UK Finance Industry Guidance on Strong Customer Authentication under PSD2

 

One of the major aims of PSD2 is to reduce fraud in electronic payments. One of the core measures to achieve this aim is the requirement in Article 97 PSD2 (regulation 100, Payment Services Regulations 2017), which mandates the application of strong customer authentication (SCA) in specified scenarios. Article 97 PSD2 has been implemented in the UK through the PSRs 2017 and regulation 100 in particular. There are some very slight differences of wording (for example, the UK PSRs 2017 refer to “user” rather than “payer”), but these do not affect the substantive aspects of the requirements; rather, they make them clearer and more accurate.

 

Funds Transfer Regulation – ‘How to’ interpretative guidance

 

In 2015 the updated Funds Transfer Regulation (FTR) (also known as the Wire Transfer Regulation) was published. In 2017, the Council of the European Supervisory Authorities (ESAs) published their guidance for the FTR, with an implementation date of 16 July 2018. UK Finance engaged with its members on the issue of interpretation and compliance. It was clear that there were a number of areas where firms felt that there could be more clarity for the market.

There were also areas where firms were taking different approaches to implementing the FTR requirements. This led to a lack of harmonisation that increased the volume of stopped and rejected payments, and led to inconsistent treatment.

 

Payment Services Directive 2 and Open Banking

 

What is the Second Payment Services Directive (PSD2)?

The Second Payment Services Directive (PSD2) is a fundamental piece of payments-related legislation in Europe, which entered into force in January 2016. PSD2 is the product of a review of the original Payment Services Directive and requires payment service providers (PSPs) to make a significant number of changes to existing operations. The Directive requires that all Member States implement these rules as national law by 13 January 2018, with the exception of certain rules around strong customer authentication and secure communication, implementation of which will run to a different timetable.

PSD2 is a significant evolution of existing regulation for the payments industry. It aims to increase competition in an already competitive payments industry, bring into scope new types of payment services, enhance customer protection and security and extend the reach of the Directive.


Why is PSD2 important?

PSD2 is an important step towards a Digital Single Market in Europe, which aims to make the EU’s single market fit for the digital age. The new measures will also ensure that all PSPs active in the EU are subject to supervision and appropriate rules. There will be wide-reaching implications for a range of parties including banks, other PSPs, FinTechs and customers.


What changes does PSD2 make?

PSD2 will set out a common legal framework for businesses and consumers when making and receiving payments within the European Economic Area (EEA) – which comprises the 28 European Union Member States plus Norway, Iceland and Liechtenstein – and outside the EEA.

The PSD2 text makes it clear that customers have a right to use what are termed Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs) where the payment account is accessible online and where they have given their explicit consent. These changes reflect the market growth in e-commerce activities and use of internet and mobile payments as well as the rise of new technological developments and a trend towards customers having relationships with multiple account providers. This will make internet and mobile payments easier and help customers to manage their accounts and make better comparisons of deals.

The other key changes introduced by PSD2 can be grouped into four main but overlapping themes: market efficiency and integration; consumer protection; competition and choice; and security. Some more specific changes include:

  • Extension of scope to all currencies and one-leg payment transactions
  • Changes to the scope of the exclusions
  • Passporting, authorisation rules and supervision of payment institutions
  • Consumer protection
  • New providers and new payment services
  • Operational and security risk management and incident reporting
  • Requirements for strong customer authentication and secure communication


What are the timelines?

PSD2 must be transposed into national law by Member States by 13 January 2018, which means that the majority of the legal provisions will apply from that date.

However, PSD2 empowers the European Banking Authority (EBA) to develop a number of guidelines and technical standards, including a mandate (under Article 98) to deliver regulatory technical standards (RTS) on strong customer authentication and secure communication, implementation of which will run to a different timetable.


Where is UK Finance involved?

PSD2 is a major piece of legislation for the UK and it is important that it is considered alongside all the other regulatory and strategic initiatives in play. Many of the requirements and changes in the evolving landscape interrelate; the end result needs to be an efficient, competitive and safe payments market for customers and PSPs alike. UK Finance is well placed to support the industry as it embarks on the implementation of PSD2.

UK Finance will continue to lead the critical work to ensure a coordinated approach to implementing PSD2 requirements and to secure the best outcomes for UK customers and the market. This is being achieved by working closely with our members, the wider industry and key stakeholders – both domestically and across Europe.


Background to Open Banking

In August 2016, the Competition and Markets Authority (CMA) published the final report for its retail banking Market Investigation. The CMA has set out a package of remedies aimed at increasing innovation and improving competition.

This included a requirement for the nine largest current account providers to make available to authorised third parties:

  • Standardised product and reference data (by 31 March 2017);
  • With customer consent, secure access to specific current accounts in order to read the transaction data and initiate payments (by January 2018).

This information will be shared through an open Application Programming Interface (API) framework which will prioritise customer protection. The Open Banking Implementation Entity will develop API Standards allowing two different pieces of software from different financial institutions to interact and exchange data.


What is Open Banking?

The introduction of ‘open banking’ in the UK will transform banking as we know it. Customers will have the option to share information about how they operate their bank account with organisations that will work to deliver an enhanced banking experience, for example by offering comparison and switching services to help customers identify the best financial products for them.

 

For more information please see:

  • Card terminal security and accessibility
  • UK Finance, EMA, FDATA and techUK publish voluntary guidelines for PSD2 to help better protect customers
  • Open Banking and PSD2: the lowdown
