On 19 September 2017, the Financial Conduct Authority published two documents setting out its plans for the implementation of PSD2 by 13 January 2018.
The documents consisted of:
- Policy Statement 17/19, outlining the changes to the FCA Handbook to reflect Payment Services Directive 2 (PSD2) (the Policy Statement); and
- Payment Services and Electronic Money – Our Approach, offering finalised guidance on the FCA's Role under the Payment Services Regulations 2017 (PSRs) and the Electronic Money Regulations 2011 (the Approach Document).
What is PSD2?
PSD2 is an EU Directive (transposed into UK legislation in the PSRs), which sets out various requirements on firms who provide payment services. This includes banks, building societies, e-money and payments institutions, and will also cover account information service providers (AISPs) and payment initiation service providers (PISPs).
As well as promoting increased consumer protection and increasing safety and security, PSD2 aims to open up competition in the payments sector, with a view to driving down costs for consumers. The Policy Statement summarises the responses to the FCA's recent consultation papers CP17/11 and CP17/22. The Approach Document is designed to be a practical guide for firms to refer to when navigating PSD2 and the PSRs.
What do these documents say?
One area where the Policy Statement and Approach Document offer some much needed clarity is the treatment of AISPs. The FCA makes it clear that, whilst more than one business can be "involved in obtaining, processing and using payment account information to provide an online service to the customer", the only business that will require authorisation or registration as an AISP is that which is providing consolidated account information to the end payment services user.
This means those businesses who do not have a relationship with an end customer (like data suppliers acting as middlemen between banks and companies providing account information services) will not need to apply to register as an AISP.
Those firms seeking authorisation as an AISP/PISP will need to have appropriate professional indemnity insurance in place from 13 October 2017.
The FCA also gives some clarity on the relationship between AISPs/PISPs and banks and building societies operating as Account Servicing Payment Service Providers (ASPSPs). Banks and building societies had raised concerns about detriment to customers as a result of AISPs/PISPs accessing their accounts, including fraud and data being used without customer consent.
The FCA makes it clear AISPs should be able to access all information the ASPSP makes available to the customer about the payment account. Banks and building societies should treat a payment order the same whether it is initiated by a PISP, or by the customer. However, the FCA has changed its guidance to recognise data, like a customer's address, is likely to be more appropriately provided by the customer than the bank/building society.
Banks/building societies will not be allowed to stop or discourage customers from using an AISP or PISP, although they can provide factual information to their customers, explaining how AISP and PISPs work. Importantly, banks/building societies will be required to justify to the FCA why they have refused to engage with a PISP or AISP.
The FCA does appreciate AISPs/PISPs are now being brought under the regulatory umbrella meaning its guidance may need to be revisited once the "market has developed".
What do I need to do?
Firms looking to become AISPs or PISPs will need to become registered or authorised for the first time. The FCA is accepting applications from 13 October 2017. However, firms providing account information services or payment initiation services before January 2016 will be able to operate without authorisation or registration until 18 months following the adoption of the EBA’s regulatory technical standards on strong customer authentication and common and secure communication (which is likely to be mid-2019).
Some existing payment institutions and e-money institutions will need to be re-registered or re-authorised. The FCA has written to firms to let them know they need to apply for re-authorisation.
It is important that all firms review the Handbook changes in detail to assess where changes will need to be made in advance of 13 January 2018.