UK FCA Consults on Changes to Strong Consumer Authentication, Dedicated Interfaces, and Guidance on Payment Services

On January 28, 2021, the UK Financial Conduct Authority (FCA) published Consultation Paper CP21/3, “Changes to the SCA-RTS and to the guidance in ‘Payment Services and Electronic Money – Our Approach’ and the Perimeter Guidance Manual” (Consultation Paper). This follows the FCA’s announcement in its 2020-21 business plan that payment services were one of its main supervisory priorities¹ and its temporary guidance of July 9, 2020, on prudential risk management and safeguarding in light of the COVID-19 pandemic (Temporary COVID Guidance).

The FCA is proposing amendments to:

1. the UK onshored versions of EU technical standards on strong customer authentication (SCA) and common and secure methods of communication (UK SCA-RTS);
2. its Approach Document on Payment Services and Electronic Money (Approach Document); and
3. its Perimeter Guidance Manual (PERG).

Temporary COVID Guidance

The FCA has proposed to make permanent most of its Temporary COVID Guidance, including on safeguarding, prudential risk management, and wind-down plans. It plans to do this by incorporating the relevant guidance into its existing Approach Document. However, firms should review the Approach Document changes, as the provisions incorporated from the Temporary COVID Guidance are not identical in all cases.

Safeguarding

As originally noted in the Temporary COVID Guidance, the FCA has confirmed that an electronic money institution (EMI) or a payment institution (PI) required to safeguard customer funds should have a written acknowledgement from its safeguarding bank or custodian to demonstrate that the bank or custodian has no interest in, recourse against, or right over the relevant funds or assets in the safeguarding account. In its Payments and E-Money webinar on January 21, 2021 (the January Webinar), the FCA noted that it had observed deficiencies in acknowledgement letters, including that some letters had not been signed and that appropriate signing authority was not in place.

The FCA is also proposing to make permanent provisions in the Temporary COVID Guidance requiring PIs and EMIs subject to annual account audits under the Companies Act 2006 to arrange specific annual audits of their compliance with safeguarding rules under the UK Payment Services Regulations 2017 (PSRs) and UK Electronic Money Regulations 2011 (EMRs) (as applicable).

The FCA has provided new guidance for PIs and EMIs using the “insurance or comparable guarantee” method of safeguarding. This includes a requirement that the insurance policy or comparable guarantee must pay out for the full amount of any claim regardless of how the relevant insolvency event occurs (including if the firm is at fault). The additional guidance also states that firms using this safeguarding method must maintain a designated safeguarding account with a credit institution for the full term of the insurance policy or comparable guarantee. In other words, even if a firm is not using the segregation method of safeguarding, it will generally need to comply with the same requirements as a firm that does.

Prudential risk management

The FCA is also proposing to make permanent provisions in the Temporary COVID Guidance requiring EMIs and PIs to carry out liquidity and stress testing to assess their exposure to severe business disruptions and the potential effects. These tests are intended to help firms assess whether they have adequate liquidity and capital resources as well as identify any required changes to their systems and controls.

Further, the FCA has confirmed its position set out in the Temporary COVID Guidance that it expects the senior management or governing body of an EMI or PI to document, review, and approve — at least annually — the design and results of the firm’s stress testing.

The FCA also proposes to introduce the following as best practices for firms in relation to regulatory capital and liquidity arrangements:

• to deduct any assets representing intragroup receivables from the firm’s own funds; and
• not to include uncommitted intragroup liquidity facilities.

These aim to reduce a firm’s dependence on, and exposure to, its group affiliates (i.e., to ensure that there is an adequate level of financial resources within each individual regulated entity at all times to absorb losses). EMIs and PIs that rely on intragroup arrangements, such as a central group treasury function, for their capital and liquidity needs could be significantly affected by this guidance.

Wind-down plans and capital requirements

The FCA plans to implement new permanent guidance on prudential risk management and wind-down planning. Some of the new guidance derives from the Temporary COVID Guidance and reflects the FCA’s increasing focus on financial soundness and resolvability of nonbank payment service providers.

As part of satisfying the FCA that EMIs and PIs have effective risk management procedures, the FCA requires such firms to have a wind-down plan to manage their liquidity, operational, and resolution risks. The plan should cover both solvent and insolvent wind-down scenarios and should be proportionate to the size and nature of the firm. Where the firm is part of a group, the firm should ensure that the wind-down plan considers how it would manage the relevant risks on a solo basis — that is, without assuming support from group affiliates. The FCA introduced the requirement for PIs and EMIs to have a wind-down plan in its Temporary COVID Guidance and is now proposing to make this a permanent requirement.

In its January Webinar, the FCA noted that wind-down plans should include realistic triggers to start a solvent wind-down and that these should normally be based on capital considerations. It emphasized the need for firms to include realistic estimates of the costs of a wind-down, including staff retention and redundancy costs and any costs related to early termination of contracts with customers and suppliers.

UK SCA-RTS

The FCA has identified what it describes as “barriers to successful competition and innovation in the UK payments landscape” posed by the requirements in the UK SCA-RTS. It has proposed several amendments to the UK SCA-RTS to address these, including the following:

• 90-day re-authentication. The FCA has proposed to create a new exemption from SCA so that customers do not need to reauthenticate every 90 days when accessing account information through an account information service provider.
• TPP access. The UK SCA-RTS requires account servicing payment service providers (ASPSPs) to establish interfaces through which third-party providers² (TPPs) can access customer payment accounts in a secure manner. In accordance with Article 31, ASPSPs have the option to enable access via a dedicated interface or a modified customer interface (MCI). Due to certain reported issues with the use of MCIs, the FCA is proposing to mandate the use of dedicated interfaces (such as application programming interfaces or APIs) by ASPSPs. The FCA’s proposal applies only in respect of personal and SME current accounts on the basis that it anticipates a reasonable prospect of TPP demand in relation to these.
• Technical specifications and testing facilities. Under Article 31 of the UK SCA-RTS, account providers are required to make a testing facility available and provide interface technical specifications six months before new products and services are launched. The FCA has proposed to amend this requirement so that the technical specifications and testing facility need be made available to TPPs only from the launch of new products and services. In addition, the FCA has proposed that the requirement for a fall-back interface should only take effect six months after launch (rather than from the launch date). The stated aim of this proposal is to allow ASPSPs time to develop such an interface or request an exemption to the requirements to have one.

Guidance on SCA

The FCA has also proposed new guidance stating that where the amount of a payment is not known in advance, SCA would not need to be reapplied where the final amount is higher than the original estimated amount to which the customer agreed when authorizing the payment, as long as this is not more than 20% above the estimated amount originally authorized.

Further, the FCA has noted that since it last updated the Approach Document, the European Banking Authority (EBA) and the European Commission have published various Q&A responses and opinions on SCA. The FCA has stated it agrees with, and plans to incorporate, the following EU guidance into the Approach Document:

• SCA elements. The EBA’s June 2019 opinion on the elements of strong customer authentication under the second Payment Services Directive clarified that information displayed on a payment card, such as the card verification number (known as the “CVV”), cannot be used as a knowledge or possession element for the purposes of SCA. The FCA’s stated position under its existing guidance is that the information printed on a card can be used as evidence of possession of a card, alongside use of a knowledge factor (such as a password or onetime passcode). However, the Consultation Paper indicates that the FCA now plans to adopt the EBA’s more conservative position on cards.
• Transaction risk analysis. The FCA plans to formally adopt EBA guidance stating that fraud rate calculations for transaction risk analysis (Article 18 of the SCA-RTS) should include only unauthorized or fraudulent remote electronic transactions for which the payment service provider was liable, and no other types of transaction.
• Corporate exemption. The FCA also plans to formally adopt EBA guidance stating that the corporate exemption under Article 17 of the SCA-RTS is applicable to physical or virtual card payments (as well as other payment instruments) provided that those cards are “only available to payers who are not consumers.” In other words, the cards should be used only to make payments from corporate customers, although they may be used by employees or agents of the corporate customer on its behalf.
• Authentication code. Further, the FCA plans to formally adopt EBA guidance stating that the authentication elements customers use at the time they access their payment accounts online (including via a mobile) may be reused if they then initiate a payment within the same online session. This means that a customer could authenticate a payment with one element only, while the firm relies, for example, on a password the customer used when logging into the account.
• Merchant-initiated transactions. The Commission confirmed that transactions initiated by the payee only, without any involvement from the payer, are not in scope of SCA. Card-based payments imply an action by the payer and are considered as transactions initiated by the payer, through the payee, to which SCA applies. However, where a payer has given a mandate to the payee for a transaction, or series of transactions, made through a card (or other payment instrument), then the payments initiated pursuant to this mandate are merchant-initiated transactions and therefore outside the scope of SCA. The Commission has explained that setting up the mandate with the customer through a remote channel should be subject to SCA.

Brexit-related updates

The FCA has proposed changes to the Approach Document to reflect the UK’s exit from the European Union (Brexit) and the end of the transition period on December 31, 2020. Brexit triggered a significant onshoring of legislation to ensure that the UK continued to have a functioning financial services regulatory regime. Broadly speaking, the proposed amendments incorporate changes made under the relevant European Union (Withdrawal) Act 2018, including the Electronic Money, Payment Services and Payment Systems (Amendment and Transitional Provisions) (EU Exit) Regulations 2018, and related FCA guidance. For example, the FCA is proposing to include additional guidance reflecting the obligation on ASPSPs to accept from TPPs at least one other electronic means of identification issued by an independent party, in addition to eIDAS certificates issued pursuant to EU law. The proposed changes to the Approach Document also reflect the change in territorial scope of the PSRs brought about by Brexit-related legislation.

The Temporary Permissions Regime (TPR) enables firms established in the European Economic Area (EEA) that had previously relied on EU regulatory “passports” into the UK to continue providing regulated services in the UK within the scope of their former passports for up to three years while they seek full UK authorization. The Financial Services Contracts Regime allows EEA firms that had previously passported into the UK but are not in the TPR (or that subsequently leave the TPR) to continue servicing UK contracts entered into before the end of the Brexit implementation period (or the time they leave the TPR) in order to conduct an orderly exit from the UK market. The FCA’s proposed amendments to the Approach Document include certain guidance for firms relying on these regimes.

Further, the FCA has clarified that while the broad range of non-legislative material produced by the European Supervisory Authorities, including the EBA, has not been incorporated into UK law, it remains relevant to the FCA and firms and to the guidance in the Approach Document. In particular, the FCA has stated that it expects firms to continue to apply EBA guidelines to the extent that they remain relevant, interpreting them in light of Brexit and related legislative changes.

Limited network exclusion

The FCA proposes to amend its guidance on the scope of application of the PSRs³ to include additional provisions on the types of products that may benefit from the limited network exclusion (LNE) at Schedule 1, Part 2, paragraph 2(k) of the PSRs. Among other changes, the FCA has confirmed that payment instruments that can be used on online marketplaces are unlikely to benefit from the LNE. This is on the basis that “the scale of the operation and the very broad range of the goods and services that can be sold or the sellers that can sell through such marketplaces mean that instruments that can be used on them are unlikely to be sufficiently limited.” This could have significant implications for certain online marketplaces that issue gift cards or provide e-wallets to their customers.

The FCA has also indicated that the following would not be considered as sufficiently “limited” to fall within the LNE:

• payment instruments that can be used to acquire goods and services within more than one limited network;
• payment instruments that can be used to acquire an unlimited range of goods and services; and
• instruments that can be used in a network of service providers that is continuously growing.

Next steps

The FCA has requested responses to questions relating to contactless payments (not covered in this update) by February 24, 2021, and for all other aspects of the consultation by April 30, 2021. After the consultation closes, the FCA will consider the feedback and publish finalized technical standards and guidance.

Firms should consider the impact the proposals may have on their business and whether to respond to the Consultation Paper, either individually or through a trade association.

¹ See further our Update of May 4, 2020.

² For these purposes, the term “third-party provider” includes (i) card-based payment instrument issuers; (ii) payment initiation service providers; and (iii) account information service providers.

³ At PERG 15.