Arguably the most revolutionary aspect of PSD2 was the introduction of account information and payment initiation services. The regulation of these ‘third party providers’ (TPPs) along with the mandated access requirements applicable to ‘account servicing payment service providers’ (ASPSPs) operating payment accounts which are “accessible online”, has the potential to open up the banking information and online payment space. With this in mind, and with over 4 months having elapsed since the UK’s implementation of PSD2, we reflect on the current industry landscape and pick out some key developments and themes.
The FCA announced that, as of 1 March 2018, it had received applications from 59 firms for the two new regulated activities (account information and payment initiation services). At the time of publication there are 25 FCA registered or authorised providers: 20 registered account information service providers and 5 authorised for both payment services.
You can view the FCA register of TPPs here.
Information and consent
One of the key themes highlighted by industry and the regulator is around consumer understanding, choice and control over how their data is used. The FCA has stressed in its Approach Document the need to provide the payment service user with sufficient information as to the nature of the service to allow the user to understand what they are consenting to.
We have supported a number of clients through the authorisation and registration process and it would certainly appear that the focus on information and consent has been carried through to the application assessment stage: the FCA has been keen to understand the customer journey in detail and how applicants (particularly account information service providers) propose to comply with the explicit consent requirement.
Communication and access standards
The EBA’s Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) and Secure Open Standards of Communication were published in final form in the Official Journal on 13 March 2018. While much of the focus and negotiation has been on exemptions from SCA, the RTS also specify the standards for TPP access and the deadlines for compliance. Amongst other things, this means that:
- ASPSPs that operate payment accounts that are accessible online must have in place at least one access interface that meets the requirements in the RTS by 14 September 2019.
- These ASPSPs must also make the interface technical specifications available to appropriately authorised or registered TPPs and provide a testing facility for connection and functional testing for TPPs 6 months before the market launch of the interface, i.e. by 14 March 2019.
- The interface must allow the TPP to identify itself to the ASPSP, so the existing practice of TPP access without identification (sometimes referred to as ‘screen scraping’ or ‘direct access’) will no longer be allowed in relation to online payment accounts from 14 September 2019.
Certain conduct rules in PSD2 around access, identification of the TPP and secure communication apply only once the RTS come into effect. As highlighted above, for example, screen scraping without the TPP identifying itself to the ASPSP is still technically permitted until 14 September 2019.
In order to help smooth the transition and to increase consumer protection around screen scraping, UK Finance, the Financial Data and Technology Association (FDATA), the Electronic Money Association and techUK have jointly published voluntary guidelines and encouraged market behaviours under PSD2, which they urge all industry players to adopt and integrate into their own practices. In particular, the guidance encourages firms to make use, as far as possible, of Open Banking APIs (see below) or PSD2-compliant APIs that an ASPSP has exposed to the market. The FCA has flagged the fact that using an API reduces the potential harm from cyber-attacks because there is no need for the TPP to use or retain users’ credentials.
The ‘Open Banking API’ was established as a solution to fulfil one of the remedies mandated by the Competition and Markets Authority (CMA), which obliged 9 of the biggest banks and building societies (the “CMA9”) to release personal and business account data sets.
The scope of the CMA’s retail banking order is narrower than the access requirements under PSD2, but it is envisaged that the Open Banking API will serve as a means of providing a standardised PSD2-compliant access interface. To this end, we note the proposed extension of the CMA9 specification for Open Banking APIs from personal and business accounts, to all the payment accounts covered by PSD2, i.e. credit cards, e-money wallets and some types of online savings accounts, as well as voluntary participation by other non-CMA9 ASPSPs. It is interesting to note that the Open Banking roll-out has “successfully proven the account data access functionality of the Open Banking system” but that “it has not been possible to test the Payments functionality to the same degree”. This is reflected in the list of TPPs registered by the FCA, which so far are overwhelmingly account information service providers.