Payment Services Regulatory News

Compliancy Services Directors
Our Directors and Consultants share their insights and opinions on the important regulatory issues facing the UK Payment Services sector.


Featured Articles

Stay informed with our Monthly Newsletter

Regulatory Updates

Click to Expand

Draft Guidelines on the security measures of payment services under PSD2
5th May 2017 - European Banking Authority

These guidelines focus strongly on communication channels, security of systems and devices and look to protect payment service users’ data, sensitive payment data and personalised security credentials. The guidelines will require firms to review governance and business continuity arrangements, carry out risk assessments, review protection measures, have in place detection processes to identify intrusions, have a testing regime in place, put in place training for staff on this topic and review their customer communications and reporting mechanisms.

These are not inconsequential matters and will require significant management time and resource to address. While this is a consultation, it seems unlikely that the final version will be significantly different from the proposals.

Firms should therefore review the guidelines and consider the changes needed to become compliant.


The guidelines cover the following:

1. Governance

a. The setting up of a documented operational & security risk management framework, including a security policy and risk appetite, assignation of key roles & responsibilities and procedures;

b. Three lines of defence (or equivalent) & regular audit of security measures

c. Building in of security measures to outsourcing agreements#

2. Risk assessment

a. Identification of functions processes and assets and regular review. This should include an inventory of information assets for payment services

b. Classification of business functions, supporting processes and information assets in terms of criticality

c. Regular documented risk assessments

3. Protection

a. Data & systems integrity & confidentiality –including segregation of duties & “least privilege”.

b. Physical security

c. Access control – physical and logical

4. Detection

a. Continuous monitoring & detection

5. Business continuity

a. Business continuity management – plans & mitigation measures

b. Scenario based continuity planning

c. Testing of business continuity plans

d. Incident management & crisis communication

6. Testing of security measures

7. Situational awareness and continuous learning

a. Threat landscape and situational awareness

b. Training & security awareness programs

8. Payment service user relationship management

a. Payment service user awareness on security risks

b. Payment service user secure communication and reporting procedures

Login to the online compliance management system to read the full detail.

PSD2 – FCA & PSR Guidance Consultation
13th April 2017 - Financial Conduct Authority

The consultation notes the following changes:

• Chapter 2 - Changes to the perimeter Changes to exclusions, notification requirements for come excluded providers Notably, this states that mobile applications (apps) can be payment instruments

• Chapter 3 – Authorisation & Passporting New authorisation & registration requirements for new and existing authorised payment institutions, small payment institutions, authorised e-money institutions and small e-money institutions. Change in approach to changes in qualified holdings and close links. New requirements for passporting. Deadline for API re-authorisation 13 July 2018; for SPIs re-registration by 13 January 2019

• Chapter 4 – Conduct of business, including complaints handling Includes proposed changes to BCOBS and DISP in terms of complaints handling to reflect the PSD2 complaints regime.

• Chapter 5 - Regulatory reporting Complaints reporting, fraud reporting, changes to existing reporting and proposal that authorised payment institutions submit annual controllers and close link reports. Note extension of complaints record rule in DISP to Payment Institutions and E-Money Institutions & increase of scope in forms FSA056 7 FSA 057 & new EMI form.

• Chapter 6 – Payment Service Providers’ access to payment account services Joint consultation with the Payment Systems Regulator on the requirement for credit institutions to provide access to accounts for other PSPs on a “POND” (Proportionate, Objective & Non-discriminatory) basis.

• Chapter 7 – Account information services and payment initiation services & confirmation of availability of funds Guidance on how such access is to be provided by ASPSPs (Account Servicing Payment Service Providers). Importantly, the proposed Approach Document contains guidance on what “accessible online” means in this context. Joint consultation with the Payment Systems Regulator.

• Chapter 8 – The FCA’s approach to supervision under the PSRs 2017 & EMRs

• Chapter 9 – Consequential changes & other revisions to the Approach Document Note that there is a proposed new chapter on Financial Crime in the Approach Document.

• Chapter 10 – The Payment Systems Regulator’s Approach Direct & Indirect Access to payment systems for PSPs, ATM withdrawal charges & enforcement approach

Login to the online compliance management system to read the full detail.

Draft Regulatory Technical Standards on Strong Customer Authentication
23rd February 2017 - European Banking Authority

Article 98 of PSD2 (2015/2366) requires the European Banking Authority to develop, in close co-operation with the ECB draft Regulatory Technical Standards specifying the requirements of strong customer authentication, the exemptions from these requirements , the requirements with which security measures will have to comply in order to protect the confidentiality and integrity of payment service users’ personalised security credentials and the requirements for common and secure open standards of communication between account servicing payment service providers (such as banks, building societies and e-money institutions), Payment Initiation Service Providers, Account Information Service Providers, payers, payees and other payment service providers. This consultation follows a discussion paper issued by the EBA in December 2015 and the consultation on the draft Regulatory Technical Standards in August 2016. The RTS comes into force 18 months after its adoption by the European Commission.

Login to the online compliance management system to read the full detail.

HM Treasury Consultation on Implementation of PSD2
2nd February 2017 - Her Majesty's Treasury

These regulatons will impact on all existing payment service providers as well as bringing new entites into regulation

Login to the online compliance management system to read the full detail.

Consultation Paper on draft Guidelines on major incidents reporting under the PSD2
7th December 2016 - European Banking Authority

Login to the online compliance management system to read the full detail.

Consultation: Information to be provided for the authorisation as payment/e-money institutions
3rd November 2016 - European Banking Authority

The guidelines set out detailed requirements are set out under the following headings: • General Principles

• Identification Details

• Programme of operations

• Business Plan

• Structural organisation

• Evidence of initial capital

• Safeguarding measures

• Governance arrangements and internal control mechanisms

• Procedures to monitor, handle and follow up on security incidents and security-related customer complaints (New requirements)

• Process to file, monitor, track and restrict access to sensitive payment data (New requirements)

• Business continuity arrangements (New requirements)

• The principles and definitions applicable to the collection of statistical data on performance, transactions and fraud (New requirements)

• Security policy document (New requirements) • Internal control mechanisms re AML/CFT

• Identity and suitability assessment of persons with qualified holdings

• Identity and suitability assessment of directors and persons responsible for management of payment institution

• Identity of statutory auditors and audit firms

• Professional indemnity insurance etc. for payment initiation services and account information services (New requirements for new category)

There are similar provisions regarding e-money institutions.

Login to the online compliance management system to read the full detail.

Survey for payment service providers
12th October 2016 - Payment Systems Regulator

The survey will inform the PSR's actions in respect of indirect access, so it may have an important bearing on future access.

Login to the online compliance management system to read the full detail.

Markets in Financial Instruments Directive II implementation Consultation Paper
29th September 2016 - Financial Conduct Authority

The Financial Conduct Authority (FCA) has published its third Consultation Paper on the implementation of the revised Markets in Financial Instruments Directive (MiFID II).

The proposals pick up on several of the themes of FCA recent work in the UK on retail and wholesale conduct issues. They also reflect areas that the FCA have worked on to promote competition and market integrity.

Login to the online compliance management system to read the full detail.

EBA consults on technical standards on fee terminology and disclosure documents
22nd September 2016 - European Banking Authority

Under the Payment Accounts Directive the EBA are tasked with developing Technical Standards to facilitate consumers in comparing the costs of payment accounts offered by different providers.  The Technical Standards include standardised terms for what have been identified as the most commonly offered payment account services as well as standrised formats for two disclosure documents that must be offered by providers of payment accounts to consumers:

  • The pre contractual Fee Information Document ("FID"); and
  • the post contractual periodic Statement of Fees

There is also a standard symbol to be used on these documents.

This is a consultation on the proposals, with the end date for comments being 22 December 2016.  There is also a public hearing on 21 November.

Login to the online compliance management system to read the full detail.

A new RTGS service for the United Kingdom: safeguarding stability, enabling innovation
16th September 2016 - Bank of England

The consultation sets out 5 key strategic drivers for change in RTGS:

• First, the new RTGS service must be capable of responding to the changing structure of the financial system;

• Second, the new RTGS service must recognise that payment system users want simpler and more resilient pathways for their payments;

• Third, the new RTGS service must be capable of interfacing with a range of new technologies being used in the private sector, including distributed ledgers, if/when they achieve critical mass;

• Fourth, the new RTGS service must remain highly resilient to the increasingly diverse range of threats to continuity of service; and

• Fifth, the new RTGS service must have the capacity to support the future evolution of regulatory and monetary policy tools.

Login to the online compliance management system to read the full detail.

PSR MR15/2.3 – Final report: ownership and competitiveness of infrastructure provision
28th July 2016 - Payment Systems Regulator

The PSR's final findings are

  • There is no effective competition for the provision of UK payments infrastructure for Bacs, FPS and LINK.
  • The lack of competitive procurement exercises by the operators is a barrier to entry that prevents potential providers from competing.
  • The UK payment systems' bespoke messaging standards are acting as a barrier to entry for new infrastructure providers into the UK market.
  • Because of the joint control that the four largest VocaLink shareholder payment service providers exercise over both the operators and VocaLink, the current ownership and governance arrangements reduce the level of competition for the provision of central infrastructure.

Their proposed remedies are:

  • Competitive procurement exercises are undertaken for the provision of infrastructure services
  • Divestment by the four largest VocaLink shareholder PSPs of their interest in VocaLink
  • A common international messaging standard for Bacs and FPS

Comments are invited by 22 September.

Login to the online compliance management system to read the full detail.

Separation of payment card schemes and processing entities under Article 7 of Regulation 2015/751
27th July 2016 - European Banking Authority

The Interchange Fee Regulations mandate the separation of payment card schemes (such as Visa and MasterCard) from their processing entities, where the schemes also offer processing services to merchants. The EBA were mandated to provide Regulatory technical Standards that must be met for such separation to be deemed to be sufficient. These cover accounting, organisational and decision making processes.

Login to the online compliance management system to read the full detail.

Market review into the supply of indirect access to payment systems – Final Report
21st July 2016 - Payment Systems Regulator

The PSR have confirmed their conclusions from their interim report issued earlier this year, that competition in the supply of indirect access appears to be producing some good outcomes, but have specific concerns about the quality of access, limited choice for some PSPs and barriers to switching. They comment that they are seeing dvelopments that, combined with their work on access, may help addess these concerns and are focusing their efforts on encouraging those rather tha intervening directly.

The one significant change is that rather than waiting 12 months to review progress they have now decided to incorporate an overview of developments in the indirect access market into their ongoing annual review of access and governance of regulated payment systems, the next report of which is exepcetd in early 2017.

Login to the online compliance management system to read the full detail.

Current Account Switch Service Application for designation under the Payment Accounts Regulations
21st June 2016 - Payment Systems Regulator

The Payment Accounts Regulations 2015 (Sections 14 & 15 and Schedule 3) require banks offering current accounts to consumers to have in place a system to meet the regulations account switching requirements. Alternatively they can comply by being participants in a system which has been designated by the competent authority (the Payment Systems Regulator) as being appropriate.

Most banks in the UK are signed up to Bacs' Current Account Switching Service ("CASS") so it was always assumed that Bacs would apply for CASS to be designated. It is highly likelyy that designation will be granted.

Login to the online compliance management system to read the full detail.

FCA Business Plan 2016/2017 : Wholesale Financial Markets.
5th April 2016 - Financial Conduct Authority

In 2014/15 the FCA conducted The Fair and Effective Markets Review (FEMR) assessment working alongside the Bank of England and the Treasury to look into the way in which wholesale fixed income, currencies and commodities operate.

Following the review, 21 new recommendations were made, as well as providing general advice and assistance.

Financial markets are heavily affected by the increasing uncertainties around international economies which therefore affect investor decision making and also prudential and conduct considerations.

Login to the online compliance management system to read the full detail.


New Broad Street House 35 New Broad Street London EC2M 1NH

Tel: 020 7060 4499 Email:

Copyright © 2015 Compliancy Services Ltd     Company Registration Number: 04954156

Registered Office: 69 Hermitage Road, Hitchin, Hertfordshire SG5 1DB

Please note that calls may be recorded for training and monitoring purposes