Payment Services Regulatory News

Compliancy Services Directors
Our Directors and Consultants share their insights and opinions on the important regulatory issues facing the UK Payment Services sector.

Regulatory Updates

EBA Incident Reporting Guidelines under PSD2
27th August 2017 - European Banking Authority

These final guidelines relate to the classification and reporting of major operational or security incidents, covering both internal and external events that could be either malicious or accidental.

They take effect from 13 January 2018 and apply to all Payment Service Providers. They provide that PSPs should classify as major all operational or security incidents that fulfil one or more “Higher impact level” criteria or 3 or more “Lower impact level” criteria.

The guidelines also set out the notification process, including an incident report template (in Annex 1 to the Guidelines) which specifies that the forms should be updated on an incremental basis as information becomes available.

The processes for initial, interim and final reports are also set out, as is the need for PSPs to ensure that the responsibilities and processes for incident reporting are set out in the firm’s general operational and security policy.

The EBA has amended the thresholds for notification and replaced Level 1 & Level 2 with ‘Lower impact level’ and ‘Higher impact level’. They say that cumulative versus alternative thresholds, where applicable, introduce proportionality. This allows the striking of an important and necessary balance between both smaller and larger payment service providers, so the EBA has made the necessary amendments to the Guidelines to highlight where and when PSPs should take them into account simultaneously or not.

They have increased the value threshold for transactions affected from €1 million to €5 million, which, while welcomed, seems unlikely to significantly reduce the level of over-reporting that many respondents feared.

The EBA has also amended the reporting template following comments that it was not clear, and has extended the deadline for making the initial report to the FCA from 2 hours to 4 hours, which should make the reporting more manageable for firms. However, they have also clarified that major incidents resolved within the deadline to submit the initial report should also be notified, albeit that the initial report may also constitute the last intermediate report and, potentially, the final report.

Login to the online compliance management system to read the full detail.

FCA CP17/22 Draft Authorisation and reporting forms for PSD2
13th July 2017 - Financial Conduct Authority

The FCA say that they propose to:

• direct that PSPs follow the European Banking Authority’s (EBA) Guidelines to notify them of major operational or security incidents, which is a new requirement under PSD2. Guidance is proposed in SUP on how this notification should be made through Connect.

• update the capital returns for authorised PIs and EMIs to reflect new PSD2 requirements around how own funds can be met. The FCA is also providing a flow chart to help authorised PIs, authorised EMIs and small EMIs navigate the relevant parts of the CRR when calculating own funds. This will be set out in the Approach Document (and is provided in Appendix 3).

• make rules requiring records to be kept by banks and building societies on their account information services and payment initiation services business. The consultation also sets out draft perimeter guidance on the definition of account information service and payment initiation service. The FCA proposes that credit institutions notify the FCA before commencing these services. The FCA are also proposing a new record keeping rule in SYSC for credit institutions carrying out these services, requiring them to keep records on:

o the number of different payment accounts that the credit institution has accessed for the purposes of providing account information services

o the number of customers who have used the credit institution’s account information services

o the number of payment accounts that the credit institution has accessed for the purposes of providing payment initiation services

o the number of payment transactions the credit institution has initiated when providing payment initiation services.

• specify the forms to be used by:

–– businesses seeking registration as a small PI or small EMIs

–– existing small PIs and small EMIs seeking re-registration in accordance with PSD2

–– existing authorised PIs and authorised EMIs seeking re-authorisation in accordance with PSD2

–– PIs and EMIs wishing to change the regulatory permissions they hold or to remove a requirement.

These forms give the best indication of the required information to be provided for re-authorisation or re-registration. The forms do allow for firms to indicate when the information has been previously provided to the FCA, but in many cases it will need to be updated to reflect the current position.

• make amendments to Chapter 3 (authorisation and registration), Chapter 9 (capital resources and requirements), and Chapter 13 (reporting and notifications) of the Approach Document to reflect the above.


Draft Guidelines on the security measures of payment services under PSD2
5th May 2017 - European Banking Authority

These guidelines focus strongly on communication channels, security of systems and devices and look to protect payment service users’ data, sensitive payment data and personalised security credentials. The guidelines will require firms to review governance and business continuity arrangements, carry out risk assessments, review protection measures, have in place detection processes to identify intrusions, have a testing regime in place, put in place training for staff on this topic and review their customer communications and reporting mechanisms.

These are not inconsequential matters and will require significant management time and resource to address. While this is a consultation, it seems unlikely that the final version will be significantly different from the proposals.

Firms should therefore review the guidelines and consider the changes needed to become compliant.

The guidelines cover the following:

1. Governance

a. The setting up of a documented operational & security risk management framework, including a security policy and risk appetite, assignment of key roles & responsibilities and procedures;

b. Three lines of defence (or equivalent) & regular audit of security measures

c. Building security measures into outsourcing agreements

2. Risk assessment

a. Identification of functions, processes and assets, and their regular review. This should include an inventory of information assets for payment services

b. Classification of business functions, supporting processes and information assets in terms of criticality

c. Regular documented risk assessments

3. Protection

a. Data & systems integrity & confidentiality – including segregation of duties & “least privilege”.

b. Physical security

c. Access control – physical and logical

4. Detection

a. Continuous monitoring & detection

5. Business continuity

a. Business continuity management – plans & mitigation measures

b. Scenario based continuity planning

c. Testing of business continuity plans

d. Incident management & crisis communication

6. Testing of security measures

7. Situational awareness and continuous learning

a. Threat landscape and situational awareness

b. Training & security awareness programs

8. Payment service user relationship management

a. Payment service user awareness on security risks

b. Payment service user secure communication and reporting procedures


PSD2 – FCA & PSR Guidance Consultation
13th April 2017 - Financial Conduct Authority

The consultation notes the following changes:

• Chapter 2 – Changes to the perimeter: changes to exclusions and notification requirements for some excluded providers. Notably, this states that mobile applications (apps) can be payment instruments.

• Chapter 3 – Authorisation & Passporting: new authorisation & registration requirements for new and existing authorised payment institutions, small payment institutions, authorised e-money institutions and small e-money institutions; a change in approach to changes in qualified holdings and close links; new requirements for passporting. The deadline for API re-authorisation is 13 July 2018; SPIs must re-register by 13 January 2019.

• Chapter 4 – Conduct of business, including complaints handling: includes proposed changes to BCOBS and DISP in terms of complaints handling to reflect the PSD2 complaints regime.

• Chapter 5 – Regulatory reporting: complaints reporting, fraud reporting, changes to existing reporting and a proposal that authorised payment institutions submit annual controllers and close links reports. Note the extension of the complaints record rule in DISP to Payment Institutions and E-Money Institutions, the increase in scope of forms FSA056 & FSA057, and a new EMI form.

• Chapter 6 – Payment Service Providers’ access to payment account services: joint consultation with the Payment Systems Regulator on the requirement for credit institutions to provide access to accounts for other PSPs on a “POND” (Proportionate, Objective & Non-discriminatory) basis.

• Chapter 7 – Account information services, payment initiation services & confirmation of availability of funds: guidance on how such access is to be provided by ASPSPs (Account Servicing Payment Service Providers). Importantly, the proposed Approach Document contains guidance on what “accessible online” means in this context. Joint consultation with the Payment Systems Regulator.

• Chapter 8 – The FCA’s approach to supervision under the PSRs 2017 & EMRs.

• Chapter 9 – Consequential changes & other revisions to the Approach Document: note that there is a proposed new chapter on Financial Crime in the Approach Document.

• Chapter 10 – The Payment Systems Regulator’s approach: direct & indirect access to payment systems for PSPs, ATM withdrawal charges & enforcement approach.


Draft Regulatory Technical Standards on Strong Customer Authentication
23rd February 2017 - European Banking Authority

Article 98 of PSD2 (2015/2366) requires the European Banking Authority to develop, in close co-operation with the ECB, draft Regulatory Technical Standards specifying the requirements of strong customer authentication, the exemptions from these requirements, the requirements with which security measures will have to comply in order to protect the confidentiality and integrity of payment service users’ personalised security credentials, and the requirements for common and secure open standards of communication between account servicing payment service providers (such as banks, building societies and e-money institutions), Payment Initiation Service Providers, Account Information Service Providers, payers, payees and other payment service providers. This consultation follows a discussion paper issued by the EBA in December 2015 and the consultation on the draft Regulatory Technical Standards in August 2016. The RTS comes into force 18 months after its adoption by the European Commission.


HM Treasury Consultation on Implementation of PSD2
2nd February 2017 - Her Majesty's Treasury

These regulations will impact on all existing payment service providers as well as bringing new entities into regulation.


Consultation Paper on draft Guidelines on major incidents reporting under the PSD2
7th December 2016 - European Banking Authority


Consultation: Information to be provided for the authorisation as payment/e-money institutions
3rd November 2016 - European Banking Authority

The guidelines set out detailed requirements under the following headings:

• General Principles

• Identification Details

• Programme of operations

• Business Plan

• Structural organisation

• Evidence of initial capital

• Safeguarding measures

• Governance arrangements and internal control mechanisms

• Procedures to monitor, handle and follow up on security incidents and security-related customer complaints (New requirements)

• Process to file, monitor, track and restrict access to sensitive payment data (New requirements)

• Business continuity arrangements (New requirements)

• The principles and definitions applicable to the collection of statistical data on performance, transactions and fraud (New requirements)

• Security policy document (New requirements)

• Internal control mechanisms re AML/CFT

• Identity and suitability assessment of persons with qualified holdings

• Identity and suitability assessment of directors and persons responsible for management of payment institution

• Identity of statutory auditors and audit firms

• Professional indemnity insurance etc. for payment initiation services and account information services (New requirements for new category)

There are similar provisions regarding e-money institutions.


Survey for payment service providers
12th October 2016 - Payment Systems Regulator

The survey will inform the PSR's actions in respect of indirect access, so it may have an important bearing on future access.


Markets in Financial Instruments Directive II implementation Consultation Paper
29th September 2016 - Financial Conduct Authority

The Financial Conduct Authority (FCA) has published its third Consultation Paper on the implementation of the revised Markets in Financial Instruments Directive (MiFID II).

The proposals pick up on several of the themes of the FCA’s recent work in the UK on retail and wholesale conduct issues. They also reflect areas that the FCA have worked on to promote competition and market integrity.


EBA consults on technical standards on fee terminology and disclosure documents
22nd September 2016 - European Banking Authority

Under the Payment Accounts Directive the EBA are tasked with developing Technical Standards to facilitate consumers in comparing the costs of payment accounts offered by different providers. The Technical Standards include standardised terms for what have been identified as the most commonly offered payment account services, as well as standardised formats for two disclosure documents that must be offered by providers of payment accounts to consumers:

  • The pre contractual Fee Information Document ("FID"); and
  • the post contractual periodic Statement of Fees

There is also a standard symbol to be used on these documents.

This is a consultation on the proposals, with the end date for comments being 22 December 2016. There is also a public hearing on 21 November.


A new RTGS service for the United Kingdom: safeguarding stability, enabling innovation
16th September 2016 - Bank of England

The consultation sets out 5 key strategic drivers for change in RTGS:

• First, the new RTGS service must be capable of responding to the changing structure of the financial system;

• Second, the new RTGS service must recognise that payment system users want simpler and more resilient pathways for their payments;

• Third, the new RTGS service must be capable of interfacing with a range of new technologies being used in the private sector, including distributed ledgers, if/when they achieve critical mass;

• Fourth, the new RTGS service must remain highly resilient to the increasingly diverse range of threats to continuity of service; and

• Fifth, the new RTGS service must have the capacity to support the future evolution of regulatory and monetary policy tools.


PSR MR15/2.3 – Final report: ownership and competitiveness of infrastructure provision
28th July 2016 - Payment Systems Regulator

The PSR's final findings are:

  • There is no effective competition for the provision of UK payments infrastructure for Bacs, FPS and LINK.
  • The lack of competitive procurement exercises by the operators is a barrier to entry that prevents potential providers from competing.
  • The UK payment systems' bespoke messaging standards are acting as a barrier to entry for new infrastructure providers into the UK market.
  • Because of the joint control that the four largest VocaLink shareholder payment service providers exercise over both the operators and VocaLink, the current ownership and governance arrangements reduce the level of competition for the provision of central infrastructure.

Their proposed remedies are:

  • Competitive procurement exercises are undertaken for the provision of infrastructure services
  • Divestment by the four largest VocaLink shareholder PSPs of their interest in VocaLink
  • A common international messaging standard for Bacs and FPS

Comments are invited by 22 September.


Separation of payment card schemes and processing entities under Article 7 of Regulation 2015/751
27th July 2016 - European Banking Authority

The Interchange Fee Regulations mandate the separation of payment card schemes (such as Visa and MasterCard) from their processing entities, where the schemes also offer processing services to merchants. The EBA were mandated to provide Regulatory Technical Standards that must be met for such separation to be deemed sufficient. These cover accounting, organisational and decision-making processes.


Market review into the supply of indirect access to payment systems – Final Report
21st July 2016 - Payment Systems Regulator

The PSR have confirmed the conclusions from their interim report issued earlier this year: that competition in the supply of indirect access appears to be producing some good outcomes, but that they have specific concerns about the quality of access, limited choice for some PSPs and barriers to switching. They comment that they are seeing developments that, combined with their work on access, may help address these concerns, and are focusing their efforts on encouraging those rather than intervening directly.

The one significant change is that, rather than waiting 12 months to review progress, they have now decided to incorporate an overview of developments in the indirect access market into their ongoing annual review of access and governance of regulated payment systems, the next report of which is expected in early 2017.

New Broad Street House 35 New Broad Street London EC2M 1NH

Tel: 020 7060 4499 Email: info@compliancy-services.co.uk

Copyright © 2015 Compliancy Services Ltd     Company Registration Number: 04954156

Registered Office: 69 Hermitage Road, Hitchin, Hertfordshire SG5 1DB