can assist you with the necessary interaction with the FCA.

The European Commission consults on amendments to Regulation 924/2009

The European Commission proposes to amend Regulation 924/2009 to:

  • Provide that charges levied by a PSP on a payment service user in respect of cross-border payments in Euro shall be the same as the charges levied by that PSP on a payment service user for corresponding national payments of the same value and in the official currency of the payment service user’s Member State;
  • Require PSPs to inform payment service users of the full cost of currency conversion services prior to the initiation of a payment transaction so payment service users can compare alternative currency conversion options and their corresponding costs;
  • Implement a maximum charge for currency conversion services during the transitional period before the regulatory technical standards come into force.

What this means for you?

There has been a lot of industry debate in relation to whether this proposal is consistent with PSD2 and workable in practice. For example, the equivalent obligations to disclose charges and the applicable exchange rate under PSD2 only apply to dynamic currency conversion but the proposal potentially extends this obligation to card issuers who are now querying how they will provide an exchange rate offer at the point of sale given that currently there is a delay between the initiation of the payment and the actual conversion.

We do, however, understand there has been a further compromise proposed by the European Council which would, if agreed, remove the obligation on issuers although it is of course not certain whether the final legislation will reflect this position. We expect to obtain additional detail on the approach of the European Council in due course but reaching agreement on the text by the target date of January 2019 may now be unlikely.

Advocate General hands down an opinion on the interpretation of "payment account"

The Supreme Court in Austria has requested a preliminary ruling in relation to the interpretation of a “payment account” under Directive 2007/64/EC. In response, the Advocate General has now handed down its opinion to the European Court of Justice to determine whether an ‘online direct savings account’, whereby customers can independently make deposits and withdrawals by way of telebanking but must always carry out those transfers through another account held in the customer’s name (the ‘reference account’), is to be classified as a payment account.

By way of background, the Advocate General opinion notes that the reference account is a current account opened in Austria, but does not have to be held with the same banker (i.e. the bank which operates the online direct savings account does not need to operate the reference account). The customer is able to decide, without any restriction or notice (and without any negative effects on interest) when it wishes to transfer monies between the online direct savings account and the reference account (including the value of the transaction). In addition, the opinion notes that although transfers are only possible between the online direct savings account and the reference account, the customer is not prevented from having access to the account at any time and it does not need to involve the payment service provider to access the account of money in the online direct savings account.

On this basis, the Advocate General has considered the arguments put forward by each of the respective parties (i.e. the applicant’s argument that the determining factor is the customer’s ability to undertake transactions on his own initiative at any time and the defendant’s argument that payment accounts involve the possibility of interacting directly with third parties as part of undertaking payment transactions) and concluded that the determining factor is whether or not the relevant account allows for direct participation in payment transactions with third parties (i.e. can the customer transfer money to a third party directly from the account in question). If this is not the case and an intermediate step is required in which the money is transferred (in this scenario from the online direct savings account to the reference account), the account cannot be considered to be a payment account.

What this means for you?

The referral of this matter by the Austrian Court has enabled the European Court of Justice to consider the definition of a ‘payment account’ for the first time. It is interesting to see that the Advocate General has determined that the ability to transfer monies to third parties from the account in question is fundamental in determining whether an account is to be classified as a payment account, particularly as, in our experience, the European Court of Justice tends to give a high degree of weighting to the Advocate General’s opinion. We, therefore, recommend that all institutions review the European Court of Justice’s final decision on this matter and, if applicable, consider whether you need to reconsider the labelling of your accounts.

PSR provides an update on authorised push payment scam work

On 21 June 2018 the Payment Systems Regulator issued an update explaining the work it is doing to prevent payment fraud, in particular, authorised push payment scams. There is little by way of systematic or structured protection for customers currently in place to combat this type of fraud. The report outlines the measures, mainly led by UK Finance and the New Payment System Operator, in place or expected to make life more difficult for the criminals responsible but easier for consumers who fall victim to fraud.

Prevention measures include:

  • consumer education and awareness
  • improvement of sanctions data quality
  • confirmation of payee processes
  • ‘know your customer’ data sharing

Consumer measures after the fraud occurs include:

  • best practice standards
  • transaction data analytics
  • financial crime information and data sharing

Lastly, in relation to outcome, follow-up and reimbursement, the measures suggested are the contingent reimbursement model and collection and publication of scam statistics.

What this means for you

As part of cutting payment fraud and making a customer’s experience better when it has taken place, a wide variety of initiatives have begun or are in the pipeline from the NPSO or UK Finance for the next 12 months, which will lead to payment service providers having to follow certain new processes. For example, UK Finance have developed a best practice standard that banks will follow when a victim reports an APP scam and there will be guidelines to follow relating to identity verification to make it harder for fraudsters to open accounts which are used for fraud. In addition, a steering group (consisting of representatives from consumer groups and PSPs) is working on a model to establish the circumstances in which a victim of a scam would be reimbursed. The model is still intended to encourage consumers to be vigilant but will be looking to incentivise PSPs to use measures to help prevent APP scams at the same time.
