
Sunday, 7 February 2021

UK Changes To Strong Customer Authentication and Payments Guidance

The FCA is consulting on some noteworthy changes to certain technical aspects of payments regulation and related guidance. Responses on the questions relating to contactless payments are due by 24 February 2021, and on the other aspects of the consultation by 30 April 2021. If you need assistance on any of these issues, please let me know.

Specifically, the FCA is changing the regulatory technical standards applicable to strong customer authentication (SCA) to: 

  • create a new SCA exemption in Article 10A so that a customer's payment account provider (ASPSP) does not need to require the customer to reauthenticate every 90 days when accessing account information through an account information service provider (AISP or TPP);
  • limit the scope of the existing Article 10 exemption to when the customer accesses their information directly;
  • add a requirement that, where a TPP continues to access account information that the customer has not actively requested, the TPP must reconfirm the customer's explicit consent every 90 days and disconnect access/stop collecting data if the customer fails to re-confirm their consent;
  • require certain ASPSPs to allow access by TPPs to payment accounts via 'dedicated interfaces' rather than modified customer interfaces for personal and SME 'current accounts' ("payment accounts" under the Payment Account Regulations) and credit card accounts held by consumers or SMEs;
  • require that the technical specifications and testing facility only be made available to TPPs from the launch of new products and services, rather than six months in advance, and that the requirement for a fallback interface should only take effect six months after launch;
  • allow ASPSPs to rely on exemptions from setting up a fallback interface granted by home state competent authorities;
  • amend the threshold at which SCA must be applied to a single payment from £45 to £100-£120 and the threshold value for cumulative contactless payments from £130 to £200.

In addition, the FCA will amend its guidance in the "Approach Document" on how it supervises SCA to be consistent with the above changes and with existing EBA and European Commission guidance as follows:

  • SCA would need to be reapplied where the final amount of a payment is higher than the original amount authorised, so long as the final payment is reasonably within the amount the customer agreed to when authorising the payment and not higher by more than 20% and the customer has agreed to the possibility before authorising the original amount. 
  • the payee's PSP (e.g. merchant acquirer) should be liable where it triggers an SCA exemption and the transaction is carried out without applying SCA, so (other than where the payer has acted fraudulently) the payer's PSP would refund the customer and be entitled to reimbursement by the payee's PSP;
  • for the purpose of what can be used to satisfy two of the three SCA authentication factors (knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is)): a device could only be used as evidence of 'possession' where there is a reliable means to confirm that the device is actually in the customer's possession; static card data cannot satisfy either the 'knowledge' or 'possession' factor; behavioural biometrics may satisfy the 'inherence' factor (as they 'relate to physical properties of body parts, physiological characteristics and behavioural processes created by the body, and any combination of these') but not other individual properties, such as spending patterns;
  • the fraud rate calculation used to analyse whether transaction risk is low enough to justify the exemption from SCA should only include unauthorised or fraudulent remote electronic transactions for which the PSP was liable, and no other types of transactions (unlike the calculation for payments fraud reporting under REP017);
  • the corporate exemption is applicable to cards or payment instruments that are 'only available to payers who are not consumers', i.e. only available to corporate customers;
  • the authentication elements the customer uses to access their payment account online (including via a mobile) may be reused if they then initiate a payment within the same online session, so a customer could authenticate the payment with only one extra element where the firm relies on the account log-in password, for example (as long as the dynamic linking element is linked to the SCA element used when the payment is initiated);
  • merchant-initiated transactions: transactions initiated by the payee only, without any involvement from the payer, are not in scope of SCA. While card-based payments generally imply an action by the payer and are considered as 'transactions initiated by the payer, through the payee', where a payer has given a mandate to the payee/merchant for a transaction, or series of transactions, made using a card or other payment instrument, then the payments initiated pursuant to this mandate are outside the scope of SCA. That includes payments made under continuous payment authorities such as a subscription for a streaming service, but SCA is required to set up the mandate;
  • in order to monitor the contactless exemption thresholds, firms use a counter that is either host-based, on a device (which will not count offline transactions), or chip-based, on the physical card (which will count both online and offline transactions); in either case firms should consider the risk of unauthorised or non-compliant contactless transactions being made and monitor the effects of the chosen option in practice;
  • clarify that ASPSPs must share with payment initiation service providers (PISPs): the name of the account holder (if the name is shown to the customer in their online account); and the account number and the sort code (if these are shown to the customer after they make a payment);
  • reflect the fact that ASPSPs must accept at least one other electronic means of identification issued by an independent party, in addition to eIDAS certificates (Article 34 of the SCA‑RT). 
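As an added illustration of the counter point above (this is example code, not code from the post or from the FCA), the following Python models a host-based counter and a chip-based counter against the same stream of contactless taps. It assumes the £100 lower bound of the proposed single-payment range, the proposed £200 cumulative threshold, and that the cumulative counter resets to zero once SCA has been applied; the transaction stream is constructed. It shows the gap the guidance warns about: an offline approval never reaches the host, so the host-based counter under-counts and lets a later tap through under the exemption where the chip-based counter would already have required SCA.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List

# Thresholds taken from the consultation summary above. The single-payment proposal is
# a £100-£120 range; the £100 lower bound is assumed here.
SINGLE_LIMIT = Decimal("100")
CUMULATIVE_LIMIT = Decimal("200")

SCA_REQUIRED = "sca_required"            # exemption unavailable: step up to SCA, counter resets
EXEMPT = "exempt"                        # contactless exemption applied, amount added to counter
OFFLINE_UNCOUNTED = "offline_uncounted"  # approved offline, invisible to a host-based counter


@dataclass
class Tx:
    amount: Decimal
    online: bool  # True: authorised through the issuer host; False: approved offline at the terminal


@dataclass
class ContactlessCounter:
    """Cumulative contactless value since the last SCA, kept either on the host or on the chip."""
    host_based: bool
    running_total: Decimal = Decimal("0")

    def decide(self, tx: Tx) -> str:
        if self.host_based and not tx.online:
            # An offline approval is never sent to the host, so a host-based counter cannot
            # see it, let alone count it. This is the blind spot the guidance points at.
            return OFFLINE_UNCOUNTED
        if tx.amount > SINGLE_LIMIT or self.running_total + tx.amount > CUMULATIVE_LIMIT:
            # Either threshold breached: SCA must be applied. Assumed here: applying SCA
            # starts a fresh cumulative cycle.
            self.running_total = Decimal("0")
            return SCA_REQUIRED
        self.running_total += tx.amount
        return EXEMPT


def run(counter: ContactlessCounter, txs: List[Tx]) -> List[str]:
    """Feed a transaction stream through one counter and collect the per-tap decisions."""
    return [counter.decide(tx) for tx in txs]


def compare(txs: List[Tx]) -> Dict[str, List[str]]:
    """Run the same stream through both counter designs so the divergence is visible."""
    return {
        "host": run(ContactlessCounter(host_based=True), txs),
        "chip": run(ContactlessCounter(host_based=False), txs),
    }


# Constructed sample stream: four £60 taps, the second approved offline, then a £150 tap.
SAMPLE = [
    Tx(Decimal("60"), online=True),
    Tx(Decimal("60"), online=False),
    Tx(Decimal("60"), online=True),
    Tx(Decimal("60"), online=True),
    Tx(Decimal("150"), online=True),
]

if __name__ == "__main__":
    for name, decisions in compare(SAMPLE).items():
        print(f"{name}: {decisions}")
```

On this stream the chip-based counter reaches £240 on the fourth tap and demands SCA, while the host-based counter, having never seen the offline £60, believes the running total is £180 and applies the exemption again; both require SCA for the £150 tap because it breaches the single-payment limit on its own.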

The FCA will also amend its guidance in the "Approach Document" on how it more generally supervises the regulation of e-money and payment services to: 

  • make the temporary Covid-19 guidance on safeguarding permanent and extend the guidance on risks and controls relating to the insurance method of safeguarding to the guarantee method of safeguarding;
  • include guidance on the Treasury's proposed special administration regime for e-money and payment institutions;
  • reflect the extension of the FCA’s Principles for Businesses to the provision of payment services and issuing of e‑money by certain PSPs and e‑money issuers;
  • reflect the application of certain communication rules and guidance in the Banking Conduct of Business Sourcebook (BCOBS) to communications with payment service and e‑money customers and the communication and marketing of currency transfer services;
  • clarify the FCA's expectations on notifications under the electronic communications exclusion (ECE) and limited network exclusion (LNE) including more detail on the types of information expected as part of a firm’s notification and the types of firms that may be able to benefit from the LNE;
  • update certain reporting requirements;
  • reflect changes following EU withdrawal and the end of the transition period, and the application of the FCA's rules and guidance to firms in one of the temporary permission schemes designed to replace passporting as the basis for EEA-based EMIs, PIs and RAISPs to continue operating in the UK for 3 years after the end of the transition period.

If you need assistance on any of these issues, please let me know.

Thursday, 27 December 2018

Is Your Financial Services Provider Ready For A #NoDeal Brexit?

With a 'No Deal' Brexit now central to Tory government strategy, it's critical to ensure the right financial contingency plans are in place for a 'cliff edge' exit with no transition period from 29 March 2019. Unfortunately, however, the European Banking Authority says it is seeing "little evidence of financial institutions communicating effectively to their customers on how they may be affected by the UK withdrawal" and those institutions' Brexit arrangements. So customers have to question their providers about those arrangements. Here's a quick guide to the steps those institutions might take, depending on whether they are based in the UK or elsewhere in the EEA... if you do not receive credible, satisfactory commitments to service continuity from existing providers within the next few weeks, you should set up alternative and/or back-up relationships as soon as possible.

EEA-based firms supplying services into the UK

These firms will have a short window ahead of Brexit day in which to seek temporary regulated status:
  • temporary permission to continue operating in the UK for a limited period after Brexit if they currently passport into the UK under the Financial Services and Markets Act 2000 (FSMA) or the e-money or payment services regimes;
  • temporary recognition if they are third country central counterparties; or
  • temporary registration if they are EU-registered trade repositories. 
If EEA-based firms carry out operations in the UK after Brexit in reliance on EU legislation without entering into these temporary regimes, they may be carrying on regulated activities in the UK without appropriate permissions, which would be a criminal activity and/or mean they cannot meet their contractual obligations.

EEA firms that do not gain full authorisation through the temporary regimes can only continue to carry out new business to the extent necessary to 'run-off' pre-existing contractual obligations in the UK for five years (15 years for firms performing obligations under insurance contracts). They cannot undertake new business or agree new contracts with UK customers. A "supervised run-off" arrangement applies to those firms with a UK branch, firms who enter a temporary regime but exit it without UK authorisation and firms that hold top-up permissions before Brexit. A "contractual run-off" regime will apply to firms without a UK branch that do not enter a temporary regime or do not hold a top-up permission, and will apply for the purposes of winding down UK regulated activities in an orderly manner. Firms with a UK establishment will retain their existing membership of the Financial Services Compensation Scheme.

A run-off regime for payments firms and e-money firms that do not enter the temporary regime or leave it without full UK authorisation will apply for five years, either on a supervised or contractual basis (though the FCA can require supervised run-off for firms to demonstrate they are safeguarding client funds). 

A run-off regime will apply for non-UK Central Counterparties that are eligible for, but do not enter, the temporary recognition regime, for a period of one year starting on exit day. If a non-UK CCP entered the temporary recognition regime but exits it without the necessary permanent recognition, the Bank of England will determine a non-extendable period for recognition up to a year. 

There will also be a run-off regime for trade repositories that are removed from the temporary registration regime without the necessary permissions to continue to provide services to UK firms, for a non-extendable period of one year, unless the FCA sets a shorter period. 

UK firms dealing with EEA residents

The FCA has suggested that UK financial services providers consider the following questions ahead of Brexit. If the answer is 'Yes' to any of them, then the service provider should understand the legal basis for that scenario and whether another basis is necessary after Brexit, including additional regulatory permissions or a new subsidiary with the right authorisation or agency and necessary permissions in a remaining EEA member state.
  • Do you currently provide any regulated products or services to customers resident in the EEA? For example, you might provide financial advice to EEA based customers. Or you might have insurance contracts either with EEA based customers or which cover risks located in the EEA which require regulatory permission in that country in order to be serviced. 
  • Do you have customers or counterparties based in the EEA, including UK expatriates now based in an EEA country? 
  • Are you marketing financial products in the EEA? This includes products marketed on a website aimed at consumers in the EEA. 
  • Do you have agents in the EEA or interact with any intermediary service providers in the EEA? For example, you may use an insurance intermediary to distribute products into the EEA. 
  • Does your firm transfer personal data between the UK and the EEA or vice versa?
  • Does your firm have membership of any market infrastructure (trading venues, clearing house, settlement facility) based in the EEA? 
  • Are you part of a wider corporate group based in the EEA, or does your firm receive any funding from an entity in the EEA? 
  • Do you outsource or delegate to an EEA firm or does an EEA firm outsource or delegate to you? 
  • Are you party to legal contracts which refer to EU law?
There will now be insufficient time for any provider to get a new authorisation in another EEA member state, and even setting up an agency relationship would be very tough to do within the next few months.

Firms should be informing clients about issues such as:
  • the implications of Brexit on the specific services they provide and the implications for the relationship between the client and the firm;
  • the actions taken by the firm to prevent or detect problems, including how they will deal with client inquiries, changes in competent authorities or protection under national compensation schemes;
  • the implications of any corporate restructuring, including changes to contractual terms or contract transfers;
  • other impact on contractual and/or statutory rights, including the right to terminate existing contracts and cancel new contracts, and any rights of recourse and how to pursue them. 
If you do not receive credible, satisfactory assurances of service continuity post-Brexit from existing providers within the next few weeks, you should set up alternative and/or back-up relationships as soon as possible.


Monday, 30 July 2018

UK To Give EEA Firms 3 Years Temporary Permission Post-Brexit

The UK proposes to grant temporary permissions to EEA firms currently operating in the UK under EU financial services 'passports' to continue their UK activities, for three years after Brexit day. 

HM Treasury states that the regime will ensure that: 
  • EEA firms can continue to carry out business as before, writing new contracts and servicing existing contracts entered into before exit day for the temporary period after exit day;
  • EEA firms have appropriate time to prepare for and submit applications for UK authorisation and complete any necessary restructuring; and
  • The PRA and the FCA can manage the expected applications for UK authorisation from EEA firms in a smooth and orderly manner.

The FCA has published its own webpage on how it will implement the temporary permission regime (TPR).

Firms wishing to use the TPR must notify the FCA online between early January 2019 and a date (not yet specified) prior to exit day. Such firms will be allocated a period within which they must submit their application for UK authorisation. The FCA expects the first such window to be October to December 2019 and the last to be January to March 2021. The FCA intends to consult in autumn 2018 on the rules that will apply to firms and funds in the TPR, with a policy statement and final rules early in 2019.