The FCA has revealed how it proposes to implement PSD2 changes to authorisation and reporting. In this article, we examine the FCA's approach and how it might change in light of the EBA's guidelines.
Ever since the second Payment Services Directive (PSD2) came into force on 12 January 2016, both national and European regulators have been grappling with the problem of how best to implement it before the 13 January 2018 deadline.
Recently, both the Financial Conduct Authority (FCA) and the European Banking Authority (EBA) have given greater clarity to how PSD2 will affect the reporting and authorisation requirements for Payment Services Providers (PSPs).
What is PSD2?
PSD2 follows from the initial Payment Services Directive (PSD1) which was designed to allow different types of payment institutions to develop and compete with banks to provide customers with payment services. PSD2 was introduced to update payment services regulation in line with advances in the industry and technology innovations. At the same time, it seeks to reduce the cost of payment services while increasing consumer protections and making payments more secure.
What have the FCA and EBA published?
On 13 July 2017, the FCA issued a consultation setting out its approach to implementing PSD2 changes to the authorisation of PSPs and their reporting requirements to comply PSD2. The consultation includes proposed authorisation and registration forms and, for firms already authorised under PSD1, re-authorisation and re-registration forms.
On 11 July 2017, the EBA similarly published its final guidelines on how member state regulators should implement PSD2 changes to the PSP authorisation. All member state regulators are required to comply with the EBA's guidelines within two months of the guidelines being translated into member state languages. The FCA will therefore need to update its own approach to bring it in line with the EBA's.
Who do these changes concern?
The EBA and FCA’s papers will predominantly concern existing PSPs and anyone interested in providing a payment service. This includes ‘Credit Institutions’ (CIs), such as banks and building societies, ‘Payment Institutions’ (PIs) which broadly offer customers services around payment transfers, money remittance and other merchant services as well as 'E-money Institutions’ (EMIs), which issue customers with electronic money.
What are the FCA’s proposed changes?
- Incident Reporting – Under PSD2, PSPs are required to notify the FCA if they become aware of major operational and security incidents. This is intended to bolster the UK’s cyber-resilience by alerting the FCA to potential threats to the UK’s financial system and enabling the FCA to take any necessary precautions. The FCA intends to amend the provisions in the SUP manual (Appendix 1) so that firms are required to notify the FCA of such threats using the FCA’s Connect System.
- Capital Returns – own funds – The PSD2 does not change the level of capital a firm must hold under PSD2. How capital is calculated has, however, been changed and is now governed by the Capital Requirement Regulations 2013 (the CRR). The CRR contains more deductions than under PSD1 and so some firms may be required to hold additional capital to meet their capital requirements. The FCA has updated the returns to be completed by PIs and EMIs to take these changes into account.
- Record keeping by CIs on account information and payment initiation services – The FCA is proposing to introduce a rule (in SYSC Appendix 1) that credit institutions keep records on the volume of the account information services and payment initiation services they provide. This forms part of the FCA’s initiative to gather data on these new regulated activities to better understand how competition is working in the market. It supports the reporting obligations on PIs and EMIs operating in this area which the FCA has previously consulted on.
Under a previous consultation, the FCA set out the various new requirements that new businesses to payment services will need to meet to become a PI or EMI. The FCA also requires, however, that existing firms are re-authorised or, in the case of small PIs and EMIs, re-registered. In the consultation the FCA produces new PSD2 compliant registration forms for firms seeking registration as small PIs and small EMIs (forms for firms seek full authorisation as PIs and EMIs are set to follow).
The consultation also contains draft re-authorisation and re-registration forms covering the additional requirements on PIs and EMIs brought in under PSD2. Existing PIs and EMIs have under the 13 April 2018 to submit these forms or otherwise cease providing payment services by 13 July 2018.
What do the EBA’s guidelines say?
The EBA’s guidelines give details on the information required by member state regulators to authorise PIs, EMIs as well as account information services providers. The guidelines are thorough and, together with the FCA authorisation forms, will be of interest to both existing and prospective PSPs. These guidelines follow a public consultation and, in light of popular feedback, include changes which the FCA will need to adopt. Broadly speaking, these changes include:
- Level of detail – Some respondents raised the concerns over the guidelines being too detailed so that, among other things, they deter new applicants and increase the regulatory burden on prospective businesses. The EBA has defended the detailed nature of its guidelines, in part to ensure that the same approach is taken by all member state regulators. The EBA has, however, sought to streamline some of the information requirements for PIs so that it is more proportionate to the lower level of risk associated with PI activities compared with CI activities.
- Disproportionality – in the earlier consultation, there was some concern over the fact that the level of information required for small PIs was disproportionate and could potentially deter applicants. The EBA has argued that proportionality is already largely achieved in PSD2 itself. However, the EBA has also accepted that while all applicants must comply with the PSD2 requirements, the level of detail required for applicants may vary depending on circumstances. The EBA has therefore modified its level one guidance so that the level of detail required should be proportionate and adjusted to the services that the applicant will be providing, "namely their nature, scope, complexity and riskiness, and to the institution's size and internal organisation.”
In light of the changes to the EBA guidelines, the FCA may need to further update its authorisation and registration forms. Applicants have until 18 August 2017 to respond to the FCA’s consultation, after which the FCA expects to have its final forms ready and available in September 2017. Applications for authorisation and re-authorisation (or registration) will open later in October this year.