Global menu

Our global pages

Close

Payment Matters: No. 36

Payment Matters: No. 36
  • United Kingdom
  • Financial services and markets regulation
  • Financial services - Payment services

31-07-2018

FCA and PSR Regulation 105 protocol issued

On 20 July 2018 the Payment Systems Regulator ("PSR") issued a protocol between it and the Financial Conduct Authority ("FCA") on the enforcement of Regulation 105 of the Payment Services Regulations 2017.

Under regulation 105 credit institutions to provide banking facilities to payment institutions, e-money institutions and registered account information service providers on a proportionate, objective and non-discriminatory basis. The PSR and FCA are both competent authorities for the purposes of this Regulation and the protocol sets out how the two will work together in exercising their powers to monitor and enforce compliance with Regulation 105. The protocol outlines the role of each authority; describes a range of general co-operation principles and sets out the approach to receiving and sharing notifications and complaints. The protocol covers the investigation of non-compliance and how this should be dealt with.

What this means for you?

Under the protocol each authority will act independently and remain responsible for its own decisions in relation to the enforcement of Regulation 105. Ultimately the principles set out in the protocol highlight that the FCA and the PSR will be working closely together in order to ensure compliance with the Regulation. Given the amount of conduct issues relating to phase 1 of PSD2, we are aware that this regulation may not have been given detailed focus by all of the credit institutions which are required to comply.

There is now a heightened attention that both authorities appear to be paying to this regulation and the fact that payment institutions are very aware of the new requirements, it is imperative that credit institutions consider their approach to providing access to bank accounts in compliance with this regulation. Any failure to do so will put them under the spotlight with both the FCA and the PSR and may lead to a full investigation of a credit institution’s conduct. Having clear criteria in place to apply when access requests come in and ensuring that the criteria is proportionate, objective and non-discriminatory will be key. Operational processes will also need to be in place to inform (i) those requesting services of the criteria and (ii) the FCA when access is denied or withdrawn.

RTGS Renewal Programme

The Real-Time Gross Settlement infrastructure ("RTGS") payment service is owned and operated by the Bank of England. It is an accounting system that allows eligible institutions to hold reserves balances at the Bank. The Bank has run a Proof of Concept ("POC") to understand how renewed RTGS could support settlement for systems operating on innovative payment technologies, such as Distributed Ledger Technology ("DLT"). The aim is to ensure that the RTGS can accommodate new technologies that provide sterling payment services.

The POC

The primary aims of the POC were to determine whether the planned prefunded settlement functionality would enable settlement platforms using innovative technology, in particular DLT, to access central bank money in the renewed RTGS service, and what additional functionality the renewed RTGS service would need for this.

The POC used a cloud-based RTGS service, which is separate from live Bank systems. No live data was used, and no access to live RTGS was given. POC participants were able to interact with this service through an application programming interface ("API"). During the test the participants acted as both a payment scheme and as an RGTS member using that payment scheme. Participants were able to move funds between accounts and fund and defund collateral accounts. When funding and defunding it was important to ensure balances in RTGS and the payment scheme were fully aligned. Payments were then made within the participant’s payment scheme, resulting in net exposures between RTGS members which couldn’t exceed the level of funds held by the members’ in RTGS. The participant then originated a settlement message from the scheme to settle net exposures. Participants interacted with the POC in different ways.

Based on feedback from the POC, the RTGS Renewal Programme will:

• consider how different account structures could be used in the renewed RTGS service;

• investigate whether the renewed RTGS service can provide and consume acceptable forms of cryptographic proofs. Cryptographic proofs are a means of ensuring trust in systems and between parties: and

• continue to engage with Fintech firms to understand how technology developments and approaches to payment systems will change the demands on RTGS.

What this means for you?

The fact that the Bank has run a DLT POC demonstrates increasing regulatory acceptance of this technology, and a willingness to incorporate it into payment infrastructures. The POC is symbolically important, given that, perhaps because of the technology’s origins, concern had been raised previously regarding its proper place in the financial system. Although its use by the Bank is still relatively immature, the capacity for secure, transparent movement of value means it is likely to become increasingly attractive, and it may be, in the long term, the technology becomes ingrained as a vital part of the UK economic framework.

EBA publishes final PSD2 fraud reporting guidelines

On 18 July 2018 the European Banking Authority (the “EBA”) published the final fraud reporting guidelines under the revised Payment Services Directive (the “Guidelines”).

The Guidelines have been created in co-operation with the European Central Bank and have been through numerous iterations since the initial consultation paper in respect of the Guidelines was issued by the EBA in August 2017 in response to industry feedback. Amendments to the Guidelines since the first draft was published include:

• removal of an obligation to report “high-level data” quarterly and an in-depth annual summary, replaced with and obligation to report a uniform set of data on a semi-annual basis;

• relaxation of country by country data requirements;

• alignment with related fraud reporting requirements, in particular with the ECB Regulation on payment statistics;

• clarification that only gross fraud needs to be covered; and

• clarification that transactions where the payer is the fraudster do not come within the definition of a fraudulent payment transaction.

It should be noted that the EBA did not extend the remit of the Guidelines, as had been previously suggested, to include account information service providers.

The Guidelines take effect on 1 January 2019.

What this means for you?

The aim of the Guidelines is to ‘contribute to the objective of PSD2 to increase the security of retail payments in the EU’. The Guidelines require PSPs across the 28 EU Member States to collect and report data on fraudulent payment transactions using a consistent methodology, definitions and data breakdowns.

Although the Guidelines are not legally binding unless adopted by a Member State, it is relatively rare that a Member State would choose not to adopt EBA guidelines at it requires the Member State to justify why it has chosen not to abide by them.

Institutions should review the guidelines (taking account of the reviewed scope) and ensure that the appropriate reporting lines are put in place internally in order to enable them to comply by 1 January 2019. Following this date, PSPs will be expected to provide the required data on a semi-annual basis. However the Guidelines foresee an exception to this rule for small Payment and Electronic Money Institutions, whereby they will only be required to report annually with a half-yearly breakdown.

The EBA will now publish translations of the Guidelines into the official EU languages on their website.

EC recommends removal of transparency requirements from cross-border payments draft

The Council of the European Union published an ‘I’ Item Note on 25 June 2018 updating a Commission proposal amending the existing cross-border payments regulation. A key update is the removal of transparency requirements on card issuers in the draft. This is in line with the industry demands in response to the initial draft.

The EU ambassadors subsequently agreed on the Council’s negotiating stance for taking the proposal forward and negotiations with the European Parliament will start as soon as the Parliament is in a position to do so. On 16 July 2018 the European Economic and Social Committee of the Council issued a positive opinion on the proposals and encouraged speedy implementation.

What this means for you?

A key rationale behind the u-turn is due to claims that the transparency requirements overlapped with the information obligations in PSD2.

Under the most recent draft, card issuers would instead be required to show customers charges as the difference between the total amount of the transaction in the currency of the payer’s account, and the transaction amount if the ECB latest reference exchange rate was applied. There is no longer the additional burden on issuers that offer currency conversion after the transaction has taken place.

FCA plans to help fraud victims recover losses

The FCA, in conjunction with the Financial Ombudsman Service (“FOS”), opened a consultation on 26 June 2018 aiming to update the complaints handling rules and assist victims of authorised push payment (“APP”) fraud. The aim of the changes is to reduce the harm experienced by consumers that have fallen victim to APP fraud where the receiving PSP did not do enough to prevent or respond to it.

The consultation proposes to apply the FCA’s complaint handling rules in DISP to complaints brought by a payer in relation to an alleged failure of a receiving PSP in a payment transaction to prevent or respond to an alleged APP fraud. The proposals will also allow victims of APP fraud access to the FOS for complaints of this nature.

In addition, the FCA has asked for feedback as to whether it should bring complaints relating to regulation 90(3) of the PSRs 2017 into the Financial Ombudsman’s jurisdiction. This relates to the requirement on the payee’s PSP to co-operate with the payer’s PSP to recover funds involved in a payment transaction where incorrect details have been provided by the payer.

What this means for you?

This consultation is the latest in a package of measures to assist victims of APP scams. Later this year, we are also expecting to see publication of the draft industry code setting out the rules for a contingent reimbursement model and a further consultation from the FCA requiring PSPs to report data on complaints about alleged APP fraud that they receive. The treatment of victims of APP scams is a challenging area and one where complaints are often complex in nature. PSPs will need to consider the impact on complaints handling teams of dealing with these complaints in line with DISP.

In addition to the work on APP scams, the FOS has also requested feedback on whether stakeholders would like it to widen its voluntary jurisdiction to also cover other types of fraud related complaints and if so, what type of complaints should be included. Depending on feedback, the FOS intends to open a separate consultation on this topic.

The FCA intends to make its final rules on the matter in November 2018 to take effect from 1 January 2019. The consultation period closes on 26 September 2018. We would suggest that all PSPs respond to the consultation and consider the consultation in the context of the wider work on APP scams which is currently ongoing.

FCA issues revised version of payment services and e-money approach document

The FCA has published version 2 of its approach document on payment services and electronic money (dated 5 July 2018) to include new guidance on the requirements on operational and security risk requirements under the revised PSD2.

The FCA has also published a final revised version of the operational and security risk reporting form (REP018).

The FCA has updated its webpage on the reporting requirements for PSPs and e-money issuers (EMIs) to reflect these changes.

The FCA consulted on the changes to the approach document and form, as well as related changes to its rules in chapter 16 of the Supervision manual (SUP 16.13: reporting under the PSRs), in chapter 5 of its 20th quarterly consultation paper (CP18/6), feedback to which was set out in chapter 3 of Handbook Notice 56 (see Legal update, FCA Handbook Notice 56).

What this means for you?

The changes to the approach document are relevant to all PSPs and reflect changes due to PSD2, the market and feedback from consultations.

The key changes in the approach document are:

• new guidance in chapters 13 (Reporting and notifications); and

• revisions to chapter 18 (operational and security risks)

The FCA has also made a number of other minor changes to chapters 3, 4, 5, 10 and 15 of the approach document in order to clarify the FCA’s guidance or to reflect legislative changes. All of the amendments are shown in tracked changes.

In summary, the FCA is requiring all PSPs to comply with the EBA's guidelines on operational and security risk under PSD2 and to report to the FCA at least annually on their operational and security risk assessment and their assessment of the adequacy of the resulting mitigation measures and control mechanisms. This should be in accordance with the method and form specified in the Supervision Manual (SUP 16.13.9 – 16.13.17).

The details of the assessment and mitigation measures to be included in the report should be those set out in the EBA guidelines and include:

• a list of business functions, supporting processes and information assets supporting payment services provided and classified by their criticality;

• risk assessment of functions, processes and assets against all known threats and vulnerabilities;

• description of security measures to mitigate security and operational risks identified as a result of the above assessment;

• conclusions of the results of the risk assessment and summary of actions required as a result of this assessment;

• summary description of methodology used to assess effectiveness and adequate of mitigation measures and control mechanisms;

• assessment of adequacy and effectiveness of mitigation measures and control mechanisms; and

• conclusions of any deficiencies identified as a result of the assessment and proposed corrective actions.

UK Card Acquiring Market Review

In light of retail industry complaints, the PSR has announced a market review into the card acquiring market. The review will consider the competitive landscape for the supply of card-acquiring services to ensure that the market is favourable to consumers.

The PSR’s proposed review has been prompted by several key concerns raised by stakeholders, including:

(i) that the interchange fee caps introduced by the Interchange Fee Regulation have not resulted in acquirers passing on savings to merchants;

(ii) lack of transparency around fees merchants pay to accept card payments;

(iii) barriers to switching acquirers;

(iv) scheme fees charged by card scheme operators favouring large acquirers; and

(v) significant increases in the scheme fee portion of the fees that merchants pay to acquirers.

In order to explore the above concerns, the PSR is proposing to examine how competition operates in the supply of card-acquiring services by acquirers and payment facilitators (despite the FCA for many years not acknowledging the role of payment facilitators in its regulatory guidance), with a focus on the supply of these services in relation to MasterCard and Visa. The PSR is also proposing to consider the role that ISOs play as a channel for acquirers to sell their services.

Its proposed scope will focus on card acquiring services rather than being broad enough to cover alternative payment types offered by an acquirer (e.g. payment initiation) but will include analysis of ancillary services to the extent they impact card acquiring (eg the provision of terminals) and generally assess whether merchants have credible alternatives to card acquiring. It will also examine which firms provide acquiring services and what market share they have, as well as how competition between acquirers for business works in practice.

The draft terms of reference (“ToR”) identify barriers to entry or expansion in card-acquiring services, barriers to switching or obtaining information on acquirers, and the availability of services that facilitate merchant decision-making, as specific issues of interest on which the PSR will focus.

What this means for you?

The PSR has published a list of consultation questions to facilitate feedback on the draft ToR and the consultation closes on 14 September 2018. The PSR will continue scoping the market review in parallel to the consultation and it will continue to liaise with other authorities, including the FCA. The PSR intends to publish final ToR for the market review by the end of 2018. The market review timetable will be set out in the final ToR.

If the market review identifies detriments to service-users the PSR may take a range of actions to address this, including: carrying out an investigation into a potential breach of the Competition Act 1998, making a market investigation reference to the CMA, making general or specific directions, requiring operators of a regulated payment system to establish or change their operating rules, or issuing guidance.