The planned new payment services regulations (113-page / 2.20MB PDF) account for measures set out in the revised Payment Services Directive (PSD2), which was finalised by EU law makers in late 2015. PSD2 must be implemented into national laws across the EU by 13 January 2018. The UK will implement the Directive despite moving forward with plans to exit the EU.
In a consultation paper (49-page / 417KB PDF) on its plans, the Treasury said it intends to "finalise and lay the final implementing legislation in Parliament in early 2017 to provide industry with as much time as possible to adjust to any changes required". The Treasury consultation is open until 16 March.
Reflecting the requirements of PSD2, the new UK regulations will set out rules for banks and other payment service providers (PSPs) as well as, for the first time, payment initiation service providers (PISPs) and account information service providers (AISPs) – such as businesses that allow customers to access information from their payment accounts in one place – which have emerged into the payments market in recent years as technology has advanced.
Under PSD2, PSPs must give PISPs access to their customers' accounts so as to facilitate transactions ordered at the customers' request. However, in return, PISPs must observe a number of data security obligations and take on certain liabilities in relation to any unauthorised transactions they are responsible for.
PSD2 also requires PSPs to open up access to the accounts they manage on behalf of a customer where an AISP has obtained the "explicit consent" of that customer for such access. Like PISPs, AISPs also face data security obligations.
In addition to rules on customer authentication, facilitating third party access to accounts and account information, data security and liability, PSPs must also abide by a range of requirements relating to transparency over account services and charges, major operational or security incident reporting and complaint handling, amongst other things.
In its consultation paper, the Treasury referred to the fact that the PSD2 rules on access to accounts through AISPs and PISPs sit alongside the UK's open banking initiative, which has been ordered by the Competition and Markets Authority (CMA). The Treasury paper explained that the PSD2 reforms differ from the measures that banks must implement under the CMA's order.
"Users will have the right to use AISPs and PISPs in relation to all online payment accounts [under PSD2], the Treasury said. "Online is taken to mean any account which is accessible by the user on the internet through any device, including a computer, a mobile phone, or an application on a mobile phone. The following types of accounts likely to fall within the definition: personal current accounts; business current accounts; credit card accounts; flexible savings accounts; e-money accounts."
"This definition goes broader than the CMA remedy, which applies only to personal and business current accounts. However, as the CMA note, there is likely to be value in including all payment accounts within the development of the open banking API standard," it said.