UK Payments Regulation – Changes Are Coming
On 28 January 2021, the Financial Conduct Authority (FCA) published a consultation paper (CP21/3) proposing various changes to the UK regulation of payment services and electronic money. Most of the proposed changes clarify or expand the existing FCA guidance contained in the document “Payment Services and Electronic Money – Our Approach” (Approach Document). There are also proposed changes to the substantive regulatory requirements.
The consultation closes on 24 February 2021 in respect of the proposed changes to the contactless payment limits (see below); it closes on 30 April 2021 with respect to all other aspects.
We discuss here the key proposals and their potential implications.
Commission Delegated Regulation (EU) 2018/389 on Regulatory Technical Standards for Strong Customer Authentication and Common and Secure Open Standards of Communication (EU RTS), the main secondary EU legislation supplementing the Payment Services Directive (EU) 2015/2366, has been “onshored” (following Brexit) into UK law by way of the Technical Standards on Strong Customer Authentication and Common and Secure Methods of Communication Instrument 2020 made by the FCA (SCA-RTS). The SCA-RTS is essentially the same as the EU RTS, with some minor amendments (e.g., certain euro monetary thresholds have been converted to their equivalent GBP amounts). The FCA now proposes a few changes to the SCA-RTS which, if implemented, would make it differ from the EU RTS in some key respects.
Article 11 of the SCA-RTS currently provides an exemption from having to apply strong customer authentication (SCA) to certain contactless payments. In summary, firms may choose not to apply SCA to a contactless payment where (i) the individual transaction does not exceed £45[2] and (ii) either the cumulative amount of previous contactless transactions since the last time SCA was applied does not exceed £130[3] or the number of consecutive contactless transactions since the last time SCA was applied does not exceed five.
The FCA proposes to increase the two limits: from £45 to £100 (and potentially to £120), and from £130 to £200.
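As an added example (not from the FCA paper or from K&L Gates), the following Python models the issuer-side counters behind the Article 11 exemption as summarised above, with the current UK, proposed UK and EU ceilings side by side so the effect of the proposal on a sequence of taps can be seen. The class and function names, the `limb` parameter, and the reading of the “or” in limb (ii) as the issuer’s choice of which counter it applies are assumptions of this example, as are the sample amounts.

```python
"""Issuer-side model of the SCA-RTS Article 11 contactless exemption.

Added example; not from CP21/3 or from K&L Gates. Ceilings are the figures
quoted on the page. Counter semantics (inclusive comparisons, what resets,
treating "or" as an issuer choice between the two counters) are this
example's own reading of the summary, not the FCA's.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class ContactlessLimits:
    """Regulatory ceilings from Article 11 as quoted on this page."""
    per_transaction: Decimal   # limb (i): the individual transaction amount
    cumulative: Decimal        # limb (ii)(a): amount of previous contactless payments since last SCA
    max_consecutive: int = 5   # limb (ii)(b): number of contactless payments since last SCA


# Ceilings only; an issuer's own per-transaction limit may sit below them.
UK_CURRENT = ContactlessLimits(Decimal("45"), Decimal("130"))
UK_PROPOSED = ContactlessLimits(Decimal("100"), Decimal("200"))   # £120 also floated for limb (i)
EU_RTS = ContactlessLimits(Decimal("50"), Decimal("150"))


@dataclass
class CardCounters:
    """Per-card state the issuer keeps: contactless activity since SCA was last applied."""
    spent_since_sca: Decimal = Decimal("0")
    count_since_sca: int = 0


def sca_required(amount: Decimal, counters: CardCounters,
                 limits: ContactlessLimits, limb: str = "cumulative") -> bool:
    """True if the issuer may NOT rely on the Article 11 exemption for this payment.

    `limb` selects which limb (ii) counter the issuer applies ("cumulative" or
    "count"). Both counters describe *previous* transactions, as the page's
    wording does, so the current amount is not added before comparing.
    """
    if amount > limits.per_transaction:           # limb (i) fails outright
        return True
    if limb == "cumulative":
        return counters.spent_since_sca > limits.cumulative
    if limb == "count":
        return counters.count_since_sca > limits.max_consecutive
    raise ValueError(f"unknown limb {limb!r}")


def record(amount: Decimal, counters: CardCounters, sca_applied: bool) -> None:
    """Update the counters once the payment has been authorised.

    Applying SCA (for whatever reason) resets both counters; an exempt payment
    adds to them.
    """
    if sca_applied:
        counters.spent_since_sca = Decimal("0")
        counters.count_since_sca = 0
    else:
        counters.spent_since_sca += amount
        counters.count_since_sca += 1


def simulate(amounts, limits: ContactlessLimits, limb: str = "cumulative"):
    """Run a sequence of contactless amounts on a fresh card; return which ones needed SCA."""
    counters = CardCounters()
    decisions = []
    for raw in amounts:
        amount = Decimal(str(raw))
        needs_sca = sca_required(amount, counters, limits, limb)
        record(amount, counters, needs_sca)
        decisions.append(needs_sca)
    return decisions


if __name__ == "__main__":
    taps = [40] * 6   # constructed sample: six £40 contactless payments in a row
    for name, limits in (("UK current", UK_CURRENT),
                         ("UK proposed", UK_PROPOSED),
                         ("EU RTS", EU_RTS)):
        print(f"{name:12s} {simulate(taps, limits)}")
```

Two points fall out of running it. First, because limb (ii)(a) is worded over *previous* transactions, a card sitting exactly at the cumulative ceiling can still make one more exempt payment; an issuer that wants a hard cap compares `spent_since_sca + amount` instead. Second, the ceilings and the issuer’s own per-transaction limit are separate values: raising `UK_CURRENT` to `UK_PROPOSED` changes what is permitted, not what any issuer is obliged to do.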
K&L Gates Comment
The limits are regulatory ceilings that must not be exceeded in order to benefit from the exemption; they are not limits firms must apply. The FCA says the increase “would provide the industry with the ability to increase the industry threshold in the future.” In other words, although the ceilings are being raised, firms have no regulatory obligation to raise the limit they apply to individual transactions, which is currently set at £45 in line with the current regulatory ceiling (for context, the current industry limit of £45 resulted from an increase from £30 on 1 April 2020 as part of the industry’s response to the pandemic).
However, the FCA’s rationale for the proposed increase is “to support consumers and merchants during the Covid crisis” and to address the perceived “harm” of consumers having to spend more time on an authentication step that carries a higher risk of contact during the pandemic. Taken together with the short response deadline (24 February), it seems clear that the FCA expects the industry to raise the individual contactless payment limit and thereby reduce direct consumer-to-merchant contact in the ongoing pandemic.
Article 10 of the SCA-RTS currently exempts a firm from having to apply SCA where a customer merely accesses their account to view limited information (e.g., account balance). However, the firm must apply SCA when the customer accesses the account for the first time and at least every 90 days after that. This 90-day reauthentication requirement applies both when the customers access their account directly and when an account information service provider (AISP), acting for the customers, accesses the account.
Noting that the requirement has proven burdensome to AISPs, the FCA proposes to add a new Article 10A, which will remove the 90-day requirement and which will apply where a customer is using an AISP to indirectly access their accounts. The current Article 10 (and the 90-day requirement) will be retained but only applicable to where customers access their accounts directly.
That is, where an AISP, acting on behalf of a customer, accesses the customer’s account held at another firm (the account holding firm), the account holding firm does not have to re-perform SCA every 90 days. The account holding firm must, however, still apply SCA when the AISP accesses the account for the first time.
K&L Gates Comment
The change should be welcome news for fintech firms such as AISPs and should contribute to the further development of the open banking initiative.
Four Times A Day
Currently, under Article 36(5) of the SCA-RTS, where the customer is not present in the online session, an AISP may on its own initiative access the customer’s account no more than four times in any 24-hour period; if the AISP wishes to access the account more often than that, it needs to agree this with the account holding firm, in each case with the customer’s consent.
The FCA proposes to add a new requirement that the AISP must reconfirm such customer consent every 90 days.
K&L Gates Comment
This does not seem to be hugely controversial, as this 90-day reconfirmation requirement applies only to customer-not-present access. However, it is not entirely clear how this reconfirmation should be performed. Thus, it remains to be seen how much of an impact this would have from an operational perspective.
Under current open banking requirements, account holding firms must grant certain authorized firms (such as AISPs) access to certain payment accounts of the customers. Article 31 of the SCA-RTS provides that an account holding firm may provide such access either by building a dedicated interface (typically, an API) or through its customer-facing interface (e.g., online banking portal) that has been appropriately modified to comply with certain requirements.
The FCA proposes to change Article 31 so that certain account holding firms must build a dedicated interface (i.e., API) in respect of certain specified types of accounts (essentially, current accounts and credit card accounts, for consumers or SMEs). But “small payment institutions,” “small electronic money institutions,” and EEA firms within the Temporary Permission Regime will not be subject to this requirement.
K&L Gates Comment
The nine largest UK banks are already required to establish an API interface, so the impact on them would be minimal.
The types of accounts, as defined for this new requirement, have a broad scope. Further, while “small payment institutions” and “small electronic money institutions” are outside scope, many “authorised payment institutions” and “authorised electronic money institutions” are not particularly large. Therefore, the impact could be significant.
The FCA says it is prepared to give firms an 18-month implementation period. However, the impact seems to be more on cost than timing. Given the varied types of “authorised payment institutions” and “authorised electronic money institutions,” one possible practical solution may be to set some size thresholds for those subject to it.
It appears that almost all the proposed changes to the Approach Document are intended to align the FCA guidance with the interpretations provided in various EU materials, such as the questions and answers and opinions issued by the European Banking Authority (EBA). Some of these changes would mark a departure from current FCA positions.
One example relates to SCA. Firms must perform SCA by using two factors out of three specified categories: knowledge (something known only to the customer, e.g., a password), possession (something held only by the customer, e.g., a token generator), and inherence (something inherent to the customer, essentially, biometrics).
The current FCA guidance in the Approach Document is that static card data (i.e. the information printed on the card) cannot be used as a knowledge factor, but it may be “used as evidence of the possession of a card.” However, the EBA is of the view that static card data cannot be used as a knowledge factor nor can it be used as a possession factor. The FCA intends to align with the EBA view.
K&L Gates Comment
Since static card data cannot constitute an inherence factor either, it could no longer count towards any of the two required factors. If the change is implemented, UK firms whose authentication flows rely on card number, expiry date or other printed card details as the possession element would need to replace that element with a genuine possession factor (e.g., a token generator or a registered device) and update their authentication processes accordingly.
Other proposed changes, primarily to the guidance on the safeguarding requirements, are intended to incorporate into the Approach Document guidance given elsewhere. The FCA provided temporary guidance on safeguarding in July 2020 in the context of dealing with certain issues raised in the COVID-19 pandemic. The FCA now proposes to make the temporary guidance permanent and consolidate it into the Approach Document.
K&L Gates Comment
This means that some of the issues debated during the consultation on the July 2020 guidance would be carried over into the Approach Document. For example, the FCA in the July 2020 guidance takes the view that customer funds are held by firms on trust for their customers. The trust concept may work in the context of payment institutions. However, for electronic money institutions it seems awkward, given the current definition of e-money, to describe funds that customers use to exchange for (essentially, purchase) e-money as being held on trust for those customers. Firms may wish to renew the dialogue with the FCA on this point.
Further, the FCA has added minor adjustments to some of the wording in the consolidation process. For example, the FCA merely said in the July 2020 temporary guidance that it encouraged “small payment institutions” (which are not legally required to safeguard) to consider safeguarding voluntarily. In this consultation, the FCA added that “we view this as best practice.” This may indicate to what extent small payment institutions should consider safeguarding voluntarily.
Chapter 15 of the Perimeter Guidance in the FCA Handbook contains further guidance on the Payment Services Regulations 2017. The FCA proposes to make changes to the guidance therein on the “limited network exclusion” and the “electronic communication exclusion.”
K&L Gates Comment
The changes appear to be primarily clarifying the current guidance. They have expanded the current guidance, e.g., by providing further examples and illustrating some of the practical difficulties. But the substance of the guidance seems to remain the same.
[2] This is equivalent to €50 under the corresponding Article 11 in the EU RTS.
[3] This is equivalent to €150 under the corresponding Article 11 in the EU RTS.
This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer. Any views expressed herein are those of the author(s) and not necessarily those of the law firm's clients.