These guidelines (EBA/GL/2014/12) set out the minimum requirements for the security of internet payment services. They define strong customer authentication as a procedure based on two or more independent elements (something the customer knows, possesses or is), i.e. two-factor authentication as a minimum, but allow payment service providers (PSPs) offering acquiring services for card-based internet payments to use alternative authentication measures for pre-identified categories of low-risk transactions.
The guidelines were intended to provide a uniform approach to the security of internet payments across the EU until the implementation of PSD2 – they will be in force until the application of the EBA's Regulatory Technical Standards on strong customer authentication and common and secure communication under PSD2 (expected to be October 2018 at the earliest).
The Open Banking Working Group (OBWG) was set up at the request of HM Treasury primarily to deliver a framework for the design and development of an open Application Programming Interface (API) standard in UK banking, focussing on personal and business current accounts.
Its initial scope of work included defining:
- the scope of the open API standard;
- the scope of data to be covered by the open API standard and open data;
- the rules on data access and permissions (to accord with data protection and other regulatory and legislative obligations); and
- the security parameters and framework around data release, permissions and use, especially the vetting process and procedure for third-party access.
The OBWG was directed to consider the implications of concurrent regulatory initiatives in the UK (including PSD2), and align where practicable.
Directive (EU) 2015/2366 on payment services in the internal market (PSD2) updates the EU framework for payment services under the current Payment Services Directive (2007/64/EC). Key changes include:
- introducing two new payment services to cover the activity of third-party payment service providers: payment initiation services and account information services;
- improving the security of payment services by bringing about major changes to the way that payment service providers (PSPs) authenticate payments; and
- enhancing the transparency of payment services through greater information provision and pricing restrictions for international payments.
The OBWG report sets out a detailed framework for delivering open banking in the UK.
The Open Banking Standard is promoted as a guide to "how open banking data should be created, shared and used by its owners and those who access it". It recommends the use of open APIs to provide open access to open data (eg market information, banking product information) and shared access to private data, like customer data. Access to private data should be facilitated only where bank account holders have given "informed consent". Open APIs will be available under a free licence and will encourage existing standards and structures to be re-used.
The recommendations will be carried out by a purpose-built Open Banking Implementation Entity.
Before the FCA starts to update its guidance for PSD2, it has sought views on whether the guidance has kept pace with market developments and the growth in payment services. The guidance consists of its payment services approach document and chapter 15 of its Perimeter Guidance manual (PERG), published in 2009 as part of PSD1 implementation.
There will be further proactive engagement with relevant stakeholders over the coming months (eg via the FCA PSD2 Stakeholder Liaison Group). An FCA consultation on revised PSD2 guidance is due in Q1/Q2 2017. HM Treasury is also due to consult on PSD2 implementing regulations in 2016.
The eIDAS Regulation ((EU) No 910/2014) on electronic identification and trust services for electronic transactions in the internal market establishes a new legal structure for electronic identification, signatures, seals and documents throughout the EU. It replaces the Electronic Signature Directive (Directive 1999/93/EC) and creates specific electronic signature types that are recognised across the EU.
The EBA's draft RTS on strong customer authentication and common and secure communication under PSD2 mandate that payment system participants will authenticate each other using certificates issued by a qualified trust service provider (QTSP). A QTSP is a certification authority that meets the stringent requirements of the eIDAS Regulation (eg rules on security and liability) and has been granted qualified status by the relevant supervisory body in the Member State.
For the EBA's requirement to work there will need to be QTSPs by the time the RTS come into force – no provider has been designated so far. The EBA has flagged this as an issue in its consultation paper on the draft RTS and asked for specific feedback on its approach.
In its update (MS14/2.4) to its Cash Savings Market Study, following its Policy Statement of December 2015 (PS15/27) on measures to improve competition, the FCA sets out its latest thinking on remedies, including a "convenience remedy" involving the adoption of account aggregation services so that customers can view and manage their savings and other accounts in a single place. The FCA has indicated that it will deal with this through PSD2 implementation (as PSD2 introduces the new payment service of account information services).
However, as many cash savings accounts will not be payment accounts, it is currently unclear whether this will apply to them or will instead be brought in through the FCA's Banking: Conduct of Business sourcebook (BCOBS).
The Open Banking Development Group (OBDG) has been set up by the Open Data Institute (ODI) to "drive innovation around an open banking standard on a UK and international basis". The ODI highlights that any open banking standard needs to be supported by a broad community that embraces an open environment.
Building on the work already carried out by the Open Banking Working Group, the OBDG aims to create a global community of open banking leaders that will play an important role in shaping any open banking initiatives. This will include the EBA's regulatory technical standards for PSD2 and the CMA's remedies following its retail banking market investigation.
Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (the NIS Directive) represents the first EU-wide rules on cybersecurity.
It includes risk management and incident reporting obligations for "operators of essential services" and digital service providers. Each Member State has until 9 November 2018 to identify the operators of essential services with an establishment in its territory – this will include credit institutions that meet a defined set of criteria. A credit institution that is subject to PSD2 and the NIS Directive will need to take account of the risk management and incident reporting obligations under both.
According to the UK Competition and Markets Authority (CMA) in its final report, competition for personal customers and SMEs in the retail banking sector is not working as well as it should be, with so-called 'challenger' banks struggling to win market share from the UK's more established players. The CMA does not believe that the banks' size and number are the problem. Rather, the low level of switching between banks is caused by customers' inability to easily access, assess and act on information about the cost of their banking. In response, the CMA has proposed a "wide-ranging" package of remedies that aim to better inform and engage customers, prompting them to switch and giving them more confidence to do so.
The CMA's "central reform" is to mandate that the UK's nine largest banks develop 'open application program interfaces' (APIs), enabling banks to share customer data with each other and FinTech businesses. It is hoped that this "Open Banking revolution" will remove information asymmetries, encourage innovation and boost competition. The CMA believes that Open Banking will also allow banks to fulfil their information-sharing obligations required under PSD2.
The draft regulatory technical standards (RTS) (EBA-CP-2016-11) have been developed under Article 98 of PSD2, which requires the EBA to issue regulatory technical standards ensuring an appropriate level of security for customers and payment service providers.
The requirements cover strong customer authentication, enhanced protection of customers' security credentials, and common and secure open standards for communications between the various types of providers in the payments sector.
Article 5(4) of PSD2 mandates the EBA to issue guidelines addressed to the competent authorities in member states on the criteria on how to stipulate the minimum monetary amount of the professional indemnity insurance (PII) or other comparable guarantee to be held by undertakings that will apply for authorisation to provide payment initiation services (PIS) and/or registration to provide account information services (AIS).
As PIS and AIS were not subject to PSD1, they were not necessarily supervised by competent authorities and were not required to comply with PSD1. This raised a series of legal issues, such as consumer protection, security and liability as well as competition and data protection issues. Therefore PSD2 aims to respond to these issues by setting out specific conditions for providers of PIS and AIS, including requirements they have to fulfil when applying for authorisation and/or registration.
Article 5(5) of PSD2 mandates the EBA to issue guidelines on the information to be provided to the competent authorities in the application for authorisation of payment institutions.
The type of information requested from applicants varies depending on the different nature of the payment service provider. The Guidelines are therefore structured into three separate sections for payment institutions, AISP, and electronic money institutions respectively.
The information requirements specified in the draft Guidelines include: details on the applicant’s programme of operations; its business plan; evidence of initial capital; the measures taken for safeguarding payment service users’ funds; the applicant’s governance arrangements and internal control mechanisms; the procedures in place to monitor, handle and follow up a security incident and security related customer complaints and to file, monitor, track and restrict access to sensitive payment data; and the identity, and evidence of the suitability, of persons holding qualifying holdings and of persons responsible for the management of the payment institution.
The final guidelines will be published after the end of the consultation period.
Article 96(3) of PSD2 mandates the EBA, in close cooperation with the ECB, to issue guidelines addressed to payment service providers on the classification and notification of major operational or security incidents, and to competent authorities on the criteria to assess their relevance and the details to be shared with other domestic authorities.
The draft guidelines specify (i) the criteria for classifying operational or security incidents as major, (ii) the template to be used by payment service providers when notifying them to the competent authorities and (iii) the indicators that competent authorities need to use when assessing the relevance of such incidents.
In its report on the Open Banking Standard, the Open Banking Working Group sets out its intention to launch a viable product for an Open Banking API based on open data by the end of 2016 and personal account transaction data included on a read-only basis starting from the beginning of 2017.
The deadline has been set by Article 98(4) of PSD2.
The Commission will have 3 months to decide whether to endorse the RTS (Article 10(1) of Regulation (EU) No 1093/2010). Where the Commission intends not to endorse or to endorse in part or with amendments, the draft RTS are sent back to the EBA and the EBA then has 6 weeks in which to amend them on the basis of the Commission’s feedback and resubmit.
Power is delegated to the Commission to adopt the RTS. The RTS will come into force on the date of publication in the Official Journal of the EU.
This deadline has been set by Art 5(4) of PSD2.
According to the UK Competition and Markets Authority (CMA) in its final report (August 2016), competition for personal customers and SMEs in the retail banking sector is not working as well as it should be.
Part 2 of the Order relates to open API standards and data sharing, and provides for the creation of an Implementation Entity which will develop, agree, implement, maintain and make widely available without charge open and common banking standards for read-only open access to data, and common standards for both read and write access, allowing third parties to initiate a payment on behalf of a customer. Following consultation, the CMA amended this part of the Order to clarify the importance of consistency with PSD2.
HM Treasury is consulting on UK implementation of PSD2, including draft Payment Services Regulations 2017, for a short 6 week consultation period ending on 16 March 2017.
The consultation paper states that the Government aims to finalise and lay the final implementing legislation in Parliament in 'early 2017 to provide industry with as much time as possible to adjust to any changes required'. The FCA issued a consultation on PSD2 revisions to the guidance in its Payment Services Approach Document and its Handbook rules on 13 April 2017 (closing 8 June 2017).
Article 100(6) of PSD2 mandates the EBA, after consulting the European Central Bank (ECB), to issue guidelines, addressed to national competent authorities, on the complaints procedures to be taken into consideration to ensure and monitor effective compliance with PSD2.
The draft guidelines govern the process relating to complaints that payment service users and other interested parties, including consumer associations, can submit to competent authorities (CAs) with regard to PSPs’ alleged infringements of the PSD2. In particular, the draft guidelines specify:
- the requirements for the channels to be used by complainants to file their complaints;
- the information that CAs should request from complainants when complaints are submitted to them; and
- the information CAs should include in their responses to complaints.
The proposed guidelines also require CAs to:
- make an aggregate analysis of the complaints received;
- document their internal complaints procedures; and
- make information related to their procedures for complaints of alleged infringements of PSD2 publicly available.
The draft guidelines apply only to complaints addressed to CAs about alleged infringements of PSD2 and do not cover other issues that payment service users or other interested parties may complain about. They also do not cover the role of CAs in alternative dispute resolution (ADR) procedures for the settlement of disputes between payment service users and PSPs.
The consultation closes on 16 May 2017.
The final draft regulatory technical standards (RTS) (EBA/RTS/2017/02) have been developed under Article 98 of PSD2, which requires the EBA to issue regulatory technical standards ensuring an appropriate level of security for customers and payment service providers.
The requirements cover strong customer authentication, enhanced protection of customers' security credentials, and common and secure open standards for communications between the various types of providers in the payments sector.
The changes from the previous draft of the RTS (August 2016) should not come as a surprise to the industry. They will nevertheless require detailed consideration to determine both the impact and the intention behind them (including over 100 pages of the EBA's reaction to consultation responses).
The final draft RTS will now be submitted to the European Commission for adoption, following which they will be subject to scrutiny by the European Parliament and the Council.
Under PSD2, the RTS will be applicable 18 months after its entry into force, which suggests November 2018 at the earliest. In its final report on the RTS, the EBA comments that the "intervening period provides the industry with time to develop industry standards and/or technological solutions that are compliant with the EBA’s RTS."
The CMA's Retail Banking Market Investigation report requires nine named institutions to release and make available certain reference and product information through an open API by this date. After that, these organisations have to maintain this data as open data.
The open data will be:
- prices, charges, terms and conditions and customer eligibility criteria (for loans) for all personal current account and business current account products (including overdrafts) and SME lending products, and
- certain Reference Data specified by the CMA, including ATM and branch locations and branch opening hours
The FCA has published a consultation (CP17/11) on PSD2 revisions to the guidance in its Payment Services Approach Document and its Handbook rules.
The proposed PSD2 updates include changes to:
- the FCA Payment Services Approach Document;
- the FCA Handbook (including the Banking: Conduct of Business sourcebook BCOBS); and
- the FCA Perimeter Guidance Manual (PERG).
The Payment Systems Regulator has also published a separate draft Approach Document on the aspects of the draft UK implementing regulations, the Payment Services Regulations 2017 (PSRs 2017), for which it is solely responsible.
The consultation for both Approach Documents is being co-ordinated through the FCA and closes on 8 June 2017. The FCA intends to publish its final rules and revised Approach Document in a Policy Statement in Q3 2017, after HM Treasury finalises the PSRs 2017, so that it can take into account any further changes to the implementing legislation.
The FCA's proposed changes would take effect from 13 January 2018, unless stated otherwise in the consultation paper.
A further FCA consultation on matters related to the EBA mandates under PSD2 (such as the Regulatory Technical Standards on strong customer authentication and common and secure communication) will be issued in mid-2017 and the proposals finalised in autumn 2017, subject to progress on the various EBA workstreams.
Article 95(3) of PSD2 mandates the EBA, in close cooperation with the ECB, to issue guidelines with regard to the establishment, implementation and monitoring of the security measures, including certification processes where relevant. The Guidelines are addressed to both competent authorities and payment service providers (PSPs).
PSD2 requires PSPs to establish a framework with appropriate mitigation measures and control mechanisms to manage operational and security risks arising from the payment services they provide, and has mandated the EBA to specify the details of these requirements. In particular, the draft guidelines cover:
- the governance of the operational and security risk management framework;
- the risk management and control models;
- outsourcing;
- the identification, classification and risk assessment of functions, processes and assets; and
- the protection of the integrity and confidentiality of data and systems, physical security and asset control.
In addition, the draft guidelines propose requirements in relation to the monitoring, detection and reporting of security incidents and risks, business continuity management, scenario-based continuity plans, incident management and crisis communication, the testing of security measures, and situational awareness and continuous learning.
In order to ensure that the security measures implemented by the PSPs are well communicated to payment service users (PSUs), the guidelines also cover the management of the relationship with PSUs.
There is a public hearing on the draft guidelines at the premises of the EBA on 20 June 2017.
The consultation closes on 7 August 2017.
On 31 May 2017, the EBA published a letter (dated 24 May 2017) from the European Commission, in which it stated its intention to amend the EBA's draft final Regulatory Technical Standards (RTS) on strong customer authentication and common and secure open standards of communication under Article 98(4) of PSD2. The text of the draft RTS, with the Commission's proposed amendments, was attached to the letter.
On 1 June 2017, the EBA published the revised draft RTS on its website. The substantive changes proposed relate to the following issues:
- New exemption for certain corporate payment processes: The Commission proposes a new exemption to apply when firms use dedicated payment processes or protocols for legal persons initiating payment transactions where the competent authorities can establish that those processes or protocols achieve the high levels of security of payments intended under PSD2. This has been included under the new Article 17.
- Contingency measures: The Commission stated that in the event of unavailability or inadequate performance of the dedicated communication interface to be used by PISPs and AISPs, banks should offer secure communication through the user-facing interfaces as a contingency measure. Under the revised draft, this will be triggered if the dedicated interface is unavailable for more than 30 seconds.
- Transaction risk exemption audits: As the transaction risk analysis exemption relies heavily on a sophisticated risk analysis methodology, the Commission wants an audit of the methodology to ensure objectivity in the application of the exemption between different providers.
- Fraud reporting by PSPs: The Commission believes that to effectively monitor fraud rates used for the transaction risk exemption, the EBA should not only rely on the high-level, aggregated data reported by competent authorities in accordance with Article 96(6) of PSD2, but should also have access to individual fraud data and reports from the PSPs.
The EBA has 6 weeks in which to respond to the Commission's proposals, but it is expected to have its opinion finalised by 20 June 2017 and to resubmit the RTS by the end of the month. The Commission will then either adopt the RTS with any further amendments it deems necessary or reject them.
On 29 June 2017, the EBA published its Opinion on the European Commission's proposals to amend the draft final RTS on strong customer authentication and secure communication under PSD2 (published by the EBA on 1 June 2017). The EBA also published the text of the draft RTS showing its proposed further amendments.
The EBA disagrees with three of the Commission's four proposed amendments, on the basis that they would upset the trade-offs and balance struck in the original RTS, specifically:
- Statutory audit of the transaction risk analysis exemption: The EBA is of the view that requiring a 'statutory audit', and limiting it to external auditors, is unlikely to guarantee the quality and independence of the audit that the Commission is aiming for, and may impose disproportionate new requirements on a number of PSPs.
- Corporate payments exemption (when they use dedicated payment processes or protocols): Rather than adding a new exemption, the EBA suggests adding a new category under the transaction risk analysis exemption for specific payment transactions for payers that are not consumers, without a monetary threshold, providing that the fraud rate is equivalent to or below a specific reference fraud rate.
- Requirement to report the outcome of monitoring and the methodology used to calculate the fraud rate for transaction risk analysis to the EBA as well as national competent authorities: Whilst the EBA agrees that being able to access disaggregated data would be helpful for the limited purpose of reviewing the way in which the transaction risk analysis exemption has been working, it has suggested some drafting changes to clarify the extent of PSPs' reporting requirements.
It is now for the Commission to make the final decision on the text of the RTS and to adopt the standards as a delegated Act in the Official Journal of the EU. During the adoption process, the EU Council and EU Parliament have a scrutiny right. Once the RTS have been published in the Official Journal, they will enter into force the following day and will apply 18 months after that date.
In order to facilitate the supervision of payment institutions (PIs) and electronic money institutions (EMIs) providing cross-border payment services in another Member State through agents under the right of establishment, PSD2 confers an option on host Member States to require those PIs and EMIs to appoint a central contact point in their territory. The objective of the contact point is to ensure adequate communication and information reporting in the host Member State in accordance with PSD2 and to facilitate the supervision by the competent authorities of the home and host Member State.
The draft RTS aim to ensure that, where host Member States choose to require the appointment of a central contact point, this request is proportionate to the aims pursued by PSD2. In addition, the RTS provide legal certainty as to the circumstances under which the appointment of such contact points is considered appropriate, as well as to the functions they should provide.
The RTS have been drafted in accordance with Article 29(5) of PSD2, which requires the EBA to specify the criteria to be applied when determining, in accordance with the principle of proportionality, the circumstances when the appointment of a central contact point is appropriate, and the functions of those contact points, pursuant to Article 29(4) of PSD2.
The consultation closes on 29 September 2017. There will be a public hearing on the draft RTS at the EBA on 4 September.
Article 5(4) of PSD2 mandates the EBA to issue guidelines addressed to the competent authorities in member states on the criteria on how to stipulate the minimum monetary amount of the professional indemnity insurance (PII) or other comparable guarantee to be held by undertakings that will apply for authorisation to provide payment initiation services (PIS) and/or registration to provide account information services (AIS).
The guidelines will apply from 13 January 2018.
Article 5(5) of PSD2 mandates the EBA to issue guidelines on the information to be provided to the competent authorities in the application for authorisation of payment institutions (PI).
While Article 5 refers only to authorisation as a PI, some of the requirements also apply to those payment service providers that provide account information services (AIS) only. These providers do not require authorisation, but only registration. When registering, they will be subject to only some of the requirements under Article 5(1) of PSD2. Article 3 of Directive 2009/110/EC (EMD) provides that Article 5 applies to electronic money institutions (EMI) mutatis mutandis. An EMI can either provide e-money services only, or payment services in addition to e-money services.
The EBA has published a final report containing final guidelines on the information to be provided by applicants intending to obtain authorisation as a PI or EMI, or to register as an account information service provider (AISP), under PSD2. The final guidelines specify the detailed information and documentation that applicants need to submit to national authorities for the purposes of the authorisation or registration process. The type of information requested from applicants varies depending on the type of service(s) an applicant intends to provide. Therefore, the guidelines are structured as four separate sets:
- guidelines on the information required from applicants for authorisation as PIs for the provision of services 1 to 8 of Annex I to PSD2;
- guidelines on the information required from applicants for registration as AISPs for the provision of only service 8 of Annex I to PSD2 (that is, account information services);
- guidelines on the information required from applicants for authorisation as EMIs; and
- guidelines regarding the assessment of completeness of the application.
Having reviewed and assessed the responses received to its November 2016 consultation on the draft guidelines, the EBA identified several issues and requests for clarification by respondents including the level of detail of the guidelines, the application of proportionality, and the transitional provisions. Respondents also requested that the EBA further clarify the scope of the guidelines. Taking this feedback into account, the EBA has streamlined the guidelines compared to the draft version on which it consulted. It has also further clarified the scope of the four separate sets of guidelines, as well as the application of proportionality for the purpose of the guidelines.
The final guidelines will be translated into the official languages of the European Union. Competent authorities will have two months from the publication date of the translation to notify the EBA of whether or not they comply or intend to comply with the guidelines, and, if not, to provide reasons for non-compliance.
The deadline is set by Article 95(3) of PSD2, which requires the EBA to issue guidelines in relation to the establishment, implementation and monitoring of the security measures that payment service providers (PSPs) are required to put in place.
Under PSD2, PSPs will have to establish appropriate mitigation and control mechanisms to manage the operational and security risks relating to the payment services they provide. This has to include effective incident management procedures. These guidelines will complement the EBA's regulatory technical standards (RTS) on strong customer authentication and secure communication.
Note that guidelines are not the same as binding regulatory technical standards. Article 16 of Regulation (EU) No 1093/2010 (under which the guidelines will be issued) states: "The competent authorities and financial institutions shall make every effort to comply with those guidelines and recommendations." However, the European Commission will review how the guidelines are being applied, and it has the power under PSD2 to direct the EBA to produce binding regulatory technical standards around security measures.
On 13 July 2017, the FCA published Consultation Paper CP17/22: Revised Payment Services Directive (PSD2) implementation: draft authorisation and reporting forms. The FCA describes this as a 'small follow-up Consultation Paper on authorisation, registration and reporting forms' under PSD2 after the main PSD2 implementation consultation CP17/11 (April 2017).
In CP17/22, the FCA is consulting on some changes to its Handbook to introduce new reporting and record keeping requirements for PSPs. It is also consulting on some registration and authorisation forms to be used by payment institutions and e-money institutions to reflect new authorisation and registration requirements under PSD2. This includes forms for existing payment institutions and e-money institutions who will need to be re-authorised or re-registered under PSD2.
The consultation closes on 18 August 2017 and the final forms will be published in September 2017. A Policy Statement is expected in Q3 2017.
There is a dedicated webpage for the consultation.
On 19 July 2017, HM Treasury published the final form Payment Services Regulations 2017 (SI 2017/752), together with an explanatory memorandum and transposition table.
HM Treasury also published its response to its February 2017 consultation on implementing PSD2, and a joint paper with the FCA on expectations for the TPP access provisions in PSD2.
Market participants will need to comply with the majority of the requirements in the Regulations from 13 January 2018.
Article 15(1) of PSD2 requires the EBA to develop, operate and maintain an electronic central register that contains information as notified by competent authorities. Article 15(4) of PSD2 confers a mandate on the EBA to develop draft regulatory technical standards (RTS) setting technical requirements on the development, operation and maintenance of the electronic central register and on access to the information contained therein. Article 15(5) of PSD2 mandates the EBA to develop draft implementing technical standards (ITS) specifying the details and structure of the information to be contained in the register, including the common format and model in which this information is to be provided by competent authorities.
The register will include information about payment and electronic money institutions, account information service providers, and their agents and branches, which are authorised or registered in Member States. The register aims to ensure transparency of the operation of these institutions in the EU, enhance cooperation between the competent authorities in Member States and ensure a high level of consumer protection.
The EBA has published a consultation (EBA/CP/2017/12) on the required draft RTS and ITS.
The proposed RTS set out requirements relating to:
- access to the register by its various users;
- provision of information by national authorities to the EBA and validation of that information;
- safety, availability and performance of the register;
- responsibilities of the EBA concerning the management and maintenance of the register;
- search of information in the register and the display of search results.
The EBA's proposed approach is a technological solution that will support both manual log-in and automated transmission processes for national authorities to register data with the EBA.
The proposed ITS specify the type and format of information that will be contained in the register for:
- payment and electronic money institutions and their agents;
- exempted payment and electronic money institutions and their agents;
- branches of payment institutions, electronic money institutions and account information service providers providing services in a host Member State;
- account information service providers and their agents;
- providers of services based on specific payment instruments that can be used only in a limited way; and
- providers of electronic communication networks executing payment transactions or providing services in addition to electronic communications services.
A public hearing on the draft RTS and ITS will take place at the EBA premises on 4 September 2017.
The consultation closes on 18 September 2017.
Article 96(3) of PSD2 confers a mandate on the EBA to develop, in close cooperation with the European Central Bank (ECB), guidelines addressed to payment service providers (PSPs) on the classification and notification of major operational or security incidents, and to competent authorities on the criteria to assess their relevance and the details to be shared with other domestic authorities.
The finalised guidelines (EBA/GL/2017/10) set out the criteria, thresholds and methodology to be used by PSPs to determine whether an operational or security incident should be considered major and, therefore, should be notified to the competent authority in the home Member State:
- The EBA has further defined the criteria, reviewed one of the thresholds, extended the deadline for the first report, streamlined the amount of information to be provided at that stage, and generally clarified the information to be provided in each of the reports.
- More specifically, the guidelines provide the template that PSPs are required to use for this notification, and the reports they have to send during the lifecycle of the incident, including the timeframe for doing so.
- To ensure that current practices are reflected as much as possible, the guidelines allow for the possibility that PSPs delegate their incident-reporting obligations to a third party, provided that a number of conditions are met.
- The guidelines also give PSPs the possibility of reporting their incidents through a service provider in a way that is consolidated with other affected PSPs, provided that the incident originates within that service provider.
The guidelines will apply from 13 January 2018.
The EBA has published a consultation paper (EBA/CP/2017/13) on draft Guidelines on reporting requirements on statistical data on fraud under Article 96(6) PSD2.
The first part of the Guidelines sets out requirements applicable to all PSPs, with the exception of AISPs, while the second part introduces requirements that are applicable to all competent authorities in the EU.
The Guidelines include:
- a definition of ‘fraudulent payment transactions' for the purpose of the data reporting under the Guidelines;
- periodic reporting requirements on payment transactions and fraudulent payment transactions; and
- the methodology for collating and reporting data, including data breakdown, reporting periods, frequency and reporting deadlines.
The technological aspects of the reporting format and means of communication are left to the discretion of the competent authority.
PSPs are expected to provide high-level data on a quarterly basis and more detailed data on a yearly basis. The level of data breakdown will depend on the payment instrument used and the payment service provided. Competent authorities are expected to provide the EBA and ECB with aggregated data following the same data breakdown used by individual PSPs.
A public hearing on the draft Guidelines will take place at the EBA premises on 5 October 2017.
The deadline for the submission of comments is 3 November 2017.
On 13 July 2017, the FCA published Consultation Paper CP17/22: Revised Payment Services Directive (PSD2) implementation: draft authorisation and reporting forms.
The consultation closes on 18 August 2017 and the final forms will be published in September 2017. A Policy Statement is expected in Q3 2017.
There is a dedicated webpage for the consultation.
The FCA has published a policy statement (PS17/19) containing final form updates to its Payment Services Approach Document, Handbook and Perimeter Guidance Manual (PERG) to reflect PSD2 and the UK implementing regulations, the Payment Services Regulations 2017 (PSRs 2017).
Following industry feedback to its 2016 Call for Input on the existing guidance, responses to its April and July 2017 consultations and publication of the final form PSRs 2017, the FCA's revised Approach Document also:
- combines FCA guidance on payment services and e-money into one document;
- provides clarifications on existing guidance as well as new guidance on dealing with legislative and regulatory changes introduced since publication of the current Approach Document, including UK implementation of the Payment Accounts Directive; and
- takes into account amendments for recent technological and other market developments, such as new technologies and business models.
The changes also cover new directions for those providers whose activities do not constitute regulated payment services business, referred to as excluded services.
In addition, the Payment Systems Regulator (PSR) has published a separate new Approach Document on the aspects of the PSRs 2017 for which it is solely responsible.
Most of the FCA's changes will take effect from 13 January 2018.
The FCA application period for those firms which will need to become registered or authorised for the first time as a result of PSD2, as well as existing payment institutions and e-money institutions which will need to be re-registered or re-authorised, begins on 13 October 2017.
Article 100(6) of PSD2 mandates the EBA, after consulting the ECB, to issue guidelines, addressed to national competent authorities, on the complaints procedures to be taken into consideration to ensure and monitor effective compliance with PSD2.
The guidelines govern the process relating to complaints that payment service users and other interested parties, including consumer associations, can submit to competent authorities (CAs) with regard to PSPs’ alleged infringements of the PSD2. In particular, the guidelines specify:
- the requirements for the channels to be used by complainants to file their complaints;
- the information that CAs should request from complainants when complaints are submitted to them; and
- the information CAs should include in their responses to complaints.
The guidelines also require CAs to:
- make an aggregate analysis of the complaints received;
- document their internal complaints procedures; and
- make information related to their procedures for complaints of alleged infringements of PSD2 publicly available.
The guidelines apply only to complaints addressed to CAs about alleged infringements of PSD2 and do not cover other issues that payment service users or other interested parties may complain about. They also do not cover the role of CAs in alternative dispute resolution (ADR) procedures for the settlement of disputes between payment service users and PSPs.
The Guidelines will be translated into the official EU languages and published on the EBA website. The deadline for competent authorities to report whether or not they comply with the Guidelines will be two months after the publication of the translations. They will apply from 13 January 2018.
Article 29(6) of PSD2 requires the EBA to specify the framework for cooperation and exchange of information between competent authorities of the home Member State and of the host Member State in accordance with Title II and to monitor compliance with the provisions of national law transposing Titles III and IV.
The aim is to enhance supervision of payment institutions operating across borders.
The EBA has published a consultation (EBA/CP/2017/16) on the required draft RTS. The draft RTS:
- specify the procedure for the requests and replies for cooperation and exchange of information between competent authorities, including the specific features that they shall have in terms of single contact points, language, standardised forms and timelines;
- set out the periodical reporting requirements, divided into two sets of information, which host competent authorities can request from payment institutions operating in their territories via agents or branches; and
- clarify the type of information as well as the templates to be used by payment institutions when reporting to the competent authorities of the host Member States on the payment business activities carried out in their territories.
The consultation closes on 5 January 2018.
Under the final RTS on strong customer authentication and common and secure communication under PSD2, the European Commission has developed a compromise solution allowing TPPs to use the interfaces made available to the customer (screen-scraping+) as part of a contingency mechanism if the banks' dedicated interfaces do not perform as required.
Although much of the RTS has remained unchanged, the amendments contained in the final position will have substantive effects on both banks (and other ASPSPs) and TPPs. Take a look at our more detailed commentary on the final RTS here.
The EU Council and Parliament now have 3 months to object to the RTS (unless they have both informed the Commission of their intention not to raise objections). If neither institution objects, the RTS will be published in the Official Journal of the EU and will enter into force on the following day. It will apply 18 months after that date, so this is likely to be September 2019 at the earliest.
The deadline has been set by Article 115 of PSD2.
The impact of Brexit is currently unknown.
The deadline has been set by Article 96 of PSD2, under which a payment service provider (PSP) must notify a major operational or security incident "without undue delay" to the competent authority.
The guidelines on incident reporting will be addressed to:
(a) PSPs on (i) the classification of major operational or security incidents that PSPs have to notify, (ii) the content and format of notifications (including standard notification templates) and (iii) the procedures for notification; and
(b) competent authorities on the criteria for how to assess the relevance of the incident and the details of the incident reports to be shared with other domestic authorities.
Once adopted, the guidelines have to be reviewed at least every 2 years.
The CMA's Retail Banking Market Investigation report requires the nine named institutions to make personal and business current account transaction data available through open APIs by this date.
In its report setting out the Open Banking Standard, the UK Open Banking Working Group (OBWG) states its intention that the full scope of the Open Banking Standard (including business, customer and transactional data) should be reached by 2019.
The final RTS were issued on 27 November 2017, to be followed by a 3-month scrutiny period during which the European Parliament and Council may object. This means that the RTS are likely to be published in the Official Journal of the EU in February/March 2018, with the RTS becoming applicable from September 2019.
Under PSD2, Member States must ensure the application of the security measures referred to in Articles 65 (Confirmation on the availability of funds), 66 (Rules on access to payment account in the case of payment initiation services), 67 (Rules on access to and use of payment account information in the case of account information services) and 97 (Authentication) from 18 months after the date of entry into force of the RTS (the day following publication of the final RTS in the Official Journal of the EU).