Payments after PSD2: evolution or revolution

Speech delivered by Karina McTeague, Director of Retail Banking Supervision at the FCA, at the Pay360 Conference.

Speaker: Karina McTeague, Director of Retail Banking Supervision
Event: Pay360 Conference organised by the Emerging Payments Association, London
Delivered: 1 March 2018
Note: this is the speech as drafted and may differ from the delivered version

Highlights

  • From a consumer protection and market integrity perspective, we have a real interest in the Open Banking Implementation Entity’s successful delivery of the CMA’s Open Banking API requirements and wider adoption of APIs by the industry.
  • Customer communications should be balanced, and not seek to dissuade customers from using third party AIS or PIS providers through their communications or terms and conditions.
  • We welcome the development of industry arrangements designed to facilitate the successful delivery of PSD2 objectives (including voluntary guidelines and dispute management system).
  • We will be looking to see that firms’ culture prioritises treating customers fairly, and doesn’t take inappropriate advantage of ill-informed, naïve or vulnerable consumers.

The media coverage at the launch of Payment Services Directive (PSD2) and Open Banking on 13 January 2018 gave a flavour of some of the services coming the way of consumers as a result of these regulatory changes - a glimpse of the future.

As a regulator, I’m often asked to look into my crystal ball and predict the shape and size of a market, and the winners and losers on the playing field.

As tempting as that is, I must decline. Especially as, looking at today’s agenda, there are many here who are better equipped to divine the future.

Instead, let me share my thoughts on some aspects of PSD2 and Open Banking from a regulator’s perspective.

PSD2 and Open Banking: opportunities

Undoubtedly, PSD2 offers opportunities: For consumers, financial services and - through retail businesses - for the UK economy.

It provides consumers with choice: choice to share their data in a way that allows them to take advantage of the newly regulated payment initiation service (PIS) and account information service (AIS). I want to stress the word choice. I’m hearing from banks and others that their customers are concerned that their data will be shared without their permission; that the new services envisaged by PSD2 will be foisted upon them.

It’s important that we all ensure consumers know and understand that the new AIS and PIS offerings are simply that: offerings that they can choose to accept, or not; and, if they do accept, that they can withdraw from at any time.

13 January was never going to be the start of a revolution; it was never going to be a big bang.

We don’t know what the tipping point or catalyst will be that will visibly change the landscape for consumers and businesses. Perhaps some of today’s speakers will be able to provide some insight.

But let me go through some real time stats and observations relating to firms applying for permission to deliver account information and payment initiation services.

Since we opened our doors for PSD2 applications on 13 October last year we have received applications from 59 firms for the two new regulated activities (account information and payment initiation services).

On 13 January we admitted 13 firms through the regulatory gateway to provide the new services (2 live-market and 11 new to market). Of these, 10 were registered account information service providers.

Since then we’ve authorised or registered 6 additional firms for the new regulated activities and a further 60 other PSD2 cases (including reauthorisations).

In terms of the profile of applicants:

  • some were already conducting activities under PSD1 and are applying for reauthorisation so they can expand into this new area
  • we are seeing firms which already operate extensively in other countries – and are seeking to move into the UK market with payment initiation services

These applications also cover a range of business propositions including:

  • consumer credit businesses (already authorised under FSMA) planning to extend the scope of credit reports and credit scores
  • existing live market firms producing financial dashboards for consumers
  • business services providers looking to help SMEs with financial forecasting and credit transfers
  • new FinTech applicants providing customers with services such as:
    • rounding up a customer’s purchases to the nearest pound and then investing the digital spare change
    • storing consumers’ digital loyalty points, lightening the number of loyalty cards we carry in our purses and wallets

From a regulatory perspective, we regard 13 January as simply a key milestone in a longer-term/bigger picture plan.

Other milestones are still to come. Of these, there are 4 key milestones I want to reference.

Three include changes designed to enhance secure delivery of account information and payment initiation services:

The first is a fully operational Open Banking API for the CMA9’s online current accounts and one-off payments.

Using an API reduces the potential harm from cyber-attacks because there is no need for the Third Party Providers to use or retain customers’ credentials.

So, from a consumer protection and market integrity perspective, we have a real interest in the Open Banking Implementation Entity’s successful delivery of the CMA’s Open Banking API requirements and wider adoption of APIs by the industry.

Along with HM Treasury (HMT), we encourage the industry to move in this direction.

The second is when the Regulatory Technical Standards on strong customer authentication and common and secure communication come into force. These regulatory standards are intended to provide additional fraud protection by prescribing requirements for firms to ensure greater safety and security.

However, these standards aren’t expected to come into force until the second half of 2019, which creates a potentially uncomfortable transition period.

So, jointly with HMT, we have set out our expectations that, as an important mitigant against fraud and cyber risks during this transition period, firms should adhere to the principles of safety and security from 13 January. For example:

  • we expect firms to transmit credentials and data securely
  • to be transparent and open about their identities when interacting with one another
  • ensure data is held securely to mitigate the risk of illegitimate access

Banking and payments are increasingly about data. So the third key milestone is in May, when the EU General Data Protection Regulation (GDPR) comes into force. GDPR governs the treatment of personal data by all parties involved in handling data - forming part of the overall protective framework within which consumers and businesses can operate.

The fourth milestone is the proposed extension of the CMA9 specification for Open Banking APIs to all the payment accounts covered by PSD2, i.e. credit cards, e-money wallets and some types of online savings accounts – due in 2018/2019.

Looking forward, it will be interesting to see how this market develops. The generally held view is that the market will evolve; this will be a relatively ‘slow burn’ as:

  • existing businesses seek to adjust and adapt their business models
  • new entrants build their offerings and customer base
  • consumers become familiar and comfortable with the new services, their potential and their risks. I’ll expand on this point as I go on

What we are seeing is the development of an ecosystem; with opportunities for existing and new participants. But it’s a nascent ecosystem, the growth of which can be stunted by the ill-considered actions of any one of its component parts.

As an observer at the Open Banking Implementation Entity, we are seeing a new dynamic developing in the relationship between incumbents of retail banking and innovators within the payments sector.

Retail banking incumbents are weighing up the opportunities, and the threats, to their businesses of the innovation facilitated by PSD2 and Open Banking. Whilst innovators in the payments sector are looking to gain traction, scale and brand recognition.

Each can see the benefits of partnerships with each other – and the disadvantages. And each is aware of the over-arching and interdependent need to win and maintain public trust in this evolving market.

PSD2 and Open Banking are designed to create positive disruption so it is inevitable there will be tensions.

What is clear, though, is that all market players, across the retail banking and payments sectors, have an inter-dependent interest in the successful transition to the new world – whatever that might look like.

I’m not usually one for sporting analogies but, when I was thinking about what I’d be saying to you this morning, my school hockey playing days came to mind.

There was one fixture my team always dreaded. Not because we’d be beaten. Far from it. But because the quality of the pitch was so bad, we never had a decent game. As a result, neither team could attract enough supporters to cheer us along on those wet, windy Scottish Saturday mornings.

If PSD2 and Open Banking are the pitch, every team in the league has a responsibility not to stunt the growth of the turf or muddy it up. We all want to attract supporters – the consumer.

At the FCA, we are aware of the challenges around the new regime. What we expect is that, as the teams work out their game plans, they make sure they don’t spoil the pitch for all.

Let me share with you, at this point, the FCA’s expectations, taking first our expectations of all firms we regulate within the payments eco-system, and then some specific expectations of those firms offering online payment accounts, such as current accounts.

We expect all firms we regulate within the payments eco-system, to:

  • put the fair treatment of their customers at the heart of their business models
  • work to realise the potential benefits of account information and payment initiation services
  • be aware of their broader legal obligations, particularly under secure data protection and consumer protection laws
  • fulfil their role in helping customers understand and take steps to protect themselves from the risks associated with fraud
  • in short, we expect the communications and information that firms send to their customers to be balanced and informative

So what do these expectations mean, in particular for banks and building societies?

Banks and building societies should allow their customers to make use of AIS and PIS in relation to those payment accounts without penalty, including allowing their customers to share their credentials.

Their customer communications should be balanced, and not seek to dissuade customers from using third party AIS or PIS providers through their communications or terms and conditions. I want to emphasise this point. Banks and building societies are an important source of information for customers about these new services. They need to fulfil that role in a balanced and socially responsible way. So, for example, banks might include in their customer communications:

  • balanced information about sharing banking and security credentials, distinguishing between regulated AIS/PIS providers and other unregulated services
  • an explanation that some ‘live market’ firms might legitimately continue to operate unregulated for a period of time
  • treat all AIS and PIS providers objectively and fairly, within the spirit of the legislation and in the interests of the customers in question
  • permit access through credential sharing, until they have an alternative means of allowing AIS and PIS providers to access those accounts (although, clearly, in all cases, denying access would be justified in circumstances related to fraud and unauthorised access on the account)
  • in the event that something goes wrong, such as a payment is misdirected or there is an unauthorised transaction, banks and building societies are required to reimburse their customers in the first instance and they should be clear that they are the first point of contact

Moving on

We recognise the ongoing uncertainty about elements of the EU rules over the next year or two, pending the Regulatory Technical Standards on strong customer authentication and common and secure communication coming into force.

I hope it will help if I set out our views on this.

We anticipate, and welcome the development, introduction and use of technology across industry, such as APIs.

However, the use of online banking credentials to access account data will continue in the transition period (and beyond for access to accounts not within the scope of the PSRs 2017). Indeed, this is a current practice reportedly used by service providers to 2 million consumers with, to our knowledge, no material complaints.

We expect all of industry to work in a way that delivers access in the interests of the end consumer or business customer, by improving security and facilitating innovation.

We welcome the development of industry arrangements designed to facilitate the successful delivery of PSD2 objectives (including voluntary guidelines and dispute management system).

We encourage industry to be transparent and fair in their interactions with each other as we collectively seek to enhance the opportunities that will be delivered by the effective uptake of these newly regulated services.

We urge all firms to participate in the work towards adopting common standards around APIs. We believe that the use of secure APIs provides significant advantages and we believe there are benefits to customers and market participants if these APIs are developed according to common standards and using secure common infrastructure where necessary.

Our Approach Document, and our joint communication with HM Treasury (July 2017), go into more detail and can be found on our website.

Our Payments Department

As I draw to a close, I’d like to mention the FCA’s own response to these changes in the payments landscape.

We have bolstered our payments strategic and supervisory capacity and capability so we can extend our programme of proactive engagement with existing payment services providers, and take on supervision of the newly regulated AISPs and PISPs.

Our supervisors will be looking to see that:

Firms’ culture prioritises treating customers fairly, and doesn’t take inappropriate advantage of ill-informed, naïve or vulnerable consumers.

Firms have sound systems and controls for:

  • effectively managing financial risks, such as safeguarding, and operational resilience
  • combatting the risk that they are used for financial crime and money laundering purposes

We will want to know that firms:

  • help their customers understand the account information and payment initiation services on offer:
    • what the services are
    • what it is they’re consenting to
    • what will happen to the customer’s personal and account data: where it will be shared, with whom and for what purpose
    • how customers can complain
    • how customers can withdraw their consent

Conclusion

I want to sum up with two words: trust and opportunity.

Trust

I’ve previously said that PSD2 is an opportunity for banks to demonstrate their trustworthiness to their customers - and to consumers generally.

But trustworthiness is not a matter just for banks. It’s a matter for all players in the payments ecosystem. We all know that perceptions of trustworthiness are determined by actions and words.

Perceptions are also shaped by how these new services are portrayed in the media.

The payments and retail banking sectors are so inter-linked that where one player’s reputation is compromised, it affects the reputation of the ecosystem as a whole. Every firm in the ecosystem has a vested interest in each other ensuring good customer outcomes and market integrity, and helping educate and inform consumers through consistent and balanced messages.

Opportunity

The opportunities offered through PSD2 and Open Banking are undoubted. But they depend on the inherent risks being effectively managed.

Those risks can best be managed by the retail banking and payments sectors working together.

I’m already seeing positive signs of this. For example, the joint work being done by a number of trade associations, covering banks, building societies and payments firms, to agree voluntary guidelines for screen scraping.

This co-operative industry leadership is an important step towards helping consumers understand and build trust in the new services on offer, and realising the opportunities that PSD2 and Open Banking present.

There is another opportunity I want to finish on. A huge amount of work - across the whole industry - has already gone into the delivery of PSD2 and Open Banking. As a result, the UK has achieved a head start amongst its European competitors.

To maintain that advantage, I encourage the industry to continue to work together to deliver the benefits of PSD2 and Open Banking - for consumers, the industry and UK businesses.