How are the third party providers (TPPs) faring under PSD2?

It’s been five months since the FCA’s doors opened to applications from the new payment service providers, often referred to as third party providers (TPPs), and two months since they could appear on the Register so it’s a good time to ask how many have seized the opportunity presented by the second payment services directive (PSD2).

The answer is: ‘not so many’.

At last count, only 20 firms have signed up: two are new entrants providing both payment initiation services (PIS) and account information services (AIS); 16 are registered to provide only account information services and only two existing non-bank payment service provider, an e-money institution and a payment institution, have got permission to offer either or both services.

Given that at one point the FCA estimated there would be between 150 and 200 new TPPs and the incentives to become authorised or registered early (guaranteed right of access to accounts and information as well as the reputational benefits of being both approved by the FCA and first off the block) the current population of only 20 is underwhelming.

So, who are the third party providers?

In an earlier blog, I explained that a payment initiation service is ‘an online service to initiate a payment order at the request of the payment service user with respect to a payment account held at another payment service provider’. While consumers in the UK are relatively unfamiliar with payment initiation services, they are much more common elsewhere in the EEA (they initiate 55% of payments made in the Netherlands).  Their value comes from enabling merchants to accept credit transfers for payment for goods or services, because they can confirm that the payment was initiated and funds are on their way, thereby providing a competitively priced alternative to payment by card.

The four UK PISPs provide:

  • credit management services to small and medium-sized businesses (Ardohr trading as CreDec);
  • a money platform (Bud Financial);
  • an API (application programming interface) (Truelayer); and
  • the service mentioned above – the alternative to card payments for online merchants (Rapid Transfer, a brand of Skrill, which is owned by Paysafe).

An account information service is ‘an online service to provide consolidated information on one or more payment accounts held by the payment service user with another payment service provider or with more than one payment service provider, and includes such a service whether information is provided—

(a) in its original form or after processing;

(b) only to the payment service user or to the payment service user and to another person in accordance with the payment service user’s instructions’.

This service fits very clearly into an earlier government’s agenda of giving customers access to their own data in the expectation that new providers would emerge who would use the data to increase choice and competition (see midata).

Examples of the 19 firms with the account information service permission range from the fintech start-up Emma, the app that helps consumers understand, and keep on top of, their finances to the longer-established Funding Options, a marketplace for business finance.

What opportunities have been created?

While the population in the UK is still small at only 20 so far (there are none, as yet, in Ireland), the range of firms highlighted above shows the potential for far-reaching change in future.

Leaving the way open for innovation was one of the drivers for the relatively brave decision taken by the Commission to bring these businesses into regulation and to effectively give them the stamp of the regulator’s approval. As a payments policy specialist at the FCA, I worked on developing the negotiating position in the early days of PSD2 . The FCA is rarely keen to extend its remit but it was evident that it would be hard to resist the clear will to face down the strong objections from the banks, who presented significant worries that these firms were a security risk. It’s noteworthy that at the same time we set our face against recognising cryptocurrency wallets as e-money products because we did not want to lend cryptocurrency the credibility that comes with FSA/FCA authorisation. (As an aside, the FCA continues to take this position, see the Chief Executive, Andrew Bailey’s comments from December.)

But despite its reluctance to extend its remit, the FCA takes a positive approach to new players. At fscom, we undertake numerous applications each year (our team is currently exceptionally busy with a significant number of the re-authorisation applications ahead of the 13 April deadline) and we’re often asked how difficult it is to achieve authorisation. While there may be probing questions from the FCA’s authorisation team, and let’s recognise the significant pressure they are under at present to process more than 500 re-authorisations before July, they are open and receptive to well-reasoned answers that demonstrate that the conditions of authorisation are met.

What about the challenges?

There are, of course, challenges too. There is a steep learning curve for anyone finding themselves newly within the regulatory perimeter. These new players will have to wade through the intricacies of the various EBA documents on IT and information security, particularly since the FCA is taking a specialist look at this area. They will have to figure out how the anti-money laundering, sanctions and counter-terrorist financing obligations apply to their business model and make the appropriate adaption to systems and controls.

Equally, they will have to settle into their relationship with the regulator who will also be finding its feet on the new business models and how the newly formed payments supervision team will supervise them.  

There is also uncertainty, still, on how the European rules on open access will work in practice. One major issue is how firms will be able to easily and quickly authenticate the regulatory status of third party providers, particularly since there is no central database of providers, as yet. Other concerns centre around the processes for applying strong customer authentication and how each Member State will interpret and enact the standards. 

Also, as the PSD1 cohort of new players found out, reputation, compliance and relationships with key partners means everything in this business. While third party providers do not have to have safeguarding accounts, they do have to have professional indemnity insurance to cover liability in the case of a security breach or unauthorised transaction, and it’s likely that the insurance companies will become a proxy regulator, just as the banks have for the traditional payment and e-money institutions, by requiring, at least annually, assurance that the systems and controls are sufficient. And of course, liability and security are major issues in earning the trust of consumers and their payment providers. One rogue firm and the sector will be tarred with the same brush.

And so…

It is still early days for third party providers in the UK and Ireland but it seems obvious we are on the edge of significant change in the way we understand payment services. Many firms are exploring the opportunities that are being presented and others are dreaming big plans for how they can solve the next big problem or meet the next big need.

This post contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate.

Related Posts