The second Payment Services Directive (PSD2), which took effect earlier this year, provides new rights to account information service providers (AISPs) and payment initiation service providers (PISPs) to access payment accounts and payment account information held by banks and other account servicing payment service providers (ASPSPs) where customers consent to such access.
The detailed requirements on that access are contained in regulatory technical standards on ‘strong customer authentication and common and secure open standards of communication’. The standards were written into EU law in March, but the majority of the provisions will not apply until 14 September 2019. In June, the EBA issued an opinion and additional guidance on aspects of the standards in an effort to further clarify firms' responsibilities.
According to the new standards, ASPSPs must either enable third party access to the data through the same interfaces they use for interacting with customers, or alternatively develop a new 'dedicated interface' for that purpose.
A range of safeguards are outlined in the standards to ensure that the access rights of AISPs and PISPs are respected, including that ASPSPs provide a fallback option to ensure AISPs and PISPs can exercise their access rights where the main interface they use is down or underperforming. However, ASPSPs do not have to provide a fallback if they benefit from an exemption.
The FCA has now proposed draft new rules on the 'contingency mechanism exemption' which could apply to the more than 1,000 ASPSPs that currently operate in the UK. The proposals, alongside a raft of other measures relevant to firms' compliance with UK payment services laws, are open to consultation until 12 October.
"We propose to require ASPSPs to submit an exemption request form with specific information in order for us to make an assessment," the FCA said. "Subject to the outcome of this consultation, the process will be available from January 2019."
"Those seeking to be exempt by 14 September 2019 should consider how long they might need to develop a contingency mechanism in the event that an exemption request is rejected. We would expect to receive exemption requests by 14 June 2019. This would allow enough time for us to assess a request. We aim to take no more than one calendar month to assess an exemption request. Should a request be unsuccessful, the ASPSP would then have two months to develop a contingency mechanism. We encourage firms to contact us well before submitting the exemption request in order to minimise the chances of it being unsuccessful," it said.
The FCA said firms with multiple dedicated interfaces, such as those with a different interface for each brand within a group, should submit an exemption request for each individual dedicated interface.
The regulator said it plans to review applicant ASPSPs' interfaces against 'open banking' standards on testing when assessing their eligibility for an exemption.
ASPSPs will generally not be considered for an exemption unless they have "provided operational dedicated interfaces that have been used by [third party providers] with customers for three months". It means ASPSPs will have to have made "technical specifications and testing facilities available" to those businesses by "no later than 14 March 2019", it said.
"If it is not practically possible to do so fully in advance of September 2019, ASPSPs should be able to show that they have taken steps to encourage the use of the interface and publicised the availability of the testing facilities for a minimum of three months before seeking the exemption," the FCA said.