Payments View - June 2023

With Henley in full swing and the start of Wimbledon just around the corner we hope you are getting into the swing of summer and have a relaxing break on the horizon. For now, we have another packed edition of Payments View to help you keep up to date with key developments.

If any of these topics spark further questions, please don't hesitate to reach out to us.

EU Payments Reform - PSD3, Open Finance and Digital Euro

Hot off the press this week, the European Commission has put forward a number of key financial services policy proposals covering the:

• Third Payment Services Directive ("PSD3") and Payment Services Regulation ("PSR1"). The proposals here are focused on a restructuring of PSD2 to strength harmonisation and enforcement across the bloc. The current payment services are to be rationalised and e-money institutions will be integrated as a sub-category of payment institutions (alongside a new definition of "electronic money services" to cover the issuance of e-money, maintenance of payment accounts storing e-money units and transfer of e-money units). The draft also includes proposals on a new requirement to have a winding-up plan, amending the Settlement Finality Directive to add PIs to the list of firms that may participate directly in the payments system, and further guidance on safeguarding requirements;

• regulation on a framework for financial data access. As part of the development of open banking/finance, customers are to be given a new access right in respect of their financial data with a new category of authorised firm (financial information service providers) being one of the eligible parties able to access and process this data. In-scope financial institutions will also need to provide a dashboard that allows customers control over third parties accessing their data; and

• legislative framework to support the establishment of the digital euro. Here, like the UK approach earlier this year, the proposal makes clear that no decision has been made on whether a digital euro will be developed. The proposal does, however, call the development "necessary to supplement cash and adapt the official forms of the currency to technological developments, so that the euro can be used as a single currency, in a uniform and effective manner across the euro area." While the proposal would establish the legal framework for the digital euro (and provides a good degree of detail on the policy considerations), it will ultimately be for the European Central Bank to decide if and when to issue the digital euro.

These are obviously key developments for those engaged in payments and e-money services in Europe with the proposals optimistically expected to take around 18 months to travel through the EU legislative process, but with plenty of further engagement expected. We will be following development closely but if you are interested in talking through the detail of these proposals, or how they might affect you, please do reach out to us.

Next Steps for Open Banking Confirmed

The Joint Regulatory Oversight Committee ("JROC") has set out its "ambitious programme" of work in respect of the next phase of Open Banking in the UK. These next steps are focused around the six key themes set out in its recommendations in April, with Open Banking Limited being asked to lead on the first four:

1. levelling up availability and performance - particularly on the data collection framework for the relevant APIs;

2. mitigating the risks of financial crime - covering a wide range of data collection and analysis, financial crime prevention tools for TPPs and ASPSPs as well as "API based data sharing";

3. developing proposals for dispute processes (updated from 'ensuring effective consumer protection if something goes wrong') - focused on a Q4 2023 gap analysis;

4. improving information flows to third party providers and end users - where the current error codes and messages are under review, with a desire for consistent and definitive messaging regarding payment statuses;

5. promoting additional services - where non-sweeping variable recurring payments ("VRP") remains the PSR's focus here. Here, a VRP Working Group will be established, chaired by the PSR, the primary objective of which will be to develop a blueprint for the implementation of non-sweeping VRP by the end of September 2023 with an expectation that the phased roll-out of these products will begin before the end of the year; and

6. finalising the design of the future entity - where another working group (the Future Entity Working Group) will be established, chaired by the FCA, and given the primary objective to analyse and develop the options and design for the future entity, including recommendations in relation to its role, the structure, funding and governance.

Terms of reference for both working groups (VRP and Future Entity) have been published with outputs due from both in September.

Also of interest for the sector, the JROC has published a paper setting out the high-level principles for banks and registered third parties to follow when agreeing a premium API commercial model. The paper sets out that fees and charges for premium APIs should:   

1. Broadly reflect relevant long run costs;

2. Incentivise investment and innovation in premium APIs;

3. Incentivise take up of open banking by consumers and businesses and use of network effects;

4. Treat TPPs fairly; and

5. Be transparent.

APP Fraud Policy Statement published - changes from consultation

After consulting on proposed changes to address growing authorised push payment ("APP") fraud in the UK (which we have covered at length in previous editions of Payments View) the PSR has published its policy statement on the incoming mandatory reimbursement requirement.

Some key changes from the PSR's September 2022 consultation proposals (CP22/4) include:

• the removal of the £100 minimum threshold and the inclusion of a 'cap' / maximum level of reimbursement for APP fraud claims (by value), but with further consultation proposed on both of these points;
• an extension of the time limit for sending PSPs to reimburse customers - within five business days rather than 48 hours - along with the ability for PSPs to 'stop the clock' to gather additional information from victims or to assess customer vulnerabilities.

Whilst no further clarity has been provided on the meaning of 'gross negligence' (which will act as an exception to the reimbursement requirement) additional PSR guidance will be consulted on in Q3 2023 and published in Q4 2023 (ahead of the requirement's proposed implementation). Following some very public concerns around the 'independence' of Pay.UK, the PSR is now also issuing a General Direction under section 54 FSBRAtoall PSPs, requiring them to comply with the scheme rules established by Pay.UK.

For further detail you can find our insights article on the Policy Statement here. We also attended the PSR's policy statement discussion roundtable where there were interesting points raised on the liability shift mechanics; please do reach out if you had any questions on this topic.

The PSR has separately published the industry feedback to its consultation which proves to be interesting reading on the "polarised views on how the proposals would impact consumers" and Chris Hemsley has given a speech on the new requirement. Industry group UK Finance has published a short, somewhat direct statement calling the proposals as a whole a "missed opportunity in tackling the scourge of fraud" and calling for more responsibility to be assigned to social media and telecoms companies in stopping it.

EBA Consultation Paper: customer due diligence, money laundering and terrorist financing guidelines

The European Banking Authority ("EBA") has published a consultation paper setting out a number of proposed changes to its guidelines on customer due diligence ("CDD") as well as the factors credit and financial institutions should consider when they assessing money laundering and terrorist financing risk associated with business relationships and occasional transactions under the MLD. The consultation proposes to extend the scope of the guidelines to cryptoasset service providers ("CASPs") and:

• highlights risk factors that reflect the specific features of cryptoassets and CASPs. These proposed risk factors (set out in the draft at clause 21.3) and the mitigants, if adopted, should also be considered by in-scope institutions when entering into a business relationship;
• emphasises the need for secure remote onboarding tools to be used by credit and financial institutions;
• provides further guidance for credit and financial institutions when entering into business relationships with CASPs established in a third country; and
• provides sector-specific guidance for CASPs explaining factors that increase and reduce money laundering and terrorist financing risk CASPs should consider when assessing risks.

The EBA also intends that these proposals will be further complemented with amendments to the guidelines to prevent the abuse of fund transfers. The consultation closes on 31 August 2023.

Separately, and as readers working or interested in the crypto industry will be very aware, the FCA has published PS23/6, "Financial promotion rules for cryptoassets", which marks a key step in the regulation of cryptoassets in the UK. Our detailed Insight article on the topic can be found here.

Please don't hesitate to reach out to us and make sure to also subscribe to our sister Crypto View newsletter.

UK Government Commits to CBDC Legislation - if required - plus response from PSR

Following the UK government's publication of the consultation paper for a Digital Pound (a UK, retail CBDC which we covered in a special edition of Payments View), Jeremy Hunt has written to the Treasury Select Committee and Economic Affairs Committee to provide a short update.

This update, whilst maintaining the government's position that (i) no decision has been taken to introduce a CBDC and (ii) it is not clear whether any such digital pound would require primary legislation, it does confirm that "the Government commits to introducing primary legislation before launching a digital pound". This is an interesting development for those watching the space and suggests positive steps towards CBDC's development, without quite coming close enough to confirm it.

Separately, the PSR have set out their thoughts on the consultation - broadly welcoming the potential introduction of a digital pound (particularly highlighting the ways in which it could align with the PSR's current work on open banking, access to cash and A2A payments - all of which we have covered previously in Payments View) but also setting out their own specific considerations for the next stage of development.

The consultation itself is just about to close for comments (unless, of course, you are reading this edition of Payments View as the highlight of your weekend - in which case it closed on Friday 30 June).

Preparations for the Consumer Duty

The Financial Ombudsman Service ("FOS") have published articles on the Consumer Duty alongside a speech by Abby Thomas, which make interesting reading in light of the upcoming July deadline. The FOS has set out how they are preparing for complaints involving the Consumer Duty, noting that whilst the Duty is "underpinned by concepts of fairness and reasonableness, similar to the fair and reasonable standard we judge complaints against already" they are expecting complaints in relation to the Duty to take some time to come through to them.

The FCA has set out how the Duty applies to the payments sector and we are advising firms across the sector. In addition to supporting firms with their Board assurance activities, we're also advising on Consumer Duty policy development and implementation health checks. Take a look at our full menu of services containing templates, guidance notes and training materials we have built as a cost-effective solution to your Consumer Duty implementation. Please do reach out if useful to have a quick chat.

Middle East: Central Bank of Kuwait's Updates E-Payment Regulations

The Central Bank of Kuwait ("CBK") has taken steps to modernise the regulation of electronic payment and settlement in the jurisdiction, as well as publishing new regulation surrounding Buy Now Pay Later.

Under the new regulations, new licensable activities have been set out, broken down into e-payment, e-money, e-payment service operations, and Buy Now Pay Later services. Firms looking to engage in these activities will be subject to revised licensing requirements and restrictions which are dependent on the firm's size and the nature of activities in question. In a key development for the FinTech industry in particular, previously small and medium enterprises could only obtain licenses as e-payment service providers by way of acting as an agent of larger companies, but this restriction has now been repealed. In addition, and in another interesting step forward, the CBK has introduced Kuwait's first regulations governing Buy Now Pay Later services - mirroring other jurisdictions who are seeking to more clearly define the regulatory perimeter of this sector.

Ireland: CBI sets out audit requirements on safeguarding for PI/EMI firms

Finally, in a quick jump across to Ireland, we wanted to highlight that the CBI has issued a Safeguarding Notice on audit requirements under the Irish PSR/EMRs. This follows a Dear CEO letter from January which flagged the requirement for PIs and EMIs authorised in Ireland, highlighted weaknesses and risks, and specified that an audit of compliance with the safeguarding requirements under the PSR/EMR (as appropriate) should be carried out.

The notice provides guidance for firms on the elements required for this, as well as the linked attestations by the Board of Directors and auditor. Firms in question will need to submit a report to the Central Bank by 31 October 2023.

News Flash

• The European Commission has published its report (delayed since 2019) to the European Parliament and the Council of the EU on the application of the Payment Accounts Directive ("PAD"). In an interesting show of divergence from the UK (where the Edinburgh Reforms have, to date, been significantly less positive) the Commission's review concluded that PAD has:​
  • helped to create transparency/comparability of payment account fees, despite some fragmentation and duplication as a result of local implementation;
  • ensured that consumers have access to basic accounts, but take-up varies between member states and there may be different reasons for this; and
  • enabled all EU consumers to easily switch accounts domestically. ​
• The Financial Services and Markets Bill has completed the last of its Lords stages, with a third reading (where no changes were proposed) being held on 19 June 2023. The Bill now returns to the House of Commons for consideration of the Lords amendments, which is the final stage before Royal Assent of the Bill. The Government has published these and UK Finance has set out a helpful overview for those interested in the Bill's progress.
• The FOS has published data on its top five 'most complained about products', with current accounts (26,039 complaints) and credit cards (14,504) topping the list since April last year. Interestingly, whilst the number of FOS complaints for both has remained broadly stable since 2021/22 the FOS' uphold rate has decreased for both products - with the rate for current accounts falling from 51% to 40%.
• The OBL has published the Open Banking Standard v.3.1.11 which includes corrections to certain specifications and new wallet functionality, the details of which can be found here.
• The PSR has published a helpful note for POS providers in respect of the new requirements on Specific Direction 16, including clarification from the regulator as to whether certain categories of handsets, card readers, soft/smart POS etc fall within the contractual requirements.
• The JMLSG has received ministerial approval for its guidance materials published in March 2023, November 2022 and August 2022.
• The European Payments Council ("EPC") has published version 3.1 of the Single European Payments Area ("SEPA") Request-To-Pay ("SRTP") scheme rulebook (EPC014-20). The EPC explains that this version of the rulebook includes some clarifications about the use of market application programming interfaces to ensure interoperability between the SRTP scheme participants and two additional datasets related to the redirect option to be aligned with related implementation guidelines.
• The ESAs has published for consultation four draft RTS and one set of draft ITS in relation to DORA in respect of ICT risk management, major ICT-related incident reporting and ICT third-party risk management.
• Mastercard has launched a global plan to recycle credit cards (for both its own and competitors) as it looks to address the environmental impact of the near 26 billion cards in circulation.
• And finally, in a key development as part of the Bank of England's RTGS Renewal programme, the Bank has successfully migrated CHAPS to ISO 20022 - the latest global financial messaging standard. Users are unlikely to need to change the way they send CHAPS or cross-border payments for no but should start to see options to add further information or specific references (such as invoice numbers) with CHAPS payments towards the end of this year.