PSD2: further inside the regulator

James Borley, fscom, Director/Head of Assurance, London, 27 March 2018

Drawing on his experience of heading up the Payment Services Authorisations Team at the UK's Financial Conduct Authority for many years, this renowned expert explores the risks inherent in firms' desires to 'upgrade' their licences in the run-up to the EU's second payment services directive or PSD2, examines the new entrants to the market and lays out the FCA’s approach to supervision.

Let us begin with licence upgrades. It has emerged recently that the FCA may not be as ‘proportionate’ as one might expect in this area, certainly when it comes to firms taking the PSD2 re-authorisation requirements as an opportunity to ‘upgrade’ their licences instead. This might happen in the case of an authorised payment institution (API) seeking to become an authorised e-money institution (AEMI).

Duplication of effort

Although it may be reasonable to assume that a well-completed AEMI application that was submitted in good time should be processed or 'determined' before the deadline (13 April) for re-authorisation submissions, the FCA is only now telling every firm that wants to do this to apply also for re-authorisation as an API. Although I understand the legislative requirement here and know that the firm runs the risk of not being able to continue to provide payment services beyond 13 July if the regulator has not 'determined' its AEMI application by then, it is entirely disproportionate for the FCA to require it to complete (and pay for) a second application which will largely be identical to the first, especially as both applications are based on the European Banking Authority's Guidelines for Authorisation. Note that this situation also applies to small e-money institutions that want to become AEMIs and, to a lesser extent by virtue of longer timescales, to small payment institutions that are applying to become APIs.

One would hope that the obvious – and proportionate – solution would be for each of the firms in question to submit a shell application for re-authorisation, cross-referencing all its answers to the application questions to the first application, where relevant. One would also hope that the FCA will waive the application fee – why should the firm expect to pay for a licence it does not want and for an application that it has, essentially, already submitted?

What about FinTechs?

The FCA expects, or perhaps simply assumes, that FinTechs will be entering the market through the new services introduced by PSD2, account information services and/or payment initiation services (AIS and PIS respectively). This may not be entirely true, but there is no denying that these services are underpinned by new technology or interfaces, which often come to market as financial apps. More pertinently, these services are new to regulation. The FCA therefore has little time in which to get to grips with the business models at play. To help it in this effort, the FinTech firm should try to present its business model and the 'customer journey' as clearly and simply as possible.

That is not to say that all firms (FinTechs or not) that perform AIS/PIS ought to seek registration with the FCA just yet. There is a transitional ‘fuzzy period’ hidden at the back of the PSD2 text which allows firms that were already doing this business before 12 January 2016 to continue to do so without the need for registration, until the introduction of regulatory technical standards relating to "strong customer authentication" and "common and secure communication" (the fabled ‘RTS’ that has dominated many discussions about PSD2) by the European Union. However, the absence of registration by the FCA disqualifies these firms from plugging in to 'open banking' or, indeed, any API or interface provided by other online account service providers. This is all set out in last year’s helpful "joint communication" from HM Treasury and the FCA.

What does the FCA expect in terms of continuing requirements?

In many respects, PSD2 changes little in terms of compliance. However, the FCA has introduced changes to the FSA056 reporting return (to take account of PSD2's changes to the EU's list of 'qualifying items' that firms can use as capital resources) and to additional reports that it wants firms to make about such things as fraud, controllers and close links, incidents and the handling of complaints. It also requires new notifications in respect of, among other things, major operational or security-related incidents.

With more information coming its way, it is unsurprising that the FCA has set up a new Payments Department inside its Retail Banking Supervision directorate. This department is now gearing up to assess the payments ecosystem and has already embarked on a series of visits to firms, the better to understand the business models that inhabit that ecosystem. It is true that supervision under PSD1 was entirely reactive (e.g. based on people sending complaints or other intelligence about firms off to the FCA), but it seems that supervision under PSD2 may be an entirely different proposition. That said, the FCA has about 56,000 firms to supervise, with more on the way. Claims Management Companies will come under its aegis in 2019 (and, maybe, cryptocurrencies in the near future). It would be understandable, therefore, if its supervisory budget were to be overstretched in this sector.

What should a FinTech firm worry about over PSD2?

If we assume that most of the interest will be focused on AIS and PIS, systems security will clearly be pivotal. In the run-up to the advent of PSD2 on 13 January, the banks were prophesying ‘cybergeddon’ or wide-scale cyber attacks on AIS/PIS firms, threatening their customers’ money and data. This was their reaction to PSD2 opening up the market and increasing competition. A successful cyber attack on an AIS or PIS would, they thought, make their case for them. Let us not, however, forget that firms offering AIS (and, to a far lesser extent, PIS) are already out there and there has been no cyber catastrophe to speak of.

For the FinTech it is important to have robust systems and security policies and to be clear about what happens if there is a breach in security. Certification under Cyber Essentials, the government-backed scheme to help firms protect themselves against cyber attacks and other online threats, is one way in which a FinTech firm can satisfy itself, its customers and the FCA that it has taken appropriate steps to ready itself for the coming storm.

* James Borley can be reached at james.borley@fscom.co.uk