PS18/24: Approach to final Regulatory Technical Standards and EBA guidelines under the revised Payment Services Directive (PSD2)

Open consultation: CP18/25
Policy Statement: PS18/24

This policy statement confirms the revised Payment Services and Electronic Money Approach Document and Handbook changes following consultation feedback.

Read PS18/24 (PDF)

Read Payment Services and Electronic Money – Our Approach (PDF)

In September 2018 we consulted (CP18/25) on new rules and guidance to implement regulatory technical standards for strong customer authentication and common and secure open standards of communication (SCA-RTS) and related guidelines developed by the European Banking Authority under the revised Payment Services Directive (PSD2).

Today we have confirmed our approach to assessing whether banks and other online account providers are properly set up to enable ‘open banking’. We will start to accept exemption requests and make assessments of them from January 2019. We encourage relevant firms to submit an exemption request before 14 June 2019 and to discuss this with us in advance.

We are also setting out our approach to parts of the SCA-RTS which are designed to enhance the security of electronic payments. For example, banks will need to ask for more information to verify customers making some payments online, to prevent fraud. This is an important set of changes aimed at enhancing consumer protection by making electronic payments more secure. This comes as industry figures put fraud losses on cards alone at £566m.

Additionally, for the purposes of contingency planning for a no-deal Brexit, we are publishing a consultation (CP18/44) on how we propose to make technical standards substantially the same as the SCA-RTS if there is no implementation period following the UK’s departure from the EU.

Enabling competition and innovation

One aim of PSD2 is to enhance competition in payment services by supporting providers of account information services and payment initiation services by bringing these services within the scope of regulation. These firms are collectively known as third-party providers (TPPs). We have already authorised or registered a number of TPPs since January 2018.

This policy statement concerns the technical standards which banks and other online account providers must implement to ensure secure and effective communication between TPPs and account providers with the customer’s consent.

Effective implementation of these technical standards should provide TPPs with a good platform from which to compete in banking and payment services, to provide value-added, innovative services and unlock the potential of payment account data and functionality.

Enhancing the security of payments to combat fraud

We set out our final approach to rules to report and combat payment fraud, which are intended to improve the security of payment services. The rules, which will require all PSPs to undertake strong customer authentication with a customer (unless one of the permitted exemptions applies), will be effective from 14 September 2019.

We also publish rules on reporting complaints about authorised push payment fraud, which are part of the FCA and Payment Systems Regulator’s work to tackle scams where customers unknowingly authorise payments to fraudsters.

Who this applies to

This policy statement will primarily be of interest to all payment service providers, including:

  • banks
  • building societies
  • e-money issuers
  • payment institutions
  • registered account information service providers
  • payment initiation service providers

It will also be of interest to credit unions, consumer bodies and relevant trade bodies, retailers, consumers, micro-enterprises and those involved in open banking initiatives.

What you need to do

Firms should note the Handbook changes in the policy statement and the guidance in the revised Approach Document and adapt their practices accordingly.