On 19 December 2018, the Financial Conduct Authority (FCA) published Consultation Paper 18/44 which proposed to make Regulatory Technical Standards for Strong Customer Authentication and common and secure open standards of communication, for the purposes of contingency planning in the event of a no-deal Brexit (Consultation Paper). The FCA also published Policy Statement 18/24 setting out its final approach on these Regulatory Technical Standards under the second Payment Services Directive (PSD2) (Policy Statement).
The EU Regulatory Technical Standards for strong customer authentication and common and secure open standards of communication (SCA-RTS), developed by the European Banking Authority under PSD2, came into force on 14 March 2018 and will apply from 14 September 2019. The FCA consulted on new rules and guidance to implement these standards in September 2018.
The SCA-RTS are designed to ensure security and safety of electronic payments, while at the same time enhancing competition and innovation in the payments sector. They establish strict anti-fraud measures and require payment service providers to follow a specific process when verifying a customer’s identity in the case of electronic payments, known as Strong Customer Authentication (SCA). At the same time, the SCA-RTS set out a way that Account Servicing Payment Service Providers (ASPSPs), who are typically banks, can communicate with Third-Party Payment Service Providers (TPPs) in order to ensure that the latter can securely access customers’ accounts with the customer’s consent.
The Policy Statement
In its Policy Statement the FCA provided clarification on a number of requirements under PSD2 and the SCA-RTS which will need to be satisfied by Payment Service Providers (PSPs). These are summarised below:
- ASPSPs providing online payment accounts will need to ensure by 14 March 2019 that they have access interfaces and testing facilities in place to allow TPPs to access accounts and test their software and applications.
- ASPSPs who are building dedicated interfaces for TPP access may be exempted from putting in place a ‘contingency mechanism’ from 14 September 2019, should the interface meet certain tests. The FCA will be receiving the relevant exemption requests from January 2019. The FCA ‘strongly’ encourages firms to be proactive and submit their requests before 14 June 2019, warning that submissions past this date may result in failure to comply with their obligations by September 2019. DLA Piper can assist with such submissions.
- From 14 September 2019 PSPs must ensure compliance with SCA requirements. PSPs wishing to benefit from the ‘corporate payment’ exemption under SCA-RTS must provide the FCA with information from an operational and security risk assessment submitted at least three months before the date that they intend the exemption to apply.
- From 1 January 2019 PSPs are required to record fraud statistics under the fraud reporting guidelines produced by the EBA. The FCA is providing a 6-month transitional period in this regard.
The FCA also announced its intention to publish rules on reporting complaints about authorised push payment fraud, which are part of the FCA and Payment Systems Regulator’s work to tackle scams where customers unknowingly authorise payments to fraudsters.
The Consultation Paper
The FCA hopes that its Consultation Paper will address some of the uncertainties regarding the application of the SCA-RTS, given the UK’s planned exit from the EU on 29 March 2019. Certain provisions of the SCA-RTS will be applicable from 14 March 2019, while other provisions will only become effective on 14 September 2019. This timing risks creating a gap in the UK regulatory framework in the event of a ‘no-deal’ Brexit. To avoid disruption and uncertainty for firms that have made considerable investments to prepare for the approaching deadlines and to protect consumers, the FCA is proposing to make Regulatory Technical Standards (UK RTS) substantially similar to the SCA-RTS, with minor changes to ensure that they operate effectively within the UK framework.
Through its Consultation Paper, the FCA has indicated that the UK RTS will cover all relevant issues, including clarification on the requirements for SCA and the permitted exemptions; the rules to ensure confidentiality and integrity of personalised security credentials of payment service users; and the requirements for common and secure open standards of communication. This means that PSPs still need to put systems and processes in place as required under the SCA-RTS, according to their current planning.
The consultation will remain open until 19 February 2019. The FCA is planning to publish its final rules in the form of a policy statement in April 2019.