Regulatory Technical Standards on Strong Customer Authentication and Secure Communication
What has happened?
In November 2021, the FCA set out the final rules for its Regulatory Technical Standards on Strong Customer Authentication and Secure Communication (SCA-RTS) as well as amendments to its ‘Payment Services and Electronic Money – Our Approach’ (the Approach Document, AD) and the Perimeter Guidance Manual (PERG). These will come into force on 30 November 2021, except that Article 10A will come into force on 26 March 2022.
What do you need to do?
The SCA-RTS amendments are intended by the FCA to help remove barriers to continued growth, innovation and competition in the payments and e-money sector, in particular for open banking. The amendments to guidance in AD and PERG aim to make the sector more resilient and protect consumers if firms fail. They also consolidate expectations for firms and provide further clarity for industry.
The rules and amendments apply to:
- payment institutions (PIs), e-money institutions (EMIs) and registered account information service providers (RAISPs),
- credit institutions providing payment services and/or issuing e-money,
- consumers, consumer groups and micro-enterprises,
- credit unions,
- those involved in open banking initiatives, and
- businesses providing payment services under exclusions from the Payment Services Regulations 2017 (PSRs) and Electronic Money Regulations 2011 (EMRs).
In its 2020/2021 Business Plan, the FCA identified the payments sector as a priority for the next three years and explained that it intends to ensure that consumers transact safely with payment firms, that payment firms meet their regulatory obligations while competing on quality and value and that consumers and SMEs have access to a variety of payment services.
To remove the barriers that the FCA identified to the continued growth of open banking and to support competition and innovation in the sector, it has introduced several changes to the SCA-RTS, which include:
- Creating a new SCA exemption in Article 10A. This would mean customers do not need to reauthenticate with their ASPSP every 90 days when accessing their account information through a TPP.
- Requiring certain ASPSPs to provide dedicated interfaces to enable TPP access to customer account information for retail and SME payment accounts.
- Amending the requirements on ASPSPs for providing interface technical specifications, testing interfaces and fallback interfaces, with the intention of letting ASPSPs innovate and launch products and services more quickly.
- Allowing ASPSPs with a deemed authorisation under the Temporary Permissions Regime (TPR) to rely in the UK on an exemption from setting up a fallback interface granted by a home state competent authority located in the EU.
In the AD, the FCA confirms changes to its guidance on prudential risk management and safeguarding customer funds to ensure firms are well run and that consumers are appropriately protected if a firm fails. These changes reflect several published statements which clarify FCA expectations and the temporary guidance brought forward in response to the pandemic. The temporary guidance aims to enhance firms’ resilience through additional prudential risk management and safeguarding requirements.
Following the recent High Court judgement on an application for directions by the Administrators of Ipagoo LLP (in administration) and its conclusions on safeguarded funds, the FCA has made some changes from the version of its guidance consulted on. In contrast to the view expressed in the temporary guidance, and the High Court’s finding in the case of Supercapital (which concerned an API), the High Court found that the EMRs do not create a trust over money received by an EMI from its customers. As such, the FCA has removed references to trusts from the guidance and template safeguarding credit institution/custodian acknowledgement letter. Firms will still be expected to demonstrate, whether by acknowledgement letter or otherwise, that the safeguarding institution has no right of set-off over safeguarded funds. However, firms that already have a safeguarding acknowledgement letter based on the previous template will not be expected to request a new one.
Other general updates to the AD include changes to regulatory reporting requirements and amendments to reflect previous policy changes, including requirements for eIDAS certificates and the extension of the Banking Conduct of Business Sourcebook (BCOBS) and the FCA’s Principles for Business to the sector.
The FCA is amending Chapter 15 of PERG to update guidance on certain exclusions from the PSRs and EMRs. These changes are intended to help industry identify when business activities fall within the scope of the PSRs and EMRs. Chapter 7 of the AD summarises and responds to feedback on the proposed changes in this area.
The FCA emphasises that ASPSPs offering personal payment accounts in the scope of the Payment Accounts Regulations (PARs), equivalent payment accounts held by SMEs and credit card accounts operated for consumers or SMEs will need to have a dedicated interface in place no later than eighteen months after the rules come into force. The FCA is strongly encouraging ASPSPs to apply the new exemption from the obligation to carry out SCA as soon as practicable after it has come into effect.
The AD confirms that TPPs will be responsible for reconfirming customer consent and will not be required to communicate customer consent to ASPSPs. Where a customer fails to reconfirm consent after 90 days, TPPs must stop accessing the customer’s account information. The FCA is amending the SCA-RTS to make clear that access may re-start if the customer subsequently reconfirms their consent with the TPP. It also emphasises that TPPs will need to reconfirm customer consent under Article 36(6) of the SCA-RTS no later than four months after the rules come into force.
How can we help you?
If you’d like to know more about how we can help you with your payment services and e-money compliance, or with any other regulatory compliance issues, our expert team is here to help. Contact us today on 0207 436 0630 – or email info@thistleinitiatives.co.uk.