Posted: 20th July 2017
First published on Thomson Reuters Regulatory Intelligence in July 2017
Further to the new strategy for the UK payments industry, published by the Payment Strategy Forum at the end of last November, several other key documents have been released in recent months.
These, collectively, set the scene for the UK payments landscape over the coming years and set out the changes the industry will need to adopt:
- HMT’s consultation on the implementation of the Second Payment Services Directive (PSD2) in the UK
- The publication of the European Banking Authority (EBA)’s final draft Regulatory Technical Standards for strong customer authentication and secure communication under PSD2 and their subsequent linked consultation on security measures for operational and security risks under PSD2
- The Payment System Operator Delivery Group’s (PSODG) report setting out a recommended delivery plan for the consolidation of the operators of three of the UK’s payment systems
- The Bank of England’s (BoE) publication (post-consultation) of the blueprint for its replacement Real-Time Gross Settlement system
Simplified Access AND Enhanced Functionality
A core tenet of the November UK Payment Strategy document was to achieve simplified access to the UK’s payment systems and, within that, the proposal that the key UK retail payment systems should be consolidated in one form or another. For the past few months, the PSODG has been considering various options to achieve its goal. Its published proposal will result in the consolidation of the Bacs, Faster Payments and Cheque and Credit Clearing operating companies into a single entity by the end of 2017.
The benefit arising from this should not be underestimated. At present, a new Payment Service Provider (PSP) must contract with and meet the on-boarding and day-to-day operating rules of each Payment System Operator. Moving forward, there will just be one single entity to contract with and, in due course, a single set of rules and technical connectivity requirements. The underlying systems will, for the moment, remain separate but, in line with the UK Payment Strategy, the New Payment System Operator (NPSO) will take on responsibility for the development of the UK’s new retail payment architecture (NPA) from the end of this year. As such, within a few years, there will be one Payment System Operator and one principal Retail Payment System for firms to connect to.
The theme of simplification of access continues with the BoE blueprint. Firstly, the Bank has announced that it will be taking on the responsibility of bringing in-house the presently devolved operation of the country’s High-Value Payment System (currently operated by CHAPS Clearing Company). This will take place during 2017 and, again, should simplify the day-to-day relationship and operating requirements between the PSPs and the BoE itself.
Linked to this, the BoE has confirmed its intent to broaden the eligibility criteria for access to settlement accounts to include Non-Bank Financial Institutions (NBFIs). This is a key step to broadening direct participation in the UK payment systems given it is a requirement (of all the payment systems) that participants must hold an underlying settlement account at the BoE.
As per the UK Retail Payment Strategy, the BoE also announced its intent to move its replacement Real-Time Gross Settlement system (RTGS) to the ISO 20022 messaging standard and to support access to RTGS via third-party technical aggregators. With respect to the latter, a similar initiative is already being implemented for access to Faster Payments and, with access to the country’s High-Value Payment System following suit, it should provide new entrants to the banking market with considerably more straightforward connectivity than has been available to date.
In terms of other end user functionality, the new RTGS system will be designed to be capable of near 24x7 operation during business days, with short settlement windows potentially available at the weekend. Forward-dated and timed payments will also be available with functionality present to facilitate the tracking of payments.
The recently published documents now provide a far deeper insight into how PSD2 will be implemented in the UK and what will be required of PSPs in the UK and Europe.
In its consultation, HMT indicated its desire to build upon the existing UK Payment Services Regulations in order to reduce the cost for businesses and consumers. In summary, the consultation:
- Confirms that the regulations will affect transactions where only one “leg” takes place within the EU (previously both transaction “legs” had to be in the EU for the original Payment Services Directive to apply)
- Places an obligation on PSPs that provide indirect access to payment systems to do so in a proportionate, objective and non-discriminatory manner
- Sets out enhanced requirements regarding the provision of information to payment service users (PSUs) by both PSPs and payment initiation service providers (PISPs)
- Fully promotes, on the grounds of enhanced competition, those aspects of PSD2 relating to the rights of payers to use services provided via third-party firms (PISPs and account information service providers - AISPs) instead of their own PSP. This places obligations not only upon customers’ existing PSPs (now known under PSD2 as account servicing payment service providers - ASPSPs), but also on the third parties
- Confirms that HMT expects the Open Banking API standard (already mandated by the Competition and Markets Authority on the nine largest UK banks) should be the framework that underpins third parties’ communication with ASPSPs
- Provides comprehensive proposals around consent, authentication and communication between the payer, their ASPSP and third-party providers that the payer may wish to utilise. In particular, ASPSPs must provide third parties with access to the same information and functionality as is available to the customer when accessing their account online. HMT has indicated that access should be available from January 2018, even though the backing Regulatory Technical Standards (RTSs) would not be in effect by that point
- Provides insight into liabilities under PSD2 whereby the account servicing PSP would be responsible for refunding customers for unauthorised transactions even if they have been initiated via a third-party provider
The EBA’s recently published consultation on security measures for operational and security risks sets out an obligation on PSPs to “establish a framework with appropriate mitigation measures and control mechanisms to manage operational and security risks relating to the payment services they provide”. Furthermore, “PSPs shall provide to the competent authority on an annual basis, or at shorter intervals as determined by the competent authority, an updated and comprehensive assessment of the operational and security risks relating to the payment services they provide and on the adequacy of the mitigation measures implemented in response to those risks”. Within the UK, the competent authority will be the FCA. Unsurprisingly, many of the controls set out in the measures would be recognised as those appropriate for addressing cyber-related threats.
Finally, the EBA’s publication in February of the final draft of the RTSs sets out the detailed technical requirements backing the need for strong customer authentication and secure communication. The former will now apply for remotely-initiated transactions above 30 Euros (or local equivalent). The latter abolishes the former practice of third-party access without identification (or “screen scraping”). The final version of the RTSs also now requires that account servicing PSPs that use a dedicated interface will have to provide “the same level of availability and performance as the interface offered to, and used by, their own customers, provide the same level of contingency measures in case of unplanned unavailability, and provide an immediate response to payment initiating service providers on whether or not the customer has funds available to make a payment”.
Collectively, the changes summarised in these publications – together with other pending regulatory requirements (e.g. the new General Data Protection Regulations (May 2018) and, for the largest UK clearing banks, the requirements to ring-fence their retail activities (January 2019)) – mean the wider UK payments industry is facing a once-in-a-generation period of change.
With a mandatory implementation deadline for PSD2 which is only months away, it is essential that firms that are affected by these changes are already progressing down their implementation path. If this has not already commenced then it needs to do so with near immediate effect.
For firms that may choose to take advantage of the competitive opportunities arising from simplified payment system access and/or third-party access, again, near immediate planning should be taking place. The impacts of the changes are far-reaching; technology, product, customer information provision, complaint handling and regulatory compliance reporting are just some of the areas affected.