PSD2: what the regulator expects
James Borley, fscom, Director/Head of Assurance, London, 5 March 2018
When he is trying to make sense of regulatory guidelines, a compliance officer spends much of his time trying to work out what the regulators expect of his company. This is certainly the case with the European Union's massive Payment Services Directive, mark 2.
The advent of the European Union's second payments directive is expected to promote new technology and services. It is going to allow flexible and innovative companies in the payments ecosystem to offer services that do not yet exist or have not been regulated until now.
However, with PSD2 now fully in force in the UK, we need to work out what the regulators ultimately expect from businesses. Let us not speak in code, though; by ‘the regulators’ we mean the Financial Conduct Authority.
Re-authorisation
Coming fresh from the FCA, where I spent six years in charge of the authorisations function for payment and e-money institutions and worked at the heart of the UK's preparations for PSD2, I am fairly well placed to comment on the FCA’s expectations, so what is it looking for in terms of re-authorisations?
Let us begin with a health warning for firms that require a ‘re-authorisation’ or a ‘re-registration.’ The sad truth is that if they time things wrongly, it does not matter what they put in their applications. Firms that were authorised as Payment Institutions and E-Money Institutions before 13 January must submit their applications for re-authorisation by 13 April. Even then, they are running risks if they do so too close to the deadline.
The FCA has three months to deal with a complete application but, if it does not receive all the information, it can take longer than that - in fact it can take up to 12 months from receipt. This could be a disaster for an errant firm. If the FCA has not 'determined' (a word found throughout SUP 10A.13, the part of the rulebook that deals with applications for approval) such a firm's application by 13 July 2018 (and it is no coincidence that this date is three months after 13 April), that firm will have to cease to provide payment services/issue e-money beyond that date and will be struck off the Financial Services Register. The FCA does not want firms to be in that position, but has no discretion or forbearance to offer, given that this particular 'cliff edge' is enshrined in PSD2 itself.
Secondly, at least according to my long experience of laws coming into force, firms do tend to submit applications towards the end of the available period, thereby causing a spike in work for the regulators. The FCA has increased its headcount in anticipation of such a spike, but it may still clog up the system and prevent the regulators from 'determining' all applications in time.
Something similar is true for those firms that are ‘registered’ as Small Payment Institutions, although the corresponding deadlines for SPIs are 13 October this year and 13 January next. The trouble is that there are twice as many SPIs as there are authorised Payment Institutions and E-money Institutions, so the disruption could be twice as bad.
In terms of the re-authorisation of a firm, the FCA’s starting point is that it must already meet the right conditions for authorisation under PSD1 or the Payment Services Regulations 2009 (or, in the case of e-money firms, the Electronic Money Regulations 2011). The FCA now needs to capture information that is newly introduced by PSD2. It has extracted the relevant new requirements from the European Banking Authority’s Guidelines for Authorisations and has reproduced them on a re-authorisation application form. (We shall not re-open the debate in this article about whether these guidelines are excessive or disproportionate!)
Generally speaking, the FCA is expecting the applicant firm to provide a description of the new areas about which it wants information. These include IT systems, security measures and business continuity.
The only policy document that the firm has to provide is its security policy document. This may be a new requirement, but it is likely that much of the prescribed content may already be in existence. This is probably the area to which the FCA is going to pay the most attention. It will not plug into your systems and undertake penetration testing, but it will go through your security policy with a fine-tooth comb to assess its reasonableness, always making allowances for the firm’s size, structure and services.
Let me issue another word of warning. The FCA might have new stuff to look at, but it still has to satisfy itself that the firm meets all the conditions for authorisation under PSD2.
For example, it still expects the firm to have a safeguarding account. It may be a leviathan of a regulator, but its constituent parts are nevertheless quite good at communicating with each other. If you have notified the FCA of the loss of your safeguarding account and it has not taken any action against you to date, do not take this to mean that the authorisations team will allow the situation to continue. Technically speaking, you do not meet the conditions of authorisation under the present law, so you are not eligible for re-authorisation under the new one.
What about new authorisations?
With all this doom and gloom surrounding the re-authorisation process, is it any easier to seek authorisation for the first time?
The immediate problem is that these applications will be competing with the re-authorisations for the FCA’s attention and resources. It would seem sensible for the FCA to deal first with businesses that are already trading, to avoid a situation where firms have to cease to provide these services and (potentially) disadvantage consumers. Otherwise, the forms are clear and follow the EBA guidelines faithfully but the information requirements, as alluded to for re-authorisations, are extensive.
The responses need not be extensive, though. The FCA is trying to apply the proportionality that the EBA was unable or unwilling to apply and will expect information in line with the size of the business in question.
What about FinTechs?
The expectation here, or perhaps it is simply a generalisation, is that financial technology companies will be entering the market through the new services introduced by PSD2, account information services and/or payment initiation services (AIS and PIS respectively).
Although this may not be true in all cases, there is no denying that these services are underpinned by new technology or interfaces, which often come to market as financial apps. More pertinently, these services are new. Knowing this, the FCA itself has a short amount of time in which to try to understand the business models at play. To help it in this effort, the FinTech should try to present its business model and the 'customer journey' as clearly and simply as possible.
That is not to say that all firms (FinTechs or not) that undertake AIS/PIS need to seek registration with the FCA just yet. There is a transitional ‘fuzzy period’ hidden at the back of the PSD2 text which allows firms that were already doing this business before 12 January 2016 to continue to do so without the need for registration, until the introduction of regulatory technical standards on "Strong Customer Authentication and Common and Secure Communication" (the fabled ‘RTSs’ that dominated many discussions about PSD2 before it came into force). However, firms that are not registered with the FCA are not entitled to plug in to 'open banking' (which allows customers to tell banks to share financial data with properly regulated third parties) or, indeed, any API or interface provided by another online account service provider. This is all set out in last year’s helpful joint communication from HM Treasury and the FCA here:
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/630135/Expectations_for_the_third_party_access_provisions_in_PSDII.pdf
What does the FCA expect in terms of continuing requirements?
In many respects, PSD2 changes little in terms of compliance. However, the FCA has introduced changes to the FSA056 reporting return (to reflect the changes to the qualifying items that can be used as capital resources) and additional reports covering, for example, complaints handling, fraud reporting, controllers, close links and incident reporting.
With more information coming its way, it is unsurprising that the FCA has set up a new Payments Department within its Retail Banking Supervision directorate. This department is now preparing to assess the payments ecosystem and has already embarked on a series of visits to firms to better understand the business models operating within that ecosystem. It is true that supervision under PSD1 was entirely reactive (e.g. based on complaints or other intelligence about firms that came into the FCA's hands), but it seems that supervision under PSD2 will be an entirely different proposition, taking into account the fact that payments touch almost every consumer in the UK.
Priorities for FinTechs
What will be a FinTech company’s most important challenges and concerns in relation to PSD2? If we assume that it is bound to pay most attention to AIS and PIS, then systems security will clearly be pivotal. In the run-up to PSD2's implementation, the banks were prophesying ‘cybergeddon’ or widescale cyber-attacks on AIS/PIS firms which, in turn, would affect them and, more importantly, the security of their customers’ money and data. This was their reaction to PSD2 opening up the market and increasing competition. A successful cyber-attack on an AIS or PIS would make their case for them. Let us not forget, however, that firms that offer AIS (and, to a far lesser extent, PIS) are already out there and there has been no cyber-attack to speak of.
For the FinTech, it is important to have robust systems and security policies and to be clear about what happens if there is a breach. Certification under Cyber Essentials, the government-backed scheme to help firms protect themselves against cyber-attacks and other online threats, is one way in which the FinTech can satisfy itself, its customers and the FCA that it has taken appropriate steps to ready itself for the coming storm.
On top of this there is, of course, the General Data Protection Regulation which cuts across everything and not just payments/PSD2, and the implementation of the RTS. These are, perhaps, topics for another day.
* James Borley can be reached at james.borley@fscom.co.uk