The gateway for PSD2 applications opens today. About 500 authorised payment institutions and e-money institutions and 150 payment initiation and account information service providers are expected to submit applications to the FCA over the next few months in order to be authorised by 13 January (in the case of payment initiation and account information service providers) or re-authorised by 12 July in the case of those firms already authorised.
My team of experts is assisting many of those firms to compile their application and get ready for the implementation of the Payment Services Regulations 2017 (PSRs). Here are some of the questions we’re commonly asked and our answers.
Why do I have to get re-authorised?
The PSRs require that certain information is provided in an application, including a procedure for handling security incidents, a description of how you deal with sensitive payment data and details of how you collect and use statistical data on performance, transactions and fraud. If these weren’t included in your original application (and they probably won’t have been because the standards for handling major security incidents, for instance, were only finalised in July) then you have to submit now.
Might my application be rejected? If so, what happens then?
If you do not meet the required standards by 12 July 2018, your application will not be approved in time and your authorisation will lapse. You will not be allowed to provide payment services (and, in the case of e-money institutions, issue e-money) after this date unless you are authorised; a firm that carries on providing regulated services without approval may be committing a criminal offence.
If the FCA were to decide to refuse your application, they will give 28 days’ notice for you to make a representation in person or in writing. If the FCA still wish to refuse, they will issue a decision notice which can be contested at the Upper Tribunal (Financial Services). If a further 28 days pass without a referral, then the FCA will issue a final notice.
Aside from the application, is there anything else we have to do to be ready for 13 January?
Yes, you must ensure that you are ready to implement the changes to the conduct of business rules, which may include updating your framework contract to include the secure procedure by which you will contact your customer in the event of suspected or actual fraud or security threats. Other changes may have to be made depending on how detailed your framework contract is and whether you provided a different contract to clients who were only using you to make payments outside of the EEA.
Payment institutions will have to update their status disclosure, once re-authorised, to reflect the new legislation.
Customers should be given at least two months’ notice of any changes to the framework contract, although this could be done by way of a note to all your customers rather than the reissuance of the full document.
There are a number of minor changes to the conduct of business rules but the most significant is the timeframe in which complaints about conduct of business rules (referred to as PSD complaints) must be handled. From 13 January, such complaints should be dealt with within 15 business days instead of the current eight weeks. Complaints handling procedures and customer-facing information will have to be adapted accordingly.
Firms will also have to make available on their website, and through any branches and agents, a European Commission ‘user-friendly’ document listing consumers’ rights under the directive and related EU law. The document is expected to be available from early in the new year.
There will be some differences to the reporting returns from January, including new forms for reporting how complaints were handled and the level of payment fraud so you will have to develop a process for collecting the right data.
Do we have to provide open access to account information service providers and payment initiation service providers?
If you offer online banking services, for example, the ability for your customers to log on to a secure portal to view information and give you payment instructions, then it is likely that the requirement to open up your customers’ accounts to payment initiation service providers and account information service providers will apply. It applies even if you are a payment institution, though in practice, you should not receive payment initiation requests because you should never hold funds for your customers over which there is not already a payment instruction.
You do not have to provide a method by which account information and payment initiation service providers can access the accounts until the relevant Regulatory Technical Standards become applicable, which is now expected to be in September 2019. However, if you voluntarily offer the open access before then, from the date of applicability onwards you will only be allowed to deny access in cases where you have reasonable evidence that access is unauthorised or fraudulent.
Do we have to have strong customer authentication in place?
If the open access requirements apply to you (you offer online banking services) then it’s likely you will also have to introduce strong customer authentication when the Regulatory Technical Standards become applicable (likely to be September 2019). While still subject to change, this version of the standards sets out requirements such as dynamic linking, risk mitigation and independence of the elements, plus the various exemptions that could be applied and the circumstances in which those exemptions become applicable.
The only changes made to the legislation in respect of the safeguarding requirement are that:
- the option to not safeguard funds for a transaction of less than £50 has been removed; and
- provisions that enable non-bank payment service providers to effectively safeguard client funds in a settlement account with the Bank of England have been added.
However, the FCA has confirmed its new guidance on safeguarding in its approach document. This guidance expects firms to safeguard until funds have been paid to the beneficiary’s payment service provider. For some corridors and in some cases, this will mean that the payment or e-money institution will have to use own funds to make the payment while the customer’s funds remain in the safeguarding account with the EEA-authorised credit institution.
Most firms have already begun to compile their application and make the necessary amendments, but the level of change and detail required should not be underestimated. This is particularly the case for payment institutions, which were not required to provide anywhere near as much detail as an e-money institution did at application stage. The window of time to secure re-authorisation, or authorisation in the case of payment initiation and account information service providers, is relatively short. If you would like help to prepare for the new payment services regime or advice on any regulatory matter, please get in touch.
This post contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate.