HM Treasury Review and Call for Evidence: Payment Services Regulations 2017 Innovate Finance Response

About Innovate Finance
Innovate Finance is the independent industry body that represents and advances the global FinTech community in the UK. Innovate Finance’s mission is to accelerate the UK's leading role in the financial services sector by directly supporting the next generation of technology-led innovators.
The UK FinTech sector covers businesses from seed-stage start-ups to global financial institutions who embrace digital solutions, playing a critical role in technological change across the financial services industry. FinTech has grown strongly since the Global Financial Crisis of 2007/8, which led to mistrust in traditional banks and coincided with an explosion in the use of smartphones, widespread adoption of the use of apps, the advent of blockchain technology, and significant investment in FinTech start-ups.
FinTech is synonymous with delivering transparency, innovation and inclusivity to financial services. As well as creating new businesses and new jobs, it has fundamentally improved the ways in which consumers and businesses, especially small and medium-sized enterprises (SMEs), access financial services.
Introduction
Innovate Finance welcomes the opportunity to respond to HM Treasury's (HMT) review and call for evidence in relation to the Payment Services Regulations 2017 (PSRs).
In preparing this response, we have engaged with challenger banks (including indirect access providers), authorised electronic money and payment institutions, and other payment gateways and platforms.
The FinTech sector is encouraged by the Government re-affirming its commitment to support a flourishing, innovative and internationally competitive payments sector, which places consumer protection at its heart. Innovation in the payments sector is moving at pace, and we note that Government and regulators have set out an ambitious reform agenda over recent months — including how to drive forward Open Banking and how to thoughtfully create a legal and regulatory framework for digital assets.
In order for the UK to remain a world leader in payments innovation, the Government needs to take this opportunity in reviewing the PSRs to futureproof the legal and regulatory framework, in order to ensure that it is agile, proportionate and promotes both innovation and consumer protection.
To deliver these outcomes, we would urge the Government and regulators to collaborate and rationalise and restructure the existing payments legislative architecture — which HMT itself has acknowledged makes it “difficult to flex or update”[1] requirements — and recast this wherever possible in regulatory rulebooks. This would align with the Future Regulatory Framework Review proposals on moving towards a regime where substantive obligations are contained in rules and guidance issued by the regulators, rather than laid down in statute. It would also align with the EU’s direction of travel, where for example the European Banking Authority’s Opinion[2] provides support for a merger of the Electronic Money Directive (EMD) and second Payment Services Directive (PSD2) regimes in the EU into a revamped Payment Services Directive 3 (PSD3) regime. Maintaining complex and overlapping legislative, regulatory and supervisory regimes for the UK payments sector, in circumstances where the EU has decided to consolidate payments regimes, would risk putting the UK at a competitive disadvantage.
We recognise that overhauling the UK’s payments framework will be a significant undertaking. With this in mind, we would urge the Government and regulators to continue to engage with industry to evaluate priorities and focus on areas with the most urgent need for reform in the short term.
In the short term, we recommend that the focus is placed on creating a viable economic and regulatory model underpinning consumer protections for Authorised Push Payment (APP) fraud. The Payment Systems Regulator’s (PSR) proposed uncapped, near strict-liability regime will not reduce the number of people falling victim to APP fraud as it is centred around remediation and not prevention at source. The remediation burden will fall to the financial services sector even though more than 70%[3] of all APP fraud originates via the tech and telecoms sectors. The projected costs of the mandatory reimbursement regime are a significant barrier for prospective market entrants and pose a threat to the economic viability of existing start-up and scale-up FinTechs in the UK. Mandatory reimbursement costs are estimated to be the equivalent of wiping, at minimum, a tenth of PSPs' revenue[4], undermining competition and the international competitiveness of the UK as a place to start and scale a FinTech business.
Moreover, there is always the possibility that an introduction of an uncapped reimbursement obligation across the payments industry before preventative measures are in place may give rise to moral hazard risks. The swift imposition of liability before the preventative measures are in effect may force payment firms to undertake a large-scale and rapid “de-risking” of UK payment end users, resulting in many people losing access to regulated payment services. Remedial measures (reimbursement) must be synchronised with preventative measures. Without this, FinTechs and other banks will be forced to block or slow payments, negatively impacting customer experience and diminishing the benefits of the Faster Payment Service (FPS), which has been seen as a world-leading, real-time UK payments rail. Undermining the efficiency and effectiveness of FPS will not only impact the payments sector, it will have detrimental effects on the UK economy at large.
In order to materially reduce the volume of APP fraud and consumer detriment, and mitigate the other risks described above, there needs to be a joined-up, public-private sector approach. We are growing increasingly worried that this joined-up approach has not yet been articulated, and concerns shared by the entirety of the payments sector that were presented to the PSR alongside solutions have seemingly not been acted on. We would urge the Government to liaise with the PSR, industry and other relevant stakeholders to deliver a workable regime that ensures consumers are protected from losing life-changing sums of money while innovation in digital payments can continue to grow with appropriate incentives for all participants in the digital economy to reduce fraud.
We would be pleased to discuss this response in more detail with HMT colleagues and/or facilitate a roundtable discussion with our members and the wider FinTech ecosystem.
Questions and responses
General questions
1. How should the payment services framework (eg PSRs, EMRs, Cross-Border Payments Regulation as amended in UK law) evolve – and what should be the government’s priorities – to better promote the following government objectives for payments regulation:
- Achieving agile and proportionate regulation, which facilitates the international competitiveness of the UK economy through growth and innovation in the UK payments sector
- Ensuring appropriate trust and protection for consumers
- Ensuring the resilience and integrity of the UK's payment market
- Fostering competition, in the interests of consumers
In answering the above, the government would welcome concrete reflections from stakeholders for future policy, rather than the principles which should underpin regulation/regulatory change.
Response:
We see potential benefits in restructuring the framework to align it more closely with other areas of financial services regulation. This would entail moving away from the current architecture of regulation under Regulations — principally, the Electronic Money Regulations 2011 (EMRs) and the Payment Services Regulations 2017 (PSRs) — towards an approach based around the Financial Conduct Authority (FCA) Handbook. When the PSRs and EMRs were originally implemented, the overarching policy objective was to provide for a proportionate approach through subjecting e-money institutions (EMIs) and payment institutions (PIs) to bespoke regimes, which entailed — generally speaking — applying fewer regulatory requirements to such firms than firms regulated under the Financial Services and Markets Act 2000 (FSMA). Over time, however, the distinction that was created originally has been eroded as, for example, the FCA Principles for Businesses were extended to EMIs and PIs, a new Banking: Conduct of Business Sourcebook (BCOBS) was created and extended to PIs and EMIs, and the FCA has also made clear its expectation that PIs and EMIs follow certain of its other Guidance contained within the Handbook (for example, on Wind-Down Planning). The current framework has meant that a single "source of truth" has been lacking for EMIs and PIs, as the FCA has issued guidance contained in disparate places — for example, within the Handbook, its "Approach Document", and other areas of its website (for example, in respect of the safeguarding guidance issued during the Coronavirus pandemic).
Over time, also, other conduct of business standards, often deriving from EU law, have been added to the framework — for example, the Cross-Border Payments Regulation. We have seen the addition of other regulatory frameworks, for example, the framework established under the Financial Services (Banking Reform) Act 2013 which established the Payment Systems Regulator (PSR) which, although ostensibly directed principally at regulation of payment systems rather than PIs, EMIs and other payment service providers (PSPs), has also had an impact on PSPs — for example, in relation to the PSR's card-acquiring market review, and its work on authorised push payment (APP) fraud.
At the time of creating the EMRs and PSRs (and the predecessor Regulations that implemented the Payment Services Directive (PSD) in the UK), there were sound policy reasons for subjecting EMIs and PIs to a bespoke regime that was different — and less burdensome — than the framework under FSMA. However, that original policy objective has been eroded over time as decisions have been taken to extend additional regulatory obligations to the sector, and the resulting development has resulted in a patchwork of different obligations that are contained in different places. This has resulted in an overly complex framework, which would benefit from consolidation.
A further point in support of consolidation derives from the fact that many PIs and EMIs, whether within the same entity or other entities in their corporate groups, provide other services — for example, providing consumer credit — which results in firms being subject to FSMA, in respect of certain activities, and the PSRs/EMRs in respect of different activities. We can expect this issue to be accentuated by the future regime in relation to cryptoassets, on which HM Treasury (HMT) is currently consulting, as firms active in both the payments/e-money and crypto sectors will fall under FSMA for the latter activities but not the former, unless there is reform. The same applies to firms providing Buy-Now Pay-Later (BNPL) services, which are also to be brought under the FSMA framework.
Consolidating the framework for EMIs and PIs under the FSMA framework would:
- Align with the Future Regulatory Framework related proposals on moving towards a regime where substantive obligations are contained in rules and guidance issued by the regulators, rather than laid down in statute;
- Result in a simpler application of regulation to PIs/EMIs who also perform other regulated activities, for example in relation to cryptoassets, or consumer credit;
- Enable the regulators to react more quickly to market developments, or adverse effects created by existing regulatory obligations, through changing Rules and Guidance. This process is likely to be considerably more nimble than is the case currently, where changes to substantive obligations under the EMRs and PSRs require changes to statute;
- Enable greater clarity in rule-making. For example, the EMRs and PSRs take a high level approach in some areas — one obvious one being safeguarding. This has arguably created a lack of clarity around interpretation of the requirements when compared, for example, to the equivalent Client Assets Sourcebook (CASS) client money framework for investment firms, which is set down in detailed Rules in the Handbook; and
- Enable greater flexibility with regard to treatment of firms of different size and complexity. For example, the EMRs and PSRs distinguish between full EMIs/PIs and small EMIs/PIs. Under a rules-based regime, it would be easier to create multiple tiers of firms and apply a graduated approach in areas such as, for example, regulatory capital and other prudential requirements, depending on the size, business model and systemic relevance of individual firms.
Of course, a transition to a more rules-based approach will result in additional powers for the FCA, and how the FCA uses those powers will be important — for example, we would urge the FCA to approach the resolution of industry challenges through engagement and outcomes-based collaboration with stakeholders, in order to avoid the imposition of rigid technical solutions. Pursuant to the FSMA framework, however, the FCA is placed under certain obligations regarding consulting on changes to its Rules and Guidance.
In determining the right approach, we support the objectives outlined in (a) to (d) above. Without minimising the importance of any of these objectives, which our members agree are broadly the right ones, we would make particular mention of objective (a) and the importance of any revised framework creating agile and proportionate regulation that facilitates international growth and competitiveness through fostering innovation in the sector. The ability for regulation to be more responsive to developments, through changing more quickly, is perceived as an important advantage of a move towards a regime where substantive obligations are contained primarily in rules rather than statute. For example, in theory at least this should enable the UK to adapt its framework more quickly than the EU, whose regime is based on law rather than rules, noting that the pace of change in the UK since Brexit has so far remained relatively slow.
A transition to a framework based on FSMA need not necessarily mean extending all of the rules applicable to FSMA firms to PIs and EMIs. It should still be possible to retain a proportionate approach, having regard to the risks posed by PIs and EMIs, and the extension of specific elements — for example, the Senior Managers and Certification Regime (SMCR) — should be subject to individual consideration. The FSMA framework is itself sufficiently adaptable and flexible to allow for differentiated treatment between different types of entities, as demonstrated by the differences in Rules that apply to different FSMA firms today, both as to sub-sector and size/complexity. A move to a FSMA-based framework could go hand in hand, for example, with retaining the distinction between EMIs/PIs and Small PIs/EMIs, and would still leave room for decisions not to apply all of the framework (for example, the SMCR) to all firms in the sector.
2. To what extent would you support rationalising and/or removing the distinctions in regulation between payment institutions and electronic money institutions – in effect, combining the two sets of legislation? Would this be easier for the sector to navigate and/or lead to better outcomes?
Response:
Our members see benefit in merging the e-money and payment services regulatory frameworks, into a consolidated model that is underpinned by FSMA as outlined further in our response to Question 1. We note, in this regard, the ongoing Payment Services Directive (PSD2) review in the EU and the European Banking Authority's (EBA) Opinion[5] which is supportive of a merger of the Electronic Money Directive (EMD) and PSD2 regimes in the EU, into a revamped, consolidated Payment Services Directive 3 (PSD3) regime. Maintaining separate regimes in circumstances where the EU has decided to consolidate the regimes would risk putting the UK at a competitive disadvantage.
Under the approach that we have suggested in Question 1, fewer prescriptive requirements would be set down in statute with such requirements contained instead in FCA Rules contained within the Handbook. It would be a matter for the FCA to determine to what extent all of the requirements of the regimes should be merged, and to what extent any separation should be maintained whereby, for example, specific requirements are to be applied to e-money issuance or individual payment services such as merchant acquiring. However, as a general matter, we can see benefits in harmonising the standards between the two regimes. The EBA in its Opinion on PSD2 has identified a number of areas where there are discrepancies between the regimes - for example, in respect of the time periods around safeguarding, or the differential treatment applied as between agents and distributors of e-money. We agree that in such areas, there should be harmonisation as far as possible so that, for example, safeguarding operates in the same way whether the relevant funds being safeguarded relate to e-money that has been issued or unrelated payment services. In the view of our members, the current position whereby - for example - firms must safeguard e-money relevant funds and unrelated payment services relevant funds separately, gives rise to operational friction and additional compliance and other costs without a clear corresponding benefit for e-money holders or payment services users.
We are, accordingly, supportive of a rationalisation of the two frameworks and we think this would be best achieved by consolidating the framework under a model based on FCA rules, with a single set of standards applied as far as possible to firms issuing e-money and providing payment services. Where firms issue e-money and provide unrelated payment services, as far as possible the relevant regulatory obligations applicable to these activities should be subject to harmonisation, unless there is a clear policy reason for differentiating between the two in any individual case. This would, for example, enable firms to safeguard relevant funds that relate to electronic money issuance and unrelated payment services in the same manner, and potentially commingled in the same accounts (as is permitted for investment firms subject to CASS in respect of different investment services).
Harmonisation of authorisation and regulatory capital requirements, in particular, as envisaged by the EBA in respect of the EU framework, would enable UK EMIs and PIs to provide all relevant services under a single authorisation framework, and would help UK firms to remain competitive particularly if the EU decides to take a harmonising approach.
Situating the detailed prudential, safeguarding and conduct of business requirements for EMIs and PIs within consolidated chapters of the FCA Handbook as far as possible will also enable the requirements to be adapted over time, in response to market developments, rather than requiring further legislation. We see this as important in enabling the UK to adapt its regime in a timely manner, including so that the UK can retain its competitive advantage in rulemaking in relation to other jurisdictions.
In the course of consolidating the regimes, we encourage HMT to revisit whether the list of payment services and activities relating to e-money remains defined in the right way, given the way that the framework has been interpreted and has developed over time. The EBA has recommended doing this in respect of the PSD2 review, for example, in delineating between issuing and acquiring activities within the legislation, and in seeking to remove overlap between the various activities. We believe that HMT should use the opportunity of consolidation and reform of the regime to consider whether the current list of activities remains fit for purpose and to ensure that they are suitably tailored to the business models that exist.
This should not, however, lead to the addition of "e-money" to the list of payment services/activities. We think greater consideration is needed to ensure the definition and concept of e-money is preserved in any merger or consolidation. Our members would welcome more language around the fact that the issuance of e-money is not a "payment service", but rather the creation of electronic value that represents a claim against the issuer (as defined in the EMRs). The execution of payment transactions, as listed and defined in the PSRs, enables a transfer of “funds” - this already includes e-money, as "funds" are defined as “banknotes and coins, scriptural money or electronic money”. In the same way as deposits or credit, e-money is therefore a separate financial instrument (a type of 'fund'), and can already be used to execute payments as per the payment services listed in the PSRs. The e-money industry continues to be an essential part of the payments market, which has allowed for the development of innovative payment instruments leading to greater consumer choice and competition. The financial and business impact of making any changes to the concept of e-money would be disproportionate and far-reaching.
Scope and definitions (eg PSRs Parts 1 and 5 and Sch 1, EMRs Part 1)
3. Are (a) the definitions and (b) the scope of the regulated activities in the payments services and e-money framework clear and do they capture the right actors and activities within regulation?
Response:
We consider that there is value in revisiting the definitions and overlap of regulated activities in the payment services and e-money framework.
Whilst we are broadly in agreement with the regulated activities that are currently in-scope of the payment services framework, we do consider that there are areas of uncertainty that may benefit from greater clarity and consideration. Areas where further consideration would be warranted include:
- As already noted in our responses, the payment services framework is now complex and governed by overlaying regulation. This can be seen in particular in the definition of 'payment account' and its different uses. Whilst there are different ways in which the concept of a payment account is used under the PSRs and the Payment Accounts Regulations (PARs), a consideration of whether multiple definitions of the same concept is needed would be welcomed. The PARs definition is narrower than that under the PSRs and we would not recommend that a greater number of payment accounts be brought in-scope of the PARs. Instead, we would encourage HMT and the FCA to reconsider payment accounts further and the scope of this definition.
- A number of activities under the PSRs and what they are intended to cover can cause confusion for new players in the market. In particular, when 'execution of payment transactions' or the 'operation of a payment account' is carried out. Guidance over regulatory expectations on activities requiring licensing has been provided by the FCA but we would encourage a review of the PSRs to take into account whether more specific definitions of regulated activities should be introduced.
- Finally, we also consider payment initiation service (PIS) and account information service (AIS) activities further below.
We note that the EBA has raised similar questions as part of the PSD2 review and would encourage HMT to consider the risks of regulatory divergence as discussed in this response.
Our members have a number of comments and suggestions relating to specific definitions:
Online payment account
The Court of Justice of the European Union (CJEU) decision (Case C-191/17) on the definition of a ‘payment account’ is reasonable, but there should not be any discrimination in the legislation as this unnecessarily restricts customers from accessing their data no matter what type of account it is in.
The solution for this is not to bring more account types into the scope of PSRs, which is and should be limited to payment accounts, but to ensure that any horizontal data access legislation — including the General Data Protection Regulation (GDPR) — is not discriminating against any industry sector or type of data or account. Data owners, both private and corporate, must be able to use their data no matter where and by whom it is stored. If it is accessible online, e.g. via a user interface, this access cannot be restricted to manual use. Automated access by the owner or an authorised third party cannot be blocked independent of the technological nature of that user interface, be it based on application programming interfaces (APIs) or not.
Of course, any account servicing payment service provider (ASPSP) storing and using private or corporate data is free to offer additional, dedicated (and potentially commercial) interfaces, which may allow mutual benefits, but these cannot be given a monopoly status; the account information service provider (AISP) must be able to fall back to user interfaces when necessary.
Furthermore, the CJEU case law explains what a payment account is, but does not say what an ‘online’ payment account is. In the EU, some ASPSPs have been found to offer services that allow their clients to access payment accounts without any strong customer authentication (SCA). ASPSPs take the view that access to payment accounts through such services is not ‘online’ access to payment accounts. However, from a technical point of view, this protocol is accessed via the internet. Although this issue has not come up in the UK, there is a need for a clear definition of an ‘online’ payment account, in order to have the same SCA rules applied for the same activities.
Consent
Many of our members consider that the definition for ‘consent’ should be reconsidered in the PSRs. The European Data Protection Board (EDPB) Guidelines on the Interplay between GDPR and PSD2 deny some GDPR options to payment services, such as further processing, which many of our members consider should not be the case. Therefore, every reference to ‘consent’ should be replaced with ‘permission’ in order to steer clear of any unintended interpretations of the regulations.
Sensitive payment data
In the definition for ‘sensitive payment data’, it should be clarified that neither the name nor the ‘identifier’ of the account owner falls in scope of the provided definition. The Customer ID is not a personal security credential and should therefore be available to be used for AIS and PIS where needed.
Unique identifier
The definition of a ‘unique identifier’ should not be limited to ASPSP-issued unique identifiers, e.g. International Bank Account Numbers, but also include proxies — even when these are not issued by the ASPSP, such as social security numbers and mobile phone numbers.
Payment transaction
A transaction is most closely related to the execution of a payment, not the initiation of it. It is important to clearly separate the initiation of a payment from its execution, as the former can now also be done by a payment initiation service provider (PISP) (not just by the payer or payee). Therefore, ‘payment transaction’ should be defined as an act that is authorised by the payer or on his behalf or by the payee.
4. Do the exclusions under the PSRs and the EMRs continue to be appropriate (includes limited network, electronic communication, commercial agent etc)?
Response:
Many of our members have raised a number of concerns relating to current exclusions:
- The PSRs have distorted the level-playing field to some extent by not taking account of all actors in the payment chain, such as merchants or the card networks. Some of these actors are essential to deliver the PSRs’ stated outcomes, for instance to improve security and the fight against fraud. We would therefore recommend that HMT reconsider its approach and include all actors in the payment chain within the scope of the PSRs, in relevant areas (and certainly SCA).
- We would also urge HMT to reconsider its approach to the exclusion for technical service providers, to account for the entry into the payments market of actors that have remained unregulated. Indeed, some technical service providers, such as mobile (pass-through) wallets, should be brought into scope of the PSRs as regulated entities, and in particular subject to fair access requirements and the rules on security and fraud prevention (including SCA).
- Many members have raised concerns about significant growth in the usage of electronic communication technologies for payment services, such as Direct Carrier Billing (DCB) services, which are payments that are executed through telecom operators. Consumer spending through DCB services is estimated by Juniper Research to grow by almost 50% by 2026, mainly driven by the popularity of mobile gaming and video subscriptions.[6] DCBs are designed to fall outside of the PSRs by restricting payments to a maximum of £50 per transaction and a cumulative value of £300 per month. This means that consumers cannot benefit from enhanced protection against fraud and other abuses or payment incidents when using DCB services. Considering the rapid growth of this market, HMT should ensure that exclusions such as that for DCB services are reviewed.
- Many members have observed challenges when it comes to the application of the rules to marketplaces via the commercial agent exemption and we believe it is no longer fit for purpose for business models where the physical and online worlds are blurring, for instance a franchise of fast-food restaurants where a customer can order online (or via QR codes) and eat in, or a hotel chain with multiple owners. In these cases, the payment flows are unnecessarily complex owing to the requirements of the PSRs. This limits innovation, slows down digitisation and ultimately benefits the big players who have the resources to obtain licences. We would therefore suggest that the exemption be amended to account for these technological innovations.
The regulatory treatment of payment services and e-money (eg PSRs Parts 2-4 and Sch 2-3, EMRs Parts 2-4 and Sch 1-2)
Considered against the government’s objectives for payments regulation (paragraph 14), and referring to paragraph 20 in the government’s accompanying review document:
5. How, if at all, might the framework for the authorisation of payment institutions and electronic money institutions be reformed?
No response.
6. How, if at all, might the framework for the registration of small payment institutions and small electronic money institutions be reformed?
No response.
7. How, if at all, might the registration requirements for account information service providers be reformed?
No response.
8. Does the regulatory framework for payment initiation service providers (PISPs) and account information service providers (AISPs) sufficiently support the growth of this sector, and ensure a level playing field, and fair access to payment accounts, to support competition and growth?
Response:
We consider it is important that PISPs and AISPs continue to be supported through the payment services framework with access to payment accounts and that barriers to the operation of these sectors are minimised. Work undertaken by the FCA to try to reduce barriers to renewal of SCA is welcomed, and we consider that more could be done to address the ways in which SCA may create a barrier to these technologies.
More broadly, many of our members consider that there is the potential for further discussion as to whether a more sector-agnostic approach to customer data ownership (similar to the regime in Australia) might be beneficial and could replace, in particular, the AISP regime. However, many of our members would be wary of any unintended consequences of reforming data sharing more generally and removing specific access to payment accounts for registered AISPs. Some of our members consider that there should be an overlap in definitions and scope when regulations for Open Finance are introduced to give AISPs enough time to make investments and reap the opportunities, while mitigating risks that jeopardise business continuity by keeping the responsibilities for ASPSPs in place under the PSRs. This is mainly needed to account for the additional investments that will likely be needed in resolving obstacles created by unforeseen and unintended consequences.
However, although the scope of the Australian approach is worth pursuing, some of our members believe that the investment requirement for ASPSPs to ensure that their payment service users (PSUs) can enjoy the services offered by AISPs and PISPs under the PSRs should be zero. Some of our members consider that it is a misconception that the customer interface needs to be ‘modified’ to ensure that AISPs and PISPs can identify themselves or that the information being exchanged is secured. These members believe the customer interface should not be modified in any way. On the contrary, some of our members consider that modifications should be prohibited to ensure equal access to PSUs, AISPs and PISPs. Of course, AISPs and PISPs must remain regulated and obliged to identify themselves, but some of our members consider that this can be achieved without mandating any investments from the ASPSPs.
In addition to the points raised above, some of our members believe HMT should investigate how it could eliminate obstacles or barriers to allow PISPs to deliver on their promise to transform the payments landscape by lowering costs for merchants with virtually no fraud and an opportunity to improve payer experiences by relying on state-of-the-art authentication technologies. To do this, HMT should consider revising the PSRs to:
- Ensure PISPs can access account information prior to finalising a payment initiation service to improve the payer experience by presenting information (e.g. account balance) and at the same time mitigating the risk of non-execution by identifying payment limits and available funds;
- Ensure PISPs can embed the access interface to compete and innovate among each other by creating intuitive user experiences that are best suited for the channel or use cases requested from the PSU, without requiring additional investments from the ASPSPs; and
- Ensure PISPs are notified when the payment status changes by requiring ASPSPs to inform the payer or party initiating a payment on behalf of the payer. Specifically, PISPs currently only receive information about the payment up until the initiation. If a transaction fails post-initiation, PISPs often find out through the merchant. To make PIS an even more competitive proposition, ASPSPs should be required to inform the PISP about the change before, during and after the payment is executed.
Payment Initiation Services (PIS)
Many of our members consider that the current definition for PIS does not accurately describe what PISPs do for their users. Firstly, PIS is a multi-step process, which ends with providing the payment order to the ASPSP at the request of the PSU — which can be both payer and payee.
Furthermore, under Regulation 69(2) the ASPSP must take certain actions where the payer gives the PISP ‘explicit consent for a payment to be executed’. This consent provision should be replaced with ‘Where the payer authorises a payment to be executed [...]’.
Some of our members consider that Regulation 69(2)(a), on the topic of secure communication, should be understood in the context of the information exchange between the PISP and the ASPSP — not the PSU and the ASPSP. These members recommend that HMT should consider clarifying that ASPSPs should not mandate the payer to be redirected to the designated interfaces offered by the ASPSP for the completion of SCA. In their view, doing this would enable PISPs to compete on the payer experience that can be offered through the access interfaces and deliver more innovative services across different online and offline channels.
Finally, Regulation 69(2)(b), on the topic of information provision, could be amended by adding that information should be provided immediately after receipt of the initial payment initiation request, but also when the status of the payment order changes. This way, PISPs will be able to confirm the status of the payment to both the payer and the payee.
Account Information Services (AIS)
When it comes to the current definition for AIS, many of our members consider that the current definition is too narrow. The PSRs Regulation 2 (1) defines AIS as “an online service to provide consolidated information on one or more payment accounts held by the payment service user with another payment service provider or with more than one payment service provider, and includes such a service whether information is provided — (a) in its original form or after processing; (b) only to the payment service user or to the payment service user and to another person in accordance with the payment service user's instructions”.
If AIS are to be re-scoped, HMT may consider defining AIS in a broader manner. For instance, it could be defined as “accessing and processing of the information that is available in the interface(s) offered by a financial service provider with the permission of the payment service user”. This definition could address some of the deficits that currently exist under the PSRs as ASPSPs and AISPs often disagree about what information should be available through a dedicated interface. More importantly, it would allow an AISP to access all information presented in the account, which can include information pertaining to the identity of the PSU and other financial services.
Moreover, this definition does not limit AIS to the delivery of aggregated account information. It leaves room for AISPs to deliver use cases whereby PSUs use account data for value-added services not provided by their ASPSP.
Furthermore, similar to our recommendation on the scope of PIS on the topic of secure communication, Regulation 70(2)(a) should be amended to ensure that the ASPSP is not allowed to mandate the PSU to be redirected to any designated interfaces.
Authentication
The PSRs Regulation 100 (1) should be amended to clarify that the responsibilities for SCA only apply to ASPSPs. They may delegate/outsource the SCA but retain responsibility under the PSRs.
Furthermore, the current scope for SCA has created unintended complexities for AISPs looking to access account information. The access to account information, without the movement of any money, does not create any measurable risk of fraud. There is no evidence of fraud created that way, and there is no evidence of fraud that was hindered by the introduction of the account access SCA. In fact, AIS has already been de-scoped from the Money Laundering Regulations 2017 (MLRs). Therefore, Regulation 100(1)(a) should be deleted which would also leave room for horizontal data regulations to stipulate the responsibilities that data holders have over protecting the access to information.
As a bare minimum, the rules for SCA should be amended in a way that makes this account access SCA the exception, not the norm, i.e. only applied if a particular access in a particular situation appears to imply a specific risk. This clarifies that SCA does not apply when the PSU is not ‘online’.
When it comes to the performance of SCA for payments in Regulation 100(1)(b), it is the authorisation of the ‘execution’ — not the ‘initiation’ — that should require SCA, and that by the payer towards their ASPSP.
Dedicated interfaces
Some of our members hold the view that a key challenge with the PSRs is that the Regulatory Technical Standards (RTS) have removed all financial incentives for ASPSPs to build high quality APIs. In these members’ view, there is no ‘revenue incentive’ because APIs that give access to payment account information and allow for the initiation of payments are regulated as ‘dedicated interfaces’ to give AISPs and PISPs an alternative interface to the customer interface. This means that these APIs cannot be commercialised and need to be available for free. Furthermore, by granting ASPSPs a “fallback exemption”, the FCA has also removed the opportunity for APIs to be driven by a ‘cost incentive’, because AISPs and PISPs are prohibited from using the customer interface for access to the payment account once the exemption is granted. Some of our members consider that widespread usage of the customer interface would increase operational costs for ASPSPs. Instead, in their view, the only incentive that ASPSPs have to provide a dedicated interface is a ‘compliance incentive’.
Furthermore, the absence of a contingency mechanism (or fallback) means that ASPSPs have full control over how AISPs and PISPs interact with the dedicated interface with no alternative. In the current model, ASPSPs have a monopoly over the access interface, with control over the PSU’s user experience, the account access by AISPs and the initiation of payments by PISPs.
The RTS Article 33 (7) states that when ASPSPs do not resolve an issue with the dedicated interface within two weeks, the exemption shall be revoked. AISPs and PISPs shall then be allowed to take contingency measures by building a mechanism to gain direct access to the customer interface. Many of our members consider this to create perverse incentives and unintended consequences — i.e. the consequences of a poorly designed dedicated interface could be perceived as falling to the AISPs and PISPs to solve (through investment of their time and other resources). This has knock-on impacts for competition where those AISPs and PISPs are new market entrants and scale-up FinTech firms.
That being said, some of our members believe these issues should be addressed in the PSRs in a different way. HMT should completely remove the notion of “dedicated interfaces” from the RTS altogether. If the only requirement were for ASPSPs to provide an “access interface” that PSUs, AISPs and PISPs can use to gain access to payment account information and functionalities, there would be a cost incentive for ASPSPs to provide a high-quality API. Some of our members consider that this is because ASPSPs will wish to divert AISP and PISP traffic from the customer interface to dedicated infrastructure. Furthermore, not regulating dedicated interfaces also gives ASPSPs the opportunity to commercialise the access via an API or, of course, to offer the access for free. This model would allow for an organic and market-driven evolution of not just open banking, but also open finance and other open data initiatives.
9. How, if at all, might the registration requirements or wider regime for agents be reformed?
Response:
The agency regime under the PSRs/EMRs has a number of similarities with the more established appointed representative regime under FSMA. As part of any consolidation of the payments and e-money framework under the FSMA umbrella, it should be considered what consolidation between the appointed representative and payment services/e-money agent regimes might be warranted. We note that the scope of possible services and the overall differences between the FSMA and PSRs/EMRs regimes may mean that maintaining separate regimes is needed, and we would encourage that careful thought is given to whether an appointed representative regime is appropriate in this sector or whether the regime for agents of PIs/EMIs should be preserved in something closer to its current form as part of any broader restructuring.
Information requirements for payment services (eg PSRs Part 6 and Sch 4)
Considered against the government’s objectives for payments regulation:
10. Is the current framework for the provision of information to payment service users effective? If not, how should its scope change?
Response:
In the spirit of rationalising and streamlining the regime applicable to payment services, our members would welcome the consolidation of information requirements applicable to PSPs in a single, consolidated document.
In parallel with this consolidation, many of our members view this review as a good opportunity to consider how better to address the way that contractual terms are displayed in remote contracting situations, especially in relation to what constitutes a durable medium, allowing firms and customers to benefit from technological developments and new consumer habits (e.g. providing links rather than static PDFs). This would enable more customer-friendly and accessible information, with a digital first principle, in line with new customer habits, while allowing opt-ins for 'paper communication' to cater to those who prefer this option.
11. Are there particular changes that you would advocate to the Cross-border Payments Regulation in relation to the transparency of currency conversion, and what would these entail?
Response:
As addressed in our responses to this consultation, we consider this review to be an opportunity to address weaknesses, overlaps and potential inconsistencies between the regimes that apply in the payments space. In our view, requirements under the Cross-border Payments Regulation are an area where consolidation to a single set of UK-focused rules would be beneficial. The FCA has already established rules in the BCOBS on disclosure by providers of foreign exchange services as part of its work on misleading foreign exchange charges in 2019. In our view, a review of the FCA rules and extension of FCA rules to a wider range of cross-border payments will be more effective than the Cross-border Payments Regulation going forward. We understand that the FCA has undertaken a number of reviews on standardised disclosures and their efficacy, which have found that they do not achieve their aims. We therefore consider that FCA rules on avoiding misleading communications etc., rather than dictating a standardised way to make disclosures, would be beneficial.
Building on this, many of our members also point out that the language used around transparency in currency conversion charges in the existing PSRs is unhelpful and should be amended. For example, Part 6 Section 44(d) requires firms to show “the amount of any charges payable to the payment initiation service provider in relation to the payment transaction”.
Some large players in the payments ecosystem maintain that this does not apply to mark-ups on exchange rates, but only to an actual charge set by the institution for the services of currency conversion. As a result, consumers are still facing ‘hidden fees’ and mark-ups through exchange rates that are above the mid-market (interbank) rate.
To evidence this issue, one of our members commissioned research in June 2022; this research found that British consumers lost £1.3 billion in ‘hidden’ fees when sending and spending money abroad.
Part 6 Section 44(d) also only applies after the initiation of a payment order. Our members suggest that transparency should apply before initiation of a payment order and before the receipt of the payment order.
Furthermore, Part 6 Section 45(d) requires that “when an exchange rate is used in the payment transaction differs from the rate provided in accordance with regulation 43(2)(d), the actual rate used or a reference to it, and the amount of the payment transaction after that currency conversion”. With a view to promoting the transparency of currency conversion, many of our members contend that this language is unhelpful for two reasons:
- Point in payment flow: This legal requirement only applies after the receipt of a payment order. This does not allow consumers to effectively make comparisons to choose the best deal. Consumers are also far less likely to drop off from completing the payment flow as they have already committed to submitting their payment order, and so fail to benefit from this ‘transparency’.
- Presentation of information: The PSRs require the “actual rate used or a reference to it” to be communicated to consumers. However, they do not specify how or where it needs to be communicated. Our members have flagged up that some firms continue to present this information deep in their terms and conditions or behind small tool-tips in the payment flow. Our members consider that more could be done to make clear to consumers any potential ‘hidden’ fees that they may be liable to pay. We consider that this would align firms’ behaviour with the FCA’s forthcoming Consumer Duty, which places an onus on firms to deliver good consumer outcomes and provide consumers with clear communications.
With this in mind, our members call on HMT to ensure that the revised PSRs include a requirement that all financial services firms disclose and break down the total transaction cost (including fees at both ends and foreign exchange rate margins) to their customers before the initiation of a payment order. The revised PSRs should also explicitly define a currency conversion charge to include any margin added to the mid-market exchange rate. For this to work effectively and consistently, the regulations should specify a mid-market exchange rate provided by neutral actors (such as but not limited to Reuters or Bloomberg) and introduce an FCA approval process for mid-market exchange rate providers.
Most banks will show a customer their own exchange rate, without including the actual exchange rate (or the difference between the rate used and the real rate). This inhibits the ability of consumers to make accurate comparisons. This is because UK consumers are not able to accurately calculate the total cost of their transaction or compare costs between providers which has resulted in remittance and cross-border payment costs being exorbitant. This lack of fair competition means there is no incentive for banks and other providers to lower their fees.
Hence, the approach recommended by our members is congruent with international efforts such as the transparency targets of the G20 Roadmap for Enhancing Cross-Border Payments which include the requirement to show the currency conversion cost (FX margin). In fact, the Remittances Action Plan by the United Nations (UN), World Bank and International Fund for Agricultural Development (IFAD) used even stronger language on transparency disclosures. Increased transparency and the downward pressure on prices would also contribute to the UN Sustainable Development Goal 10.C which aspires to lower the cost of remittances to less than 3% by 2030.
Furthermore, the scope of the rules covering microenterprises should be expanded to cover small and medium-sized enterprises (SMEs). One of our members previously commissioned research which found that all UK businesses lost an estimated £4.2 billion from hidden fees, with £3.6 billion of this loss applying to SMEs. SMEs are an integral part of the UK economy, making up approximately half of UK private sector turnover[7]. Expanding the scope of this transparency would allow these smaller firms to benefit from the transparency measures outlined in the PSRs while enabling them to use any additional cost they save from hidden fees as an extra resource to drive innovation and growth. The corporate opt-out for pricing disclosures should also be ended. There is precedent for such an approach, as the G20 Roadmap for Enhancing Cross-Border Payments considers both SMEs and consumers to be part of the 'retail' segment, enabling them to have similar levels of protection as consumers.
HMT should also consider expanding the scope of the rules covering microenterprises to end the Dynamic Currency Conversion practices by retailers and address the unhelpful language contained under the Cross Border Payment Regulation 2 (CBPR2).
Finally, if HMT is to proceed with considering these changes, our members urge HMT to engage with the industry, to ensure any changes are based on practical considerations. For example, some elements of currency conversion transparency may not be in the consumer-facing payment providers’ control, and this information asymmetry along the payment chain should be acknowledged.
Rights and obligations in relation to the provision of payment services (eg PSRs Part 7)
Considered against the government’s objectives for payments regulation:
12. What has been the experience of a) providers and b) users/customers in relation to the termination of payment services contracts? Does the existing framework strike an appropriate balance of rights and obligations between payment service users and payment service providers, including but not limited to a notice period applying in such cases?
13. With reference to paragraph 31 of the accompanying review, do stakeholders have any feedback on the government’s view:
- that, as a general principle, a notice period and fair and open communication with a customer must apply before payment services are terminated?
- that the regulations and wider law operate here as set out under paragraph 29?
14. How and when do providers cease to do business with a user, and in what circumstances is a notice period not applied?
15. How effective are the current requirements in the Payment Services Regulations, notably under Regulations 51 and 71 – are these sufficiently clear or would they benefit from greater clarity, in particular to ensure that notice-periods are given and customer communication is clear and fair?
16. Should there be additional protections for payment service users against the termination of contracts? Should anything be specific to protect their freedom of expression – e.g. to ensure that adequate (or longer) notice is given in such cases, and what communication requirements should apply?
Response: We have considered the responses to Questions 12-16 holistically.
Our members are wary of legislating specifically in this space in isolation — we consider that policy development on contract termination in payment services needs to evolve in lockstep with the development of general law in this area, including consumer law, the Online Safety Bill, and more general policy debates within Parliament around the policing of online behaviour.
Our members, while broadly supportive of the general principle — i.e. that there is a notice period and fair and open communication with customers before their payment services are terminated — consider it crucial that they have the right to disapply this notice period where customers have engaged in, or are suspected of having engaged in, illegal activity.
Additionally, our members consider that PSPs should be able to disapply the notice period in cases that do not meet the threshold for illegal activity, but nonetheless pose the risk of significant harm to a PSP or other party – for example, in cases where customers have violated a PSP’s contractual terms of use. All PSPs have obligations to other firms within the payments chain and these intra-network relationships are integral to the effective functioning of the UK (and global) payments ecosystem, ensuring firms can deliver good customer outcomes. The terms of these agreements set by card networks and bank acquirers, for example, often stipulate that swift action must be taken to prevent or mitigate the effects of a prohibited activity (which does not only cover activity regarded as “illegal”), and prevent or mitigate reputational and other commercial risks associated to partners in the payments chain. Firms failing to meet these obligations to their commercial partners would be liable for breach of contract and any penalties that flow from this.
We would therefore encourage HMT to reflect on the grey areas that exist between the clearly defined boundaries of "legal" and "illegal" content and behaviours, and the very hard decisions that must be taken within those grey areas. There are various reasons why payment service providers may choose (or are required by their contracts with other firms within the payments chain) not to provide a notice period in certain scenarios, including brand and reputational risk management, and societal obligations not to support certain behaviours. For example, while Holocaust denial may not be technically illegal in the UK, certain other jurisdictions have legislated to criminalise Holocaust denial, which means that not only are there cross-border implications for payment service providers to consider directly where a user might be engaging a payment service contract in furtherance of Holocaust denial activities, but card scheme requirements may also operate so as to require termination, and questions of brand risk management and societal obligations take centre stage in difficult decision-making – all of which may lead to termination without notice.
It is worthy of reflection that none of these decisions are easy and further guidance is required in lieu of a blanket two-month notice period with elucidated reasoning. Our members consider the above described scenarios as reasonable and proportionate grounds on which to disapply the general principle, and this approach will enable firms to balance account holders’ rights with the need to manage and mitigate reputational and commercial risks and obligations to commercial partners.
Building on concerns around the notice period, our members have flagged up that there may be unintended consequences, not least conflicts with other legal and regulatory obligations, if firms have an obligation to provide specific reasons to the account holder to justify the account termination. We note that account closure owing to illegal activity on the part of the customer would be out of scope for this obligation; however, if the obligation is in place for all other scenarios, then bad actors may be able to deduce from the silence that their PSP suspects that they may be involved in illegal activity. Where PSPs have suspicion or knowledge of illegal activities on the part of their customers, they are required[8] to file Suspicious Activity Reports (SARs) to alert law enforcement to potential instances of economic crime and other criminal activity. Those filing SARs to the UK Financial Intelligence Unit need to be mindful of “tipping off” provisions[9] in POCA, which make it an offence, having submitted a SAR, to reveal information which is likely to prejudice any law enforcement investigation. With this in mind, we would urge HMT to consider holistically the interplay between firms’ legal and regulatory obligations under POCA, TACT and the MLRs and the requirement to provide (or withhold in certain cases) information to justify PSPs’ actions to terminate a customer account. Our members see a tension here, where the withholding or provision of information to customers could lead to perverse outcomes, including exposing PSPs to fines and other liability for breaches of their legal and regulatory obligations.
Looking at the Online Safety Bill in particular, we note that amendments have removed the Secretary of State's powers to define "legal but harmful" material and duties related to that content. Instead, the onus is now on terms of service to be clearer and more transparent about the boundaries of permissible content and the removal of content which breaches those boundaries. This is also consistent with the general position in consumer law on termination for breaches of acceptable use policies. We consider that taking this approach, focused on clear and transparent terms of service rather than legislated boundaries and behaviours, would be the better choice in relation to payment services.
Wider considerations in relation to the provision of payment services
17. What provision, if any, should the regulatory framework make regarding charges for payment services?
Response:
Our members do not consider that it would be appropriate for fees and charges to be set in regulation as a general point. It is worth noting that the regulatory regime for payments does speak to fees and charges: the PSRs include rules on the allocation of charges, and the Interchange Fee Regulation deals with caps on charges. The PSR's work, such as its market study on acquiring activities, has also articulated further the principles around transparency of pricing. Further, the FCA Consumer Duty's price and value outcome will ensure that consumers are charged prices that represent fair value, without the need for explicit numerical or quantified provisions on fees and charges. We do not see the need for further regulatory price intervention beyond the competition powers already held by the PSR.
Many of our members believe that surcharging is detrimental to consumer choice, consumer protection and to competition in the payments sector. We would urge HMT to reassess its approach and prohibit surcharging under the PSRs, which we believe will create a true level playing field between card and non-card payments by fostering competition and consumer choice.
18. Does the existing framework strike an appropriate balance of rights and obligations between:
- Sending and receiving payment service providers?
- Account servicing payment service providers and payment initiation service providers/account information service providers?
No response.
19. Are consumers adequately protected from evolving fraud threats under the existing legislation – is further policy needed to ensure this, and how should that policy be framed?
Response:
We and our members have contributed extensively to a number of PSR consultations relating to APP fraud. We are supportive of providing a fair level of protection for consumers who, notwithstanding reasonable steps to protect themselves, or those with characteristics of vulnerability, fall victim to APP scams. Our members welcome the introduction of a consistent approach to consumer protection across the payments industry. As explained in our response to the PSR’s consultation (CP22/4) entitled "Authorised push payment scams: Requiring Reimbursement", we do not consider that the PSR's liability model will actually reduce the number of people falling victim to APP scams in the first place, and believe that an uncapped, near strict-liability regime is likely to increase APP fraud volumes by creating moral hazard and providing an incentive for first-party fraud. In order to truly reduce the number of victims of APP scams, there needs to be a joined-up, public-private sector approach to tackling APP fraud at source – our members urge the PSR to engage with counterparts in the Home Office, FCA, law enforcement and industry players, including technology companies such as “Big Tech” organisations and TelCos, to help shape a future fraud prevention strategy.
More specifically, as we have previously set out, our members recommend:
- An increase to the minimum APP fraud claim threshold (from £100 to £250), so PSPs can focus on protecting consumers from losing life-changing sums of money.
- The introduction of an upper threshold cap of no less than £30,000, so that all consumer protection reimbursement for fraud is consistent across payment types. This would provide multiple benefits: it would resonate with consumers, provide a proportionate regime for the vast majority of small- and medium-sized PSPs, and would not provide an incentive for first-party fraud to be directed at the payment systems. However, the PSR should validate any caps with analysis based on existing Contingent Reimbursement Model (CRM) Code fraud reporting.
- The PSR should look to apply the faster payment system (FPS) liability framework to edge cases such as PISPs in the medium- to long-term and not from the outset, so as to not inadvertently stifle innovation and emerging business models which are the focus of its own five-year strategy as well as the future entity overseeing ‘Open Banking plus’ in the UK.
- The timing of the entry into force of the PSR’s liability model should be aligned with the entry into force of relevant provisions in the Online Safety Bill, which will introduce incentives on other players within the digital economy (social media and TelCo firms) to reduce fraud. The PSR should also consider staggering the roll out of its liability regime, focusing first on CMA9, then gradually rolling out across the sector.
- As mentioned in our response to CP21/10 on APP scams, the PSR should collaborate with industry to pilot the data reporting measures and robustly analyse the impacts before mandatory reimbursement requirements come into play. A pilot would provide the regulator and industry time to spot any adverse effects, and pause the data sharing (or consider alternative approaches, such as aggregated data sharing) to remediate the unintended consequences of placing this data in the public domain.
- The PSR should collaborate with relevant counterparts in the FCA, Home Office, law enforcement and other relevant bodies and industry to shape a joined-up, public-private sector approach to tackling fraud in the UK.
Our members also wish to see a removal of the ‘blocks’ in the PSRs that hinder sending and receiving PSPs from stopping payments where they suspect APP (or other) fraud and for authorised payments liability to be set out in legislation.
We encourage HMT to review our response to CP22/4 in considering their approach to developing further policy relating to fraud protection. Our views are further summarised in our response to the PSR consultation (CP22/5) entitled "Measure One, Metric C process: revised approach" and our response to the PSR consultation (CP23/1) entitled "Reporting Guidance for APP Scams Measure 1: Data Collection and Publication".
20. In relation to payment transactions which payment service providers suspect could be the result of fraud, is there a case for amending the execution times for payments to enable enhanced customer engagement? What requirements should apply here to ensure the risk to legitimate payments is minimised and that such delays only apply to high-risk, complex-to-resolve cases?
Response:
The UK already enjoys interbank payment systems such as the FPS that allow transactions to be settled almost instantly. However, occasionally these payments are investigated by the payer’s PSP to ensure that there is no risk of fraud, money laundering, or terrorist financing. With PISPs experiencing virtually no fraud and a low risk of exposure to financial sanctions, there is an opportunity to accelerate the current execution times for credit transfers.
HMT should investigate putting in place regulation that would allow the payer, or any party initiating a transaction on behalf of the payer, to indicate whether a payment is time-critical or not. Similar to the proposed instant payment regulation in the EU, time-critical payments should be settled in less than 10 seconds, unless the ASPSP starts an investigation.
As part of this, we believe the ASPSPs should undertake sanctions checking on a daily basis on the payee, and not on the transaction itself. This would significantly reduce the probability of time-critical payments being subject to investigation and allow PISPs to offer more competitive retail payment solutions. When the status of a payment changes, we believe the ASPSP should be required to inform the payer, or the party initiating the transaction on behalf of the payer, without undue delay.
Our members would generally support the availability of a risk-based delay to execution times for payments - this is a good example of what a risk-based approach to the prevention of fraud in payment services could look like in practice. We would underline that it is important that the regulatory requirements do not further specify the criteria for "high-risk, complex-to-resolve" cases as these cases will vary from PSP to PSP. Rather, the criteria should be set by the PSPs themselves, in close collaboration with their regulators (and perhaps based on guidance issued by the regulator), as part of the PSPs' usual risk and compliance framework. Moreover, we would suggest leaving any proposed timelines out of the PSRs, leaving it rather to statutory instruments, in order to allow further industry consultation as well as to enable flexibility in case future revisions are required in light of the rapid pace of innovation.
21. In relation to fraud, whether unauthorised or authorised, is there a need a) to complement rules with data sharing requirements; and b) for further reforms to be made to make Strong Customer Authentication work more effectively and proportionately?
Response:
We consider that SCA should be reformed to take a more technologically-neutral and outcomes-based approach, which balances trust with consumer experience and innovation. Reforms should allow firms to manage fraud risks appropriately while maintaining high security and a frictionless, borderless approach.
Below, we outline our members’ experience of the SCA impact on fraud, consumers, innovation and competition to support our recommendations.
Impact on fraud
Industry research[10] shows that bad actors now find it more difficult to access payment accounts and initiate fraudulent transactions. However, there is increasing sophistication across all payment fraud vectors with bad actors adapting and increasingly using social engineering techniques to drive an uptick in APP fraud, for example.
As fraudsters become more sophisticated and change their approaches, new vulnerabilities to fraud will emerge. The limitations and vulnerabilities of SCA are well known: the RTS have limited the number of technologies and ways in which to perform SCA in practice, so bad actors know where to focus their efforts to side-step the controls. This focus often manifests in a single point of failure around customers’ mobile devices, as the most common way in which to perform SCA[11] is through testing knowledge (i.e. something only the customer knows, like a PIN or password) coupled with something you own (i.e. your mobile phone or tablet). In practical terms, this takes the form of a PSP sending a one-time passcode (OTP) to a customer’s mobile phone to authenticate a payment.
Impact on consumers
Our members’ experience shows that SCA has increased friction in the customer journey and checkout flow with a knock-on impact for the customer experience. While consumers are often reported to value the additional security that SCA brings, in practice the clunky user experience leads to higher cart abandonment rate.
Further, as the multi-factor authentication process often relies on something you own, i.e. a mobile device, some of our members also flagged the unintended consequences for financial inclusion and accessibility. If customers want to transact, more often than not they will need to own and be able to comfortably operate a smart device with a data plan. Additionally, beyond the obvious difficulties for customers with characteristics of vulnerability, customers with legally recognised, protected characteristics may also find it challenging to navigate the SCA process – for example, those with low vision. In our view, there is a need for the government to reconsider the approach to ensure that the legal and regulatory framework does not inadvertently exclude any consumer populations, especially in light of the forthcoming obligations on firms which will arise as a result of the Consumer Duty.
Unlocking innovation, and moving away from a ‘one-size-fits-all’ approach with the SCA, is one of the ways in which firms can better serve their customers and tailor the customer journey to their specific needs. We explore this in more detail, below.
Impact on innovation and competition
Our members consider that SCA has not kept pace with payments industry innovation and customer preferences. In their view, SCA is a ‘one-size-fits-all’ solution, which is suboptimal and leads to poor user experience. We know that PSPs, wallet services providers and others in the payments chain have developed in-house solutions that balance the need for seamless customer experience alongside robust, data-driven risk management. Firms are leveraging new technologies like Artificial Intelligence (AI) and machine learning to support their customer behavioural analytics, which can be deployed to ensure real-time monitoring of payments transactions.
However, these innovative approaches cannot be deployed more widely as the legal and regulatory framework is locked into the SCA approach with no flexibility. The current rules favour ‘active authentication’ on the part of the customer, which is often unsuitable for those with certain accessibility requirements (described above). Until this focus on active authentication changes, we will not see a case where real-time monitoring and other checks could be deployed in the background, reducing the need for customer interventions and mitigating single-point-of-failure vulnerabilities.
Further, in the case of card-based transactions, this has pushed industry towards one technology in order to comply with the PSD2 requirements. Our members wish to flag up that card networks have disproportionate power when developing compliant solutions for card-based authentication via the 3-D Secure (3DS) protocol. While our members recognise that there are benefits to having a standardised approach that streamlines an otherwise complex communication framework for actors within the payments chain, they consider that the customer-facing PSP should have more ownership of the customer journey. Reliance on one standard (3DS) is problematic, and we would encourage the government to explore what more can be done to promote innovation and competition.
Recommendations
We recommend that SCA should be reformed to take a more technologically-neutral and outcomes-based approach, which balances trust with consumer experience and innovation. Reforms should allow firms to manage fraud risks appropriately while maintaining high security and a frictionless, borderless approach.
In order to achieve this target end-state, we offer some guiding principles:
- A balance should be struck between a range of key policy considerations that are all inter-related: good user experience; security and the prevention and detection of economic crime; and the promotion of innovation, competition and the international competitiveness of the UK. At the moment, the FinTech sector and the wider financial services industry’s perception is that the focus is solely on security and economic crime. This is of course critically important, and essential to retaining trust in financial services, but this focus should not be to the detriment of the other key policy considerations.
- UK RTS should be revised to ensure there is an outcomes- and risk-based approach rather than a prescriptive approach. This would be broadly in line with other regulatory approaches, such as the FCA’s new Consumer Duty.
- The government should look to other jurisdictions for helpful comparative approaches that aim to promote innovation and competition. For example, in the 2021 US Federal Financial Institutions Examination Council (FFIEC) Authentication Guidance: “[…] multi-factor authentication (MFA) or controls of equivalent strength, combined with other layered security controls, can more effectively mitigate risks associated with authentication.” If the government were to adopt this or an analogous approach, it would decrease reliance on specific technologies that dominate the market today, by allowing for more varied authentication elements.
- The effectiveness of PSPs’ control framework should be assessed holistically via a risk-appetite framework driven by outcomes-based regulatory principles, in contrast to being assessed through the narrow lens of existing, prescriptive technical standards.
- Review and streamline the regulatory reporting burden for firms to promote competition within the UK payments market. While we recognise the importance of fraud reporting requirements set by the UK regulators and other actors within the payments system (e.g. card networks), the complex and overlapping regimes pose a barrier for new market entrants and are disproportionately burdensome to start-up and scale-up firms.
Issuance and redeemability of electronic money (e.g. EMRs Part 5)
Considered against the government’s objectives for payments regulation:
22. Are the requirements regarding issuance and redemption of electronic money still appropriate?
No response.
Miscellaneous
23. Noting the intention to commission an independent review in due course, do you have any immediate observations on the efficacy of the operation of the Payment and Electronic Money Institutions Insolvency Regulations to date?
24. Finally, do you have any other observations relating to the payments framework not encompassed above, and how this could be further improved, in line with the government’s objectives?
Response:
Please refer to our responses to Questions 1 and 2.
In addition, our members suggest that HMT should work closely with the FCA and Bank of England (BoE) to create a new regulatory regime that would allow EMIs with Non-Settlement Non-Reserve Accounts (NSNRA) to safeguard customer deposits at the BoE.
Currently, EMIs are required to safeguard at Tier 1 credit institutions. As a customer protection mechanism, safeguarding is not a concept well understood by consumers. Currently, Financial Services Compensation Scheme (FSCS) protection is presented to customers as the only 100% safe option (up to £85,000) to store and protect funds, but EMIs are unable to join the FSCS deposit protection scheme.
Being able to safeguard customer deposits at the BoE would give consumers confidence that their deposits are safe. This could be achieved in one of two ways:
- Non-Settlement Non-Reserve Account: An EMI’s NSNRA at the BoE can be upgraded to have overnight reserves access, and allow the Account to hold two “pots”, namely, one for settlement of funds between financial institutions (as it is currently designed), and a new second pot of funds within the NSNRA in which firms can safeguard customer funds.
- Create a new account type: The BoE could create a new Safeguarding Account that EMIs could have access to, alongside their NSNRA. This account would be interest bearing, and remove the systemic risk currently associated with large EMIs safeguarding at Tier 1 credit institutions.
The BoE conducted a consultation on opening up access to its balance sheet in 2019. In its June 2021 response, the BoE recognised the competition and risk reduction benefits of allowing EMIs to safeguard at the BoE. It did, however, flag its key risk concern as associated with a potential disorderly failure of a non-bank payments firm, and called for the Electronic Money and Payment Services Regimes to be strengthened. Innovate Finance members are now calling for HMT to use this review of the PSRs to do so.
The BoE’s response to its consultation highlighted three areas to strengthen:
- Customer funds to not only be 1-for-1 backed at all times, but for appropriate buffers and/or capital requirements to be in place to absorb unexpected losses. Many of our members are broadly comfortable with this request, so long as the buffers address specific risks associated with the EMI’s business model, instead of containing oversimplified ratios.
- Protections for customers to be in place to guarantee that all funds are returned promptly to customers in the event of a firm's failure. Our members would be pleased to work with the BoE or a third party administrator to develop such a process.
- Formal wind-down plans should be maintained to reduce the risk of disorderly failure. Our FCA-regulated EMI members are already required to develop and produce annual wind-down procedures, and they consider this to be an appropriate requirement to safeguard at the BoE.
In addition, as EMIs grow in size, competition amongst credit institutions offering safeguarding becomes increasingly rare, as very few providers are willing to take on sizable EMIs’ safeguarded funds. For significantly large EMIs that safeguard billions in customer deposits in the UK, this presents two pressing challenges:
- De-banking risk: As EMI members scale, and as there are fewer providers with a risk appetite to hold their safeguarded funds, there is an increasing risk of EMIs being de-banked by their safeguarding partners. This would leave millions of customers unable to use their services.
- Systemic risk: Many of our members currently rely on direct competitors in the traditional banking sector to safeguard customer deposits. This concentrates greater risk onto these safeguarding partners in the event of bank failure. Safeguarding at the BoE would also allow EMIs to operate with the BoE directly, and not rely on competitors (traditional banks) for access to the BoE’s services.
Our members would therefore strongly urge HMT to work with the BoE to consider opening up overnight reserves accounts to EMIs that already have a Settlement Account with the BoE. This would allow EMIs to benefit from borrowing funds directly from the BoE, earn interest on held funds and access the CLS Group’s bank-to-bank foreign exchange (FX) system. These benefits would foster competition by creating a level playing field between FinTech EMIs and the traditional banking sector, and would be passed on directly to the consumer, driving better consumer outcomes.
[ENDS]
[1] See paragraph 2.36 on page thirteen: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1024174/HMT_Payments_Landscape_Review_-_The_Government_s_Response__October_2021_.pdf
[2] https://www.eba.europa.eu/eba-replies-european-commission%E2%80%99s-call-advice-%C2%A0-review-payment-services-directive
[3] https://www.ukfinance.org.uk/system/files/Half-year-fraud-update-2021-FINAL.pdf
[4] According to data points drawn from our members and the wider FinTech ecosystem.
[5] https://www.eba.europa.eu/eba-replies-european-commission%E2%80%99s-call-advice-%C2%A0-review-payment-services-directive
[6] https://www.juniperresearch.com/researchstore/operators-providers/carrier-billing-research-report
[7] https://www.gov.uk/government/statistics/business-population-estimates-2022/business-population-estimates-for-the-uk-and-regions-2022-statistical-release-html#:~:text=SMEs%20accounted%20for%2061%25%20of,and%20turnover%2C%20see%20Figure%2010.
[8] Persons working in the regulated sectors are required to file SARs (where there are grounds to do so) under Part 7 of the Proceeds of Crime Act (POCA) and the Terrorism Act 2000 (TACT). The primary legislative objectives in POCA and TACT are supported by secondary legislation – the Money Laundering Regulations 2017 (MLRs 2017).
[9] Sections 333A–E of POCA.
[10] See, for example, Barclaycard’s research (2022), which found that 73% of retailers have seen online payment fraud decline.
[11] SCA requires two forms of authentication. This can be two of three things: something you know, something you possess, and something you are (biometrics).