PSD2 – Are you Ready?

With the clock ticking, and just over a month until the changes to the regulation of payment services and e-money come into force, the revised regime will see a significant change to the way in which payment services and e-money are regulated.

All businesses which undertake any payment services or e-money activities should consider whether they are impacted by the changes – the chances are, they will be. Certain businesses will need to become registered or authorised for the first time. All existing payment institutions and e-money institutions will need to be re-registered or re-authorised. Firms should act now.

The key areas of change are:

• significant restrictions on existing negative scope exclusions;
• firms wanting to rely on certain negative scope exclusions will be required to register with the FCA;
• new categories for account information service providers (AISP) and payment institution service providers (PISP) who will fall within the scope of regulation for the first time;
• all existing authorised and registered payments services providers and electronic money service providers will need to apply to be re-authorised and re-registered; and;
• handbook changes.

As such, any business involved in payment services or electronic money, whether authorised, registered or unregulated, will need to consider the extent of the impact of the PSR on its business. Currently unregulated businesses should also note that criminal sanctions apply where businesses do not take the appropriate steps re: notification, registration or authorisation.

Key changes

Negative scope exclusions

PSR has applied some significant restrictions on existing negative scope exclusions which will result in a larger number of businesses being caught by the PSR. There are four key changes:

• commercial agents: the exemption will only apply where commercial agents involved in the transaction act in favour of only one of the two parties (payer or payee) and not for both. In addition, permission to act on behalf of either party must now be given via an agreement to negotiate or conclude the sale of purchase of goods or services on behalf of the payer or payee but not both.
• electronic communications: the digital download exemption has been replaced with the electronic communications exemption which applies to transactions made through a provider of electronic communications services or networks for a subscriber to the service or network (e.g. telecommunications operators):
  • to purchase digital content and services in voice technology; or
  • made by or through an electronic device and charged through the bill as part of a charitable activity or to purchase tickets. In relation to both, to be able to rely on the electronic communications exemption, an individual payment transaction must not exceed £40, while the total value of payment transactions for a single subscriber must not exceed £240 monthly. Where a business intends to rely on this exemption, it should provide notification to the FCA and will be required to provide an annual report prepared by an auditor certifying that the transaction limits set out above have not been exceeded.  As such, any businesses intending to rely on this exclusion will have to have appropriate systems and controls in place to ensure that the limits are not exceeded. Businesses who are likely to exceed these limits, even infrequently, will need to seek the appropriate authorisation.

• limited network exclusion: the definition of a network has been reduced significant. Businesses which intend to rely on this exclusion, may still be required to provide notification to the FCA if the value of payment transactions executed was more than £1 million in the preceding 12 months. This is an ongoing obligation and places a requirement on the business to notify the FCA if it exceeds the payment threshold. Once notification has been made, the FCA will require this to be updated annually.

Businesses who currently rely on any of these negative scope exclusions, should ensure that they remain outside of regulation. Where notification to the FCA is required, businesses should note the following timelines:

1. Businesses which currently rely on the firms operating under the electronic communications exclusion will have to notify the FCA by 13 January 2018, or before they commence the provision of such services.
2. Those operating under the limited network exclusion will have to notify the FCA from 13 January 2019.

In both cases, those wishing to notify earlier can make notifications now.

New to regulation

Payment Initiation Service (PIS): an online service which accesses a user’s payment account to initiate the transfer of funds on their behalf with the user’s consent and authentication. Payment initiation services provide an alternative to paying online using a credit card or debit card. Businesses that provide payment initiation services must be authorised and must have a minimum of €50,000 in initial capital (or higher if they provide certain other payment services).

Account Information Service (AIS): an online service which provides consolidated information on payment accounts held by a payment service user with payment service providers. These services already exist in the UK, however, PSD2 will bring them within the scope of regulation; ensure that AISPs can receive access to payment accounts and place requirements on them to ensure security for users.

For firms that only carry on account information services, there is an option to become a ‘registered account information service provider’. These providers will have no capital requirements and will need to meet fewer conditions than authorised firms.

Both AISPs and PISPs will have to hold professional indemnity insurance (PII).

Firms that need to become authorised or registered as a result of these changes have been able to submit applications to be registered or authorised since October 2017. Firms that are unregulated and carrying out AIS or PIS activities and are new to the market will have to be authorised or registered if they wish to carry on business from 13 January 2018.

Existing registered and authorised payment and e-money institutions

The authorisation changes will not be solely relevant to new firms who have never been authorised before.  The PSR will require all existing:

• Authorised payment institutions (API)
• Electronic money institutions (EMI)
• Small payment institution (SPI) and;
• Small electronic money institution (SEMI) to apply to be re-authorised or re-registered.

Existing APIs and EMIs will need to provide additional information by deadlines set out in the PSRs and must meet the conditions for authorisation (including the new conditions) if they wish to continue to provide payments services after the transitional period has ended.

Under the draft PSRs, existing APIs will need to submit the following additional “PSR Schedule 2” information to the FCA (or confirm via the application process that the material has already been submitted):

• Procedures for incident reporting
• Processes in place to file, monitor, track and restrict access to sensitive payment data
• Principles and definitions they apply for collecting statistical data on performance, transactions and fraud
• Arrangements for business continuity and the procedure for testing and reviewing these plans
• Security policy, including risk assessment and mitigation measures to adequately protect payment service users against identified risks, including fraud and illegal use of sensitive and personal data
• Description of checks on agents and branches
• Professional indemnity insurance held (for firms that propose providing account information or payment initiation services).

Existing SPIs and SEMIs will need to provide the same information as would be required for a business applying for registration for the first time. It should also be noted that SPIs and SEMIs cannot provide AIS or PIS. Businesses that intend to do so, will need to apply to be fully authorised.

All existing APIs, EMIs, and SEMIs will need to provide any new information to the FCA before 13 April 2018 in order to continue operating on or after 13 July 2018.

SPIs must make their applications no later than 13 October 2018 if they intend to continue providing payment services on or after 13 January 2019.

The application window is open.

FCA Handbook changes

Businesses who are/intend to be authorised should take note of the following additional changes to the FCA Handbook.

Complaints handling rules

• Complaints: complaints under the jurisdiction of the Financial Ombudsman Service extended
• Timing: complaints will be required to be dealt with within 15 business days (35 in exceptional circumstances)

Supervision manual

Qualifying holdings and change in controllers notifications to be aligned with FCA general requirements for payment services firms.

Regulatory Reporting – there are new/additional reporting obligations in relation to:

• Complaints
• The existing API return, FSA056, will be modified.  Questions added, resulting in an increase of 19 questions. The revised questions cover the authorised PI’s income, safeguarding arrangements, the value and volume of payment services activity, access to payment systems
• Fraud reporting
• Close Links and Controllers Reports

The FCA approach document to payment Services

The PSR brings about a number of changes to conduct of business requirements for payment services providers covering a wide range of issues:

• Information requirements
• Statements
• Rights and obligations in relation to the provision of payment services.