Payments View February 2024

Ahead of our usual programming, in an exciting development we have just launched our test access to Payments Reviewer, our new cross-border due diligence tool. Payment Reviewer uses custom-built technology to display and explain the regulations of payment services, remittance, execution issuing cards, offering e-money around the world in a clear and user-friendly way. As with our main Navigator platform, Payments Reviewer will update quarterly to ensure you keep on top of legal and regulatory developments.

We can provide you with a demo of the online instance of the platform and then test access for two weeks - if you'd like me to get this sorted for you, do just let me know.

Even with February being the shortest month, this edition of Payments View is one of our longest for a while, with plenty of updates across the UK and EU including:

• FCA consultation on new approach to publicising enforcement actions
• Pay.UK's industry solution for APP scams will not be ready for Day 1 of reimbursement requirement
• 'Good and bad practice' for Day 2 Consumer Duty
• FCA data on its financial promotions enforcement
• APPG report on de-banking
• 'Business as usual' approach suggested by Labour's financial plan
• Regulators' approach to cost-benefit analysis and regulatory accountability
• SEPA Instant Euro proposal adopted
• European ruling on scope of e-money
• PSD3/PSR Update: ECON adopts draft reports
• Report on 2023 stocktaking of Big Tech direct financial services provision in the EU
• FCA update on reducing and preventing financial crime
• Bank of England's proposals to enhance Real Time Gross Settlement system

As always, don't hesitate to reach out to us if you would like to discuss any of the developments in this edition.

FCA consulting on new approach to publicising enforcement actions

Historically FCA enforcement actions have been focused, relatively discrete affairs, with very little made public or commented on until the regulator's investigations have been resolved. However, a new consultation paper published by the FCA proposes to drastically depart from this, with the regulator planning to specifically name firms under investigation on the basis of a "public interest" test regarding sharing information. The hope is that this will not only encourage witnesses and whistleblowers to come forward but also make sure the FCA has "the maximum impact in deterring misconduct and crime".

This consultation paper has been accompanied by a speech on the FCA's evolving enforcement approach as well as the regulator directly briefing the FT. This proposed change in approach should not be underestimated and reflects both a greater willingness of the FCA to flex its ever-increasing 'outcomes-based' remit (as seen with the Consumer Duty and financial promotion enforcement) and a marked change in the purpose of its enforcement action towards communicating what their plan is for the market.

We should emphasise that the plan is to specifically name firms and not individuals. Enforcement cases concerning individuals are highly sensitive and there are specific legal considerations for individuals. It should also be noted that the complexity around managing regulatory disclosures and protecting personal data is a hot topic at the moment. We are helping a number of firms form a strategy here and discuss this in our January SMCR View, please reach out if this is something you are considering. 

The consultation is open until 16 April.

Industry solution for APP scams will not be ready by Day 1

Following the PSR's confirmation of the final policy on PSPs to address APP fraud (covered in December), next steps in the policy's implementation have shifted to Pay.UK as operator of Faster Payments. This month, Pay.UK have published their first implementation update on the 'end to end' industry data sharing solution, following their RfP last October.

Although confirmation of an industry solution should be welcome news for firms, they will still need to consider how to meet the requirements for 'Day 1' as the industry-wide solution will not be in place until 'Day 2' ("as soon as possible") after the start of the reimbursement requirement. For the 7 October implementation deadline, Pay.UK will provide a 'central directory' of contact details for other PSPs and each PSP will need to have in place their own internal solution for both the reimbursement communications and the (separate and incoming) compliance monitoring requirements.  These individual 'Day 1' solutions will then be replaced entirely by the industry-wide solution when it is ready.

A few further points that jumped out to us were that:

• Pay.UK will be submitting their proposals for the compliance monitoring process to the PSR on 5 April, with the final publication due 7 June. The PSR published a letter, both (i) asking for Pay.UK to (informally) give them sight of these proposals in March and (ii) noting that as SD19 does not give Pay.UK the power to require the provision of data or information from PSPs, the PSR will consult in April 2024 on a direction that will require all PSPs in scope of the reimbursement policy to report data to Pay.UK;

• industry onboarding for the 'Day 1' solution will take place in July-September;

• Pay.UK set out a list of other areas where they are aware the industry thinks require attention and have suggested guidance and best practices will be included in operational documents to address these - there are very few areas not included on the list, so it's important to keep a look out to see what's published on this front; and

• Pay.UK ran workshops every Friday in February, firms who missed these and are looking to engage may want to contact APPReimbursement@wearepay.UK.

These procedural updates come as more and more banks and payment firms raise concerns that the origination of scams are not being properly addressed, with social media firms being firmly pushed into the spotlight (the recent Treasury Select Committee oral evidence of Revolut, TSB and Santander being noteworthy).

We are currently running dedicated training sessions for firms on what they can be doing now. If you need help with your to do list as well as information on scoping let us know if it would be helpful to talk about this.

Good and bad practice' for Day Two Consumer Duty

For those in scope of the Consumer Duty, the FCA's recent implementation guidance and speech by Sheldon Mills will both be of interest. The good practices highlighted in the former are particularly useful, with the FCA specifically highlighting firms who:

• Accelerate business changes to deliver better customer outcomes. For example, some firms have paid more attention to service level metrics for call abandonment rates, root-cause analysis of complaints and customer satisfaction surveys, taking action to improve standards.

• Ensure responsibility for good customer outcomes is understood and owned across the business - not just by risk and compliance teams but also by those involved from product design through to post-sale support.

• Increase focus on the customer at Board level, with firms' senior leadership teams giving serious consideration to what the Duty means for them at a practical and cultural level. Here the FCA highlight that there is a risk of bad practices where the Duty is primarily driven by programme teams or risk and compliance colleagues and isn't discussed at Board level.

• Update staff bonus structures to ensure that incentivisation is in line with the aims of the Duty.

• Develop new data and metrics to better understand their customers. Introduce appropriate governance so that action is taken where problems are identified.

The guidance sets out a similar level of good practice for each of the four outcomes as well as setting out good practices dealing with vulnerable customers.

FCA sets out data on its financial promotions enforcement

One of the defining features of the FCA's current supervision and enforcement strategy is the marked increase in how active it has been on financial promotions (particularly those regarding high-risk investments and crypto). The FCA's 2023 retrospective on the financial promotion data highlights this - not only showing the significant increase in the number of promotions required to be amended or withdrawn (up 16.6% on last year) but also on the increasing use of the consumer warning list (with 21% more alerts being issued against unauthorised firms and individuals).

The heart of the FCA's message is that they "remain concerned about the levels of compliance with the financial promotions rules", with concerns raised about high-risk investments being promoted on social media and cryptoasset promotions in particular.

We are also aware of robust conversations being had between the regulator and payment firms who provide services to cryptoasset firms - in short, the FCA following through on its comments to the industry in the September Final Warning letter.

The FCA has also published its 2023 Q4 data focusing again on financial promotions relating to cryptoassets with over 1,000 promotions amended or withdrawn.

An Iranian, a Russian, a bookie and a yacht-broker all walk into a bank - and are promptly asked to leave" APPG's report on de-banking

Questions around an alleged industry-wide culture of de-banking captured headlines last year, particularly following the news story on Nigel Farage, the FCA's intervention and report last summer (which, incidentally, did *"not suggest that accounts have been closed because of the political beliefs or views lawfully expressed by account holders"*), and the proposed changes to how firms can terminate framework contracts.

Following this the 'APPG for Fair Business Banking' has published a report suggesting that, because of what they see as the "blanket de-risking of customer portfolios" by banks, a "radical re-assessment" is required. The report suggests that "access to banking facilities [should] be a fundamental right, akin to a utility" and that the focus of banks "on reputation is as extraordinary as it is troubling". It also makes a number of significant recommendations, including that:

• "the regulator must reverse its position on reputation and issue guidance that requires banks to disregard [their own reputation] - in all cases other than unlawful conduct - when providing access to the financial system";

• a 'Basic Bank Account' for small businesses should be mandated and regulators should act as a "buffer" to protect the confidentiality of such banking relationships, if required; and

• the proposed further protections (of increasing notice periods to 90 days) should extend to "all accounts" and Treasury's proposal for banks to be able to decide what information should be provided to customers should be reconsidered.

It is interesting to consider how the report's suggestions would fit within the framework of existing restrictions and guidance on preventing unfair de-banking and the role all parties need to play in preventing money laundering and financial crime. More widely on this topic, and for those who didn't catch them last summer, we recorded two podcasts on de-banking which can be found here: DSARs and Debanking and Debunking Debanking.

The APPG also recently published a separate report on the UK's system of compensation and redress schemes, calling for the establishment of a standing independent body (co-funded by the private sector) and a Financial Services Tribunal to address what they see as a fragmented landscape.

'Business as usual' approach suggested by Labour's financial plan

Whilst we're not part-time political pundits at Payments View HQ, we wanted to highlight that the prevailing message of Labour's Financing Growth plan is one of continuity, not change.

Increasing consumer protections, resurrecting BNPL regulation, the next phase of Open Banking, mandatory reimbursement of APP fraud, allowing delays for suspicious payments, and the UK CBDC have all been key features of the last few years of Payments View. They therefore seem to be in no danger of being packed up into the current government's removal van, if defeated in the next election. One of the less obvious suggestions which caught our eye are the plans to streamline the regulatory rulebook to align with the Consumer Duty. This would mean removing rules which have been made redundant by the new requirements and would take place following 'extensive industry engagement'. We are genuinely fascinated to see what this would look like in practice.

Regulators' approaches to cost-benefit analysis and regulatory accountability

One for the real regulatory nerds but as part of its attempts to uphold public trust and transparency, the FCA has introduced guidance setting out the approach and methodologies of cost-benefit analysis ("CBA") in the formulation of policy measures. This document provides a thorough examination of the FCA's underlying principles regarding CBA, the estimation of benefits, and introduces revisions to the FCA's Standardised Cost Model. On 6 February 2024, the PSR released a similar justification for its CBA framework, underscoring the significance of transparency and the verification of policies, including CBAs, through substantiated empirical evidence.

While these publications focus on reassuring stakeholders of the robust assumptions and metrics that underpin the research models employed, as well as the methodologies for data collection and analysis - both qualitative and quantitative - the regulators also acknowledge inherent limitations within these models. These include the challenge of quantifying uncertainty and non-financial impacts, such as the valuation of time and well-being effects; the propensity of the current CBA model to favour remedial interventions over preventative measures; and underpinning models on assumptions that introduce bias or inaccuracies.

This concerted move towards greater transparency emerges amidst potential scrutiny from various stakeholders, particularly concerning the metrics applied to assess proportionality. An illustrative case is the anticipated scrutiny towards the APP scam reimbursement rules. Under this scheme, PSPs are expected to compensate victims of APP fraud up to £415,000, barring limited exceptions. The key recommendation from the Future of Payments Review Report was for the PSR to review the costs and benefits of the mandatory reimbursement rules 12 months after implementation to understand the impact of any additional friction in the payments process and how this compares internationally, as well as the impact on fraud rates. In the current climate, it is increasingly important for regulators to sustain public confidence and uphold accountability in policy development.

SEPA Instant Euro proposal adopted

Earlier this month the European Parliament adopted the new regulations updating the rules for the Single Euro Payments Area ("SEPA") rules which we first flagged in the November edition of Payments View ensuring instant processing of credit transfers across the EU and benefiting retail clients and businesses, particularly SMEs. The regulation stipulates that banks and PSPs make credit transfers affordable and instant, with funds being received within ten seconds at any time, and the payer notified of the transfer's success within the same timeframe.The regulation was adopted by a large majority and will be enforced 20 days after its publication in the EU Official Journal. PSPs in the euro area then have 9 months to prepare for receiving and 18 months for sending instant credit transfers in euro.

For non-euro EEA states offering euro transactions, there is a longer transition period and a derogation for payments outside business hours due to liquidity concerns. PSPs must implement strong fraud detection and prevention measures, offering immediate, free recipient identity verification services. Clients can set limits on instant transfers and claim compensation from PSPs for financial losses due to unfulfilled fraud prevention duties. PSPs must also screen clients for sanctions related to money laundering and terrorist financing. Charges for instant credit transfers in euro cannot exceed those for standard euro transactions.

To be [e-money] or not to be [e-money], that is the question'. New European ruling on scope of EMD*

If it looks like e-money, walks like e-money and consists of customer funds being retained in an account for longer than the time required for the execution of payment transactions - what is it? Well, 'still not e-money' in the EU, according to a recent CJEU judgment concerning a dispute between the Bank of Lithuania ("BoL") and payments fintech ABC Projektai.

This ruling follows the withdrawal of ABC Projektai's licence by BoL on (amongst others) the grounds that ABC Projektai received customer funds without a specific payment purpose and retained them for (at times) several months without transferring the funds to the accounts of the recipients of those payments. The CJEU was therefore asked - where received funds are not immediately accompanied by a payment order and therefore remain available on a payment account operated by that institution, does this "constitute a payment service provided by that payment institution or a transaction consisting in the issuance of electronic money"?

The CJEU ruled in favour of this constituting payment services, not the issuance of e-money, due to a number of elements, including:

• the temporal mechanics of certain regulated payment services (including placing funds on an account, direct debits and credit lines);

• that the 'D+1' safeguarding timings expressly address that there may be a delay in the holding and onward transmission of funds; and

• that there is, in the court's opinion, a difference between a 'mere claim' on an institution because of an entry on a payment account and the 'storing' of funds as issued e-money with that institution that has been "converted into a monetary asset separate from the funds received" - and it is at "the very least necessary that there be a contractual agreement between the user and the electronic money issuer under which those parties expressly agree that the issuer will issue a separate monetary asset up to the monetary value of the funds paid by the user".

The CJEU is rarely asked to interpret the Electronic Money Directive, and although this judgment will give EU payments firms some comfort on their ability to hold funds for an extended period of time, it blurs the line between payment services and e-money which could cause bigger issues in the long run.

PSD3/PSR1 Update: ECON adopts draft reports

The European Parliament's Economic and Monetary Affairs Committee has adopted the PSD3 and PSR drafts. Next on the path (likely lasting at least two years) will be that the European Parliament is expected to vote on both texts during the first plenary session to be held on 10 and 11 April. Navigating the European Parliament elections will then be the order of the day, with negotiations between the European Parliament and Council to be held during (or even after) these. Some other key points from the press release are that:

• a number of core definitions are to be updated to allow EU regulators to keep pace with new forms of payment services, including expanding definition of 'payment account'; to be an account used for both sending and receiving funds to and from third parties;

• all undertakings intending to provide payment services or electronic money services will have to apply for authorisation, providing a business plan, the types of payment services proposed, a winding up plan as well as detail on security, data and governance controls (existing payment and e-money institutions will not have to seek a new authorisation under the directive, but would follow a simplified process with their competent authority);

• customers should be able to opt out from data sharing with third parties when a PSP processes their payments; and

• customers should be informed about all charges, prior to the initiation of a payment transaction in a clear, transparent and accessible manner.

Whilst no immediate steps are required to firms' operations, PSD3 will be a huge change for all firms operating across Europe. If you are looking to get started with your own scoping, don't hesitate to reach out to us.

Report on 2023 stocktaking of Big Tech direct financial services provision in the EU

Similar to the UK, the EU is focusing attention on the role that Big Tech plays in the provision of payment services as seen with the European Supervisory Authorities ("ESAs") report on the 2023 stocktaking of direct financial services provided by Big Tech in the EU (the "Report"). The Report summarises the findings of the 2023 stocktake and identifies potential opportunities and risks associated with the entrance of Big Tech companies, such as Amazon, Google and Meta, into financial services.

The review showed that Big Tech subsidiaries currently licensed to provide financial services pursuant to EU law mainly provide services in the payments, e-money and insurance sectors and, in limited cases, the banking sector and identifies:

• Big Techs' capacity to leverage common data pools and infrastructures that may help them gain a competitive advantage in markets;

• that the entrance of Big Tech in financial services gives rise to opportunities and risks stemming from their intragroup dependencies (risks including operational resilience and cybersecurity risks and the potential for data abuse and mishandling of consumer data);

• key opportunities to offer technologically superior services and offer better services at lower prices; and

• supervisory and regulatory issues identified by the NCAs - such as poor visibility of intragroup connections, poor notification practices, creating challenges in terms of monitoring and ensuring compliance, and challenges in identifying supervisory counterparts.

As an immediate next step, the Report anticipates the creation of a "multi-faceted data matrix". The matrix is aimed at providing a dynamic and more granular framework for mapping the activities of Big Tech, not only capturing their role as direct financial service providers, but also utilising other data sources to track the relevance of Big Tech to the EU financial sector (e.g., as technology providers and gatekeeper platform providers). In light of the findings set out in the Report, these actions will be taken forward by European Forum for Innovation Facilitators as part of its 2024 agenda.

In the UK, the FCA has turned its attention to the competition impacts of the entry of Big Tech companies in the financial services sector. The FCA published a Discussion Paper on this topic in October 2022 and a Feedback Statement in July 2023. In November 2023, the FCA ordered a Call for Input on the potential competition impacts stemming from the data asymmetry between Big Tech companies and other firms in the financial services industry.

FCA's update on reducing and preventing financial crime

Tackling financial crime is a priority for the FCA and was called out 18 months ago in its three-year strategy. This month the FCA updated the industry on progress and also identified four areas to focus on. For each of these areas the FCA has included a case study of good practice by firms and suggested questions for firms' boards to be asking. Understandably the FCA expects payments firms to be prioritising improving fraud prevention measures with the incoming reimbursement requirements.

Progress

• Fraud prevention: the FCA has been working with industry and partners to improve fraud prevention measures. The priorities have been tackling recognised investment fraud and APP fraud. Most of the work listed relates to the former but the FCA does call out that it is working with the PSR to support the new reimbursement rules for APP fraud, as well as, with Treasury and the PSR on the legislative and regulatory changes necessary to enable firms to slow payments where they suspect fraud.

• Money laundering and sanctions: the FCA has been working with the National Economic Crime Centre to leverage data and drive improvements in regulated firms. The FCA is taking a robust and proportionate approach to authorisation applications and firms with insufficient controls are being refused.

• Collaborative approach: the FCA has sought to engage the private sector and cites its APP TechSprints, Dear CEO letter to payment firms in March 2023 and accompanying webinar.

Areas of focus

• Data and technology: the FCA highlight that systems and controls need to keep up with increasing sophistication from criminal groups and the impact of AI as it becomes more widespread. The FCA's case study promotes firms using behavioural biometrics to tackle APP fraud. We note that better fraud prevention measures are also what the PSR's new reimbursement rules are driving at.

• Collaboration: firms should work across sectors to address all weaknesses in the system. By the FCA working collaboratively with Big Tech firms to only permit 'paid for ads' for financial services, recognised investment fraud dropped significantly in 2023. The FCA expects intelligence sharing between PSPs to increase when Pay.UK and UK Finance's Enhanced Fraud Data system is implemented (indicated by the FCA to be in 2024).

• Consumer awareness: the FCA recognises that investments in preventing unauthorised fraud by firms has had a significant impact and the focus now needs to be on reducing the volume of APP fraud. Educating and supporting consumers to spot signs of fraud is regarded as vital by the FCA.

• Metrics: understanding the impact fraud prevention measures are having is key to understanding effectiveness. Being transparent about the outcomes of fraud prevention measures should increase consumer confidence in these measures. The FCA expects the PSR's reimbursement rules will drive innovation in anti-fraud measures, as well as result in firms being more focused on outcomes and better at data collection.

Bank of England's proposals to enhance Real Time Gross Settlement system

The BoE is seeking feedback on access to the Real Time Gross Settlement ("RTGS") system and is proposing enhancements in four areas. Through these enhancements the BoE wants to drive innovation, increase access to central bank money settlement and improve the environment for cross-border payments - in line with the G20 roadmap. The enhancements continue the BoE's efforts to support innovation and promote competition. The BoE considers itself to be in a strong position currently as (i) the RTGS system is in the final stages of being renewed to improve resilience, access, interoperability and user functionality, (ii) the RTGS was expanded to non-bank payment service providers ("NBPSPs") in 2017 and (iii) omnibus accounts have been supported since 2021. The four priority areas are:

1. Enhancing the BoE /FCA process for consideration of NBPSPs seeking access: the supervisory assessment that has been in place since 2017 has resulted in several NBPSPs being onboarded. The proposed changes require firms to be authorised and carrying on regulated activities for at least nine months. Furthermore, the FCA will require a s166 assessment ahead of providing a non-objection to the firm's RTGS access and firms that receive access will be considered for enhanced supervision by the FCA. The intention is that the assessment will be more focused and efficient.

2. Understanding demand of foreign banks for access to RTGS to support payment system settlement: the BoE has indicated why it thinks foreign banks do not pursue direct access and is asking stakeholders for views. Reasons include, costs, valuable relationships with sponsors and software developments that may lower costs to comply with technical requirements in the future.

3. Clarifying requirements for Financial Markets Infrastructures (FMIs) to access RTGS: FMIs that apply have different business models, settlement models and are at different stages of maturity. Publishing requirements and expectations should help to streamline the process. The BoE is also considering introducing a discretionary mobilisation stage for FMIs that are start-ups or less mature firms.

4. Reviewing the CHAPS value threshold: CHAPS is highly tiered with 38 direct participants and several thousand indirect participants. The BoE has identified the risks and benefits it sees with changing the 2% threshold and is undertaking further analysis. To inform this analysis, it would like feedback from industry stakeholders.

The BoE's discussion paper demonstrates a commitment to balancing greater access to RTGS against the risks of providing access to payments firms that are not operationally and financially sound. To help it find this balance it would like to hear from a broad range of stakeholders. The deadline for responses is 30 April 2024 and the BoE aims to publish a response within 12 months.

News Flash

• Capital One to acquire Discover Financial uniting two of the US's largest credit card companies. The deal must be approved by antitrust regulators and is expected to close in late 2024 or early 2025.

• The Council of the EU and European Parliament representatives had reached agreement on Frankfurt as the seat for the new Anti-Money Laundering Authority who will take a unified lead in the prevention of financial crime across the EU.

• EMI Nvayo has lost its battle in the Upper Tribunal against the imposition of almost total restrictions by the FCA. The judgment itself makes interesting reading and highlights the importance of ensuring proper systems and controls around AML and KYC, as well as the lack of stability that EMIs face regarding the provision of their safeguarding accounts (Nvayo contended that almost all of its safeguarding accounts had been closed by its banking partners as a result of the matters under investigation by the FCA).

• The government has responded to the Law Commission's review of the SARs regime, across all 19 recommendations.

• The FSB has criticised the FCA's access to cash proposals (covered in Payments View), calling them "unambitious"

• UK fintech investment was down 34% in 2023 and, disregarding 2020 as an outlier year, means that UK fintech investment in 2023 is at its lowest levels since 2017.

• Responses for the FCA's stablecoin paper closed this month - do let us know if you'd like to discuss our views.

• Pay.UK published their response to the PSR's call for views on VRPs and the PSR have published a short thought piece on making VRPs a reality

Paysafe have published their Future of Payments trends report.