Payment Matters: No. 41

  • United Kingdom
  • Financial institutions
  • Financial institutions - Payment services

30-05-2019

1. Strong customer authentication deadline rapidly approaching

2. The API evaluation working group publishes its latest round of clarifications

3. The European Banking Authority clarifies fraud rate rules

4. European banks express concerns regarding the implementation of fraud reporting requirements

5. Confirmation of payee deadline extended

6. Regulation amending regulation on cross-border payments published in the Official Journal

7. Preliminary ruling on interpretation of Articles 2 and 58 of the Payment Services Directive (PSD)

8. The Financial Conduct Authority publishes Duty of Care feedback statement

9. The European Central Bank publishes a report on card payments in Europe


1. Strong customer authentication deadline rapidly approaching

There is now significant concern within the payments industry that the market will not be ready to fully and correctly implement strong customer authentication (SCA) by the deadline of 14th September 2019.

Despite the regulatory technical standards (which set out SCA obligations) being finalised in March 2018, there has been a lot of uncertainty in numerous areas and the European Banking Authority (EBA) is still clarifying a number of significant issues via its online Q&A tool at this late stage.

In the e-commerce space, there is also a lack of awareness of what is happening in September amongst smaller merchants and a concern, by those that are aware, that online retailers will face a much larger number of transaction declines.

A significant aspect of the industry's readiness will be the implementation of 3D Secure, which many in the retail sector are currently not close to completing. Even where it has been implemented, there are questions over how to put through certain types of transactions and what the process is when 3DS does not work, as well as worries over the additional friction in the customer journey.

We are aware that conversations are happening with regulators at national and European levels to analyse data and consider whether anything can be done to assist with a smooth transition to the new regime.

What this means for you?

The whole payments sector wants a seamless buying experience for customers whilst ensuring high levels of security. Online merchants and payment providers will need to ensure that they are able to manage the PSD2 requirements when they come into force in September 2019.

While many payment service providers (PSPs) have been working on the implementation of this process since at least March 2018, it is clear that certain issues have only recently been clarified by the EBA and other issues which affect implementation are still not clear.

For PSPs, this means that build and risk decisions are having to be made without complete certainty of what is required and retailers are being left wondering how different issuers will interpret certain issues (such as what can be processed as MOTO and MITs). In the coming weeks, what happens with the various European regulators may determine whether PSPs and retailers still find themselves in that position.

2. The API evaluation working group publishes its latest round of clarifications

The European Banking Authority (EBA) API evaluation working group has published its latest round of clarifications in response to the issues raised by members of the working group.

The latest clarifications include confirmation that:

• where a third party payment provider (TPP) has outsourced certain activities to agents or technical service providers (TSPs), there is no legal requirement to include the name of the agent or TSP in the eIDAS certificate and the TPP remains liable for the acts of such agents and TSPs in any event;

• competent authorities may use the evidence provided by an account servicing payment service provider (ASPSP) relating to data obtained for the same interface in other Member States when considering whether the condition of wide usage has been met;

• given eIDAS certificates do not contain information on passporting, ASPSPs are not legally required to check any passporting information related to the TPP requesting access to online payment accounts;

• in the same way as for the testing facility, any dedicated interface should offer the use of eIDAS certificates prior to 14 September 2019 (particularly as it may contribute to meeting the conditions to get an exemption from the obligation to build a fallback mechanism).

You can find details of these clarifications here.

What this means for you?

The clarifications published by the API working group are of an informational nature and have no binding force in law but we recommend that all firms take these into account when finalising their API build, in addition to existing finalised guidance from the EBA and the relevant competent authorities, as the clarifications may influence the decisions of competent authorities (particularly as the FCA has closely aligned its guidance with other European guidance, such as the EBA Opinion).

3. The European Banking Authority clarifies fraud rate rules

The European Banking Authority (EBA) has clarified in its Single Rulebook Q&A that payment service providers (PSPs) which operate across multiple member states should calculate fraud rates at legal entity level for the purposes of the TRA exemption (which will apply to the new strong customer authentication requirements in force from 14 September 2019).

In its response to the Q&A, the EBA states that this data cannot be provided at branch level, given that branches do not operate as a separate legal entity. This is the case even where a PSP as a legal entity operates in each member state via a separate branch. Subsidiaries, however, do hold separate legal status and so this data should be calculated at subsidiary level.

The EBA also notes that this differs from the requirements under the EBA’s separate fraud reporting guidelines which require reporting at branch level for statistical purposes.

What this means for you?

PSPs will need to ensure that they are able to collate and provide fraud data at both a legal entity level regardless of how many member states the PSP operates in, and a branch level for the purposes of the two different EBA fraud calculation requirements.

4. European banks express concerns regarding the implementation of fraud reporting requirements

On 9 April 2019, representatives of a number of banks with operations in the EU signed a letter addressed to the European Banking Authority (EBA) and the European Central Bank (ECB) setting out concerns regarding the implementation of the new fraud reporting measures under the revised Payment Services Directive (PSD2). Concerns have arisen over the lack of consistency regarding the implementation of the EBA’s fraud reporting guidelines as national competent authorities have interpreted the requirements differently. The group also suggests that payment service providers (PSPs) should not be required to run two separate implementation programmes to satisfy the EBA fraud reporting guidelines and the revised European Central Bank Regulation on Payments Statistics that will come into force from 2021. You can find a copy of the letter here.

What this means for you?

PSPs who operate in different jurisdictions may find that they are having to comply with different interpretations of the fraud reporting requirements for each jurisdiction which may lead to operational difficulties and a lack of harmonisation. We, therefore, recommend that firms review the letter and pay close attention to any response or follow up from the EBA on this matter, particularly as the letter calls for full alignment of the reporting content and format, the start and end dates of each reporting period and the applicable submission deadlines.

5. Confirmation of payee deadline extended

The Payment Systems Regulator (PSR) has published its latest consultation paper on the implementation of confirmation of payee (CoP) following the preceding consultation, which was subject to a lot of industry debate due to the challenging implementation dates proposed by the regulator.

The PSR is now proposing to issue a regulatory direction which will require the six largest banks in the UK to implement the technology to respond to any CoP request by 31 December 2019 and send CoP requests by 31 March 2020.

The PSR has also confirmed that the new proposed direction only relates to transactions that start and end at UK-based accounts and that happen exclusively over the Faster Payments or CHAPS payment system. International payments and other payment methods (e.g. BACS) will not fall within the scope of the direction.

What this means for you?

The new proposed regulatory deadline offers an extension from the initial proposal for the six largest UK banks and the PSR has also pulled back on the number of financial institutions required to implement CoP under regulatory directions.

This will be welcomed by the majority of firms as the industry criticised the initial proposed timescales given the conflicting regulatory deadlines in relation to the implementation of the RTS and Brexit, the lack of awareness of the details of the CoP scheme, the complexities of the technical build and the inability to outsource the build given the fact that the specifications were not readily available.

We understand that the PSR has already consulted with various market participants regarding the proposed timescales to reach the new proposed dates but the regulator is seeking formal feedback on the consultation by 5 June 2019.

We, therefore, recommend that all payment service providers (particularly the six largest banks which will be subject to the regulatory direction) take the time to review the consultation and provide feedback, with particular focus in relation to the proposed timelines as the PSR will be interested in the potential barriers which firms may face in meeting the proposals within the suggested timeframes.

6. Regulation amending regulation on cross-border payments published in the Official Journal

Regulation (EU) 2019/518, amending the Regulation on cross-border payments (924/2009), has been published in the Official Journal of the EU (OJ).

This regulation includes requirements relating to:

• charges levied by a payment service provider (PSP) on a payment service user in respect of a cross-border payment in euros must be the same as the charges levied by that PSP for corresponding national payments of the same value in the national currency of the Member State where the PSP is located; and

• the transparency of currency conversion charges which are applied to card based payment transactions and credit transfers.

The Regulation on cross-border payments came into force on 18 April, and will apply from 15 December 2019, with some exceptions. For example, certain obligations relating to the obligations upon the payers’ PSPs to send electronic messages to a customer after receipt of certain payment orders will not come into effect until 19 April 2021.

What this means for you?

We recommend that all PSPs review the Regulation in detail and begin putting in place processes to ensure compliance with the relevant obligations by 15 December 2019. However, it is worth noting that the UK Government have stated that they do not propose to retain this regulation post-Brexit and therefore, given that the Brexit transitional period is due to end in December 2020, UK PSPs may not need to change their practices in relation to the aspects coming into force after that date.

7. Preliminary ruling on interpretation of Articles 2 and 58 of the Payment Services Directive (PSD)

The European Court of Justice handed down its preliminary ruling in Mediterranean Shipping Company (Portugal) - Agentes de Navegacao SA v Banco Comercial Portugues SA on 11 April 2019 in the context of unauthorised direct debit payment transactions.

In this case direct debits were paid, initiated and executed by the payer on an account which the payer did not hold and where the account holder did not consent to these direct debits. The ruling, therefore, confirms that:

• Article 2 of PSD must be interpreted to the effect that ‘payment services’ includes the execution of direct debits, initiated by the payee, on a payment account of which it is not the holder, where the holder of the account debited does not consent to those direct debits.

• Article 58 must be interpreted to the effect that the notion of ‘payment service user’, for the purposes of that article, includes the holder of a payment account on which direct debits were executed without its consent.

Article 58 of the PSD was replaced by Article 71 of PSD2. The two provisions are broadly the same, as are the other key provisions and definitions on which the ECJ relied. This case may therefore provide a helpful interpretation of the equivalent provisions and definitions under PSD2.

What this means for you?

We are now starting to see more European payment services case law and this is another development in the interpretation of the PSD. It would, of course, not make any practical sense to exclude customers and accounts based on a narrow reading of the directive’s definitions as it would potentially remove customer rights which are clearly appropriate to apply. However, payment service providers should review their current refund procedures and policies regarding direct debit payments to ensure that they are in line with this interpretation.

8. The Financial Conduct Authority publishes Duty of Care feedback statement

The Financial Conduct Authority (FCA) published a feedback statement on 23 April 2019, which sets out the responses to the discussion paper ‘A Duty of care and potential alternative approaches’ from July 2018. Both of these reports look at whether the FCA’s regime and powers afford the appropriate protection to consumers, while balancing the needs of firms.

In the statement, the FCA sets out a range of opportunities to enhance the level of consumer protection. These could include:

• reviewing how the regulatory framework is applied, including how the Principles are used in their supervisory and enforcement functions; and

• introducing new or redrafted Principles to make firms’ obligations to consumers as clear as possible – this may include bringing in a formal Duty of Care or a private right of action where Principles are breached.

There may also be consideration towards bringing in a statutory duty, but this will need to be debated further, and ultimately enacted by Parliament.

What this means for you?

The FCA is expected to deliver its next steps in the Autumn once it has considered these options further. In the meantime, we recommend that payment service providers review the feedback statement and consider how some of the proposals may impact them if they were implemented. For example, how a statutory duty would be able to be applied across the industry given the wide variety of services and consumer relationships in the financial services industry.

9. The European Central Bank publishes a report on card payments in Europe

On 17 April 2019, the European Central Bank (ECB) published a report analysing the existing and future landscape of the card payment sector in Europe. The publication highlights that card payments have enjoyed huge growth but both merchants and cardholders would benefit from the harmonisation of practices and technical standards which a Single Euro Payments Area (SEPA) would afford to the sector. In particular, the ECB suggests that a SEPA for cards would help resolve restrictions on merchants accepting certain cards, a lack of interoperability between cards and terminals, and reduce the number of cardholders who are confused by different payment experiences across Europe.

What this means for you?

It is clear that the ECB is keen to encourage market players to participate in conversations regarding the implementation of a SEPA for card payments. We would, therefore, recommend that all PSPs review the report in detail, particularly card market players who should pay close attention to any calls for action from the ECB and proactively involve themselves in any discussions or consultations that are opened up.
