The revised Payment Services Directive (PSD2) will take effect from 18 January 2018 and will be implemented into UK law via the Payment Services Regulations 2017 (PSRs). It is widely seen as an opportunity to further develop the payments landscape within both the UK and across Europe.
The 2017 PSRs, which are currently in draft form, contain new provisions in relation to authorisation which firms need to check carefully. For firms that must apply for authorisation or registration for the first time, and for existing firms who need to apply for re-authorisation (and re-registration), the FCA will start accepting applications from 13 October 2017. This means all impacted firms should already be now thinking about what they need to do, and when. A failure to comply with the new authorisation and registration requirements within the FCA's stated timelines means those firms will not be able to continue doing business and they will be removed from the Financial Services Register.
"Our proposals are designed to ensure that the aims of PSD2 are realised in the UK, and that we can effectively monitor and enforce compliance with the PSRs 2017. We seek to advance, where relevant, our statutory objectives, in particular promoting effective competition in the interests of consumers, and securing an appropriate degree of protection for consumers."
Implementation of the revised authorisation requirements of Payment Services Directive, Financial Conduct Authority, 2017
Who is impacted?
The new authorisation requirements only impact existing and new Payment Institutions (PIs) and E-money Issuers as well as those who are currently providing or wish to provide Account Information Services (AIS) and/or Payment Initiation Services (PIS) – existing credit institutions such as banks and building societies are not subject to these changes being introduced by the PSRs and there are no new authorisation requirements being imposed on them.
The FCA have tweaked their approach to how firms will be authorised under the 2017 PSRs. While the process is expected to be largely similar to the current process, the requirements of the PSRs mean that the FCA will expect firms to provide a greater amount of information on their business and the services they wish to provide. For the new types of payment services being regulated - businesses who wish to provide AIS and PIS must demonstrate that they possess professional indemnity insurance or a comparable guarantee that adequately covers these activities. The European Banking Authority (EBA) is currently consulting on the minimum level of cover to be in place.
Lighter touch regime for Account Information Service businesses
For those businesses who are only providing Account Information Services, they do not need to be authorised, but must be registered with the FCA. They can apply for registration via the Registered Account Information Service Providers (RAISP) process. The conditions for registration are set to be far less extensive than the authorisation regime for PIs and e-money issuers and applicants will not need to provide as much information to the FCA. For example, Account Information Services Providers (AISPs) will not have to provide information relating to statistical data collection. The EBA continues to consult on exactly what information will be required and the FCA will develop their approach to reflect the finalised EBA Guidelines.
Additional information requirements for new small PI and E-money institutions
For small payment and e-money institutions, the FCA proposes to ask applicants for new information (set out below) in addition to what they are currently required to provide, so there will also be some changes for those types of businesses under the new regime. Note also that all e-money institutions will not be permitted to automatically start offering PIS and AIS unless they apply to the FCA to have this restriction removed from their permissions.
The re-authorisation and re-registration process
The authorisation changes will not be solely relevant to new firms who have never been authorised before. The FCA requires existing authorised firms, namely existing PIs and E-Money Issuers, to become re-authorised under the PSRs and provide the same new information set out below as firms who are applying to be authorised for the first time.
Existing small PIs and e-money must also be re-registered.
Under the draft PSRs, existing PIs and e-money institutions (and small payment and e-money institutions) will need to submit the following additional "PSR Schedule 2" information to the FCA (or confirm via the application process that the material has already been submitted):
- The firm's procedure for monitoring, handling and following up security incidents;
- A description of the firm's information security policy;
- How the firm files, monitors, tracks and restricts access to sensitive payment information; and
- The strategy the firm employs in collecting statistical data on performance, transactions and fraud.
Timelines, Windows and Deadlines
- The FCA application "window" opens on 13 October 2017. From that date, the FCA can consider applications for authorisation and registration (and re-authorisation and re-registration) from firms in scope.
- Under current proposals, existing authorised PIs, EMIs and small EMIs will have to provide this new information about their business as described above to the FCA before 13 April 2018 if they wish to continue operating on or after 13 July 2018.
- Small PIs will need to provide the same new information to the FCA before 13 October 2018 if they wish to continue operating on or after 13 January 2019.
So, for the majority of existing businesses in scope that need to be re-authorised or re-registered, they will have a relatively short window from 13 October 2017 until 13 April 2018 to submit new information about their business to the FCA. Firms should not underestimate the time it may take for them to confirm their internal approaches, document these, make changes to existing policies and procedures and other firm documentation, obtain key signoffs from key business and control function stakeholders and submit to the FCA before 13 April 2018. This exercise may provide to be further complicated by other legislative changes which firms will be implementing around the same time and over the next 12 months, such as the EU GDPR so project teams will need to ensure they are aligned where there is an overlap.
For those firms who are authorised by the FCA during the period 13 October 2017 and 13 January 2018 and have started providing payment services, they will need to provide the new information required by the PSRs to the FCA by 13 April 2018.
Next steps
While all of the above is at the FCA's consultation stage, it is vital the firms begin to prepare for the changes being introduced by the PSRs. They should not underestimate the time it may take them to bring all of the required information together, including the new information specifically required by the PSRs, and submit this to the FCA before the deadlines.
Addleshaw Goddard's Financial Regulation team combining both lawyers and experienced risk and compliance professionals can discuss what requirements apply to your business, help you to identify what changes you will need to make and guide you through the process. Please do not hesitate to contact us.