Payments

i Overview

Payments were first subject to UK regulation in 2009 when the original Payment Services Regulations were introduced, which implemented the first European Payment Services Directive (PSD1).31 After 2009, the use of digital and mobile banking, as well as other innovative payment services, significantly increased. This rendered PSD1 somewhat out of date and inadequate for the constantly evolving payments industry. As discussed above, this led to the regime being subsequently replaced in 2018 by PSD2 and the PSRs, which were designed to accommodate changes in technology and consumer behaviour.

Conduct of business requirements

Both PSD1 and PSD2 contain detailed conduct of business requirements for PSPs. For example:

  1. PSPs must give specific pre-contract information before either entering into a framework contract for multiple payments (such as a current account agreement) or executing a single payment;32
  2. PSPs must also give or make available transaction information – for example, in the form of monthly statements;
  3. payments must arrive with the payee within a specific time. This is usually by the end of the business day after the payer instructs the payment but can be longer if the payment is outside the EEA or in a non-sterling currency.33 There are also value-dating requirements that apply to the payee's PSP once they receive the funds from the payer's PSP;34
  4. there are detailed provisions surrounding liability for unauthorised transactions and those incorrectly executed by the PSP;35 and
  5. changes to, or termination of, a framework contract for payment services are subject to minimum time frames.36

Although the PSRs apply to all payers and payees, corporate customers can 'opt-out' of certain provisions.37 In addition, the scope of the regime has been amended in the light of Brexit, with payments outside the UK being treated differently from those that are wholly within the UK, although some payments in euros within the UK and EEA will still be subject to many of the requirements.

PSD2 changes

PSD2 introduced two new payment services: payment initiation services (i.e., initiating payments from a customer's online account)38 and account information services (providing aggregated information across a range of online accounts).39 These are collectively referred to as 'third-party payment services' offered by 'third-party providers' (TPPs).

Under PSD2, TPPs are entitled to access online payment accounts to provide payment services. This is commonly done through an application programming interface (API) through which the payment account provider gives automatic access to the TPP provided it has the customer's consent, although other methods of access are also permitted. This new requirement led to most payment account providers undertaking complex and expensive IT projects in the months before PSD2 came into force to build APIs and give TPPs the required access.

PSD2 also introduced new security requirements for payments. Enhanced requirements apply when the customer:

  1. accesses their payment account online;
  2. initiates an electronic payment transaction; or
  3. carries out an action through a remote channel, which could lead to a risk of payment fraud or 'other abuses'.40

In these scenarios, PSPs must apply 'strong customer authentication' (SCA). This requires a two-factor process, where the customer must authenticate themselves using two or more of the following factors:

  1. knowledge (something the customer knows);
  2. possession (something the customer possesses); or
  3. inherence (something the customer is).

These must be independent factors so that a breach of one does not compromise the other. A failure to implement SCA means that the relevant PSP could be liable for unauthorised transactions occurring as a result. The Regulatory Technical Standards (RTS), which lay down detailed requirements for SCA, contain a number of exemptions.41 For example, the 'transactional risk exemption' allows PSPs to forgo SCA where the payment can be shown to pose a low level of risk.42 Similarly, the 'trusted beneficiary' exemption allows PSPs to not apply SCA where the payee is included in a list of trusted payees who have been previously paid with SCA applied.43

Again, the requirement to implement SCA was complex and costly for both PSPs and merchants, with new technical infrastructure being required and customer journeys being rewritten. It also means that many previously 'speedy' payment journeys are now more arduous and time-consuming for customers. This has led to many PSPs and merchants placing increased reliance on the RTS exemptions to make the customer journey as smooth as possible.

ii Recent developments

PSR: final decision on remedies in card-acquiring services market review

In October, the PSR published a policy statement44 containing its final decision on remedies arising from its card-acquiring market review, with three specific directions to put the remedies into effect. The specific directions are given to the 14 most significant providers of card-acquiring services to the merchants that the regulator is looking to protect. The three directions are:

  1. Specific Direction 14, requiring providers of card-acquiring services to provide information to merchants;
  2. Specific Direction 15, requiring providers of card-acquiring services to provide prompts to merchants; and
  3. Specific Direction 16, limiting the length of POS terminal contracts.

All remedies will apply to the directed providers, their associated companies and any independent sales organisations with which they have a contract to provide services to merchants. The PSR will keep the companies directed under review and may extend the mandate by directing Mastercard and Visa to mandate all acquirers that are members of their schemes to adopt the remedies, if necessary.

The remedies addressing price transparency (summary boxes and online quotation tools) and the indefinite nature of some contracts (trigger messages) will apply to the directed providers in respect of their merchant customers with card turnovers of up to £50 million.

The remedy addressing POS terminals and POS terminal contracts will apply to the directed providers in respect of their merchant customers with card turnovers of up to £10 million, reflecting the findings in its final report.

The 14 directed providers must implement the remedy relating to POS terminal contracts from January 2023 and the two remaining remedies from July 2023. In addition, the independent sales organisations of the directed providers must be compliant with the requirements set out in the relevant directions. The PSR will monitor compliance with the directions and the impact of the remedies to decide whether any further action is required.

PSR: terms of reference for card fees market review

As part of its 2021 card-acquiring services market review, the PSR analysed the fees that acquirers pay to card payment systems and found that both scheme and processing fees paid by acquirers to Mastercard and Visa had increased significantly between 2014 and 2018. A substantial proportion of these increases were not explained by changes in the volume, value or mix of transactions. As a result, the PSR decided to launch two market reviews into card schemes – one on scheme and processing fees, and one on UK–EEA consumer cross-border interchange fees. Following consultations on the draft terms of reference in June, the PSR published the final terms of reference for the reviews in October 2022.45

The final terms of reference confirm that the review into scheme and processing fees will focus on Mastercard and Visa schemes, and will be based on data collection for the period 2017 to 2022. The cross-border review will focus on understanding the rationale behind the increases in interchange fees for Mastercard and Visa's consumer UK–EEA card transactions since Brexit, and the impact on UK businesses and consumers.

The PSR plans to publish a report setting out interim conclusions on card scheme fees in Q4 2023 and a final report (including remedies) in Q2 2024, and interim conclusions on cross-border interchange fees by Q3 2023 and a final report in Q4 2023.

HMT: regulation of stablecoins

In April 2022, HMT published its response46 to its 2021 'UK regulatory approach to cryptoassets and stablecoins: Consultation and call for evidence'47 on the regulatory approach to cryptoassets and stablecoins, and the use of distributed ledger technology. The response explains that regulation of stablecoins is a priority because of the potential for them to be used for mainstream payments (unlike certain other cryptoassets, which are often used for investment purposes). HMT, therefore, intends to deal with this as part of its 'Phase 1' of legislative change.

Although draft legislation has not yet been published, HMT makes clear that stablecoins will be regulated using the existing e-money and payments framework in the UK, with certain amendments and a possible new definition of the term 'payment cryptoasset'. This will be designed to catch stablecoins that stabilise their value by reference to fiat currencies but not those pegged to investments or other financial instruments. HMT also proposes to introduce a new regulated custodial activity to allow appropriate supervision of third-party wallet providers and exchanges, and ensure that the customer-facing entity is liable to end users.

Shortly after the consultation response was published, the first draft of the UK Financial Services and Markets Bill was published and introduced to Parliament. This brings 'digital settlement assets' (which is a broader category than stablecoins) into the UK regulatory perimeter and gives HMT the power to establish an FCA authorisation and supervision regime. Although there is no firm timeline for introducing new legislation, it appears to be high on HMT's list of priorities and, given that HMT now has the power to legislate, there is expected to be some movement in this area during 2023.

HMT: consultation on the PARs

As part of a package of reforms announced by the UK Chancellor on 9 December 2022, HMT is consulting on the customer information requirements in the PARs.

In particular, the government queries whether many of the information requirements (including the related format and content requirements) set out in Part 2 and Schedules 1 and 2 of the PARs (aimed at improving the comparability of fees connected with payment accounts) are all either less necessary in a UK context or too prescriptive. For example, Part 2 of the PARs requires payment service providers to provide customers with a fee information document, statement of fees and a glossary of terms used in the FCA's linked services list.

The consultation, therefore, asks for input on the positive and negative impacts of these requirements. By way of example, the consultation notes that the format requirements in the PARs may limit the flexibility that firms have to provide information in a way that would be more helpful for customers. The consultation also queries whether customers in the UK need the information provided under the PARs because, compared with EU countries, UK current accounts generally have fewer fees and charges in relation to normal account usage.

The consultation will remain open for 10 weeks and will close at 11pm on 17 February 2023.