The summer saw a number of regulatory developments relevant to authorised payment institutions (APIs) and E-money institutions (EMIs). In this article, we round up six of the most important developments.
- 1. FCA extension of Handbook rules to APIs and EMIs
On 1 August 2018, the FCA published "General Standards and Communication Rules for the Payment Services and EMoney Sectors" (CP18/21) to consult on proposals to extend its Principles for Business (the Principles) and certain communication rules to APIs, EMIs and Registered Account Information Service Providers (RAISPs) where they are not already regulated by the Financial Services and Markets Act 2000 (FSMA).
The Principles - The Principles are high level standards setting out the fundamental obligations which currently apply to FSMA authorised firms. The FCA proposes to extend them to APIs, EMIs and RAISPs as well as to credit institutions providing payment services which are not connected to their regulated activities. The extension, which aims to remove differences in the regulatory requirements on firms (and ultimately the treatment of customers), will increase the obligations of these firms and expose them to a greater risk of regulatory enforcement. Although the FCA considers that APIs and EMIs should be complying with the Principles as good practice, work will be needed to embed the Principles and ensure appropriate monitoring.
FCA’s Banking Conduct of Business Sourcebook (BCOBS) - The FCA plans to extend the application of certain communication rules and guidance in BCOBS, Chapter 2 to communications with payment services and e‑money customers. For in-scope communications, firms will need to include the name of the provider of the service, ensure the communication is accurate and does not emphasise benefits without also giving an indication of any relevant risks, and does not disguise or diminish important information or warnings.
There are also proposals to introduce rules and guidance on the promotion of currency exchange transfer services applicable to payment services and the issuance of e‑money involving a currency conversion.
The consultation is open until 1 November 2018. We expect the policy statement and final rules to be published in January 2019. Subject to consultation responses, the rules could apply immediately.
- 2. European Banking Authority (EBA) consultation "Guidelines for outsourcing arrangements"
On 22 June 2018, the EBA launched a public consultation on draft Guidelines on outsourcing arrangements (the Guidelines). It aims to harmonise the framework for outsourcing across firms, including APIs and EMIs.
The Guidelines apply to APIs and EMIs. This is a significant extension in scope as none of the existing EBA materials on outsourcings, which the Guidelines replace, apply to APIs or EMIs.
The Guidelines are very detailed, addressing outsourcings, material outsourcings and even other service provision arrangements. They set out specific requirements for the governance of outsourcing arrangements, the contract, conflicts of interest, business continuity and internal audit functions. There are elevated requirements for outsourcings of a technological nature or where the service provider is outside the EEA. APIs and EMIs will need to look at their existing outsourcing processes and introduce or enhance risk assessments and ongoing monitoring and controls in respect of outsourced service providers. This will need to include a review of existing contracts to consider whether they are fit for purpose in the context of the new requirements the Guidelines set out for APIs and EMIs.
The consultation has closed. The EBA will provide final Guidelines after considering responses.
- 3. FCA Consultation on "Approach to final Regulatory Technical Standards and EBA guidelines under the revised Payment Services Directive (PSD2)" (CP18/25)
On 17 September 2018, the FCA published CP18/25. It focuses on changes it plans to make to its Approach Document in light of the regulatory technical standards for strong customer authentication and common and secure open standards of communication (SCA-RTS) but also makes a broader suite of amendments to existing rules and guidance in the FCA Handbook and Approach Document.
The FCA is proposing changes to its Approach Document to reflect the final SCA-RTS. It is also consulting on the requirements for fraud reporting, reflecting the requirements published by the EBA, as well as new complaints reporting rules about authorised push payment fraud. There is much to discuss here but you should also be aware that:
- The FCA also proposes changing guidance on authorisation. In the process, it sets expectations for the threshold criteria including, for example, professional indemnity insurance for provision of AIS / PIS by stating what it should cover (see 3.6.1 of the draft Approach Document).
- There are some unexpected proposed changes to PERG to: (1) clarify the FCA's expectations on AISPs that are or appoint agents; (2) include e-commerce platforms that provide escrow services as an example of a type of e-commerce platform that is likely to be in scope of the PSRs; and (3) clarify that closed loop gift cards are not considered to be payment instruments (though the rationale behind this position may be subject to debate in the consultation process).
The consultation is open until 12 October 2018. We expect the policy statement and final rules to be published in early 2019.
In our view, the additional guidance on authorisation should be read as setting the FCA's expectations for the ongoing business of all APIs and EMIs (in addition to those currently in the authorisation process). Authorised firms will need to look through these amendments and make sure that their business meets these expectations.
- 4. Authorised Push Payment (APP) Fraud
On 26 June 2018, the FCA published "Authorised push payment fraud – extending the jurisdiction of the Financial Ombudsman Service" (CP18/16) to consult on proposed changes to DISP. The changes will allow APP fraud complaints to be made to the Financial Ombudsman Service (FOS).
On 28 September 2018, the APP Scams Steering Group published a draft voluntary code (the Code) designed to help stop APP scams from happening and protect consumers when they do.
Extension of FOS jurisdiction to APP fraud - If the draft rules are adopted, the FOS will be able to consider complaints where either (1) a payer intended to transfer funds to a certain person, but was deceived into transferring the funds to a different person; or (2) a payer transferred funds to another person for what they believed were legitimate purposes but were in fact fraudulent. This means that firms will be subject to FOS, will have to follow the more time-consuming and costly FOS process and may have to pay redress in APP fraud cases (if a wrongdoing on the firm's part is found).
APP Scams Steering Group, Code - The main onus is on the payer's PSP. The Code requires it to take reasonable steps to prevent APP fraud for example, by providing warnings, including a confirmation step for the payer ("Confirmation of Payee") and, if necessary, delaying payments. These steps must be proportionate to the customer and there are obligations to identify at-risk customers and tailor steps accordingly. The requirements on the payee's PSP, focus on initial customer due diligence to prevent accounts from being used to launder the proceeds of fraud.
The payer's PSP is also responsible for the reimbursing the customer where the customer has taken a level of care with their payment activities (i.e. following the PSP's instructions/guidance). However, in the circumstance where the PSP has not failed to meet the required standard of care, the steering group has not been able to resolve the question of who should meet the cost of reimbursements and so is working to identify a sustainable funding mechanism. In addition, the question of reimbursement where neither the PSP nor the customer has met the level of care set out in the Code is still under consultation.
Note also that CP 18/25 proposes to extend complaints reporting rules to cover APP fraud.
The CP18/16 consultation has closed. We expect the policy statement to be published in Q4, with final rules to take effect from 1 Jan 2019.
The APP Scams Steering Group's consultation is open until 15 November 2018. We expect the final voluntary Code to be agreed and implemented in early 2019.
- 5. Market review into the supply of card-acquiring services
In July 2018, the Payment Systems Regulator (PSR) issued Draft Terms of Reference for a market review into the supply of card-acquiring services.
The PSR plans to investigate concerns that competition is not working well in the card-acquiring market. In particular, that: (1) savings from the interchange fee cap are not being passed on to merchants; (2) there is a lack of transparency around the fees paid by merchants to accept card payments; and (3) there are barriers to the substitution of acquirer service providers.
The consultation on the terms of reference has closed. The PSR plans to publish the final terms by the end of the year along with a planned timetable of work for the review. A market review is a time consuming exercise for participants and we expect that merchant acquirers (and other market participants) will receive significant requests for data and information about their business.
- 6. Brexit
HM Treasury published a draft Electronic Money, Payment Services and Payment Systems (Amendment and Transitional Provisions) (EU Exit) Regulations 2018 (the draft SI). It amends the E-Money Regulations 2011 (EMRs) and Payment Services Regulations 2017 (PSRs) and establishes a temporary permissions regime for EEA APIs, RAISPs and EMIs, each to take effect in the event of a hard Brexit.
Contingency for hard Brexit - The draft SI makes a number of technical changes to the EMRs and PSRs to remove references to EU legislation, EU institutions and the EEA generally. Importantly, the concept of what a one leg / two leg transaction is will not change and so the application of PSR conduct of business requirements will stay the same.
Authorisation - At 11pm on 29 March 2019, the UK will leave the EU and the legal basis on which EEA APIs, RAISPs and EMIs operate in the UK will change. The draft SI introduces a temporary regime to allow EEA APIs and EMIs to continue to operate seamlessly, for an initial period, if there is no transitional deal with the EU. Relying on the transitional provisions involves notifying the regulator and following tailored rules during the temporary period (which could be up to three years) before obtaining an UK authorisation.
If you are relying on a passport and are not decided on your approach to authorisation, please get in touch.