New reporting and notification requirements under the Second Payment Services Directive (PSD2)
PSD2 introduces the following new notification requirements. Full details can be found in Chapter 13 of Payment Services and Electronic Money: Our Approach. (Part II: Notifications). Please also see our page on the Limited Network Exclusion (LNE) and Electronic Communications Exclusion (ECE).
Withdrawals of Payment Account Services
A credit institution that may refuse a Payment Service Provider’s (PSP’s) request to access payment account services, or withdraw existing services, only for duly motivated reasons which must be proportionate, objective, and non-discriminatory. The credit institution must notify the FCA of the refusal or withdrawal and provide the reasons for refusal to us. We will use the information provided in this notification for the purposes of monitoring compliance with regulation 105 of the Payment Services Regulations (PSRs 2017). More information can be found in Chapter 13 of Payment Services and Electronic Money: Our Approach.
Account Information Services (AIS)/ Payment Information Services (PIS) denial of access
An Account Servicing Payment Service Provider (ASPSP) that denies an Account Information Service Provider (AISP) or Payment Information Service Provider (PISP) access to payment service users’ payment accounts must submit a notification to us. Access may be denied if the ASPSP believes the request is unauthorised or fraudulent. The notification must include the details of the case and the reasons for taking action.
Major Incident Reporting
All firms covered by PSD2 must report to the FCA using the Major Incident Notification form when they become aware of a major operational or security incident. This form must be submitted within four hours of detecting the incident while the FCA is open, or when the FCA re-opens. More information is available in Payment Services and Electronic Money: Our Approach.
Credit institutions providing (or intending to provide) account information or payment initiation services
Authorised deposit takers (Credit institutions) do not need to seek additional permissions to offer AIS and PIS services, but to make notification to the FCA of the addition to their business model. The credit institution is required to provide a description of the AIS or PIS activity. We require this information in order to improve our understanding of the providers in this new and emerging market. This will help us measure potential risks to consumers, as well as indicate how competition is working in the sector.
Reporting requirements are detailed in Chapter 13 of Payment Services and Electronic Money: Our Approach.
New notifications for firms
The EU Regulatory Technical Standards for strong customer authentication and common and secure open standards of communication (SCA-RTS) introduces the following notification requirements for firms.
Fraud rate Notification – NOT004
Under the SCA-RTS, PSPs must apply strong customer authentication unless a relevant exemption applies. If PSPs make use of the SCA-RTS Article 18 transaction risk analysis exemption, they are required under SCA-RTS Article 20 to notify the FCA when their monitored fraud rate exceeds the relevant applicable reference fraud rate. PSPs should notify the FCA using NOT004.
Problems with a dedicated interface – NOT005
Under SCA-RTS Article 33(3), ASPSPs, AISPs and PISPs are required to report problems with dedicated interfaces to the FCA. In the event of unplanned unavailability or a systems breakdown of a dedicated interface as defined under SCA-RTS Article 33(1), ASPSPs, AISPs and PISPS should use NOT005 to notify the FCA.