CP18/25: Approach to final Regulatory Technical Standards and EBA guidelines under the revised Payment Services Directive (PSD2)

Open consultation: CP18/25
Consultation closes

We are consulting on new rules and guidance to implement the revised Payment Services Directive (PSD2). We propose changes to reflect final regulatory technical standards on security and new fraud reporting requirements published by the European Banking Authority. We are also proposing new complaints reporting rules about authorised push payment (APP) fraud.

Read CP18/25 (PDF)

We are responding to calls from stakeholders to provide clarity as soon as possible by consulting for 4 weeks so that we can publish our final position in early 2019.

Enhancing the security of payments to combat fraud

We set out our approach to rules to report and combat payment fraud, which are intended to improve the security of payment services. They add security processes around checking a customer’s identity when paying online with cards or accessing online banking services.

Enabling competition and innovation

PSD2 introduced a new class of regulated firm, collectively referred to as third-party providers (TPPs). These provide online dashboards, payment initiation and similar services (‘open banking’). We update our guidance on how TPPs can access customers’ accounts (with the customer’s consent) in a secure and effective manner. We also clarify, where more than one business is involved in providing an account information service to a customer, how such arrangements might work.

Why we are consulting

PSD2 was implemented in the UK in the form of the Payment Services Regulations 2017 (PSRs 2017). While most requirements applied from 13 January 2018, additional rules come into effect on 14 September 2019. 

These rules on strong customer authentication and common and secure communication (SCA-RTS) seek to increase the security of customers’ payments and set out new rules that affect ‘open banking’ services. The EBA published an additional Opinion and Draft Guidelines on this in June and we issued a Statement in response.

We are now consulting on our proposed approach to the SCA-RTS and our implementation of the Guidelines that set out an exemption process for banks and other account providers building interfaces for TPPs engaged in open banking.

We are also consulting on new fraud reporting requirements that will affect the data collected and reported by all payment service providers (PSPs) (see EBA Guidelines on fraud reporting).

In June 2018 (CP18/16), we consulted on requiring PSPs and Credit Unions to handle complaints when they have received funds as a result of APP fraud. We now propose to require these firms to record and report data on complaints about APP fraud.  

We are also consulting on other changes to our Payment Services and E-money Approach Document and Perimeter Guidance. These reflect our practical experience of new firms’ applications and issues identified since publication of our September 2017 Policy Statement. We have also aligned our guidance with the final Passporting RTS published in November 2017.

Who this applies to and who should read the consultation

All PSPs, including banks, building societies, e-money issuers, payment institutions, registered account information service providers and payment initiation service providers. The consultation will also be of interest to Credit Unions, consumer bodies and relevant trade bodies, retailers, consumers, micro-enterprises and those involved in open banking initiatives.

What you need to do

Please send us your comments by 12 October 2018.

You can send them to us using the online response form:

Online response form

You can also:

  • email your responses to [email protected]
  • write to us at: Jack Wilson, Strategy & Competition Division, Financial Conduct Authority, 12 Endeavour Square, London E20 1JN