In six months’ time, the second Payment Services Directive (PSD2) will be implemented in the UK. And while we don’t yet have finalised implementing documents, progress is being made on what the realised directive will look like.
E-money and payment institutions will have to undertake a comprehensive impact assessment of their existing situation against the new requirements. Given the broad nature of the changes, the impact assessment will have to involve a number of stakeholders in the business. This exercise will identify the gaps and these can then be compiled into actions allocated to individuals with target dates to form a roadmap to PSD2-readiness. Some of the key areas that will have to be considered in the impact assessment are summarised below.
Management of operational and security risk
Regulation 98 of the draft PSRs 2017 requires that each payment service provider maintains a risk management framework to manage the operational and security risks of their payment services business.
The European Banking Authority (EBA) is charged with producing guidelines that the FCA is expected to supervise against. Draft guidelines were published for consultation in May. There are eight guidelines covering:
- risk assessment;
- business continuity;
- testing of security measures;
- situational awareness and continuous learning; and
- managing the relationship with the payment service user.
The consultation closes on 7 August with finalised guidelines due in November.
Regulation 99 places an obligation on payment service providers to notify the FCA when they become aware of a major operational or security incident. The EBA’s draft guidelines set out the criteria for assessing which incidents are major, the type of information that has to be reported to the FCA and how often.
The draft guidelines were published in December, consulted upon until March and the finalised guidelines should be available in the summer.
Conduct of business requirements
The conduct of business requirements are contained in parts 6 and 7 of the draft PSRs 2017. There are a number of adjustments made to the existing rights to information and the rights and obligations of payment service providers and payment service users. For example, payment service users that make payments from the EEA to beneficiaries outside of the EEA will be entitled to receive specified information before the contract is agreed, before the payment is made and after each payment. Part 7 also outlines the obligations payment service providers have when dealing with the new categories of payment service providers: payment initiation service providers (PISPs); account information service providers (AISPs); and third party card-issuing payment service providers (TPCPSPs).
Payment and e-money institutions will have to amend their terms and conditions and must ensure they alert their customers to the changes at least two months before they come into effect.
The timeframe for dealing with complaints arising from the rights and obligations set out in parts 6 and 7 (the conduct of business requirements) will change from the current eight weeks to fifteen business days and payment service providers are expected to have arrangements with an alternative dispute resolution service for complaints made by businesses. Complaints handling procedures and customer-facing information will have to be adapted accordingly.
Strong customer authentication
Regulation 100 requires payment service providers to apply strong customer authentication where a payment service user directly or through an account information service provider:
- accesses its payment account online;
- initiates an electronic payment transaction; or
- carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.
This requirement does not have to be implemented until 18 months after the EBA’s regulatory technical standards (RTS) have been finalised, expected to be April 2019 at the earliest. The draft RTS, click here for the most recent version, set out the requirements for strong customer authentication, dynamic linking, risk mitigation, independence of the elements plus the various exemptions that could be applied and the circumstance in which those exemptions become applicable.
The RTS on strong customer authentication also sets out the requirements for the common and secure open standards of communication that will be used by the new categories of payment service providers (PISPs, AISPs and TPCPSPs) to communicate with the account servicing payment service providers. E-money and payment institutions that offer payment accounts that are accessible online will have to comply with the RTS 18 months after they are finalised, which, as noted above, should be April 2019 at the earliest.
There are additional reporting requirements that will be applicable for payment and e-money institutions under the new regime.
- The FCA has proposed to apply the complaints reporting rule to payment and e-money institutions.
- There will be a reporting return for statistical data on fraud relating to payments.
- The existing regulatory returns (FSA056, FSA057, FSA059 – FSA062 and FSA064) will be amended with further questions added to enable the FCA to improve their supervisory approach. The FCA has proposed that authorised payment institutions will have to submit the annual close links and controller reports.
- Further reporting returns covering operational and security risk assessments and incident reporting are likely to be added, though the FCA has not yet consulted on these.
Grandfathering and new applications
As I set out in an earlier blog, existing authorised payment institutions and authorised and small e-money institutions will be able to grandfather into the new regime. They will have to provide the FCA with additional information in order to be approved to continue to carry on regulated activities after 12 July 2018. Small payment institutions will have until 12 January 2019 to be re-registered.
We expect the FCA to publish a consultation on the new application forms in early July with the final forms becoming available in September and the gateway for applications opening on 13 October.
The roadmap to PSD2 readiness
Preparation will involve the input of stakeholders from across the business, for example, senior management, risk, information security, IT, customer service, legal and compliance. Many details are still to be confirmed but alerting stakeholders to the implications and timeframes now will smooth the transition to the new regime. If you would like help to assess the impact of PSD2 on your firm and to get ready for implementation, please get in touch.
This post contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate.