Search This Blog

Saturday, 22 April 2017

Durable Medium, According To The FCA

The Financial Conduct Authority has published new guidance (in the form of a web page), on what forms of media will enable firms to satisfy their obligations to provide information or make it available in a 'durable medium' as an alternative to paper... 

Friday, 21 April 2017

#PSD2: The FCA Clarifies The "Business Test"

In deciding whether or not a firm's activities are caught by the new Payment Services Directive (PSD2) as implemented in the UK by new Payment Services Regulations, one needs to first consider whether the activities are conducted by way of business. This is a question of fact and degree that can be difficult to answer. In the consultation on its approach to supervising the new regulations, the Financial Conduct Authority has helpfully done a lot more than it has in other areas to clarify when it considers that a payment activity will constitute 'a regular occupation or business' in itself, as opposed to being merely part of another type of business.

FCA's current guidance on the Payment Services Regulations 2009 states (at PERG 15.2, Q.9):
“…Simply because you provide payment services as part of your business does not mean that you require authorisation or registration. You have to be providing payment services, themselves, as a regular occupation or business to fall within the scope of the regulations. Accordingly, we would not generally expect solicitors or broker dealers, for example, to be providing payment services for the purpose of the regulations merely through operating their client accounts in connection with their main professional activities.”
The FCA has revised Question 9 as part of its proposed draft changes to the Perimeter Guidance to read as follows:
"Q9. If we provide payment services to our clients, will we always require authorisation or registration under the regulations?
Not necessarily; you will only be providing payment services, for the purpose of the regulations, when you carry on one or more of the activities in PERG 15 Annex 2:
  • as a regular occupation or business activity; and
  • these are not excluded or exempt activities.
Simply because you provide payment services as part of your business does not mean that you require authorisation or registration. You have to be providing payment services, themselves, as a regular occupation or business to fall within the scope of the regulations (see definition of "payment services" in regulation 2(1)). In our view this means that the services must be provided as a regular occupation or business activity in their own right and not merely as ancillary to another business activity. Accordingly, we would not generally expect the following to be providing payment services as a regular occupation or business activity:
  • solicitors or broker dealers, merely through operating their client accounts in connection with their main professional activities;
  • letting agents, handling tenants’ deposits or rent payments in connection with the letting of a property by them;
  • debt management companies, receiving funds from and making repayments for a customer as part of a debt management plan being administered for that customer; and
  • operators of loan or investment based crowd funding platforms transferring funds between participants as part of that activity.
The fact that a service is provided as part of a package with other services does not, however, necessarily make it ancillary to those services – the question is whether that service is, on the facts, itself carried on as a regular occupation or business activity."
Simlarly, in Question 38, the FCA proposes to state:
"Q38. We are an investment firm providing investment services to our clients - are payment transactions relating to these services caught by the regulations?
Generally, no. Where payment transactions only arise in connection with your the main activity of providing investment services, in our view it is unlikely that you will be providing payment services by way of business. In those limited cases where you are, the PSRs 2017 do not apply to securities assets servicing, including dividends, income or other distributions and redemption or sale (see PERG 15 Annex 3, paragraph (i))."
In relation to e-commerce marketplaces, the FCA proposes to add the following question to its Perimeter Guidance:
"Q33A. We are an e-commerce platform that collects payments from buyers of goods and services and then remits the funds to the merchants who sell goods and services through us – do the regulations apply to us?
The platform should consider whether they fall within the exclusion at PERG 15 Annex 3, paragraph (b). The PSRs 2017 do not apply to payment transactions from the payer to the payee through a commercial agent authorised via an agreement to negotiate or conclude the sale or purchase of goods or services on behalf of either the payer or the payee but not both the payer and the payee.
Recital 11 of PSD2 makes clear that some e-commerce platforms are intended to be within the scope of regulation. An example of where a platform will be acting for both the payer and the payee would be where the platform allows a payer to transfer funds into an account that it controls or manages, but this does not constitute settlement of the payer’s debt to the payee, and then the platform transfers corresponding amounts to the payee, pursuant to an agreement with the payee.
The platform should also consider whether they are offering payment services as a regular occupation or business activity (see Q9). Depending on your business model, the payment service may be ancillary to another business activity, or may be a business activity in its own right. Where the payment service is carried on as a regular occupation or business activity, and none of the exclusions apply, the platform will need to be authorised or registered."
The FCA also proposes to add Question 34A relating to "online fundraising platforms":
"Q34A. We are an online fundraising platform which collects donations in the form of electronic payments and transmits funds electronically to the causes and charities that have an agreement with us - do any of the exclusions apply to us?
Persons collecting cash on behalf of a charity and then transferring the cash to the charity electronically do not fall within the exclusion in PERG 15 Annex 3, paragraph (d), unless they themselves are carrying this out non-professionally and as part of a not-for-profit or charitable activity. For example, a group of volunteers that organises regular fundraising events to collect money for charities would fall within this exclusion. On the other hand, an online fundraising platform that derives an income stream from charging charities a percentage of the money raised for them is unlikely to fall within this exclusion.
Nor will an online fundraising platform accepting donations and then transmitting them to the intended recipient be able to take advantage of the exclusion in paragraph (b), as they are not a commercial agent authorised via an agreement to negotiate or conclude the sale or purchase of goods or services on behalf of either the payer or the payee but not both the payer and the payee.
Online fundraising platforms should also consider the guidance in Q33A."
There may be some confusion over whether a platform is an "online fundraising platform" covered by Questions 33A and 34A, as opposed to a 'donation/reward based crowdfunding platform' which I would suggest should be treated consistently with loan/investment based crowdfunding platforms under Question 9 above.

Thursday, 20 April 2017

Consultations On Supervision Of New Payment Services Regs Under #PSD2

The FCA is consulting on its approach to supervising the new regulations that will implement PSD2. It's a huge job, and delays to the release of the draft regulations has left little time to prepare for the regulations to take effect from 13 January 2018. Responses to the FCA consultation are due by 8 June 2017, and can be provided online

The consultation is explained in the first 60 pages of the main policy document, and the detailed changes to the FCA Handbook is in the Annexes (another 217 pages worth!), including important updates to the 'perimeter guidance' on activities that are in scope, out of scope or excluded (Annex K from page 223 of the PDF version).

The FCA has also helpfully published a mark-up showing changes to its Approach Document that explains how it regulates the current PSD. The regulations are still in draft, so the FCA's guidance may also change if the regulations do; and there are certain 'regulatory technical standards' being developed that could also produce changes over time.

I will likely publish my general observations on the FCA's proposed changes in the coming weeks, where possible. 

In the meantime, my general response to the Treasury consultation on the draft Payment Services Regulations is here; and I've also previously posted on the following general issues under PSD2:

Wednesday, 19 April 2017

Financial Authorities Need A Fresh Approach To Innovation

The application of the latest technology and business models to finance ("FinTech") is sparking a debate about the role of regulators and their approach to innovation. Senior officials advocate no change, citing various experiments and distinct innovation teams or projects of their own. But the financial system will fail to keep pace with the demands of the broader economy unless a culture of encouraging innovation is embedded throughout our regulators.

Financial innovation is hog-tied to the past. Regulators are conditioned to view innovation through the lens of current services and rules, rather than to consider it afresh. New services are sidelined into policy silos, where they are 'shoe-horned' into existing rules. Regulators seem reluctant to concede that new services reveal shortcomings in existing models and or that they should drive a change in regulatory approach. 

For example, Mark Carney, Governor of the Bank of England, has said that the Bank of England takes "consistent approaches to activities that give rise to the same risks, regardless of whether those are undertaken by "old regulated" or "new FinTech" firms."  This is because, he claims, "following a raft of post-crisis reforms, the Bank’s regulatory frameworks are now fit for purpose."  

Whose purpose?

Do banks adequately serve their customers?

Do they operate within the law? 

The UK's banks are a constant source of scandal, and frequently incur vast fines and compensation bills for misconduct.  New problems emerge constantly, and on a giant scale. Their role in Russian money laundering is perhaps the latest example. Many of the post-crisis reforms are also yet to take effect in the UK. The critical "ring-fencing" of retail and investment or 'casino' banking, for example, has been watered-down and won't take effect until 2019 - more than a decade after the financial crisis began - while Donald Trump is busy unwinding such reforms in the US. Whether such national initiatives will even be effective in a global system is still unclear.

Despite its name, "FinTech" represents not only the application of technology but also (usually) a customer-oriented commitment to either improve existing financial services or create alternatives that are aligned with customers' requirements. Yet the Bank of England approaches such innovation in the banking sector by asking:
  • Which FinTech activities constitute traditional banking activities by another name and should be regulated as such? Systemic risks associated with credit intermediation including maturity transformation, leverage and liquidity mismatch should be regulated consistently regardless of the delivery mechanism.
  • How could developments change the safety and soundness of existing regulated firms?  
  • How could developments change potential macroeconomic and macrofinancial dynamics including disruptions to systemically important markets? 
  • What could be the implications for the level of cyber and operational risks faced by regulated firms and the financial system as a whole?
This is not just a UK phenomenon. When it comes to assessing the application of technology to the financial system Sabine Lautenschlager, Vice-Chair of the Supervisory Board of the European Central Bank, also advocates "same business, same risks, same rules." 

Sabine says that "customers want to extend their digital life to banking; they want banking services anytime and anywhere." Yet she points to three "potential futures" for 'banking', none of which acknowledges the benefits of innovation. The only 'benign' scenario she considers is the one where banks "team up with" new entrants (or "fintechs"). A second scenario involves fragmentation into regulated and unregulated activity - nothing new, as the unregulated 'shadow banking' sector was already at the vast, pre-crisis levels in 2015. A third is that "fintechs" might be "swallowed up by big tech companies" making the banking market "more concentrated, less competitive and less diversified" (as if banking isn't already!). But the big tech companies already have regulated financial subsidiaries (mainly offering retail payment services under EU carve-outs from the banking monopoly), and their presence in the market automatically makes it less concentrated, more competitive and more diversified.

The ECB's overall concern seems to be that banking will become less profitable, causing existing players to cut spending on risk management.  But a preoccupation with the impact of innovation on  legacy players dooms the sector to over reliance on legacy firms and inefficient models that effectively require super-normal profits to operate. Mark Carney also points out that concerns about banks cutting corners to keep up with more nimble competitors should not constrain innovation, but is instead a matter for the central bank "to ensure prudential standards and resolution regimes for the affected banks are sufficiently robust to these risks."

The ECB has some strange views on what constitutes risks.  It is said to be inherently risky, for example, that P2P lending platforms are "securitising the loans they originate from their platforms". That maybe how such programmes work in the US, but over there a regulated lender makes a regulated loan and sells it to a listed entity that issues bonds under an SEC-registered prospectus. So any problems are happening right under the noses of the relevant authorities. In the UK, the lenders are free to securitise their portfolios - and several have - but that is not the role of the platform operator. Again, however, this involves regulated activity, both at P2P platform level and through the offer and listing of the relevant bonds.  The regulators are already implicated.

"Robo-advice" is also said to create the risk of investors 'herding' into the same positions at the same time, yet this already happens among regulated fund managers (and banks).  

Risks associated with 'cloud' services and outsourcing of data storage are also cited by the ECB, but these are not new risks at all, or even exclusive to financial services.  

Indeed, what regulators seem to miss is that many of the technological advances that are finally being applied to financial services under the "FinTech" banner have been applied to other sectors for over a decade.

This is not to say that new models are necessarily 'good' or effective. It can also take some time for risks to emerge.  The 'lessons' of the past and the resulting regulatory 'tools' and solutions must not be forgotten, and the old models need to be managed along side the new. But those old models and the rules they require should not be the only lens through which all innovation is analysed. New services must also be viewed afresh.

Wednesday, 15 February 2017

#PSD2: Are Merchant Checkouts "Payment Instruments"?

The Treasury is consulting on its proposed regulations to implement the new Payment Services Directive (PSD2) in the UK.  The consultation ends on 16 March 2017 and the regulations must take effect on 13 January 2018. The FCA will consult on the guidance related to its supervisory role in Q2 2017. Time is tight and there are still plenty of unanswered questions, which I've been covering in a series of posts. In this one, I'm exploring whether online merchants' checkout process/pages could be "payment instruments", so that merchants who host their own process might be engaging in the regulated activity of "issuing payment instruments" (and possibly even offering a "payment initiation service"). There is now precious little time for retailers to consider the issue,  decide whether their activities are caught and, if so, whether to outsource the hosting of the checkout process to a duly authorised firm or its agent, restructure the checkout process or the entity/ies that operates it, or become authorised or the agent of an authorised firm.

Everyone is familiar with the e-commerce 'checkout' page or process, with its list of ways to pay for the items selected or in the 'shopping basket'. Sometimes these are hosted by a regulated payment service provider, an exempt 'technical service provider' or 'gateway', and sometimes by the merchant itself (in which case the merchant has to comply with certain security requirements in relation to card transaction data, for example). 

Whether technical service providers who are currently exempt will remain so under PSD2 is already an open issue, since to remain so they cannot also provide either a payment initiation service or an account information service, even though they still would not be handling the funds to be transferred.

The big question is whether merchants themselves fall into the regulated scope, especially as they ultimately receive funds, so might not qualify as technical service providers.

First, a few (of the many) relevant definitions:
“issuing of payment instruments” means a payment service by a payment service provider contracting to provide a payer with a payment instrument to initiate and process the payer’s payment transactions;
“payment instrument” means any— (a) personalised device; or (b) personalised set of procedures agreed between the payment service user and the payment service provider, used by the payment service user in order to initiate a payment order;
“co-badged”, in relation to a payment instrument, refers to an instrument on which is included two or more payment brands, or two or more payment applications of the same payment brand;
Note that the references to 'payment service' and 'payment service provider' are redundant or circular - essentially, they mean anyone who is, or should be, authorised to provide a regulated payment service. The reference to 'co-badging' is important as certain information could have to be provided under the Merchant Interchange Fee Regulations.

I think the primary questions are as follows, but the answers would vary considerably according to the payment method and other facts and circumstances:
  • is the checkout process/page a "personalised device"; or "personalised set of procedures agreed between" the customer and the merchant?
  • if so, is the checkout process/page "used by the payment service user" (again, see here)?
  • if so, is the payment service user using the checkout process/page "in order to initiate a payment order"... as explained previously...or 'payment transactions'?
  • finally, how much processing would a merchant have to do to fall within the meaning of "initiate and process the payer's payment transactions": so, when does that processing begin and end; what steps/participants are involved; what is the nature of the processing (e.g. does it send transaction data to a payment gateway, acquirer or other type of payment service provider?); is the merchant acting as principal, agent or payee?
Hopefully, the Treasury and FCA will explain their interpretation soon!

#PSD2: What Is An Account Information Service?

The Treasury is consulting on its proposed regulations to implement the new Payment Services Directive (PSD2) in the UK.  The consultation ends on 16 March 2017 and the regulations must take effect on 13 January 2018. The FCA will consult on the guidance related to its supervisory role in Q2 2017. Time is tight and there are still plenty of unanswered questions, which I've been covering in a series of posts. In this one, I'm exploring the issues related to the new "account information service", which is being interpreted very broadly indeed by the FCA.  Firms providing such services will need to register with the FCA, rather than become fully authorised (unless they provide other payment services); and they are spared from compliance with a number of provisions that apply to other types of payment service provider. But now is the time for assessing whether a service qualifies, and whether to restructure or become registered.

The Treasury has, naturally, copied the definition from the directive:
‘account information service’ means an online service to provide consolidated information on one or more payment accounts held by the payment service user with either another payment service provider or with more than one payment service provider (article 4(16)) - [my emphasis] - but has added:
"and includes such a service whether information is provided—
(a) in its original form or after processing;
(b) only to the payment service user or to the payment service user and to another person in accordance with the payment service user’s instructions" [which do not appear in PSD2]
This reflects the government's broad definition of the directive (para 6.27 of the consultation paper) - consistent with the UK needlessly creating a rod for its own back and particularly ironic in the light of Brexit. The account information service provider (AISP) should be granted access by the account service provider to the same data on the payment account as the user of that account (para 6.25). A firm will be considered an AISP even if it only "uses" some and not all of that account information to provide "an information service" (para 6.28).

Services that the government believes are AISs include (but are not limited to):
  • dashboard services that show aggregated information across a number of payment accounts; 
  • price comparison and product identification services;
  • income and expenditure analysis, including affordability and credit rating or credit worthiness assessments; and 
  • expenditure analysis that alerts users to consequences of particular actions, such as breaching their overdraft limit.
The services could be either standardised or bespoke, so might include accountancy or legal services, for example (para 6.30).

Some key points to consider:
  • does it matter to whom the account information service is provided? The additional wording seems to suggest that the 'payment service user' must be at least one recipient of the information, but does that mean the payment service user of the payment account or the person using the account information service?  This would seem to cover every firm that prepares and files tax or VAT returns, for example, since these are usually provided to both the client and HMRC.
  • the service has to be "online", but what if some of it is not?
  • little seems to turn on the word "consolidated", since the Treasury says a firm only needs to use some of the information from the payment account to be offering an AIS, and it could be from only one payment account. For instance, what if a service provides a simple 'yes' or 'no' to a balance inquiry or request to say whether adequate funds are available in an account, and that 'information' or conclusion/knowledge is not drawn from the payment account itself, but merely based on comparing the balance with the amount in the customer's inquiry or proposed transaction?
  • the payment account that the information relates to must be 'held by the payment service user' with one or more PSPs, so presumably this would not include an online data account or electronic statement that shows the amount of funds held for and on behalf of a client in a trust account or other form of safeguarded or segregated account which is in the name of, say, a law firm or crowdfunding platform operator (albeit designated and acknowledged as holding 'client money' or 'customer funds');
  • it seems impossible for the relevant data to provided in its 'original form', since data has to be processed in some way to be 'provided' online, but this could cover providers of personal data stores or cloud services that simply hold a copy of your bank data for later access;
  • what is meant by 'after processing':
  1. it may not be clear that a firm is providing information 'on a payment account', as opposed to the same information from another type of account;
  2. does this mean each data processor in a series of processors is providing an AIS to its customer(s) - which brings us back to whether it matters who the customer is - or does interim processing 'break the chain' so that the next processor can say that the information was not 'on a payment account' but came from some other service provider's database (whether or not it was an AIS), such as a credit reference agency?
  3. what about accounting/tax software providers providers who calculate your income and expenditure by reference to payment account information but may not necessarily display or 'provide' the underlying data - although presumably the figures for bank account interest income (if any) in a tax return might qualify?
Sorry, more questions than answers at this stage!

Update on 21 April 2017:

The FCA has indicated in Question 25A of its proposed draft changes to the Perimeter Guidance that:
"Account information service providers include businesses that provide users with an electronic “dashboard” where they can view information from various payment accounts in a single place, businesses that use account data to provide users with personalised comparison services, and businesses that, on a user’s instruction, provide information from the user’s various payment accounts to both the user and third party service providers such as financial advisors or credit reference agencies." [my emphasis added]

Tuesday, 7 February 2017

#PSD2: What Is A Payment Initiation Service?

The Treasury is currently consulting on regulations to implement the new Payment Services Directive (PSD2). There is little commentary in the consultation paper and many old questions remain unanswered, with the regulations to go live on 13 January 2018.  Government policy is to simply gold plate 'copy out' EU directives, which creates a rod for the UK's own back leaves the FCA to say how it will interpret the new rules in a consultation paper it proposes to issue in Q2.  But some new services will be regulated, and time is getting very tight for firms who offer them to figure out whether to outsource the operation of the service to a duly authorised firm or its agent, or become authorised or the agent of an authorised firm. In this post, I'll briefly explore the new regulated service of "payment initiation" and why it takes a very careful analysis of the facts to figure out who is offering that service in any given payment scenario.

The decision to regulate "payment initiation services" is said to have resulted from the popularity of services that enable you to pay for online purchases by making a bank transfer (see recital 27 and the Commission's FAQs 18, 21).

But "payment initiation service" seems to have been defined in article 3 to cover any payment method:
“a service to initiate a payment order at the request of the payment service user with respect to a payment account held at another payment service provider .”
Note also, that a "payment instrument" is defined as "a personalised device(s) and/or set of procedures agreed between the payment service user and the payment service provider and used in order to initiate a payment order.

The UK government also says it reads the definition of "payment initiation service" broadly and that users will have the right to use payment initiation services in connection with all online payment accounts, including current accounts, credit card accounts, savings and e-money accounts (paras 6.22, 6.23 and 6.27).  That makes sense, as to exclude providers of payment initiation services for some payment methods and not others would be discriminatory, and shield the excluded firms from competition (see PSD2 recitals 29, 32 and 68).

There is no definition of “initiate a payment order” in PSD2 and different payment methods comprise different processes, actors and events - and sometimes several payment transactions are involved, as in the case of card payments (see PSD2 recital 68).

The European Banking Authority has issued regulatory technical standard for security of online payments that also identifies "payment integrators" as firms who "provide the payee (i.e. the e -merchant) with a standardised interface to payment initiation services provided by PSPs". In other words, even within the payment initiation process, there are technical service providers who support the process but are not responsible for the "payment initiation service" that initiates the relevant payment order.

So when considering who is providing a payment initiation service, one needs to consider: which type of payment method or instrument is being used; which of potentially several payment orders is involved; which payment account each order relates to; which payment service user is making the request to initiate the relevant payment order; which element of which service actually initiates that payment order; and who provides that service.

Yet there are divergent views on who initiates card payments, for example, since there are actually multiple transactions involved...

PSD2 concedes (at recital 68) there are (at least) three steps to a credit card payment - authorisation, an initial transaction where the issuer pays the acquirer (which can be a complex netting process involving a scheme operator), and a later one between cardholder's bank and the issuer (to pay the card bill). There's a third, of course, where the acquirer pays the merchant - and the fact this is not mentioned in the recital underscores why it is silly to refer to the cardholder as the 'payer' and merchant as his intended 'payee', since the cardholder intends to pay the card issuer, rather than the merchant. 

Recital 68 sidesteps the critical issue by stating that the "use of a card or card-based instrument... triggers" the whole payment flow, as does the provision that addresses the scenario where the card issuer is separate from operator of the related payment account:
"the payer has initiated the card-based payment transaction for the amount in question using a card based payment instrument issued by the payment service provider" (Article 65(2)(b))
"Payer" means either "a natural or legal person who holds a payment account and allows a payment order from that payment account, or, where there is no payment account, a natural or legal person who gives a payment order.

"Allowing" a payment order is not necessarily the same as "initiating" what has been 'allowed'.  And it's important to consider which payment instrument is being used and who really 'uses' it.

So it's easy to see why, in the context of a credit card payment, there is disagreement as to whether the cardholder is initiating one or more payment order(s) when offering to pay by card and/or entering her PIN in the relevant card terminal; or the merchant initiates a payment order when it accepts the transaction at the terminal and/or sends the transaction to the acquirer; or whether the acquirer initiates the first payment order when it accepts the transaction from the merchant and/or submits the transaction to the card issuer via the card scheme systems. 

Only when you determine the answer to this question can you then identify the payment method or instrument involved; the relevant payment order; the payment account to which the order relates; the payment service user who is making the request to initiate the order; which element of which service actually initiates that payment order; and who provides that service. 

Clearly, it's important for the authorities to provide greater clarity here; and it looks like the EU and the Treasury has left it to the FCA to do so...

Update on 21 April 2017:

In its consultation, the FCA proposes to add the following Question 25B to its Perimeter Guidance:
"Q25B. When might we be providing a payment initiation service?
The service of payment initiation is defined in regulation 2 as “a service to initiate a payment order at the request of the payment service user with respect to a payment account held at another payment service provider”.

This includes businesses that contract with online merchants to enable customers to purchase goods or services through their online banking facilities, instead of using a payment instrument or other payment method. However, it is not limited to arrangements where the service provider has a pre-existing relationship with the merchant. Any business offering payment initiation services as a regular occupation or business activity will require this permission unless exempt under Schedule 1 Part 2.
In our view, the provider of a service that transmits a payer’s card details, along with a payment order, to the payer’s payment service provider, but does not come into possession of personalised security credentials, is not carrying out a payment initiation service."