The UK Financial Conduct Authority (FCA) has released Consultation Paper CP 18/25 (the Paper, available here) which provides guidance on the Regulatory Technical Standards on Strong Customer Authentication and Common and Secure Communication (RTS) issued under the second Payment Services Directive (PSD2).
The Paper focuses on the two key sets of rules under the RTS:
1. On strong customer authentication (SCA) and
2. On secure and open means of communication (generally referred to as "open banking" or "TPPs getting access to payment accounts").
Each is considered below in more detail.
1. What is SCA and what does the Paper say about it?
Under PSD2, SCA requires payment service providers (PSPs) to authenticate customers by using at least two 'factors'. These factors are knowledge (e.g. a password), inherence (something inherent to the customer, e.g. a fingerprint) and/or possession (e.g. possession of a token generator). The RTS further specify the requirements of SCA and the scenarios under which certain transactions can be exempted from SCA.
The Paper consults on a new chapter 20 concerning SCA to be added to the FCA's Payment Services and E-Money Approach Document (Approach Document). This new chapter generally follows the RTS and the Opinion on the implementation of the RTS issued by the European Banking Authority (EBA) last June and includes the following clarifications (amongst others):
- Not all card-based payments qualify as "payments initiated by the payer", which are subject to the SCA requirement. "… card-based continuous payments … (sometimes referred to as merchant-initiated transaction) … are initiated by the payee (eg the merchant) …" and are therefore not subject to the SCA requirements (except a unique SCA at the time of setting up this continuous payment). A recurring card payment to, for example, a utility provider (same amount every month) or a telco (different amount every month, based on consumption) is therefore not subject to the SCA requirements (except a unique SCA at the time of set-up).
- In line with the EBA Opinion, the FCA indicates that the two factors of the SCA process need to be from separate categories (knowledge/possession/inherence). Note that this is not actually required by the definition of SCA contained in the PSD2, and therefore this interpretation is debatable.
- All PSPs are encouraged to adopt the real-time fraud analysis approach described in Article 18 of the RTS, whereas legally only PSPs making use of the transaction risk analysis (TRA) set out in Article 18 of the RTS are required to perform such real-time fraud analysis.
- Mail Order and Telephone Order (MOTO) transactions are not subject to the SCA requirement; however, the FCA encourages PSPs to apply it to them on a voluntary basis.
- Information printed on a card (i.e. PAN, CVV, expiry date) does not constitute a strong factor ("although may be evidence of the possession of the card, alongside use of an entirely separate factor").
- In the scenario when an amount was pre-authorised (i.e. blocked) on a card (e.g. upon checking-in to a hotel), in the event that the final amount is higher than the pre-authorised amount (e.g. due to mini-bar consumption), the PSPs must re-apply SCA for the final amount (unless an exemption is available).
- It clarifies the scope and conditions of certain exemptions to SCA, e.g.
  - the payment account information exemption (and the associated 90-day limit during which the customer can access its account balance and transactions pertaining to the last 90 days, without SCA): the SCA requirements for accessing a payment account online and for initiating a payment are separate, and therefore an SCA performed in relation to the former action cannot be "recycled" in order to comply with the SCA requirement in relation to the latter action.
  - the contactless payments at point of sale exemption, and in particular the alternative between cumulative monetary amount or cumulative number of consecutive transactions without SCA: the FCA indicates that "it may be preferable" to choose one or the other "to use in all cases", rather than alternating from one to the other, perhaps in real-time based on velocity checks.
  - the secure corporate payments exemption: no requirement to inform the FCA in advance of using this exemption, which seems to depart from the wording of Article 17 of the RTS ("… where the competent authorities are satisfied…").
2. What does the Paper say about secure and open means of communication?
One of the key changes under PSD2 is the opening up of payment accounts, typically maintained by banks, to AISPs and PISPs (known collectively as Third Party Providers (TPPs)). The RTS require so-called Account Servicing Payment Service Providers (ASPSPs), essentially banks, to provide TPPs with access to a technical method allowing them to communicate with the ASPSP, either to obtain details of the payment account and/or to initiate a payment from that account. Access must be provided in line with the RTS by 14 September 2019.
As with SCA, the Paper incorporates into the Approach Document most of the requirements from the RTS and guidance from the EBA Opinion. The Paper details requirements relating to the use of qualified certificates, the daily access restrictions applying to AISPs, and other technical requirements.
It confirms the ability of Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs) to rely upon the SCA of the relevant bank, and that an SCA based on the so-called "redirection" model does not create an obstacle per se, and is therefore not illegal per se.
The FCA follows the view expressed in the EBA Opinion that a PISP is entitled to a "yes" or "no" in terms of whether sufficient funds are available, which is not expressly provided for in PSD2 (only card-based payment instrument issuers (CBPIIs) or "decoupled card issuers" are entitled to this information pursuant to PSD2).
One of the more substantial points that the Paper considers is the exemption from the contingency mechanism or "fallback". The contingency mechanism requires ASPSPs offering a "dedicated interface" (typically referred to as an API) to provide a backup interface to their infrastructure for use by AISPs and PISPs in case the dedicated interface fails. ASPSPs are exempt from this requirement if they can meet certain criteria, and the Paper sets out how the FCA plans to assess applications to rely upon this exemption. The FCA expects to receive applications by no later than 14 June 2019.
3. Other issues addressed in the Paper
PSPs are required to provide the FCA with certain statistics relating to fraud. Following final guidelines on fraud reporting issued by the EBA in July 2018, the Paper proposes to amend the prescribed form which PSPs must submit. The FCA also proposes to require that, for most PSPs, this form is submitted every six months rather than annually (as currently required).