Payments View – September 2024

After the bumper Summer edition of Payments View, this was expected to be an APP scam focused update. That was until the FCA dropped CP24/20 which proposes fundamental changes to the UK safeguarding regime – so while this edition is short on length it’s long on impact for the payments sector...

This edition also covers:

• Overhaul of the safeguarding regime
• Countdown to APP scam rules
• Update on FCA’s proposals for more public enforcement
• Open Banking implementation roadmap – “full completion” confirmed by CMA
• Expansion of VRPs – PSR proposals confirmed
• Why payments firms should pay attention to DORA
• Consumer Duty good and bad practices update

As always, don’t hesitate to reach out to us if you would like to discuss any of the developments in this edition.

Overhaul of the safeguarding regime

The FCA has published Consultation Paper CP24/20 which proposes wholesale changes to the way in which payment and e-money firms safeguard relevant funds, with the aim of bolstering ‘consumer’ protection. Industry has been expecting the consultation following the FCA’s engagement over the last year or so.

The background to the proposals highlights the increasing use and reliance on non-bank providers of payment services, and the apparent need for more robust safeguarding practices across the sector. The FCA sees this as particularly crucial given past shortcomings of the identified safeguarding practices, as highlighted in the FCA's 2023 portfolio letter, which expose customers to significant risks. The proposed changes are structured in two phases:

• an interim phase – focusing on increasing compliance and reporting under the current regime; and
• a final end-state – with the most significant change (amongst many others) being the proposal to impose a statutory trust on relevant funds. This shift - contrary to the current position post-Ipagoo - which the FCA has long believed should exist, will bolster the legal segregation of client funds and afford greater protection against competing claims from general creditors during insolvency.

The interim phase, preceding the full implementation of a statutory trust, focuses on bolstering existing safeguarding practices by firms by enhancing record-keeping and reconciliation procedures. This includes mandatory preparation of a resolution pack and a new monthly regulatory return. Beyond these, firms will also be required to implement additional safeguards when investing in secure liquid assets, as well as considering the diversification of providers (including safeguarding banks).

The end-state focuses on changes based on the current CASS-style regime and which will have significant structural changes for many firms - the FCA proposes implementing prescriptive rules for receiving relevant funds, including requiring direct receipt into designated safeguarding accounts in all circumstances as well as bringing agents and distributors under closer scrutiny which will require the use of ‘own funds’ by firms when meeting their safeguarding obligations.

There are a large number of other changes that firms will need to consider (with multiple new sections of the FCA handbook). Adapting to these rules will be a significant project for firms. We’ll be reaching out over the next few months to help unpick the proposals and what they mean in practice.

The FCA is seeking feedback on this consultation paper, with a deadline of 17 December 2024. In terms of timing, we can expect a final policy statement in the first half of next year, with the interim phase coming into force after 6 months and the end-state coming into force after a year.

Countdown to APP scam rules

We don’t need to remind anyone in the payment’s world of the incoming rules on APP scams - despite mounting concerns about the impact they will have on the industry the rules requiring the reimbursement of eligible APP scams over FPS and CHAPs are, at time of writing, still coming into effect next week.

While many firms are well on their way to finalising approaches to the regime’s new requirements (or have scoped themselves out entirely), the PSR and Pay.uk have been equally busy in refusing to engage with industry and finalising key elements of the regime, namely:

• The PSR’s policy statement (and most pertinently further guidance) on the identification of APP scams compared to civil disputes – here our main observation is that the guidance makes clear that every assessment is likely going to turn on the facts of the alleged scam, with a broad swathe of information suggested as relevant in any determination by the PSR.
• The PSR’s recent announcement that the maximum level or reimbursement for faster payments is £85,000 – this is not really a concession given the PSR believe this will still allow for 99% of APP claims to be covered and point out that any shortfall can potentially be recovered through a FOS claim.
• The FCA’s guidance consultation on APP fraud and enabling a risk-based approach to payment processing (GC24/5) and where the proposal will allow PSPs to delay processing outbound payment transactions to them to adopt a “risk-based approach” to preventing APP fraud from the current ‘D+1’ requirement to a maximum time of 4 business days.

Beyond these direct updates we also wanted to flag the following updates from both:

• The FCA - with speeches on both frameworks for effective fraud prevention measures and their outcomes-based approach to tackling financial crime.
• The FOS - on the more general topic of firms' approach to responding to complaints including what firms could be doing better, or differently, when responding.

We are speaking with a large number of clients on the regime so do let us know if you’d also like to discuss.

Update on FCA’s proposals for more public enforcement

It seems an age since the Spring when the financial services industry, practitioners, media and even senior politicians commented on (and had concerns about) the FCA’s proposals to make public the details of their enforcement investigations. If you’d like a refresher on the FCA’s position in March, our webinar with Therese Chambers is available on demand.

Therese recently gave a speech at the AFME Annual European Compliance and Legal Conference which is interesting in a number of respects, but particularly for the update in relation to CP24/2.

This began by reiterating the reasons for the FCA’s desire to be more transparent about its investigations. So far, so familiar. There was, however, an update on next steps, with the FCA having reviewed more than 130 responses to CP24/2(!). Key takeaways:

• Unsurprisingly, it seems likely that the FCA will proceed with some version of the proposals set out in CP24/2.
• The FCA is not proposing a “sudden switch” to a world in which all investigations are announced and has heard “loud and clear” that “the criteria we consulted on were too high level and lacked specificity”.
• The FCA will consider the potential impact of announcement on the firm and the market. This is a noteworthy shift from the initial proposal in CP24/2, which expressly did not consider the impact on firms.
• This Autumn, the FCA will “intensify” its external engagement and will meet with “trade associations, firms, those on all sides of the debate”.
• It seems that this engagement will have two key substantive areas of focus:
  • Developing a more defined public interest test. The FCA intends to provide more detail on how that could work in practice, including by publishing case studies “examining how the criteria might apply and what announcements could look like” as well as “more information on the numbers of cases that might be affected”.
  • Giving firms more time to “provide their views on whether, what and when” the FCA makes an announcement. How this would look in practice remains to be seen, but one can see that a test similar to that for Warning Notice Statements might be something the FCA has in mind.

The speech concluded by noting that the FCA considers the case for greater transparency remains strong but that (in our view softening the FCA’s approach) “it needs to be seen within the vital context of a focused number of cases likely to deliver the greatest deterrence, and deliver much faster.”

Open Banking implementation roadmap – “full completion” confirmed by CMA

The next phase of Open Banking in the UK has been under discussion between the various regulatory bodies involved. By way of an update, OBL (Open Banking Limited) has published a letter on the “remaining Roadmap items”.

Aside from making the point that implementation has taken longer than anticipated, the letter notes that, as the CMA has now determined the Roadmap to be complete, OBL will continue to fulfil its obligations under the Order, including:

• monitoring of standards conformance, performance and availability, and enforcement where necessary;
• maintenance of the standards; and
• making the standards widely available through reasonable promotion of Open Banking in the retail banking markets including support for industry adoption.

The development of Open Banking beyond the scope of the original CMA Order is being taken forward by the Joint Regulatory Oversight Committee (the work of whom we’ve updated on previously).

Expansion of VRPs – PSR proposals confirmed

Another key initiative we’ve seen from the UK regulators on opening up new payment functionality within the UK eco-system has been the drive for a development of variable recurring payments (VRPs). The PSR has recently published a response to its consultation paper (CP23/12) on expanding VRPs into new use cases, through a "phase 1" roll-out that would initially enable VRPs for payments to regulated financial services, regulated utilities sectors and local and central government.

From the response, it appears that pricing structures around any VRPs remain a contentious point across stakeholders and industry, but the PSR does continue to believe that a multilateral agreement may be an efficient way of managing relationships between involved firms (noting that there are also questions over who could operate such a system). A point which jumped out to us was that (based on the PSR’s belief that wide-spread support for VRPs will be essential in any effective development), the PSR will continue to consider whether mandated participation is necessary, and how to identify firms it might mandate.

Why payments firms should pay attention to DORA

Whilst many firms will be aware, we wanted to flag that firms doing business in Europe will want to the Digital Operational Resilience Act (“DORA”) on their radar. DORA is a pivotal piece of legislation for the financial sector within the European Union, designed to bolster the operational resilience of financial entities against Information and Communication Technology (“ICT”) disruptions and is intended to ensure that financial entities can withstand and recover from ICT disruptions. The Act entered into force on 16 January 2024 and will apply in full from 17 January 2025.

It's important for payments firms to be aware of their obligations as the penalties under DORA are substantial and aim to ensure compliance by imposing daily fines. Organisations found to be noncompliant by the relevant regulatory authority could face a periodic penalty payment of 1% of their average daily global turnover from the previous year, for a duration of up to six months, until they achieve compliance. The criteria for determining when compliance has been “achieved” remains unclear, raising questions about how this penalty system will integrate with other financial compliance frameworks.

Financial entities, are obligated to create a robust ICT risk management framework. This involves identifying, categorising, and documenting ICT-related business activities, alongside managing ICT incidents. They are also expected to develop information security policies, incident detection systems, ICT business continuity plans, backup solutions, and plans for managing and communicating about ICT incidents. Financial entities must also provide ICT training for their employees as well as carrying out periodic testing of key ICT systems and applications including, in particular, threat led penetration testing.

Consumer Duty – update on good and bad practices

The FCA continues to demonstrate that compliance with the Consumer Duty is a key, ongoing focus with the latest update covering insights from the first year of the implementation of the price and value outcome which is intended to help firms improve the way they think about fair value assessments.

In this, the FCA’s key messages to firms are that:

• Outcomes of the Consumer Duty should be considered holistically
• Effectively identifying target markets helps in assessing impacts on different customers
• An analysis of cross-subsidies, where relevant in a firm's business model, can be helpful in identifying where different consumer groups may be at risk of not receiving fair value
• Evidence is vital in fair value assessments, but firms should be proportionate in their approach
• Prompt action should be identified and taken if fair value assessments show consumers are at risk of not receiving fair value

While this update is quite consciously broad (although focusing primarily on cash savings, GAP insurance and platform cash), it is a helpful insight into the scope of the FCA’s expectations and the practices identified – good and bad – may be useful counterpoints to firms’ board reports produced in July.