Open Banking after Brexit: CP21/3

The FCA has proposed new guidance on Open Banking, charting its first course of regulatory divergence in the area after Brexit.[1] As detailed below, among other things, the FCA is proposing to make dedicated interfaces mandatory for many payment account providers (ASPSPs).[2]

For third party providers (TPPs) providing payment initiation services (PIS) and/or account information services (AIS), Open Banking has enabled them to pose a competitive challenge to the traditional banks, facilitating customers in initiating payments and accessing account information from platforms external to the account provider.

On the other side of the ledger, ASPSPs have been obliged to share customer data and facilitate access for competitors for no commercial benefit and often at significant cost. While these costs proportionately are small for the UK’s high street banks, for smaller ASPSPs, including many payment and e-money institutions, these costs have been considerable. Furthermore, many ASPSPs offer payment accounts that by their nature are not used for day to day transactions and are instead used for limited and ad-hoc purposes, such as foreign exchange trading. ASPSPs falling into this category have had to devote considerable resource to facilitate access to TPPs, knowing that customers are highly unlikely to access their accounts via a TPP. In the below sections, I explain what the main changes are, and how, unfortunately, the FCA has not taken the opportunity to ease the burden on many ASPSPs that should really fall outside of the scope of the Open Banking requirement altogether.

Dedicated Interface

All ASPSPs currently have a choice on whether to facilitate access via a modified customer access (MCI), or via a dedicated interface. An MCI, as the name suggests, grants access to TPPs via the same interface used by customers, and is therefore cheaper for an ASPSP to use. A dedicated interface is specifically designed for TPPs, and though more expensive than a MCI, is also more secure. In particular, a dedicated interface will ensure that the TPP can only extract the data they are entitled to as part of the payment initiation or account information service.

The FCA has a strong preference for dedicated interfaces. This is driven by several concerns with MCIs.

  • TPPs struggle to connect to payment accounts accessible via MCIs as they lack the necessary technology. Unlike dedicated interfaces, MCIs will not operate on standardised APIs like those provided by the Open Banking Implementation Entity (OBIE).
  • TPPs cannot access customer accounts via MCIs without the customer being present, as most firms using MCIs do not rely on the Article 10 SCA exemption. This means that SCA needs to be applied each time the customer uses the TPP to access that account.
  • The TPP can potentially extract more information than they are entitled to via MCIs.

The FCA is therefore proposing mandating the use of dedicated interfaces. This is a huge development, which would expand the opportunity available to TPPs, but also impose a significant resource requirement on ASPSPs currently operating MCIs.

This proposed mandate would, however, be limited to accounts falling under the Payment Account Regulations 2015 (PARs). This means that it would be limited to accounts held by consumers and SMEs that are used for every day transactional purposes – essentially to current accounts. The FCA acknowledge that it is these accounts for which they anticipate demand existing for TPPs.

This move will no doubt achieve the FCA’s objective of facilitating TPP access to a wider number of payment accounts, thus enabling TPPs to enhance their product proposition. It is unfortunate however that the FCA has not chosen to extend this restriction to its logical conclusion. If the mandate for a dedicated interface only applies to PAR firms, why not remove the Open Banking requirement entirely for ASPSPs not subject to the PARs?

SCA for TPPs

The requirement to apply strong customer authentication (SCA) each time a payment account is accessed has proved burdensome to TPPs. While Article 10 of the SCA-RTS provides an exemption allowing the PSP not to apply SCA for 90 days since the last application of it, for TPPs this means that the customer has to reauthenticate at every ASPSP portal that they access through the TPP. TPPs have found this requirement means the loss of a significant proportion of customers at the reauthentication stage. The FCA has noted that this requirement has inhibited innovation, delaying and preventing the launch of new TPP products and services in the UK.

The FCA is proposing therefore to make life easier for both the TPP and the customer, by creating a new SCA exemption, meaning that the customer will only need to authenticate the first time they access the portal via a TPP. The FCA believes this proposal reflects the low risk associated with TPPs accessing of accounts.

Greater access for TPPs however is countered by a proposal to require the TPP to reconfirm customer consent every 90 days when accessing account information.

It is striking that exempting TPPs from reauthentication means that TPPs would face lower barriers to accessing accounts than customers connecting directly through the ASPSP’s portal.

Technical Specifications and Testing Facilities

Another bugbear for ASPSPs has been the requirement to make available a testing facility and technical specifications six months prior to product launch. While this was designed to assist TPPs in testing interfaces, really it has acted as a barrier to new ASPSP applicants, and thus inhibited competition.

It is good news therefore for ASPSPs that the FCA are proposing to eliminate the six month period, and simply require the testing facility and technical specifications to be made available at product launch.

Fallback Mechanism Exemption

For firms that have chosen to provide a dedicated interface, the RTS requires them to maintain an MCI as a fallback mechanism in case the dedicated interface is unavailable. However, ASPSPs can apply for an exemption from the fallback mechanism where they have had a fully functioning dedicated interface for three months prior to that application.

The FCA propose to ease the requirement of a fallback mechanism, by providing that this requirement only take effect six months after product launch.

Furthermore, in a welcome development for EEA ASPSPs operating under the Temporary Permissions Regime (TPR), the FCA propose to recognise an exemption to the fallback mechanism requirement granted by their home state regulator. Technically these firms have had to maintain a fallback mechanism in the UK since 1 January, and so the FCA’s latitude here will save them the effort of maintaining a fallback MCI or applying for the exemption.

A Mixed Bag

The consultation is a mixed bag of positives and negatives for ASPSPs and TPPs. Overall, however, the FCA is clearly focused on easing the burden on TPPs and facilitating new innovation and new entrants into this sector.

In particular, the requirement for ASPSPs subject to the PARs to develop dedicated interfaces will be a costly one. Given that the FCA propose to limit this requirement to PAR firms, it begs the question why they didn’t scrap the Open Banking requirement altogether for payment and e-money institutions falling outside of the PARs?

If you would like to comment on the proposed changes in CP21/3, please do not hesitate to get in touch with my colleagues or me.

This post contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate. 

Related Posts

CASS Audit

TISA CASS Compliance Survey

Earlier this year, TISA launched a CASS compliance survey in association with fscom, aiming to gather insights on key areas of interest related to CASS

Read More