The UK Financial Conduct Authority (FCA) has released Consultation Paper CP 18/25 (the Paper, available here) which provides guidance on the Regulatory Technical Standards on Strong Customer Authentication and Common and Secure Communication (RTS) issued under the second Payment Services Directive (PSD2).
The Paper focuses on the two key sets of rules under the RTS:
1. On strong customer authentication (SCA) and
2. On secure and open means of communication (generally referred to as "open banking" or "TPPs getting access to payment accounts").
Each is considered below in more detail.
1. What is SCA and what does the Paper say about it?
Under PSD2, SCA requires payment service providers (PSPs) to authenticate customers by using at least two 'factors'. These factors are knowledge (e.g. a password), inherence (something inherent to the customer, e.g. a fingerprint) and/or possession (e.g. possession of a token generator). The RTS further specify the requirements of SCA and the scenarios under which certain transactions can be exempted from SCA.
The Paper consults on a new chapter 20 concerning SCA to be added to the FCA's Payment Services and E-Money Approach Document (Approach Document). This new chapter generally follows the RTS and the Opinion on the implementation of the RTS issued by the European Banking Authority (EBA) last June and includes the following clarifications (amongst others):
2. What does the Paper say about secure and open means of communication?
One of the key changes under PSD2 is the opening up of payment accounts, typically maintained by banks, to AISPs and PISPs (known collectively as Third Party Providers (TPPs)). The RTS require so-called Account Servicing Payment Service Provider (ASPSPs), essentially banks, to provide TPPs with access to a technical method allowing them to communicate with the ASPSP, either to obtain details of the payment account and/or to initiate a payment from that account. Access must be provided in line with the RTS by 14 September 2019.
As with SCA, the paper incorporates into its Approach Document most of the requirements from the RTS and guidance from the EBA opinion. The Paper details requirements relating to the use of qualified certificates, the daily access restrictions applying to AISPs, and other technical requirements.
It confirms the ability of Account Information Service Providers (AISP) and Payment Initiation Service Providers (PISP) to rely upon the SCA of the relevant bank, and that a nSCA based on the so-called "redirection" model does not create an obstacle per se, and is therefore not illegal per se.
The FCA follows the view expressed in the EBA Opinion that a PISP is entitled to a "yes" or "no" in terms of whether sufficient funds are available, which is not expressly provided for in PSD2 (only card-based payment instrument issuers (CBPIIs) or "decoupled card issuers" are entitled to this information pursuant to PSD2).
One of the more substantial points that the Paper considers is the exemption from the contingency mechanism or "fallback". The contingency mechanism requires ASPSPs offering a "dedicated interface" (typically referred to as an API) to provide a backup interface to its infrastructure for use by AISPs and PISPs in case the dedicated interface fails. ASPSPs are exempt from this requirement if they can meet certain criteria and the Paper sets out how the FCA plans to assess applications to rely upon this exemption. The FCA expects to receive applications by no later than 14 June 2019.
3. Other issues addressed in the Paper
PSPs are required to provide the FCA with certain statistics relating to fraud. Following final guidelines on fraud reporting issued by the EBA in July 2018, the Paper proposes to amend the prescribed form which PSPs must submit. The FCA also proposes to require that, for most PSPs, this form is submitted every six months rather than annually (as currently required).