The FCA has outlined its approach to implementing key standards under the revised Payment Services Directive.
The FCA has published a statement on its website relating to the European Banking Authority’s (EBA’s) Opinion and draft Guidelines of 13 June 2018 on the Regulatory Technical Standards on Strong Customer Authentication and Common and Secure Communication under PSD2 (the RTS).
The drafting of the RTS, which will apply from 14 September 2019, proved to be one of the most controversial aspects of the revised Payment Services Directive (PSD2) (for background on the RTS, please see Latham’s related Client Alert).
The RTS provide for how account information service providers and payment initiation service providers — commonly referred to as third party providers (TPPs) — should interact with account servicing payment service providers (ASPSPs) such as banks. This is crucial to enabling TPPs to provide their services, which rely on ASPSPs making available certain information regarding a customer’s payment account (with the customer’s consent). In turn, these new services will help to open up the banking sector to new business models.
The RTS require ASPSPs to make account information available to TPPs via either a modified version of the customer interface, or a dedicated interface (such as a secure application programming interface, or API). If an ASPSP decides to implement a dedicated interface, they must also have a “fall-back mechanism” in place, in case the dedicated interface should fail.
The RTS exemption allowing ASPSPs not to build a contingency access mechanism for TPPs, so long as the ASPSP’s dedicated interface meets certain conditions, has proved controversial. National regulators must determine whether or not a particular ASPSP qualifies for the exemption, and the EBA’s draft Guidelines clarify how national regulators should apply this exemption. However, issues associated with the exemption process likely will remain, given that assessment against the conditions requires an analysis of technical features of the interface. Not all national regulators will have the expertise to carry out such assessments.
The FCA indicates in its statement that it is supportive of the EBA’s publications, and expects to comply with the Guidelines (which will apply on a “comply or explain” basis).
The FCA also highlights some key points for market participants to bear in mind in relation to the exemption, including:
- The FCA encourages ASPSPs to take the option of providing a dedicated interface. The FCA would encourage ASPSPs to use standardised APIs (such as those developed by the Open Banking Implementation Entity) as a framework, to the extent that these align with PSD2 requirements.
- ASPSPs must ensure availability of the technical specifications for their interfaces, and provide a support and testing facility, by 14 March 2019 (i.e., they must be ready six months before the RTS apply). The FCA encourages ASPSPs providing dedicated interfaces and planning to apply for the exemption to make the above available before this date.
- ASPSPs must avoid imposing unnecessary requirements (such as additional consent checks, or redirection to the ASPSP’s site for authentication) when designing and implementing their dedicated interfaces. Further, the FCA would not be able to exempt ASPSPs whose implementation creates obstacles to the provision of account information and payment initiation services (for example, if an interface creates delays and friction in the customer journey). But the EBA does stress that the use of what is commonly referred to as “redirection” is not in itself an obstacle.
- All interfaces fall within the scope of the RTS. Therefore, even if an ASPSP is not providing a dedicated interface, they will still have to ensure that the interface meets certain regulatory requirements.
- The FCA is not permitted to grant a partial exemption. ASPSPs will be able to engage with the FCA before submission of an exemption request, which may assist in ensuring the relevant criteria are met.
In terms of timing, the FCA states that it plans to consult on changes to its rules and guidance over the summer to reflect the RTS and related EBA publications. This will include consulting on the FCA’s proposed process for making exemption assessments, and the level of information required for such assessments. The FCA expects that it will be able to start making exemption assessments from early 2019. Although the FCA hopes to make assessments promptly, it encourages ASPSPs to make their requests for exemption on a timely basis.
ASPSPs looking to reduce IT build time and costs will welcome the addition of the exemption to the RTS, and the subsequent guidance on its application. ASPSPs hoping to apply for the exemption should familiarise themselves with the draft EBA Guidelines, and look out for the FCA consultation over the summer. Clearly the FCA wants to encourage strong take-up of open APIs by the industry, but timing is tight for the development of such platforms in accordance with all of the relevant technical specifications.
In parallel with these developments, many ASPSPs (including the main high street banks) are in the process of rolling out their own account information and payment initiation solutions. These ASPSPs want to avoid being left behind as consumer confidence in “over the top” banking and payment services increases. ASPSPs’ strategies in this area are likely to be relevant to their decisions as to whether to request the exemption.