Wednesday, 19 July 2017

Final UK Regulations Implementing #PSD2

The UK government has today announced its final approach to implementing the new Payment Services Directive (PSD2), along with the final version of the Payment Services Regulations 2017. A final assessment of the impact of the new regulations is yet to be published. The FCA is expected to finalise its guidance on its approach to supervising PSD2 - along with application forms and so on - by September, and to accept applications for authorisation/registration from October 2017 to meet the implementation deadline of 13 January 2018.

It turns out that the responses to the consultation in February have only persuaded the government to change a few aspects of its approach to implementation (explained below). But it seems from the summaries that many responses didn't account for the fact that the government's hands have been tied since 2015, when the UK agreed the final version of PSD2 at EU level. As it's a maximum harmonisation directive, member states can only depart from PSD2 where it specifically allows them to. The ship has sailed (albeit with some awkward passengers on board, as explained in my own response). For the most part, implementation is now a question of how the FCA interprets the language in its application to the real world, which it consulted on in April. This does not suggest any lack of 'sovereignty', just a failure to influence EU negotiations (assuming those affected took the opportunity to engage at that time).

Ban on surcharging

One area of departure from the government's initial plan is to prohibit retailers from charging customers any additional amount for using any type of payment method/instrument.

The original idea was only to ban surcharging for the use of cards covered by the Interchange Fee Regulation (as required under PSD2), as well as cross border bank transfers and direct debits in euros (under the Single Euro Payments Area regulations); and limit the surcharges for other payment methods to the direct cost borne by the retailer for making them available.

But the government has opted instead for a blanket ban on businesses surcharging consumers for using any type of payment method, on the basis that it:
"will create a level playing field between payment instruments and create a much clearer picture for consumers in which they know the full price of the product/service they are purchasing upfront and [can be] confident that there will be no additional charges when they come to pay [with] any payment instrument they choose to use. A blanket ban will also be much easier to enforce than the current position in which merchants are able to pass on costs (but the consumer has no easy way of assessing what these are)."
Meanwhile, the government says it will "assess the scale" of claims that interchange fees for card payments have been rising again.


PSD2 introduces a new “account information service” which basically involves providing information from one or more payment accounts held by the user with one or more other payment service providers.

Initially, the list of services the government said it believed might constitute account information services included some services of a much broader nature:
"• price comparison and product identification services;
• income and expenditure analysis, including affordability and credit rating or credit worthiness assessments...
[and] might include accountancy or legal services, for example" (para 6.30).
This provoked concern that the government's interpretation was too broad and overlooked the requirement that an account information service would need to be conducted by way of business in its own right, rather than merely as an ancillary part of a wider service. Examples of services that the government says that respondents were concerned about include: 
"banks’ corporate functions; price comparison websites; accountants; financial advisors; legal firms; and Credit Reference Agencies (CRAs). Many of these services are currently provided via a contractual relationship between service providers, users, and ASPSPs, often referred to as Third Party Mandates (TPMs)."
The government now confirms, however, that:
"many uses of these mandates are likely to be outside of the scope of the PSDII. Examples could include power of attorney, where the services are unlikely to be undertaken ‘in the course of business’."

In addition, the FCA has already suggested this narrower view, based on the 'business test' in its own consultation on how it proposes to supervise PSD2.

Next steps

The FCA is expected to finalise its guidance on its approach to supervising PSD2 - along with application forms and so on for the various types of authorisation/registration - by September, and to accept applications for authorisation/registration from October 2017.


Thursday, 2 February 2017

How The UK Will Introduce #PSD2

The UK Treasury has published its plans for implementing the new Payment Services Directive (PSD2), which must be done by 13 January 2018. We have until 16 March 2017 to comment on the draft regulations. No doubt we will also soon hear how the FCA will approach its supervisory role.

I've previously covered the key differences between PSD2 and the current directive, and there are many areas for differing interpretation...

I will share my thoughts on the current consultation in the coming week(s).

Update: a copy of my submission to the Treasury consultation is here.


Monday, 14 November 2016

Will Regulatory Technical Standards Slow The Pace Of Payments Innovation?

Under the new Payment Services Directive (PSD2), the European Banking Authority (EBA) is tasked with producing 'regulatory technical standards' to be followed by those with certain obligations, including how payment service providers (PSPs) must authenticate customers and communicate with each other. But it seems this process and the standards themselves are acting as a brake on innovation and related investment.

The EBA consulted on its proposed regulatory technical standards for authentication and communication between August and October, with a revised set due in the coming months.

PSD2 requires PSPs to apply "strong customer authentication" where "the payer... accesses its payment account online, initiates an electronic payment transaction or carries out any action through a remote channel which may imply a risk of payment fraud or other abuses."

But two big issues raised by PSD2 are (1) how each type of payment is initiated; and (2) who actually initiates it.

The EBA believes card payments are initiated by the cardholder as payer, but fudges the issue somewhat by requiring the card acquirers (i.e. the PSP of the merchants) to require their merchants to support strong authentication for all payment transactions. The added complication is where a payment transaction is initiated by the payee, but the payer's consent is given "through a remote channel which may imply a risk of payment fraud or other abuses".

There is a view, however, that card payments are among those that are in fact initiated by the payee (the merchant), who is not in fact the 'payee' of the cardholder at all but is paid by the card acquirer to which the merchant submits its transactions. The cardholder just pays the card issuer. This is all bound up in fundamental problems with the definitions of "payment transaction", "payer" and "payee" in both the PSD and PSD2; and the fact that card acquiring works through a series of back-to-back contracts that do not involve any direct contract between the buyer and the seller at all concerning payment processing. Indeed, a challenge for the UK's implementation plans is that there is a Court of Appeal decision which supports this view. 

In these respects, PSD2 appears to set up a 'legal fiction', which (despite taking a somewhat purposive approach in the 'fudge' explained above) the EBA appears to insist on in language at the end of its consultation paper: "all the requirements under consultation apply irrespective of the underlying obligations and organisational arrangements between" the various types of PSP, payers and payees. In other words, we have a weird situation where the law and related standards are to be applied regardless of how payment systems and processes really work.

Not only can this lead to situations where, for example, some banks insist that the PSD does not cover card acquiring, but it can also cause over-compliance to avoid doubt and other restraints on innovation.

While distinctions concerning how payments are initiated and by whom might seem to matter less in the context of security measures to be adopted by PSPs - since everyone is interested in reducing financial crime - they are absolutely critical in the context of software and services that contribute in any way to payments being "initiated" and whether the suppliers or users of such software and services must be authorised as "payment initiation service providers" or perhaps even as the issuers of payment instruments.

It will be very interesting to see how the Treasury proposes to address these problems in transposing PSD2 itself, although it's more likely the FCA will be left to explain how to comply, assuming the Treasury declines to take a purposive approach to EU law and simply copies the language of PSD2 into UK law (a process known as 'gold-plating').

There are numerous other glitches in the technical standards that have been identified by respondents, too numerous to mention here, but which it is hoped will be reconsidered in the next version - not that such standards should ever be considered as 'final' or set for all time. Indeed, an overarching problem seems to be that in the EBA's attempts to drag our legacy payments infrastructure into the 21st century, insufficient attention has been given to existing and potential alternative security technology - even in cases where incumbents are seeking to leapfrog the limitations of legacy systems.

Meanwhile, a year has slipped by since PSD2 was approved and the standards themselves are only due to take effect in October 2018 'at the very earliest', by which time they are likely to be thoroughly out of step with commercially available technology. 

While old systems may need to be accommodated to some degree, surely the pace of payments innovation should not be tied to the slowest animals in the herd?


Thursday, 6 March 2014

ECB Moves To Kill Innovation in Payment Services

Last July, the European Commission proposed a new Payment Services Directive (PSD2), which was voted on in committee on 20 February. Apparently it was passed with certain changes, which have not yet been published. However, it's worth noting that earlier in February the ECB published its proposed changes to the draft directive, which are discussed below in a post that I've been trying to finish for the past 3 weeks (sorry). The Parliament is due to vote in plenary on 2 April. PSD2 will take effect 2 years after it is adopted.

The ECB's stated concern is to help the development of the payment services market. Yet readers in common law countries will be struck by the irony in its proposal to regulate on matters that the industry could otherwise agree contractually. So, rather than allowing for flexible contractual solutions, the ECB wants a rigid code that won't take effect for 2 years and will take many more to change. In addition, the ECB wants "further business rules, including technical and operational arrangements" to be "defined through the creation of a payment scheme."

But we can ill afford the pace of innovation and competition in payment services to be dictated by the glacial speed of the EU legislative process or the snail's pace at which established players form new trade organisations and agree standards. I mean, it took a decade to force UK banks just to implement Faster Payments.

The ECB's approach is of course typical of the civil law attitude to innovation and entrepreneurship, which is at odds with the vital role that contracts play in shaping markets, particularly in a global context. In common law countries we are free to act unless the law restricts us. The law follows commerce. Contracts therefore provide the rails on which entrepreneurial activity runs. Meanwhile, the citizens of civil law countries wait for their lawmakers to define how they may act - in continental Europe, commerce follows the law. Contracts should be used sparingly, if at all, to supplement civil law codes. As a result, entrepreneurship and innovation from outside the scope of existing law is viewed by continental Europeans as being rather dodgy, as are global contractual terms of service that transcend national laws and treaties. Europeans consider that governments should agree international rules through treaties, not the likes of you and me at the click of a mouse. So it's no surprise that so much global innovation thrives in common law markets, as illustrated by the growth of e-commerce. The European Commission's comment on amendments to the commercial agents' exemption in PSD2 is a case in point:
"The ‘commercial agent’ exemption has been amended to only apply to commercial agents which act on behalf of either the payer or the payee, and not to those which act for both payer and the payee. The exemption under the current PSD has increasingly been used with regard to payment transactions handled by e-commerce platforms on behalf of both the seller (payee) and the buyer (payer). This use goes beyond the purpose of the exemption and should thus be further circumscribed."
What UK officials make of all this is unclear. The Cabinet Office and the Treasury have held at least one workshop with some representatives of challenger businesses in the UK financial technology sector. But we have not seen whether and, if so, how those discussions have translated into UK policy. Meanwhile, the House of Commons European Scrutiny Committee has complained of receiving very little detail on the Treasury's position on PSD2, and only seems to have entertained submissions from MasterCard, the UK Cards Association and a few charities (see section 8 of its recent report).

Against this background, you might wonder if there's much point in caring about PSD2, and I suspect that is the point of government bureaucracy: to bore and frustrate everyone into submission - including many of those who are paid good money to participate directly. So let's call it sick fascination. At any rate, here's a quick summary of the ECB's proposals (none of which resolves the gobbledygook in Articles 67-68 and 72-75, by the way):

1. Payment access/initiation services: when you use a separate service to check the balance in one of your payment accounts or initiate a payment, you will not be able to allow the third party service provider ("TPP") to use your log-in details for the payment account you want to check or make a payment from. The TPP and your payment account service provider ("ASP") will need to figure out another way to interoperate using a European standard interface specified (eventually) by the European Banking Authority.

2. Direct debit refunds: for privacy reasons (apparently), direct debit refunds should not be conditional on whether goods or services have already been consumed. Instead there should be an unconditional refund right for 8 weeks for all direct debits, except in relation to goods and services listed by the European Commission as items that 'debtors and creditors' can agree upon as not being subject to a refund. There is no suggestion that this will be consistent with consumer cancellation rights for distance sales. Note also the use of 'debtors and creditors' by the ECB in its explanation, when PSD2 refers to 'payer' and 'payee'. This highlights a problem with definitions in the PSD generally, where it is assumed that the payee and creditor (e.g. a merchant or the issuer of a bill) are the same when often they are not, a point the ECB has missed in trying to define the "acquiring of payment transactions" (see 5 below).

3. Territorial scope:  the scope provisions of the PSD and PSD2 are overly simplistic, given the range of situations involving payment transactions outside the EEA and the potential for a single transaction to be governed by the law in multiple jurisdictions. The ECB amendments not only fail to clarify these issues, but also increase the pressure on the interpretation by applying the customer disclosure and contractual requirements, as well as provisions relating to the supply and use of payment services.

4. Network and Information Security Directive: The ECB says this directive should not apply directly, but supervisory bodies may take that directive and any related guidance into account when assessing payment service providers' management of information security. Which means that they will have to comply with the NISD, in effect, but won't realise that's what they are doing because they didn't follow the tortuous passage of PSD2 through the EU quagmire.

5. Definitions: The ECB has recommended some additional definitions to clarify the application of PSD2. In particular, “acquiring of payment transactions” is defined to mean:
"a payment service provided by a payment service provider contracting with a payee to accept and process the payee’s payment transactions initiated by a payer’s payment instrument, which result in a transfer of funds to the payee; the service could include providing authentication, authorisation, and other services related to the management of financial flows to the payee regardless of whether the payment service provider holds the funds on behalf of the payee;"
Yet the issue of whether merchant acquiring is covered by the PSD lies entwined in the definitions of "payment transaction", "payer" and "payee"; mistakenly equating buyers with payers and merchants with payees; mistaken assumptions about exactly how payments are initiated and by whom; and the fact that acquiring is actually achieved through a series of back-to-back contracts between principals that does not involve a direct contractual relationship between the buyer and seller at any point. There's even a Court of Appeal decision to this effect. But, again, that's clearly lost on officials.

The result? Slow, creeping, incremental change in payment services. Not exactly fertile ground for what you would genuinely call "innovation".


Friday, 18 October 2013

Will EU Red Tape Kill Store Cards And Loyalty Schemes?

Following my earlier SCL article on PSD2, I've had a few more thoughts on the European Commission's proposals aimed at ‘limited network’ services, such as retail store cards, gift cards, fuel cards and loyalty programmes. Remember, the Commission wants the changes agreed by Spring 2014, and Member states will have two years to implement them. It will be another five years before the Commission reviews the effect of the changes, so this is the last chance to rectify the mistakes in PSD1 and avoid more in PSD2...

You will recall (no doubt) that the PSD exempts payment transactions based on payment instruments accepted only within the issuer's premises or certain 'limited networks'. Such instruments are also exempt from the definition of 'electronic money' in EMD2 by reference to the PSD exemption. While this exemption survives under PSD2, operators will be obliged to notify the regulator if the average of their transactions in the preceding 12 months exceeds €1m per month. The regulator may then disagree that the exemption applies. This catches 'closed loop' stored value and other instruments such as retail store cards, gift cards, fuel cards and loyalty programmes. Yet, as discussed previously here and here when the UK Treasury considered self-regulation to ring-fence funds in this area, there is no evidence of any harm to consumers in such scenarios, compared to the collapse of retail pre-payment schemes such as those offered by Farepak or tour operators which appear not to be caught.

Here are my additional thoughts:
  1. Other than simply the volume/value, there seems to be implied an additional basis on which a regulator might decide that a service which otherwise fell within the limited network exemption below the threshold average of €1m per month would no longer qualify when it reached that threshold. What basis would that be?

  2. If the regulator were to disagree that the limited network exemption under PSD2 applies, is the service provider automatically guilty of an offence without any possibility of an orderly transition to full authorisation or finding an authorised payment institution or PSD agent to operate the service?

  3. Similarly, if the regulator were to disagree that the limited network exemption under PSD2 applies to a ‘closed loop’ stored value service, does that amount to a decision that the exemption from the definition of “electronic money” under EMD2 would also cease to apply to that service? If so, a service provider who was lawfully operating within the exemption below the volume threshold would suddenly find itself in breach of both PSD2 and EMD2, again without any possibility of an orderly transition to full authorisation or finding an authorised e-money institution to operate the service.

  4. Outcomes such as those in scenarios 2 and 3 above seem to conflict with the privilege against self-incrimination and may be otherwise unacceptable from a public policy standpoint (e.g. the avoidance of retrospective regulation). Practically speaking, this mechanism could also drive every service provider with a programme operating anywhere near the volume threshold to approach the regulator for an indication of whether its programme would, if it reached the threshold, be deemed in breach. However, even doing that would open up a similar risk that the regulator may disagree that the exemption applies, with the ugly consequences that may follow. Accordingly, we may find that the operators of all limited network payment schemes apply for authorisation, or use an authorised firm to operate their schemes merely as a precaution against the possible commission of an offence. Or they cancel their programmes altogether.
Surely such 'regulatory creep' is not the intention...?



Thursday, 3 October 2013

The Future of EU Payments Regulation?

I thought it would only ruin the Summer. But it's taken me until Autumn to get my head around the European Commission's plans for a new Payment Services Directive, or 'PSD2' (nope, that's not the train). I'm told that leaves falling from the local trees is purely coincidental and not some kind of arboreal reaction to the complexity.

At any rate, my review of the proposals is now up on the SCL website, along with my earlier article on how card acquiring really works.

If you receive payments by direct debit or you operate an online marketplace, gift card programme, loyalty scheme, mobile/digital wallet, bill payment service, telecoms network, payment initiation service, account information service or a small payment institution you should be particularly concerned. Existing institutions will need to work carefully through the detail.

All will need to take the time to explain to the Commission how their services actually work, and how the regulations might unduly constrain innovation and competition.

The Commission aims to get the changes adopted by Spring 2014, and Member states will have two years to implement. The Commission is giving itself a further five years to review its effectiveness, so it will be a long time before we have another opportunity to rectify the mistakes...
