The start of 2018 saw the culmination of significant regulatory changes to the UK's payment services ecosystem. Five months on, we reflect on the new payment services and the developments we have seen in this space, looking at emerging business models for Open Banking (how many firms are developing new payment services) and the transition to strong customer authentication and secure communications.
Background and recap
The second Payment Services Directive (PSD2) took effect on 13 January 2018 and the Competition and Markets Authority (CMA)'s project known as "Open Banking" led the nine largest current account providers (the CMA9) in the UK to open up their data to third party providers (known as TPPs) from 13 January 2018 via a set of secure application programming interfaces (APIs).
The changes aimed to encourage innovation and competition in the payment services space, with the anticipation that: (i) FinTechs would, as TPPs, launch new financial services products linking directly into banks' infrastructure; and (ii) banks would expand their existing service offering to compete. The two new business models contemplated by PSD2 and enabled by Open Banking are:
- Account information service providers (AISPs) – firms who provide consolidated account information to customers (e.g. apps allowing the user to view balances and spending across their online payment accounts all in one place); and
- Payment initiation service providers (PISPs) – firms who offer an online service which accesses a user's online payment account to initiate the transfer of funds on their behalf with the user's consent and authentication (e.g. alternatives to paying using a credit card or debit card).
Where are we now?
How many firms are providing AIS / PIS services?
Since 13 October 2017, the FCA has received applications from 59 firms for the two new regulated activities. On 13 January 2018, the FCA authorised/registered 13 firms to provide the new regulated activities (2 live-market and 11 new to market). Of these, 10 were registered AISPs. Since January, the FCA has authorised/registered at least 19 additional firms for the new regulated activities.
What are they doing?
The FCA reported that the business propositions for AIS/PIS authorisations/registrations included:
- Consumer credit extending the scope of credit reports and credit scores;
- Financial dashboards for consumers;
- Business services providers helping SMEs with financial forecasting and credit transfers; and
- FinTechs providing services such as rounding up a customer’s purchases to the nearest pound and then investing the digital spare change; and storing consumers’ digital loyalty points.
Transition to strong customer authentication and secure communications
The Regulatory Technical Standards on strong customer authentication and common and secure communication (RTS) come into force in the second half of 2019. These aim to provide additional fraud protection to customers. The timeframe means that there is potentially an uncomfortable transition period where services provided by Open Banking APIs are more secure than other business models (i.e. those involving screen scraping).
To this end, on 4 May 2018, UK Finance, the Financial Data and Technology Association, the Electronic Money Association and techUK jointly published guidelines. These aim to increase customer protection around the practice of ‘screen scraping’ (a method of accessing customer data or initiating payments on a customer’s behalf) and to encourage the industry to move towards consistent use of APIs.
Where do we go from here?
Preparing for the RTS
The final RTS will apply from 14 September 2019 and specify the requirements of strong customer authentication (SCA), exemptions from the application of SCA, requirements to protect the confidentiality and integrity of personalised security credentials and the requirements for common and secure open standards of communication.
From our experience with FinTech and banking clients to date, implementation of the RTS will likely be challenging as affected firms need to decide how to manage compliance across different customer mediums and where to rely on exemptions from SCA. In particular, the criteria for reliance on the exemption from SCA for low risk transactions have the potential to be operationally complex.
Co-ordination of standards across Europe
The deadline for the CMA9 to have in place working APIs for TPPs was 13 January 2018, though there were some delays in implementation of the technology designed to deliver APIs. The further development of APIs and harmonising API standards is next on the agenda. In the UK, the Open Banking Implementation Entity is leading the way in issuing guidance to participants and hosting forums for discussion. At the EU level, the Berlin Group was set up with the aim of co-ordinating EU payments interoperability standards. PRETA, a subsidiary of EBA Clearing, is also involved and is developing a centralised directory for TPPs.
At a UK level, ongoing industry discussions are being hosted by UK Finance (the association representing the UK banking and financial services sector) around interpretation and application of the RTS, with a view to organisations agreeing a common standard and ensuring certainty around application. Addleshaw Goddard is actively participating in those discussions.
Also watch out for…
On 13 March 2018, HM Treasury launched a call for evidence on the role of cash and digital payments in the new economy. Among other things, it seeks to gather evidence to inform that debate, by exploring how the government can support digital payments.
What have we been doing?
The Payments team at Addleshaw Goddard has been working with a broad range of firms as they seek to either provide these new regulated payment services or enable them through Open Banking APIs. For example:
- We have assisted UK and foreign financial institutions and other clients to assess the impact of PSD2 on their businesses and facilitated the implementation of the directive, helping them to make operational and documentation changes across a wide range of products;
- We have acted for one of the CMA9 to develop its Open Banking approach and architecture as well as a TPP proposition;
- We are co-drafting updates to UK Finance’s industry guidance on PSD2 and attending and advising at the UK Finance meetings on the Regulatory Technical Standards on Strong Customer Authentication; and
- We have also acted for new to market firms seeking authorisation/registration with the FCA and assistance in meeting the regulatory requirements in terms of customer disclosures in the T&Cs and customer journeys.
Key issues that we are seeing across the industry are as follows:
- How the industry as a whole will adopt the RTS. For some of our clients, the implementation process is already underway and is generating challenging operational questions.
- How banks address the open access provisions under PSD2, both now and as APIs develop. For example, how to manage the risk of liability that may arise from the actions of an AISP or PISP.
- How the TPPs explain the services to consumers, particularly in relation to the language used to confirm consent for accessing account information or initiating a payment order.
- How banks can take advantage of opportunities to provide complementary services and products to existing customers that allow them to compete with AISPs and others in an increasingly crowded market.
If you have any questions about the nature and scope of AISP and PISP services, or would like to talk about how these new models could be leveraged for your business, please contact us below.
1. This information does not capture firms who provided AIS/PIS since before 12 January 2016 and are covered by the transitional provisions under PSD2.
2. The provisions that relate to the documentation on the technical specifications of and testing facility for banks' dedicated interfaces will apply from 14 March 2019.