EBA opens consultation under revised PSD2

On 12 August 2016, the European Banking Authority (EBA) published a consultation paper on draft regulatory technical standards on strong customer authentication (SCA) and common and secure communication under the revised Payment Services Directive (PSD2).

The publication of these draft technical standards follows on from a discussion paper issued late last year, which received a number of responses, and sets out a harmonised framework designed to ensure security for both consumers and payment service providers (PSPs).

The draft technical standards contained in the consultation paper set out (as per Article 98 of PSD2) the following:

  • The requirements for strong customer identification, security measures to be complied with and common and secure standards of communication between account servicing PSPs, payment initiation service providers (PISPs), account information service providers (AISPs), payers, payees and other PSPs.
  • Technical standards which ensure an appropriate level of security for payment service users and PSPs, safety of funds and personal data, competition between PSPs, technology and business-model neutrality and the development of additional means of payment.
  • Certain exemptions, based on the level of risk involved in the service provided, the amount or recurrence of the transaction, or both, and the payment channel used for the execution of the transaction.

Feedback on the consultation is required by 12 October 2016.

What this means for you

The publication of the consultation paper will allow the industry to feed back concerns and known issues relating to customer authentication and secure communication prior to the publication of the final regulatory technical standards.

Some of the key takeaways from the publication are as follows:

  • it’s up to banks to define their own communication interfaces with AISPs and PISPs. There will be no defined, interoperable standard for these interfaces, with the EBA stating that it decided not to set a universal standard as “the future RTS must not prescribe the use of a specific industry standard of internet communication”;
  • the EBA has decided to include an exhaustive list of exemptions from SCA (notably excluding a risk-based exemption), including: contactless card payments under €50 (where the cumulative value of previous consecutive contactless payment transactions does not exceed €150); card not present transactions under €10 (where the cumulative value of previous consecutive contactless payment transactions does not exceed €150); and payments to a payee that the payer has explicitly whitelisted;
  • card acquiring PSPs must require payees to support strong customer authentication for all payment transactions (impacting existing processes such as Amazon’s one click model);
  • AISPs must be provided with the same information from payment accounts and associated payment transactions which has been made available to customers when directly accessing the information online (provided that this information does not include the display of sensitive payment data (“SPD”)). This leads to questions of what constitutes SPD and how redaction will take place; and
  • EBA is mandated to review and update the regulatory technical standards on a regular basis in order to take account of innovation and technological developments. This at least means that the standards will not be set in stone until PSD in its entirety is again amended but what constitutes “a regular basis” is not defined.

EBA publishes draft guidance on separation of payment card schemes and processing entities

On 21 July 2016, the European Banking Authority (EBA) issued its final draft Regulatory Technical Standards on the separation of payment card schemes and processing entities under Article 7(6) of the Interchange Fees for Card-Based Payment Transactions Regulation (Regulation (EU) 2015/751) (the Interchange Fee Regulation).

This final draft incorporates amendments identified during the consultation period which ended on 8 March 2016. It aims to facilitate greater competition among processing services providers in support of the overarching objective of the Interchange Fee Regulation, the purpose of which is to create a single market for card payments across the EU.

What this means for you

The requirements for payment card schemes and processing entities covered within this final draft include:

  • the necessity for accounting processes to enable production of annual separated profit and loss accounts and for these to be reviewed by an independent and certified auditor;
  • the need to operate separate workspaces; and
  • processes to ensure independence of senior management, management bodies and staff.

Further to this, guidance is provided relating to the use of shared services and shared information management systems, handling sensitive information, a code of conduct and the separation of annual operating plans.

The final draft will now be submitted to the European Commission for endorsement.

Spotlight: PSD2 and your communications strategy

We are regularly asked how we can help an institution to organise its communications strategy when there is an abundance of upcoming regulatory change with overlapping requirements and timescales. We know how vital it is to plan a strategy carefully in order to minimise the impact on customers and drive cost efficiencies. In this month’s Spotlight feature, we outline some key areas of upcoming regulatory change to provide clarity on the interplay of those areas with PSD2 and how the interaction with PSD2 may inform your comms strategy.

Payments Accounts Regulations (PARs)

What are the PARs?

The PARs introduce measures that payment service providers (PSPs) must comply with regarding comparability of fees, account switching and offering access to payment accounts with basic features.

When do the PARs come into force?

Most provisions come into force on 18 September 2016. Regulations 6 to 12 (which relate to comparability of fees) come into force six months after the FCA publishes the “linked services list” (which sets out the key services that are linked to a payment account and subject to a fee, with terms and definitions for each service). The FCA will publish that list within three months of the European Commission adopting regulatory technical standards which are currently being prepared by the European Banking Authority. The FCA currently anticipates that Regulations 6 to 12 will come into force in early 2018.

How do the PARs interact with PSD2?

Both sets of legislation will require changes to terms and conditions. Under the PARs, PSPs will need to change their contractual, commercial and marketing information to incorporate the new terminology. PSPs will also need to change their terms and conditions and associated collateral in a number of ways in order to comply with PSD2.

How does this inform your comms strategy?

Some products will fall into the scope of both the PARs and PSD2 (e.g. retail current accounts). The majority of provisions of PSD2 come into force in January 2018 so, depending on how the timescales for the PARs play out, institutions may wish to notify customers of changes to terms and conditions for those products to accommodate PSD2 and Regulations 6 to 12 of the PARs at the same time.

EBA guidelines on the security of internet payments (EBA Guidelines)

What are the EBA Guidelines?

The EBA Guidelines set out a framework for the security of internet payments. For example, they introduce the requirement to use strong customer authentication as a tool to manage security risks.

When do the EBA Guidelines come into force?

The EBA Guidelines were published by the EBA in December 2014. They have been applicable in the majority of Europe since 1 August 2015. In the UK, the FCA responded to the EBA Guidelines stating that, whilst it is fully supportive of the EBA Guidelines, it did not have the power to make PSPs comply with the EBA Guidelines without legislative change. Instead, the FCA stated that it remains of the view that it is reasonable to incorporate the detail of the EBA Guidelines (or equivalent guidelines issued under PSD2) into its supervisory framework in line with the timetable for PSD2.

How do the EBA Guidelines interact with PSD2?

The EBA Guidelines contain numerous requirements which overlap with the requirements in PSD2 (e.g. the introduction of strong customer authentication). The EBA Guidelines will ultimately be replaced by the EBA regulatory technical standards on strong customer authentication and secure communication, which the EBA is required to develop under Article 98 of PSD2. Those regulatory technical standards are currently in draft form and subject to a consultation. See this month's article on the SCA consultation.

How does this inform your comms strategy?

Institutions can focus on the requirements under PSD2 and the timescales associated with those requirements, as the EBA Guidelines will not be implemented in the UK in advance of the PSD2 timetable.

Regulation on interchange fees for card-based payment transactions ((EU) 2015/751) (the Interchange Fee Regulation)

What is the Interchange Fee Regulation?

The Interchange Fee Regulation caps interchange fees which are paid by merchant acquirers to card issuers.

When does the Interchange Fee Regulation come into force?

The Interchange Fee Regulation was published in the Official Journal of the EU on 19 May 2015. It entered into force on 8 June 2015, with the exception of Articles 3, 4, 6 and 12, which entered into force on 9 December 2015, and Articles 7, 8, 9 and 10, which entered into force on 9 June 2016.

How does the Interchange Fee Regulation interact with PSD2?

The main overlap relates to surcharging. The Interchange Fee Regulation does not change the existing position on surcharging but it has to be read alongside PSD2. PSD2 provides that Member States must ensure that merchants do not surcharge in relation to cards which are covered by the interchange fee caps. In cases where surcharging is permitted, the charges must not exceed the costs borne by the PSP. Member States also retain a discretion to prohibit or limit surcharging altogether.

PSD2 and interchange projects cannot be considered independently although the Interchange Fee Regulation does not alter the position on surcharging for the use of payment instruments (e.g. cards) on its own. PSPs are already prohibited from preventing surcharging or offering a reduction for the use of particular payment instruments so the key area for consideration will be, in Member States where surcharging is permitted, around the new requirement to ensure that surcharging does not take place for cards covered by the scope of the Interchange Fee Regulation.

General Data Protection Regulation ((EU) 2016/679) (GDPR)

What is GDPR?

GDPR reforms EU data protection law and will significantly impact how organisations collect and process personal information. For more information on privacy and data protection, see our GDPR: Regulation (EU) 2016/679 page.

When does GDPR come into force?

GDPR was published in the Official Journal of the EU on 27 April 2016. Brexit aside, the reality is that organisations will have to comply with GDPR by 25 May 2018.

How does GDPR interact with PSD2?

With institutions being required to share data with new types of regulated third parties under PSD2 (e.g. payment initiation service providers, account information service providers), institutions need to consider the impact of GDPR alongside the PSD2 provisions which require such data sharing. GDPR (and indeed the current DP regime under Directive 95/46/EC) governs data sharing, including by requiring fairness and lawfulness. Fairness is about ensuring affected individuals have notice about the ways in which their personal data is shared with others (even where that is required by law or regulation). Lawfulness is about ensuring one or more “conditions” apply to justify the sharing – such as compliance with laws and regulations. The principles of data adequacy/data proportionality are also key, meaning data should only be shared as strictly necessary for the relevant purpose (here, compliance with PSD2) and should never be shared on a “nice to have” basis.

How does this inform your comms strategy?

PSD2 will come into force before institutions have to comply with GDPR, but only by a few months. In light of this, institutions will need to consider compliance with GDPR as part of their PSD2 projects.

CMA Review

What is the CMA Review?

The CMA Review introduces a number of remedies to tackle competition concerns, including a requirement on certain institutions to develop an open API banking standard, to reduce barriers to current account switching and to provide alerts for customers relating to their overdraft usage.

What timescales apply to the CMA Review?

All of the proposed remedies are required to be in place by summer 2018, although certain remedies are due to be in place by Q1 2017 (including the first stage of the release of information under the API remedy and the development of comparison services for small businesses).

How does the CMA Review interact with PSD2?

There is a clear overlap relating to the development of an open API standard, as institutions will also be required to give access to certain regulated third party service providers (e.g. payment initiation service providers) under PSD2 through the use of APIs. Further, the obligation to disclose information under the CMA Review goes further than disclosing information to the new regulated providers, extending to passing information to other trusted intermediaries which customers consent for their information to be passed to.

How does this inform your comms strategy?

Institutions that need to put in place the open API banking standard under the CMA Review need to consider this alongside their obligations relating to third party service providers under PSD2. Careful consideration needs to be given at this stage to the draft regulatory technical standards under PSD2 relating to secure communication (see our article on the SCA consultation) and to the requirements under the CMA Review, so that any projects to change systems/IT dovetail with each other and so that cost efficiencies can be found where possible.