
Sunday, 7 February 2021

UK Changes To Strong Customer Authentication and Payments Guidance

The FCA is consulting on some noteworthy changes to certain technical aspects of payments regulation and related guidance. Responses to the questions relating to contactless payments are due by 24 February 2021, and responses on the other aspects of the consultation by 30 April 2021. If you need assistance on any of these issues, please let me know.

Specifically, the FCA is changing the regulatory technical standards applicable to strong customer authentication (SCA) to: 

  • create a new SCA exemption in Article 10A so that a customer's payment account provider (ASPSP) does not need to require the customer to reauthenticate every 90 days when accessing account information through an account information service provider (AISP or TPP);
  • limit the scope of the existing Article 10 exemption to when the customer accesses their information directly;
  • add a requirement that, where a TPP continues to access account information that the customer has not actively requested, the TPP must reconfirm the customer’s explicit consent every 90 days and disconnect access/stop collecting data if the customer fails to re‑confirm their consent;
  • require certain ASPSPs to allow access by TPPs to payment accounts via 'dedicated interfaces' rather than modified customer interfaces, for personal and SME ‘current accounts’ ("payment accounts" under the Payment Account Regulations) and credit card accounts held by consumers or SMEs;
  • require that the technical specifications and testing facility only be made available to TPPs from the launch of new products and services, rather than six months in advance, and that the requirement for a fallback interface should only take effect six months after launch;
  • allow ASPSPs to rely on exemptions from setting up a fallback interface granted by home state competent authorities;
  • amend the threshold at which SCA must be applied to a single contactless payment from £45 to £100-£120, and the threshold value for cumulative contactless payments from £130 to £200.

In addition, the FCA will amend its guidance in the "Approach Document" on how it supervises SCA to be consistent with the above changes and with existing EBA and European Commission guidance as follows:

  • SCA would need to be reapplied where the final amount of a payment is higher than the original amount authorised, so long as the final payment is reasonably within the amount the customer agreed to when authorising the payment and not higher by more than 20% and the customer has agreed to the possibility before authorising the original amount. 
  • the payee’s PSP (e.g. merchant acquirer) should be liable where it triggers an SCA exemption and the transaction is carried out without applying SCA, so (other than where the payer has acted fraudulently) the payer’s PSP would refund the customer and be entitled to reimbursement by the payee’s PSP.
  • for the purpose of what can be used to satisfy two of the three SCA authentication factors (knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is)): a device could only be used as evidence of 'possession' where there is a reliable means to confirm that the device is actually in the customer's possession; static card data cannot satisfy either the 'knowledge' or 'possession' factor; behavioural biometrics may satisfy the 'inherence' factor (as they ‘relate to physical properties of body parts, physiological characteristics and behavioural processes created by the body, and any combination of these’) but other individual properties, such as spending patterns, may not.
  • the fraud rate calculation used to analyse whether transaction risk is low enough to justify the exemption from SCA should only include unauthorised or fraudulent remote electronic transactions for which the PSP was liable, and no other types of transactions (unlike the calculation for payments fraud reporting under REP017).
  • the corporate exemption is applicable to cards or payment instruments that are ‘only available to payers who are not consumers’, i.e. only available to corporate customers.
  • the authentication elements the customer uses to access their payment account online (including via a mobile) may be reused if they then initiate a payment within the same online session, so a customer could authenticate the payment with only one extra element where the firm relies on the account log-in password, for example (as long as the dynamic linking element is linked to the SCA element used when the payment is initiated).
  • merchant-initiated transactions: transactions initiated by the payee only, without any involvement from the payer, are not in scope of SCA. While card‑based payments generally imply an action by the payer and are considered as 'transactions initiated by the payer, through the payee', where a payer has given a mandate to the payee/merchant for a transaction, or series of transactions, made using a card or other payment instrument, then the payments initiated pursuant to this mandate are outside the scope of SCA. That includes payments made under continuous payment authorities such as a subscription for a streaming service, but SCA is required to set up the mandate.
  • in order to monitor the contactless exemption thresholds, firms use a counter that is either host‑based, on a device (which won't count offline transactions); or chip‑based, on the physical card, (which will count both online and offline transactions), but in either case firms should consider the risk of unauthorised or non‑compliant contactless transactions being made and monitor the effects of the option in practice.
  • clarify that ASPSPs must share with payment initiation service providers (PISPs): the name of the account holder (if the name is shown to the customer in their online account); and the account number and the sort code (if these are shown to the customer after they make a payment).
  • reflect the fact that ASPSPs must accept at least one other electronic means of identification issued by an independent party, in addition to eIDAS certificates (Article 34 of the SCA‑RT). 

The FCA will also amend its guidance in the "Approach Document" on how it more generally supervises the regulation of e-money and payment services to: 

  • make the temporary Covid-19 guidance on safeguarding permanent and extend the guidance on risks and controls relating to the insurance method of safeguarding to the guarantee method of safeguarding;
  • include guidance on the Treasury's proposed special administration regime for e-money and payment institutions;
  • reflect the extension of the FCA’s Principles for Businesses to the provision of payment services and issuing of e‑money by certain PSPs and e‑money issuers;
  • reflect the application of certain communication rules and guidance in the Banking Conduct of Business Sourcebook (BCOBS) to communications with payment service and e‑money customers and the communication and marketing of currency transfer services;
  • clarify the FCA's expectations on notifications under the electronic communications exclusion (ECE) and limited network exclusion (LNE) including more detail on the types of information expected as part of a firm’s notification and the types of firms that may be able to benefit from the LNE;
  • update certain reporting requirements;
  • reflect changes following EU withdrawal and the end of the transition period, and the application of our rules and guidance to firms in one of the temporary permission schemes designed to replace passporting as the basis for EEA-based EMIs, PIs and RAISPs to continue operating in the UK for 3 years after the end of the transition period. 

If you need assistance on any of these issues, please let me know.

Thursday, 20 December 2018

FCA Updates Payment Services Approach On Customer Authentication, Gift Cards

The FCA has today published its policy statement explaining changes to the Approach document following the consultation on Strong Customer Authentication and some other revised guidance in September (although the links to the actual revised Approach Document don’t appear to be working correctly at the moment).

Notwithstanding the confusion created by the proposed changes to the guidance on the "limited network exclusion" to exclude gift cards from the scope of PSD2 (no doubt partly due to the obligation to register programmes that exceed €1m in transactions in any 12 month period), the FCA confirms the guidance as follows:
store cards – for example, a ‘closed-loop’ gift card, where the card can only be used at the issuer’s premises or website (so where a store card is co-branded with a third party debit card or credit card issuer and can be used as a debit card or credit card outside the store, it will not benefit from this exclusion). On the other hand, in our view, ‘gift cards’ where the issuer is a retailer and the gift card can only be used to obtain goods or services from that retailer are not payment instruments within the meaning of the PSRs 2017. This is because these basic gift cards do not initiate payment orders; payment for the goods or services is made by the customer to the retailer of the goods in advance, when the card is purchased from the retailer. Accordingly, this exclusion is not relevant to them.
The FCA explains this interpretation in the latest policy statement (at para 6.15) as follows:
"The change we have made to clarify that retailers issuing their own gift cards should not have to notify, is based on the issuer and the retailer being the same person. If the issuer is not the retailer, but the card would be used to purchase goods and services from that retailer, it is possible that the card would be considered a payment instrument under the PSRs 2017 and the limited network exclusion test would be relevant. We already give relevant guidance in PERG Q40 on such instances."
For convenience, the limited network exclusion provides as follows (with the paragraph (k)(i) being the limb which gift card programme operators - and the FCA - have historically assumed applied to avoid gift cards being subject to e-money and payment services regulation):
(k) services based on specific payment instruments that can be used only in a limited way and meet one of the following conditions—
(i) allow the holder to acquire goods or services only in the issuer's premises;
(ii) are issued by a professional issuer and allow the holder to acquire goods or services only within a limited network of service providers which have direct commercial agreements with the issuer;
(iii) may be used only to acquire a very limited range of goods or services; or
(iv) are valid only in a single EEA State, are provided at the request of an undertaking or a public sector entity, and are regulated by a national or regional public authority for specific social or tax purposes to acquire specific goods or services from suppliers which have a commercial agreement with the issuer.

This overlooks the fact that, while the retailer may have already received the funds or value from the purchaser of the gift card/account (potentially via a payment service provider under a regulated payment transaction), the "holder" is often a different person who later uses the gift card/account balance as a means of acquiring goods or services (albeit that transaction may only be accounted for in the retailer's accounting system without being processed via a third party payment provider).
While the FCA's view may be factually and logically correct (particularly from a VAT standpoint), and will no doubt come as a relief to retailers who would otherwise have to register programmes, it involves an apparent re-interpretation of the relevant definitions to overlook what may be regarded as certain 'legal fictions' in the PSD and PSD2 that operate to catch other payment methods - particularly in relation to card payments, for example. The FCA's guidance should therefore confirm the step-by-step rationale as to why a "payment order" is not initiated; how the gift card scenario falls outside the definitions of "payment transaction"; and why neither the gift card holder nor the retailer/issuer is a "payer" or "payee" respectively. But I suspect that may open a can of worms...

The FCA's view also represents a key area of potential divergence from EU payments law in the Brexit context, to the extent that the Commission and EEA regulators may well decline to adopt the FCA's interpretation. The Central Bank of Ireland, for example, includes "prepaid gift card to buy cinema tickets" in the list of programmes that fall within the limited network exclusion. The FCA does not seem to be concerned that the same programme that regulators insist must be registered in, say, France - and therefore surface in the European Banking Authority's register of large limited networks - would not be registered at all in the UK. That wider uncertainty creates confusion and the potential for "regulatory creep" as firms might take action beyond what is required by the FCA in order to avoid it - such as shutting programmes, outsourcing or applying to register unnecessarily (at least from a UK standpoint). 

The sooner such scope for confusion at EEA level is removed, the better.

At the same time, however, the FCA's view does not alter the need for retailers to be careful about the implications of any changes made to their programme, in case they find that the limited network exclusion does then apply and needs to be registered.


Monday, 24 September 2018

Shifting Sands: The FCA Considers Gift Cards Outside The Scope Of PSD2

The sands are shifting under the legal status of gift cards, as the UK's Financial Conduct Authority consults on guidance that removes them from the scope of e-money and payments regulation altogether, rather than deeming them to be excluded as "limited networks". This interpretation would at least remove the need for large gift card programmes to be registered with the FCA, but also suggests a divergence from EU payments law in the Brexit context, to the extent that other EEA regulators may well decline to adopt the FCA's interpretation. Ultimately, it is unclear whether a gift card programme might yet somehow fall within the regulated scope but still benefit from an exclusion.

What's a "gift card"?

Gift cards have always represented the advance purchase of goods or services from the retailer who issued the card. Sometimes the value is recorded on the card (or voucher) itself, sometimes it is represented by a credit to a specific account for the card or named customer in the retailer's IT system. In either case, such value is considered 'closed loop'. There is a subtle difference between this and paying for a specific item in advance. But in both cases, the retailer has been able to treat the funds paid by the purchaser as its own funds, so that the customer has always taken on the risk of the retailer going bust before the value could be redeemed or the specific item was delivered (think Farepak and Wrapit).

Gift cards vs "E-money"

Electronic money, on the other hand, requires you to first 'load' value to a device or account (or 'e-wallet') which the "issuer" then enables you to use to pay for purchases at a range of retailers who either participate on the issuer's proprietary platform, or who accept the issuer's 'prepaid debit cards' via the major card schemes. In this sense, e-money is 'open loop'. Here, the customer is taking the risk that the e-money issuer might go broke before the customer can spend the e-money with the retailers. The risk of this has always been considered much greater than the risk of an individual retailer's insolvency, so financial regulators were given powers to control e-money issuance to try to eliminate that risk. The first electronic money directive in 2000 ("EMD") therefore obliged e-money issuers to hold sufficient capital to avoid insolvency and to keep the cash corresponding to their customers' e-money balances separate from the issuer's own cash. It defined "electronic money" as stored value that is accepted as a means of payment by an entity other than the issuer, thereby excluding 'closed loop' stored value that is issued and spent or redeemed with the same entity.

Exemptions for "limited networks"

The closed/open loop distinction was carried through into the first payment services directive in 2007 ("PSD") by explicitly excluding from the definition of "payment services" any "services based on instruments that can be used to acquire goods or services only in the premises used by the issuer or under a commercial agreement with the issuer either within a limited network of service providers or for a limited range of goods or services". This provision became known as the "limited network exemption".  

That exemption was effectively endorsed in 2009, when the second e-money directive ("EMD2") defined "electronic money" by reference to the value being used for the purpose of making payment transactions under the PSD, rather than accepted by an entity other than the issuer. The reference to the PSD thus automatically picked up and relied on the limited network exemption.

In 2010, the Treasury proposed an obligation for retailers to segregate their gift card funds, but failed to attract any support. The limited network exemption then evolved into a narrower "limited network exclusion" by 2015 under the second payment services directive ("PSD2"), yet Question 40 of the FCA's Perimeter Guidance still cites "a closed loop gift card" as benefiting from that exclusion.  

In addition, PSD2 requires limited networks which transact more than €1m in any 12 month period to be registered with the local financial regulator, which then has a duty to determine whether the limited network exclusion actually applies to it. The first 12 month period expires on 13 January 2019, with registration due on 10 February. This has obliged retailers to begin tracking the size of their loyalty programmes to determine if and when they need to register, and the consequences of a finding that the programme is not excluded. In essence, the retailer could find itself prosecuted for having operated an e-money and/or payment service without either being authorised or registered as an agent of an authorised firm (subject to any 'due diligence defence').

Gift cards now out of scope altogether?

In its latest consultation, however, the FCA proposes to change its stated view by removing the gift card example from Q40 and instead stating:
"... in our view, ‘gift cards’ where the issuer is a retailer and the gift card can only be used to obtain goods or services from that retailer are not payment instruments within the meaning of the PSRs 2017. This is because these basic gift cards do not initiate payment orders; payment for the goods or services is made by the customer to the retailer of the goods in advance, when the card is purchased from the retailer. Accordingly, this exclusion is not relevant to them."

But does that analysis extend to server-side stored value that can only be spent with the issuer? It is also at odds with the fact that VAT is not assessed on gift card purchases to avoid duplication, since VAT will in any case be levied on the actual purchase of items from the retailer in due course (let's ignore 'breakage', where the consumer leaves a balance that the retailer eventually takes to revenue). 

Wider consequences?

While this may be factually and logically correct, and might come as a relief to some large retailers, it otherwise creates confusion and "regulatory creep" as firms take action beyond what is required in order to avoid uncertainty - such as shutting programmes, outsourcing or applying to register unnecessarily. It involves an apparent re-interpretation of the relevant definitions to overlook what may be regarded as certain 'legal fictions' in the PSD and PSD2 that operate particularly in relation to card payments, for example. It also represents a key area of potential divergence from EU payments law in the Brexit context, to the extent that other EEA regulators may well decline to adopt the FCA's interpretation - the Central Bank of Ireland, for example, includes gift cards in the list of programmes that fall within the limited network exclusion.

At the same time, however, the FCA's view does not alter the need for retailers to be careful about the implications of any changes made to their programme, in case they find that the limited network exclusion does then apply and needs to be registered.