Payment Matters: No. 31
  • United Kingdom
  • Financial services
  • Financial services - Payment services


1. Euro Retail Payments Board - Final Report on Payment Initiation Services

The Euro Retail Payments Board’s Working Group has published its final report on Payment Initiation Services. The Working Group, established in November 2016, was tasked with defining “a common set of technical, operational and business requirements for the development of an integrated market for payment initiation services.” The Working Group has had to balance the differing requirements of banks and third party payment providers with the latter wanting greater flexibility to develop their business models and the former concerned about unauthorised and fraudulent access to customers’ accounts.

The report is available here. Key points to take away from the report are:

  • re-direction models would “limit the payment initiation service provider in the innovative design of its customer interfaces.” As a result, the Working Group has stated that PSUs should not be required to access an ASPSP’s website as part of the authentication process;
  • further work will be needed on the subject of consent;
  • there should be one or a few common interfaces and European approaches are to be preferred over national initiatives. Due to this desire, the Working Group has been analysing the similarities between various European API initiatives including Open Banking in the UK; and
  • if ASPSPs want to rely on the fallback exemption, their API will need to be available for testing six months before the end of the 18 month period in the regulatory technical standards.

What this means for you

The Working Group has worked closely with the European Banking Authority to deliver its final report in relation to payment initiation services. Firms should consider the report’s findings and keep a close eye on further developments. The report’s findings in relation to redirection are particularly interesting given the addition of wording into Article 32 of the final version of the regulatory technical standards suggesting that redirection could in some circumstances be considered an obstacle to the provision of PIS and AIS. Please contact Richard Jones or Ruth Fairhurst if you would like to discuss this in more detail.

2. Regulatory technical standards on strong customer authentication and common and secure communication under PSD2 adopted by European Commission

The European Commission has now adopted the technical standards for strong customer authentication and common and secure communication under the revised Payment Services Directive (PSD2). The Regulation and accompanying Annex is available here.

In accordance with Article 98 of PSD2, the regulatory standards set out:

  • the requirements for strong customer authentication, security measures to be complied with and common and secure standards of communication between account servicing payment service providers, payment initiation service providers, account information service providers, payers, payees and other payment service providers;
  • technical standards which ensure an appropriate level of security for payment service users and payment service providers, safety of funds and personal data, competition between payment service providers, technology and business-models neutrality and the development of additional means of payment; and
  • exemptions based on the level of risk involved in the service provided, the amount of recurrence of the transaction, or both and the payment channel used for the execution of the transaction.

The regulation will now be considered by the European Council and the European Parliament. If approved, the Regulation will enter into force the day after its publication in the Official Journal, taking effect 18 months after that date with the exception of Articles 30(3) and 30(5) which will come into force 12 months after the date that the standards enter into force.

What this means for you

As widely reported across the industry, the draft regulatory technical standards have been heavily consulted on, as the EBA has had to balance feedback from third party payment providers looking to develop their innovative business models against banks who have raised concerns about the security of their customers’ data because of fraudulent or unauthorised access. In particular, the regulatory technical standards have been critiqued in relation to the method of access for third party payment providers (i.e. traditional screen scraping or dedicated interfaces).

The final version largely remains unchanged but particular points of interest on this topic are:

  • traditional screen scraping is prohibited, so third party payment providers will not be able to gain access without identifying themselves as a third party;
  • screen scraping+, where third party payment providers are required to identify themselves, will be permitted;
  • banks can develop dedicated interfaces to provide access to third party payment providers, but they must also create a contingency solution to allow screen scraping+ where 5 consecutive access requests are not responded to within 30 seconds; and
  • a bank’s dedicated interface must not create obstacles for payment initiation and account information service providers. In particular, the final regulatory standards provide that obstacles may include ‘imposing re-direction to the account servicing payment service providers authentication or other functions.’

We recommend that all payments businesses take time to consider the revised text and analyse what changes they will need to make in order to comply with the regulatory standards. We are aware that a number of payment service providers within the industry are already developing dedicated interfaces to use as a secure method of providing access to third parties, but firms should consider whether the revised text impacts the current design (particularly in relation to the EBA’s comments on re-direction). Firms should also begin developing solutions to ensure they have effective mechanisms in place to meet the strong customer authentication requirements.

Please contact Richard Jones or Ruth Fairhurst if it would be useful to discuss what changes your firm will need to make over the next 18 months in order to comply with the regulatory technical standards (which are expected to come into force in September 2019).

3. European Banking Authority publishes its recommendation in relation to the transitional period

The European Banking Authority has issued an opinion on how payments businesses should comply with their legal obligations under the revised Payment Services Directive (PSD2) in the anticipated transitional period where the relevant legal instruments, which the EBA has been tasked to develop under PSD2, have not entered into force before 13 January 2018. In particular, the EBA states that:

  • certain requirements will not apply until the regulatory technical standards apply (in line with Article 115(4) of PSD2). This means, for example, that AISPs and PISPs cannot be required to identify themselves or to communicate data securely as defined under PSD2;
  • AISPs and PISPs may access customers’ accounts without being blocked (unless there are reasonably justified and duly evidenced reasons for doing so) using existing methods such as screen scraping;
  • PSPs should be encouraged to comply with the regulatory technical standards as soon as possible;
  • the existing EBA guidelines on security of internet payments will not be repealed in full on 13 January 2018. Instead, they will gradually be superseded by PSD2 specific legal instruments or other acts;
  • delayed transposition in a host Member State cannot be used to prevent a legal entity from submitting a passporting notification in the Member State where that entity is authorised and where PSD2 has been transposed on time, or prevent an entity from carrying out activities in that Member State; and
  • payment service providers in Member States that have not transposed PSD2 by 13 January 2018 but have already been authorised under PSD1 (and have obtained a valid passporting notification) may continue to provide payment services in the Member States for which they are already authorised.

The EBA has also suggested that it will consider extending its existing Q&A tool on PSD2 to support the transitional process and, if possible, this will be available in Spring 2018.

What this means for you

Firms should consider the position that they have taken in relation to third party access during the transitional period (before the regulatory technical standards apply) in light of this EBA Opinion. We also suggest that firms now turn their attention to the final regulatory technical standards issued in November 2017. Please contact Richard Jones or Ruth Fairhurst if it would be helpful to discuss how you can develop compliant operational processes during the transitional period.

4. EBA releases final RTS relating to the central register under PSD2

The European Banking Authority (EBA) has published its final draft regulatory technical standards and implementing technical standards on the EBA electronic central register.

The regulatory technical standards (“RTS”) set out the procedures which competent authorities must follow when inputting information into the central register and the process for users to access such information. The implementing technical standards (“ITS”) detail the information that will be contained on the register (for example, details of account information service providers, payment and electronic money institutions and their agents and foreign branches).

As widely reported, the draft regulatory technical standards were heavily scrutinised as the EBA had previously said a machine-readable register, which would allow users to automatically extract information to check whether a third party was authorised and not acting fraudulently, would be too complex and costly. The EBA has, however, since acknowledged that the automated retrieval of information would benefit users and unregulated access to the central register could be a security risk.

The register will therefore now allow competent authorities such as the FCA to provide information to the EBA more frequently than once a day. It will also allow for the EBA register to process and validate automatically transmitted information as soon as possible (and at the latest by the end of the same business day) and for users to download the register content manually and automatically. The EBA has also clarified that it will not include credit institutions in the register as they are not part of the pre-defined list of institutions pursuant to their mandate under Article 15(5) of PSD2.

This final draft will now be scrutinised and is subject to approval from the European Commission, European Parliament and European Council. The final draft standards are available here.

What this means for you

The register will not be available from 13 January 2018 as the EBA can only develop the register after adoption of the RTS and ITS. However, firms should now give close consideration to how they will incorporate the use of the register into their operational processes when checking whether a third party provider is authorised.

Payment service providers will also be keen to gain a better understanding of how the register will work, in particular how the new EBA solution to download the register in real time will work in practice and what benefits the new solution will offer (e.g. preventing fraudulent access in real time). We, therefore, recommend that firms monitor the progress of the technical standards at a European level to gain an understanding of what is required in order to retrieve information from the EBA register.

If you would like more detail on the EBA register, or providing access to third parties generally under PSD2, please contact Richard Jones or Ruth Fairhurst.

5. FCA updates PSD2 passporting webpage

The FCA has opened its passporting gateway for applications from payment initiation service providers and account information service providers wishing to provide these services in another member state on or after 13 January 2018.

What this means for you

Firms planning on providing payment initiation services and account information services in another EEA member state, on or after 13 January 2018, can now submit their passporting application (subject to having already obtained their authorisation as a third party payment provider). This means any firms planning on offering payment initiation services and account information services for the first time will need to be authorised before they apply for the right to passport into another Member State.

The FCA also notes that existing payment and electronic money institutions will need to complete their authorisation and variation of permission applications before applying to passport and that they are required to apply for re-authorisation under PSD2 before 13 April 2018. If an application is not received by this deadline then the firm’s existing authorisation, passports and agents will be removed after 13 July 2018.

Please contact Richard Jones or Ruth Fairhurst if you need assistance with your authorisation and/or passporting application(s).

6. EBA publishes security measures under PSD2 guidelines

The European Banking Authority has published its final guidelines on security measures for operational and security risks of payment services under the revised Payment Services Directive (PSD2). The guidelines have been developed in co-operation with the European Central Bank and are designed to help payment service providers put in place sufficient security measures to mitigate operational and security risks.

The EBA has also decided to further clarify and detail some of the scrutinised elements of the draft guidance. In particular, the final guidelines clarify the meaning of ‘proportionality’ and explain that it is necessary to consider the size of the payment service provider and the nature, scope and complexity of the particular services offered by a payment service provider when deciding the precise steps a payment service provider needs to take in order to comply with the guidelines. The final guidelines also clarify that the EBA is not regulating certification processes of security measures.

The guidelines are available here.

What this means for you

The guidelines take effect from 13 January 2018 and Member States must inform the Commission within two months if they do not intend to comply with the guidelines. We are not aware of any intention of the FCA to disapply the guidelines and we, therefore, recommend that firms now consider taking appropriate actions to implement the guidelines relating to:

  • operational and risk management frameworks;
  • security breaches/threat detection, prevention and monitoring;
  • business continuity;
  • procedures for assessing risks;
  • regular testing of security measures;
  • reporting of issues; and
  • building awareness of Payment Service Users on minimising security risks.

The guidelines have been drafted so that payment services providers can apply them in a way that adapts to the changing risk landscape and currently unknown threats and vulnerabilities. The EBA has not shared the risk assessment which it carried out in order to understand such threats and vulnerabilities and develop the guidelines but this ultimately seems sensible given that such analysis could be used by fraudsters.

7. Consumer Rights (Payment Surcharges) Regulations 2012

The Consumer Rights (Payment Surcharges) Regulations 2012 (as enacted) have been amended by the Payment Services Regulations 2017 as part of the implementation of the revised Payment Services Directive. The amendments, which come into effect on 13 January 2018, limit and/or prohibit surcharging in relation to a wide variety of transactions, including non-card payments.

In December 2017, the Department for Business, Energy & Industrial Strategy issued guidance on these developments. In particular, the guidance confirms that “for most retail payments, the regulations ban merchants from charging a fee in addition to the advertised price of a transaction on the basis of a consumer’s choice of payment instrument (for example, credit card, debit card or e-money).”

The UK has also extended the prohibition beyond what is prescribed at a European level to cover non-card payments. The guidance also confirms that applying a discount to one particular payment instrument over another which effectively creates a surcharge will be prohibited as well.

What this means for you

Payment service providers may see merchants looking to negotiate lower fees to recover any losses they may incur because of the prohibition and/or limitations on surcharging. The prohibition on surcharging may also now affect the uptake of payment initiation services as an alternative payment method for the purchase of certain goods and services, given that the difference in cost between payment methods should no longer be an issue for the consumer.

8. FCA’s sandbox – third cohort announcement

The Financial Conduct Authority has announced that 18 firms have been accepted into the third regulatory sandbox cohort. The accepted submissions cover a range of sectors and areas, including blockchain based payment services, RegTech propositions, general insurance, anti-money-laundering controls, and biometric digital ID and know your customer verification.

What this means for you

The sandbox provides an opportunity for firms to test innovative products, services or business models in a live market environment while ensuring appropriate protections are in place. Payments businesses of different natures will, therefore, be keen to test new products/services and identify the next potential innovative product to enter the market. For businesses which are not currently involved but are interested in the next cohort, the application process for the fourth sandbox also remains open until 31 January 2018 (with the next testing phase to commence in June 2018).

9. FCA policy statement and final rules on information relating to the provision of current account services

The Financial Conduct Authority has issued a policy statement in relation to information which providers of current accounts (personal and business) will be required to publish in order to help customers compare services from different providers. The Policy Statement (PS17/26) is available here.

The policy statement, PS17/26, outlines the feedback received on the consultation that ran earlier in 2017 and sets out final rules that the information providers of both personal and business current accounts are required to give. In particular, the FCA has set out proposed changes to its regulatory Handbook which require firms that accept deposits (banks and building societies) and provide payment accounts (typically personal current accounts and business current accounts) to publish the following information:

  • how and when services and helplines are available;
  • contact details for help, including for 24 hour helplines;
  • how long it will take to open a current account;
  • how long it will take to have a debit card replaced;
  • how often the firm has had to report major operational and security incidents; and
  • the level of complaints made against the firms.

The service information which the FCA will require firms to publish is designed to build on and complement the core service quality metrics that the Competition and Markets Authority will require the largest firms to publish from August 2018.

What this means for you

The development is of interest to any organisations offering comparison services as well as to providers of personal and business current accounts. The information requirements come into force on 15 August 2018 (as detailed in the Banking (Information about Current Account Services) Instrument 2017 (FCA 2017/78)). This means providers of personal and business current accounts will need to publish information on their service availability, helplines and numbers of operational and security incidents from 15 August 2018.

What’s more, the Policy Statement provides that from 15 February 2019 firms will be required to publish account opening and debit card replacement metrics. In order to achieve this 2019 deadline, firms will be required to start recording data on the amount of time taken to open accounts and to replace a debit card from 1 October 2018.

10. Payment Systems Regulator consults on tackling payment scams

Authorised push payment (“APP”) fraud is the second largest payment fraud type in the UK, behind card fraud. Between January and June 2017, 19,370 APP fraud cases, with a total value of £101,191,645, were reported; however, just £25,217,791 of that sum was returned to victims.

On 7 November 2017, the Payment Systems Regulator (“PSR”) released a report and consultation which:

  • reflects on what the PSR and the industry have achieved in recent months to reduce harm to consumers targeted by APP fraudsters; and
  • proposes a consultation to introduce a ‘voluntary contingent reimbursement’ model, where PSPs (either paying or receiving) would reimburse victims of APP fraud if the PSP did not meet required standards. Consumers would also need to meet a requisite level of care to be eligible for reimbursement.

The PSR highlighted that UK Finance’s 16-step ‘best practice standards’, for all PSPs to follow when responding to APP scams, will be fundamental in making such progress. UK Finance’s PSP members have agreed to fully implement these standards by Q3 2018. The PSR is asking PSPs for feedback on the effectiveness of these standards and what changes should be made to improve them.

The PSR also reported on the industry’s progress around information sharing between PSPs, particularly in respect of what customer data can be shared when dealing with APP scams. While the PSR stated more still needs to be done, it acknowledged that this was not all down to PSPs, and that legislative change would be needed to continue to make positive progress.

What this means for you

The PSR has sought industry’s comments on the efficacy of UK Finance’s best practice standards and its intention to introduce a voluntary contingent reimbursement model. It will shortly report on whether UK Finance should amend the best practice standards, and whether the contingent reimbursement model is appropriate and should be taken forward.

It is encouraging to see that the PSR continues to drive progress in protecting consumers from APP fraud, and recognises that this significant issue should not be the sole responsibility of PSPs. As payment services technology rapidly develops, as well as adhering to the agreed standards being consulted on, it will be increasingly important for PSPs to anticipate how fraudsters can exploit this technology and to continuously develop measures to protect their customers from payment fraud.

Please also contact Richard Jones or Ruth Fairhurst if you would like a copy of our 2018 financial services regulatory horizon scanner.