We explain the background to the new Payment Services Regulations and consider how businesses can prepare for implementation.

This article was first published by Lexis PSL on 15 August 2017. 

Original news

PSDII transposition bans card charges from January 2018, LNB News 19/07/2017 42

The government has announced that the transposition of the recast Payment Services Directive (PSDII) will outlaw additional card charges on transactions. Dubbed ‘surcharging’, many businesses including airlines and takeaway apps charge customers to make payments by card. The government said that while many industries absorb the cost and do not pass it on to customers, the rules will bring an end to surcharging entirely.

The Payment Services Regulations 2017, SI 2017/752 (PSRs) are the statutory tool used by HM Treasury and Parliament to transpose and implement the majority of the provisions of PSDII into UK law. The other provisions of PSDII (including in respect of authorising and supervising payment service providers in the UK) are to be effected by the Financial Conduct Authority (FCA). In drafting the PSRs, HM Treasury has utilised the copy-out approach where possible while retaining certain of the Member State derogations that were exercised in the UK as part of the implementation of the original Payment Services Directive 2007/64/EC.

The original Payment Services Directive (brought into force in the UK under the Payment Services Regulations 2009, SI 2009/209) was fairly forward-looking at the time, but many felt it acted as a blunt instrument when its provisions were applied to some of the more modern payment services that have been made available in the market since it came into effect – particularly in relation to online and mobile payments. As such, PSDII was proposed as a means of bringing the original Payment Services Directive up to date with market developments and, where possible, to look to effectively capture future developments in the payment industry.

The high level aims of PSDII are:

  • bring regulation up to date with developments in the market for payment services
  • increase innovation and improve market access for payment service providers
  • drive down the cost of services
  • make payments safer and more secure
  • improve consumer protection.

PSDII was approved by the European Parliament and Council in late 2015 and came into force on 13 January 2016. Market participants affected by the provisions will be required to comply with the majority of the requirements from 13 January 2018 and, to coincide with that deadline, the PSRs were laid before Parliament on 19 July 2017.

What are the most significant differences between the new Regulations and the Payment Services Regulations 2009?

In broad terms the key differences between the Payment Services Regulations 2009 and the PSRs are around:

  • the scope of the regulations
  • consumer protection
  • security.

On scope, the PSRs introduce two new regulated payment services, being payment initiation services and account information services. These are effectively ancillary service providers that do not control an individual’s payment account (which is held with a separate payment services provider). The inclusion of this type of payment services has been heralded as a ‘game changer’ as there are already a number of entities looking to make use of the new powers. To explain, ancillary service providers will be able to initiate a payment order at the request of a payment service user. This allows entities with whom an individual may interact (say a social network provider or a mobile payments provider) to be able to facilitate payments between users on the user’s instruction.

Meanwhile, account information service providers will be able to obtain data from a user’s account held with another provider (typically a bank) in order to provide financial insights (see Cleo, Yolt and MoneyHub) or even bespoke financial education (as Nudgg are hoping to do).

On consumer protection, the PSRs will increase consumers’ rights by:

  • covering one-legged payments where the sender or receiver is located outside the European Economic Area (EEA) and, additionally, where payments are made with non-EEA currencies
  • capping surcharging for a user’s use of a payment instrument covered by the Interchange Fee Regulation (EU) 2015/751 for both cross-border (at 0.2% of the transaction value for debit card transactions) and domestic (at 0.2% of the annual weighted average transaction value) card-based payments, and
  • a requirement for payment service providers to put in place dispute resolution mechanisms which require the provider to respond to payment complaints within 15 business days of receipt.

On security, the PSRs will require payment institutions who are applying for authorisation as such to provide identify, classify and carry out a risk assessment of its functions, processes and assets, as well as include ‘strong customer authentication’, a higher standard than under the original Payment Services Directive.

Do the criminal offences differ from those contained in the Payment Services Regulations 2009?

The criminal offences in the PSRs are broadly in line with the offences contained in the Payment Services Regulations 2009.

What actions should firms caught by the new Regulations carry out ahead of commencement?

The PSRs will, by design, affect the entire payment services industry and apply to both authorised firms and a range of other businesses providing related services. If they have not already done so, businesses which provide payment services should engage with PSRs as well as related FCA and HM Treasury papers to better understand how their businesses will be affected. Firms may in particular need to consider their:

  • authorisation requirements
  • reporting requirements, and
  • ongoing compliance procedures

The PSRs introduce additional authorisation requirements for payment services providers, such as payment institutions and e-money institutions. To ensure compliance under the PSRs, such firms will need to apply for re-authorisation from the FCA. Additionally, the PSRs limit the extent of existing exclusions so that certain businesses (such as platforms) may now require FCA authorisation. In particular, firms must now be authorised before they can provide account information services (AIS) and payment initiation services (PIS).

Additional reporting requirements are being introduced under the PSRs to facilitate regulator supervision. Firms should be reviewing their existing reporting processes and ensure that they are updated to include additional requirements around complaints, fraud and operational/security incidents reporting (among others). The FCA has recently released a consultation on changes to firm reporting which firms should read for a more detailed understanding of these changes.

The PSRs introduce many procedural changes to firms’ business practices. Firms will need to review and update their compliance practices to make sure that, for example, they comply with PSR requirements on complaints handling, changes to capital requirements or additional regulations governing security of electronic payments. The FCA is in the process of updating its rules around conduct of business and dispute resolution with which firms will need to ensure continued compliance.

What advice should lawyers be giving their clients?

The PSRs will have a pervasive effect across the payment services industry. Clients which provide payment or related services should be advised to engage with the PSRs and to ignore them at their peril. Primarily, lawyers should advise such clients to review their internal processes and ensure they are up to date with PSR requirements. Authorised firms should be reminded to apply for re-authorisation before 13 April 2018 while other businesses (such as AIS or PIS providers) will need to apply for authorisation. The key, as ever, will be for firms and affected businesses to be proactive and ready for these changes.

Interviewed by Alex Heshmaty