- amendments to the technical standards on strong customer authentication (“SCA”) and common and secure methods of communication (the “SCA-RTS”);
- updates to its published guidance in its Approach Document on Payment Services and Electronic Money (the “Approach Document”); and
- additional guidance to be added to the FCA’s Perimeter Guidance Manual (“PERG”).
These changes will be of interest to:
- credit institutions providing payment services and/or issuing e-money;
- payment institutions;
- e-money institutions;
- registered account information services providers;
- firms subject to the temporary permissions regime (the “TPRs”), which enables relevant firms and funds which passport into the UK to continue operating in the UK at the end of the transition period;
- firms subject to the financial services contracts regime, which provides a limited period of time during which EEA passporting firms can continue to service UK contracts entered into prior to the end of the transition period, in order to wind down their UK business in an orderly fashion; and
- Gibraltar firms providing payment services in the UK.
AMENDMENTS TO THE SCA
The Approach Document sets out the regulators’ approach to the Payment Services Regulations 2017 (“PSRs”) and the Electronic Money Regulations 2011 (“EMRs”), which implemented the Second Electronic Money Directive and the revised Payment Services Directive (“PSD2”), respectively. These pieces of EU legislation aimed to reduce fraud while opening up payment markets to new entrants, making increased security standards a key part of this legislation.
The Approach Document in the UK acts as a guide for payment services firms and e-money issuers. The FCA proposes the following three changes to the guidance in the Approach Document:
- Strong customer authentication
The FCA is set to update the Approach Document in light of:
- various European Banking Authority (“EBA”) and European Commission Q&A responses and opinions on SCA, published up to 31 December 2020, including for example:
  - the clarification from the EU Commission that where there is a fraudulent or unauthorised transaction, a payee’s payment service provider should be liable where it triggers an exemption, and the transaction is carried out without applying SCA. Therefore, other than where the payer has acted fraudulently, the payer’s payment service provider would refund the customer and would then be entitled to be reimbursed by the payee’s payment service provider;
  - the clarification from the EBA that the corporate exemption is applicable to (physical or not) card payments (as well as other payment instruments), provided those cards are “only available to payers who are not consumers” (i.e. only available to corporate customers); and
- the judgment and conclusions on contactless card payments in the recent DenizBank case by the European Court of Justice (the “ECJ”). In DenizBank AG v Verein für Konsumenteninformation (Case C 287/19) [EU:C:2020:322] the ECJ has handed down an opinion on a preliminary reference concerning the application of the revised PSD2 to cards with near-field communication (“NFC”) functionality (commonly referred to as contactless cards). This opinion indicates that NFC functionality of a personalised multifunctional payment card must be classified as a payment instrument (i.e. separate to the card’s other payment instruments). Therefore, the possibility of tacit acceptance of changes to a framework agreement must be strictly interpreted and may not be applied to changes to the essential elements of that framework agreement (such as those relating to the addition of NFC functionality in a payment card).
The FCA also proposes to make changes to its guidance on dynamic linking, a process which requires a customer’s authentication of a payment instruction to be linked to a specific payee and a specific amount. The view of the FCA is that SCA would not need to be reapplied where the final amount is higher than the original amount authorised. To make sure that the final payment is reasonably within the amount the customer agreed when he/she authorised the payment, the final amount should not exceed the amount originally authorised by more than 20% without further SCA being performed. The FCA believes this is a reasonable amount and expects businesses to have made consumers aware that the price could go up, and consumers to have agreed to such a possibility before authorising the original amount.
- Safeguarding and prudential risk management
The FCA is proposing to make permanent its (previously) temporary guidance on safeguarding and prudential management. In May 2020, given the exceptional circumstances of the pandemic, the FCA published a short consultation on coronavirus and safeguarding customers’ funds. It proposed additional temporary guidance to strengthen payment and e-money firms’ prudential risk management and arrangements for safeguarding customers’ funds. In July 2020, the FCA published its Temporary Guidance, taking into account the feedback it received.
- Other changes to the Approach Document
The FCA has taken this opportunity to make general updates to several areas and proposed the following:
- an extension of the FCA’s Principles for Businesses to the provision of payment services and issuance of e-money by certain payment services providers and e-money issuers;
- the extension of certain communication rules and guidance under the Banking Conduct of Business Sourcebook (“BCOBS”) to communications with payment service and e-money customers;
- a clarification of FCA expectations on notifications under the limited network exclusion and electronic communications exclusion, which exclude certain activities from the scope of the PSRs and the EMRs, subject to meeting certain conditions;
- general updates to reporting requirements, information sharing from ASPSPs to third party providers, and eIDAS (electronic IDentification, Authentication and trust Services, an EU regulation on electronic identification and trust services for electronic transactions in the European single market established by EU Regulation 910/2014, as incorporated into EU law by the EU Withdrawal Act 2018) general certificates;
- onshoring changes made to legislation, regulatory rules and guidance applicable to payment services and the issuance of e-money to reflect the UK’s exit from the EU. Chapters 2 (Scope), 8 (Conduct of business requirements) and 10 (Safeguarding) in the Approach Document are most affected; and
- the Approach Document has also been updated to address how PSRs, EMRs, its rules and guidance apply to firms with transitional authorisation or who are in the regime for contractual run-off.
AMENDMENTS TO PERG
The Perimeter Guidance Manual gives guidance about the circumstances in which authorisation is required, or exempt person status is available, including guidance on the activities which are regulated under the Financial Services and Markets Act 2000 (the Act) and the exclusions which are available. PERG 15 offers guidance on the scope of the Payment Services Regulations 2009.
The FCA intends to amend PERG 15 to provide additional guidance on the types of products that may benefit from the limited network exclusion, and to give guidance on its expectations of firms that benefit from the electronic communications exclusion. For example, PERG 15 would clarify that the exception would not likely apply to online marketplaces, because the operation and the very broad range of goods and services that can be sold to the sellers that can sell through such marketplaces mean the instruments that can be used on them are unlikely to be sufficiently limited; and that it will likely apply to team-related cards that can only be used at a specific stadium or team’s website.
AMENDMENTS TO THE SCA-RTS
The EU Regulatory Technical Standards for strong customer authentication and common and secure open standards of communication (“EU-RTS”) form part of EU law and supplement the PSD2. Following the UK’s withdrawal from the EU, amendments to the PSRs require firms to comply with the SCA-RTS, which is made by the FCA, instead of the EU-RTS. The SCA-RTS is substantially the same as the EU-RTS. However, the FCA states that, following discussions with the industry, trade bodies and responses to its recent call for input on open finance (a consultation to explore the opportunities and risks arising from open finance), it has identified barriers to successful competition and innovation in the UK payments landscape, and consequently it is proposing to make the following changes:
- increasing the single and cumulative transaction thresholds for contactless payments from £45 to £100 (or potentially a maximum of £120) and from £130 to £200 respectively;
- potentially adding a new exemption from SCA when customers access their account information through an information provider;
- mandating the use of dedicated interfaces (such as application programming interfaces) by account servicing payment service providers (“ASPSPs”) to facilitate third-party provider access to retail and SME customers’ payment accounts;
- changing requirements for publishing interface technical specification, availability of testing facilities, and fallback mechanisms by account providers; and
- treating ASPSPs with deemed authorisation under the TPRs as exempt from the requirement to set up a fallback interface, where the ASPSP has an exemption from its home state competent authority.
These changes are detailed in Appendix 2 of the Consultation Paper.
Comments on the changes proposed by the FCA on contactless payments closed on 24 February 2021. For all other aspects of the Consultation Paper, the deadline for comment is 30 April 2021.
After this period has elapsed, the FCA will consider the feedback and publish finalised technical standards and guidance.
For more information, and any guidance or advice on e-money and electronic payments, Cleveland & Co External in-house counsel™, your specialist outsourced legal team, are here to help.