fscom News and Events

PSD2 - further inside the regulator

[fa icon='calendar'] 19-Mar-2018 17:40:38 / by James Borley posted in PSD2, E-money, FCA, Payment services, FINTECH, cryptocurrency

[fa icon="comment"] 0 Comments


Drawing on my experience of heading up the Payment Services Authorisations Team at the FCA for many years, I spoke last week (http://blog.fscom.co.uk/psd2-a-glimpse-inside-the-regulator) about the FCA’s expectations for authorisations and re-authorisations, and offered some insight into how they might approach the challenges brought about by PSD2. I now explore the risks inherent in firms wishing to ‘upgrade’ their licences, the new entrants under PSD2 and the FCA’s approach to supervision.

Licence upgrades

Recently, it has emerged that the FCA may not be as ‘proportionate’ as one might expect, certainly when it comes to firms taking the PSD2 re-authorisation requirements as an opportunity to instead ‘upgrade’ their licence e.g. an authorised payment institution (API) seeking to become an authorised e-money institution (AEMI). Whilst it may be reasonable to assume that a well-completed AEMI application submitted in good time ought to have been able to be determined ahead of the 13 April deadline for re-authorisation submissions, the FCA is only now advising such firms to also submit an application for re-authorisation as an API. Whilst I understand the legislative requirement here and that the firm runs the risk of not being able to continue to provide payment services beyond 13 July 2018 if the AEMI application has not been determined by then, it is entirely disproportionate to require the firm to complete (and pay for) a second application which will largely be identical to the first, given they are both based on the EBA Guidelines for Authorisation. Note that this situation also applies to small e-money institutions wishing to become AEMIs and, to a lesser extent by virtue of longer timescales, to small payment institutions applying to become APIs.

One would hope that the obvious – and proportionate – solution would be for the firms in question to submit a shell application for re-authorisation, with all answers to the application questions being cross-referenced to the first application, where relevant. One would also hope that the application fee is waived; why should the firm expect to pay for a licence it doesn’t want and for an application that has, essentially, already been submitted?

What about FinTechs?

The expectation, or perhaps simply a generalisation, is that FinTechs will be entering the market through the new services introduced by PSD2, account information services and/or payment initiation services (AIS and PIS respectively). Whilst this may not be entirely true, there is no denying that these services are underpinned by new technology or interfaces, which often come to market as financial apps. More pertinently, these services are new to regulation. As such, the FCA itself has to quickly try to understand the business models at play. To help them in this effort, the FinTech should try to present their business model and the customer journey as clearly and simply as possible.

That is not to say that all firms (FinTechs or not) undertaking AIS/PIS need to seek registration with the FCA just yet. There is a transitional ‘fuzzy period’ hidden at the back of the PSD2 text which allows firms who were already doing this business before 12 January 2016, to continue to do so without the need for registration, until the introduction of regulatory technical standards on Strong Customer Authentication and Common and Secure Communication (the fabled ‘RTS’ that has dominated much of PSD2 discussion). However, absence of a registration with FCA means that these firms are not entitled to plug in to Open Banking or, indeed, any API or interface provided by another online account service provider. This is all set out in last year’s helpful joint communication from HM Treasury and the FCA here: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/630135/Expectations_for_the_third_party_access_provisions_in_PSDII.pdf

What does the FCA expect in terms of ongoing requirements?

In many respects, PSD2 changes little in terms of compliance. However, the FCA has introduced changes to the FSA056 reporting return (to reflect the changes to the qualifying items that can be used as capital resources) and additional reports covering, for example, complaints handling, fraud reporting, controllers and close links, and incident reporting. There are also new notifications required in respect of, among other things, major operational or security incidents.

With more information coming its way, it is unsurprising that the FCA has set up a new Payments Department within its Retail Banking Supervision directorate. This department is now gearing up to assess the payments ecosystem and has already embarked on a series of visits to firms to better understand the business models operating within that ecosystem. It is true that supervision under PSD1 was entirely reactive (e.g. based on complaints or other intelligence about firms being notified to the FCA), but it seems that supervision under PSD2 may be an entirely different proposition, reflecting that payments touch almost every consumer in the UK and warrants more scrutiny and understanding than afforded it previously. That said, FCA has c.56,000 firms to supervise across industry verticals, with more on the way with Claims Management Companies coming under FCA supervision in 2019 (and, maybe, cryptocurrencies in the near future – see Karen Vickers’ helpful blog on this http://blog.fscom.co.uk/bringing-cryptocurrency-to-the-front-line). It would be understandable, therefore, if FCA’s supervisory budget didn’t quite stretch as far as it might want in this sector.

What will be a FinTech's most important challenges and concerns in relation to PSD2?

If we assume that most of the interest will be focussed on AIS and PIS, then systems security will clearly be pivotal. In the run-up to PSD2 implementation, the banks were prophesying ‘cybergeddon’ or widescale cyber attacks on AIS/PIS firms which would impact them and, more importantly, the security of their customers’ money and data. This was their reaction to PSD2 opening up the market and increasing competition. A successful cyber attack on an AIS or PIS would make their case for them. But, let’s not forget, firms offering AIS (and, to a far lesser extent, PIS) are already out there, and there has been no cyber catastrophe to speak of. For the FinTech it is important to have robust systems and security policies and to be clear what happens if there is a breach. Certification under Cyber Essentials, the government-backed scheme to help firms protect themselves against cyber attacks and other online threats, is one way a FinTech can satisfy itself, its customers, and the FCA, that it has taken appropriate steps to ready itself for the coming storm.

If you would like any help to understand how the changing regulatory landscape may impact your business, please get in touch.

Get in touch

This post contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate

Read More [fa icon="long-arrow-right"]

PSD2 - a glimpse inside the Regulator

[fa icon='calendar'] 13-Mar-2018 14:20:11 / by James Borley posted in PSD2, E-money, FCA, Compliance, Payment services

[fa icon="comment"] 0 Comments


Much of our time is, and seems always to have been, spent trying to interpret exactly what the regulations or, more importantly, the Regulator is expecting. A leading question asked by many compliance officers is, 'what do they expect of my company?'. This is often where the compliance consultant comes in.

Read More [fa icon="long-arrow-right"]

How are the third party providers (TPPs) faring under PSD2?

[fa icon='calendar'] 09-Mar-2018 09:14:44 / by Alison Donnelly posted in PSD2, E-money, FCA, Payment services

[fa icon="comment"] 0 Comments

It’s been five months since the FCA’s doors opened to applications from the new payment service providers, often referred to as third party providers (TPPs), and two months since they could appear on the Register so it’s a good time to ask how many have seized the opportunity presented by the second payment services directive (PSD2).

The answer is: ‘not so many’.

Read More [fa icon="long-arrow-right"]

A new year; a new payments landscape?

[fa icon='calendar'] 12-Jan-2018 23:40:13 / by Alison Donnelly posted in PSD2, E-money, FCA, Payment services

[fa icon="comment"] 0 Comments


To some, 13 January and the implementation of the second Payment Services Directive (PSD2) will be a significant milestone in their business’s path. They will be joining the community of the regulated financial services sector, which means that their owners and managers take on significant additional liability and are subject to a new level of scrutiny. They will have to meet certain standards and requirements ranging from the information they must give their customers to the type of insurance they must hold (in the case of the payment initiation and account information service providers) to how they treat client money (for authorised payment and e-money institutions and small e-money institutions).

Read More [fa icon="long-arrow-right"]

MiFID II: stay focussed and keep perspective

[fa icon='calendar'] 02-Jan-2018 22:08:06 / by Alison Donnelly posted in FCA, Compliance

[fa icon="comment"] 0 Comments

The second Markets in Financial Infrastructure Directive (MiFID II), and its accompanying regulation the Markets in Financial Infrastructure Regulation (MiFIR), are set to take effect tomorrow (3 January 2018) – some four and a half years after first being approved by the Council of the European Union (and after a year-long delay intended to allow for the development of the complex technical infrastructure required by firms for compliance with the incoming changes).

Read More [fa icon="long-arrow-right"]

There's an ICAAP to fit everyone; so wear it!

[fa icon='calendar'] 16-Aug-2017 15:19:32 / by Alison Donnelly posted in E-money, FCA, Compliance, Payment services, ICAAP, BIPRU, IFPRU

[fa icon="comment"] 0 Comments

Last year, the FCA sent a 'Dear CEO' letter about ICAAP. For those who don't know, the ICAAP is a process a firm follows to assess the risks it’s facing currently and in the foreseeable future and calculate an amount of capital it should hold as a buffer against those risks.

The letter was a warning that the exercise shouldn't be a quick totting up of sums without any real engagement in the process. It went only to IFPRU investment firms, though BIPRU firms also have to do ICAAPs. Payment and e-money institutions don't have to do an ICAAP but as those who are tackling their re-authorisation application know, PSD2 places strong emphasis on understanding and managing risks. 

Read More [fa icon="long-arrow-right"]

Countdown to PSD2: what do payment service providers have to do? 

[fa icon='calendar'] 28-Jun-2017 20:20:24 / by Alison Donnelly posted in PSD2, E-money, FCA, Compliance, Payment services

[fa icon="comment"] 0 Comments


In six months’ time, the second Payment Services Directive (PSD2) will be implemented in the UK. And while we don’t yet have finalised implementing documents, progress is being made on what the realised directive will look like. 

Read More [fa icon="long-arrow-right"]

Safeguarding guidance: FCA update

[fa icon='calendar'] 16-May-2017 17:22:02 / by Alison Donnelly posted in E-money, FCA, Payment services

[fa icon="comment"] 0 Comments

The FCA’s proposed interpretation of the safeguarding obligation is causing serious concern in the industry. Under the new guidance, payment and e-money institutions will be expected to match the value of payments they make on behalf of their clients from their own funds because they will have to both keep the value in a safeguarding account and remit it to the payee.

Read More [fa icon="long-arrow-right"]

FX forwards: in or out of scope under MiFID II?

[fa icon='calendar'] 13-Apr-2017 18:03:15 / by Alison Donnelly posted in FCA, Compliance, FINTECH

[fa icon="comment"] 0 Comments

For years, the UK charted a lonely but pragmatic course with its interpretation that deliverable FX forwards are not investment instruments. UK payment and e-money institutions can offer such products without requiring authorisation under the Financial Services and Markets Act 2000 (FSMA) while counterparts elsewhere in the EEA had to be regulated. The implementation of MiFID II in January 2018 will, among other things, confirm the UK’s position but the new definition is a little tighter than what we are used to in the UK and payment and e-money institutions must consider whether they want to remain unregulated.

Read More [fa icon="long-arrow-right"]

Crisis management under PSD2: what you need to know

[fa icon='calendar'] 31-Mar-2017 23:53:29 / by Alison Donnelly posted in PSD2, E-money, FCA, Payment services

[fa icon="comment"] 0 Comments


The technical glitch that left thousands of customers of high profile fintech start-ups without access to their money last month should act as a major wake up call to payment services providers across the UK.

Read More [fa icon="long-arrow-right"]