Payments View - December 2023

We hope you all had a relaxing Christmas break. Those of you in need of reading materials to get through the gloomy winters evenings now the festivities are done are in luck as this month's Payments View covers:

• The FCA's refreshed Regulatory Initiatives Grid
• Final policy statement on APP fraud
• Consultation on Access to Cash
• The PSR's interim report on cross-border interchange fees
• Questions over the UK's proposals for a retail CBDC
• Another speech on the incoming APP fraud proposals
• Open Banking Update: JROC progress and SEPA API
• Dutch consultation on sub-merchant good practices

As always, don't hesitate to reach out to us if any would be useful to discuss.

FCA Regulatory Initiatives Grid

The latest Regulatory Initiatives Grid has been published. The FCA updates the Grid twice a year to set out the details of regulatory initiatives relevant to the financial services sector which are planned for the next 24 months. We've pulled out a few items we think should be on your radar from a payments perspective:

• The much delayed safeguarding proposals have a date (albeit vague) with a consultation paper expected "to be published in H1 2024" and related "Policy Statement and final rules expected to be published in H2-2024 subject to consultation and relevant legislative changes being made by Treasury".

• Allowing a "risk-based approach" to payments over next year, with proposals "to allow payment service providers to delay the processing of a payment when there is a reasonable suspicion that the payment is fraudulent". This obviously ties into the wider APP scam reimbursement requirements and attempts to address fraud, but does, to our eyes, raise concerns over maintaining the UK's international competitiveness.

• It'll be a busy year for Open Banking, with engagement proposed every quarter next year, including possible CPs from both the FCA and PSR and specifically focused on A2A payments and VRPs.

• BNPL regulation might be back on the agenda - with this referenced in the introductory overview alongside the Consumer Duty as a means of increasing value for money. However, digging into the detail, there is still no specific date for next steps suggested, instead the Grid only notes that "Treasury is considering stakeholder feedback and will publish a consultation response setting out next steps when it is finalised. Secondary legislation to bring BNPL into the perimeter will be laid when Parliamentary time allows."

• Similarly, CCA reform more broadly may be planned, with "a detailed consultation document seeking views on an array of policy issues" proposed for H2 2024.

• A further call for input is planned on Big Tech's entry into retail finance - continuing on the FCA's paper earlier this year and, interestingly, framing the firms as 'data gatekeepers'.

• A consultation planned for later next year in respect of outsourcing.

• APP fraud implementation, with a cluster of further consultations and policy confirmations ahead of the implementation of the reimbursement requirement. In a related, but slightly more concrete, milestone - confirmation of payee for phase 2 firms comes into force from October.

• Draft legislation is expected next year to restrict the ability of PSPs to terminate framework contracts - increasing the notice period and introducing explanatory requirements.

Industry concerns not addressed in APP fraud policy statement

Another key update this month is the PSR's Christmas gift to PSPs, being the finalised policy statement on APP fraud reimbursement. Unfortunately, the hoped for pragmatic approach to aspects of the policy which was raised in extensive industry engagement, hasn't materialised and it remains broadly unchanged since the proposals earlier this year.

Some adjustments have been made, although not to key issues like the maximum cap, so the 'final score' is:

• The consumer standard of caution will require customers to (a) have regard to interventions made by their sending PSP or by a competent national authority, such as the police (b) promptly report frauds not more than 13 months after "the last relevant payment was authorised" (c) respond to any reasonable and proportionate requests for information made by their PSP and (d) in a change, consent to the PSP reporting to the police on the consumer's behalf or request the consumer directly report the details of an APP scam to a competent national authority.
• The level of the excess has been set at a maximum of £100, but this may be varied by the sending PSP.
• The maximum level of reimbursement sticking at £415,000, although this might be up for review.
• The start date of the policy having been pushed to 7 October 2024, as discussed previously in Payments View.

As we have been saying, we foresee this being a significant implementation project for the industry (especially for smaller PSPs) and we would not be surprised if the next year saw Faster Payments becoming, as a reasonable mitigation to protect firms, a much slower service with more friction and significantly reduced limits for consumers.

Access to Cash: New Rules for Retail Banks

In December the FCA published its consultation on Access to Cash with its proposed access to cash rules and guidance. As a reminder the FCA has been tasked by the government and through FSMA 2023 with establishing a new regulatory regime which seeks to ensure reasonable provision of cash deposits and withdrawal services for personal and business current accounts across the UK (see Payments View - September for more background).

The FCA and HMT do not dispute the positives of the shift from cash to digital payments and that it is driven by consumer demand, new technologies and the cost of accepting cash payments but they consider mandatory rules are needed to manage the pace and impact of the shift so that consumers and small businesses that are heavily dependent on cash are supported.

The proposed new rules apply to retail banks that provide current accounts and have been designated by HMT. The main requirement on designated firms will be to carry out a cash access assessment in certain circumstances.

• The proposed trigger events (with some exceptions) are:

  • Closures of, or material reductions / changes to the provision of cash access services at, an existing facility; and

  • Receipt of a cash access request from a person with a sufficient interest.

• A cash access assessment must be completed within 8 weeks and comply with the FCA's rules on process. The FCA is consulting on a transitional period to allow designated firms three months to carry out an assessment when the rules first come into force.

• The results of a cash access assessment must be published on the designated firm's website.

• Where its conclusion is that additional cash access services should be provided, designated firms must act without unreasonable delay and provide additional cash access services within three months.

Other requirements under the proposed rules include notification requirements, a periodic review requirement and information requirements. The rules are intended to be flexible and allow the regime to adapt to consumers' and businesses' evolving needs. Therefore the rules around the process for the cash access assessment are outcomes focused and designed to facilitate a robust examination of a range of factors to determine if any identified deficiencies are likely to significantly impact consumers and businesses in the area.

Given the associated cost of operating individual assessment processes, the rules envisage - and it's the FCA's expectation - that most firms will participate in 'cash coordination arrangements' operated or managed by a 'designated coordination body' that has been designated by HMT. A 'designated coordination body' is responsible for carrying out the assessment on a participating designated firm's behalf and its compliance will also constitute the designated firms compliance with the rules. Note that any requirements not met by a designated coordination body must be met by the participating designated firm.

The consultation is open until 8 February 2024 and the FCA expects to publish final rules and its Policy Statement in Q3 2024.

Should the PSR cap cross-border interchange fees?

The PSR kicked off its review into cross-border interchange fees in October 2022 and published its interim report in mid-December - the final report is expected in Q1 2024.

The review was triggered by Mastercard and Visa's decision to increase interchange fees fivefold for card-not-present transactions between the UK and EEA which became possible after Brexit. This means every time a consumer uses an EEA-issued Mastercard or Visa debit or credit card for online transactions within the UK, an outbound IF is paid to the EEA issuer by the UK acquirer. The higher costs are usually recovered by passing them on to the merchant and eventually the consumer. The impact on UK businesses in 2022 from the increase is estimated to be £150-200 million. The PSR has reviewed the market to determine the rationale behind the increase and to understand the impact on UK users.

In short, the PSR thinks intervention might be appropriate and is considering:

• An initial time-limited cap - likely returning IFs to the level pre-Brexit; and
• Implementing a permanent cap once it has developed a suitable methodology.

The time-limited cap would immediately address the lack of effective constraints on how IF levels are set and the cost on UK acquirers and merchants resulting from the IF hike. The PSR then intends to develop an appropriate and proportionate methodology to quantify the costs on merchants between accepting alternative payment methods that can be used to calculate a figure which is a proxy for a competitive IF.

The PSR is seeking feedback on its provisional findings and proposed interventions until 31 January 2024. In particular, it encourages issuers, acquirers, card scheme operators, businesses and cardholders to feed-in.

Treasury Committee asks if there's a 'point' to UK CBDC

The House of Commons Treasury Committee published their (pointedly titled) report 'The digital pound: still a solution in search of a problem?' in December concerning the implementation of a retail Central Bank Digital Currency ("CBDC") or 'digital pound'. The Committee calls for the further work on the proposals (which we covered in a special edition of Payments View) to address data privacy and financial stability concerns. Chair of the Treasury Committee, Harriett Baldwin, has also commented that "while we support the Bank of England's plan to continue working on the design of a potential retail digital pound, I would urge them to proceed with caution and maintain a genuinely open mind as to whether one is actually needed."

The Committee's main concern seems to be the new risks a retail CBDC could pose to the UK's financial stability "without careful management", suggesting that the UK economy may be more susceptible to bank runs if people are able to switch large amounts of bank deposits into digital pounds quickly in times of market turmoil, alongside concerns about the proposal's previous estimates that a digital pound could increase the interest rates on bank loans by at least 0.8 percentage points. To mitigate these risks, the report suggests that an even smaller limit is placed on the value of retail digital pounds each individual is initially allowed to hold (the proposal is currently £10,000-£20,000) - which, from our perspective, would significantly reduce the utility and uptake of any digital pound.

The report also raised concerns about potential misuse of consumers' data by the user-facing firms that would manage consumers' digital pound wallets (PIPs), highlighting "that the commercial use of this data could form a key part of the business model for wallet providers, in a way that it doesn't for banks". Finally, the report cautioned against a retail digital pound exacerbating financial exclusion by accelerating the demise of physical cash which many in the UK still rely upon - with access to cash being a key area of focus for the government and regulators.

PSR calls for great social media firm action and transaction limits to address APP fraud

Chris Hemsley spoke at the 1LoD Fraud Risk Event on the incoming APP fraud reimbursement requirements and "about what is needed now, in order to get ready for this change". Mr Hemsley noted that the proposals were "a world-first, and some will find it harder to adapt" - we agree, although perhaps do not share the PSR's view that "[other regulators] will be following down this path".

The speech did stretch a little further than the public proposals that we've discussed at length in Payments View to date, for example it is interesting to see much more public calls from the PSR (mirroring a lot of the payments industry) that "social media and telecoms firms can (and should) no-doubt do much more to prevent APP fraud". Similarly, Mr Hemsley suggested that a key way that firms can mitigate their risk is to deploy "sensible transaction limits" - although, as with the suggestions in the Regulatory Initiatives Grid that firms should consider slowing down Faster Payments, it seems an unusual move when considering the pressure to ensure the UK's competitiveness to push firms towards offering more limited functionality to consumers. In the same manner as Chris Hemsley's closing remarks in the speech, one imagines that, instead, the best way to tackle fraud should be "continuing the good work to tackle fraud by preventing it in the first place".  

Open Banking Update: JROC progress and SEPA API

The Joint Regulatory Oversight Committee ("JROC") has published a progress updateon Open Banking alongside a response to the Variable Recurring Payments ("VRP") Working Group's blueprint for non-sweeping VRPs (i.e. payments between a customer and a business). The latter recommends that payments to:

• regulated utilities;
• regulated financial services; and
• central and local government

should be the first step in creating wider uses for VRP and Open Banking payments. These were selected because they were understood to be less complex to implement and will require fewer additional protections because of those already present through regulation of the sectors. Extending this recommendation to include payments to regulated financial services firms will be a helpful step forward and they have all been suggested by the Working Group as they "bear a strong similarity to the sweeping me-to-me transfers already being offered by the market". The recommendations suggest that payment to e-commerce merchants were a further "stretch use case".

As part of this, firms have been encouraged to give their views (open till 2 Feb 2024) on what is needed for the commercial model which will allow for the rollout of non-sweeping VRP. Other next steps for Open Banking in the UK will be for Pay.UK and Open Banking Limited to work towards delivering the functional enhancements and dispute mechanism that have been highlighted as key in the delivery of non-sweeping VRP next year.

And in Europe, the SEPA Payment Account Access scheme ("SPAA"), for 'premium APIs' for Open Banking (i.e. offering functionality beyond the minimum regulatory requirements of PSD2), has taken its next step towards increasing A2A functionality and allowing banks to monetise open banking services. The scheme adherence pack has been published with the EPC moving towards getting the scheme up and running by setting up a scheme directory, defining a billing mechanism, and launching a pilot in due course.

Dutch consultation on sub-merchant good practices

Our Dutch colleagues have highlighted a consultation from the Dutch Central Bank (De Nederlandsche Bank, "DNB") specifically of interest to the interest of payment and e-money institutions that provide payment services to clients that partner with sub-merchants.

The good practices that have been consulted on provide guidance to such payment and e-money institutions on how to manage risks related to the provision of payment services to such clients. In particular, the good practices touch upon

• the coverage of different risk scenarios related to sub-merchants institutions' systemic integrity risk analysis (SIRA);
• the adoption of a customer due diligence policy by institutions related to (clients with) sub-merchants; and
• the making of adjustments to institutions' transaction monitoring systems to tailor these to situations involving sub-merchants.

The consultation ends on 25 January 2024.

News Flash

• The FCA has put out an overview report on their findings of their retail banking Consumer Duty multi-firm work. The report looks at actions that firms have taken for customers in financial difficulty, such as those dealing with bank accounts of deceased or incapacitated customers, fraud and security breaches, business current accounts and/or mortgages for debt consolidation.

• The PRA is consulting on operational resilience, focused on critical third parties to the UK financial sector, with responses requested by 15 March 2024. This comes alongside TheCityUK's recommendations in the same vein.

• The PSR has published its cycle 2 APP fraud data reporting guidance for PSPs.

• An interesting retrospective report on the "2023 banking turmoil and deposit insurance systems" was published by the International Association of Deposit Insurers, covering potential implications and emerging policy issues.