Showing posts with label eIDAS.

Thursday, 12 November 2020

FCA Irons Out Brexit Wrinkle For UK Open Banking

'Open banking' enables you to use certain 'account information' and 'payment initiation' service providers (TPPs) to extract your payment data or initiate payments from your payment accounts with banks and other payment service providers (ASPSPs). There are 2 million users in the UK. Open Banking was driven by UK competition law enforcement against banks who were hogging access to payment account data; and by changes to the EU Payment Services Directive as a result of similar concerns across Europe. A key feature of the Open Banking regime is that TPPs' systems must authenticate themselves using a certificate that complies with an EU identity regime (eIDAS), from which Britain excluded UK-based TPPs by leaving the EU. The FCA has now come up with the quick fix described below to try to support the continuity of Open Banking after 31 December... 

In July, the European Banking Authority confirmed that eIDAS certificates issued to UK-based TPPs by EU trust providers will be revoked on 31 December, even though UK law would recognise them as valid under its new UK eIDAS Regulation. 

The FCA does not have the ability to delay the revocation of eIDAS certificates; there is no scope within eIDAS to issue UK-only certificates; and there are not yet any UK trust providers qualified to issue eIDAS certificates under the new UK eIDAS Regulation. 

That means TPPs in the UK will no longer be able to access their customers' payment account data held with their account servicing payment service providers (ASPSPs) after 31 December without a further change to UK eIDAS requirements, so the FCA has amended them to allow for the use of an alternative form of authentication certificate.

As a result of the recent changes, UK ASPSPs must now accept at least one other electronic form of identification issued by an independent third party, in addition to continuing to accept eIDAS certificates. 

The additional form of identification must:

  • be a digital certificate issued by an independent third party upon identification and verification of the payment service provider’s identity;
  • include the name of the TPP as well as information on the competent authority the TPP is authorised or registered with, and the corresponding registration number (Firm Reference Number (FRN));
  • be revoked as soon as the TPP is no longer authorised to conduct TPP activities. 

An ASPSP must: 

  • verify the authorisation status of the TPP in a way that would not create any obstacles to TPP access;
  • satisfy itself of the suitability of the independent third party issuing the certificate;
  • specify publicly which means of identification it accepts to ensure TPPs are aware (e.g. on the Open Banking Implementation Entity (OBIE) transparency calendar or on their website).

To ensure continuity of service and enable TPPs to use the existing 90-day reauthentication cycle, the FCA will allow ASPSPs to accept a certificate obtained from a provider of an API programme that does not meet the amended requirements until 30 June 2021, so long as:

  • TPPs have also presented a compliant certificate, as described under the amended requirement, to that non-qualifying API programme;
  • that API programme verifies the certificate; and 
  • continues checking, on behalf of the ASPSP, the status of the TPP’s compliant certificate. 

So, a legacy OBIE certificate may be used during that period, provided that the TPP has presented a valid certificate to the OBIE. 

The FCA has removed the need for the certificate to include the address of the TPP and issuer; the need for revoking the certificate if identity information is unverifiable; and the need for a certificate to be amended (as, technically, a certificate can only be revoked). 

ASPSPs must: 

  • assess the need for any changes to their systems and processes and implement any necessary changes by 31 December, and tell TPPs which alternative certificate they will accept as early as possible. 
  • continue accepting valid eIDAS certificates. This includes for UK firms until their certificates are revoked, even after 31 December where applicable; as well as for EEA-based firms that benefit from the UK's Temporary Permission Regime to continue providing their services in the UK after Brexit.

TPPs whose eIDAS certificate is likely to be revoked must have an alternative certificate(s) as soon as possible ahead of 31 December.
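As an added illustration (not code from the FCA or from this post), the acceptance rules above can be written down as a single ASPSP-side check: eIDAS certificates stay valid until revoked, an alternative certificate needs a trusted issuer plus the TPP name, competent authority and FRN, and a legacy API-programme certificate is only honoured until 30 June 2021 and only while the programme verifies a compliant certificate for the same TPP. The data model, field names and the three `kind` values are assumptions for this example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed model of the certificate a TPP presents to an ASPSP. The field
# names and the three "kind" values are assumptions for this example, not a
# real certificate profile; a production check would take them from the
# parsed X.509 certificate and a revocation (CRL/OCSP) lookup.
@dataclass
class TppCertificate:
    kind: str                  # "eidas", "alternative" or "legacy"
    issuer: str
    tpp_name: str = ""
    competent_authority: str = ""
    frn: str = ""              # Firm Reference Number
    revoked: bool = False

LEGACY_CUTOFF = date(2021, 6, 30)  # legacy API-programme certificates accepted until here

def aspsp_accepts(cert, today_iso, trusted_issuers, authorised_frns,
                  programme_verified_compliant=False):
    """Decide whether an ASPSP may honour a certificate under the amended UK rules.

    today_iso is a 'YYYY-MM-DD' string. Returns (accepted, reason). Revocation and
    current authorisation status are checked for every kind; the remaining checks
    depend on the kind of certificate presented.
    """
    today = date.fromisoformat(today_iso)
    if cert.revoked:
        return False, "certificate revoked"
    if cert.kind == "eidas":
        pass  # still accepted until revoked, including after 31 December
    elif cert.kind == "alternative":
        if cert.issuer not in trusted_issuers:
            return False, "issuer not an accepted independent third party"
        if not (cert.tpp_name and cert.competent_authority and cert.frn):
            return False, "missing TPP name, competent authority or FRN"
    elif cert.kind == "legacy":
        # Transitional path: only until the cutoff, and only if the API programme
        # holds and keeps verifying a compliant certificate for the same TPP.
        if today > LEGACY_CUTOFF:
            return False, "legacy certificate no longer accepted"
        if not programme_verified_compliant:
            return False, "API programme has not verified a compliant certificate"
    else:
        return False, "unknown certificate kind"
    # Authorisation status is checked against the regulator's register in all cases.
    if cert.frn not in authorised_frns:
        return False, "TPP not currently authorised"
    return True, "accepted"
```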


Wednesday, 5 August 2020

Brexit-proofing... eIDAS Certificates

The European Banking Authority has just reminded firms to get ready for the end of cross-border activity between the EU and UK. Among other things, for Open Banking this means:

"account information service providers (AISPs) and payment initiation service providers (PISPs) registered/authorised in the UK will no longer be entitled to access customers' payment accounts held at the EU payment service providers and their PSD2 eIDAS certificates under Article 34 of the Commission Delegated Regulation (EU) 2018/389 [the eIDAS Regulation] will be revoked."

However, as explained by the UK's Information Commissioner, a version of the eIDAS Regulation will take effect in UK law after 1 January 2020 (by virtue of the snappily titled Electronic Identification and Trust Services for Electronic Transactions (Amendment etc.) (EU Exit) Regulations 2019/89). 

This means UK law will continue to recognise EU registered qualified trust service providers, with the intention that UK-based organisations can continue to use EU-based trust services as well as UK-based trust providers. The approved trust providers that appear in the eIDAS trusted list for the UK immediately before the end of the transition period will remain on the list for the new UK scheme after transition ends. But the certificates issued under the UK scheme - or by EU service providers to UK-based firms - will not be recognised in the EU (or EEA).

Of course, it's a practical/commercial issue as to whether EU-based trust service providers will continue issuing certificates to UK firms after the Brexit transition ends...


Tuesday, 18 October 2016

Boring But Important: UK's Anti-Money Laundering Consultation

The Treasury is consulting on how to implement the fourth Money Laundering Directive into UK law by 26 June 2017, with responses due on 10 November 2016. Draft guidance from the European Banking Authority is also open for consultation. In parallel, a new EU Funds Transfer Regulation will take direct effect, updating the rules on information on payers and payees accompanying the transfer of funds in any currency.

The consultation is important, given that money laundering is also a key enabler of serious and organised crime, estimated by the Home Office to cost us £24 billion a year. Terrorists also tend to use the proceeds of crime as a means to obtain funding, but might also try to obtain finance from (unwitting) legitimate sources.

The current Money Laundering Regulations 2007 cover 150,000 UK businesses, with more likely to be covered due to a lowering of the threshold for eligible transactions in cash (or a series of transactions that appear to be linked) by persons trading goods, from EUR 15,000 down to EUR 10,000 (probably about £1000 in 2017 money!); and an extension to include receiving as well as making payments in cash.

With the exception of money remittance, the government is able to exempt from the regulations some persons engaging in certain financial activities on an occasional or very limited basis where there is little risk of money laundering or terrorist financing:

  • the financial activity is limited in absolute terms (the proposal is that the total annual turnover from the activity should not exceed £100,000);
  • the financial activity is limited on a transaction basis (the proposed maximum threshold per customer and per single transaction, whether the transaction is carried out in a single operation or in several operations which appear to be linked, is £1,000);
  • the financial activity is not the main activity of such persons (the proposal is that the activity should not exceed 5% of the total turnover of the natural or legal person concerned);
  • the financial activity is ancillary and directly related to the main activity of such persons;
  • the main activity of such persons is not an activity referred to in Article 2(1)(3)(a) to (d) or 2(1)(3)(f) of the directive; and
  • the financial activity is provided only to the customers of the main activity of such persons and is not generally offered to the public.

The directive requires firms to verify the identity of a customer and any beneficial owner(s) before establishing a business relationship or carrying out a transaction, subject to certain thresholds. But the timing of the verification can be altered: (i) where there is little ML/TF risk and it is necessary so as not to interrupt the normal conduct of business, then verification can be carried out during the establishment of a business relationship - although it shall still be completed as soon as practicable after initial contact; and (ii) an account may be opened with certain institutions provided there are adequate safeguards in place to ensure transactions are not carried out by the customer or on its behalf until the necessary CDD measures are completed.

The directive also requires obliged entities to apply customer due diligence measures to existing customers at appropriate times, using a risk-based approach, as well as to new customers. In particular, such measures should be applied when the circumstances of a customer change, but it is not clear which circumstances are relevant ("e.g. name, address, vocation, marital status etc.") and how a firm would know they had changed. There is a non-exhaustive list of factors in Annex 1 of the MLD that must be taken into account when assessing the risk of money laundering and terrorist financing, raising some uncertainty as to what might constitute an exhaustive list in any given circumstances.

Certain thresholds for implementing customer due diligence apply, but the fact they are expressed in Euros highlights the significant problems posed by the volatility of the pound following the Brexit vote.

Simplified due diligence remains an option, but the list of products currently specified in Regulation 13 is to be replaced by a non-exhaustive list of factors in Annex II of the directive and further guidelines due from the EBA by June 2017 - heralding more uncertainty. In addition, pooled client accounts are no longer mentioned specifically in this context, meaning that the existing explicit option for an institution hosting another firm's client money account (or 'segregated' account or 'safeguarded' account) to apply simplified due diligence in connection with the beneficial owners of the funds in that account will no longer apply.

Enhanced due diligence measures must be implemented in certain circumstances, a non-exhaustive list of which appears in Annex III, with further details in the EBA consultation documents that the Treasury expects everyone to review separately... In fact, there are numerous instances where the various European financial authorities are to draw up regulatory technical standards, so watching that space is very important, as it could act as a brake on innovation.

There has been some increase in the scope of entities that can be relied upon to have conducted customer due diligence, and the Treasury is inviting further suggestions here, particularly to help reduce the regulatory burden. Here it would be very helpful if governments could actually work together to achieve, or at least support, formally 'reliable' ways of verifying the identity of each others' citizens, as envisaged by the eIDAS regulation (there is a single reference to electronic signatures as a means of reducing certain risks, in Annex III).

The new directive is more prescriptive on the internal controls that firms are required to implement, which must vary according to the nature and size of the business concerned. The Treasury is open to suggestions on the thresholds etc., particularly related to a compliance officer and independent audit functions.

There are separate chapters in the consultation specific to gambling, e-money, estate agents, correspondent banking; dealing with politically exposed persons (PEPs); and meeting the requirement for a central register of beneficial owners of corporate and other legal entities incorporated in each member state; as well as reporting, supervision and sanctions for breaches of the regulations.

Worth a read to know what's coming down the 'pike.