The UK's Financial Conduct Authority (FCA) has set out its planned approach to regulating the market for payment services under the new Payment Services Directive (PSD2).
PSD2 was finalised by EU law makers in late 2015 and came into force in early 2016. The Directive needs to be implemented into national laws across the EU by 13 January 2018.
Earlier this year the UK Treasury opened a consultation on draft legislation designed to implement PSD2 in the UK. The consultation on the draft new Payment Services Regulations (PSRs 2017) closed on 16 March, but final regulations have still to be published.
The FCA has, however, published its plans (219-page / 3.04MB PDF) for overseeing the new UK regulations under PSD2, as well as UK e-money regulation, including planned changes to its Handbook. Its proposals are open to consultation (277-page / 2.75MB PDF) until 8 June. The FCA said it expects to issue its finalised plans in the autumn.
Payments law and technology expert Angus McFadyen of Pinsent Masons, the law firm behind Out-Law.com, said: "The FCA has a track record of consulting openly and taking on board views around this approach document. The onus is now on the industry to clarify issues around the intricacies of UK business models."
One of the issues that the FCA has addressed in its draft approach document concerns steps payment service providers (PSPs), payment initiation service providers (PISPs) and account information service providers (AISPs) will have to take to address security issues during the period that the new PSD2 laws are in effect but new regulatory technical standards on strong customer authentication and secure communication, developed by the European Banking Authority (EBA), are not yet fully in force.
Within PSD2 initially due to come into force nationally on 13 January next year, a transitional period will apply (estimated at around 12 months after January) before some of the new regulatory technical standards on strong customer authentication and secure communication begin to apply.
The FCA said, though, that, even during the transitional period, AISPs and PISPs are "required to transmit personalised security credentials through safe and efficient channels".
"In this regard, we expect CBPIIs (card-based payment instrument issuers), AISPs and PISPs to ensure, for example, that they have taken all reasonable measures to guard against the risk of the personalised security credentials being extracted from their systems or caught in transit in a usable form and that systems are in place so that personalised security credentials cannot be accessed by employees," the FCA said.
PSD2 has been framed in a way that allows PISPs and AISPs to obtain access to payment accounts so as to provider account holders with services that they consent to. The legislation therefore addresses the interactions between account servicing PSPs (ASPSPs) and PISPs and AISPs and sets out various obligations each of those types of businesses must meet.
There are some circumstances in which ASPSPs can prevent AISPs or PISPs from accessing customer accounts. In its draft approach paper, the FCA said, though, that firms will need to notify it "of their denial of access and the grounds for denial" and that it would "assess these reports and take such measures as we consider to be appropriate".
Under the final regulatory technical standards on strong customer authentication and secure communication, PSPs will be obliged to put in place at least one communication interface through which PISPs and AISPs are able to access payment account information in line with their rights under PSD2. PSPs can facilitate the third party access through the same interfaces they use for engaging with customers, or through a separate "dedicated interface".
The FCA's draft approach paper said that, prior to the new standards coming into force, ASPSPs are "not required to provide another alternative means of access to those payment accounts", but "must not block or obstruct the use of AIS and PIS for the accounts they are servicing".
The FCA said: "ASPSPs are free to provide multiple interfaces for access, provided at least one of these complies with the PSRs 2017 (including the SCA-RTS when it becomes applicable)."
The regulator also said that firms in the payments market "may find it helpful" to take account of the open banking standards being developed by industry, under an order of the UK's Competition and Markets Authority (CMA), when reviewing how to provide for access rights under PSD2.
Contact an adviser
