The open banking requirements under the Payment Services Directive (EU) 2015/2366 (“PSD2”) are now in force, under which an account servicing payment service provider (“ASPSP”) must grant an authorised third party service provider (“TPP”) access to certain payment accounts on the basis of the relevant customer consent. PSD2 also sets out the strong customer authentication (“SCA”) requirements for electronic payments which, albeit much wider in scope, have an important bearing within the open banking framework.
This article aims to summarise the current status of these requirements and update our previous articles, focusing on operational issues with the regulators’ registers for both TPP identification and liability allocation between an ASPSP and a TPP.
The open banking and SCA requirements technically went live on 14 September 2019. However, given their significant impact on the payment industry, the Financial Conduct Authority (“FCA”) has set certain transitional arrangements in place. In summary, these are:
(i) an “adjustment period” ending on 14 March 2020 during which non-compliance with the requirements relating to the TPP access interface will not be subject to enforcement; and
(ii) a transition period ending on 14 March 2021 during which non-compliance with the SCA requirements for online e-commerce payments will not be subject to enforcement.
There are certain conditions that firms must meet before they may take advantage of such transitional arrangements.
As regards the TPP access interface requirements, while it is generally understood that the quality of ASPSPs’ API interface is not yet ideal throughout the EU, it is not clear which other EU member states (if any) have transitional arrangements equivalent to the UK’s adjustment period. With respect to the SCA transition period, most other EU member states have elected to follow the no-enforcement period of 15 months (ending on 31 December 2020) proposed by the European Banking Authority (“EBA”).
This means that there could be issues with cross-border access requests and/or payments between the UK and another EU member state. For example, a TPP in another member state that has no transition period for the access interface (and which would therefore already hold its eIDAS certificate for identification purposes, as required by PSD2) may request access to an account at a UK ASPSP. The UK ASPSP (within the adjustment period) may not be able to accept that eIDAS certificate. Accordingly, that TPP may have to follow the bespoke identification procedures put in place by the UK ASPSP.
In the context of online cross-border payments, a UK TPP may have to implement different SCA procedures after 31 December 2020, as UK ASPSPs will still be within the 18-month transition period whereas ASPSPs in other member states may have run out of their 15-month period.
The continuing uncertainty on Brexit may add further complexity in such cross-border scenarios.
We have previously discussed some of the difficulties that ASPSPs may face in verifying the identity of a TPP including issues with using the relevant national and EBA registers for such verification purposes. For further information, please see the previous article.
In addition to those issues already discussed, another situation warrants further consideration. This is where a TPP’s authorisation has been suspended by its home regulator. Contrasted with the situation where a TPP’s authorisation is cancelled, this is much more complex.
As previously discussed, when a TPP’s authorisation is cancelled, there may be a delay between the cancellation and the regulator updating its register and communicating that information to the relevant qualified trust service provider (“QTSP”) to cancel the TPP’s eIDAS certificate. The delay could affect an ASPSP’s ability to verify the TPP’s authorisation status correctly, although that delay should generally be short (as one would expect a regulator normally to act with diligence).
However, where a TPP’s authorisation is merely suspended (wholly or partially) in the sense that it is not allowed to engage in the regulated activities subject to the suspension but it remains an authorised firm, the issue could become more challenging. In the UK, such suspension is by way of the FCA imposing restrictions on the firm and such restrictions are buried rather deep in the FCA register.
Say a UK TPP’s authorisation is suspended (e.g. it is restricted from providing a particular service such as account information service or it is restricted from engaging in any payment services). The headline search result of the FCA register would still show the firm as authorised. One has to go through at least three steps before one can confirm whether the firm is subject to any restrictions and what those restrictions are.
Further, the EBA central register of all the payment/e-money firms in the EU does not appear to show any information on such suspension. Thus, the UK TPP that has been suspended by the FCA would still be shown on the EBA register as a fully authorised TPP with no restrictions attached.
It is clear that the national registers should take precedence in cases of discrepancies, because the EBA register is based on information provided by national regulators and the EBA disclaimer also states that information on the central register has “no legal significance”. Even so, it does not seem ideal that discrepancies of this nature should be allowed. They could create much confusion and call into question the objective of having an EBA central register.
Liability and Dispute
We have also previously discussed some of the issues surrounding liability allocation between an ASPSP and a TPP under the PSD2 open banking framework. These issues arise primarily from the absence of any detailed dispute resolution mechanism under PSD2 as between ASPSPs and TPPs. There are overarching principles, such as that an ASPSP may pursue a TPP where the TPP is at fault (or vice versa), but there are no operational details under PSD2 as regards how that should be conducted.
Please see the previous article for more information.
In addition to those issues previously discussed, another scenario may also raise difficulties for ASPSPs and TPPs with respect to dispute resolution. This is where, for example, Firm A (be it the ASPSP or TPP) had its authorisation cancelled and a customer now challenges Firm B (be it the TPP or the ASPSP), alleging that it dealt with Firm A for a historic transaction when Firm A’s authorisation had already been cancelled. Firm B then needs to prove the historic authorisation status of Firm A prior to the cancellation.
In the UK, the FCA register contains information on all currently and previously authorised firms. Where a firm is no longer authorised, it will be shown as such on the FCA register including the date of the firm ceasing to be authorised.
However, that may not be the case in other EU member states. If a national register does not include such historic information, Firm B in the above example may have difficulty proving that Firm A was indeed authorised at the time of the challenged transaction. While Firm B may reach out to the relevant regulator for information, it would depend on each regulator as regards (i) whether the regulator would respond and (ii) how long it would take for the regulator to respond. It would seem burdensome if either firm had to keep a record of the other’s information on the relevant register (e.g. a screenshot) each time they interact with each other.
Similar considerations should be given to situations where a firm (ASPSP or TPP) is declared insolvent or otherwise wound up and the other side (TPP or ASPSP) may be unable to obtain any remedy with respect to liabilities prior to such events.
While these may be risks of a general nature rather than issues specifically arising from the open banking regime, they are exacerbated in the open banking context. The PSD2 open banking regime seems to regard regulatory authorisation as the only relevant risk between the two sides. However, other risks such as those discussed here do not disappear simply because one is an authorised entity. These risks are typically dealt with via contract in a bilateral commercial relationship. But that contractual tool is prohibited under PSD2 (at least, with respect to the account information service and the payment initiation service) and at the same time there is no detailed statutory mechanism to cover the gap.
While some of the issues with respect to the open banking and SCA requirements are rather complex and would take effort from all participants in the industry, including the regulators, to be appropriately addressed, they are not insurmountable. It is hoped that appropriate solutions will be ironed out during the transitional periods. It is also worth noting that both the FCA and the EBA have stated that there would be no further delay/transition for these requirements.