UK FCA Updates Rules and Guidance for Payment Service Providers

In January 2021, the UK Financial Conduct Authority (FCA) consulted on changes regarding:

• the UK onshored versions of EU regulatory technical standards on strong customer authentication (SCA) and common and secure methods of communication (UK SCA-RTS)
• its Approach Document on Payment Services and Electronic Money (Approach Document)
• its Perimeter Guidance Manual (PERG)

On November 29, 2021, the FCA published PS21/19, “Changes to the SCA-RTS and to the guidance in ‘Payment Services and Electronic Money – Our Approach’ and the Perimeter Guidance Manual,” which summarizes the feedback the FCA received and sets out its responses and final rules and guidance.

SCA-RTS

The FCA proposed changes to the UK SCA-RTS to “remove the barriers … to the continued growth of open banking and support competition and innovation in the sector.” The changes to the UK SCA-RTS include:

• 90-day re-authentication. The FCA has established a new exemption from SCA so that customers do not need to reauthenticate through their account servicing payment service provider (ASPSP) every 90 days when accessing account information through a third-party provider (TPP), such as an account information service provider or a payment initiation service provider. Instead, TPPs need to reconfirm a customer’s consent every 90 days. SCA will continue to be required when customers first decide to connect their account to a TPP service. The change is intended to save consumers time and reduce friction.

• Payment account access. The UK SCA-RTS requires ASPSPs to establish interfaces through which TPPs can access customer payment accounts in a secure manner. ASPSPs currently have the option to enable access via a dedicated interface or a modified customer interface (MCI). The changes to the UK SCA-RTS require certain ASPSPs to enable TPPs’ access to customer account information for personal and small and medium sized entity current accounts (or other payment accounts with equivalent functionality). These changes aim to remove barriers that some TPPs have argued are created by use of MCIs. The FCA has clarified that it would not consider “an interface that requires a TPP to access the information through a screen (known as ‘screen scraping’) to be a dedicated interface.” The FCA expects firms to make the necessary changes within 18 months.

• Fallback interfaces. The UK SCA-RTS requires ASPSPs that have developed a dedicated interface to adapt their customer interface for use by TPPs if the dedicated interface becomes unavailable (known as the ‘fallback interface’). Previously, an ASPSP was required to have in place a fallback interface from the time it launched the relevant payment product, unless it was able to rely on an exemption. The changes to SCA-RTS permit ASPSPs to have in place a fallback interface no later than six months after launch. The intention behind the change is to allow ASPSPs time to develop the fallback interface if they are unsuccessful in applying for an exemption.

• Testing facilities. Previously, the UK SCA-RTS required ASPSPs to make interface testing facilities available for TPPs six months before new products involving the relevant payment accounts were launched. The FCA now requires that testing facilities be made available to TPPs from the launch of new products and services, rather than six months in advance.

Guidance on SCA

The FCA has also updated its Approach Document to implement new guidance on the authentication elements for SCA (relating to possession, inherence, and knowledge), the corporate exemption and merchant-initiated transactions.

• SCA elements. The FCA stated that it considers “that the [European Banking Authority] guidance on the inherence authentication element may be unnecessarily restrictive and not accurately reflect the meaning of inherence.” The FCA considers that inherence can be defined as a characteristic attributable to a person regardless of whether it relates to a physical property of the body (e.g., a fingerprint) or a behavioral biometric/characteristic (e.g., identifying a user by the way they type or their shopping patterns). As a result, the changes to the Approach Document clarify that behavioral biometrics and characteristics may constitute a valid inherence element for the purposes of SCA. However, the FCA has adopted the European Banking Authority’s view that static card data can neither constitute a knowledge factor nor a possession factor.

• Corporate exemption. The FCA has clarified that the corporate exemption from SCA at Article 17 of the SCA-RTS applies to legal persons initiating electronic payment transactions only. It has stated that firms that want to rely on an exemption in respect to accessing online account information may consider whether they meet the requirements of Article 10 of the SCA-RTS (accessing certain payment account information without disclosure of sensitive payment data).

• Merchant-initiated transactions. The FCA has confirmed that transactions initiated by the payee only, without any involvement from the payer, are not in scope of SCA. While merchant-initiated transactions are outside the scope of SCA, where a price increase is outside the scope of the initial mandate or agreement, a new mandate will need to be set up or else the price increase would be an unauthorized transaction. The FCA has clarified that SCA will need to be applied if a new mandate is set up through a remote channel.

Safeguarding

Pending the FCA’s appeal against the decision in the recent High Court judgement¹ relating to safeguarding by an electronic money institution (EMI), the FCA has decided not to state in the revised Approach Document that safeguarded funds held under the segregation method are held on trust for payment service users. This appears to be its interim position for both e-money and other payment services. The FCA has also updated its template bank acknowledgement letter for safeguarding accounts but has stated that firms that already have a safeguarding acknowledgement letter based on the previous template will not be expected to get a new one.

Separately, the FCA has continued to emphasise the importance of safeguarding audits. The FCA has noted that if an e-money or payments firm is required to arrange an audit of its annual accounts under the Companies Act 2006, it should arrange a safeguarding audit and ensure that this work is completed as soon as possible. The FCA noted that it expects firms to have made “significant progress with their safeguarding audits,” given that the relevant guidance was published over a year ago. The FCA has also stated that an additional audit will be required when a firm changes its business model in a manner that materially affects its safeguarding arrangements. The FCA states that “[t]his would apply, for example, to an EMI that starts carrying on payment services unrelated to issuing e-money.”

The FCA has noted that institutions will need to be careful to avoid giving customers misleading impressions about how much protection they will receive from safeguarding requirements. Further, institutions should avoid suggesting to customers that the relevant funds they hold for them are protected by the UK Financial Services Compensation Scheme.

Prudential risk management

The FCA has introduced new guidance on prudential risk management, which reflects the FCA’s continued focus on the financial soundness of non-bank payment service providers. The FCA had introduced the following best practices for firms in relation to regulatory capital and liquidity arrangements

• to deduct any assets representing intragroup receivables from the firm’s own funds, to reduce exposure to intragroup risk
• not to include any uncommitted intragroup liquidity facilities in its liquidity assessments

EMIs and payment institutions (PIs) that rely on intragroup arrangements for their capital and liquidity needs should consider how they could be affected by this guidance.

The FCA requires EMIs and PIs to carry out stress testing to analyze their exposure to a range of severe business disruptions or the failure of one or more of their major counterparties. The results of these tests should then be used to inform decisions around adequate liquidity and capital resources and to identify any changes or improvements required to systems and controls.

Further, the FCA has confirmed that it expects the senior management or governing body to document, review, and approve – at least annually – the design and results of the firm’s stress testing. The FCA has noted that firms should also carry out stress testing more frequently if it is appropriate to do so in light of substantial changes in the market or macroeconomic conditions. If the firm is a member of a group, it should carry out stress testing on a solo basis, taking into account risks posed by its membership of its group.

Wind-down plans

The FCA has provided additional guidance in the Approach Document to clarify its expectations in relation to wind-down plans, including guidance on the steps it expects firms to take when developing wind-down plans. A plan should show how the firm will manage liquidity, operational, and resolution risks and consider how the business would be wound down under different scenarios. Where relevant, a wind-down plan should be based on reliable, stress-tested financial data.

Limited network exclusion

PERG has been updated to provide further examples of payment instruments that may fall within scope of the “limited network exclusion.”

The FCA has confirmed that payment instruments that can be used on online marketplaces are unlikely to benefit from the limited network exclusion. This is because the “scale of the operation and the very broad range of the goods and services that can be sold or the sellers that can sell through such marketplaces mean that instruments that can be used on them are unlikely to be sufficiently limited.”²

The FCA has further indicated that the following would not be sufficiently “limited” to fall within scope of the limited network exclusion:

• payment instruments that can be used to acquire goods and services within more than one limited network
• payment instruments that can be used to acquire an unlimited range of goods and services
• specific-purpose instruments that become general-purpose
• instruments that can be used in a network of service providers that is continuously growing

Brexit-related updates

The FCA has also amended its Approach Document to clarify reporting and notification requirements for firms providing regulated payment services or issuing electronic money pursuant to the UK’s Brexit-related temporary permissions regime. While this is not a change in law, firms in the temporary permissions regime should review the relevant requirements and ensure that they are submitting the relevant reports and notifications while operating under the regime.

Next steps

Payment service providers operating in the UK should consider how the finalized rules and guidance may affect their business. In particular, firms should proactively review and, where necessary, update their compliance policies and procedures. UK EMIs and PIs should also assess their prudential risk management arrangements and wind-down plans to ensure that these are appropriate in light of the new FCA guidance.

¹ Ipagoo LLP (in administration) [2021] EWHC 2163 (Ch).

² The set of exclusions at paragraph 2(k) of Schedule 1 of the UK Payment Services Regulations 2017, which apply to certain payment instruments that can be used only in a limited way and meet certain conditions.