Tech payments industry should demand clarity on reach of PSD2, says expert

Out-Law News | 10 Feb 2016 | 3:23 pm | 3 min. read

UK payment service providers (PSPs) should use a new consultation exercise to call for greater clarity on which emerging technology-focused payments products will be considered subject to the EU's new Payment Services Directive (PSD2) in the UK context, an expert has said.

PSD2 came into force last month and will need to be implemented into national laws across the EU by 13 January 2018. The new legislation replaces a previous directive on payment services and will impose obligations on companies involved in the payments market that have previously been outside the scope of regulation, reflecting innovations that have emerged in recent years and the different types of companies now involved in delivering payment services.

The FCA has existing guidelines that help PSPs subject to existing payment services laws to comply with the current legal framework, but has announced its intention to update the guidance to reflect the new PSD2 regime. The existing guidance comprises the Payment Services Approach Document and the Perimeter Guidance Manual, the FCA said.

The regulator has made clear that it is the Treasury that is responsible for implementing PSD2 into UK law and that it is likely to consult on how to do so this summer. However, the FCA has opened a 'call for inputs' (12-page / 381KB PDF) to ask PSPs and other businesses that use payment services, among others, for their views on what changes should be made to its existing guidance on payment services. It has specifically asked whether updates to the guidance are necessary "to reflect developments in payment services and changes in the market" and "assist" businesses with their "understanding and/or compliance with the regulatory regime".

Payments and technology law specialist Angus McFadyen of Pinsent Masons, the law firm behind Out-Law.com, said that firms will welcome further guidance to assist them in complying with their legal requirements under the payment services regime. 

"The guidance from the FCA referred to in the call for input, supported by stakeholder groups, have proved invaluable resources in bringing the existing Payment Services Regulations (PSRs) to life in the UK – as the PSRs are designed to cover all EU markets and, within that group, there are widely differing payments cultures, having UK specific guidance helps to hone in on real local issues," McFadyen said. "The UK's guidance sits alongside EU-level Q&A guidance that has also proved helpful."

"A particular area for focus will be to provide examples of how emerging technology-focused payments products are to be treated – EU policy makers found it challenging to devise the definitions in PSD2 around this. As such, there remains some uncertainty within industry about exactly which innovative and evolving products and services will fall within scope of the new rules, particularly given that those products and services are developing at pace. Industry will therefore be eager to encourage Europe and the FCA to provide some practical examples in any new guidance on this," McFadyen said.

"An example of where there is uncertainty is on the topic of digital wallets – as these have widely varying functionality it will be interesting to see which ones end up coming within the scope of the regulations," he said.

McFadyen also said that it will be interesting to see how the interaction between PSD2 and the Treasury-backed scheme on open data in banking will evolve, given that there is a broad "overlap" between the two initiatives and that the UK is "looking to lead the way in defining and using common API standards".

Under PSD2, banks and other payment service providers (PSPs) must give so-called payment initiation service providers (PISPs) access to their customers' accounts so as to facilitate transactions ordered at the customers' request. However, in return, PISPs must observe a number of data security obligations and take on certain liabilities in relation to any unauthorised transactions they are responsible for.

PSD2 also promotes account information services, such as businesses that allow customers to access information about all their payment accounts in one place. The new rules require PSPs to open up access to the accounts they manage on behalf of a customer where the account information service provider (AISP) has obtained the "explicit consent" of that customer for such access. Like PISPs, AISPs also face data security obligations.

In addition to rules on customer authentication, facilitating third party access to accounts and account information, data security and liability, PSPs must also abide by a range of requirements relating to transparency over account services and charges, major operational or security incident reporting and complaint handling, amongst other things.