Much of our time is, and seems always to have been, spent trying to interpret exactly what the regulations or, more importantly, the Regulator is expecting. A leading question asked by many compliance officers is, 'what do they expect of my company?'. This is often where the compliance consultant comes in.
The advent of PSD2 was envisaged as a driver for new technologies and services, opening doors for flexible and innovative players in the payments ecosystem offering services that did not exist or, at least, had not been regulated until now.
However, with PSD2 now fully implemented in the UK, but with an authorisations clock still ticking, we need to address what the Regulator ultimately expects from businesses. Let’s not speak in code though; by ‘the Regulator’ we mean the FCA. Coming fresh from the FCA, where I spent six years in charge of the authorisations function for payment and e-money institutions and was central to the preparations for PSD2, I am perhaps uniquely placed to comment on the FCA’s expectations. That said, as an ‘ex-regulator’ that unique insight begins to erode every day. So, I had better say my piece while it is (in my own opinion at least) still of some value and currency.
Please don’t, though, expect any bombshell revelations; some of the detailed inner workings of the FCA are necessarily restricted and I remain bound by confidentiality. Still, in addition to what is already in the public domain, I can give you a glimpse of what you might expect.
What is the Regulator looking for in terms of re-authorisations?
Let’s begin with the health warning for those firms who need ‘re-authorisation’ or a ‘re-registration’, because if you get the timing wrong, it really doesn’t matter what you put in your application. Firms authorised as Payment Institutions and E-Money Institutions before 13 January 2018, must submit their application for re-authorisation by 13 April 2018. Even then, the firm is running a risk if it submits its application too close to the 13 April deadline.
Firstly, the FCA has three months to deal with a complete application but, if not all the information is provided, the FCA can take longer to determine the application i.e. up to 12 months from receipt. The trouble is, if these applications have not been determined by 13 July 2018 (not by coincidence three months after the 13 April deadline) then the firm will have to cease providing payment services/issuing e-money beyond that date, and will be struck off the Financial Services Register. The FCA surely does not want firms to be in that position, but has no discretion or forbearance to offer, given that this cliff-edge is enshrined in PSD2 itself.
Secondly, and based on my experience of legislative implementations across many years, impacted firms do tend to submit applications towards the end of an application period, causing a spike in work for the regulator. Whilst the FCA has increased its headcount in anticipation of such a spike, and will no doubt do so again if necessary, such an occurrence may, nevertheless, effectively clog up the system and prevent the FCA from determining all applications in time.
The same is true for those firms that are ‘registered’ as Small Payment Institutions (‘SPIs’), although the corresponding deadlines for SPIs are 13 October 2018 and 13 January 2019. The trouble is, there are twice as many SPIs as there are Authorised Payment Institutions and E-money Institutions so, in theory, the impact could be twice as bad.
In terms of the re-authorisation, the FCA’s starting point is – according to its own Approach Document – that the firm already meets the conditions of authorisation under PSD1 or, more accurately, the Payment Services Regulations 2009 (or, in the case of E-money firms, the Electronic Money Regulations 2011). What the FCA now needs to capture is the information that is newly introduced by PSD2. Helpfully, in terms of transparency, the FCA has extracted the relevant new requirements from the EBA’s Guidelines for Authorisations and reproduced them in a re-authorisation application form (we won’t re-open the debate in this blog as to whether these Guidelines are excessive or disproportionate!).
Very generally speaking, for the new information sought the FCA is expecting the applicant firm to provide a description of these new areas, such as IT systems, security measures, business continuity, but proportionate to its business; one size definitely does not fit all. The only policy document that really does need to be provided is the firm’s security policy document. Whilst this may be a new requirement, it is likely that much of the prescribed content may already be in existence in other documents. But it is probably the area that might receive most scrutiny by the FCA; the FCA will not plug into your systems and undertake penetration testing, but it will go through your security policy with a fine-tooth comb to assess its reasonableness, given the firm’s size, structure and services.
Another word of warning though; whereas the FCA will be looking to focus on the new stuff, they do need to satisfy themselves that the firm meets all the conditions of authorisation under PSD2. That means, for example, that you will be expected to still have a safeguarding account. Whilst the FCA may be a leviathan of a regulator, its various constituent parts do in fact – contrary to popular belief – talk to each other. So, if you have notified the FCA of the loss of your safeguarding account, do not presume that any lack of action (to date) will mean the authorisations team will allow the situation to continue. Technically, you don’t meet the conditions of authorisation under current legislation, so would clearly not be able to be re-authorised under the new.
We would hope that the FCA would do itself a favour, given the volume of applications it faces, and not revisit the rest of the original authorisation, such as the payment services for which authorisation was originally granted.
What about new authorisations?
So, with all this gloom and doom surrounding the re-authorisation process, is seeking authorisation for the first time any easier?
Well, the immediate problem is that these applications will be competing with the reauthorisations for the FCA’s attention and resources. It would seem sensible to me for the FCA to prioritise those businesses currently trading, to avoid a situation where firms need to cease providing these services and (potentially) disadvantaging consumers. Otherwise though, the forms are clear and faithfully reflect the helpful/unhelpful (delete as appropriate!) EBA Guidelines. But the information requirements, as alluded to for re-authorisations, are extensive.
The responses need not be extensive though. The FCA is (or, should be) looking to apply the proportionality that the EBA was unable or unwilling to, and will expect information that reflects the business and scale being undertaken by the payment/e-money institution.
I'll comment more in my next blog about FinTechs and the likely constraints on FCA's supervisory response.
This post contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate.