Showing posts with label payment services.

Thursday, 21 March 2024

UK Extends Payment Processing Times Where Authorised Push Payment Fraud Is Suspected - Updated

The UK's second and far more significant recent departure from the EU directive on payment services (PSD2) involves extending the time limit on processing a payment order where it has been authorised by the payer but their payment service provider (PSP) reasonably suspects that it was initiated after fraud or dishonesty by someone else (which could include the actual payee, of course), known as 'authorised push payment (APP) fraud'. The draft regulations are available here.

The PSP must form its suspicion and explain to the payer the reasons for the delay and anything required of the payer to help the PSP to decide whether to execute the payment (if lawful to do so, and not 'tipping-off' under money laundering regulation) by the end of the next business day after receiving the payment order (the usual time limit for processing). 

The PSP then has up to 3 more business days to investigate before processing (or not). 

Regardless of whether the payment order is executed, the PSP is liable to the payment service user, for any charges for which the user is responsible and any interest which the user must pay, as a consequence of a delay to the execution of a payment order in reliance on this new right.

This new right is limited to authorised, UK-only, GBP transactions (but not those initiated through a payee, like a direct debit). 

The related policy note explains that comments are due in to the Treasury by 12 April. The goal is to bring these changes in to support the Payment Systems Regulator's rules on reimbursements for APP fraud from October. The regulatory amendments have since been made and will take effect on 30 October 2024.

This post is for general information purposes and is not legal advice. If you need any help with implementing or evaluating the impact of the new processes, including updating service terms and conditions, please let me know.


Wednesday, 20 March 2024

Payment Service Termination Changes: Full of Sound and Fury, Signifying Nothing

As a result of Farage's hissy fit over no longer meeting the commercial criteria for being a Coutts customer, the Tories clearly felt they had to do something. Well, here it is: 90 days' (instead of 2 months') notice to terminate a payment service contract that has no end date 'for convenience', with an obligation to explain and say how to complain. There are predictable exceptions, and this does not affect other grounds for contract termination or terminating/freezing an account/transaction. Yet more public funds have had to be wasted on a right wing conspiracy theory/culture war than solving an actual problem. Think Rwanda. Comments on this earth-shattering proposal are due by 14 April 2024 and the regulations might be laid before the General Election, or not... ;-)

As if they needed spelling out (as they would each render provision of the payment service unlawful in any event), the exceptions to having to give 90 days' notice of termination for convenience are stated to be: 

  • there's a requirement to cease activities under specific money laundering regulations; 
  • the related payment account turns out to be operated by a 'disqualified person' (under the Immigration Act); 
  • if the payment service provider reasonably believes a payment service provided under the contract is being/likely to be used in connection with a serious crime; 
  • if the FCA, Treasury or the Secretary of State lawfully require it; or 
  • if the payment service provider reasonably believes that the payment service user has committed an offence in connection with the user’s provision of goods or services to a third party.

A tale truly worthy of Macbeth's soliloquy.


Monday, 16 January 2023

UK Review of the Payment Services (and E-money) Regulations

The Treasury is calling for evidence to assist in its review of the Payment Services Regulations 2017. This also necessarily involves consideration of the Electronic Money Regulations 2011, since e-money institutions are subject to both. Those regulations implemented corresponding EU directives that are also being reviewed (which the Treasury ignores). You have until 7 April 2023 to submit responses to the UK process. Please let me know if you would like assistance.

Of course, 'elephant in the room' is whether the UK regulations should remain harmonised with the EU directives that they implemented, particularly as most UK payment service providers will have EEA aspirations, at least, if not their own regulated firms within the trade bloc. Indeed, the UK review will seem eerily familiar to many, because the European Commission embarked on its own review of the second Payment Services Directive (PSD2) in May 2022; and in July the European Banking Authority proposed numerous changes that I summarised for Ogier Leman in Ireland, including the merger of PSD2 and the second E-money Directive (EMD2). I suspect the UK review is timed to coincide with likely changes arising from the EU's review process. The timing might not work perfectly, so the UK might make any changes that seem settled or non-controversial in the EU process, then mop up the rest in due course.

The UK government believes that its e-money and payment services regulation should address: 

  • 'authorised push payment' (APP) fraud; 
  • whether 'strong customer authentication' requirements are too prescriptive and should be 'outcome-based' including delaying payments where APP fraud is suspected to allow for communication with a potentially affected customer;
  • the use of cryptoassets or cryptocurrencies as payment methods.

There is no mention of the European Commission or EBA proposals relating to the review of PSD2 and EMD2, let alone consideration of whether those proposals should be addressed in the UK. I guess that is left to the rest of us to consider and submit.

The UK has already made changes to its insolvency regime to cater for the more orderly and efficient wind-down of payment and e-money institutions, as this was something that the EU directives did not really address (aside from the 'pooling' provisions relating to safeguarded funds). The UK government is also inviting evidence on whether these additional arrangements are adequate (and the EBA has urged greater clarity on wind-down arrangements under the EU directive(s)).

The government persists in its tediously jingoistic claims that the UK somehow pioneered 'Open Banking' through the API requirements proposed by the Competition and Markets Authority in 2016 (among other remedies to improve competition for retail banking). However, that happened three years after the specific open banking requirements were proposed in the first version of PSD2. In fact, such 'open data' and 'midata' initiatives were fully developed by 2012 and common across Europe and, indeed, globally within the context of the World Economic Forum, as I posted at the time. The consultation cites unspecified plans to 'develop' and 'progress' such services through a Joint Regulatory Oversight Committee after the CMA found that its mandated Open Banking Implementation Entity was improperly managed and lacked corporate governance.

While omitting a focus on whether banks unfairly withhold payment accounts from innovative financial services businesses, the consultation also includes highly irregular claims that the government is concerned about whether payment service providers might be terminating customer relationships in reaction to the customers' right wing, 'libertarian' political views. The paper concedes that there is no evidence at all that this is a genuine issue, merely citing assertions from a Conservative MP based on speculation by a conservative pundit about why PayPal might have regarded his accounts as suspicious. That such nonsense has found its way into a Treasury consultation paper is deeply worrying. It smacks of the false claims about Channel 4's activities by the then Culture Secretary, ironic given the government's decision to boycott and later sell Channel 4 in reaction to what it believed was unwarranted scrutiny of its activities by journalists. Just as the government has been forced to row back on the sale of Channel 4, it would seem unwise to politicise payment services regulation...

Though maybe the drafts-person was fully aware of the irony in referring to the 'Daily Sceptic' and the 'Free Speech Union' in the context of better ways to combat APP fraud.  


Monday, 10 October 2022

Card Acquiring Remedies for SMEs

After finding that the UK card acquiring market was not working well for merchants with annual card turnover of up to £50 million, you might have expected that the Payment Systems Regulator would have come out with some pretty heavy remedies. While apparently simple, however, these remedies should strike at the heart of the problems, as previously discussed:

  • Summary boxes containing key, bespoke information on price and non-price factors must be sent/displayed individually to each merchant for use in connection with... 
  • New online quotation tools, which acquirers must provide to help merchants compare all available offerings. 
  • Trigger messages must also be sent/displayed to prompt merchants to shop around, timed to coincide with the expiry of minimum contract terms or, where contracts are indefinite, provided at least once every 30 calendar days. 
  • Lease/hire contracts for point-of-sale (POS) terminals must be limited to an initial term of 18 months, after which they should be terminable on a maximum of one-month's notice.

The regulator has directed 14 firms to implement the changes to POS terminal contracts from January 2023, and the remedies for summary boxes and trigger messages from July 2023. 

The independent sales organisations (ISOs) of those firms must also ensure they are compliant with the requirements. 

The PSR will monitor compliance and the impact of the remedies to determine whether any further action is required. 

I've advised merchants of all sizes and card acquirers, ISOs and payment facilitators; and these initiatives should aid the work required to search for the right acquiring service and organise a switch. 

If you need assistance, please let me know.


Monday, 1 November 2021

New Insolvency Rules for UK E-money and Payment Institutions

The Payment and Electronic Money Institution Insolvency (England and Wales) Rules 2021 (SI 2021/1178) will come into force on 12 November 2021 (there is an explanatory memorandum). The new rules provide detailed operating provisions to support the special administration process for payment institutions and electronic money institutions governed by The Payment and Electronic Money Institution Insolvency Regulations 2021 (SI 2021/716) which came into effect on 8 July 2021 (there is also an explanatory memo relating to those regs).

Amongst other provisions, the new rules: 

  • Require insolvency practitioners to provide a reasonable notice period before a claims bar date comes into effect. 
  • Clarify the full hierarchy of expenses. 
  • Require notice of a bar date to be given to all persons whom the administrator believes to have a right to assert a security interest or other entitlement over the relevant funds. 
  • Require the special administrator to engage closely with payment systems operators during the special administration. 

The Government consultation response explains the evolution of this legislation.

Monday, 12 July 2021

'Slight Delay' To EU Crowdfunding Regulation

The European Securities and Markets Authority has written to the European Commission urging clarification of some important interpretation issues relating to the EU Crowdfunding Regulation and suggesting a 'slight delay' to the proposed implementation date of 10 November 2021. ESMA says the delay would ensure that all the key technical standards are available to applicants and national authorities. I have summarised the letter for Leman Solicitors.

Let me know if you need assistance with any application for authorisation.

 


Friday, 25 June 2021

Payment and E-money Institution Insolvency Regulations Take Effect On 8 July

As covered in December, the Payment and Electronic Money Institution Insolvency Regulations 2021 were passed on 17 June and take effect on 8 July 2021.

While the Regulations mainly deal with an insolvency scenario, it’s worth noting there is also provision for the Financial Conduct Authority to seek a special administration merely where that is ‘fair’ (see Regulation 9(1)(b) and 9(3)). This might assist in cases where the institution is solvent but otherwise proving difficult.

Please let me know if I can help.

Sunday, 7 February 2021

UK Changes To Strong Customer Authentication and Payments Guidance

The FCA is consulting on some noteworthy changes to certain technical aspects of payments regulation and related guidance. Responses to the questions relating to contactless payments should be answered by 24 February 2021, and on the other aspects of the consultation by 30 April 2021. If you need assistance on any of these issues, please let me know.

Specifically, the FCA is changing the regulatory technical standards applicable to strong customer authentication (SCA) to: 

  • create a new SCA exemption in Article 10A so that a customer's payment account provider (ASPSP) does not need to require the customer to reauthenticate every 90 days when accessing account information through an account information service provider (AISP or TPP);
  • limit the scope of the existing Article 10 exemption to when the customer accesses their information directly;
  • add a requirement that where a TPP continues to access account information without the customer actively requesting it, the TPP must reconfirm the customer's explicit consent every 90 days and disconnect access/stop collecting data if the customer fails to re-confirm their consent;
  • require certain ASPSPs to allow access by TPPs to payment accounts via 'dedicated interfaces' rather than modified customer interfaces for personal and SME 'current accounts' ("payment accounts" under the Payment Account Regulations) and credit card accounts held by consumers or SMEs;
  • require that the technical specifications and testing facility only be made available to TPPs from the launch of new products and services, rather than 6 months in advance and that the requirement for a fallback interface should only take effect six months after launch.
  • allow ASPSPs to rely on exemptions from setting up a fallback interface granted by home state competent authorities;
  • amend the threshold at which SCA must be applied to a single payment from £45 to £100-£120 and the threshold value for cumulative contactless payments from £130 to £200.

In addition, the FCA will amend its guidance in the "Approach Document" on how it supervises SCA to be consistent with the above changes and with existing EBA and European Commission guidance as follows:

  • SCA would need to be reapplied where the final amount of a payment is higher than the original amount authorised, unless the final amount is reasonably within the amount the customer agreed to when authorising the payment (not higher by more than 20%) and the customer agreed to the possibility before authorising the original amount.
  • the payee's PSP (e.g. merchant acquirer) should be liable where it triggers an SCA exemption and the transaction is carried out without applying SCA, so (other than where the payer has acted fraudulently) the payer's PSP would refund the customer and be entitled to reimbursement by the payee's PSP.
  • for the purpose of what can be used to satisfy two of the three SCA authentication factors (knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is)): a device could only be used as evidence of 'possession' where there is a reliable means to confirm that the device is actually in the customer's possession; static card data cannot satisfy either the 'knowledge' or the 'possession' factor; behavioural biometrics may satisfy the 'inherence' factor (as they 'relate to physical properties of body parts, physiological characteristics and behavioural processes created by the body, and any combination of these') but not other individual properties, such as spending patterns.
  • the fraud rate calculation used to analyse whether transaction risk is low enough to justify the exemption from SCA should only include unauthorised or fraudulent remote electronic transactions for which the PSP was liable, and no other types of transactions (unlike the calculation for payments fraud reporting under REP017).
  • the corporate exemption is applicable to cards or payment instruments that are 'only available to payers who are not consumers', i.e. only available to corporate customers.
  • the authentication elements the customer uses to access their payment account online (including via a mobile) may be reused if they then initiate a payment within the same online session, so a customer could authenticate the payment with only one extra element where the firm relies on the account log-in password, for example (as long as the dynamic linking element is linked to the SCA element used when the payment is initiated).
  • merchant-initiated transactions: transactions initiated by the payee only, without any involvement from the payer, are not in scope of SCA. While card-based payments generally imply an action by the payer and are considered as 'transactions initiated by the payer, through the payee', where a payer has given a mandate to the payee/merchant for a transaction, or series of transactions, made using a card or other payment instrument then the payments initiated pursuant to this mandate are outside of the scope of SCA. That includes payments made under continuous payment authorities such as a subscription for a streaming service, but SCA is required to set up the mandate.
  • in order to monitor the contactless exemption thresholds, firms use a counter that is either host-based, on a device (which won't count offline transactions), or chip-based, on the physical card (which will count both online and offline transactions); in either case firms should consider the risk of unauthorised or non-compliant contactless transactions being made and monitor the effects of the option in practice.
  • clarify that ASPSPs must share with payment initiation service providers (PISPs): the name of the account holder (if the name is shown to the customer in their online account); and the account number and the sort code (if these are shown to the customer after they make a payment).
  • reflect the fact that ASPSPs must accept at least one other electronic means of identification issued by an independent party, in addition to eIDAS certificates (Article 34 of the SCA-RTS).

The FCA will also amend its guidance in the "Approach Document" on how it more generally supervises the regulation of e-money and payment services to: 

  • make the temporary Covid19 guidance on safeguarding permanent and to extend guidance on risks and controls relating to the insurance method of safeguarding to the guarantee method of safeguarding;
  • include guidance on the Treasury's proposed special administration regime for e-money and payment institutions;
  • reflect the extension of the FCA’s Principles for Businesses to the provision of payment services and issuing of e‑money by certain PSPs and e‑money issuers;
  • reflect the application of certain communication rules and guidance in the Banking Conduct of Business Sourcebook (BCOBS) to communications with payment service and e‑money customers and the communication and marketing of currency transfer services;
  • clarify the FCA's expectations on notifications under the electronic communications exclusion (ECE) and limited network exclusion (LNE) including more detail on the types of information expected as part of a firm’s notification and the types of firms that may be able to benefit from the LNE;
  • update certain reporting requirements;
  • reflect changes following EU withdrawal and the end of the transition period, and the application of our rules and guidance to firms in one of the temporary permission schemes designed to replace passporting as the basis for EEA-based EMIs, PIs and RAISPs to continue operating in the UK for 3 years after the end of the transition period. 

If you need assistance on any of these issues, please let me know.

Monday, 14 September 2020

Payment FinTechs Beware: Banking Law Is Riding The New Payment Rails

Recent cases in the UK have applied English banking law to non-bank accounts that hold customer funds, including the payment accounts of 'fintech' e-money and payment institutions. These cases effectively require the extension of a firm's anti-fraud and/or anti-money laundering programme to guard against the fraudulent misappropriation of a corporate customer's funds by the customer's own directors or other mandate holders. Equally, corporate customers should also be aware that they will need to treat their accounts with non-bank institutions like bank accounts, if they do not already, and be ready to respond promptly and clearly when transactions are queried. If you have concerns in this area, please let me know.

Acting in good faith

Traditionally, banks have been required to execute their customers' instructions promptly, and where a bank acts in good faith and a loss occurs, the customer must bear that loss (Bank of England v Vagliano Bros [1891] AC 107). 

Quincecare Duty

But a bank must not execute a customer's order if, and for so long as, the bank has reasonable grounds (though not necessarily proof) for believing that the order is an attempt to defraud the customer (Barclays Bank plc v Quincecare Ltd [1992] 4 All ER 363). If it were to go ahead, the bank may be liable for the customer's loss.

This "Quincecare duty" protects a company from its funds being stolen by management or staff who've been permitted by the company to operate the company's bank accounts in the ordinary course of business. 

In this type of case (unlike in some other scenarios) the courts tend not to attribute the employee's fraudulent acts to the company, because that would leave the company unprotected from the fraud (Singularis Holdings Ltd (in official liquidation) v Daiwa Capital Markets Europe Ltd [2019] UKSC 50, where the firm was not actually a deposit-taking bank).

Extending this to fintech firms

More recently, the High Court (in Hamblin v World First Ltd [2020] 6 WLUK 314) has made a preliminary ruling which extends all of this law firmly into fintech territory. The court held that: 

  • an action for breach of statutory duty could be brought under the Payment Services Regulations 2017 where the regulations impose a duty for a limited class of the public and there is a clear parliamentary intention to confer a private right of action for breach on members of that class (certain principles derived from EU law should also be considered at the trial);
  • it was arguable that a claim for a breach of the customer's mandate could be estopped (prevented) where the payment service provider acted in good faith, even if the account holder had no directors (!) and was in fact under the control of fraudsters, but it was also observed that the service provider's internal documents relating to the opening of the account could affect the outcome...;
  • it was arguable that the acts of fraudsters who misappropriated funds from the company account should not be attributed to the company, so as to give the company protection from the fraud (Singularis);
  • similarly, a person has 'standing' to bring such claims in the form of a 'derivative action' against a payment provider on behalf of the corporate customer (effectively standing in the shoes of the corporate customer) where that person paid funds to the corporate customer in a way that made the company a trustee (due to its knowledge of the payment and the receipt of funds on trust or as a result of a fraudulent scheme) and where the company as trustee has committed a breach of trust, or in other exceptional circumstances such as fraud. 

Practical Steps  

These cases highlight the importance of having good customer on-boarding and account opening processes/records, as well as 'transaction monitoring' processes - both of which are otherwise required by the anti-money laundering regime in any event. 

A payment service provider should be in a position to know that a corporate customer has no directors, as well as the nature of its business and the purposes for which customers are asked to make payments to its accounts. The service provider must also be able to recognise activity on its customer's payment accounts that is unusual, in order to determine whether it is an attempt to misappropriate funds, as well as whether it is suspicious from a money laundering or terrorist financing perspective. Triggers for suspicion or being 'on notice' of potential for fraud or misappropriation of funds include where the customer is in financial difficulties; there is a breakdown in relations among directors, or directors and shareholders; or the customer has suffered significant security breaches and so on. 

As with suspicious activity from a money laundering perspective, once suspicion or 'notice' is triggered, it must be investigated. Explanations for activity should be sought and should receive appropriate scrutiny (not simply believed and filed); and decisions to proceed or not should be made and documented. Of course this process must be balanced against the need to avoid 'tipping-off' and/or to file a suspicious activity report where appropriate; and the firm should document where those legal and compliance requirements prevent further "Quincecare" related work to resolve whether funds are being misappropriated.

Equally, it is incumbent on corporate account holders to monitor the activity on their own payment accounts, inform the service provider of changes to the nature of their business or solutions to potential 'trigger' problems; and to be ready to respond promptly and clearly to queries from banks and other account providers. Not only should those steps help ensure their funds are not misappropriated, but it should also help avoid a situation where a confused service provider needlessly interrupts the flow of genuine transactions.

If you have concerns in this area, please let me know.


Thursday, 3 September 2020

EU Regulation of Cross-border Crowdfunding Services

The EU Parliament is about to adopt a crowdfunding regulation that will enable 'European crowdfunding service providers' (ECSPs) to help businesses raise funding directly from investors across the EU more easily than they can today. The regulation calls for the related funds flows to be handled under payment services regulation, and adds operational and prudential requirements related to lending and investment in securities. I have covered the regulation in more detail for Leman Solicitors in Ireland, as the EU regulation will be of little use to UK-based platforms owing to Brexit and the end of passporting, even where the regulation applies.

Since helping start Zopa, the first peer-to-peer lending platform, in 2005 I've acted for many peer-to-peer lending platforms and some crowd-investment platforms in the UK, as well as advising in relation to e-money and payment services since 1999. If you have plans in this area, please get in touch.

 

Thursday, 28 May 2020

FCA To Issue Extra Guidance To E-money and Payments Firms On Safeguarding Customer Funds

The Financial Conduct Authority has issued a consultation on its proposed further guidance to firms issuing electronic money and other payment services on how they should avoid their customers' funds being taken by creditors if the firm goes under. Comments are required by 5 June 2020, and the final guidance will be sent to firms' chief executives by the end of June. 

The FCA asks four specific questions:
  • ‘Do you agree that we should provide additional guidance on safeguarding, managing prudential risk, and wind-down plans? If not, please explain why.’
  • ‘Do you agree with our proposed guidance on safeguarding? If not, please explain why.’
  • ‘Do you agree with our proposed guidance on managing prudential risk? If not, please explain why.’
  • ‘Do you agree with our proposed guidance on wind-down plans? If not, please explain why.’
Please let me know if you would like help understanding or responding to the guidance.

Tuesday, 4 February 2020

Equivalence Is No Solution For Most UK Financial Services Accessing The EEA


At the end of 2020, any UK financial firms operating in the EEA under a 'passport' will lose that right. They must either get a new subsidiary authorised in an EU/EEA country and passport from there, or get the subsidiary registered as an agent etc of a local firm with the right passports. Meanwhile, there are calls for the UK government to ask the EU to declare that UK financial regulation is "equivalent" to standards under EU law, so UK firms can continue to access the single market under UK rules. Here's why nobody should wait for that.

The UK has no 'right' to equivalence, even if it can demonstrate a basis for it.

Equivalence is at the discretion of the European Commission, so political considerations can affect the outcome and timing.

Equivalence can be withdrawn at any time without any right of appeal (ask the Swiss).

Only two areas of EU financial regulation allow for equivalence - MiFID (2,250 firms as at August 2016) and AIFMD (212 firms).  In particular, an equivalence finding is not available for deposit-taking (102 banks), insurance (220 firms), insurance distribution (2,758 firms), e-money issuers (66) or other payment services providers (284).

While there have been calls within the EU for a broader framework, the European Commission has considered it and explained that this would be "extremely difficult".

Relying on equivalence would also require the UK to align with EU regulation in the relevant area, with no say in shaping the rules. The UK government is sending mixed messages on this point, having repeatedly said that it is against alignment while repeatedly claiming that it wants future trade arrangements (e.g. a 'Canada deal') that would require it. Johnson is probably hoping that his voters won't understand the magic trick, but everybody else does. Either way, the government is a long way from being able to help the Commission work through an "extremely difficult" equivalence process.

You're on your own. The only viable option is to set up a subsidiary in the EU27 and passport from there. 
 
Let me know if I can help, either in the UK or in Ireland/EEA - particularly on e-money and payment services.


Wednesday, 14 August 2019

UK Delays Anti-fraud Measures For Banking And Payments

It seems payments legislators wrote checks the industry couldn't cash... The UK's Financial Conduct Authority has announced a delayed ‘migration plan’ for phasing in compliance with the Strong Customer Authentication requirements by March 2020 for internet banking and March 2021 for e-commerce transactions, instead of 14 September 2019. The FCA made a separate announcement for consumers.

Update: The FCA has also written to the CEOs of payment service providers it supervises, commending the plan from the trade body, UK Finance for meeting the deferred timeline. This will see SCA phased-in from Feb 2020 for merchants who are ready, with support from the card schemes in driving the adoption of the 3D Secure protocol (3DS 2.1/2) from March/September 2020.

This follows the guidance issued in June by the European Banking Authority that EU national regulators could agree specific migration plans (although I'm not sure the EBA expected industry-wide delays!).

The FCA says that it will not take enforcement action against payment service providers if they do not meet the relevant requirements for SCA from 14 September 2019 in areas covered by the agreed plan, where there is evidence that they have taken the necessary steps to comply with the plan. 

At the end of the 18-month period, the FCA expects all firms to have made the necessary changes and undertaken the required testing to apply SCA. 

It will be interesting to see how much progress is really made in the next 6 to 18 months...


Monday, 24 June 2019

EBA Gives Some Leeway On SCA

There has been increasing concern that the e-commerce world won't be ready for the introduction of "strong customer authentication" (or two-factor authentication) for electronic and remote payments on 14 September 2019. The checks apply to electronic and remote payments, which include payments online, as well as via mobile devices, kiosks or other machines. It is feared many aren't aware of the new checks or the potential that checks will lead to failed or abandoned transactions, causing a hit to retailers' and payment service providers' revenues. The European Banking Authority now says local financial regulators may provide limited additional time to payment service providers to introduce compliant processes "on an exceptional basis and in order to avoid unintended negative consequences for some payment service users" on that date. 

Specifically, the PSPs must have agreed a migration plan with their regulator and execute it "in an expedited manner." The regulator should monitor the execution of the plans "to ensure swift compliance..." 

The opinion also contains tables listing the types of features that will (or, in marginal cases, will not) constitute compliant elements for the purpose of SCA (two of the three categories "inherence", "possession" and "knowledge" - i.e. what the customer is, what the customer possesses, or what the customer knows).

There is also guidance on how to satisfy the additional requirements for "dynamic linking" (to ensure the SCA elements link the transaction to an amount and the specified payee when initiating the transaction) and that the SCA elements be independent of each other.

The EBA issued an earlier opinion and a Q&A on how all this applies, but it remains to be seen how many retailers are aware of the new requirements at all, let alone the potential impact on customer experience and 'conversion' (customers dropping out at the payment step when asked to complete one or more additional authentication steps).

Whether payments are affected depends on whether PSD2 applies - some may be out of scope based on currency or location, while others may be within the scope of PSD2 but excluded. There is then a question whether the transaction is interpreted to be one caught by the SCA requirement. Is it remote or electronic and initiated by the payer (rather than being a 'merchant initiated transaction')? Even transactions that are in scope may not be caught if the issuer (not the merchant or acquirer) of the payment instrument/account applies any of the potential exemptions:
  • Low-value transactions: up to €30 per transaction (limit of five separate transactions or €100);
  • Recurring transactions: e.g. subscriptions for the same amount and payee (SCA applied to the first transaction);
  • Whitelisted: payers can add payees to a whitelist of trusted beneficiaries with the issuer, but payees can't request this;
  • Corporate payment processes: dedicated process for non-consumers, approved by the regulator (member states may exclude micro-enterprises as consumers);
  • Contactless: up to €50 (limit of five separate transactions or €150 without an SCA check);
  • Unattended terminals: only for paying transport fares or parking fees;
  • Low risk of fraud: as determined by the issuer, depending on its average fraud levels for the relevant acquirer (not by merchant/channel), with different limits for cards and credit transfers.
The FCA will apply the SCA standards in the UK even if Brexit occurs.
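As an added illustration (not FCA or EBA code) of how an issuer might work through the exemptions listed above and the "dynamic linking" requirement, here is a small Python decision helper. The thresholds are the page's figures; the counter semantics (both the count and the cumulative-value limits are checked, and both reset whenever SCA is performed), the transaction fields and the HMAC-based linking code are assumptions made for this example.

```python
from dataclasses import dataclass, field
import hashlib, hmac

# Thresholds are the page's figures; the counter semantics are this example's
# assumption: count and cumulative value are both checked and reset on SCA.
LOW_VALUE = {"per_txn": 30.0, "max_count": 5, "max_cumulative": 100.0}
CONTACTLESS = {"per_txn": 50.0, "max_count": 5, "max_cumulative": 150.0}


@dataclass
class IssuerState:
    """What the issuer remembers per payment instrument (assumed model)."""
    count_since_sca: int = 0
    value_since_sca: float = 0.0
    trusted_payees: set = field(default_factory=set)  # payer's whitelist
    recurring_authenticated: set = field(default_factory=set)


@dataclass
class Txn:
    amount: float
    payee: str
    remote: bool              # online/app rather than at a terminal
    payer_initiated: bool     # False for a merchant-initiated transaction
    contactless: bool = False
    recurring_ref: str = ""   # identifies a subscription series, if any
    transport_or_parking: bool = False  # unattended terminal case


def _within_counters(limits, state, amount):
    return (amount <= limits["per_txn"]
            and state.count_since_sca + 1 <= limits["max_count"]
            and state.value_since_sca + amount <= limits["max_cumulative"])


def sca_required(txn: Txn, state: IssuerState):
    """Decide whether SCA must be applied; updates the issuer's counters."""
    if not txn.payer_initiated:
        return False, "merchant-initiated: not caught by SCA"
    reason = None
    if txn.payee in state.trusted_payees:
        reason = "whitelisted payee"
    elif txn.recurring_ref:
        # a series is exempt only after SCA was applied to its first payment
        if txn.recurring_ref in state.recurring_authenticated:
            reason = "recurring: SCA applied to first transaction"
    elif txn.transport_or_parking:
        reason = "unattended transport/parking terminal"
    elif txn.contactless and _within_counters(CONTACTLESS, state, txn.amount):
        reason = "contactless low-value"
    elif txn.remote and _within_counters(LOW_VALUE, state, txn.amount):
        reason = "remote low-value"
    if reason is None:
        # SCA is performed: reset counters, remember the recurring series
        state.count_since_sca, state.value_since_sca = 0, 0.0
        if txn.recurring_ref:
            state.recurring_authenticated.add(txn.recurring_ref)
        return True, "no exemption applies"
    state.count_since_sca += 1
    state.value_since_sca += txn.amount
    return False, reason


def dynamic_link_code(key: bytes, amount: float, payee: str) -> str:
    """Authentication code bound to amount and payee (assumed HMAC form)."""
    msg = f"{amount:.2f}|{payee}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]


def dynamic_link_valid(key: bytes, amount: float, payee: str, code: str) -> bool:
    # fails if the amount or payee changed after the code was generated
    return hmac.compare_digest(dynamic_link_code(key, amount, payee), code)
```

Running five €25 remote payments in a row shows the cumulative €100 limit forcing SCA on the fifth, and a recurring series is only exempt from its second payment onwards.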

Wednesday, 19 June 2019

Extension of FCA Principles And Marketing Rules To Payment Service Providers

From 1 August, the Financial Conduct Authority will begin to enforce its Principles of Business and certain rules on marketing and communications against the payment service providers that it regulates.

The FCA explained its approach in a policy statement earlier this year, but it was likely put off as a summer project, and Brexit will have been a distraction for many. At any rate, chapters 2, 3 and the rules in Annexes A-C are the key parts to read.

Some Key Points

Because many PSPs also provide unregulated services that are allied to their regulated activity (e.g. gateway services and other "technical services" as well as unregulated foreign exchange and e-commerce services), it's important to note that the FCA's high level Principles will also apply to unregulated activities that are "connected" to regulated e-money or payment services. The FCA is refusing to clarify exactly what that means, since the list is long, and this may lead to 'regulatory creep' to the extent PSPs err on the side of caution. 

Equally, a PSP's compliance with the Principles (and even the marketing rules) can be affected by the activities of other group companies - e.g. faulty centralised fraud or risk management systems or other outsourced support services; or misleading ads for an unregulated service that is deemed to be "connected" with the PSP's regulated service.

The FCA is particularly anxious about the misleading promotion of currency transfer services (and 'connected' foreign exchange services, even if unregulated).

The FCA does not care that there is overlap with other advertising and communications requirements - as there is for banks (the 'new' rules on marketing and communications are created by applying the FCA's existing Banking Conduct of Business (BCOB) rules to PSPs). But the FCA does confirm that these rules cannot cut across EU-derived regulations (wither Brexit?).

Next Steps

The extension of the Principles and the marketing rules to PSPs means they will likely need to update various internal policies and procedures, e.g. those dealing with: 
  • Governance (reporting lines and responsibilities to control operational risks);
  • Marketing and communications (the policy and procedures for sign off on your ads and communications to ensure they are clear, fair and not misleading) particularly for payment services involving currency transfer services - and any "connected" unregulated activities; and
  • Treating Customers Fairly (with appropriate cross references to other policies). 
That summer project starts now!

Thursday, 27 December 2018

Is Your Financial Services Provider Ready For A #NoDeal Brexit?

With a 'No Deal' Brexit now central to Tory government strategy, it's critical to ensure the right financial contingency plans are in place for a 'cliff edge' exit with no transition period from 29 March 2019. Unfortunately, however, the European Banking Authority says it is seeing "little evidence of financial institutions communicating effectively to their customers on how they may be affected by the UK withdrawal" and those institutions' Brexit arrangements. So customers have to question their providers about those arrangements. Here's a quick guide to steps those institutions might take, depending on whether they are based in the UK or elsewhere in the EEA... if you do not receive credible, satisfactory commitments to service continuity from existing providers within the next few weeks, you should set-up alternative and/or back-up relationships as soon as possible.

EEA-based firms supplying services into the UK

These firms will have a short window ahead of Brexit day in which to seek temporary regulated status:
  • temporary permission to continue operating in the UK for a limited period after Brexit if they currently passport into the UK under the Financial Services and Markets Act 2000 (FSMA) or the e-money or payment services regimes;
  • temporary recognition if they are third country central counterparties; or
  • temporary registration if they are EU-registered trade repositories. 
If EEA-based firms carry out operations in the UK after Brexit in reliance on EU legislation without entering into these temporary regimes, they may be carrying on regulated activities in the UK without appropriate permissions, which would be a criminal activity and/or mean they cannot meet their contractual obligations.

EEA firms that do not gain full authorisation through the temporary regimes can only continue to carry out new business to the extent necessary to 'run-off' pre-existing contractual obligations in the UK for five years (15 years for firms performing obligations under insurance contracts). They cannot undertake new business or agree new contracts with UK customers. A "supervised run-off" arrangement applies to those firms with a UK branch, firms who enter a temporary regime but exit it without UK authorisation and firms that hold top-up permissions before Brexit. A "contractual run-off" regime will apply to firms without a UK branch that do not enter a temporary regime or do not hold a top-up permission; and will apply for the purposes of winding down UK regulated activities in an orderly manner. Firms with a UK establishment will retain their existing membership of the Financial Services Compensation Scheme. 

A run-off regime for payments firms and e-money firms that do not enter the temporary regime or leave it without full UK authorisation will apply for five years, either on a supervised or contractual basis (though the FCA can require supervised run-off for firms to demonstrate they are safeguarding client funds). 

A run-off regime will apply for non-UK Central Counterparties that are eligible for, but do not enter, the temporary recognition regime, for a period of one year starting on exit day. If a non-UK CCP entered the temporary recognition regime but exits it without the necessary permanent recognition, the Bank of England will determine a non-extendable period for recognition up to a year. 

There will also be a run-off regime for trade repositories that are removed from the temporary registration regime without the necessary permissions to continue to provide services to UK firms, for a non-extendable period of one year, unless the FCA sets a shorter period. 

UK firms dealing with EEA residents

The FCA has suggested that UK financial services providers consider the following questions ahead of Brexit. If the answer is 'Yes' to any of them, then the service provider should understand the legal basis for that scenario and whether another basis is necessary after Brexit - including additional regulatory permissions or a new subsidiary with the right authorisation or agency and necessary permissions in a remaining EEA member state.
  • Do you currently provide any regulated products or services to customers resident in the EEA? For example, you might provide financial advice to EEA based customers. Or you might have insurance contracts either with EEA based customers or which cover risks located in the EEA which require regulatory permission in that country in order to be serviced. 
  • Do you have customers or counterparties based in the EEA, including UK expatriates now based in an EEA country? 
  • Are you marketing financial products in the EEA? This includes products marketed on a website aimed at consumers in the EEA. 
  • Do you have agents in the EEA or interact with any intermediary service providers in the EEA? For example, you may use an insurance intermediary to distribute products into the EEA. 
  • Does your firm transfer personal data between the UK and the EEA or vice versa?
  • Does your firm have membership of any market infrastructure (trading venues, clearing house, settlement facility) based in the EEA? 
  • Are you part of a wider corporate group based in the EEA, or does your firm receive any funding from an entity in the EEA? 
  • Do you outsource or delegate to an EEA firm or does an EEA firm outsource or delegate to you? 
  • Are you party to legal contracts which refer to EU law?
There will now be insufficient time for any provider to get a new authorisation in another EEA member state, and even setting up an agency relationship would be very tough to do within the next few months.

Firms should be informing clients about issues such as:
  • the implications of Brexit on the specific services they provide and the implications for the relationship between the client and the firm;
  • the actions taken by the firm to prevent or detect problems, including how they will deal with client inquiries, changes in competent authorities or protection under national compensation schemes;
  • the implications of any corporate restructuring, including changes to contractual terms or contract transfers;
  • other impact on contractual and/or statutory rights, including the right to terminate existing contracts and cancel new contracts, and any rights of recourse and how to pursue them. 
If you do not receive credible, satisfactory assurances of service continuity post-Brexit from existing providers within the next few weeks, you should set-up alternative and/or back-up relationships as soon as possible.


Thursday, 20 December 2018

FCA Updates Payment Services Approach On Customer Authentication, Gift Cards

The FCA has today published its policy statement explaining changes to the Approach document following the consultation on Strong Customer Authentication and some other revised guidance in September (although the links to the actual revised Approach Document don’t appear to be working correctly at the moment).

Notwithstanding the confusion created by the proposed changes to the guidance on the "limited network exclusion" to exclude gift cards from the scope of PSD2 (no doubt partly due to the obligation to register programmes that exceed €1m in transactions in any 12 month period), the FCA confirms the guidance as follows:
store cards – for example, a ‘closed-loop’ gift card, where the card can only be used at the issuer’s premises or website (so where a store card is co-branded with a third party debit card or credit card issuer and can be used as a debit card or credit card outside the store, it will not benefit from this exclusion). On the other hand, in our view, ‘gift cards’ where the issuer is a retailer and the gift card can only be used to obtain goods or services from that retailer are not payment instruments within the meaning of the PSRs 2017. This is because these basic gift cards do not initiate payment orders; payment for the goods or services is made by the customer to the retailer of the goods in advance, when the card is purchased from the retailer. Accordingly, this exclusion is not relevant to them.
The FCA explains this interpretation in the latest policy statement (at para 6.15) as follows:
"The change we have made to clarify that retailers issuing their own gift cards should not have to notify, is based on the issuer and the retailer being the same person. If the issuer is not the retailer, but the card would be used to purchase goods and services from that retailer, it is possible that the card would be considered a payment instrument under the PSRs 2017 and the limited network exclusion test would be relevant. We already give relevant guidance in PERG Q40 on such instances."
For convenience, the limited network exclusion provides as follows (with the paragraph (k)(i) being the limb which gift card programme operators - and the FCA - have historically assumed applied to avoid gift cards being subject to e-money and payment services regulation):
(k) services based on specific payment instruments that can be used only in a limited way and meet one of the following conditions—
(i) allow the holder to acquire goods or services only in the issuer's premises;
(ii) are issued by a professional issuer and allow the holder to acquire goods or services only within a limited network of service providers which have direct commercial agreements with the issuer;
(iii) may be used only to acquire a very limited range of goods or services; or
(iv) are valid only in a single EEA State, are provided at the request of an undertaking or a public sector entity, and are regulated by a national or regional public authority for specific social or tax purposes to acquire specific goods or services from suppliers which have a commercial agreement with the issuer.

This overlooks the fact that, while the retailer may already have received the funds or value from the purchaser of the gift card/account (potentially via a payment service provider under a regulated payment transaction), the "holder" is often a different person who later uses the gift card/account balance as a means of acquiring goods or services (even if that transaction is only recorded in the retailer's own accounting system and not processed via a third party payment provider).
While the FCA's view may be factually and logically correct (particularly from a VAT standpoint), and will no doubt come as a relief to retailers who would otherwise have to register programmes, it involves an apparent re-interpretation of the relevant definitions to overlook what may be regarded as certain 'legal fictions' in the PSD and PSD2 that operate to catch other payment methods - particularly in relation to card payments, for example. The FCA's guidance should therefore confirm the step-by-step rationale as to why no "payment order" is initiated; how the gift card scenario falls outside the definitions of "payment transaction"; and why neither the gift card holder nor the retailer/issuer is a "payer" or "payee" respectively. But I suspect that may open a can of worms...

The FCA's view also represents a key area of potential divergence from EU payments law in the Brexit context, to the extent that the Commission and EEA regulators may well decline to adopt the FCA's interpretation. The Central Bank of Ireland, for example, includes "prepaid gift card to buy cinema tickets" in the list of programmes that fall within the limited network exclusion. The FCA does not seem to be concerned that the same programme that regulators insist must be registered in, say, France - and therefore surface in the European Banking Authority's register of large limited networks - would not be registered at all in the UK. That wider uncertainty creates confusion and the potential for "regulatory creep" as firms might take action beyond what is required by the FCA in order to avoid it - such as shutting programmes, outsourcing or applying to register unnecessarily (at least from a UK standpoint). 

The sooner such scope for confusion at EEA level is removed, the better.

At the same time, however, the FCA's view does not alter the need for retailers to be careful about the implications of any changes made to their programme, in case they find that the limited network exclusion does then apply and needs to be registered.