There’s been a lot of talk surrounding PSD2. Some has been positive; highlighting the huge opportunities it presents to payment services companies and the FinTech industry at large. A lot more has been negative; scrutinising the significant disruption and administrative burden the new regulation is likely to cause. Both angles have their merits, and are particularly applicable to payment initiation services providers.
Like it or not, from January 2018, UK providers of payment initiation services will have to be authorised by the FCA under the Payment Services Regulations 2017, the legislation that implements the second Payment Services Directive, PSD2.
Just what are payment initiation service providers?
The regulations, which were published by HM Treasury in draft form earlier this year, define such services as ‘a service to initiate a payment order at the request of the payment service user with respect to a payment account held at another payment service provider‘.
While consumers in the UK are relatively unfamiliar with payment initiation service providers, they are much more common elsewhere in the EEA (they initiate 55% of payments made in the Netherlands). Their value comes from enabling merchants to accept credit transfers for payment for goods or services, because they can confirm that the payment was initiated and funds are on their way, thereby providing a competitively priced alternative to payment by card.
The difficulties have been:
- the transparency of the service provider to both the consumer and their payment account provider;
- the security implications of a third party accessing a payment account; and
- problems with liability if anything goes wrong.
In the spirit of fostering competition, the European Commission has tackled these issues by bringing the providers into regulation, obliging them to hold professional indemnity insurance and requiring them to meet certain standards. It’s a bold move given the resistance of the banks and the step away from the established understanding of a payment service as involving the provider taking possession of the funds (these entities will be regulated as a payment service provider but will never touch the money).
Who are payment initiation service providers?
In its consultation document, HM Treasury stated its intention to take a broad interpretation of payment initiation services. We expect there will have been significant push back from the many providers who find they could be within scope, such as technology platform providers, commercial Bacs bureaux and payroll companies that initiate payments by way of business but do not take possession of the funds.
The technology service provider exemption remains in the new directive, but it has been amended to exclude payment initiation service providers (emphasis added):
services provided by technical service providers, which support the provision of payment services, without the provider entering at any time into possession of the funds to be transferred, excluding payment initiation services or account information services but including—
(i) the processing and storage of data;
(ii) trust and privacy protection services;
(iii) data and entity authentication;
(iv) information technology;
(v) communication network provision; and
(vi) the provision and maintenance of terminals and devices used for payment services.
The consultation closed in mid-March so we anticipate HM Treasury’s conclusions will be delivered in the next few weeks so that those who are caught can prepare for the impending changes to their business.
What rules will they have to follow?
The European Commission has recognised that the risks posed by payment initiation service providers are different to those presented by other payment service providers. They clearly pose a security risk given their access to payment accounts and a liability to the extent that they are the conduit of the details of the payment instruction, but they do not take possession of the funds. Therefore, payment initiation service providers have to meet an initial capital requirement of €50,000 (in contrast to the €125,000 initial capital required of a payment institution that provides payment accounts) but there is no ongoing capital requirement. Instead, payment initiation service providers must hold professional indemnity insurance.
Payment initiation service providers will be subject to:
- the anti-money laundering obligations imposed on regulated entities;
- reporting requirements that will allow the FCA to monitor the firm’s activities to ensure compliance with the regulations, including the obligation to report major incidents (see Crisis management under PSD2: what you need to know); and
- the conduct of business requirements, to the extent that they are applicable to the business model and the interaction with customers.
Those businesses that have to be authorised as payment institutions must have their application approved by 13 January 2018 to continue doing business. The gateway for applications will be open from 13 October with the application forms being available from mid-September. This will be a tight window for applications, both for new authorisation and variation of permissions (where an existing payment or e-money institution wishes to provide payment initiation services), so firms are well advised to be prepared to complete and submit the application pack as promptly as possible.
Applicants will have to provide:
- the address of their head office and/or registered office (must be within the UK, along with the ‘mind and management’ of the firm);
- details of their incorporation, ownership and the individuals who direct the business:
- a business plan (the background of the business, future plans and target markets);
- a description of the governance arrangements (the internal policies and procedures, reporting lines and so forth); and
- 36 month financial forecasts.
Alison Donelly is Director and head of Payments & e-money at fscom, a financial services compliance advisory firm that specialises in fintech.