Back in October last year, fscom director Alison Donnelly wrote a blog on the FCA’s consultation on new rules for payment and e-money institutions. As explained in that blog, due to FCA concern with how some e-money and payment institutions have communicated with their customers in the past, certain sections of the FCA Handbook are being applied to payment and e-money institutions.
Following the consultation period, the FCA issued a policy statement including the legal instruments making the necessary amendments to the Handbook to apply the selected rules to payment and e-money institutions. Thankfully, the FCA dropped its original proposal to afford no implementation period, and so the rules are now due to come into force on 1 August 2019. This gives firms just under three months to finalise their preparations.
Having given the background and potential implications of the changes in our blog last October, I want to briefly discuss the substance of the new changes and consider the actions firms will need to take prior to 1 August.
Principles for Businesses - The Changes and The Implications for Payment and E-Money Institutions
The high-level FCA principles for businesses (“the Principles”) will now be extended to payment and e-money institutions. Most firms, however, will already be applying the Principles to their business in practice, even though the Principles have not technically applied to them previously. Indeed, many of the Principles are already expressed in different provisions of the EMRs and PSRs. For example, Principle 10 on arranging adequate protection for clients’ assets already finds expression in the safeguarding provisions of the PSRs and EMRs.
The extension of the Principles does, however, provide a wider net for FCA enforcement action. Given their high-level nature, breaches of the Principles are easier to allege, prove and penalise, allowing the FCA significantly more discretion in taking enforcement action. So, while for example it would be hoped that firms already seek to comply with Principle 6 on treating customers fairly, its extension will give the FCA greater scope for enforcement action, particularly where the alleged unfair treatment of customers does not also constitute a breach of the PSRs or EMRs.
While the FCA gives reassurance in the policy statement that “the Principles should be applied in a way which is appropriate and proportionate to firms”, its supervisory and enforcement discretion is nonetheless significantly increased.
A recent example of FCA enforcement for breaches of the Principles is the case of Carphone Warehouse. The FCA issued a “Final Notice” in March and fined the firm over £29 million for breaches of Principle 3 (Management and control), Principle 6 (Customers’ interests) and Principle 9 (Customers: relationships of trust). The breaches were in relation to the sale of mobile phone insurance.
One failure noted by the FCA was a failure by sales consultants to give suitable advice to customers as to whether the insurance product met their needs. This was compounded by insufficient management oversight, seen for example in the lack of effective response to high rates of cancellation of the insurance product.
Examples such as this illustrate how broad-based principles equip the FCA to effectively target and penalise firms for inadequate systems and controls and unfair treatment of customers.
Indeed, a perusal of the enforcement notices on the FCA website reveals the large extent to which the regulator relies on the Principles in its enforcement actions.
While some comfort can be taken by firms from the FCA’s reassurance on proportionality, and from the fact that the Principles largely represent best practice that most firms will already follow, the potential supervisory impact of this extension should be noted.
BCOBS 2 – Product Description Wording, Use of Currency Converters and Fee Information
Beyond the Principles, the FCA has additionally applied rules contained in BCOBS 2 to payment and e-money institutions. While e-money and payment institutions are already subject to the Consumer Protection from Unfair Trading Regulations 2008 (CPRs), BCOBS 2 contains more specific communication rules.
For example, certain words are singled out in relation to product descriptions, including “guaranteed”, “protected” or “secure”. Firms can only use these and similar words in product marketing where they do so in a fair, clear and not misleading manner.
In addition, following on from FCA concern about the misleading use by firms of currency converters, particularly the use of the interbank rate, the new rules make clear that where an exchange rate is presented that the customer cannot avail of in practice, the inclusion of a disclaimer will not necessarily prevent the rate being misleading.
Further requirements include the need to take into account the target audience of the communication, the “information needs” of the recipient and to make sure that comparisons with competitors can be substantiated.
Importantly, there are also new requirements about the fee information to be presented to customers.
Communications ‘To Do’ List Before 1 August 2019
Payment and e-money institutions would be best advised to thoroughly review their websites, terms and conditions, standard customer correspondence and other promotional material against these new requirements to ensure that they will not be in breach on 1 August. The FCA has shown an increasing concern regarding communication practices in recent years and this, combined with a better-resourced and mobilised Payments Supervision Department, means that the FCA is more likely now to scrutinise firm websites for compliance.
We are hosting a RegBite on Wednesday 22 May where we will go into more detail on the substance of the new rules, including case studies, and next steps for firms ahead of the 1 August deadline. So come along to the RegBite and ensure you are adequately prepared for the deadline!
If you would like to speak further to us on the new rules, or if you would like an external review of your website and other communications in light of the new rules, please do not hesitate to contact fscom for further information.
All payment service providers must take action to establish whether these additional requirements apply to them. We have some helpful blogs to explain the basics and are keen to work through the details with you.
Open banking: not just for banks
All payment and e-money institutions should consider whether they too are account servicing payment service providers. Read more here: http://blog.fscom.co.uk/open-banking-not-just-for-banks-0
Strong customer authentication
All payment and e-money institutions should consider whether they will have to apply strong customer authentication. You can read about the basics here: http://blog.fscom.co.uk/strong-customer-authentication-under-psd2-the-basics
If you do have to apply SCA, you'll want to minimise the number of times you have to make your clients go through SCA, so find out more about the exemptions here: http://blog.fscom.co.uk/strong-customer-authentication-the-exemptions
If you intend to use the corporate exemption, we can help you assure that your systems are up to the expected standard of security. Remember, you have to provide evidence in your REP018 by 14 June.
And finally, SCA is more complicated than simply two-factor authentication (2FA). Find out more here: http://blog.fscom.co.uk/strong-customer-authentication-not-as-simple-as-just-2fa
If you need any help understanding the obligations, please get in touch.