The European Union’s second Payment Services Directive (PSD2) came into force on 13 January 2016 and Member States have until 13 January 2018 to transpose it into national law. In February of this year, the UK Government published the consultation paper ‘Implementation of the revised EU Payment Services Directive II’ to invite views on its approach towards implementing the Directive (the Consultation). Feedback from the Consultation was published on 19 July 2017 (the Response).
PSD2 will be implemented in the UK by way of the Payment Services Regulations 2017 (the Regulations). Draft Regulations were published as part of the Consultation, with the final form legislation being published alongside the Response and laid before the UK Parliament on 19 July 2017.
Some of the main points to be taken from the Response:
a. The scope of the FCA’s powers
Some respondents to the Consultation raised concerns that the Financial Conduct Authority (the FCA), which is the competent authority responsible for authorising and supervising payment service providers under the payment services regime, does not have broad enough powers to sufficiently regulate specific areas of PSD2. The UK Government has concluded that there is some merit in extending the FCA’s rule-making powers to enable it to:
i. combat poor practice among firms regulated under both PSD2 and the E-money Directive,
ii. protect consumers, and
iii. ensure that all firms providing payment services are held to the same standard.
In particular, the case for extending the FCA’s existing powers to make conduct rules for firms regulated under the Financial Services and Markets Act 2000 has been examined in relation to PSD2 and the E-Money Directive.
Several hundred respondents raised concerns about the transparency of overseas transfer fees and requested that firms display the amount of money that they make from the exchange rate. On the basis that PSD2 requires firms to be transparent about (i) any fees for overseas money transfers, and (ii) the exchange rate that businesses and consumers are provided with, the UK Government has confirmed that it does not intend to make further provision for this in the Regulations. It notes, however, that PSD2 specifically prohibits non-transparent pricing methods and that it expects firms to bear this in mind when disclosing information to customers.
c. Monthly statements
PSD2 includes an option for Member States to require that payment services providers provide information on their transactions to payees and payers at least once a month, free of charge and on paper or another durable medium. While the UK Government intends to mandate that all customers are provided with a monthly statement on a durable medium, payment service providers will be entitled to provide customers with a choice as to whether they wish to receive such a statement in respect of framework contracts.
d. Access to third party providers
As explained in our earlier article (PSD2: The Basics), Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs) have been brought within the scope of the payment services regime for the first time. To facilitate a customer’s ability to use AISPs and PISPs for all online payment accounts, PSD2 requires that banks (and other payment institutions that operate and manage a customer’s bank account) provide PISPs and AISPs with access to a customer’s online payment account so as to provide them with the same functionality (in respect of PISPs) or account information (in respect of AISPs) as would be available to the customer. The Response clarifies that only ‘equivalent’ access is required. As such, a PISP will only be entitled to initiate a payment (and therefore have an equivalent right of access) where the relevant customer is also entitled to initiate a payment from their online account.
e. The transition period
Although the Regulations will come into force on 13 January 2018, certain provisions will not become effective until the European Banking Authority’s regulatory technical standards on Strong Customer Authentication and Common and Secure Communication (EBA RTS) come into force (anticipated to be on or around October 2018). In relation to this transition period, the Response clarifies that:
i. all registered or authorised PISPs or AISPs must be provided with access to a customer’s account from 13 January 2018, unless there is an objective reason not to do so (such as fraud). Prior to the coming into force of the EBA RTS, PISPs and AISPs can access a customer’s account by using the customer’s login details or via secure application programming interfaces.
ii. firms operating as PISPs and AISPs before 12 January 2016 can continue to perform the same activities without being registered or authorised after 13 January 2018, until such time as the EBA RTS come into force. A PISP or AISP cannot, however, access a customer’s online account unless it is registered or authorised under the regime.
iii. all new PISPs or AISPs, or those established after 12 January 2016, will need to be registered or authorised under the regime from 13 January 2018.
iv. the UK Government is live to concerns that professional indemnity insurance, which is a requirement for authorisation under the regime, may not currently be available to all PISPs or AISPs. HM Treasury and the FCA are working with market participants and the insurance industry to address this issue.
f. The General Data Protection Regulation (GDPR)
i. The UK Government recognises that there is a need to provide clarity on the interplay between PSD2 and the GDPR, which applies from May 2018. It is working with the FCA and the Information Commissioner’s Office to ensure that a pragmatic approach is taken in this regard.
ii. Respondents to the Consultation highlighted the need for further clarity as to what constitutes ‘sensitive payment data’. This is defined in PSD2 as “data which can be used to carry out fraud”, and all applications for authorisation must contain a description of the firm’s internal processes for filing, monitoring, tracking and restricting such data. While the Response notes that it is ultimately a question for the relevant account servicing payment service provider (ASPSP) to consider whether data is of such a nature that it could be used to carry out fraud, it confirms that further detail will be provided in the FCA’s draft approach document, which will be finalised in due course.