
Tuesday, 16 January 2018

New To Payments? Try PSD2 Customer Authentication and Communication Standards!

If you are among the new entrants to the regulated payments space you should know that, in a bid to captivate and inspire a generation, the European Banking Authority has published the final 'regulatory technical standards' for payment user authentication and the secure communication of payments data. The standards should take effect in the second half of 2019, but the authorities are keen for regulated payment service providers (PSPs) to adopt them as soon as possible. They are written in legalese, but I've summarised them below in a bid to get them straight in my own head. Grab a coffee before proceeding!

Strong customer authentication 

PSPs must know they are dealing with their own customer by applying strong customer authentication. This is subject to certain permitted exemptions outlined below. PSPs must also protect the confidentiality and the integrity of each customer's personalised security credentials. Their security measures must be documented, periodically tested, evaluated and audited by auditors with expertise in IT security and payments and operationally independent within or from the PSP.
Broadly, authentication must be based on two or more elements of 'knowledge' (password/PIN), 'possession' (card/device) and 'inherence' (fingerprint/iris scan). 

These elements must be subject to measures designed to prevent disclosure (in the case of knowledge), replication (in the case of possession) and unauthorised use of the device or software (in the case of inherence). 

The breach of one element must not compromise the reliability of the others. Certain measures must also mitigate the risk that a multi-purpose access device has itself been compromised. 

Credentials and Code

Authentication credentials must be masked when displayed and not fully readable as they are being entered; not stored in plaintext; and must be protected from unauthorized disclosure. 

PSPs must document how they encrypt credentials or render them unreadable. 

The creation, processing and routing of credentials must be done in secure environments that accord with industry standards. 

Specific requirements govern the process of associating the user with credentials; delivery; authentication of devices and software; and the renewal, destruction, deactivation and revocation of credentials.

Authentication must result in the generation of an authentication code that is only accepted once by the PSP when the payer uses it to: access the payer’s payment account online, initiate an electronic payment transaction or to carry out any action through 'a remote channel which may imply a risk of payment fraud or other abuse'. 

No information on any of the authentication elements can be derived from the disclosure of the authentication code; nor can it be possible to generate a new authentication code based on the knowledge of any previous code. The code must not be able to be forged. 

Where the authentication has failed to generate an authentication code, it must not be possible to identify which of the authentication elements was incorrect. 

No more than 5 failed authentication attempts can take place consecutively before the authentication tool is blocked, either temporarily (based on certain factors) or permanently (after a warning). The user has 5 minutes of inactivity after being authenticated before access must time-out. 

Dynamic linking!

The payer must be made aware of both the amount of the proposed payment transaction and of the proposed payee. The authentication code must also be ‘dynamically linked’ to (i.e. specific to) the amount and the payee. Any change to the amount or the payee must result in the invalidation of the authentication code that was generated. 

PSPs must ensure the confidentiality, authenticity and integrity of the amount of the transaction and the payee throughout all of the phases of the authentication; as well as the information displayed to the payer including the generation, transmission and use of the authentication code.
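To make the 'Credentials and Code' and 'Dynamic linking' rules above concrete, here is an added illustration (my own sketch, not code from the EBA or any PSP) of a PSP-side session that issues a one-time code as an HMAC over a nonce, the amount and the payee, returns the same generic failure whichever element was wrong, blocks after 5 consecutive failures, and times out after 5 minutes of inactivity. The PIN, device key and payee identifiers are constructed demo values.

```python
import hashlib
import hmac
import secrets

MAX_FAILED_ATTEMPTS = 5          # "no more than 5 failed attempts" before blocking
IDLE_TIMEOUT_SECONDS = 5 * 60    # "5 minutes of inactivity" after authentication


class ScaSession:
    def __init__(self, pin_hash: str, device_key: bytes):
        self._pin_hash = pin_hash        # 'knowledge' element, stored hashed, never plaintext
        self._device_key = device_key    # 'possession' element, held by the payer's device
        self._pending = {}               # issued code -> nonce it was generated with
        self.failed = 0
        self.blocked = False
        self.last_activity = None

    def _mac(self, nonce: str, amount_cents: int, payee: str) -> str:
        # The code is an HMAC over nonce, amount and payee: it reveals nothing about
        # the key, cannot be forged without it, and changes if amount or payee change.
        msg = f"{nonce}|{amount_cents}|{payee}".encode()
        return hmac.new(self._device_key, msg, hashlib.sha256).hexdigest()

    def authenticate(self, pin: str, device_key: bytes, amount_cents: int,
                     payee: str, now: float):
        """Check both elements; return a one-time code bound to amount and payee, else None."""
        if self.blocked:
            return None
        # Evaluate every element before combining, so neither the return value nor
        # the timing says which element was wrong.
        pin_ok = hmac.compare_digest(hashlib.sha256(pin.encode()).hexdigest(), self._pin_hash)
        dev_ok = hmac.compare_digest(device_key, self._device_key)
        if not (pin_ok and dev_ok):
            self.failed += 1
            self.blocked = self.failed >= MAX_FAILED_ATTEMPTS
            return None                  # one generic failure for any wrong element
        self.failed = 0
        self.last_activity = now
        nonce = secrets.token_hex(16)
        code = self._mac(nonce, amount_cents, payee)
        self._pending[code] = nonce
        return code

    def authorise(self, code: str, amount_cents: int, payee: str, now: float) -> bool:
        """Execution step: the code is consumed once and only matches the linked amount/payee."""
        if self.blocked or self.last_activity is None:
            return False
        if now - self.last_activity > IDLE_TIMEOUT_SECONDS:
            self.last_activity = None    # session timed out: re-authentication required
            return False
        nonce = self._pending.pop(code, None)   # consumed whether or not it matches
        if nonce is None:
            return False                 # unknown, already used or invalidated code
        self.last_activity = now
        return hmac.compare_digest(self._mac(nonce, amount_cents, payee), code)


def enrol(pin: str, device_key: bytes) -> ScaSession:
    """Constructed enrolment helper: the PSP keeps only a hash of the knowledge element."""
    return ScaSession(hashlib.sha256(pin.encode()).hexdigest(), device_key)
```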

Transaction monitoring

PSPs must monitor interaction with their customers to detect unauthorised or fraudulent payment transactions, taking into account elements which are typical of the user when normally using the credentials and, at a minimum, the following risk-based factors: 
  • lists of compromised or stolen authentication elements; 
  • the amount of each payment transaction; 
  • known fraud scenarios in the provision of payment services; 
  • signs of malware infection in any sessions of the authentication procedure; and
  • where the access device or software is provided by the PSP, a log of the use of the device or software and the abnormal use of the device or software. 

Exemptions from strong customer authentication

The permitted exemptions (subject to transaction monitoring, and quarterly assessments to be shared with the FCA on request) are: 
  • checking the balance or the last 90 days of transactions without entering sensitive payment data; 
  • a contactless payment of up to €50, a series of up to €150 or 5 consecutive contactless payments; 
  • payment at an unattended parking or transport ticket terminal;
  • the payee is included in a list of trusted payees (unless adding to or changing the list); 
  • recurring payments (after authenticating the first one);
  • transfers between the users’ own accounts with the same PSP; 
  • a remote electronic payment of up to €30, consecutive payments of up to €100 or 5 consecutive remote electronic payments; 
  • commercial payment processes or protocols where the FCA is satisfied they guarantee at least the same level of security as under PSD2; 
  • low risk remote electronic payment transactions (based on certain risk factors) where: 
      • the fraud rate is below the relevant reference rate; 
      • the amount is below a specific threshold; and 
      • the PSP’s real time risk analysis hasn’t identified certain specified problems. 

Secure communications

A PSP's communication sessions must be protected against the capture of authentication data transmitted during authentication, and against manipulation by unauthorised parties based on certain communication standards. These include secure identification of payer’s and payee’s devices; traceability of both the transactions and the interaction with the user and other participants in transactions; and a secure access interface between payer and online payment accounts. 

The access interface must allow for access by the user’s chosen account information service providers (AISPs) and payment initiation service providers (PISPs), although access by AISPs and PISPs can be facilitated via a dedicated interface that meets certain requirements. 

The End.

Saturday, 13 January 2018

Payment Services #.0: When Payments Finally Become Less Visible

Today marks the dawn of new payments regulation under the second Payment Services Directive (PSD2). Yawn, you say. But, unusually for a technology-based industry, the experience for customers should outstrip the hype. Is this Payment Services 2.0? 3.0? 4.0?  Who cares? After all, "paying" for something or "checking your balance" should not be an activity all on its own. It should be just a small part of something else you're in the middle of doing. In other words, it's what you won't see that should make all the difference...

You might not deal with your bank anymore when paying or checking statements

New “payment initiation services” will mean you can use a separate service provider to make payments from your bank account or other payment accounts, without logging-in to your payment account provider's systems.

New “account information services” will combine the information from all your payment accounts and display it to you in one place. You could also permit that information to be sent to others (e.g. a lender, a comparison website or professional adviser). 

Not only will such services cut the amount of time you spend logging-in to different providers. They'll also make it easier for you to gather your financial information, understand and control your financial affairs and make payments from a range of accounts. 

You won't see retailers charging you for the privilege of paying them

From now on, nobody can add a charge based purely on how you pay them. So all their profit will be in the price of the goods or services you buy, not the extras. 

The UK has typically gone further than other EU countries to apply this to every type of consumer payment method. So, any contract term requiring such a 'surcharge' will not be enforceable. In fact, there will be an implied requirement to refund the excess. Or you could initiate a chargeback via your debit/credit card issuer, or make a claim against your credit card issuer under section 75 of the Consumer Credit Act. 

In addition, any extra charge for using a commercial payment method must be limited to the supplier's cost of accepting that type of payment. Again, no room for extra margin here.

You won't realise that big loyalty schemes are now policed by the FCA

Retail loyalty schemes, such as gift cards, fuel cards and other ‘limited network’ programmes, will need to be registered with the Financial Conduct Authority if the value of their transactions meets or exceeds €1 million (or the GBP equivalent) in any 12 month period.

The intention is to safeguard customer funds that are paid into wider schemes, as with any other e-money or payment service.

The FCA must then decide if the scheme really is a ‘limited network’ that's entitled to an exclusion from e-money and payments regulation. 

If not, then the retailer may have already committed an offence by offering the scheme in the first place.

The retailer also commits an offence if it fails to notify the FCA within 28 days after reaching the €1 million threshold. So retailers should check the status of their loyalty programmes well before then!

You will see less delay in handling your complaints 

The time for processing customer complaints has been cut from 8 weeks to 15 business days. This increases the pressure on payment service providers to operate much more efficiently, so they have fewer complaints and find it easier and less costly to solve any problems you do have. 

You won't see the increased security

You won't see all the standards-setting and development work that's going on behind the scenes to make all of this happen in a far more secure way than payment services have worked before.

The new regulations bring mandatory technical standards for better ways to make sure customers are who they claim to be, and for the different types of payment service providers to work together where you need them to do so.

So, finally, "payments" will become less visible... if you know what I mean.

Saturday, 6 January 2018

Can You Use P2P Loans to Provide Finance To Others?

The FCA and others have become concerned that some people or firms may be borrowing money on peer-to-peer lending platforms and using that money to provide finance to others without being authorised to do so, rather than borrowing solely to finance their own activities. 

So the Treasury proposes to clarify when a person or business can borrow on a P2P lending platform without needing to be authorised to 'accept deposits' by amending the 'business test' for deposit-taking as explained here.

For the sake of argument, let's just accept that a 'loan' can be a "deposit"; that borrowing on a P2P lending platform can involve "accepting" a deposit; and that no potential exemptions apply. The question is whether this is being done "by way of business".

The current test merely says that a borrower will not be 'accepting deposits by way of business' if the borrower doesn't hold himself out as accepting deposits on a day-to-day basis; and any deposits are accepted only on "particular occasions".

This is considered too vague to be helpful in the P2P lending context, so the government proposes to add a specific carve-out for the situation where:
  • the acceptance of deposits is facilitated by an authorised P2P lending platform;
  • the borrower is not a bank or 'credit institution' (as they are already in the business of accepting deposits) or other type of regulated person (who would need to add the permission to accept deposits);
  • the borrower is not carrying on the business of accepting deposits (which is obviously kind of circular, but another provision will say that if the borrower uses the capital or interest on the funds solely to finance other business activity carried on by the borrower (not a third party), this will be evidence that the borrower is not carrying on the business of accepting deposits);
  • the borrower does not hold himself out as accepting deposits on a day to day basis, other than as facilitated by the P2P lending platform.
The key element in the context of borrowing on a P2P lending platform is that the borrower's use of the loan proceeds is to finance that person or firm's own activities, as opposed to being used to provide finance to others.

Of course, this post is for information purposes only and does not constitute legal advice.

Wednesday, 3 January 2018

Central Points of Contact: Erosion of Home State Control Under PSD2 Passports?

One of the great benefits of the old Payment Services Directive (PSD) was that a firm only had to deal with the regulator in its home member state. If the regulator in another member state wanted to complain about a service supplied to its citizens under a 'passport', then that host state regulator had to call the home state regulator.  This was particularly important given that different EEA member states have different interpretations of some aspects of the PSD.

But the new PSD2 allows each host state to require a firm operating locally through branches or agents to appoint a local "central point of contact" if it meets one or more criteria specified by the European Banking Authority:
  • if the firm has 10 or more agents located in the host state, which the firm relies on for passporting under the 'right of establishment' (not on a 'cross-border service' basis);
  • if the total [value/number] of payment transactions carried out by the firm in the host state in the last financial year through local agents (including cross-border service agents, so long as there are at least 2 agents operating under the right of establishment), exceeds [EUR 3 million/100,000], including transactions initiated under its payment initiation service.
Firms which trigger any one of the criteria in a host member state must notify the local regulator within 30 days (otherwise, the local regulator wouldn't necessarily know). The EBA will hold a central register of firms with local 'central points of contact'.

Each central point of contact must be able to facilitate certain reporting obligations, as well as communications with, and visits by, host state authorities.  

This is intended to improve co-ordination among regulators, though it seems a lot of trouble to go to when they can already pick up the phone. 

More concerning, however, is that it also paves the way for host states to enforce their own different interpretations of PSD2...

Lifting the Lid on UK Banks' Current Account Services

In a belated effort to improve competition for personal and business current accounts, new rules require banks to publish data on account opening, service availability and major incidents from 15 August 2018. Data on account-opening and debit card replacement will have to be published from 15 February 2019. Banks will need to start recording and measuring the time taken to open accounts and to replace a debit card from 1 October 2018. Comparison sites are also likely to publish the data.

The measures exclude 'premium' customers who receive a better level of service linked to minimum credit balances or monthly deposits, and who represent fewer than 20% of customers. Otherwise, their experience could distort the picture of services that typical customers get.

The rules cover banks with more than 70,000 relevant personal current accounts or 15,000 business current accounts (held by ‘banking customers’) per brand. Other firms not required to publish the data may do so, in which case they should comply with the same rules to aid comparison (but are not in breach of any rules if they do not). 

Thursday, 7 December 2017

Are UK Retailers Ready for The Ban On Payment Charges To Customers?

As mentioned previously, UK retailers won't be able to charge their customers a fee for using most forms of payment from 13 January 2018, and must refund any charges that violate the ban or limit. Certain surcharges within the scope of the regulations will remain permissible, but must not exceed the actual costs incurred in accepting the relevant payment method.

Customers will have teeth. Any contractual term requiring payment of a problem fee will be unenforceable to the extent of the excess charged, and will be treated as requiring the excess to be repaid. These rights can be enforced in the courts or alternative dispute resolution schemes. Customers might also initiate chargebacks for the excess amounts via their card issuer (or make a claim against the issuer under section 75 of the Consumer Credit Act).

Local Trading Standards authorities will have to consider complaints they receive from payers concerning prohibited charges, and must then decide whether to apply for an injunction or any other appropriate relief or remedy against the relevant payee or to accept undertakings to avoid court action. They must also notify the Competition and Markets Authority of any undertakings or the outcome of proceedings taken, which will be publicised for their reputational impact.

In addition, the authorities may seek enforcement orders under the Enterprise Act 2002. Where there is collective harm, the court can restrain continued or repeated conduct. 

I should add that the above restrictions apply to any "payee", not just retailers, as well as to bank transfers and direct debits in euros. They also cover business “payers”, not just consumers. However, excluded from the ban are charges for using commercial payment instruments - issued to businesses, public sector entities or the self-employed and limited to use for business expenses where the payments are charged directly to their account. But charges for using those must only cover the cost to the retailer of using that specific payment instrument.

The restrictions have been introduced in The Consumer Rights (Payment Surcharges) Regulations 2012 by the Payment Services Regulations 2017.

Update on 15.12.17: The government has now published its revised guidance on the Regulations, taking into account the ban introduced from 13 January 2018, as well as how to calculate appropriate surcharges where they are expressly permitted.

Wednesday, 22 November 2017

FCA Launches PSD2 Navigator

The Financial Conduct Authority has always led its EU counterparts in explaining its approach to regulating payment services, and continues to do so in spite of Brexit. 

The FCA had already published its "Approach" document for the new Payment Services Regulations 2017 (incorporating its approach to supervising the Electronic Money Regulations 2011) and has now launched a higher level web page to help navigate the impact and benefits of the new regulations.

This will be of most help to firms offering the new "account information services" and "payment initiation services", as well as retailers operating loyalty programmes that transact over €1 million in any 12 month period starting from 13 January 2018 and various other exclusions.

It is important to consider at the outset, however, whether your firm is offering payment services as a regular occupation or business.