At the end of January, the FCA released its consultation paper (CP21/3) setting out the changes it proposes to make to the SCA-RTS, its 'Payment Services and Electronic Money – Our Approach' document (the Approach Document) and PERG.
Those who have followed discussions in the payments industry over the past year or so will find that many of these changes come as no surprise, but whether that is the case or not, banks, TPPs, PIs and EMIs alike are going to have to grapple with what this means for them if and when the new rules and guidance come into force.
So, aside from dealing with Brexit, what other changes are the FCA proposing? We discuss some of the key points for firms below.
Strong Customer Authentication
REMOVING THE 90-DAY LIMIT FOR AIS
Many firms will be familiar with the exemption in Article 10 SCA-RTS, which enables firms to allow their customers access to information on their account balance and limited transaction history for a 90-day period without having to go through strong customer authentication (SCA) each time.
Although the requirement aims to limit the risk of unauthorised access to customer data, it has caused a headache for some AISPs, who have struggled to retain customers because the requirement to re-apply SCA every 90 days imposes too much friction on the customer journey and therefore negatively impacts the customer experience. The FCA is also concerned about customer detriment where an AISP is no longer able to refresh the account information once the 90-day limit has expired, which risks users making financial decisions based on outdated account information.
To tackle this, the FCA proposes to introduce a new exemption in Article 10A that removes the 90-day time limit specifically when the customer accesses their account using an AISP. Meanwhile, the existing Article 10 exemption will only apply when a customer is accessing their account(s) directly with their ASPSP.
There are, however, some strings attached: when an AISP accesses customer data when the customer is not present, it will need to re-confirm the customer's explicit consent to the provision of the service every 90 days.
The FCA have sought to delicately balance the need to ensure secure access to customer data with the desire to reduce friction in customer journeys and facilitate the open banking ecosystem. No doubt these changes will be welcomed by AISPs, who will have greater scope for providing a more seamless customer journey without the need to regularly hand off to an ASPSP's platform. Even in the customer-not-present context, an AISP will be able to manage the consent process entirely within its own platform and can, in doing so, customise its own user-friendly journey. However, for those customer-not-present services (e.g. provision of some financial management services) there will inevitably remain an element of friction in the customer journey, and a risk that the analytics being carried out become out of date as a result. The AISPs providing these services will need to think about how to engage with customers at regular intervals to obtain their explicit consent to the ongoing provision of the service. Account providers will need to amend their technical API infrastructure to enable ongoing access by AISPs.
In addition, the FCA have retained their guidance in their Approach Document which explains that ASPSPs are not required to check the terms of the ongoing consent provided by the customer, nor are they able to seek confirmation of that consent (see para 17.133 of draft Approach Document). Therefore, ASPSPs are also likely to want to consider the impact of this change from a liability perspective even if, as the FCA has stated, the risk of unauthorised access to data remains low given the authorised status of the TPPs. All of this will also need weaving into any consent dashboard processes. Consequently, we expect further discussions on this proposed change.
CONTACTLESS LIMITS TO BE INCREASED
The FCA proposes to increase the contactless limits in Article 11 SCA-RTS from £35 to £100 (or £120) per individual transaction and from a cumulative value of £130 to £200 before SCA needs to be applied. Interestingly, this is the first major deviation from the EU's SCA-RTS, separating the UK cards market infrastructure from that of EU Member States. However, as the FCA has pointed out, the proposals would bring the UK more into line with other countries such as Australia, Canada and Singapore.
Firms will recall that it was only recently that the industry decided to increase the contactless limit to £45; this was driven in part by the increased use of contactless as a payment method, but also to help cardholders comply with social distancing measures by removing the need to use the chip and PIN pad in a greater number of transactions. On the whole, this change appears to have been well received and, we understand, has not resulted in a real increase in the risk of fraudulent use of the card.
If the limits are increased by the FCA, there is of course no requirement on issuers or others in the industry to adopt this change, and it remains within the discretion of the issuer what limit they want to impose in order to manage their fraud risk exposure. Although, on the whole, we think that the industry will be supportive of moving in that direction, such a change requires the financial services industry to work closely with the retail sector. This is because, for the limits to be changed, the software on card machines will need to be updated. We suspect that, as before, many retailers will require a gradual roll-out period in order to update their systems, particularly given current restrictions and the fact that changes have only just been made.
Responses to the FCA's questions on the contactless limits are due before 24 February 2021 so no doubt we will know the outcome of this discussion very shortly.
Among the other helpful clarifications in the Approach Document is the FCA's confirmation that customers will not need to go through SCA again if the final amount of a payment is higher than the original amount they consented to. As a reminder, whenever a customer makes a remote electronic payment transaction, the customer must be made aware of the exact amount of the payment and the identity of the payee – the authentication code generated for that particular transaction is then dynamically linked to that payment information. However, if the final amount of the payment then changes, the customer must go through SCA again. This presents some awkward challenges in certain use cases such as online grocery shopping, where it is common that the exact amount of the transaction is not known in advance. For example, customers are well accustomed to the practice of individual items in their shopping basket being substituted before delivery, which may result in small changes to the amount they are charged.
Going forwards, the FCA confirms that SCA will not need to be re-applied where the final amount of the payment is higher than the original amount the customer authorised, provided that the final amount is within the customer's reasonable expectations and merchants make customers aware of the fact that the amount may change. The FCA makes it clear that any increase to the amount above 20% would not be compliant with its expectations. This is likely to come as a relief to some online retailers who are still working towards the SCA managed roll-out timelines.
Open Banking
Dedicated interface to be mandated for certain providers
All ASPSPs currently have two options for providing TPPs with access to their customers' payment accounts: either a dedicated interface or a modified customer interface (an MCI). However, the FCA has now proposed that any ASPSP providing a payment account within the meaning of Art 2(1) of the Payment Account Regulations 2015 (PAR), accounts that fall within the PAR definition but are held by SMEs, and credit card accounts held by consumers and SMEs, will be required to develop a dedicated interface to enable TPP access. The definition of payment account under PAR is narrower in scope than the definition of payment account under the PSRs, meaning that the FCA is aiming to impose the use of dedicated interfaces for those accounts which it deems likely to be subject to the greatest TPP demand.
Of course, this will not impact on all ASPSPs (small PIs and small EMIs are excluded) and, even then, it will only affect firms who have previously opted for a modified customer interface. Nevertheless, this is likely to be a big ask for those ASPSPs with some not-insubstantial costs attached. Consequently, the FCA have given firms up to 18 months to implement this change.
Timing changes for specification documents, the testing facility and the fall-back mechanism
Driven by a concern from some in the industry around competition, the FCA has decided to remove the requirement on firms to publish their technical specifications and provide TPPs access to a testing facility 6 months prior to the launch of their interface; instead firms will only be asked to do so at the same time as it is launched. In addition, ASPSPs will now have 6 months from the point of launch to put in place the fall-back mechanism if they have not applied for an exemption.
This is anticipated to assist newcomers to the market, who otherwise may be in the position of having to delay the launch of new products and services or have felt their ability to innovate was being impeded. The additional time frame to build a fall-back mechanism may also help those firms that have developed new interfaces with their application for exemption, giving them more time to evidence requirements such as wide usage.
Firms are reminded of the changes that have already come into existence around the use of alternatives to eIDAS certificates. Many will recall that this was prompted after an announcement late last year from the EBA that eIDAS certificates issued to UK TPPs would be revoked after 31 December 2020. Article 34 of the SCA-RTS has now been updated to impose new requirements on ASPSPs to accept alternative certificates in addition to eIDAS certificates, and Chapter 17 of the Approach Document is proposed to be updated accordingly. This change was introduced without a temporary transitional arrangement.
In July 2020, the FCA released temporary guidance for APIs and EMIs on their compliance with the requirements relating to safeguarding customer funds. Although the advice was targeted at the perceived increase in risk to firms as a result of coronavirus, the overall theme of the guidance was clear: the FCA felt that a number of firms were falling short of the requirements and that further clarification of the rules was needed to reduce prudential risk.
The FCA is now proposing to make its temporary guidance permanent by including its recommendations in the Approach Document. In particular, the FCA focuses on the need for firms to:
- clearly document their reconciliation processes and ensure that funds are safeguarded without delay;
- ensure that customers are aware that their funds are not protected under the Financial Services Compensation Scheme;
- have robust governance arrangements, with an expectation that firms that need to arrange annual audits of their accounts also arrange audits of their compliance with their safeguarding arrangements whenever they make material changes to their business model that may impact on these arrangements;
- consider the additional risks that might arise when using alternative safeguarding methods such as an insurance policy or comparable guarantee. More specifically, the FCA highlights the need for those firms to ensure there is adequate headroom in any insurance policy or guarantee to capture any reasonable increases to the amount of funds being safeguarded. Firms must also ensure insurers are aware that their policies must allow for full payout irrespective of how the shortfall in safeguarded funds arises; and
- implement sufficient governance and controls to manage prudential risk, which includes stress testing to analyse the risk of severe business disruptions, liquidity risk management arrangements and documented wind-down plans.
The updated guidance is also relevant to credit institutions and custodians that provide client accounts to APIs and EMIs – they are reminded that they will be asked to provide an acknowledgement letter confirming that they have no interest in, recourse against, or right over the relevant funds in any safeguarding account they may hold. The FCA confirms its view that these funds must be treated as held on trust.
The FCA remains concerned about payment and e-money firms' prudential risk management in light of mounting economic pressure. This will be an undoubted focus for the FCA going forward and firms should be ensuring they have conducted a review of their arrangements.
Exclusions - LNE and ECE
The FCA is also updating Q40 and Q40A PERG to clarify the parameters of the Limited Network Exclusion (LNE) and the Electronic Communications Exclusion (ECE), pursuant to which firms may only be required to notify the FCA (rather than be authorised or registered) to provide payment services. In the proposed revisions to PERG, the FCA clarifies that:
- under the LNE, there is an overarching requirement that the payment instrument can only be used in a limited way. Rather than providing firms with an arbitrary cap on the number of participants there can be in the network, the FCA provides some indication of what it would not consider to be 'limited', such as a network of participants that was continuously growing in number;
- firms cannot simply rely on contractual clauses to demonstrate they have complied with the limited network requirement – they will need to put in place functional restrictions in order to ensure the network is limited in practice;
- the ECE is available to purchases made through communications networks such as smart TV or set-top boxes and not just mobile phones; and
- firms relying on the ECE as part of a 'cascade' (e.g. where they are an intermediary benefiting from another provider's exclusion) will only be able to rely on it where the conditions for the ECE have been satisfactorily met by the first provider in the chain.
To the extent that firms relying on the LNE or the ECE were not already aware of this additional guidance (the FCA had previously communicated this in their Dear CEO letter in December 2019), firms may find it useful to revisit their arrangements to ensure that they remain within the scope of the exclusions.
Last but not least, the FCA has made a number of changes to the SCA-RTS and the Approach Document to reflect the UK's departure from the EU, and in particular to reflect the post-Brexit revisions to the PSRs and the FCA's Temporary Permissions Regime (TPR).
The Brexit amendments to the scope of the PSRs produced a pretty complex set of arrangements. Whilst the FCA has done a decent job to try to explain these, there are areas that we believe may be open to a different view due to the complexity of the arrangements.
In relation to the TPR, the FCA has taken a pragmatic approach to those firms including:
- removing the requirement on TPR firms to put in place a fall-back mechanism where the firm is already exempted by its home state competent authority; and
- exempting TPR firms from any new requirement to develop a dedicated interface if they have instead developed an MCI.
Many firms will also be relieved to see that the FCA has blessed a significant proportion of the existing guidance that has been issued by the EBA pre-Brexit, including clarifying that it agrees with the EBA's views that:
- static card data does not constitute a knowledge factor or a possession factor for the purposes of SCA; and
- firms may re-use one of the authentication elements for SCA, such as the password, when a customer initiates a payment during the same online session. This is provided that firms comply with all of the other requirements of dynamic linking.
What happens now?
The FCA's consultation period remains open until 30 April 2021, except for the questions on contactless cards, which firms must respond to before 24 February 2021. However, this may not be the last of the changes we see to the Approach Document over the coming months - the FCA has indicated that there may be further updates once it has decided its take on the ECJ's recent judgment on DenizBank (we issued a separate Briefing on this case), and also to reflect any changes that arise out of HM Treasury's consultation on the special administration regime for PIs and EMIs that is being developed.