The FCA has recently published two key documents detailing how it will implement the Second Payment Services Directive and the Second Electronic Money Directive: Policy Statement 17/19 and its Approach Document under the Payment Services Regulations 2017 (PSRs) and the Electronic Money Regulations 2011.
The documents are welcome guidance for firms seeking to finalise their implementation procedures in time for 13 January 2018 – whether those firms act as account servicing payment service providers (ASPSPs), payment initiation service providers (PISPs) or account information service providers (AISPs). With the publication of the documents, the FCA has clarified its position on a number of key issues for the industry, including the scope of certain exclusions (specifically the commercial agent exclusion and the limited network exclusion), the process for authorisation for PISPs and AISPs, and its expectations for the provisions of third-party access to payment accounts by credit institutions in accordance with Regulation 105 of the PSRs.
As 13 January 2018 draws closer, we have been working with a broad range of firms as they seek to complete the consumer-facing and system-build elements of their PSD II projects. Key issues that we see arising across the industry are as follows:
- how credit institutions address the open access provisions under Regulation 105, particularly with regard to the language to be inserted into framework agreements to confirm:
- how consent is to be provided in respect of payment orders commenced via PISPs and AISPs;
- how consent is to be obtained from customers where ASPSPs receive a request from a PISP, AISP or a card-issuing servicing provider (CISP) to confirm available funds on a payment account; and
- what language ASPSPs should incorporate into a framework agreement to protect against liability that may arise from the actions of a PISP, AISP or CISP.
- how ASPSPs can explore opportunities to provide additional, complementary services and product offerings to existing customers that allow them to compete with AISPs and others in an increasingly crowded market of firms providing information on activity of payment service users.
- how firms obtain the relevant consent to access, process or retain the personal data of a payment service user for the purposes of providing payment services as required under Regulation 97 of the PSRs, including how firms combine this requirement with their existing implementation planning for the General Data Protection Regulation which will be effective as of May 2018.
- how credit institutions implement appropriate interim solutions to the storage and processing of data connected to payment transactions in the context of open banking and third party access whilst awaiting the implementation of the European Banking Authority’s final technical standards on strong customer authentication.
If you have any queries as to the nature and scope of any of the provisions of the PSRs, or as to how Policy Statement 17/19 might impact your existing PSD II implementation project, please do not hesitate to contact Imogen Garner at Imogen.Garner@nortonrosefulbright.com or Albert Weatherill at Albert.Weatherill@nortonrosefulbright.com.