The EU's second Payment Services Directive (PSD2), which took effect earlier this year, gives account information service providers (AISPs) and payment initiation service providers (PISPs) rights to access payment accounts, such as current accounts, together with statement details and other account information held by banks and other account servicing payment service providers (ASPSPs), where the customer has consented to that access.
PSD2 is implemented in the UK by the Payment Services Regulations (PSRs) 2017, although the detailed requirements around third party access are contained in regulatory technical standards on ‘strong customer authentication and common and secure open standards of communication’, or SCA-RTS, which were drawn up by the European Banking Authority (EBA).
In a new paper setting out the approach it will take to regulating under the PSRs and the Electronic Money Regulations, the Financial Conduct Authority (FCA) clarified that the rights AISPs and PISPs have under the PSD2 regime cannot be made conditional on a contract. However, it said that contracts between ASPSPs and AISPs or PISPs can be put in place to provide additional rights to either party or to apportion liability between them.
"An ASPSP is prohibited from requiring a PISP or an AISP to enter into a contract with it before complying with its obligations under regulations 69 and 70 of the PSRs 2017 and under the SCA-RTS," the FCA said (276-page / 3.15MB PDF). "In our view, this means that access should not depend on the AISP or PISP agreeing to any specific arrangements with the ASPSP (e.g. payment or liability arrangements). Similarly, ASPSPs requiring or suggesting to AISPs or PISPs that a contractual arrangement is required would not be permitted."
"In our view, this does not, however, prohibit the parties from putting contractual arrangements, or arrangements to address liability between them, in place if they both wish to do so (provided this is not a pre-condition of access set by the ASPSP)," the FCA said.
"For example, AISPs and/or PISPs may wish to enter into contractual arrangements with an ASPSP for access: on more favourable terms than required under the PSRs 2017 and the SCA-RTS (e.g. entering into a contract to allow a greater frequency of access to the payment account than prescribed in the SCA-RTS); or to data or functionality which are not covered by the scope of the PSRs 2017 (e.g. access to information on non-payment accounts)," it said.
The FCA has also set out, in detail, how ASPSPs should treat the payment orders received from PISPs, and the kind of information which ASPSPs are required to provide to AISPs.
"To give some examples, we would expect the following sorts of information to be made available via an AISP: information relating to the account, including the name(s) of the account holder(s) and the account number; combined with transaction data, which should be provided to the same level of granularity and cover the same time periods as is available to the customer when they access their account directly," the FCA said.
"In our view this does not, however, extend to analysis of any transaction data which an ASPSP provides or makes available to its customers, such as an additional paid for service," it said.
Under the PSD2 regime, ASPSPs must either enable third party access to the data they hold through the customer's normal online banking interface, or develop a new 'dedicated interface' (an API) for that purpose.
A range of safeguards are set out in the SCA-RTS to ensure that the access rights of AISPs and PISPs are respected, including a requirement that ASPSPs provide a fallback option so that AISPs and PISPs can still exercise their access rights when the interface they normally use is down or underperforming. However, ASPSPs that offer a dedicated interface do not have to provide a fallback if their competent authority has granted them an exemption from that requirement.
In its approach document, the FCA outlined its scheme for assessing ASPSP applications for exemption.
The latest paper is the third version of the FCA's approach document, which was previously updated in July 2017 and September 2018. As well as concerning chapter 17 on payment initiation and account information services, the newest updates principally concern chapter 20 on authentication requirements.
The FCA offered guidance on the two-factor (strong customer authentication) requirements that providers of payment services must comply with to verify the identity of the payment service user and to secure payments.
The factors must be drawn from two of three categories: something known only to the user (knowledge), something held only by the user (possession) or something inherent to the user (inherence). In addition, the elements must be independent of one another, so that the compromise of one does not compromise the reliability of the others. The FCA's approach document provides guidance on the degree of separation that qualifies as 'independence', and recommends the use of 'dynamic' validation features such as single-use passcode generators.
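To make the 'single-use passcode generator' concrete, here is an added example (not code from the FCA, Out-Law or any ASPSP) of the most common form of it: a time-based one-time password (RFC 6238 TOTP, built on RFC 4226 HOTP) as a possession factor, with a server-side verifier that tolerates a little clock skew but never accepts the same code twice. The secret is the ASCII test seed published in those RFCs, used only so the output can be checked against the known test vectors; in a real deployment the seed is generated randomly per device and stored separately from any knowledge factor, which is the independence the FCA guidance is about.

```python
import hashlib
import hmac
import struct

# Constructed seed: the ASCII test secret from RFC 4226 / RFC 6238. A real
# deployment generates a random seed per device; this one is here only so the
# codes below match the RFCs' published test vectors.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer and reduction to `digits` digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the Unix time divided by the step."""
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Server side of the check. Accepts a code from a small window of time
    steps (clock skew), and treats every accepted counter as consumed so a
    captured code cannot be replayed within the window."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self._last_counter = None  # highest counter already used, or None

    def verify(self, code: str, at_time: float) -> bool:
        if len(code) != self.digits or not code.isdigit():
            return False
        now = int(at_time) // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = now + delta
            # Single use: any counter at or below one already accepted is dead,
            # even if the code would otherwise still fall inside the window.
            if self._last_counter is not None and candidate <= self._last_counter:
                continue
            expected = hotp(self.secret, candidate, self.digits).encode("ascii")
            # Constant-time comparison so timing does not leak matching digits.
            if hmac.compare_digest(expected, code.encode("ascii")):
                self._last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # Two of the RFC 6238 test vectors: time 59 -> 287082 (6 digits),
    # time 1111111109 -> 07081804 (8 digits).
    print(totp(SECRET, 59), totp(SECRET, 1111111109, digits=8))
```

One caveat a practitioner should keep in view: a code like this proves possession of the seed, but for remote electronic payments the SCA-RTS additionally require 'dynamic linking', meaning the authentication code must be bound to the specific amount and payee. A plain TOTP does not carry that binding; the payee and amount have to be fed into the code generation (or the code displayed to the user alongside them) for the payment flow to qualify.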
The guidance also serves as a reminder that payment for products on merchant websites, whether using a portable device or PC, falls within the scope of payment services and so is subject to two-factor authentication obligations.
Rory Copeland of Pinsent Masons, the law firm behind Out-Law.com, said many online merchants will have to implement additional security features to accord with the FCA's new guidance. He said this would "further tilt the balance in favour of emerging open banking providers".
There are exemptions from the two-factor authentication requirement, however. These include contactless card payments at the point of sale, within the per-transaction and cumulative limits set by the SCA-RTS.
Payment service providers (PSPs) must comply with the FCA guidance by 14 September 2019, which is the date on which the majority of the SCA-RTS take effect.
Banking and payments law expert Tony Anderson said: "After little interest in and understanding of open banking from the general public to date, it is hoped that the FCA's approach will increase participation by payment service providers, merchants and consumers. There are substantial opportunities to be utilised by these participants."