The payment services regime was introduced under the UK Payment Services Regulations 2009 on 1 November 2009, which implemented PSD1. At that time, its main impact was on traditional products such as current accounts, credit cards, money remittance and merchant acquiring. Since then, the range of payment products and PSPs on the market has diversified, particularly in the areas of digital and mobile banking, e-money and mobile payments – and the application of payment services regulation has broadened accordingly.
To reflect the rapid expansion of the payments market, the regulatory regime was updated by PSD2, which was required to be implemented in all EU Member States by 13 January 2018. In addition to capturing the newly regulated payment services of account information services (AIS) and payment initiation services (PIS), together often referred to as third-party payment services provided by third-party providers (TPPs), PSD2 has widened the territorial scope of the payments conduct of business regime and introduced detailed security requirements and access rights for TPPs, which are likely to have a substantial impact on account providers. PSD2 was implemented in the UK by the PSRs. We discuss some of the main areas of change below.
i Overview
In the following paragraphs, we summarise some of the main obligations on PSPs.
Regulated payment services
The PSRs regulate the following activities:
- executing funds transfers, for example, transfers to or from a payment account (such as a current account or e-money account), or placing or withdrawing of cash on such accounts, or money remittance services involving transfers that are not from or to an account;
- issuing payment instruments (e.g., payment cards or potentially apps in mobile phones);
- acting as merchant acquirers or some other forms of payment processor (a definition of 'acquiring of payment transactions' was introduced for the first time in PSD2, which means that some payment processors who previously had unregulated relationships with merchants may now have regulated relationships, and have to seek authorisation accordingly); and
- acting as a TPP, by – in broad terms – providing access to account information (i.e., AIS) or initiating payments at a customer's request from their account held with a third party (i.e., PIS).
There are also a number of exemptions from those regulated payment services, perhaps most notably the following.
The commercial agent exemption is available for 'payment transactions between the payer and the payee through a commercial agent authorised in an agreement to negotiate or conclude the sale or purchase of goods or services on behalf of either the payer or the payee but not both the payer and the payee'. There has been much discussion over whether and when online marketplaces (and other payments providers) should be able to rely on this exemption, with the general sense being that it will now be harder to fall within scope of the exemption.
The limited network exemption most notably applies to:
services based on specific payment instruments that can be used only in a limited way and meet one of the following conditions . . . (ii) are issued by a professional issuer and allow the holder to acquire goods or services only within a limited network of service providers which have direct commercial agreements with the issuer; [or] (iii) may be used only to acquire a very limited range of goods or services.
This exemption lends itself to products such as certain fuel, restaurant or store cards – although some providers have sought to rely on it for broader networks of service providers, or wider ranges of goods and services, so requiring an exercise of judgement (and potentially engagement with local regulators) as to how far it is appropriate to do so.
Authorisation and passporting
Where a PSP provides a regulated payment service in the UK, and an exemption does not apply, the PSP needs to be suitably licensed by the FCA or another relevant authority including in another EEA country. Typically, the PSP will be licensed as a bank, EMI or payment institution, or registered as an AISP.
The PSRs set out the licensing regime for payment institutions and the registration regime for AISPs. Licensed payment institutions are required to maintain a certain level of regulatory capital, and to safeguard customer funds (although safeguarding is not applicable to PIs only providing PIS, as they do not handle customer funds). There are a number of options for how to safeguard, with the most common method being to put funds received from or for customers (or matched amounts) in a ring-fenced bank account. Although this is the most common way to safeguard, it does often raise a number of operational challenges, and some PSPs will accordingly look to alternative safeguarding options such as safeguarding insurance (although this can be expensive and hard to obtain).
AISPs (providing only AIS and not other regulated payment services) are not subject to the full licensing regime; rather they are subject to a lesser registration regime, the most notable feature of which is the need to hold professional indemnity insurance against the risks of conducting their activities. Similar insurance also needs to be held by payment institutions and EMIs who provide PIS.
Other key areas of focus under the licensing regime are: the robustness of a payment institution's systems and controls, particularly its IT systems; and the need for any functions outsourced by a payment institution – including intra-group outsourcings – to be appropriately overseen by the payment institution and to meet a number of other requirements (some of these requirements also apply to AISPs).
As well as payment institutions being permitted to provide regulated payment services, they can also provide credit in limited circumstances, for example, by issuing credit cards, but may need to obtain additional consumer credit permissions under the FSMA in order to do so.
A payment institution authorised in one EEA state (such as the UK) can use its licence in all other EEA states – the passporting regime. This means that, once authorised in one EEA jurisdiction, a payment institution does not need fresh licences to provide payment services in other EEA states, although it may need to comply with other local law requirements.
Finally, a small payment institution regime also exists but with restrictions on total monthly transaction amounts, and without the ability to passport.
Conduct of business requirements
As well as the licensing regime for payment institutions, the PSRs set out extensive conduct requirements for all PSPs when providing payment services – including banks and EMIs, as well as payment institutions and (to a lesser extent) AISPs. How those requirements apply depends on whether or not a transaction is executed in an EEA currency (such as the euro or sterling) and whether one or both of the payer's PSP and payee's PSP are operating from a location in the EEA.
PSPs have to provide pre-contract and transactional information to customers. In some cases, the information needs to be 'provided' in a 'durable medium', which raises a number of challenges as to how and when information is provided or stored.
The PSRs govern the time frames in which payments must be executed, after being initiated by a customer, in order to reduce the scope for PSPs to retain float (i.e., to keep hold of funds for their own purposes rather than putting them at the disposal of their customers).
For transfers in euros (and domestic transfers in the domestic currency, such as sterling transfers within the UK), the payer's PSP usually needs to ensure that cleared funds are received by the payee's PSP by the end of the business day after the transfer was initiated. For other transfers in EEA currencies within the EEA, up to four business days are usually permitted.
Once the payee's PSP receives cleared funds, it must immediately put them at the disposal of the payee (except for certain currency conversions involving non-EEA currencies).
Departures from those rules apply most notably for internal transfers (where the same PSP is acting for both payer and payee), which need to be executed immediately; and for card payments, where there is usually a basis for delaying putting funds at the disposal of the payee (i.e., of the merchant taking payment).
The PSRs also have detailed provisions as to the rights and liabilities of customers and PSPs; in particular, PSPs need to re-credit unauthorised transactions to customers' accounts (with limited scope for making customers liable for them), and are also ordinarily liable for misexecution of transactions, for example if they are sent to the wrong payee or not sent at all. These requirements bring important protections to customers, whose rights were – prior to introduction of PSD1 – less well defined in these areas, with delayed refunds of unauthorised transactions having been a particular concern of regulators.
The PSRs also set out detailed and rigorous requirements on payments security and access for TPPs (which we discuss below), and constraints on certain charges and charging practices. Of particular note was the introduction of a new general prohibition on surcharging by payees (typically merchants) when they are paid by consumers, with non-consumer payments being limited to cost.
The conduct of business requirements in the PSRs apply to payment services provided not only to consumers but also to business customers, although non-consumers (other than micro-enterprises and charities) can be asked to opt out of many of the conduct requirements.
ii Third-party payment services
Two new third-party payment services were introduced by PSD2, namely PIS and AIS, each of which involves a PSP that does not handle funds providing customers with services in relation to payment accounts offered by third-party PSPs, where those payment accounts are accessible online.
A PIS is an 'online service to initiate a payment order at the request of the payment service user with respect to a payment account held at another [PSP]'. It is anticipated as a 'software bridge between the website of the merchant and the online banking platform of the payer's account servicing [PSP] in order to initiate internet payments on the basis of a credit transfer', and in practice is likely to include services that allow customers to pay online merchants directly from their bank accounts rather than using credit or debit cards. Such payments might typically be routed through domestic payment systems (such as the faster payment service in the UK) and may offer merchants the benefits of payments clearing to their accounts more quickly, more cheaply and with less risk of being reversed back to the customer, by comparison to card scheme payments such as Visa or MasterCard. However, it remains to be seen whether such payment methods are as advantageous to customers.
An AIS is:
an online service to provide consolidated information on one or more payment accounts held by the payment service user with another payment service provider or with more than one payment service provider, and includes such a service whether information is provided (a) in its original form or after processing; (b) only to the payment service user or to the payment service user and to another person in accordance with the payment service user's instructions.
They are likely to include account aggregation services, such as Money Dashboard, which offer customers a single place in which to view information for a number of different payment accounts offered by multiple PSPs.
TPPs are entitled to have (at their customers' request) mandatory access to payment accounts or payment account data, on non-discriminatory terms, to enable delivery of their payment initiation and account information services. The European Commission adopted a Delegated Regulation in November 2017 setting regulatory technical standards, based on regulatory technical standards drafted by the EBA with some amendments (discussed further below), covering the basis on which the account providers and TPPs will securely communicate with each other in order to facilitate delivery of those third-party services, and which will come into effect after a transitional period likely to end in the second quarter of 2019.
The new provisions are intended to encourage introduction of new, competing services. The example of how PIS may benefit merchants has been given above; in the case of AIS (potentially offered in conjunction with PIS), there is an opportunity for TPPs to obtain transactional data, provide customers with added value services and potentially cross-sell them other products.
iii Security
The other major impact of PSD2 has been to introduce detailed and rigorous security requirements, by comparison to PSD1. The new regime includes:
- a requirement for PSPs to establish a framework of appropriate mitigation measures and control mechanisms to manage the operational and security risks relating to the payment services they provide, and to submit a comprehensive assessment of such operational and security risks to their regulators on an annual basis;
- obligations around notification of any major operational or security incident to regulators and, if the incident could have an impact on the financial interests of customers, obligations to also notify customers without undue delay of the incident and of all measures that they can take to mitigate the adverse effects of the incident; and
- a requirement for customers to undergo strong customer authentication when, for example, accessing their payment accounts or initiating electronic payment transactions. Strong customer authentication requires payers to authenticate themselves to their PSPs using 'two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others'. Failure to apply strong customer authentication can affect a PSP's liability for unauthorised transactions.
The European Commission's Delegated Regulation referred to above also sets regulatory technical standards on the application of strong customer authentication. Banks and other PSPs will have to put in place the necessary infrastructure for strong customer authentication at the end of a transitional period, likely to end in the second quarter of 2019. The regulatory technical standards allow for exemptions from strong customer authentication in recognition of the fact there may be alternative authentication mechanisms that are equally safe and secure.
iv Passporting after Brexit
Following the Brexit vote on 23 June 2016, one of the major questions facing the payments industry is whether, and if so how, passporting rights will operate once Brexit is implemented. This will depend on what outcome is negotiated for Brexit: in particular, if the UK stays in the single market (or possibly negotiates a similar arrangement, such as equivalence or mutual recognition of financial services licences), then a UK payment institution or AISP (or indeed bank or EMI) authorisation may continue to serve in other EEA countries and vice versa. At the time of writing, however, it is difficult to assess whether such an outcome is likely or not, with some of the latest announcements indicating that the United Kingdom may seek to stay in the single market for a transitional period after Brexit takes effect and have some form of equivalence thereafter, but we must emphasise that the outcome is uncertain as it will depend on political negotiations that are yet to take place.