For those of us who have been tracking the development of the payment services industry, the story of US-based company Confinity is of particular note. Confinity was established in December 1998 as a company providing cryptographic solutions for handheld devices, which in those days amounted to the Palm Pilot PDA and the (now long forgotten) Apple Newton.
Then, in 1999, Confinity started to develop a payment system built specifically for the internet which would allow people to email money to each other. They called this system PayPal and it revolutionised online marketplace transactions –eventually becoming the de facto payment solution for another rapidly evolving web-business, eBay. Fast forward to the present and PayPal, which reported second quarter revenue of $3.136 billion, has inspired an online financial revolution of sorts where almost every type of financial transaction can now be facilitated by a smorgasbord of start-up and established tech businesses.
Although in business terms 19 years is a long time, especially in the context of the evolution and development of the numerous providers of payment services now available, in regulatory terms the pace of change has proven to be too rapid for legislators to keep up with.
Enter PSD2 which, with grandiose plans to provide a regulatory framework that is intended to be relevant to the latest breed of innovators (including all those who have gone before), and even to create new industries (such as the new categories of PSPs – account information service providers or AISPs and payment initiation service providers or PISPs), is now in the final throes of consultation before the majority of the requirements set out in the legislation will need to be complied with on 13 January 2018.
The latest of these consultative steps has seen the publication by HM Treasury of its Response to the Consultation on the Implementation of the revised EU Payment Services Directive II which looks to enunciate the responses received from industry and consumers to the consultation issued by HMT in February 2017 and to outline how, if at all, government’s approach to implementation will be amended.
So what are the key changes from the points we already know?
Monitoring of spending limits
Whilst industry has generally reacted positively to PSD2, one of the more widely publicised concerns raised by market participants is in respect of the changes that will be made to the scope of the directive. In particular, HMT has confirmed that the majority of respondents to its February consultation paper were worried about their ability to track and monitor the monthly spending of users in accordance with the exemption at Article 3(l)(ii) which takes outside of scope payment transactions which are (a) for the purchase of digital content and voice-based services or (b) performed from an electronic device within the framework of a charitable activity or for the purchase of tickets and which are charged to the users bill, provided in both cases that the cumulative value of those transaction does not exceed €300 per month. Participants’ concerns in this regard revolved (validly) around the cost of developing a system to track a user’s aggregate spending over a monthly period.
By way of response, government noted the concerns of industry but has only proposed to change the regulations to set out the spending limits in sterling as opposed to euros. Government also confirmed that firms looking to benefit from this exemption would be required to submit an audit report at the end of each year to confirm the firm’s compliance with the exemption limits – the final form of which is not yet available.
It was, perhaps, a bit speculative of industry to request any further derogation from the text of PSD2 by the government. Regardless, it is unsurprising to note that a number of market participants are not entirely enamoured by this response, which would seem, on its face, to be a further regulatory compliance cost which will affect smaller businesses hardest.
Monthly statements
Articles 57(3) and 58(3) of PSD2 give Member States an option to require that payment service providers (PSPs) provide information on their transactions to payees and payers at least once a month, on paper or another durable medium. This is a derogation from the default option which requires such statements to be provided on a transaction-by-transaction basis (per Articles 57(1) and 58(1)).
Having reached out to industry to explain that transaction-by-transaction reporting would be the default option under PSD2 and, having received a generally negative response, government has now confirmed that it intends to take up the monthly statement derogation and thereby avoid having to prescribe transaction-by-transaction reporting by default. Recognising also that monthly statements are not always the best reporting option for consumers (and product providers) government has also sought to give consumers a certain amount of choice on how they are to be reported to by confirming that it intends to allow PSPs to include in their framework contract a clause which enables consumers to choose whether they wish to change how they receive statements. In this regard, customers will be able to choose whether:
(a) a statement is actively provided to them every month or made available on request;
(b) any statement is to be provided more frequently than monthly; and
(c) information is provided in an alternative manner which allows the information to be stored and reproduced.
Extending the surcharging ban
A recent theme of European legislation has been, where possible, to set ever more expansive rules limiting the ability of retailers to surcharge their customers for the use of particular payment methods (typically credit cards of American Express charge cards). The effect of this has been to create a large and heterogeneous collection of national regimes throughout Member States – particularly because PSD allowed merchants to request surcharges or offer discounts for particular payment types.
Under PSD2, a default prohibition will be implemented on surcharging for payment instruments where interchange fees are capped under Chapter II of the Interchange Fee Regulation (Regulation (EU) 2015/751). This would capture most consumer debit and credit cards, but excludes three-party card scheme payment instruments and commercial cards (such as American Express).
Having consulted on these provisions, government has noted the desire of a number of respondents to gold-plate these provisions and has confirmed that it will extend the regulations by prohibiting surcharges for all payment instruments. This is excellent news for consumers and will be a direct, tangible, benefit to many.
Open Banking
The overlap between the Open Banking regime and PSD2 is a big topic and worthy of comment in its own right, but for summary purposes only – the provisions of PSD2 most likely to be “game-changing” in their own right are those concerning the creation of two new categories of PSPs, namely account information service providers (AISPs) and payment initiation service providers (PISPs). This has created a whole new eco-system of market participants who will have the opportunity to link up with customers’ bank accounts and provide additional services not otherwise provided by the banks. True, firms were already exploring this market prior to PSD2, but bringing them into the scope of this regulation gave those firms, and others, the legitimacy to proceed (and avoid consumers implicitly breaching their banking terms by providing login details to enable the current use of “screen-scraping” from consumers’ bank accounts).
In the UK, government already had a vision for enhanced competition in the retail banking market and enunciated it through the Open Banking Standard - the outcome of which was the development of the Open Banking Application Programming Interface (API) Standard. This standard, developed with the provisions of PSD2 in mind, provides the framework for how AISP and PISP software accesses and authenticates users’ banking data and how it initiates payments.
This is all well and good, however, the timing of the two parallel agendas (Open Banking on the one hand and PSD2 on the other) has prompted some concern for those firms who are already making use of the Open Banking API Standard but who will only become subject to the PSD2 Regulatory Technical Standards in respect of the operation of their activities once those RTS come into effect (at some point after 13 January).
In response, government has confirmed that AISPs and PISPs operating before 12 January 2016 are able to continue to perform the activities they are already performing outside of regulation in the period between 13 January, but only until the point at which the RTS comes into effect – at which point they would need to register with or obtain authorisation from the FCA. Firms looking to operate in the AIS or PIS space after 13 January will be required to be registered with or seek authorisation from the FCA before they can begin operating.
Power to the FCA
Finally, the FCA will be granted more rule-making powers specifically to address concerns that the current powers available to it under the Financial Services and Markets Act 2000 (FSMA) would not allow it to effectively combat poor practice among firms, protect consumers and ensure that firms providing payment services can be held to an objective standard. How those rule-making powers are utilised by the FCA however remains to be seen.
And what isn’t changing?
As with most consultations at this stage of the implementation process, most of what was originally proposed has been retained. However, in that context it is worth highlighting two noteworthy areas in which government has confirmed that the status quo will remain:
The general approach
Government has confirmed that it considers it appropriate to maintain its proposed approach to implementing PSD2, namely by utilising the copying-out approach, whilst looking to take advantage of derogations where appropriate. Furthermore, government will only gold-plate the provisions of the regulation where there is a strong case for doing so (see, for example, the ban on surcharging).
Transparency of foreign exchange fees
As a result of maintaining the general implementation approach, UK consumers will not benefit beyond the strict drafting of the rules in respect of the charging practices of overseas money transfer providers. Despite several hundred responses to the consultation which complained about the lack of transparency in respect of the fees being made by foreign exchange providers through the exchange rates quoted, government has confirmed that it will go no further than the text of the directive which requires firms to be transparent about any fees for overseas money transfer and the exchange rates that businesses and consumers are provided with. Obviously, this does not expressly require providers to disclose the amount of money that they are making from the exchange rates they offer and, as such, transparency in this context will be, at best, opaque.
Other developments of note
In addition to the above, the implementation of PSD2 has obviously been a priority item on the desks of a number of governmental and FCA employees of late. Of particular note has been the publication by the FCA of a further consultation paper (CP17/22) entitled Revised Payment Services Directive (PSD2) implementation: draft authorisation and reporting forms, which seeks responses to certain proposals by the FCA around record keeping, reporting and the practicalities of firms seeking authorisation under PSD2. The content of the consultation is not particularly explosive, with the proposals largely in keeping with the basic regulatory requirements. This is particularly true in respect of:
(a) incident reporting – which the FCA will implement through its Connect system in accordance with the relevant EBA Guidelines; and
(b) information sought under the authorisation and registration processes for the various types of service providers.
There are, of course, certain areas where the FCA has done some tinkering around the edges of the regulations including:
(a) amending the definition of “own funds” for Payment Institutions and Electronic Money Institutions under regulatory returns – which will be brought in line with the definition in the Capital Requirements Regulation as required; and
(b) requiring credit institutions to provide reporting on the volume of account information services and payment initiation services they carry out.
Statutory implementation – PSRs, FSMA & FCA Handbook
Meanwhile, the legal draftsmen have been busy at work finalising the text of the Payment Services Regulations 2017 (PSRs), which are the primary statutory tool used by HM Treasury and Parliament to transpose and implement the majority of the primary provisions of PSD2 into UK law. The remaining operational provisions will be implemented through changes to FSMA and, by the FCA, through changes to the Handbook.
Closing Comment
With new powers being granted to the FCA and HMT, and Parliament contributing to the size of their collective legislative and regulatory muscle, the latest iteration of the regulatory arena for payment services is beginning to take shape. Slowly but surely the final picture is beginning to emerge in a UK-specific context and, although PSD2 has widely been hailed as a “game changer” by many, the question remains – how quickly will another Confinity come along and render the new regulatory landscape obsolete?
If you have any questions on the matters discussed in this article, please speak to your usual Burges Salmon contact.
This article was authored by Gareth Malna and first appeared in the September 2017 edition of Payments & Fintech Lawyer.