As an early Christmas present the FCA published their final Approach to Payment Services and Electronic Money, setting out how they intend to regulate under the Payment Services Regulations 2017 (‘PSRs’) and the Electronic Money Regulations 2011 (‘EMRs’).
The update mainly focuses on two areas:
1. Providing new Guidance on authentication and secure communication under PSD2; and
2. Some minor changes to clarify guidance or reflect legislative change.
For those not familiar with the above terminology, authentication refers to the procedure where a Payment Service Provider (‘PSP’) verifies to the identity of a payment service user or the validity of the use of a specific payment instrument. As an electronic service it is important to ensure that the user is legitimate and that their identity is verified. In addition, PSPs must ensure that before any activity is undertaken that the user has given their consent for their account to be accessed.
Interestingly, the protections set out in Regulation 100(1) of the PSRs require stringent authentication for requests received from both consumers and businesses, adding a layer of protection which will be particularly beneficial from SMEs who are more vulnerable to financial shocks and difficulties.
While certain activities such as paying a credit card bill over the phone or making an order are out of scope of Regulation 100 of the PSRs, it’s important to remember that firms are required to comply with anti-financial crime requirements and have sufficient processes in place to protect customers.
Innovation in authentication
The increase in using biometrics as customer verification will allow PSPs to benefit from potentially more secure ways of checking the identity of the customer and benefit from an increased level of security, but there are also a number of barriers for customers who can’t or won’t use biometrics.
In particular, customers who are older or less engaged with new technology are likely to be wary of the use of biometrics, or struggle to understand how they work and whether or not they are safe. Firms would be wise to think about alternative ways of authentication for those customers for whom biometrics are not an option.
Need an exemption to the regime?
Some firms will be able to request an exemption to the regime, such as ASPSPs from the obligation to provide a contingency mechanism The FCA is accepting those requests now and will continue to accept and assess them until 14 June 2019. Firms wishing to apply for an exemption are encouraged to discuss this with the FCA in advance of submitting the request and do this emailing firstname.lastname@example.org
And of course… Brexit
The FCA has published further information for emoney providers and PSPs in relation to the Temporary Permissions Regime (‘TP’). Firms who wish to access the TPR, allowing relevant firms and funds who currently passport into the UK to continue operating in the UK if the passporting regime falls away abruptly when the UK leaves the EU will need to register with the FCA between 7 January and 28 March 2019.