Are you ready for PSD2?

Introduction

The revised Payment Services Directive (PSD2) represents perhaps the most significant evolution of the way payment services are regulated in Europe; in short, it is expected to revolutionise the way we make payments online. In contrast to the majority of financial services legislation passed since 2008, PSD2 represents an opportunity for smaller players: the regulation will break the banks’ monopoly on payments for the first time, requiring them to grant qualified third parties access to account information and payment initiation services. Until now, this was available only to large players in the industry.

In the UK, 80% of current accounts are under the control of the 5 largest banks (HSBC, Lloyds, Barclays, Santander and RBS). On the 13th of January this year they will be required to grant access to these accounts to appropriately authorised payment services firms (AISPs and PISPs). This is the so-called Open Banking initiative, which regulators hope will improve

Additionally, PSD2 requires all existing payment firms to provide their national regulators with more information, and brings more companies within the scope of regulation for the first time.

How will PSD2 change the payments industry?

  1. All existing small Payment Institutions (PIs) and E-money Institutions (EMIs) will have to re-apply for permissions by April 2018 by sending the FCA additional information. We have set this information out below.
  2. There have been changes in scope and exclusions since the original Payment Services Directive (PSD). PSD currently only applies if both the payer and payee are located within the EEA. PSD2 extends this scope to include transactions where only one of the parties is located within the EEA (so-called ‘one leg’ transactions). The specified exemptions from regulation have also narrowed – read more about this below.
  3. If you are facilitating payments but your activity is excluded from the scope of PSD2, you will need to file a PSD2 exclusion notification form with the FCA. In particular, if your firm falls under the ‘Limited Network exclusion’ and your transactions are over €1 million in any 12-month period, you must provide a description of your activities. If your firm falls under the ‘Electronic Communications exclusion’, you must notify the FCA and give a full description of your activities.
  4. There are two new payment services permissions – AISP and PISP.

An AISP is an account information service provider, which operates an online service that provides consolidated information about payment accounts held by users of the service. A PISP is a payment initiation service provider, which operates an online service that gives access to a user’s payment account in order to initiate a payment with the user’s consent and authentication.

I already have a payment services or E-Money license. What do I need to do to continue my activities?

If you already have the license, you will need to re-apply by supplying the FCA with the following information:

  • The firm’s internal policies and procedures for controlling and handling security incidents;
  • The firm’s information security policy (this is a particular area of focus for regulators – security policies must be detailed and robust);
  • How the firm records, monitors and restricts access to sensitive payment information;
  • The methods the firm uses to collect statistics on performance, transactions and fraud;
  • Arrangements for business continuity and the procedure for testing and reviewing those plans;
  • Security policy, including a risk assessment and procedures to mitigate the risks related to the provision of payment services, including the risk of fraud and improper use of sensitive personal data;
  • Professional Indemnity Insurance (PII) held;
  • Description of checks on agents and branches.

On the 13th of October 2017 the forms were released, and you have until April 2018 to re-apply via FCA Connect.

I would like to become an AISP or PISP. How do I do this?

Existing PSD and EMR (payment services and e-money) firms can apply for a Variation of Permission to add the new activities. This will allow your firm to gain access to user accounts and take advantage of the Open Banking regime.

Adding AISP permissions is not likely to affect regulatory capital requirements, but adding PISP permissions will raise your minimum regulatory capital to €50k (if it isn’t the same or higher already).

For firms not currently regulated:

If you just want to provide account information services, you can apply to become a RAISP. You can do so using FCA Connect. In the application form you will need to provide:

  • Basic information about your firm, such as the name, address, Companies House number, etc.;
  • Main activities of the firm;
  • Business plan;
  • Structure of the organisation;
  • Governance arrangements and internal controls;
  • Procedures to monitor security incidents and security-related complaints;
  • How the firm records, monitors and restricts access to sensitive payment information;
  • Security Policy;
  • Business Continuity plan;
  • Suitability assessment of the directors;
  • PII;
  • Fees and levies to the FCA.

If you want to provide payment initiation, you will have to become an Authorised Payment Institution (API) with additional PISP permissions. This means you must go through the standard authorisation process and are subject to the majority of the FCA’s rules on conduct and capital.

Note that Small Payments Institutions (SPIs) and Small Electronic Money Institutions (SEMIs) cannot add AISP or PISP permissions – they will need to upgrade their license to an API or Authorised Electronic Money Institution (AEMI) respectively.

My company is involved in payments, but we think we could be exempt from PSD2. What do we do?

The directive will still allow certain business activities undertaken by non-banks to remain outside its scope; however, the regulatory gap has definitely tightened, as the list of activities excluded from the scope of the regulation has changed.

  • The ‘Limited Network Exclusion’: providers of limited network payment instruments, such as gift cards or public transport cards, are excluded from the scope of regulation.
  • The ‘Electronic Communications Exclusion’: transactions provided by electronic communication network providers for digital content and voice-based services, tickets or donations to charity which are charged to a subscriber’s bill, subject to per-transaction and cumulative monetary thresholds.

To be exempt from the scope of regulation as a commercial agent, you do not need to file any notifications. For the above two exclusions, however, you would have to fill out the PSD2 Exclusion Notification form (which can be found on the main page of FCA Connect) and provide it to the FCA.

In both forms, you would just need to explain what your business is and what services it provides, how the exclusion applies to your firm, and the monetary value of the transactions you facilitate. For the electronic communications exclusion, you would also need an auditor’s opinion on the transaction value.

What can FinTech Compliance do to help?

At FinTech Compliance, we are working with some of the leading innovative payment services firms to help them get ready for PSD2 and take advantage of the new Open Banking regime. Our experienced and professionally qualified team has a 100% success rate with FCA applications, so if you are looking to get that crucial first-mover advantage and ride the wave of the payments revolution, look no further.

Whether you are an existing regulated payments firm, you are looking to get regulated for the first time, or you are not sure whether or not you are within the scope of PSD2, we can help. In particular, we offer the following services:

  • PSD2 re-applications to the FCA
  • AISP and PISP authorisation and Variation of Permission applications
  • Bespoke PSD2 scoping exercises
  • Notice of Exemption applications
  • General product development advice

Call or email us for a free consultation today!