As we marked the first anniversary of PSD2 implementation (at least, in the UK!) this week, there will doubtless be numerous conversation pieces and reflections about the success of PSD2 so far – and its relationship with Open Banking – and what more delights both have to offer in 2019, the year the UK is supposed to leave the European Union.
Perhaps the biggest impact of PSD2 has been the link-up with Open Banking, and the licensing of those third-party providers (TPPs) undertaking the new payment services of ‘account information services’ (AIS) and ‘payment initiation services’ (PIS), designed to allow to manage their finances and provide a range of alternative payment options to traditional card payments.
You will notice the deliberate use of the word licensing; PSD2 did not ‘create’ these TPPs, as many of them were already providing account information services through the screen-scraping of customers’ accounts. What it did was to require most TPPs wishing to provide these services post-13 January 2018 to be duly authorised or registered by the FCA, depending on whether they had already been providing these services prior to January 2016.
The RTS
To enable the properly licensed TPPs to access customers’ online payment accounts directly, they will have to meet the binding Regulatory Technical Standards on Strong Customer Authentication (SCA) and Common and Secure Communication (CSC) (the RTS) by 14 September 2019.
Among other things, the RTS sets the standards that firms offering online payment accounts – referred to as account servicing payment service providers (ASPSPs) – must comply with when granting access to appropriately licensed TPPs. ASPSPs may choose which interface they make available to TPPs, either through a dedicated interface (Open Banking and other open APIs) or through ‘screen scraping +’ via the payment service user interface. For more information on the impact of the RTS on ASPSPs, please see Alison Donnelly’s helpful blog here.
The ‘live market’
The fly in the ointment. As Accountable Executive at the FCA for the delivery of PSD2, I recall one of the most difficult challenges was estimating the population of firms which would require an authorisation or registration to provide one or other of AIS and PIS. The range was from conservative double figures to triple figures. Of perhaps more ‘inconvenience’, at least perhaps to the regulator and ASPSPs generally, was that these ‘live market’ firms did not immediately need to seek an authorisation or registration, provided they were operating as an AIS provider or PIS provider before 12 January 2016. These firms were able to continue to operate without registration or authorisation until 14 September 2019, but would not benefit from the right of access provided for in PSD2. Whilst many of these firms have indeed now sought and, in many cases, obtained the appropriate regulatory licence, there are surely many still out there that have yet to mobilise. As the RTS comes into effect on 14 September 2019, it is this date that sets the hard deadline for live market firms.
Scores on the doors
As at the time of writing, some 71 firms have been granted a licence to undertake AIS, 40 of which are registered solely for this service as service as registered account information service providers (RAISPs).
In addition, 32 firms have been authorised – as payment institutions or e-money institutions – to provide PIS. It does beg the question as to how many firms are out there and still relying on the ‘live market’ transitional arrangements.
What do I need to do?
So, if you are a ‘live market’ firm yet to apply to the FCA for a licence to continue to provide AIS or PIS there are, effectively, two choices open to you:
- apply now for an appropriate licence; or
- cease providing these services beyond 14 September 2019
Whilst you may seem to have plenty of time by when to submit an application, you absolutely must take into account the FCA’s processing times, in addition to your own preparation time before when you would be ready to submit an application. The FCA used to publish KPIs on average determination times for different application types across the payments sector, but has now corrupted its own reported data by amalgamating different application types, with differing timelines. The last reliable data published by the FCA (for the year 2016/2017) showed that the FCA took up to 46 weeks to process an application for an authorised payment institution. Typically, applications will be processed more quickly than this, but this will be driven to a large extent by your own preparedness and the quality of the application submitted.
Firstly, though, you need to decide what licence you need. If you are carrying on AIS only, then you will need to apply as a RAISP. If you are providing any other payment services, including PIS, you will need to apply for authorisation as a payment institution.
The FCA will take a proportionate approach to their assessment. It is the responsibility of the firm applying for registration or authorisation to ensure they can meet the requirements. Applications will be processed effectively and efficiently, taking into account the likely risks posed by the firm operating in a particular sub-sector. The information the FCA relies on and asks for, and the level of scrutiny it applies, will vary according to the perceived risk and complexity inherent in the applicant firm’s proposed business model.
The number of TPPs already licensed might suggest that the FCA will be familiar with many of the business models out there, but innovation is such that new business models will undoubtedly emerge. The key is to present your business in such a way that the FCA can easily understand it.
If you would like us to help you with your application or indeed any of your regulatory compliance requirements, please do not hesitate to get in touch with us at fscom.