Back in October last year, fscom director Alison Donnelly wrote a blog on the FCA’s consultation on new rules for payment and e-money institutions. As explained in that blog, due to FCA concern with how some e-money and payment institutions have communicated with their customers in the past, certain sections of the FCA Handbook are being applied to payment and e-money institutions.
With only four months to go to the final PSD2 implementation date of 14 September 2019, all payment service providers must make sure they are urgently progressing plans to meet the additional regulatory obligations or to confirm that their obligations are met.
Safeguarding is both a simple and important concept. Every payment and e-money institution that I have ever worked with wants to protect their customers’ funds and make sure that, if the worst came to the worst and they became insolvent, either their customers’ payment instruction would be fulfilled or they would have their funds returned to them.
In my previous blogs I have given you the basics of strong customer authentication (SCA) and explained how the exemptions could be used to minimise the disruption experienced by payment service users when making payments or accessing transaction information. In this blog, I will take a closer look at the details of the SCA obligations and explain why it’s not as simple as the much-mentioned two-factor authentication (2FA).
At the time of writing there are 10 days to go until the date (currently) written in UK and EU law on which the UK is scheduled to leave the European Union on March 29, 2019 – Brexit Day.
In anticipation of a ‘no deal’ Brexit, HM Treasury has enabled the FCA (and PRA) to create a Temporary Permissions Regime (TPR) whereby, at its simplest, EEA firms can effectively ‘grandfather’ their passports for a limited period beyond Brexit Day.
This blog seeks both to remind EEA firms of the TPR, and the need and method to enter it, prior to Brexit Day (assuming that the current timetable remains), but also to highlight a couple of pitfalls for payments and e-money firms should they leave such notification to the very last moment.
In my previous blog, I outlined the basic requirements of the new obligation, brought in under PSD2 (the second Payment Services Directive), for all payment service providers to apply strong customer authentication (SCA) in certain circumstances. SCA has to be applied both when accessing payment account information and when initiating a payment transaction meaning that a customer checking their account and then paying a couple of bills would have to go through SCA multiple times in one session, which is far from ideal on the user-experience scale. To avoid this, you, as a payment service provider (PSP) can apply one of nine exemptions, if circumstances permit.
Strong customer authentication (SCA) is a valid attempt by the EU to curb electronic payment fraud, including ‘card-not-present’ fraud. From a glance the concept is fairly simple, it will be a regulatory obligation to apply two factor authentication (2FA) to the electronic payment process. However, it’s not all quite as simple as that as SCA has more requirements than just the frequently touted 2FA. This blog will provide the basics on SCA and subsequent blogs will go into more detail on the exemptions and how SCA differs from simple 2FA.
Several weeks ago, our Managing Director Jamie Cooke wrote a blog which discussed the position of UK-authorised firms with regard to EEA-resident clients. He pointed out that in the case of a ‘No Deal’ Brexit, a passporting UK firm will no longer be able to actively solicit EEA-based clients and discussed the lack of clarity regarding business initiated exclusively at the discretion of EEA-based clients.