Payment Matters: No. 51

• United Kingdom

• Payment systems and digital commerce
• Consumer
• Financial services - Digital Financial Services
• Financial services - Payment services
• Technology, Media and Telecoms

18-10-2021

Contents (click to jump to an article)

1. Draft Delegated Regulation supplementing Directive (EU) 2015/2366 is currently with the European Commission

2. UK Competition Authority Approves Use of Variable Recurring Payment Sweeping

3. The European Banking Authority publishes clarifications to issues raised in relation to Application Programming Interfaces

4. Open Banking leading to ‘Open Finance’

5. JURI report on proposed cross-border payments Regulation

 

1. Draft Delegated Regulation supplementing Directive (EU) 2015/2366 is currently with the European Commission

Following its consultation in 2017, a draft Delegated Regulation (C(2021) 4273) which is supplementary to regulatory technical standards (“RTS”) of the Payment Services Directive (Directive (EU) 2015/2366) (“PSD2”) was adopted by the European Commission. The amended RTS aims to deliver consistent supervision of payment institutions (“PIs”) and electronic money institutions (“EMIs”) who provide payment services on a cross-border basis in the EU. In particular, it sets out a new framework for co-operation and exchange of information between competent authorities of a payment institution’s and electronic money institution’s home and host Member States (under Title II of PSD2). The RTS also clarifies how Member States’ compliance with transposing Titles III and IV of PSD2 into national law will be monitored.

The draft Delegated Regulation is currently being scrutinised by the Council of the EU and the European Parliament. It is due to come into force 20 days following its publication in the Official Journal of the European Union.

What this means for you?

It is unclear whether the Commission will enforce the Delegated Regulation in part or in full, or whether any amendments will be made to the current draft. However, as per the current draft, RTS will impact:

Payment Institutions

If designated, PIs will have to cooperate and exchange information with competent authorities of Member States in which they provide their services via a branch or an agency (each a ‘host’ member State), and competent authorities of the Member State where they have their head office (a ‘home’ Member State). The RTS will set out the cooperation reporting obligations and include the means and scope of information required by the home and/or host Member State. PIs should keep a watching brief of the Delegated Regulation, and familiarise themselves with the reporting periods and data breakdowns these reports will require.

Electronic Money Institutions

The procedures for supervision of PIs will also apply to EMIs. EMIs may not issue electronic money through agents, but where they provide payment services through branches or agents in host Member States, submission of information for monitoring compliance with national law required of PIs under Titles III and IV of PSD2 will also apply to EMIs. EMIs operating on this basis should keep a watching brief of any amendments to the Delegated Regulation and be prepared for any future reporting conditions on their payment services provision.

Competent authorities

The competent authorities of each Member State will be asked to:

• designate a point of contact to the European Banking Authority (the “EBA”) and competent authorities in other Member States, and produce standardised forms and deadlines for requests and notifications for exchange of information under the RTS, including the language in which it should receive all correspondence;
• confirm with PIs and EMIs (including those with branches or agents in their territories) and the EBA whether they require PIs to report to them periodically on the activities carried out, and what the basis of those reports will be; and
• provide guidance to PIs and EMIs as to on-site inspections of an agent/branch in another host Member State or head office in the home Member State.

Return to top ^

 

2. UK Competition Authority Approves Use of Variable Recurring Payment Sweeping

The Competition and Markets Authority (“CMA”) has told the Open Banking Implementation Entity (“OBIE”) in an open letter that variable recurring payments (“VRPs”) are the most ‘appropriate and proportionate mechanism’ for “sweeping” as part of its evaluation of the functionality.

Sweeping is a generic term for the regular movement of funds between accounts and is proposed by the OBIE as a tool that consumers and businesses can use to manage their finances by automating transfers between their accounts e.g. to pay overdrafts, or move excess funds to high-interest savings accounts. VRPs allow customers to link authorised payment providers (or sweeping service providers (“SSPs”)) to their payment accounts so that they can make payments on behalf of those customers, subject to the Payment Services Regulations 2017 (“PSR 2017”) and OBIE guidance and standards. The CMA notes that the fraud risk for VRPs is not greater than any other payment method.

This smarter version of Direct Debits is the final large piece of functionality to be delivered under the open banking remedies.

What this means for you?

OBIE has been given its choice of deadline for mandating VRPs for the purpose of sweeping and the CMA has said it expects this to be in January 2022. It is anticipated that sweeping will drive greater innovation and competition as firms develop new services that use VRPs to help consumers and SMEs manage their finances. 

SSPs will be expected to develop solutions to facilitate their access to consumer payment account information, perform analysis and calculate consumer funds to be transferred (including determining whether it is in the interest of the consumer to move funds) and then initiate the payment from the payment account to the destination account. SSPs must be FCA-regulated firms and comply with all relevant conduct requirements.

Certain UK current account providers will have to implement VRPs within the next few months and allow access to third party SSPs who are using VRPs to enable their customers to move money between accounts (both internally and externally).

Firms should keep in mind the OBIE’s comments on treating customers fairly, including its guidance for sweeping which sets out important aspects of best practice. Particularly, consent parameters must be appropriately drafted and sufficiently narrow to say that a customer has consented to that transaction as a continuous payment authority in line with the rules in the FCA Handbook and what the PSR 2017 sets out.

Return to top ^

 

3. The European Banking Authority publishes clarifications to issues raised in relation to Application Programming Interfaces

On 30 July 2021, the EBA published responses to a sixth set of issues that had been raised by participants of its application programme interfaces (“API”) under PSD2 Working Group. The Working Group was formed to identify and propose solutions to address challenges market participants face when using APIs introduced by PSD2. This set of responses relate to issues such as authentication with electronic signatures, biometrics and authentication on mobile apps, efforts to prevent social engineering fraud, the ability for payment initiation service providers (“PISPs”) to refuse a payer’s request to initiate a payment transaction, and complexity in the account servicing payment service providers (“ASPSPs”) authentication process.

What this means for you?

The EBA is expected to provide further clarifications to the industry on the responses over the next few months, however, for now they highlight that:

1. Electronic signatures required by ASPSPs instead of, or in addition to, the usual strong customer authentication (“SCA”) procedure in an account information services journey of a payment services user (“PSU”) will not be compliant with the requirements of Article 30(2) of the RTS (Commission Delegated Regulation (EU) 2018/389) on SCA & common and secure communication. Organisations should keep in mind that such electronic signatures should not be used as they are viewed as burdensome and pose a threat to good customer journeys which could otherwise rely on biometric authentication.
2. PISPs should comply with the proposed requirements set out in the EBA Guidelines aimed at reducing the risk of social engineering fraud, including warning PSUs about the risks of this and other types of fraud.
3. PISPs, (as obliged entities under the Anti-Money Laundering Directive (EBA/GL/2021/02) (“AMLD”)), must know their customers and comply with the necessary requirements, including those set out in the AMLD, and adopt security policy and tools for the prevention of fraud. This can be addressed in organisations’ policies and software should be developed based on their business risk models.

Apart from industry challenges, the responses also illustrate and confirm where some areas already have adequate protection in place. For example, after consideration, the EBA found that there is no reason why additional requirements in relation to the ASPSP authentication process should be introduced for ASPSPs in the EU. However, this is something that is to be reviewed in a year’s time.

Return to top ^

 

4. Open Banking leading to ‘Open Finance’

On 17 June 2021, the Open Banking Implementation Entity (“OBIE”) published its first Open Banking Impact Report (the “Impact Report”) based on the Consumer Evaluation Framework newly created by the OBIE. The report analyses the impact of Open Banking and explores how it has delivered on its intended end-user aims, particularly whether its retail consumers and small and medium-sized enterprises have found value in the various Open Banking propositions made available to them.

The data collected by the OBIE shows that there were 109 firms with live Open Banking products in December 2020, which is a 76% increase from December 2019. On average, 3.2 banking services have been launched per month since Open Banking started in January 2018.

In May 2021, just before the Impact Report was published, an independent report by the Taskforce on Innovation, Growth and Regulatory Reform (“TIGRR”) was released applying pressure on the UK to expand Open Banking principles to include a wider range of financial services and products to create ‘Open Finance’. The TIGRR report also called for a scaled-back approach to Anti-Money Laundering (“AML”) obstacles which Open Banking and other fintech services encounter, classing AML risk as very low and ‘virtually non-existent’ in certain Open Banking services such as account information services and payment initiation services.

The OBIE noted that the numbers produced in the report should be read as indicative-only but confirms future data should be more accurate. It aims to deliver a new report every six months, and the next report is expected at the end of the year.

What this means for you?

Due to the success of Open Banking, the OBIE is likely to expand its offering to include Open Finance and increase the range of financial services and products available to the market. Open Finance is an extension of Open Banking data sharing principles, allowing third party providers to access customers’ data across a broader range of financial sectors and products. It is hoped that Open Finance will allow firms to offer customers new services and products on the basis of the data exchanges (such as broader product switching services and personal financial management dashboards), increase competition, and help customers to make better financial decisions. Firms will also be able to use Open Finance to support their back office functions (e.g. the use of new data sets will help improve acceptance of credit, reduce paper and speed up on‑boarding processes). Some of the challenges of Open Finance will naturally include data ethics, consumer protection, and the implementation may be a significant undertaking for smaller firms. We expect further consultation from relevant industry bodies, OBIE guidelines and implementation requirements to be made available to firms. Third party suppliers, banks and building societies should keep a watching brief of the FCA’s publications on Open Finance as it supports the UK Government in considering what legislation will be necessary to allow firms to participate in the uptake of Open Finance.

Return to top ^

 

5. JURI report on proposed cross-border payments Regulation

The European Parliament's Legal Affairs Committee (JURI) published a (JURI) Report on the European Commission’s legislative proposal for regulation on cross-border payments in the EU, namely to consolidate the many amendments made to Regulation (EC) No 924/2009 on cross-border payments in the EU.

JURI’s draft European Parliament legislative resolution will involve codification and replacement of existing regulations without any change in their substance or impact. The European Parliament adopted the proposal in July 2021 in the context of the Single Euro Payments Area (SEPA) and it was published in the Official Journal on 30 July 2021.

What this means for you?

The regulation preserved the content of the acts being codified, confirming the rules on cross-border payments within SEPA and nothing further; the same charges must be applied for domestic and cross-border electronic payment transactions denominated in euros (or in the national currencies of the Member States which have notified their decision to extend the application of this Regulation to their national currency.)

Return to top ^

 

For more information on any of the matters covered in this edition of Payment Matters, please get in touch: