New requirements for secure communication among payment service providers
The European Banking Authority’s Regulatory Technical Standards (RTS) on common and secure communication (CSC) and strong customer authentication (SCA) were published in the Official Journal on 13 March 2018.
Regarding CSC, this means that:
- Account Servicing Payment Service Providers (ASPSPs) that operate payment accounts that are accessible online must have in place at least one access interface that meets the requirements in the RTS by 14 September 2019.
- These ASPSPs must also make the interface technical specifications available to appropriately authorised or registered TPPs and provide a testing facility for connection and functional testing for TPPs six months before the market launch of the interface – that is, by 14 March 2019.
- The interface must allow the TPP to identify itself towards the ASPSP, so the existing practice of TPP access without identification (sometimes referred to as ‘screen scraping’) will no longer be allowed in relation to online payment accounts from 14 September 2019.
New requirements for strong customer authentication among PSPs
The RTS on SCA referred to above means that from 14 September 2019 onwards, PSPs will be required to apply SCA when initiating or executing (acquiring in the context of card payments) electronic payment transactions within the EEA (subject to any applicable exemption).
The EBA has stated that the RTS on SCA apply only on a best-effort basis for cross-border transactions with one leg out of the EEA.
5th Anti-Money Laundering Directive: extending anti-money laundering legislation to cryptocurrency exchanges and custodian wallet providers
Bringing virtual currency exchange platforms and custodian wallet providers under the scope of the 4th Anti-Money Laundering Directive as “obliged entities” means they will be subject to the same obligations as other firms (such as banks and payment institutions) to implement preventive measures relating to customer due diligence, including “know-your-customer” procedures, and report suspicious activity to domestic financial intelligence units.
Member States are required to bring into force the laws, regulations and administrative provisions necessary to comply with the 5th Anti-Money Laundering Directive by 10 January 2020; however, it is possible that UK regulators will choose to implement the reforms sooner than that.
New transparency requirements for PSPs
From 31 October 2018, PSPs (including banks, electronic money issuers, UK authorised payment institutions, and UK small payment institutions, as well as EEA-authorised payment institutions operating in the UK on a cross-border services basis, or through a local branch) will be required to comply with key transparency requirements under the Payment Accounts Regulations 2015 where they offer a ‘payment account’ (as defined in the regulations). They will be required to:
- use the terms on the final UK list of most representative services linked to a payment account and subject to a fee; and
- provide consumers with a pre-contractual fee information document and an annual statement of fees.
In Focus: Brexit
Is any new EU legislation expected to come into force and effect before the end of the transition period?
Certain of the RTS on SCA will come into effect before the end of the proposed transition period. Given their importance, it is likely that the UK government will seek to incorporate the standards into UK domestic law.
In addition to the EU’s anti-money laundering measures (such as the 4th and 5th Anti-Money Laundering Directives), there are four key pieces of existing EU payments legislation that would need to be incorporated more fully into UK domestic legislation if the UK leaves the EU on 29 March 2019 without a transition period in place:
- the Second Payment Services Directive (PSD2);
- the Second E-money Directive;
- the Cross-border Payments Regulations; and
- the Interchange Fee Regulations.
It is currently proposed that this ‘on-shoring’ of EU legislation will be achieved through the publication of statutory instruments under the European Union (Withdrawal) Act 2018.
In the event of a transition period post-Brexit, it is expected that these SIs would be “paused” by a further Bill (the “Withdrawal Agreement and Implementation Bill”).
Is a new regulator needed, or do additional powers need to be given to an existing regulator?
The UK government plans to delegate powers to the Bank of England, the Prudential Regulation Authority, the Financial Conduct Authority and the Payment Systems Regulator to make the required changes to on-shored Binding Technical Standards and regulatory rulebooks to ensure that there is a complete and robust legal framework for financial regulation in the UK in the event of a failure to agree a transition period.
The UK government and FCA propose to consult upon a temporary permissions regime that would allow incoming EEA APIs and EMIs to continue providing services in the UK for a time-limited period after the UK has left the EU, even if there is no implementation period.
Firms wishing to continue carrying out business in the UK in the longer term will also be able to use this period to obtain full authorisation (or recognition) from UK regulators without disruption to their business.
The FCA has stated that it will set out separate details in due course for EU entities that currently access or do business in the UK through means other than an EU passport.
Is there an existing “equivalence” or “recognition” regime for recognising Third Country regulatory regimes?
The UK is currently part of the geographical scope of the SEPA schemes due to its EU membership.
If the UK remains in the EEA post-Brexit or the UK implements requirements equivalent to the criteria for participation in the SEPA schemes, UK PSPs are likely to be able to continue their participation in the schemes post-Brexit.
In the latter scenario, it is likely that the European Payments Council would need to assess and confirm any functional equivalence of the UK’s legal framework with EU law and consult with the Commission in order to make any final determination in respect of the UK’s SEPA membership.
If the UK’s SEPA membership is preserved after the transition period, this will mean that UK PSPs can continue to interact with counterparts in other SEPA countries on current terms.
Does current UK government policy mean that (subject to the terms of a future trade agreement between the UK and the EU) material changes to regulation or enforcement are likely post-Brexit?
Within the payments sector, it is expected that the UK will largely follow the EU regulatory regime.
What should businesses be doing now to prepare for Brexit?
If your firm is a retailer, you should determine:
- the location of your headquarters and your payment processing centre;
- the location of your consumers – are they mainly inside the UK or mainly outside the UK?; and
- the location of your acquirer.
The answers to these questions will determine the impact of Brexit and may bring into question the location of your headquarters and your payment processing arrangements.
Any PSP that relies on passporting rights to passport its services from the EU27 into the UK will need to consider whether any of its activities are regulated for the purposes of the Financial Services and Markets Act 2000, whether it will need to be authorised by the FCA in order to continue to provide those services post-Brexit, and whether it may need to set up a branch or a subsidiary in the UK in order to apply for the necessary FCA permission.
Dates for the Diary
| Date | Event |
|---|---|
| 12 July 2018 | Deadline for FCA to have approved the additional information provided by UK authorised payment institutions, e-money institutions or small e-money institutions under PSD2 in order to continue providing payment services on or after 13 July 2018. |
| 13 August 2018 | Deadline for responding to the European Banking Authority’s consultation paper on the conditions to be met under Art 33(6) of the RTS on SCA and CSC. |
| 13 October 2018 | The latest date for small payment institutions to make their application to the FCA and provide any relevant new information requested in order to continue providing payment services on or after 13 January 2019. |
| 31 October 2018 | PSPs required to comply with key transparency requirements under the Payment Accounts Regulations 2015 where they offer a ‘payment account’ (as defined therein). |
| 14 March 2019 | Deadline for all ASPSPs that operate payment accounts that are accessible online to make the interface technical specifications available to appropriately authorised or registered TPPs and provide a testing facility for connection and functional testing for TPPs. |
| 14 September 2019 | Deadline for all ASPSPs that operate payment accounts that are accessible online to have in place at least one access interface that meets the requirements in the PSD2 RTS. |
| 14 September 2019 | Deadline for all PSPs to have implemented PSD2’s SCA in full, including the exemptions available under the EBA RTS. |