Payment Matters: No. 43

  • United Kingdom
  • Financial institutions - Payment services

09-10-2019

Welcome to the latest edition of Payment Matters, our popular payment services briefing which rounds up payments sector news from the UK, Europe and beyond.

This edition includes:

1. The Financial Conduct Authority (FCA) has announced a 6 month transitional period for Open Banking in the UK

2. The FCA agrees implementation periods for the application of SCA

3. Industry developments regarding the implementation of Confirmation of Payee (CoP)

4. Authorised Push Payment fraud – Faster Payments fraud levy

5. The EBA Working Group publishes latest set of clarifications regarding the use of APIs

6. Industry developments regarding the amended cross-border payments Regulation

7. The Payment Systems Regulator (PSR) publishes updates on its approach to conducting profitability analysis and plan of work for a review into the acquiring market

8. The PSR issues data use response paper

9. The European Payments Council issues Brexit “no-deal” impact information on SEPA transactions

10. US Federal Reserve announces plans for real time payment system

For past editions of Payment Matters, please visit our dedicated hub here >

1. The Financial Conduct Authority (FCA) has announced a 6 month transitional period for Open Banking in the UK

The FCA expressed its concerns in relation to the ability of some third party payment providers (TPPs) to continue to provide their services after the application date of the Regulatory Technical Standards for strong customer authentication and common and secure open standards of communication (RTS) due to the state of readiness of the industry.

To prevent disruption to customers and TPPs, the FCA has agreed an adjustment period of six months (until 14 March 2020) where the regulator won’t take enforcement action for failing to provide access to payment accounts available online via an API or a modified customer interface.

What this means for you?

ASPSPs, who did not have all of their payment accounts accessible via APIs on or before 14 June 2019, should continue to enable TPPs to access payment accounts available online via existing screen-scraping channels. This means not applying strong customer authentication (SCA) to access accounts online during this period.

For ASPSPs who intend to use modified customer interfaces to provide access (rather than APIs), the FCA has also acknowledged that these firms may choose not to apply SCA during the adjustment period.

During the adjustment period, firms should also note that:

• TPPs should use eIDAS certificates (or an equivalent certificate) to identify themselves during the adjustment period;

• Where it is not possible for TPPs to identify themselves (e.g. access is provided via traditional screen-scraping methods), TPPs should remain transparent about their identity when interacting with ASPSPs (although the FCA has not confirmed how this will work in practice);

• ASPSPs have until 14 March 2020 to build a contingency mechanism or to obtain an exemption from the requirement to build a contingency mechanism; and

• ASPSPs are required to tell TPPs how they can access accounts during the six month adjustment period (and the FCA encourages the use of the Open Banking Implementation Entity’s transparency calendar for this purpose).

2. The FCA agrees implementation periods for the application of SCA

The FCA has also agreed extension periods in relation to the application of SCA to online banking and e-commerce transactions due to the state of readiness of the industry in advance of the preceding 14 September deadline.

It follows that ASPSPs now have until 14 March 2020 to implement SCA for online banking in certain circumstances without the FCA taking enforcement action.

The FCA has also confirmed it will not take enforcement action against firms for failing to apply SCA to e-commerce transactions for a period of 18 months where there is evidence that the firm has taken the necessary steps to comply with the agreed plan.

You can find details of the agreed plan in the context of e-commerce transactions here.

What this means for you?

Many institutions have welcomed the extended implementation periods in light of the last minute guidance from the European Banking Authority (EBA) on what constitutes compliant SCA factors (e.g. static card details cannot be used as a possession factor and OTPs cannot be used as a knowledge factor).

However, the implementation periods have also resulted in a number of additional questions across the industry given there is now a disconnect between the application date of the legal requirements under the PSRs and regulatory enforcement across the industry in the UK.

For example, one of the key points being considered in the industry is where this leaves PSPs in respect of refunding unauthorised transactions where SCA has not been applied to the relevant payment transaction.

This is based on the fact that, from 14 September 2019, there are separate legal obligations under law to: (i) apply SCA to payment transactions; and (ii) bear liability for unauthorised transactions where the payer’s PSP should have applied SCA but failed to do so.

The legislation suggests that ASPSPs would need to update their policies and procedures to provide a refund where they do not apply SCA (i.e. during the implementation periods) but the FCA is not taking enforcement action for a failure to apply SCA.

3. Industry developments regarding the implementation of Confirmation of Payee (CoP)

As previously reported in Payment Matters, the Payment Systems Regulator (PSR) has published a specific Direction requiring the largest banks and building societies to implement CoP for Faster Payments and CHAPS payments from 31 March 2020.

Directed PSPs must respond to CoP requests from 31 December 2019 and send CoP requests to the payee’s PSP for Faster Payments and CHAPS payments from 31 March 2020 (in line with the specific Direction).

We are also aware that other market participants (i.e. non-directed PSPs) are voluntarily complying with these timescales to offer advanced protections for their customers, although there will no doubt be many institutions who are not in a position to do so and will wait until directed to do so by the PSR (if applicable).

What this means for you?

For those institutions implementing CoP in the imminent future, we are aware that others are considering the following points as part of the CoP implementation process:

• are changes to terms and conditions necessary in light of the new CoP process (e.g. amends to clarify that PSPs will use the payee’s name to initiate the payment transaction, particularly if terms currently note that the payee’s name won’t be used to initiate the payment);

• if changes are required to terms and conditions, would the two months’ notice period under Regulation 50 of the PSRs apply;

• how will CoP be implemented in the Open Banking journey (i.e. will the check be completed in the ASPSP’s domain or the TPP’s domain and who is responsible for completing the check), although we understand that Open Banking payments are not in scope of phase one of CoP which is coming into play in March 2020.

Please note directed PSPs must send a written report to the PSR detailing how they propose to introduce CoP and exemptions can be obtained from the PSR if PSPs have exceptional grounds.

Please contact us if you would like to discuss any of the above points when you are considering how to implement CoP.

4. Authorised Push Payment fraud – Faster Payments fraud levy

Pay.UK is being pressured to introduce a fee on all transactions to fund reimbursement of fraud victims. The levy would see a fixed fee of 2.9p imposed on every Faster Payments Scheme transaction and is supported by a number of credit institutions whose reimbursement reserves are becoming significantly reduced. The objective of the levy is to replace the reserves supplied by such banks which constitute the current fund for fraud victims.

The new reimbursement model would apply in the case of authorised push payment (APP) fraud (i.e. where an individual is tricked into authorising a bank transfer to an account controlled by a fraudster, but where the sending bank, receiving bank or individual are not deemed to be at fault).

All Faster Payments transactions of more than £30 would be subject to the levy, as long as the bank or payment provider has already made 100,000 transfers. The 2.9p fee would only be set for the first year, with future amounts to be determined by the amounts paid out since the introduction of the fee.

As part of the voluntary code of conduct on APP fraud, if the paying or receiving bank is deemed to be at fault it must reimburse the customer. In cases where the victim’s conduct meets the definition of “gross negligence”, they cannot claim reimbursement. Most UK financial institutions have signed up to the voluntary code.

Potential issues

Under the plan, customers of financial institutions that have not signed up to the code will still be able to pursue reimbursement out of the fund, but will have to do so via the Financial Ombudsman Service rather than directly from their bank. Direct members of Faster Payments will be subject to the new fee even if they have not signed up to the code of conduct.

It is also possible that the current plan would disproportionately affect indirect participants of Faster Payments, where firms access the system via a sponsor institution. There is no guarantee that their sponsor institution will choose not to pass on the cost of that levy to the PSPs they sponsor, despite the fact that the customers of such PSPs would be unable to benefit from the code and the fund, as the transactions fall out of scope.

What this means for you?

We understand that Pay.UK is due to present the findings of its call for information by the end of November, when it will make a decision on UK Finance’s proposal. If approved, the new rules could come into force as early as January 2020. We, therefore, recommend that financial institutions review and understand their obligations under the new code (if applicable) and PSPs sponsored on to FPS should consider the impact to their business model of such a levy being passed on to them.

5. The EBA Working Group publishes latest set of clarifications regarding the use of APIs

The EBA has published its responses to the latest round of issues raised by participants of the EBA Working Group on APIs under PSD2.

The issues covered include commentary on:

• machine-readability of the central register of the EBA under PSD2;

• measurement of response times of the dedicated interface;

• identification of TPPs through “guestbook approaches”;

• data that can be accessed by TPPs;

• documentation of contingency mechanisms; and

• the availability of, and reliance on, eIDAS certificates.

You can find details of the latest feedback here.

What this means for you?

Based on feedback throughout the industry, we are aware that the commentary regarding the use of “guestbook” approaches to identify TPPs is of particular interest in the latest round of feedback.

The approach requires TPPs to register at a central point (the “guestbook”) by providing their eIDAS certificate, but the subsequent and separate steps taken after registration would not enable ASPSPs to identify the TPP or check whether the TPP has performed the guestbook entry at the time of accessing the ASPSPs’ online channel.

On this basis, the EBA confirmed that such approaches are not compliant methods of identifying TPPs under the RTS as they do not enable ASPSPs to rely on eIDAS to identify the TPP at the time access takes place. The EBA also suggests that the approaches would impose a condition for the identification of the TPPs that does not have any legal basis in PSD2 or the RTS (i.e. the initial registration).

On this basis, any PSPs considering using the “guestbook” approaches should re-evaluate the solution to ensure compliance with the RTS (particularly as the FCA has said that after 14 March 2020, failure to comply with the requirements will be subject to full FCA supervisory and enforcement action as appropriate).  

6. Industry developments regarding the amended cross-border payments Regulation

As previously reported in Payment Matters, the amended Regulation on cross-border payments includes a new requirement to ensure that charges levied by a payment service provider (PSP) on a payment service user in respect of a cross-border payment in euros must be the same as the charges levied by that PSP for corresponding national payments of the same value in the national currency of the Member State where the PSP is located (the equivalence rule).

The Regulation also includes new requirements regarding the transparency of currency conversion charges which are applied to card based payment transactions and credit transfers (although, subject to the outcome of Brexit, these do not come into force until 2020 and 2021).

The equivalence rule summarised above is due to come into force on 15 December 2019.

What this means for you?

Given the deadline for implementing the equivalence rule is fast approaching, we recommend PSPs undertake a review of their current charging structures/policies to identify any charges which may need to be amended or removed in advance of the 15 December 2019 implementation deadline.

This requires detailed analysis of firms’ current practices to identify whether the charges relate to currency conversion (which are outside the scope of the equivalence rule), or whether it’s a charge for a cross border payment irrespective of currency conversion (e.g. standard flat fee for sending money in euros to another country).

Consideration of what would constitute an equivalent charge for an equivalent domestic transaction in sterling is also important. For example, industry participants are considering whether they can benchmark cross-border euro payments against payments processed through UK payment systems such as CHAPS or the Faster Payments scheme.

We would also suggest firms consider reviewing their terms and conditions and charges/tariff documentation to consider if changes are required and, if so, whether the two months’ notice period under the PSRs would apply.

Please note, however, it is worth considering that the UK Government have stated that they do not propose to retain this regulation post-Brexit and therefore, given that the Brexit transitional period is due to end in December 2020, UK PSPs may not need to change their practices in relation to the aspects coming into force after that date.

7. The Payment Systems Regulator (PSR) publishes updates on its approach to conducting profitability analysis and plan of work for a review into the acquiring market

On 22 July 2019, the Payment Systems Regulator (PSR) provided an Update on its work plan in relation to the market review into the supply of card-acquiring services, which was launched in January 2019.

Further to the indicative timetable set out in its final Terms of Reference (ToR), the PSR has pushed back publication of its interim report to Q1 2020. The PSR has said that the original timetable was impacted by the need to consider additional issues raised in the submissions it received to date, together with the onboarding and due diligence of the appointed consultants assisting in the PSR’s analysis.

The updated plan of work in relation to the market review and publication of interim report by the PSR is as follows:

| Phase | Activity | Timing |
| --- | --- | --- |
| Information gathering and analysis | Collect evidence and information from market participants | Until end October 2019 |
| | Conduct merchant survey | August and September 2019 |
| | Analysis of evidence and information gathered | Until end December 2019 |
| Interim report | Publish interim report | Q1 2020 |
| Final report | Conduct hearings | Q2 2020 |
| | Publish final report | Q3 2020 |

In addition, on 18 September 2019, the PSR published an Update on its approach to assessing the profitability of card-acquiring services, as part of its ongoing market review.

Following the consultation from July to August 2019 on the approach to conducting a profitability analysis, the PSR concluded that the Gross Profit Margin (GPM) approach, together with other evidence gathered in the market review, is more likely to provide useful analysis for its understanding of how competition is working in the card-acquiring sector, and whether the supply of card-acquiring services is working well for merchants and consumers. The PSR no longer intends to use Return on Capital Employed (ROCE) as an alternative means of assessing profitability.

What this means to you?

The decision of the PSR to drop any approach to assessing profitability on the basis of ROCE is a welcome move given the challenges this would have presented for businesses that have relatively low levels of tangible assets. This could have resulted in more complexity and significantly more resources being deployed by both the acquirers and the PSR. An approach to the assessment of profitability on a GPM basis would appear therefore to be a step in the right direction. However, whilst this may be a more cost-effective approach for the market analysis, it will nonetheless present its own challenges and the PSR will need to be cautious about whether this approach is able to produce a meaningful measure of profitability on which it can rely as an indicator of how competition is working.

As the PSR now enters into the final stages of its information and evidence gathering exercise, parties have a window of opportunity to engage with the PSR to further direct its thinking and to influence its provisional findings before it moves to publication of its interim report in early 2020. Parties should therefore ensure that they take the time before year end to provide input, in particular to assist the PSR with its understanding of the complex issues under review.

8. The PSR issues data use response paper

The PSR has issued its September 2019 response paper to its June 2018 discussion paper on how data is used in payment systems. The PSR is interested in the new opportunities for PSPs and end users in creating new business models, improving access, creating competition and innovation. The PSR is also considering the application in the detection of financial crime and protection of end users.

Most of the issues discussed are in direct relation to GDPR and the challenges data processors will face when dealing with payment data. The Visa Developer Platform and Mastercard Developers are raised as examples of ways for third parties to access data. Consideration was given to anonymising data so that GDPR would not apply.

The PSR identified three key areas of concern:

• the reluctance of some to share data attached to their payments;

• limited access to data about transactions for potential providers of new services; and

• the additional benefits granted by additional data attached to transactions.

To address these areas the PSR asked for views on:

• data in the payment industry: the types of payments data and the different ways data can be classified;

• payments data usage: where payments data could be used to generate benefits, and the different ways that firms use data;

• end users’ willingness to share data: limits on innovation due to reluctance to share data;

• access to scheme-wide datasets: allowing firms access to scheme-wide data to develop overlay service and combat fraud and financial crime; and

• realising the benefits of enhanced data: considering investment costs and barriers.

The PSR concluded that the move to the New Payments Architecture (NPA) provided an opportunity to build a data-sharing capability into the NPA. The PSR is working with Pay.UK in potentially giving access to synthetic NPA scheme-wide data for testing. They are also looking into the feasibility of giving access to real NPA scheme-wide data.

What this means for you?

The PSR has decided to not require regulated payment systems operators to open access to scheme-wide data because of the lack of well-defined use cases. However, with the move to NPA the PSR and Pay.UK are considering giving access to NPA scheme-wide data to firms to help them develop new or improved products.

It is currently too early to determine what this entails, whether you will need to provide data subject to GDPR or whether data will need to be anonymised.

9. The European Payments Council issues Brexit “no-deal” impact information on SEPA transactions

The European Payments Council has issued a note outlining the operational implications of a “no-deal Brexit” on Single Euro Payments Area Credit Transfer and SEPA Direct Debit transactions.

If a “no-deal Brexit” occurs on 31 October 2019, the UK would leave the European Union immediately without a transitional period. Consequently, consumers, businesses and public bodies would have to respond immediately to the various changes created by a “no-deal Brexit”. However, the UK would maintain its participation in the Single Euro Payments Area (SEPA) payment schemes.

From a payments perspective, in case of a “no-deal Brexit”, as of 1 November 2019 the UK will have to be considered as a non-European Economic Area Single Euro Payments Area country (like currently Andorra, Guernsey, Isle of Man, Jersey, Monaco, San Marino, Switzerland and Vatican City State).

What does this mean for you?

For SEPA transactions to be executed or settled as of 1 November 2019, involving a UK-based SEPA scheme participant, the EPC strongly advises that the full address details of the originator or debtor, as appropriate, should be included within the transaction information. Additionally, the bank identification code (BIC) of the beneficiary bank or debtor bank should also be included when explicitly requested. Failure to include these details may lead to R-transactions (i.e. where the transaction cannot complete) for the recipient.

The EPC also recommends that SEPA scheme participants should identify, as soon as possible, customers with incoming and outgoing cross-border SEPA transactions involving a UK and an EEA payment account and inform all customers concerned about the need to provide extra SEPA transaction data. 

10. US Federal Reserve announces plans for real time payment system

The Federal Reserve Board has announced that it will develop a new faster payments service called FedNow. The new settlement system will provide real time payments and be available 24/7, with plans to launch in 2023 or 2024. The system will be managed by the Federal Reserve Banks, which plan to modernise the United States’ payment system and establish a safe and efficient foundation for the future.

The Clearing House already provides the Real-Time Payments (RTP) network, the existing inter-bank faster payments system privately built and maintained by the largest financial institutions in the US. The RTP network is, as the name implies, a real time payment system that allows payments to be made 24/7. It is already in use by the US’s financial institutions and is used for bill payments, cash management, P2P and emergency disbursements. Full access and implementation is expected for financial institutions by 2020.

The Federal Reserve’s decision to create FedNow will put it in direct competition with RTP but will launch 3 to 4 years later.

What this means for you?

At this stage it is not possible to say whether FedNow will have a significant impact on RTP or what the intentions of the Federal Reserve are, although it is likely that RTP will be well-established by the time FedNow is implemented.

The Federal Reserve was open for comments for around 90 days from publication of the announcement.
