To some, 13 January and the implementation of the second Payment Services Directive (PSD2) will be a significant milestone in their business’s path. They will be joining the community of the regulated financial services sector, which means that their owners and managers take on significant additional liability and are subject to a new level of scrutiny. They will have to meet certain standards and requirements ranging from the information they must give their customers to the type of insurance they must hold (in the case of the payment initiation and account information service providers) to how they treat client money (for authorised payment and e-money institutions and small e-money institutions).
Once they see their entry in the Financial Services Register they can enjoy a very real sense of achievement having secured an authorisation, or registration, in time to avoid having to stop business.
For existing payment and e-money institutions, the date marks the implementation of the new systems and controls that they have been working on over the past while. For example:
- new terms and conditions incorporating the changes to the conduct of business rules in parts 6 and 7 will come into effect;
- references to the old 2009 legislation, in marketing material and elsewhere, will be replaced with references to the new Payment Services Regulations 2017;
- the revised incident assessment and protocols will go live to meet the requirement to report major incidents to the FCA;
- complaints will have to be sifted so that those that are PSD/EMD complaints can be dealt with in 15 business days; and
- complaints handling data will be collated for reporting to the FCA in due course.
Some of the conduct of business rule changes seem relatively minor but could have a major impact in certain cases. For example, the change in the scope to include payments where only one payment service provider is within the EEA means that, among other requirements, the immediate refund rule in cases of unauthorised transactions will now apply even if the payment was made to a payee beyond the EEA. While this is not a brand new obligation, the extension of scope will give payment service providers that make high value payments beyond the EEA a renewed interest in ensuring the security of the way their clients give them payment instructions.
Other changes still to come
However, 13 January is just one in a series of important dates. The Payment Services Regulations 2017 implements most of the directive in the UK but there are other instruments that form the full package, some of which have not even yet been finalised.
In December, the European Banking Authority (EBA) published an opinion to member state competent authorities on the transition from the existing directive to the new one because, of the 12 Technical Standards and Guidelines for which it is responsible, only three will be delivered on the implementation date:
- The regulatory technical standards (RTS) on passporting that set out the framework for cooperation and exchange of information between competent authorities.
- The Guidelines on authorisation and registration under PSD2, which will be very familiar to all existing firms as they apply for re-authorisation, as well as new applicants.
- The Guidelines on the minimum amount of professional indemnity insurance required by payment initiation service providers and account information service providers.
More guidelines and rules to come
Of the outstanding nine mandates, the EBA expects three EBA Guidelines to become applicable during the first quarter of 2018, with the rest following on unknown dates, either because the development hasn’t been completed or, as is the case with technical standards, because the next stage is in others’ hands. The RTS on strong customer authentication and open access is a special case because PSD2 specified that it would not apply until 18 months after it entered into force. The date of application is expected to be in September 2019 and the time between now and then is known as ‘the fuzzy period’.
The fuzzy period
The EBA’s opinion on what should happen for account information and payment initiation service providers during the fuzzy period chimes with the expectations set out by the government and the FCA in their joint communication in July. Payment and e-money institutions that offer online payment accounts will be prepared for the following.
- They must allow registered and authorised account information and payment initiation service providers access to accounts, except for reasonably justified and duly evidenced reasons related to unauthorised or fraudulent access or payments. This means they can’t block “screen scraping” (where the firm logs in to an account as if they are the user) unless they already offer another access route.
- They don’t have to provide this alternative access route where the account information and payment initiation service providers can communicate with them securely until 18 months after the RTS enters into force.
- They mustn’t discourage their clients from using registered or authorised account information and payment initiation service providers.
- They can expect that account information and payment initiation service providers are transparent and open about their activities, even though, legally, they are under no obligation to do so.
More widely, we will be interested to see the impact of the legislation on:
- banks offering payment accounts to payment and e-money institutions;
- merchants and other payees that have been passing on the cost of accepting payment by credit card; and
- the FCA given their increased responsibilities.
Under regulation 105, credit institutions must be proportionate, objective and non-discriminatory (POND) in their decision as to whether to offer a payment or e-money institution, or applicant for either status, a payment account. On enquiry, the credit institution has to provide the criteria for assessing whether to offer an account and be consistent in applying the criteria. All refusals and withdrawals by credit institutions must be notified to the FCA. It seems unlikely that this will have the effect of significantly increasing access to bank accounts for this sector but increasing transparency rarely has no impact; it will be interesting to see what impact it has.
While the ban on surcharging is contained in the Payment Services Regulations 2017, it is tucked away in Schedule 6 because it is effected by an amendment to the Consumer Rights (Payment Surcharges) Regulations 2012. Some payment service providers apply surcharges where they accept payments by credit card but the impact of the change extends beyond the payments sector to retail and financial services more generally. The differential in cost of payment is a fact; from now on some consumers will have to subsidise other consumers’ having a choice of how they pay.
The FCA is one of the few organisations that I have worked for that does not want to expand its remit! Nonetheless, its powers keep extending and with PSD2 it has a new population of firms plus new responsibilities such as monitoring major incidents, confirming whether certain businesses are outside the scope of regulation and considering the additional information provided by existing firms to justify re-authorisation under the new regime. These responsibilities have necessitated recruitment into the supervision team, which will now include a dedicated payments supervision team, and the authorisations team (not least because we secured James Borley, the former FCA PSD2 accountable executive and head of payment services authorisation team as our Director of Assurance!). This has to be good news for the payments sector as more scrutiny raises standards and therefore trust. That being said, though, one of the biggest challenges for existing firms now is to secure re-authorisation by 12 July and the corresponding challenge for the FCA will be what to do with any firms that aren't reauthorised in time.
If you would like any help to understand the implications of PSD2 on your business, please get in touch.
This post contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate.