UK Review of the Payment Services (and E-money) Regulations

The Treasury is calling for evidence to assist in its review of the Payment Services Regulations 2017. This also necessarily involves consideration of the Electronic Money Regulations 2011, since e-money institutions are subject to both. Those regulations implemented corresponding EU directives that are also being reviewed (which the Treasury ignores). You have until 7 April 2023 to submit responses to the UK process. Please let me know if you would like assistance.

Of course, 'elephant in the room' is whether the UK regulations should remain harmonised with the EU directives that they implemented, particularly as most UK payment service providers will have EEA aspirations, at least, if not their own regulated firms within the trade bloc. Indeed, the UK review will seem eerily familiar to many, because the European Commission embarked on its own review of the second Payment Services Directive (PSD2) in May 2022; and in July the European Banking Authority proposed numerous changes that I summarised for Ogier Leman in Ireland, including the merger of PSD2 and the second E-money Directive (EMD2). I suspect the UK review is timed to coincide with likely changes arising from the EU's review process. The timing might not work perfectly, so the UK might make any changes that seem settled or non-controversial in the EU process, then mop up the rest in due course.

The UK government believes that its e-money and payment services regulation should address: 

• 'authorised push payment' (APP) fraud; 
• whether 'strong customer authentication' requirements are too prescriptive and should be 'outcome-based' including delaying payments where APP fraud is suspected to allow for communication with a potentially affected customer;
• the use of cryptoassets or cryptocurrencies as payment methods.

There is no mention of the European Commission or EBA proposals relating to the review of PSD2 and EMD2, let alone consideration of whether those proposals should be addressed in the UK. I guess that is left to the rest of us to consider and submit.

The UK has already made changes to its insolvency regime to cater for the more orderly and efficient wind-down of payment and e-money institutions, as this was something that the EU directives did not really address (aside from the 'pooling' provisions relating to safeguarded funds). The UK government is also inviting evidence on whether these additional arrangements are adequate (and the EBA has urged greater clarity on wind-down arrangements under the EU directive(s).

The government persists in its tediously jingoistic claims that the UK somehow pioneered 'Open Banking' through the API requirements proposed by the Competition and Markets Authority in 2016 (among other remedies to improve competition for retail banking). However, that happened three years after the specific open banking requirements were proposed in the first version of PSD2. In fact, such 'open data' and 'midata' initiatives were fully developed by 2012 common across Europe and, indeed, globally within the context of the World Economic Forum, as I posted at the time. It cites unspecified plans to ‘develop’ and ‘progress’ such services through a Joint Regulatory Oversight Committee after the CMA found that its mandated Open Banking Implementation Entity was improperly managed and lacked corporate governance.

While omitting a focus on whether banks unfairly withhold payment accounts from innovative financial services businesses, the consultation also includes highly irregular claims that the government is concerned about whether payment service providers might be terminating customer relationships in reaction to the customers' right wing, 'libertarian' political views. The paper concedes that there is no evidence at all that this is a genuine issue, merely citing assertions from a Conservative MP based on speculation by a conservative pundit about why PayPal might have regarded his accounts as suspicious. That such nonsense has found its way into a Treasury consultation paper is deeply worrying. It smacks of the false claims about Channel 4's activities by the then Culture Secretary, ironic given the government's decision to boycott and later sell Channel 4 in reaction to what it believed was unwarranted scrutiny of its activities by journalists. Just as the government has been forced to row back on the sale of Channel 4, it would seem unwise to politicise payment services regulation...

Though maybe the drafts-person was fully aware of the irony in referring to the 'Daily Sceptic' and the 'Free Speech Union' in the context of better ways to combat APP fraud.  

FCA Irons Out Brexit Wrinkle For UK Open Banking

'Open banking' enables you to use certain 'account information' and 'payment initiation' service providers (TPPs) to extract your payment data or initiate payments from your payment accounts with banks and other payment service providers (ASPSPs). There are 2 million users in the UK. Open Banking was driven by UK competition law enforcement against banks who were hogging access to payment account data; and by changes to the EU Payment Service Directive as a result of similar concerns across Europe. A key feature of the Open Banking regime is that TPPs' systems must authenticate themselves using a certificate that complies with an EU identity regime (eIDAS), from which Britain excluded UK based TPPs by leaving the EU. The FCA has now come up with the quick fix described below to try to support the continuity of Open Banking after 31 December... 

In July, the European Banking Authority confirmed that eIDAS certificates issued to UK-based TPPs by EU trust providers will be revoked on 31 December, even though UK law would recognise them as valid under its new UK eIDAS Regulation. 

The FCA does not have the ability to delay the revocation of eIDAS certificates; there is no scope within eIDAS to issue UK-only certificates; and there are not yet any UK trust providers qualified to issue eIDAS certificates under the new UK eIDAS Regulation. 

That means TPPs in the UK will no longer be able to access their customer’s payment account data held with their account service payment service providers (ASPSPs) after 31 December without a further change to UK eIDAS requirements, so the FCA has amended them to allow for the use of an alternative form of authentication certificate.

As a result of the recent changes, UK ASPSPs must now accept at least one other electronic form of identification issued by an independent third party, in addition to continuing to accept eIDAS certificates. 

The additional form of identification must:

• be a digital certificate issued by an independent third party upon identification and verification of the payment service provider’s identity;
• include the name of the TPP as well as information on the competent authority the TPP is authorised or registered with, and the corresponding registration number (Firm Reference Number (FRN));
  
• be revoked as soon as the TPP is no longer authorised to conduct TPP activities. 

An ASPSP must: 

• verify the authorisation status of the TPP in a way that would not create any obstacles to TPP access;
• satisfy itself of the suitability of the independent third party issuing the certificate;
• specify publicly which means of identification it accepts to ensure TPPs are aware (e.g. on the Open Banking Implementation Entity (OBIE) transparency calendar or on their website).

To ensure continuity of service and enable TPPs to use the existing 90-day reauthentication cycle, the FCA will allow ASPSPs to accept a certificate obtained from a provider of an API programme that does not meet the amended requirements until 30 June 2021, so long as:

• TPPs have also presented a compliant certificate, as described under the amended requirement, to that non-qualifying API programme;
  
• that API programme verifies the certificate; and 
• continues checking, on behalf of the ASPSP, the status of the TPP’s compliant certificate. 

So, a legacy OBIE certificate may be used during that period, provided that the TPP has presented a valid certificate to the OBIE. 

The FCA has removed the need for the certificate to include the address of the TPP and issuer; the need for revoking the certificate if identity information is unverifiable; and the need for a certificate to be amended (as, technically, a certificate can only be revoked). 

ASPSPs must: 

• assess the need for any changes to their systems and processes and implement any necessary changes by 31 December, and tell TPPs which alternative certificate they will accept as early as possible. 
• continue accepting valid eIDAS certificates. This includes for UK firms until their certificates are revoked, even after 31 December where applicable; as well as for EEA-based firms that benefit from the UK's Temporary Permission Regime to continue providing their services in the UK after Brexit.
  

TPPs whose eIDAS certificate is likely to be revoked must have an alternative certificate(s) as soon as possible ahead of 31 December.

Open Finance: The FCA's Call For Input

The FCA has called for suggestions by 17 March 2020 as to how it can support more open access to customers’ financial data. A few thoughts here, with an article to follow in the coming weeks...

The major stumbling blocks, as ever, are genuine customer problems/demand and supplier appetite, which tend to be focused quite narrowly; and who gets access to the data and for what purpose. 

One suspects that the Nirvana of a single consumer 'dashboard for everything' remains a long way off. We’ve seen broad-based initiatives before, like the UK government’s ‘midata’ programme from 2011. Key challenges remain customer identity and authentication on a broad scale, as opposed to channels more closely aligned with specific customer activities. In July 2019 the Government Digital Service and the Department for Digital, Culture, Media & Sport were still calling for evidence of how the Government can support improvements in identity verification and the development (and secure use) of digital identities generally. 

Yet there have been genuine advances around more defined customer activities. The FCA itself cites the second payment services directive and related standards designed to open up the payments market, for instance. These were partly a response to strong demand for new, unregulated services that were already providing access to current account data and enabling the remote initiation of bank transfers. Those competing to provide these services were encountering a distinct lack of co-operation from the current account providers (mainly banks). Specific regulation was forthcoming and has duly helped account information and payment initiation services proliferate and scale. But regulation did not itself catalyse either the demand or the services themselves. 

At any rate, it will be interesting to see whether the FCA receives evidence of other existing but nascent 'open finance' type services whose growth is genuinely stymied by issues that can be resolved by regulation. Whether such use-cases are sufficiently distributed across the range of day-to-day activities in which customers are engaged to constitute generally 'open finance' will be interesting to discover but of secondary importance. 

Of course, the elephant in the room is who will have access to all the data and for what purpose. In this respect, it would be particularly interesting to know when the FCA and PRA will begin to actually audit the use of artificial intelligence by financial services providers, rather than merely survey the industry on a self-disclosure basis. If they're true to form, we'll see a few major train wrecks first...