New guidance on account providers’ open banking obligations in latest FCA PSD2 policy statement

In its latest policy statement, the FCA gave new guidance to payment account providers and other payment service providers on how to meet their obligations under the revised Payment Services Directive (PSD2).

Notably, for account providers working to ensure access to third party providers, the FCA:

  • strongly encouraged firms to consider meeting their open access requirements using a dedicated application programming interface (API), rather than adapting their customer interfaces 
  • advised firms which plan to use an API, and wish to be exempt from requirements to effect contingency measures against a failure of such API, to apply to the FCA for an exemption by 14 June 2019
  • clarified that exemption applications should evidence how the interface meets the PSD2 exemption requirements
  • encouraged all firms seeking an exemption to contact the FCA in advance
Background to this policy statement
PSD2 was implemented in the UK in January 2018. The Directive provides for various implementing technical standards and European Banking Authority (EBA) guidelines to come into effect in 2019. During the course of this year, the FCA has been consulting with market participants on some of these standards and guidelines. This policy statement confirms the FCA's approach to amending its Payment Services and E-money Approach Document and Handbook in light of those measures and consultations.
Open banking – what’s the big idea?
PSD2 introduced new rights for certain third-party banking service providers to directly access consumers' online payment accounts (with their consent) - and required account providers to enable such access. The benefitting third-party providers include those providing account information services, payment information services, card-based payment instruments and payment initiation services. These measures are designed to open up the banking industry to new players and foster innovation. They are also aimed at protecting consumers – not least by combating the widespread practice of consumers having to provide their log-in details to third-party providers, at great risk to their own account security. Instead, under open banking, customers can be directed to their payment account providers in order to provide their credentials, rather than having to provide them to the third-party provider.
Dedicated (API-based) interface vs modified customer interface
Account providers offering online services may enable account access either by using a dedicated interface built on an API or by adjusting their customer interface to comply with the applicable security, information, exchange and identification rules which are being introduced in September 2019 under the strong customer authentication requirements. In the UK, a number of retail banks are already developing a standard set of secure APIs. In its policy statement, the FCA emphasised the benefits of standardised APIs for market participants and consumers and encouraged account providers to adopt one.
Contingency measures against failures of dedicated interface

Under PSD2, account providers that rely on a dedicated API interface are generally required to put in place a contingency mechanism to provide fall-back access in the event that the dedicated interface fails. However, the Directive provides for competent authorities to exempt account providers who are building APIs from the requirement if the dedicated interface meets certain conditions. Under the EU technical standards, unless account providers have been granted this exemption by 14 September 2019, they will have to build a contingency system.

Clarifications on process for contingency exemption

The FCA’s policy statement provided some further clarity on the process for applying for the contingency measures exemption in the UK. In particular, it noted:

  • Firms are encouraged to contact the FCA in advance of seeking an exemption.
  • Exemption requests should be submitted to the FCA by 14 June 2019, so that firms have sufficient time to put in place the contingency measures if their applications are denied.
  • It is for individual account providers to provide the FCA with a description of the technical specifications they have implemented and a summary of how these fulfil the requirements of PSD2.
  • If a firm fails to meet some of the requirements when the exemption request is submitted, but the account provider demonstrates "clear and credible plans" to meet them by 14 September 2019, the FCA may indicate that it is "minded to exempt" and confirm the exemption once it has received evidence of satisfaction.
  • The FCA aims to issue a decision within one month of receiving an application.
  • Any firm that does not have an exemption before 14 September 2019, including any business which intends to start providing services after that date, will need to build a contingency mechanism.
Other guidance
The FCA policy statement sets out various other detailed and helpful clarifications on its guidance in respect of PSD2, with a particular focus on:
  • the secure communications between UK payment account providers and third-party providers (which includes the contingency exemptions outlined above);
  • strong customer authentication requirements applicable to all payment service providers; and
  • amended fraud reporting requirements applicable to all payment service providers.

From September 2019, account providers and third-party providers will also be under an obligation to report ‘problems’ with APIs to the FCA. The FCA refused to provide further guidance as to what a reportable problem may be, other than to refer back to the regulatory technical standards, which state that a systems breakdown is presumed to take place when five consecutive requests for access to information in respect of third party payment services are not replied to within 30 seconds. 

What happens next?
2019 is set to be a busy year for many payment service providers, as they work to meet their PSD2 obligations:
  • By 14 March, all account providers with online payment accounts will need to have in place (i) the technical specifications of their access interfaces; and (ii) testing facilities for third-party providers.
  • By 14 June, those seeking exemptions from the contingency mechanism requirement will need to have submitted their applications to the FCA.
  • By 14 September, any contingency mechanism exemptions will need to be in place and all payment service providers will need to comply with the new strong customer authentication rules. 
Firms should take note of the changes to the FCA’s Payment Services and E-money Approach Document and Handbook outlined in the policy statement and adapt their practices accordingly.
Should you need advice on any of the above, please don’t hesitate to get in touch.