Regulatory Bulletin: Revised Payment Services Directive (PSD2)

By admin | FinTech

Revised Payment Services Directive (PSD2)

WHAT is it?

The second Payment Services Directive (PSD2) represents a significant evolution of the regulation applying to the European payments industry and has been drafted to take account of the ever-increasing pace of technological development in this area. It aims to build on the provisions of the first PSD, maintaining much of the regime as-is whilst widening the scope and extent of the rules, with the aim of providing increased security and opening up the industry to technological innovation.

Most of the granular requirements of PSD2 apply to European banks, who will now be required to open up their IT infrastructure to allow third-party Payment Service Providers (PSPs) access to their proprietary payment systems.

WHO will it affect?

All existing PSPs will be affected. This includes banks, building societies, credit card issuers, e-money institutions, and other types of payments institution such as money remitters (except certain types of firm which will benefit from an exclusion, as we have outlined below).

The legislation will also affect providers of payment accounts which can be accessed online (e.g. current accounts or e-money accounts) which are not regulated already. A number of new types of firm will also come under the scope of the legislation – see below for more details.

WHEN does it come into force?

PSD2 was introduced on 23 December 2015; the Directive requires all Member States to implement it in national law by 13 January 2018. The UK has drafted and passed the Payment Services Regulations, which transpose the PSD2 provisions into national law.

WHAT are the key focus areas?

Aims

PSD2 retains the same benefits that PSD introduced into the European market, such as improved economies of scale, enhanced competition and greater transparency; however, it also aims to improve customer protection and security, and to make the single market fit for technological developments.

Changes in territorial scope since the PSD

PSD currently only applies if the PSPs of both the payer and the payee are located within the EEA and the transaction is in euro, sterling or another non-euro Member State currency (except for the value dating and immediate availability provisions, which apply to ‘one-leg out’ transactions).

PSD2 will apply to ‘one-leg out’ transactions and to all currencies, whether euro or not, meaning the legislation will apply in all instances where payments are being made or received in the EEA – even if the counterparty is located in a third country.

Exclusions from PSD2

Not all providers of payment services are caught under PSD2. Certain types of firm can benefit from exemptions, meaning they will not have to be FCA-authorised as a PSP and do not have to comply with the specific provisions in PSD2.

  • The Commercial Agent Exclusion. This applies to agents who act as a third-party agent to a payer or a payee (but not both) to conclude the sale and purchase of goods and services. Many types of sales agent would be caught by this exclusion.
  • The Limited Network Exclusion. This applies to providers of limited-network payment instruments (e.g. gift cards). Firms that benefit from this exclusion will have to inform the FCA if their transactions exceed €1 million in a 12-month period and provide descriptions of their activities. On receipt of these descriptions the FCA decides whether the firms are still exempt.
  • The Electronic Communications Network Exclusion – transactions provided by electronic communication network providers, which are charged to a subscriber’s bill and are subject to thresholds.

All firms benefiting from these exclusions must provide the FCA with a description of their activities and an annual audit opinion confirming that their customers’ transactions fall within the limits of the exclusion.

A full list of exclusions and activities that are not considered payment services under PSD2 can be found in Part 2 of the UK Payment Services Regulations 2017.

New regulated services.

PSD2 is set to bring two new types of firm under the scope of regulation for the first time: Account Information Service Providers (AISPs) and Payment Information Service Providers (PISPs).

Account Information Service Providers are defined as operators of “an online service which provides consolidated information on payment accounts held by a payment service user with payment service providers”. These services, which customers often use to keep an eye on their finances and which allow third parties such as investment advisors to check how much they are saving, already exist in the UK. PSD2 will bring AISPs within the scope of regulation, ensuring that they can receive access to payment accounts and that they comply with regulations designed to ensure security for users.

PISPs are operators of “an online service which accesses a user’s payment account to initiate a transfer of funds on their behalf with the user’s consent and authentication”. These represent an alternative to paying online using a credit or debit card. These services are not widely used for online payments in the UK, but are popular in other European countries. Again, PSD2 brings these firms within the scope of regulation for the first time.

The FCA has made clear that AISPs which provide account information only will not have to undergo Part IV authorisation with the FCA, but will be subject to a light-touch registration regime and will be exempt from many of the specific provisions applicable to regulated PSPs, such as capital requirements.

However, PISPs must seek full authorisation from the FCA and will be subject to an initial €50,000 regulatory capital minimum (which may be higher if the PISP intends to provide other kinds of payment service).

Both firms must hold professional indemnity insurance (PII). Read the FCA’s approach to these firms here and the EBA guidelines on levels of PII here.


Authorisation and registration requirements for new and existing firms

New applicants:

Prospective PSPs applying under the Payment Services Regulations (PSRs) and e-money institutions applying under the Electronic Money Regulations (EMRs) will have to provide additional information beyond what they already provide, including information about:

  • Procedures for incident and customer complaint reporting, including details of:
    • Individuals responsible for assisting customers at the time of the incident;
    • The contact point for customers, including name and e-mail address;
    • Monitoring tools used to mitigate those security incidents;
  • Processes for protecting sensitive payment data, including details of:
    • A list of data that is considered sensitive;
    • Procedures in place to authorise access to that data;
    • The access-rights policy and details of back-up infrastructure;
    • Unless the applicant intends to provide PIS only, a description of how the data is collected and used;
    • The IT systems employed for security measures;
  • Methods employed for sourcing data on performance, transactions and fraud, including details of:
    • The type of data collected in relation to customers, type of service, instruments, jurisdictions and currencies;
    • The means, purpose, frequency and scope of collection in terms of the parties concerned, including branches and agents;
    • Organisational measures and methods used to prevent fraud, and reporting lines if it occurs;
  • Procedures for business continuity (including how these plans are reviewed), including details of:
    • Business impact analysis;
    • The identification of IT systems, back-up sites and key recovery software;
    • An explanation of how the applicant will deal with significant disruptions to its business;
  • Security policy document: a risk assessment and the mitigation measures that protect the end user against those risks (fraud, illegal use of personal and sensitive data), including details of:
    • A detailed risk assessment of the payment service(s);
    • A description of the IT systems, including the architecture and the business and support IT systems;
    • An exhaustive list of authorised external connections, such as partners, service providers and employees;
    • Physical security measures and mechanisms of the applicant’s data centre;
    • Any other information relevant to the risks arising from the specific activities of the applicant;
  • Information about checks on agents and branches;
  • Professional indemnity insurance held by AIS and PIS providers.

Existing firms

Existing payment and e-money institutions are allowed to operate under their current authorisation until the 12th of July; firms that wish to continue offering their services after the 12th of July 2018 need to provide the above information before the 13th of April 2018.

Small PSPs must re-apply and provide all relevant information before the 13th of October 2018 if they wish to carry on their activities after that date.

Information on how to provide the FCA with the above-listed documents, and on the process of seeking authorisation, will be published by the FCA on its website’s authorisation page after the Treasury has implemented the regulations.

Passporting under PSD2.

Under PSD2, firms with agents in another Member State that have passported under the ‘right of establishment’ may need to provide a “Central Contact Point” within that state. PSD2 gives host Member States the option to require those PIs and EMIs to appoint a central contact point in their territory; the objective of such a contact point is to ensure adequate communication and information reporting in the host Member State in accordance with PSD2 and to facilitate supervision by the competent authorities of the home and host Member States.

They might also have to provide periodical reports to the host state.

The FCA will publish information on when the firms that want to passport should apply at a later date.

Consumer Protection.

Key changes introduced under PSD2 to improve consumer protection:

  • Limiting payer’s liability when unauthorised transactions take place

Under PSD2, the payer’s liability for unauthorised transactions is capped at €50. Payers will, however, remain liable in cases of fraud, gross negligence, or failure to notify their PSP without undue delay on becoming aware of the loss.

  • Transactions which have been made incorrectly

Under PSD2, PSPs are responsible for the accuracy and timeliness of payments. PSD2 also states that payers are entitled to claim refunds through their Account Servicing Payment Service Provider (ASPSP), whether or not other PSPs are involved in the transaction. Those ‘other’ PSPs will in turn be liable to the payer’s ASPSP.

Each PSP’s liability is limited to their area of competence.

Payers have a maximum of 13 months to inform their PSP about an incorrect transaction.

In case a payer has provided the PSP with the wrong ID, the payee’s PSP is now required to ‘cooperate’ in order to recover losses.

  • Complaints handling

PSPs must give a full response to complaints within 15 days. In exceptional circumstances this time limit is extended to 35 days, and the firm must send the payer a holding letter in the meantime.

  • Strong customer authentication (SCA)

This is also known as two-factor authentication. Payment service users will need to use SCA whenever they access their accounts online, make an electronic payment, or carry out any other action that carries a risk of fraud or abuse.

The two elements of SCA are:

  • Knowledge (e.g. a password)
  • Possession (e.g. a credit card) or ‘inherence’ (e.g. fingerprint or voice recognition)

These elements must be independent from one another so that one of them being breached doesn’t compromise the integrity of another.

The EBA is responsible for developing technical standards for SCA.

Reporting under PSD2.

  • Reporting payments fraud

Statistical data on fraud must be sent by PSPs, via the competent authorities, to the EBA and ECB at least once a year.

  • Reporting security measures for assessment

PSPs must send an updated assessment of the operational and security risks and information about effectiveness of the mitigation and control methods they employ to the competent authorities every year.

  • Reporting from inward passporting firms

Member states may require PSPs that have agents or branches in their territories to report to them on their activities in their territories.

  • Reporting incidents

PSPs must notify the EBA and ECB (and any other relevant Member State authorities), by informing the competent authorities, of any major operational or security incident as soon as they become aware of it.

Existing PSPs and EMIs: Re-authorisation and re-registration requirements

  • Deadlines

There is additional information that existing PSPs must provide the FCA if they wish to continue providing payment services in the future. The information to provide is set out above and in the Payment Services Regulation 2017.

Existing PIs and EMIs should also notify the FCA if there are any changes to information they have already provided that is relevant to the conditions under which they were originally authorised.

Deadline to provide the new information: 13th of April 2018 (for authorised PIs, EMIs and small EMIs to continue operating after the 13th of July 2018)

Deadline to provide the new information: 13th of October 2018 (for small PIs to continue operating after 13th of January 2019)

  • Includes information specified in paragraphs 6,7,9, and 10 of Schedule 2 to the draft PSRs 2017
  • When companies can start applying

Applications can be made starting 13th of October 2017. More information on the application/information process can be found on this page.

Please note: there is no right to appeal if an existing PI or EMI fails to provide the additional information.

  • Applications still in progress

Any applications for authorisation and registration under the PSRs 2009 which are still in progress will be treated as applications under the PSRs 2017, and the FCA will notify such businesses should any additional information be required from them.

If these firms receive authorisation or registration between the 13th of October 2017 and 13th of January 2018, they will need to provide the additional information by the 13th of April 2018.

  • Passporting for existing PIs and EMIs

It is envisaged that holders of existing passporting permissions will not have to change these or re-apply for new permissions following the implementation of PSD2. The FCA has provided more information on this page and at chapter 6 of its draft Payment Services and Electronic Money approach document.

Under PSD2 there are changes in regard to:

  1. The passporting notification process
  2. The information to be provided in the application to exercise passporting rights to the Home State
  3. The rights of the Host State
  4. Reporting requirements

WHAT do firms need to do to comply?

  1. Business owners should familiarise themselves with the different categories of PSPs and have a clear understanding of which category they fall under. This is especially important for firms that provide, or plan to provide, AIS and PIS;
  2. Staff should be made aware of the updated list of documents that firms need to provide to the FCA, and of the dates stated in section 2(ii);
  3. Compliance teams need to look into the processes already in place and where data is being, and will need to be, captured;
  4. In particular, staff should pay attention to the deadlines by which these documents need to be sent to the FCA;
  5. Firms which have agents in other Member States must make sure that they are complying with the passporting rules under PSD2;
  6. Both staff members and customers should be made aware of the updated consumer protection law:
    • Complaints handling is now time-limited, as firms have 15 days to respond to complaints
    • Payers have a maximum of 13 months to inform their PSP about an incorrect transaction
    • Two-factor authentication should be in place for customers to access their online accounts
  7. Staff should be familiarised with the new reporting standards:
    • Statistical data on fraud and the assessment of operational and security risks should be sent to the FCA once a year
    • Incidents should be reported in a timely manner to both the EBA and ECB
  8. Firms with agents and branches in the territories of other EEA Member States should familiarise themselves with local reporting standards, as individual Member States will require detailed information about firms’ activities;
  9. Existing PIs and EMIs can start applying for re-authorisation and re-registration from the 13th of October 2017;
  10. Firms will need to ensure they are well within the deadlines, since there is no right to appeal if a deadline is missed.

WHAT can we do to help?

The FinTech Compliance team have considerable expertise in payment services regulation and have successfully authorised many payment services and e-money firms in the past. We are intimately familiar with the requirements of PSD2 and we can assist with all aspects of the notification, authorisation and implementation process for affected firms. In particular, we can help with:

  • A bespoke scoping exercise to determine your firm’s obligations under PSD2 and whether your business model will come under its ambit;
  • Assistance with a PSD2 implementation project, bringing all your policies, procedures and governance arrangements into compliance with PSD2 and making all the requisite notifications to the FCA;
  • Training for firms on their new requirements;
  • Providing a fully compliant suite of policies, procedures and documentation to cover the new consumer protection measures.

Please do not hesitate to contact us via telephone at +44 (0) 207 100 4058, or visit the Contact page on our website, if you require more information on PSD2 or would like to engage our assistance.