How UK law is changing under PSD2
The revised Payment Services Directive (PSD2) was published in the Official Journal of the EU nearly two years ago. Its passage to adoption had not been smooth, and neither has its route to implementation, not least because of controversy over a number of the key EU Level 2 requirements and technical standards. In this article, published in Compliance Monitor, Andrew Barber and Emma Radmore of Womble Bond Dickinson (UK) LLP outline how UK law and regulation is set to change, and highlight the key effects of the new measures.
As with all EU measures coming into effect before Brexit, the UK attitude is to comply fully, and take all necessary measures to do so. As PSD2 is a Directive, it needed to be transposed into UK law, and Treasury and FCA have followed the now normal approach of copy-out which makes the best use of derogations and exemptions to mean as little change as possible for UK firms.
UK implementation is through the Payment Services Regulations 2017 (PSRs). These were made in July, with certain enabling provisions taking effect over the following months. The bulk of the PSRs take effect on 13 January 2018.
Scope of PSD2
To set the context, PSD2 applies to all payment institutions (including registered institutions), credit institutions and e-money institutions, as well as specific and centralised functions. There was limited ability to exempt certain institutions, such as credit unions. This article focuses on the three main types of payment services provider (PSP) highlighted above. It does not go into detail on the specifics of the new regulated payment service activities of Account Information Services (AIS) and Payment Initiation Services (PIS) – both of which newly fall within the scope of regulation to ensure security for users.
The exemptions in PSD2 are similar to, but critically in a couple of respects not identical to, those in PSD1. The key changes identified by the UK government were:
- To address the way in which the exemption for electronic communications networks and services operates. This exemption allows lower value payments to be exempt, if they meet an individual €50 and monthly cumulative per subscriber €300 limit. The Government wondered how this could operate if cascaded down through intermediaries, and how intermediaries could manage if they could fall within the exemption for some parts of their business, but not for other parts
- The "limited network" exemption, a feature of PSD1 (and the second electronic money directive) and which, under PSD2, has been clarified to state it works only for a very limited range of goods and services, and also requires providers who use it to notify their supervisory authority if the value of transactions entered into over the previous year exceeds €1m
- The commercial agent exemption, which under PSD2 applies narrowly so it covers only transactions where the agent is acting on behalf of one side of the transaction – thereby no longer allowing platform models to benefit from it
- Among other changes in scope are the change that applies transparency and conduct of business requirements to both payments to and from third countries where one payment service provider (PSP) is in the EU, and transactions in non-EU currencies where one leg of the transaction is in the EU (and for this purpose it is irrelevant where the transaction is cleared and settled). This differs from the PSD1 model which applied these only where both PSPs were in the EU and the transaction was in an EU currency.
The net effect is that all PSD1 PSPs continue to be covered by PSD2, while some entities that were not covered by PSD1 (providers of AIS and PIS), and some that benefited from PSD1 exemptions which no longer apply because PSD2 has narrowed them, are newly covered.
The PSRs revoke and replace almost all of their 2009 predecessor and cover:
- the FCA's duty to keep a register of authorised and small payment institutions, registered account information service providers, agents of all these, of notifications under the limited network and electronic communications networks exemptions and notifications required from exempt bodies
- the authorisation application process, applications for variation, and the conditions applicants must meet in order to become authorised. This part also sets FCA's timescales for determining applications (3 months for a complete application, 12 months otherwise), and FCA's powers to vary, cancel or place requirements on a person's authorisation
- the process for registration as a small payment institution, and the conditions applicants must meet.
- Authorised payment institutions
  - Capital requirements
  - Safeguarding requirements
  - Accounting information
  - Outsourcing notifications and conditions for outsourcing
  - Passporting notifications (inwards and outwards).
- Provisions applicable to authorised payment institutions and small payment institutions
  - Record keeping and retention
  - Permitted additional activities
  - Use of payment accounts
  - Use of agents, and requirement for agents to be registered with FCA
  - Reliance on others for performance of operational functions
  - Duties to notify FCA of changes in circumstance.
- Requirements for providers of services that are not payment services
  - Notification requirements for users of the limited network exclusion
  - Notification requirements for users of the electronic communications exclusion.
- Information requirements for PSPs, including
  - When information requirements apply
  - Application to regulated credit agreements
  - Disapplication of some requirements to low-value payment instruments
  - Information that is:
    - Required before concluding a single payment service contract
    - Required after initiation of a payment order
    - Required after receipt of a payment order
    - Required for the payee after execution
    - Required for framework contracts, both before and during the contract
    - Related to termination of framework contracts
    - Required before an individual payment transaction under a framework contract
    - Required for the payer and payee on individual payment transactions.
  - Communication of information
  - Charges for information
  - Currency conversion
  - Other requirements – for example, on account information service providers and on ATM withdrawal charges.
- Rights and obligations in relation to provision of payment services
  - Permitted charges
  - Consent and withdrawal of consent
  - Confirmation of fund availability
  - Access to payment accounts for payment initiation services and account information services
  - Limits on the use of payment instruments and access to payment accounts
  - Obligations of users
  - Obligations of PSPs in relation to payment instruments
  - Notification and rectification of unauthorised or incorrectly executed payment transactions
  - Evidence on authentication and execution of payment transactions
  - Liability of PSP, payer or payee for unauthorised payment transactions
  - Payment transactions where the transaction amount is not known in advance
  - Refunds and requests for refunds for payment transactions initiated by or through a payee
  - Receipt of payment orders
  - Execution of payment transactions – receipts, refusals and revocations of payment orders, amounts transferred and amounts received
  - Execution time and value dates
  - Liability for incorrect unique identifiers, non-execution or defective or late execution, charges and interest and rights of recourse
  - Miscellaneous rights and obligations, such as personal data use, operational and security risks, incident reporting, authentication and dispute resolution.
- Access to payment systems and bank accounts
  - the ban on restrictive rules on access to payment systems
  - indirect access to designated systems
  - access to bank accounts.
- The FCA
  - Its functions and role, including its supervisory and enforcement powers and its ability to give guidance.
- The Payment Systems Regulator
  - Its functions, its right to give directions, make guidance and impose penalties.
- General provisions such as
  - A ban on contracting out of statutory requirements
  - Making it a criminal offence to provide payment services without proper authorisation, or falsely claiming to be a payment services provider or exempt
  - The consequences of misleading FCA or the Payment Systems Regulator
  - Liability of officers of bodies corporate for corporate offences
  - Duties of co-operation.
- Payment services
- Activities which do not constitute payment services
- Information to be included in authorisation applications
- Capital requirements
- Information for framework contracts
- Powers in relation to restricting entry into credit agreements
- Changes in other laws
- Application to Gibraltar.
The PSRs seem so wide ranging and, in many respects, so prescriptive, one might wonder what remains for FCA rules to cover. The answer is, quite a lot. FCA's finalised "made rules" and its new Approach Document put much flesh on the bones the Treasury created. Major changes have been made to several parts of the FCA Handbook.
The Glossary: this is updated to introduce many new defined terms including for account information services, what "digital content" means, and terms relevant to payment initiation services. Many other terms are amended to reflect the PSD2 definitions.
SYSC: A new section is added to SYSC (SYSC 9.2), to provide record keeping rules specific to credit institutions that provide account information or payment initiation services.
BCOBS: BCOBS is amended, but possibly not as significantly as some might have expected, reflecting the fact that much of what was there before will suffice to make firms PSD2 compliant. New sections have been added, specifically on security of electronic payments, and to the existing rule on non-execution or defective execution of payments. A transitional provision also gives firms 18 months from the date on which the RTS adopted under article 98 PSD2 on authentication have come into force.
SUP: SUP 15 will have new notification requirements within SUP 15.8 for credit institutions that provide account information services (AIS) or payment initiation services (PIS), and a new section SUP 15.15 will cover notifications under the PSRs. SUP 16.13 is also embellished in respect of PSR requirements, and SUP 16.15 is amended in respect of requirements on e-money institutions. There are also new forms and explanatory notes for their completion, including on the Payments Fraud Report form and the Authorised or Small Electronic Money Institutions Questionnaires. There are transitional provisions covering the dates on which certain parts of some forms should be completed and when the forms must be filed.
DISP: A new rule has been added to confirm application of the complaints reporting directions to a firm that provides payment services or issues e-money in respect of complaints from payment services users and complaints from e-money holders that are eligible complainants, and also to set out how the rules apply to payment services providers that are not firms. There is a new section for payment services and e-money complaints reporting in the complaints data publication rules section, and an attendant new form. FCA has also produced a chart showing which DISP rules apply in respect of which business types. DISP 3 has also been amended to confirm the jurisdiction of FOS for Electronic Money Regulations 2011 (EMR) and PSR complaints.
EG: EG has been updated to update references and set out FCA's powers over EEA authorised payment institutions.
PERG: Finally, FCA has significantly updated PERG chapters 3A (Guidance on the scope of the Electronic Money Regulations) and 15 (Guidance on the Scope of the Payment Services Regulations).
Regulatory Technical Standards (RTS)
As is increasingly the case with EU legislation, the level 1 Directive is supported by a set of detailed RTS made by the European Banking Authority (EBA). The UK regulators will apply these as part of their regulation of payment services. Some of the RTS are mechanical and were uncontroversial – but even so, not all are finalised and approved. Others have proved more controversial and are still not finalised. All this means there may be more need for change, if the final guidelines address an issue in a way that is not consistent with FCA's approach. In particular:
- The only RTS which have been finalised and translated into official languages are those on authorisation and registration under PSD2 and those on stipulation of the minimum amount of PII cover
- Guidelines on major incident reporting and on procedures for complaints of alleged infringements of PSD2: these are in final form
- RTS on passporting are in final form and with the Commission, and EBA is currently consulting on RTS for co-operation between supervisors of passporting institutions
- RTS on strong customer authentication and common and secure communication: EBA had finalised these in February, but the Commission raised several concerns with which EBA did not agree. We still await adoption
- Guidelines on operational and security risk measures, on fraud reporting, on central contact points and on the EBA register: EBA consultations on these have closed over the past few months.
Forms and Notifications
FCA has been gradually publishing a whole raft of new and updated forms and notifications. The new forms for authorisation or registration under the PSRs, or the EMRs as amended by the PSRs, have been available for use since mid-October. Key changes from the previous forms include the need for applicants to provide information on:
- Procedures for incident reporting
- Processes in place to file, monitor, track and restrict access to sensitive payment data
- Principles and definitions applied to collecting statistical data on performance, transactions and fraud
- Arrangements for business continuity and how the plans are tested and reviewed
- Security policy, which will include risk assessment and mitigation measures to adequately protect payment service users against identified risks, including fraud and illegal use of personal and sensitive data
- Description of the checks carried out on agents and branches
- Details of PII cover where firms are required to hold it.
There are also new forms for individuals responsible for the management of e-money or payment institutions. FCA's application pages include forms for new applicants, for currently authorised and registered firms needing to make notifications and for firms needing to apply for variations of permission. There is also a page dedicated to the new activities of account information service providers (AISPs) and payment initiation service providers (PISPs), and "account servicing PSPs", who provide payment accounts to customers that are accessible online, and who will need to give AISPs and PISPs access to the accounts. FCA has confirmed its role in ensuring all AISPs and PISPs are properly authorised or registered and has created a new optional, no-capital, status of "registered account information service provider" for those that carry on only AIS services. The pages link to the current EBA guidelines.
FCA has also confirmed the transitional arrangements for firms that are already authorised or small payment or e-money institutions. All e-money institutions must provide new information to FCA by 13 April 2018 to ensure they can continue to provide payment services after 13 July. Small payment institutions have until 13 October 2018 to provide information that will allow them to continue with their services after 13 January 2019.
Time is now clearly of the essence. Those firms needing to become newly authorised or registered, or to seek a variation of permission should have applied by now in order to be able to carry on their business after 13 January. Those that need to provide information to FCA have a little more leeway and can focus on changes to their organisational requirements, policies and procedures that the new PSRs and changes to FCA rules require.