PSD2 Brexit

 

Since the second Payment Services Directive, also known as PSD2, was adopted across European countries, it has been considered one of the crucial pieces of legislation for the UK and taken into account alongside other regulatory frameworks for financial services. Today, the UK is a leading exporter of advanced payment services not only in the EU but also worldwide.

 

What exactly is PSD2?

PSD2 is the revised Payment Services Directive, designed and used by countries within the European Union and the European Economic Area, including the UK, to govern their electronic payment services and payment service providers. PSD2, the updated version of the first Payment Services Directive, was published in December 2015, started gradually entering into force in January 2016, and has applied since January 2018. This Directive aims to revolutionize the banking industry across Europe by upgrading consumer protection, boosting security, stimulating competition, and fostering innovation in the sector. It is safe to say that today PSD2 is the most prominent legislation with regard to banking and financial services in European countries, including the UK.

Why does PSD2 matter?

Firstly, PSD2 modernizes and integrates payment services in the EU and UK by changing the distribution of power in the banking industry and enabling the emergence of new independent service providers. Also, PSD2 provides clear descriptions of roles and statutes available for both existing and emerging players in the banking industry to ensure a level playing field for all players. Specifically, PSD2 alters the distribution of power by removing the right of account-holding financial institutions to monopolize their clients' information and requiring account-holding financial institutions to open up their data channels to new players, known as third-party payment service providers, or TPPs. TPPs, introduced by PSD2, are financial institutions that do not hold payment accounts of their consumers and have a more limited range of activities than account-holding financial institutions, which under PSD2 are also known as Account Servicing Payment Service Providers, or ASPSPs. Under PSD2, financial institutions that provide and maintain payment accounts for customers must give third-party providers equal access to clients' financial and personal information when consumers permit them to do so. Also, to guarantee access to consumers' data, account-holding financial institutions are mandated to provide open Application Programming Interfaces, or APIs, that permit software at one institution to access payment account information and initiate payments from another. In other words, account-holding financial institutions deliver open APIs to allow third-party financial service providers, with customers' explicit consent, to initiate payments or make their customers' account transaction data available to third-party providers.
When account providers open up their banking data through APIs, third parties authorized as Account Information Services Providers, or AISPs, can access consumers' account information on behalf of consumers to provide advanced services regarding their funds. Also, AISPs can collect and aggregate information from all customer payment accounts held with multiple account providers and allow customers to overview their financial situation and analyze their spending and financial needs. However, under PSD2 requirements, these service providers are not allowed to instigate payments or transfers on the customers' behalf to their online banking account. These operations can only be provided by third parties licensed as Payment Initiation Services Providers, or so-called PISPs. These service providers can initiate payments by filling in the information required to make a payment and informing the consumer and merchant of the transaction. Also, PISPs allow consumers to instigate transactions directly from their account-holding financial institution instead of using a credit or debit card. In addition to the already mentioned requirements, PSD2 specifies that consumers have the right to use any third-party provider they choose for their banking services. PSD2 fosters innovation and competition based on open access to consumers' data for all payment service providers, as they can deliver more, and usually cheaper, alternatives regarding financial services. In other words, having access to consumers' information gives new third-party financial service providers the ability to compete with already existing payment service providers in the creation and improvement of certain financial services that otherwise would be unobtainable.

Secondly, PSD2 reduces the risk of fraud for online payments and enhances the protection of consumers' personal and financial data through advanced security measures. Under PSD2, the Strong Customer Authentication requirements, also known as SCA, oblige all payment service providers to use at least two out of three independent elements to verify the identity of the consumer. These three elements are knowledge, or information that only the consumer knows, such as a password; possession, or something that only the consumer has, for instance, a token or smartphone; and inherence, that is, biometric features, for example, facial recognition or fingerprints. In addition to the demand for multi-factor authentication for online transactions and access to data, PSD2 also requires all payment service providers to deliver unique authentication codes which dynamically link each transaction to its value and the recipient. This requirement is known as dynamic linking. Dynamic linking ensures that the online transaction becomes instantly invalid if there are any changes to the specific payment amount or payee. By demanding stronger identity checks, especially for high-value transactions, PSD2 makes payments safer and increases consumers' confidence in payment service providers.
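The dynamic linking requirement described above can be illustrated with a short sketch. This is an added example, not code from PSD2, the RTS or any provider: it assumes the authentication code is an HMAC-SHA256 over the amount, currency, payee and a one-time server challenge, and the names `Payment`, `AuthServer` and the sample account numbers are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Payment:
    amount_minor: int   # amount in minor units (pence, cents) to avoid float rounding
    currency: str       # ISO 4217 code
    payee_account: str  # payee identifier, here an IBAN-style string


def canonical_bytes(payment: Payment, challenge: bytes) -> bytes:
    """Serialise the signed fields unambiguously: each field is length-prefixed,
    so shifting characters between fields always changes the encoding."""
    fields = [
        str(payment.amount_minor).encode(),
        payment.currency.upper().encode(),
        payment.payee_account.replace(" ", "").upper().encode(),
        challenge,
    ]
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def make_auth_code(key: bytes, payment: Payment, challenge: bytes) -> str:
    """Computed on the payer's device after the SCA elements have been checked."""
    return hmac.new(key, canonical_bytes(payment, challenge), hashlib.sha256).hexdigest()


class AuthServer:
    """Provider side (hypothetical): one challenge per payment, one code per challenge."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = set()

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self._pending.add(challenge)
        return challenge

    def verify(self, payment: Payment, challenge: bytes, code: str) -> bool:
        # Consume the challenge first, so a code can never be presented twice.
        if challenge not in self._pending:
            return False
        self._pending.discard(challenge)
        expected = make_auth_code(self._key, payment, challenge)
        return hmac.compare_digest(expected, code)


def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed key shared by device and server
    server = AuthServer(key)
    approved = Payment(12500, "GBP", "GB00 TEST 0000 0000 0000 01")  # constructed payee
    results = {}

    c1 = server.new_challenge()
    code = make_auth_code(key, approved, c1)
    results["unchanged"] = server.verify(approved, c1, code)
    results["replayed"] = server.verify(approved, c1, code)

    c2 = server.new_challenge()
    code = make_auth_code(key, approved, c2)
    results["amount_changed"] = server.verify(replace(approved, amount_minor=125000), c2, code)

    c3 = server.new_challenge()
    code = make_auth_code(key, approved, c3)
    tampered = replace(approved, payee_account="GB00 TEST 0000 0000 0000 02")
    results["payee_changed"] = server.verify(tampered, c3, code)
    return results


if __name__ == "__main__":
    print(demo())
```

Only the unchanged payment verifies; a replayed code, a changed amount and a changed payee are all rejected, which is the property dynamic linking is meant to provide.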

Also, it is worth noting that PSD2 introduces a surcharge ban that protects consumers by forbidding merchants from charging consumers additional fees for making transactions by certain payment methods. PSD2 also prohibits the use of non-transparent pricing methods for cross-border payments. Before the implementation of PSD2, consumers could only see either a fixed fee or a percentage of the transfer amount, allowing merchants to charge consumers extra fees when the exchange rate was less competitive than expected. PSD2 ensures that consumers are aware of actual costs and charges when transferring money abroad.

 

PSD2 and Brexit

Even though the UK withdrew from the European Union and, by extension, the European Economic Area, the so-called EEA, on the 31st of January 2020, PSD2 continues to apply to financial service providers in the post-Brexit UK. Compliance with PSD2 is inevitable for financial institutions from the UK, as they need to continue to interact with other European financial institutions and to remain competitive in the banking industry. Also, as PSD2 promotes the digitalization of financial services and reflects the overall new approach to the payment market, this legislation provides consumers with access to more options than ever before, broadens the market to new players able to offer advanced services and products, and boosts consumer experience. Considering the above, the finance sector in the UK will likely be critically disrupted if it becomes incompatible with the rest of Europe. However, the UK government has indicated that it will make some changes to PSD2 as provided by the EU. Also, the UK will likely use EU legislation to create its own, with some adjustments to meet the individual needs of the UK's internal market after Brexit. To find out more, we further discuss changes to post-Brexit financial services and amendments to PSD2 requirements provided by the UK government to facilitate the adaptation to the new situation.

PSD2 and Brexit: impact on payment service providers

 

Loss of passporting rights provided by PSD2

As already mentioned, PSD2 helps create an efficient and integrated payment area in Europe that ensures the same rules regarding financial services in all European countries, a wide range of payment services, transparent information on payments, and better consumer protection. To build a single payment market, PSD2 provides passporting rules that allow financial institutions from the EU or EEA to establish branches and deliver their financial services elsewhere in the EEA when they meet shared EU regulatory and supervisory standards regarding payment services. Also, passporting rules covered by PSD2 permit all citizens and businesses from EEA to make payments between different countries of EEA as conveniently and safely as they would in their own countries. Under PSD2, cross-border operations, including transactions between countries from EEA, are subject to identical charges as domestic payments. In other words, passporting rights provided by PSD2 ensure that financial institutions and payments are able to operate all over Europe without barriers. Because the UK’s withdrawal from the EU at the end of January 2020 meant the termination of passporting, the UK immediately entered a transition period that lasted until 31st of December 2020 to continue cross-border operations between the UK and the rest of the EEA. However, the transition period has also ended, which means that the UK can no longer be treated as an EEA state under PSD2. In other words, as the transition period has been terminated, financial institutions from the UK no longer have their passporting rights to do business across the EEA. Also, financial institutions from the EEA are encountering similar difficulties when seeking to operate in the UK. 
To overcome the challenges that arise from the loss of passporting rules, financial institutions from the UK have already built bases in the EEA, while financial institutions from EEA are applying to the Financial Conduct Authority, or FCA, for temporary regimes to be able to operate in the UK. These changes that allow financial service providers to continue to trade in and from the UK are discussed in great detail below.

Temporary permissions for the EEA-based financial institutions

When the transition period ended on the 31st of December 2020, the UK's Financial Conduct Authority temporarily established several permissions that enable relevant financial institutions and funds which passport into the UK to continue operating in the UK after the passporting regime terminated at the end of the transition period. Firstly, after the transitional period came to an end, some providers of financial services from the EEA entered the UK's Temporary Permissions Regime, also known as TPR, to continue providing services in the UK for a limited period while seeking full authorization. This regime ensures that financial institutions from the EEA are treated as authorized financial service providers in the UK for an additional three-year period. To put it differently, under the TPR, financial services providers from the EEA can continue to provide services without the need to be authorized in the UK by the FCA or the PRA, also known as the Prudential Regulation Authority. The financial institutions from the EEA that are allowed to provide financial services in the UK under the TPR must, by the end of this regime, either stop doing business or get properly regulated in the UK. In other words, this regime also allows third parties from the EU to fully prepare for the impact of Brexit, which may include applying for UK authorization. In addition to the TPR, the UK's FCA granted an arrangement, known as the Temporary Marketing Permissions Regime, or TMPR, for EEA-based investment funds passported into the UK. This arrangement allows funds that were passporting from the EEA into the UK to continue to be marketed in the UK in the same manner as before the end of the transition period.
Finally, the UK's FCA allows other financial service providers from the EEA to enter a few more regimes: the Supervised Run-off Regime, or so-called SRO, or the Contractual Run-off Regime, or so-called CRO, if they have already decided to close their UK business and exit the UK market. Financial service providers that enter these regimes are covered by the Financial Services Compensation Scheme, or FSCS, to protect consumers when a provider fails and cannot return money to their clients.

Challenges for the UK-based financial institutions

As mentioned above, all temporary regimes provided by the UK's FCA allow financial service providers from the EEA to continue their passporting activities in the post-Brexit UK for three more years. However, countries of the EEA do not have any arrangements that can be the equivalent of these temporary permissions for financial institutions from the UK that provide their services in the EEA. Due to this barrier, some UK-based financial institutions have already stopped providing their financial services into the EEA. Nevertheless, in order to overcome issues arising from the loss of passporting rights in the EEA, many UK-based financial institutions are establishing their separate licensed entities in the EEA. These entities allow UK-based financial institutions to continue to provide their financial services throughout the EEA after the end of the transition period, as they can be legally authorized as payment service providers by the competent authorities of the EEA. When UK-based financial institutions establish new bases in the EEA, they also need to provide their clients with new contracts to re-sign them to these newly set up entities. Also, the end of the transition period means that the UK-based financial institutions need to consider whether they would need to assess the authorization requirements in each member state if their businesses involve multiple countries of the EEA.

PSD2 Brexit: new requirements to help adapt to changes

 

New identification certificates for the UK-based third-party providers

With the termination of the transition period, eIDAS certificates issued to the UK's Third-Party Payment Service Providers, or TPPs, were revoked by the European Banking Authority. These certificates are required for TPPs to be valid under PSD2 requirements of eIDAS, a regulation on electronic identification and trust services for electronic transactions. eIDAS certificates allow TPPs to identify themselves to access customer account data, initiate payments, and exchange customers' account information online in a secure way on behalf of the consumers. It is crucial to note that, under PSD2, these certificates are the only accepted identification standard permitted between AISPs and PISPs in Europe. In response to the revocation of eIDAS certificates, the UK's FCA has allowed UK-based third-party providers to use an alternative to these certificates to access customer account information from account providers or initiate payments. Besides, the FCA has required UK-based account-holding financial institutions to make changes to their systems to accept alternative certificates that enable TPPs to continue accessing customer account information. Also, all UK-based payment service providers must ensure that they can identify and accept eIDAS certificates of the EEA-based TPPs that have entered temporary regimes provided by the UK. Finally, the FCA has already set out the changes to the Regulatory Technical Standard, also known as RTS, on Strong Customer Authentication and Common and Secure Communication, known as SCA & CSC, to allow for these alternative identification arrangements.

Changes to RTS on SCA and CSC after the transition period

In January 2021, one month after the end of the transition period, the FCA proposed some significant regulatory changes regarding the Regulatory Technical Standard on Strong Customer Authentication and Common and Secure Communications, or RTS - SCA & CSC, requirements now known in the UK as SCA-RTS. These requirements, which were developed under PSD2 and have been implemented into UK law following Brexit, allow secure interchange of consumers' data between payment account providers and third-party providers. Also, these requirements provide guidance on how and under what circumstances the identity of the consumer must be authenticated to ensure that payment service providers know that the one asking for access to an account or trying to make a payment is either the client or someone that has their explicit consent. The amendments suggested by the FCA aim to facilitate the adoption of the onshored SCA-RTS requirements in the UK by removing well-known obstacles to higher consumer experience, successful innovation, and competition. Also, the implementation of these changes is expected to achieve enhanced consumer protection and reliability of third parties' services.

The first change proposed by the FCA to the onshored SCA-RTS aims to address the re-authentication requirements of the original SCA that have been decreasing customer confidence in third-party providers and slowing down the adoption and introduction of new account information services. The new exemption suggested by the FCA ensures that account providers no longer have to demand that clients using account information services perform SCA every 90 days. Consumers will only need to undergo SCA when they connect their account to these services for the first time. Also, third parties that provide account information services will now be responsible for confirming the customer's explicit consent every three months to allow them access to their account information.

The second amendment to the onshored SCA-RTS concerns the interfaces provided by account providers through which third parties can access payment account information in a secure manner. Presently, account providers from the UK can offer the already mentioned Application Programming Interface, or API, or a Modified Customer Interface, also known as MCI, based on the clients' current online banking platforms. However, MCIs are not standardized and therefore are less secure, more expensive, and more difficult to access for third parties than APIs. When using MCIs, third parties that provide account information services have difficulties implementing the consent management system required under PSD2, while third parties that deliver payment initiation services encounter challenges setting up the mechanism for confirmation of funds demanded by PSD2. Unlike MCIs, APIs are easier to implement with an assurance that all the PSD2 requirements are fully satisfied. The API implementation even allows financial service providers to offer their consumers the option to withdraw consent, to ensure that the information is being shared only with those parties that customers need. Considering the benefits of APIs, the FCA has proposed to make these dedicated interfaces mandatory and remove MCIs as a compliant alternative for most payment accounts, including current accounts, credit card accounts held by consumers, or small and medium enterprises. However, the FCA has excluded certain account providers, including financial institutions that rely on the temporary permissions regime or supervised run-off regime, from the already mentioned requirement. Other changes suggested by the FCA include the following:

  • a proposal for technical specifications and testing facilities regarding dedicated APIs to be available at the launch of new services, but not be required six months in advance;
  • a suggestion to increase the single and cumulative transaction limits for contactless payments, in acknowledgment of changes regarding consumer behavior due to the pandemic and the continuing low quantity of frauds.

The FCA has also proposed changes to its Approach Document, which involve several suggestions on the amendment of the RTS - SCA & CSC from the European Banking Authority and the European Commission.

 

Deadline extension for the enhancement of Strong Customer Authentication

Even though the UK planned to enforce the SCA for e-commerce transactions by September 2021, the FCA has extended the deadline for implementing SCA standards for e-commerce transactions to March 2022. The FCA delays the enhancement of SCA to recognize ongoing challenges due to the end of the transition period and the coronavirus pandemic, reduce disruption to merchants and consumers, and comply with exceptions arising from the onshored version of the legislation.

PSD2 and Brexit: impact on payment service users

Until the termination of the transition period, transactions between the UK and the EEA, in any currency, were defined and handled as intra-EEA payments by financial service providers. PSD2 ensures the protection of the principal amount of the intra-EEA transactions, which results in less burdensome payment data requirements. After the end of the transition period, payment service users can continue to make payments and cash withdrawals in or to the EEA. However, these operations may be more expensive and require more time, as transactions between the UK and the EEA can no longer be treated as intra-EEA payments. Also, after the end of the transition period, some account providers from the EEA have started to treat direct debit transactions between the UK and Europe as cross-border payments from a fee perspective, resulting in additional charges. Even though increased charges mostly affect consumers and merchants, they also indirectly impact financial service providers from the UK. Financial institutions from the UK must consider whether changes to internal or other operational processes are needed regarding new charges. Also, financial service providers must inform their consumers about any changes in fee structure and ensure transparent communication with regard to any inconvenience, including payment disruptions. In addition to extra fees, as the transition period has ended, payment service providers must also provide additional information when making certain transactions between the UK and the EEA. Transactions between the UK and the EU have always required the name and the account number or unique transaction identification number of the payer and payee. However, because the transition period has already ended, information regarding the transactions between the UK and the EEA must also include one of the following: full payer address, official personal document number, customer identification number, or date and place of birth.
If this additional required information is not delivered, financial service providers located within the EEA and UK can reject or delay transfers, resulting in decreased satisfaction of consumers.

The future of financial services in the post-Brexit UK

Even though the decision of the UK to become independent from the EU has brought many hardships to the European banking industry, the post-Brexit outlook remains uncertain, and it is difficult to specify the impact on the financial sector in the UK and the rest of Europe. Nevertheless, it is crucial to acknowledge that Brexit has created opportunities to innovate in order to make the best of a challenging situation. One of these changes is the new post-Brexit solutions to the payment service regulatory framework, which hopefully will allow the UK to facilitate the development of international relationships and continue to build a worldwide-thriving financial sector.

 
