Recent insights from the UK government on the future of UK payment services – signs of regulatory divergence?

May 2023 | SPECIAL REPORT: FINANCIAL SERVICES

Financier Worldwide Magazine

May 2023 Issue

On 13 January 2023, the UK government published a Review and Call for Evidence on the UK Payment Services Regulations 2017 (PSRs). The PSRs serve as the backbone of the current regulatory regime for payment services in the UK. The Review and Call for Evidence (PSR Review) was published five years after the PSRs came into effect to determine if the PSRs have fulfilled their objectives and whether the UK’s payment services regime remains fit for purpose. The PSR Review also invites stakeholders across the payments sector to provide views on the PSRs and responses to specific questions by 7 April 2023.

The PSRs implemented the EU-wide second Payment Services Directive (PSD2), and are therefore almost identical to PSD2. However, the PSR Review has been published amid wider UK legislative proposals that will, if enacted, eventually see all “retained” EU financial services laws on the UK statute book (including the PSRs) repealed and replaced with UK-specific legislation and regulatory rules.

The UK government is also concerned with “future-proofing” the future UK regulatory framework to ensure that it can keep pace with market changes and technological developments, and so, in respect of the part of the framework that will replace the PSRs, the government is weighing up the balance between legislating via statute and delegating powers to the Financial Conduct Authority (FCA) to make more agile payment services rules.

But while the UK’s ‘repeal-and-replace’ plans may sound drastic, there is no escaping the fact that the UK’s payments landscape today has been shaped by its implementation of PSD2, and the decisions made by UK payment firms to structure their businesses around, and comply with, the PSRs. Many of the UK government’s proposals and areas of consultation set out in the PSR Review also appear to follow a similar overarching course to those of the European Commission and the European Banking Authority (EBA) in respect of the EU’s own ongoing review of PSD2.

A dramatic overhaul of the UK’s payment services regime that diverges from the EU’s is therefore unlikely, though, as we will see, some specific policies and positions of the UK government and the FCA are shaping the discussions on this side of the Channel.

Open banking and open finance

One area of similarity between the UK and EU is their approaches to ‘open banking’, an initiative which aims to foster competition and transparency in financial services. Both the UK and EU payment regimes have facilitated the emergence of third-party providers of account information services (AISPs) or payment initiation services (PISPs) by requiring banks and other payment firms providing “payment accounts” to customers (so-called account service payment service providers or ASPSPs) to ‘open up’ payment accounts via access interfaces (APIs) – for example to allow AISPs to access a customer’s payment account information on the customer’s behalf.

The UK and EU regimes have both also recently introduced new rules that aim to foster growth and innovation for AISPs by reducing the “friction” caused by ASPSPs applying strong customer authentication (SCA) when an AISP accesses a customer’s payment account on behalf of the customer. The new UK and EU rules take the form of exemptions for ASPSPs to not apply SCA when a customer’s payment account balance and recent transaction history is accessed via an AISP. ASPSPs in the UK are already expected to make use of the UK’s exemption, and the use of the EU exemption (which, unlike the UK exemption, will still require re-authentication every 180 days) by EU ASPSPs will be mandatory from July 2023.

While the PSR Review did not provide any further concrete proposals on the extent to which open banking will be reflected in the UK’s revised payment services regulatory framework, the PSR Review reaffirmed the government’s commitment to developing open banking in collaboration with key UK regulators concerned with payments and open banking, with a report on the long term regulatory framework for open banking due to be published in 2023.

A further similarity between the UK and the EU is that both want to extend their efforts beyond open banking to cover a wider range of financial sectors and products (such as savings accounts, mortgages and investments) under so-called ‘open finance’ initiatives. In 2021, the FCA published a feedback statement highlighting that a possible first step toward the implementation of open finance would be to extend open access requirements to non-payment accounts and other banking products. The EU’s position seems to be developing along similar lines.

Strong customer authentication

Another area of the PSR Review where the trajectory of UK regulation will likely continue to follow the equivalent EU rules are the requirements for payment service providers to apply SCA. The purpose of SCA is to reduce the risk of fraud when customers initiate payment transactions or access their payment accounts online (among other activities that imply a risk of fraud).

In the PSR Review, the government repeated its support for SCA requirements. However, the PSR Review acknowledges industry concerns that the technical authentication requirements of the UK’s version of the SCA regulatory technical standards made under PSD2 (SCA RTS) may be too prescriptive, and proposes a more “outcomes-based” approach to authentication.

An example of this outcomes-based approach can be seen in the FCA’s most recent policy statement on the PSRs (November 2021), where the FCA says that “behavioural biometrics” should be considered a valid “inherence” authentication factor (something that the user is) for the purposes of the SCA RTS, including methods of authentication that take into account non-body related behaviours such as spending habits (e.g., location or frequency of purchase), noting that advanced methods of authentication such as this can be highly effective at preventing fraud. The EBA, in contrast, has not departed from its view that “behavioural biometrics” can only relate to behaviours produced “by the body”.

Customer protection in insolvency

The PSR Review also specified safeguarding of customer funds under the PSRs as one of the UK’s priority areas of reform. Under the PSRs, payment institutions are required to safeguard customer funds that they receive from or for the benefit of their customers in respect of payment transactions. A payment institution may safeguard the funds either by segregating the funds in an account held at an authorised bank or by “insuring” the funds against their loss. The intention of the safeguarding requirements is to secure a pool of funds for customer claims, which would have priority in relation to the funds, if a payment institution becomes insolvent.

Both the UK’s PSR Review and the EU PSD2 review have highlighted that the current safeguarding regime requires further clarification. Most notably, both the UK and the EU drew attention to the fact that, under each regime, customer funds held by a payment institution in a “safeguarded” account at an authorised bank in accordance with PSD2 and the PSRs (as applicable) may not have been covered by deposit guarantee schemes (the UK version of which is the Financial Services Compensation Scheme (FSCS)). However, separate to the PSR Review, the Prudential Regulation Authority (PRA), which is responsible for supervising authorised banks in the UK, subsequently announced on 31 March 2023 that amendments have been made to the PRA’s Rulebook to clarify that such safeguarded customer funds will be covered by FSCS should the authorised bank fail.

Meanwhile, as set out in the PSR Review, the government believes that the FCA should be the responsible entity for developing rules regarding the safeguarding regime applicable to payment institutions. The UK’s position on safeguarding under the PSRs has been shaped, at least in part, by a recent Court of Appeal judgment (Re Ipagoo) which found, against the FCA, that safeguarded customer funds of insolvent e-money institutions (and, by implication, safeguarded customer funds of insolvent payment institutions) were not held pursuant to a statutory trust. Customer funds under the PSRs remain protected by the effect of the priority claims afforded to customers under the PSRs, but the FCA is concerned that these arrangements remain ambiguous for insolvency practitioners, which could lead to refund delays for customers.

The PSR Review suggests that the FCA may consider a safeguarding regime for payments and e-money that departs from the PSR-based regime in favour of a regime that looks more like the “client assets” regime under the Financial Services and Markets Act 2000 (which does create a statutory trust in respect of client funds held by banks and other relevant firms).

Customer fairness and contractual protection

Both the UK and the EU have identified areas where customer fairness can be improved, including in relation to access to payment services by vulnerable customers. Notably, the PSR Review also specifies the UK government’s concerns with the potential for payment firms to refuse services to certain customers as a means of “censorship” of views, and consequently the government is considering whether the rules on the termination of payment services need to be changed to ensure that all customers receive fair treatment, subject to their activities being lawful.

Ferdisha Snagg is counsel and George Bumpus and Andreas Wildner are associates at Cleary Gottlieb Steen & Hamilton LLP. Ms Snagg can be contacted on +44 (0)20 7614 2251 or by email: fsnagg@cgsh.com. Mr Bumpus can be contacted on +44 (0)20 7614 2235 or by email: gbumpus@cgsh.com. Mr Wildner can be contacted on +44 (0)20 7614 2248 or by email: awildner@cgsh.com.

© Financier Worldwide

Ferdisha Snagg, and George Bumpus and Andreas Wildner

Cleary Gottlieb Steen & Hamilton LLP