FCA moves to clarify scope of regulation of account information services under PSD2

Out-Law News | 19 Sep 2017 | 4:07 pm | 3 min. read

Service providers that help other businesses to pool information from different payment accounts on behalf of customers will not be subject to regulation under new UK payment services laws if they do not deliver the aggregated data to the customer themselves, the Financial Conduct Authority (FCA) has confirmed.

The regulator clarified the scope of rules for account information services in a new paper it has published (279-page / 2.92MB PDF) which concerns its approach to regulating under the proposed new Payment Services Regulations (PSRs) in the UK. The PSRs will implement the EU's revised Payment Services Directive (PSD2).

Financial services and technology law expert Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, said the FCA had offered clarity on an issue over which there has been much uncertainty.

Account information service providers (AISPs) are among the new batch of financial technology (fintech) companies to have emerged into the payment services market in recent years.

The services AISPs provide can take a variety of forms, but in essence they help consumers to gain an overview of their financial situation by aggregating information from one or more of their payment accounts and displaying that data in a way that is easy for consumers to understand and base decisions on.

Many AISPs have been operating outside the scope of regulation, but PSD2 has been developed to change that, with legislators seeking to balance protection for consumers with a framework that supports competition and innovation in the market.

While they will not face the same extent of regulatory obligations as banks and other payment service providers (PSPs) under PSD2, AISPs will be subject to rules on data security and be required to obtain professional indemnity insurance, or put in place a comparable guarantee.

AISPs are defined in the EU legislation as businesses operating "an online service to provide consolidated information on one or more payment accounts held by the payment service user with either another payment service provider or with more than one payment service provider".

AISPs need the explicit consent of a payment service user to deliver them the services they offer.

However, there has been uncertainty about whether all the businesses involved in 'four-party' schemes in the world of account information services would actually qualify as AISPs under the new regulatory regime.

A four-party scheme typically involves a bank, a data supplier, which are businesses that largely currently act as screen scraping providers, a fintech account information aggregator and another third party, such as a price comparison website. It arises when a bank customer engages the fintech or uses the other third party.

Under the scenario, the fintech gathers the information it needs to provide its services by contracting with a data supplier which accesses the data from the bank's systems. The fintech company then shares that data with price comparison websites or other third parties that offer additional services that the customer may benefit from.

The main elements of an AISP, as characterised by the definition of 'account information services' under PSD2, include that the purpose of the service they offer is to provide 'consolidated', or aggregated, online information to payment account to payment service users. That service must also be provided "online" and the information provided must be extracted from "one or more payment accounts". In addition, the payment accounts must be 'held' by payment service providers, such as banks.

There has been uncertainty in the market over whether a business participating in the four-party scheme that has no relationship with end-customers, but acts as a data supplier only, would be classed as an AISP.

Now the FCA has clarified the position in new amendments to its Perimeter Guidance manual.

"More than one business may be involved in obtaining, processing and using payment account information to provide an online service to a customer," the FCA said. "However, the business that requires authorisation or registration to provide the account information service is the one that provides consolidated account information to the payment service user (including through an agent) in line with the payment service user’s request to that business."

The FCA also confirmed that registered AISPs "will be responsible for the arrangements" they put in place with service providers, including where they outsource the provision of account information services to third parties.

Scanlon of Pinsent Masons said the FCA had elaborated on the view the UK Treasury had expressed on the topic when it set out its policy announcement on the proposed new PSRs.

Scanlon said: "The Treasury concluded in July that the ‘general rule’ is that the AISP which holds the contractual relationship with the customer for accessing their account is the business that needs to be registered as an AISP under the PSRs. Here, the FCA appears to go one step further to clarify that it is not simply a general rule but that it is in fact the case that the AISP which holds the relationship with the customer will need to register while other businesses it uses as part of the process to access data will not."

According to the FCA's paper, businesses will be able to apply to register as an AISP under the new PSRs from 13 October.

It confirmed, however, that businesses that have been providing account information services since prior to January 2016 will be able to operate on an unregistered basis until new regulatory technical standards on strong customer authentication and common and secure communication take effect. It said this is "likely to be after mid-2019".