Payments View March 2024

Spare a thought this March for the civil servants of HM Treasury who have, purely going by the contents of this edition of Payments View, worn their fingers down to the bone with the policy notes, draft SIs, consultation papers and more published this month. The result is an interesting mix of innovation in some areas and an entrenchment in others. Covered in this edition of Payments View is:

• Longer settlement time to be allowed for suspected APP scams
• Draft SI published on PSP contract termination changes
• Six month deadline for Annex 1 firms' AML review
• 'FCA not focused on technical breaches of Consumer Duty nor acting retrospectively on motor finance'
• FCA to review firms' treatment of customers in vulnerable circumstances
• FCA scrutiny of growing demand for personal guarantees for small business loans (including loans to corporates)
• Greater 'risk-based approach' to be required under UK MLRs
• HMT proposes 'National Payments Vision'
• MLD4 high-risk jurisdiction list reduced
• Ireland Update - new priorities for payments strategy

Before we start, as reported last month the draft texts for PSD3 (the proposed directive on payment and e-money services) and the PSR (the proposed regulation on payment services) have been adopted. The legislative proposals have been followed by the ECON reports on the texts, which include the adopted legislative texts. For those firms who will need to be keeping an eye on the detail, do let us know if you would like to have a chat about our PSD3 Rulebook - a complete, evolving guide to the massive payments and e-money changes proposed by PSD3 and PSR.

As always, don't hesitate to reach out to us if you would like to discuss any of the developments in this edition.

Longer settlement time to be allowed for suspected APP scams

In response to growing concerns (both from industry and the regulators) over the difficulty in balancing the increasing anti-fraud requirements imposed on payment service providers ("PSPs") with the speed of modern payment systems, changes are being proposed to the D+1 settlement requirement under the PSRs.

HM Treasury ("HMT") has published a Policy Note and draft SI that will allow PSPs to delay the execution of outbound Authorised Push Payment transactions in Sterling by up to four business days where there are 'reasonable grounds' to suspect a payment order from a payer has been placed subsequent to fraud or dishonesty perpetrated by someone else.

HMT welcomes technical comments on the draft SI until 12 April 2024 and intends to lay the instrument before Parliament in the summer. HMT has "accelerated the legislative process" (presumably to address the wider concerns with the mandatory APP scam reimbursement requirement) and is aiming for the rules to take effect at the same time as the reimbursement requirement on 7 October 2024. There will not be any changes made to inbound payments as Receiving PSPs may already delay inbound payments under financial crime legislation therefore HMT does not consider that legislative change is required.

The Policy Note also confirms that the FCA will engage with PSPs over reporting requirements in respect of compliance with the new provisions - details presumably TBC.

Draft SI published on PSP contract termination changes

You know the old saying, 'HMT giveth to UK PSPs (covered above, in the form of a relaxation of the D+1 settlement times) and HMT taketh away (here, with confirmation of increasing the requirements on PSPs terminating a contract for payment services).'

Whilst these proposals have already been widely publicised, HMT has now published its Policy Note and draft SI on a greater 'risk-based approach' to the provision of payment services. The key points remain:

• The notice period for a PSP to terminate a framework contract of an indefinite period will increase from at least two months' to 90 days' notice.

• PSPs must give a "sufficiently detailed and specific explanation" to ensure customers understand the reasons for termination. The information to be provided is not prescribed and it may be acceptable for PSPs to utilise reason codes if the information provided under the reason code is detailed and specific.

• There are limited exceptions where the new requirements will not apply because the PSP may be subject to conflicting legal obligations, including legal obligations related to financial crime.

Interesting changes include:

• The Policy Note gives more colour on the lengths to which PSPs will need to go to give a suitable reason - for example, referring to a breach of an Acceptable Use Policy "without referring to which element of the policy has been breached and why" would be viewed as insufficient for the customer to understand why their contract is being terminated.

• The corporate opt-out will be available but otherwise there is a prohibition on contracting out of the new termination requirements.

• Even where an exception applies, PSPs should consider whether they are still able to apply the notice and reason requirements in full or in part.

• The requirements will apply to all PSPs and framework contracts concluded on or after the date that the changes are brought into effect. Nevertheless, and slightly counterintuitively, although the requirements will not apply retrospectively, HMT expects all users of PSPs "to be treated fairly in a contract termination scenario, which also accords with the FCA's Consumer Duty, as it applies to the closure of customers' accounts".

HMT is inviting technical comments on the draft SI by 14 April 2024 and intends to lay the legislation before Parliament this summer.

We expect the changes to take effect shortly after the legislation is passed so PSPs should be thinking about building and amending processes to manage the impact. In particular:

• Drafting the amendments to customer onboarding documentation;

• Confirming whether the requirement for information to be sufficiently detailed and specific would be met by current processes or whether enhancements should be made; and

• Assessing how the exceptions will be monitored and applied through existing processes.

We expect that the steps taken for implementing the Consumer Duty and the publicity 'de-banking' has had in recent months will mean that at least some of the thinking has been done and some enhancements already made. We would be interested in discussing the impact of these regulations with you and assisting with navigating the cross-over between these changes, the Consumer Duty and the new APP fraud reimbursement requirement.

Six month deadline for Annex 1 firms' AML review

The FCA has sent a clear shot across the bow by writing to CEOs of Annex 1 firms about serious concerns over AML compliance. The Dear CEO letter notes that initial findings from the FCA's recent data-led review of a sample of Annex 1 firms has indicated to them that some firms "are still not getting the basics right". Particularly concerning for the FCA was where sample firms demonstrated:

• Discrepancies between firms' registered and actual activities.  
• Financial crime controls which had not kept pace with business growth.
• A failure to risk assess their own or their customers' activities properly.
• Inadequate resourcing and oversight of financial crime issues and requirements. 

The FCA has made clear that all Annex 1 firms should assess their financial crime controls against the common weaknesses within the next 6 months with prompt action required to redress any gaps identified and the potential for enforcement action by the FCA already on the cards if they do not.

Whilst this letter is only directed to Annex 1 firms, we understand that a number of wider firms in the payments space are using this letter (being a clear indication of the regulator's current focus) as a useful prompt to review their own systems and controls. We'd be very happy to have a chat on the content of the letter if useful.

'FCA not focused on technical breaches of Consumer Duty nor acting retrospectively on motor finance'

Nikhil Rathi has given a speech addressing the FCA's recent regulatory approach - particularly on its high profile consumer protection measures of the Consumer Duty and motor finance. Here, he stressed that the regulator's focus was to deliver for "consumers, markets and competitiveness" as part of the FCA's shift to outcomes-focused regulation.

Most notably for firms, on the Consumer Duty he explained that the FCA is not "setting out to trip firms up by going after technical breaches of the duty" and is focused on the greatest harms - cash savings markets, both in the largest banks and on platforms, insurance products such as premium finance and GAP insurance. As part of this the FCA "looks favourably on firms taking reasonable steps to identify and proactively address concerns, even if mistakes are made".

On motor finance, the FCA says that their actions are not retrospective but that it is aiming to act proactively and thoroughly understand the problem (five years after their first consultation paper on the now banned commission models). Next steps have been telegraphed for the end of September with, more broadly in 2024, guidance being developed for firms covering the FCA's expectations about dealing with identified redress issues more quickly and effectively.

FCA to review firms' treatment of customers in vulnerable circumstances

The FCA has announced that it will be conducting a review into how firms are acting to understand and respond to the needs of vulnerable customers. The FCA made a commitment to undertake market research into the experience of vulnerable customers and their treatment by firms in FS21/4 in order to evaluate the actions taken by firms and whether these have resulted in improvements in the outcomes for vulnerable customers.

The review will consider whether firms are acting to deliver good outcomes for all customers, including those with characteristics of vulnerability and will focus on: (i) firms' understanding of consumer needs, the skills and capability of staff, product and service design, communications and customer service, and whether these support the fair treatment of customers in vulnerable circumstances; and (ii) the outcomes consumers in vulnerable circumstances receive and whether they are as good as the outcomes of other consumers.

The FCA's work will be comprised of consumer research as well as information gathering from firms and consumer representatives, with findings intended to be shared by the end of 2024. It isn't yet clear which firms the FCA will focus on.

This announcement is perhaps not surprising given the FCA's focus on vulnerable customers in its February 2024 examples of good practice and areas for improvement which set out a number of weaknesses that the FCA had identified, including firms failing to track vulnerable customers across multiple product sets, failing to prioritise identification of and support for vulnerable customers and automatically assessing all consumers over a certain age as vulnerable. The output of this review will be interesting given that this is the FCA's first deep-dive into this topic in a Consumer Duty world.

Consumer Credit Corner: FCA scrutiny of growing demand for personal guarantees for small business loans (including loans to corporates)

The FCA has published its response to the Federation of Small Businesses' ("FSB") super-complaint about lenders requiring personal guarantees for business loans to SMEs. The super-complaint was the first of its kind made under section 234C FSMA which gives certain consumer bodies the right to make a "super complaint" where there is a feature or combination of features of a market which is, or may, be significantly damaging the interests of consumers.

Lending to small businesses is typically exempt from the consumer credit regime and is not licensed on the basis that either (1) the business is a corporate; or (2) the business exemption can be relied on for lending above £25,000. However, personal guarantees are increasingly required to support lending facilities.

The FSB requested the FCA to:

• Investigate the scale of lenders requesting personal guarantees;

• Consider asking HMT to bring personal guarantees given by directors and shareholders of limited companies borrowing up to £25,000 into the consumer regime applied to regulated lending.  Strikingly the FSB argued that the market approach to personal guarantees for corporate loans had effectively removed the ability of shareholders and directors to achieve limited liability, with resulting harm to individuals and the wider economy; and

• Consider reviewing the rules in its Consumer Credit Sourcebook (CONC) around guarantees (of regulated loans) to make sure guarantor's receive information during the guarantee period and that they understand the ongoing obligation and how events (e.g. divorce and exit from the board or shareholder register) may affect this.

Where lending is within its remit the FCA proposes to survey lenders to understand the scale of personal guarantees being put in place for SME lending, reviewing relevant Ombudsman decisions, and examining firm policies and procedures to understand lenders' approach to personal guarantees. Further supervisory work and engagement with HMT may follow.  Guarantees being required of limited company directors were found to fall outside the FCA's remit, but the FCA proposes to share findings of harm with governmental and other bodies/committees and this could potentially influence policy on SME lending and on the reform of the Consumer Credit Act 1974.

Greater 'risk-based approach' to be required under UK MLRs

HMT has published an interesting consultation on improving the effectiveness of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (the "MLRs"), with potentially substantial changes hinted at.

The proposals appear to be a deliberate move by HMT towards a wider application of a 'risk-based approach' in respect of customer due diligence and a proposed loosening of some of the mandatory CDD requirements which are currently in place - primarily around how firms conduct CDD and the levels of CDD required (with more discretion on the part of firms to decide when to apply standard DD or enhanced DD). This is accompanied by a wider intention to provide greater supervisory support and to align with wider government thinking on fraud prevention.

The consultation itself is an interesting read, particularly the direction taken by HMT on the government's 'keenness' to "reduce any ambiguities in the [MLR] requirements which could result in over-compliance or inconsistent application" of the regime. Specifically, HMT proposes that:

• The CDD triggers are to be re-examined, specifically on whether they are "sufficiently clear and easy to apply, particularly as they relate to non-financial sectors" and that there is the potential for amendments to the regime which would apply (seemingly less restrictive) sector-specific triggers to certain financial thresholds.

• The current scope of 'business relationship' and 'acting on behalf of' could be made more limited, capturing fewer firms.

• Additional guidance relating to digital identity verification is considered with a view to empowering the industry and increasing market confidence in digital identity as a means of verifying customer identity.

• The changes could result in a potential narrowing of the requirement for EDD across the board in respect of specific industry indicators, making specific allowances for the complexities of certain industries (with EDD moving from applying to 'complex transactions' to 'unusually complex transactions'), and potentially entirely removing the requirement to regard PEPs as automatically being subject to EDD. The latter being in line with the FCA's ongoing review of its guidance on PEPs, with revised guidance potentially coming on that front by 29 June 2024.

• There is the potential for a substantial expansion of the customer risk factors that permit SDD - including if there is any sort of regulatory, professional conduct or certain other forms of governmental oversight of the customer and/or source of funds; and

• Aligned with the Economic Crime and Corporate Transparency Act 2023, the new rules will require Companies House to take a more substantive role in tackling economic crime - particularly in respect of information sharing and engagement with enforcement agencies.

Notably, the consultation in many places seeks more generalised feedback from respondents, rather than seeking feedback on specific proposed changes. Accordingly, there is scope for a wider range of outcomes from the consultation process, depending upon the feedback HMT receives.

The consultation closes on 9 June 2024 and HMT's response could be a significant change in the application of the MLRs to firms, as well as their internal compliance processes. In many respects the changes suggest the opportunity for a more nuanced AML/CTF regime in the UK (noting that a number of specific FATF and international requirements will be challenging for HMT to alter too dramatically). That being said, more broadly the proposals to potentially scale back the mandatory CDD requirements of firms could also sit oddly with the FCA's ongoing work on strengthening AML controls and the PSR's anti-fraud steps in respect of APP fraud.

In parallel with this consultation, HMT is running a survey on the cost of compliance with the MLRs. You can see and respond to the survey at the Cost of compliance with the Money Laundering Regulations - survey for regulated businesses.

HMT proposes 'National Payments Vision'

As we're sure you would agree, the highlight of the summer of 2023 wasn't the weather, sports or holidays one might have had, but rather the 108 page Future of Payments Review. Remembering these halcyon days (and responding formally to its key finding that the UK's payments landscape is congested and would benefit from a clear overall strategy) HMT has confirmed that it will indeed be accepting one of its recommendations and will be publishing a National Payments Vision later this year.

We look forward to seeing what this vision entails and hope that elements of the ten other recommendations from the Future of Payments Review continue to be considered by government.

MLD4 high-risk jurisdiction list reduced

A quick update on European changes to MLD4, in that the European Commission has adopted a Delegated Regulation to revise the list of high-risk third countries with strategic deficiencies in anti-money laundering and counter-terrorist financing. This change updates Delegated Regulation (EU) 2016/1675, which identifies countries with AML/CTF weaknesses that pose risks to the EU's financial system with key changes being:

• The removal of Barbados, Gibraltar, Panama, Uganda, and the United Arab Emirates from the list, acknowledging improvements in their AML/CTF regimes, but
• Adding Kenya and Namibia to the list due to identified strategic deficiencies.

The Delegated Regulation will be submitted to the Council of the EU and the European Parliament. If there are no objections, it will become effective 20 days after publication in the Official Journal of the EU - presumably later this year.

Ireland Update - new priorities for payments strategy

Readers tracking payments developments in Ireland may be interested in reviewing the new National Payments Strategy, which seeks to set out a roadmap for the future evolution of the entire payments system, taking account of developments in digital payments, cash usage and how future changes should be made regarding access to cash to ensure an innovative, inclusive and resilient payments ecosystem. The CBI's response to the strategy includes four overarching High-Level Priorities as proposed focus areas through to the end of 2030, being:

1. Coordinated action to realise the benefits of innovation and integration in a European context with the National Payments Strategy aiming to act as a vehicle for driving effective implementation of policy initiatives at EU level. This will particularly focus on those initiatives that aid the development of account-to-account payment solutions.

2. Protecting cash as a means of payment where this choice should be protected for consumers and businesses. The CBI proposes that any future reductions in the cash infrastructure provided by the private sector do not outpace society's needs.

3. Maintaining security and resilience of payments. Here the CBI aligns with the stability/anti-fraud focus of other UK and EU regulators, setting out the National Payments Strategy as an opportunity to put in place initiatives that strengthen measures to prevent fraud, safeguard resilience of individual institutions and strengthen the resilience of the overall payments system, including through system-wide contingency planning.

4. Enhancing data and analytical insights with evidence-based policy making using data and analysis being deemed as critical to driving informed policy decisions.

News Flash

• The FCA has published their 2024/25 business plan setting out their focus for the final year of their three year strategy. This is interesting reading for firms looking to chart the interests of the regulator and their current thirteen public commitments of which the FCA has specifically flagged (1) Reducing and preventing financial crime; (2) Putting consumers' needs first; and (3) Strengthening the UK's position in global wholesale markets.

• The Wolfsberg Group has published a statement on countering terrorist financing.

• The PRA has published a press release announcing that it will launch the new PRA Rulebook website on 10 April 2024.

• UK digital wallets are set to comprise half of all e-commerce spend and nearly a third of POS transaction value by 2027, according to a report from Worldpay.

• The British Business Bank has announced its Northern Powerhouse Investment Fund II providing a £660m fund to small businesses in the North of England.

• HMT published "Building a Smarter Financial Services Regulatory Framework: Next Phase" and revealed it will focus on the following retained EU law next: MiFID, the UCITS Directive, EMIR and AIFMD. To help stakeholders keep track of developments, HMT will use existing communication platforms, such as the Regulatory Initiatives Grid, and the HMT Smarter Regulatory Framework webpage, which contains links to the latest policy papers and SIs which have been published in draft for technical feedback.