Posted: 28th September 2017
FCA release final approach document for the Implementation of the revised Payment Services Directive (PSD2)
On the 13th January 2018, the Payment Services Directive 2 (PSD2) will be transposed into UK law. This follows a number of consultations and changes since the first PSD was implemented on the 1st November 2009.
PSD2 is an EU-wide regulation following in the footsteps of SEPA (Single Euro Payments Area) with the aim of revolutionising payments and modernising our current payments industry. Its key objectives are to lower risk and fraud, improve customer experience, enhance competition and drive innovation.
The approach document issued on the 19th September by the FCA focused on its delivery of the Payment Services Regulations (PSRs) reflecting the PSD2 regulation, providing firms with much-needed direction on how our UK competent authority views the delivery of the PSRs. The majority of these will be delivered by January 2018, with some other articles reaching into late 2019 due to the need for further technical standards.
In its path to this approach document, the FCA recently undertook two consultations, one focused on the approach document and handbook changes, and another on the authorisation and reporting forms.
The first consultation focused on how the FCA, as the nominated competent authority for PSD2 in the UK, would monitor and oversee this ‘maximum harmonisation’ regulation, something which the UK payments industry felt was very late in happening, and could lead to the late delivery of PSD2.
The latter had the objective of allowing the industry to comment on the FCA’s proposed approach to authorisation and registration forms, reporting and record keeping.
The regulation’s aim is to enhance payments, reducing friction in the transaction whilst delivering a safer and more secure environment. This new environment would be extended through greater competition, enabling third parties to enter the value chain, and giving these new entrants access to data - data which in today’s world is only available and accessible by the consumer (of the data) and the financial institution where the data is held.
In the final approach document the FCA highlights a number of key points:
- Its key objectives for PSD2 are a) focusing on security and risk for the consumer, and b) enhanced competition in the interest of the consumer
- Consumer protection (whether real time or post transaction) has always played a key role in PSD2, and the FCA highlights the following:
  - The security of payments will be enhanced by new requirements on PSPs (Payment Service Providers). These requirements will seek to mitigate the risks that can arise as a result of new technology. Strong Customer Authentication (SCA – also known as two-factor authentication), once introduced, has the potential to protect consumers accessing their payment accounts from the risk of fraud or abuse
  - Where things do go wrong, customer complaints under PSD2 will now need to be resolved within 15 working days, more quickly than is currently required. Customers’ exposure to liability will also be reduced where they have suffered losses
- In its drive for effective competition the FCA puts focus on the revolutionary element of the regulation, data sharing with Third Party Providers (TPPs), Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs), stating:
  - The arrival of TPPs through AISPs and PISPs will drive necessary competition
  - The driver of the AISP and PISP competition will be the Competition and Markets Authority’s (CMA) Open Banking programme, where nine UK banks and building societies are mandated to develop new standards for sharing customer data
Complaints - Under PSD2, payment service providers must give a full response to complaints that involve rights and obligations under PSD2 within 15 working days. If there are exceptional circumstances, this is extended to a maximum of 35 days and the firm must send the payer a holding letter in the interim.
Strong Customer Authentication - PSD2 requires SCA, which is also known as two-factor authentication. Payment service users will need to use SCA whenever they access their payment accounts online, make an electronic payment or carry out any action through a remote channel which may carry a risk of fraud or abuse. SCA is made up of two or more elements, including knowledge (something you know, such as a password), possession (something you have, such as a card or mobile device) or 'inherence' (something you are, such as a fingerprint or voice recognition).
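The SCA rule as stated above has a detail that is easy to get wrong in an implementation: two elements of the same category (a password plus a PIN, say) are not strong customer authentication; the elements must come from at least two different categories. The following is an added example, not code from the original article or from the FCA, of a small policy check that applies that rule. The element names and the data model are constructed for illustration.

```python
"""Check whether a set of presented authentication elements satisfies the
PSD2 SCA rule described in the text: two or more independently verified
elements drawn from different categories (knowledge, possession, inherence).
Data model and sample element names are constructed for this example."""
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "knowledge"    # something you know, e.g. a password
    POSSESSION = "possession"  # something you have, e.g. a card or mobile device
    INHERENCE = "inherence"    # something you are, e.g. a fingerprint or voice


@dataclass(frozen=True)
class Element:
    name: str            # constructed label, e.g. "password"
    category: Category
    verified: bool       # True only if this element's own check passed


def verified_categories(elements):
    """Distinct categories among the elements that actually passed."""
    return {e.category for e in elements if e.verified}


def sca_decision(elements):
    """Return (satisfied, reason). Satisfied only when verified elements span
    at least two distinct categories; same-category pairs do not qualify."""
    cats = verified_categories(elements)
    if len(cats) >= 2:
        return True, "SCA satisfied: " + ", ".join(sorted(c.value for c in cats))
    presented = sorted({e.category.value for e in elements})
    if len(cats) == 0:
        return False, "no verified elements (presented: %s)" % ", ".join(presented)
    (only,) = cats
    return False, "only one verified category: %s (presented: %s)" % (
        only.value, ", ".join(presented))


def sca_satisfied(elements):
    return sca_decision(elements)[0]


if __name__ == "__main__":
    # Constructed sample sessions.
    password = Element("password", Category.KNOWLEDGE, True)
    pin = Element("pin", Category.KNOWLEDGE, True)
    device = Element("registered-device", Category.POSSESSION, True)
    fingerprint = Element("fingerprint", Category.INHERENCE, False)  # scan failed
    for label, elems in [("password+pin", [password, pin]),
                         ("password+device", [password, device]),
                         ("password+failed fingerprint", [password, fingerprint])]:
        print(label, "->", sca_decision(elems)[1])
```

The check deliberately ignores unverified elements rather than merely counting what was presented, so a failed biometric scan cannot be counted towards the two-category minimum.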
Assessment of operational and security risk measures - At least every year, PSPs must send their competent authorities an updated and comprehensive assessment of the operational and security risks to their payment services. They must also include information on the effectiveness of the mitigation measures and control mechanisms they have brought in.
Incident reporting - PSPs must notify their competent authorities as soon as possible if they become aware of a major operational or security incident. When the competent authority receives this notification, they will be required to give the European Banking Authority (EBA), the European Central Bank (ECB) and any other relevant authorities in the member state relevant details.
Considerations for firms
Most medium to large corporates in the UK will have some awareness of PSD2, and it is likely that the majority of these firms will have a full-scale programme in progress to address the changes necessary to be compliant by January 2018.
The FCA approach document will bring assurance to those firms whose programmes began 24 to 36 months ago, and which have to date been working to assumptions as to what the FCA and HM Treasury would provide as guidance.
There are a number of considerations for firms as a result of the document:
- It is important that all firms, whether existing or new to payments, understand the impact of the regulation, not only to their processes, but also what this will mean to their customers
- Compliance cannot be achieved by addressing the Open API access alone, which will meet the CMA order but only some of the PSD2 Articles
- Full compliance with PSD2 must be treated in a broader sense, including conduct assessment, security and fraud risks, policy review, consumer impact and a reconsideration of the firm’s strategy / operating model
- Complaints now need to be managed within a shorter period, so it is likely that a new process will be necessary
- All companies need to review their incident management process to align this to the new rules confirmed by the FCA
- Terms and Conditions will need to be re-written to take account of the new AISPs/PISPs
The changes delivered from PSD2 will impact not only established financial institutions, but all firms providing financial services, including but not limited to fintechs, challenger banks, foreign banks and insurance and telephone/mobile operators.
The degree of impact will be measured by the services offered, but it is recommended that all firms providing some financial services carry out a PSD2 readiness review to establish impact, risk and primarily readiness. The 13th January is only three months away, and compliance with the regulation is non-negotiable.