PSD2 Stakeholder Liaison Group. 10 February 2017

Transcription

1 PSD2 Stakeholder Liaison Group 10 February

2 Agenda 1. Welcome 2. Agree agenda 3. Update on PSD2 timing 4. HM Treasury update 5. Discussion of reporting and notification requirements 6. AOB/ next meetings 2

3 Update on PSD2 timing Treasury consulting on draft implementing regulations FCA consultation on rules and guidance FCA open for PSD2 authorisation ( (TBC) Deadline for providing new authorisation information (APIs) EBA RTS SCA/SCS in force 16 March 2017 Q January October February 2017 Q October 2017 April 2018 End of 2018 TBC Treasury Consultation closes FCA consultation closes (TBC) PSD2 implementation deadline Deadline for new authorisation information (SPIs) FCA follow up publications (e.g. on EBA mandated requirements (TBC) Keep up-to-date by visiting the FCA PSD2 webpages 3

4 HM Treasury update Treasury to provide update following publication of its consultation on implementation of the revised EU Payment Services Directive 4

5 Purpose of these slides The purpose of these slides is to set out, for the SLG s consideration our draft proposals for implementing the reporting and notifications requirements of PSD2. The slides focus particularly on the requirements which are not dependent on work streams of the EBA (i.e. where the FCA has discretion to implement the requirements). These are the proposals we expect to consult on in Q The proposals are subject to change and further development prior to that consultation. We provide details (slides 3-5) on all the PSD2 requirements for reporting and notifications. In the rest of the slide pack we set out for consideration our proposals for implementing the following requirements: a) Statistical data on fraud relating to different means of payment b) Complaints reporting c) Notification of refusal or withdrawal of access to payment account services d) Notification of denial of access to payment accounts to providers of AIS/PIS SLG members are asked to review these proposals and the related questions in advance of the SLG meeting. Detailed comments and questions can also be provided by (paymentservices@fca.org.uk) following the SLG and may be discussed in subsequent SLG meetings. 5

6 PSD2 reporting and notification requirements (summary) Relevant draft regulation PSRs 2017/ article PSD2 Requirement Who it affects FCA or EBA Proposed reporting dates Regulation 109 (Art. 96 PSD2) Regulation 98/ Art. 95 PSD2 Regulation 30 (Art.29 PSD2) Reporting Reporting Statistical data on payments fraud All PSPs FCA implementing Assessment of operational and security risks measures Reporting from inward passporting firms All PSPs EEA firms passporting into UK (and UK firms passporting into EEA) EBA is developing guidelines for the framework for operational and security risk management reporting is dependent on this framework EBA is developing RTS on the framework for cooperation and exchange of information between competent authorities (including reporting from passporting firms) Collect data from 13 January 2018 Report annually first report Q Annually First report Q TBC Regulation 109 Complaints reporting All PSPs FCA proposes to extend complaints reporting to all PSPs Collect data from 13 January 2018 Report annually (linked to accounting reference date) first report Q Notifications Regulation 99 (Art. 96 PSD2) Incident Reporting All PSPs EBA is developing guidelines, including notification template Event driven Regulation 105 (Art. 36 PSD2) Notification of refusal or withdrawal of access to payment account services All credit institutions providing payment account services FCA implementing Event driven Regulation 71 (Art. 68 PSD2) Regulation 38 (Art. 37 PSD2) Notification of denial of access to All ASPSPs (all providers of payment accounts to providers of payment accounts accessible account information services or payment online e.g. banks, credit card initiation services providers, e-money providers) Notification of services carried out under the limited network exclusion Providers of services based on payment instruments that are limited in their use e.g. gift cards, store cards, fuel cards etc. FCA implementing FCA implementing Event driven Notifications from 13 October 2017 Regulation 39 (Art. 39 PSD2) 6 Notification of services carried out under the electronic communications network exclusion Providers of payment services in addition to electronic communication services (mobile phone operators) e.g. charging to mobile phone bill purchases digital services in addition to airtime FCA implementing Notifications from 13 October annual auditors report

7 1. What the directive says: Reporting (summary) Statistical data on payments fraud At least every year, PSPs must send their competent authorities statistical data on fraud relating to different means of payment. Competent authorities must provide this information in an aggregated form to the European Banking Authority (EBA) and European Central Bank (ECB). Assessments of operational and security risks measures At least every year, PSPs must send their competent authorities an updated and comprehensive assessment of the operational and security risks to their payment services. They must also include information on the effectiveness of the mitigation measures and control mechanisms they have brought in. Reporting from inward passporting firms Member States may require payment institutions that have agents or branches in their territories to report to them periodically on the activities they carry out in their territories. Complaints reporting Article 101 on dispute resolution provides that in ensuring that PSPs put in place and apply adequate and effective complaints resolution procedures for the settlement of complaints, member states shall monitor their performance in this regard. We propose to extend the reporting of complaints data to the FCA to payment and e-money firms which do not currently report. All payment service providers will be required to complete a new payment services complaints form. 7

8 1. What the directive says: Notifications (summary) Incident Reporting PSPs must notify their competent authorities as soon as possible if they become aware of a major operational or security incident. When the competent authority receives this notification they will be required to give the EBA, the ECB and any other relevant authorities in the Member State relevant details. Notification of refusal or withdrawal of access to payment account services PSD2 requires that credit institutions deal with requests for access to payment account services (i.e. banks accounts including safeguarding accounts) in a proportionate, objective and non-discriminatory manner. Credit institutions will have to have certain steps in place to ensure they treat all such requests fairly. Credit institutions will also be required to notify the competent authority as and when they refuse a request for such access, providing duly motivated reasons. Notification of denial of access to payment accounts to providers of AIS/PIS Firms that provide payment accounts (see PERG 15.3 what is a payment account ) to their customers that are accessible online will have to give AISPs and PISPs access to these accounts, with the user s consent and authentication. Access can only be denied by the ASPSP for reasonably justified and duly evidenced reasons relating to unauthorised or fraudulent access to the payment account by that account information service provider or payment initiation service provider, including the unauthorised or fraudulent initiation of a payment transaction. Notification of services carried out under the limited network exclusion Firms that benefit from the Limited Network Exclusion will have to notify us if their transactions are over 1 million in any 12 month period and provide a description of their activities. When we receive this notification, we will decide if these services are excluded or not. Firms in this position must continue to give us these notifications every year, unless their transaction value falls below the 1 million limit. Notification of services carried out under the electronic communications network exclusion All firms relying on the Electronic Communications Network Exclusion must notify and give us a description of the service. They must also provide us with an annual audit opinion that their customers transactions fall within the financial limits stated in the exclusion. 8

9 a) Statistical data on fraud relating to different means of payment what the directive says At least every year, PSPs must send their competent authorities statistical data on fraud affecting different types of payment. Competent authorities must provide this information in an aggregated form to the European Banking Authority (EBA) and European Central Bank (ECB). In the absence of guidance from the EBA and ECB on the data to be provided, we have developed an interim payments fraud return which focuses on reporting of the top three means of payment most prevalently implicated in fraud and up to three fraud methods which emerged in the reporting period but are not covered in the top three. The fraud reporting we propose to request replicates and builds on existing fraud reporting across the payments industry The reporting may change in subsequent reporting periods given on-going work by EBA/ECB to harmonise the data reported Our objectives are to use this data: to assess whether the enhanced security measures introduced by PSD2 have reduced the prevalence of fraud; to understand whether firms have appropriate systems and controls to prevent financial crime to understand risks to consumers (for example the Which? Super Complaint indicated a possible uplift in fraud relating to push payments i.e. where the payment is maliciously misdirected) 9

10 a) Statistical data on fraud relating to different means of payment how we propose to implement For each PSP s top three means of payment most prevalently impacted by fraud, we propose to direct that PSPs collect the following data from 13 January 2018 and report in Q1 2019: The payment type (selected from a drop down list) [see next slide] Transaction numbers and value of all transactions in the reporting period using the specific payment type Transaction numbers and value of fraudulent transactions in the reporting period using the specific payment type For the payment type, how was the fraud most commonly executed? (selecting the top three types of fraud execution from a drop down list) [see next slide] We propose that firms should report fraud relating to both unauthorised transactions and authorised transactions (i.e. push payments where the payer has been defrauded see drop down list) We are also considering the best way to collect data from firms on any new and emerging payment related fraud, i.e. where this is not reported against the top three payment types bearing in mind the 2019 report will be the first time firms are reporting data to the FCA. See slide 9 for example fraud return with made-up responses 10

11 a) Statistical data on fraud relating to different means of payment how we propose to implement Drop down options for payment type Drop down options for fraud executions Bacs Direct debit Bacs Direct credit Faster Payment Chaps credit Credit card Debit card Pre-paid card SEPA instant Payment initiation service Account information service other Remote purchase (CNP) Manipulation of the payer to issue a payment order (malicious misdirection) Issuance of a payment order by the fraudster Modification of a payment order by the fraudster Lost or stolen card - cash advance at ATM Lost or stolen card - retail transaction contactless used Lost or stolen card - retail transaction pin used Counterfeit (skimmed/ cloned) Card ID theft (account takeover) Card ID theft (application fraud) Unauthorized modification of data stored on an e-money card/e-money account Unauthorised e-money account transaction card not received Application fraud Account takeover unauthorised or fraudulent access to payment account (AIS/PIS) unauthorised or fraudulent initiation of a payment transaction (AIS/PIS) 11

12 a) Statistical data on payments fraud proposed draft return Please provide data on the top three frauds (ranked by number of fraudulent transactions) related to different means of payment (examples in green) A B C F Payment type Total number of transactions using this payment type (millions) Total value of transactions using this payment type in the reporting period ( millions) Total number of fraudulent transactions using this payment type (millions) Total value of fraudulent transactions using this payment type ( millions) For the payment type, how was the fraud most commonly executed? Please provide the top three types of fraud execution 1 Means of payment most prevalently implicated in fraud (if other please specify) Debit card xxx xxx xxx xxx 1 Remote purchase (CNP) 2 Fraud on lost or stolen cards 3 Counterfeit (skimmed/cloned) 2 Means of payment second most prevalently implicated in fraud (if other please specify) Credit card xxx xxx xxx xxx 1 Remote purchase (CNP) 2 Fraud on lost or stolen cards 3 Counterfeit (skimmed/cloned) 3 Means of payment third most prevalently implicated in fraud Bacs Direct debit xxx xxx xxx xxx 1 2 Issuance of a payment order by the fraudster 3 12

13 a) Statistical data on fraud relating to different means of payment Questions for the SLG: Do the payment types and fraud execution sub-categories we have proposed represent all relevant payment services provided and types of fraud PSPs and their customers experience? Do any of the items of data we propose to require pose an issue to particular PSPs? If so what is the issue and what are the alternatives for collecting statistical data on Fraud? Please consider any practical barriers or difficulties to collecting this information Any other comments on our proposal? 13

14 b) Complaints reporting what the directive says PSD2 is a maximum harmonising directive which HMT is likely to implement largely by copy-out. The FCA is must work within the framework set by the legislation. Article 101 PSD2 requires that: dispute resolution rules apply to complaints of payment service users (PSUs) concerning rights and obligations under titles III and IV and title III of the Electronic Money Directive (see annex 1) we refer to these as PSD/EMD complaints banks (and other PSPs) must reply to complaints on paper (or if agreed with the PSU on another durable medium) replies must address all points raised within 15 business days if replies cannot be given within 15 days for reasons beyond the control of the PSP, it must send a holding reply, indicating the reasons for the delay and specifying the deadline by when the PSU will receive the reply the deadline shall not exceed 35 business days the PSP must inform the PSU of an ADR entity which is competent to deal with disputes 14

15 b) Complaints reporting how we propose to implement The proposed DISP rules set the narrow requirements for compliance with PSD2. Replying to complaints about payment services, that are broader than titles III and IV, or all complaints within the PSD2 time limits would also meet the requirements. Complaint under DISP: any oral or written expression of dissatisfaction, whether justified or not, from, or on behalf of, a person about the provision of, or failure to provide, a financial service.. All complaints Complaints about payment services PSD/EMD complaints: complaints of payment service users concerning the rights and obligations arising under Titles III and IV of this Directive (and title III EMD) PSD/EMD complaints Must be responded to within 15/35 days under PSD2 15

16 b) Complaints reporting how we propose to implement PSD2 requires that: Member states shall monitor the performance of PSPs in respect of 101 Draft Proposals: we propose a new payment services complaints reporting form to be completed by all PSPs, including banks and building societies on an annual basis (aligned to accounting reference date) this will collect data on complaints about payment services but for those complaints exceeding 15/35 day time limits we will require a breakdown of the number of those complaints that are PSD/EMD complaints (in order to monitor compliance with the time limits) we propose to collect data on the different types of payment service complained about (see slide 8) The objective of these complaints reporting proposals is to: allow us to monitor complaints about the provision of payment services across the payment services market (banks, building societies, APIs, EMIs) for the first time allow firms to compare their performance against the average in the payment services market we plan to publish the data on our website (anonymised and aggregated). 16

17 b) Complaints reporting how we propose to implement We have proposed a list of payment services (see table 1 in next slide) against which firms will report the number of complaints (as a subset of their total complaints about payment services), we have proposed these products/ services because: These are the payment services complaints identified in financial ombudsman data and we want to closely monitor these complaints We want to monitor complaints about new payment services (such as AIS and PIS) Collecting complaints data on specific products will allow us to monitor issues. Publishing this data on the FCA website (anonymised and aggregated) will enable firms to compare their performance against the average in the sector. See draft proposals for complaints return (next slide) Table 1 total payment services complaints opened (broken down into payment services) Table 2 complaints closed within DISP time limits and PSD2 time limits and redress paid Table 3 contextualisation metrics 17

18 b) Complaints reporting proposed draft return Table 1 Complaints opened Product/service Direct debits A Total Table 3 Contextualisation metrics Product/service A Payment volume in reporting period (1 year) B Number of unique users Standing orders Pre-paid cards and e-money Credit cards Money transfer domestic (i.e. Bacs, Chaps, FPS) Direct debits Standing orders Complaints about payment services Money transfer abroad Debit cards/ cash cards Payment initiation services Account information services ATM withdrawals Other payment service - Please provide details below Other - Sample Product Complaints about payment services Pre-paid cards and e-money Credit cards Money transfer domestic (i.e. Bacs, Chaps, FPS) Money transfer abroad Debit cards/ cash cards Payment initiation services Total complaints about payment services ATM withdrawals Table 2 Complaints closed, upheld and redress paid Account information services A B C D E F G H I J closed within 3 days closed > 3 closed > 15 days but closed> 35 days closed > 8 within 35 weeks days weeks Total closed Total upheld Total redress paid for upheld complaints (single units) Total redress paid for complaints not upheld (single units) Total redress paid (single units) Complaints about payment services or electronic money Of complaints about payment services, please provide the number of complaints concerning rights and obligations arising under titles III and IV PSD or titles III EMD for the remaining columns.

19 b) Complaints reporting Questions for the SLG What payment services complaints data do firms already collect? Should other payment services be added to the list in the complaints form (see hand-out and slide 8)? What is the best contextualisation metric to use for payment services complaints? Payments volume? 19

20 c) Notification of refusal or withdrawal of access to payment account services what the directive says PSD2 article 36 (Regulation 105 PSRs2017) requires that credit institutions deal with payment institutions requests for access to payment account services (i.e. banks accounts including safeguarding accounts) in a proportionate, objective and non-discriminatory manner. Credit institutions will have to have certain steps in place to ensure they treat all such requests fairly. Credit institutions (CI) will also be required to notify the competent authority as and when they refuse a request for such access, providing duly motivated reasons. How we propose to implement: We will provide guidance in our Approach Document on what constitutes a refusal Credit institutions will be directed to complete a refusal/ withdrawal return (see next slide for a draft of the proposed form) The return should be submitted to the FCA at the same time as the access seeker is informed of the CI s decision (if for any reason they are not informed, the FCA should be notified without undue delay) Our objective is to use the notification to monitor compliance with Regulation 105 and assess whether further action is necessary based on the notifications we receive. Notifications will be shared with the PSR with whom we share competence for Regulation

21 c) Notification of refusal or withdrawal of access to payment account services proposed draft return Credit Institution Name Firm Reference Number Contact details (TBC) Details of the party refused access to payment account services Please confirm the regulatory status of the party that was refused access to payment account services: Was access refused or withdrawn? Name and address Drop down: - electronic money institution -authorised payment institution -registered account information service provider -EEA authorised payment institution -EEA registered account information service provider - a person that has submitted an application for registration or authorisation of any of the above - unknown refused [Tick] 21 What products and or services was the party accessing (in the case of withdrawal) or seeking access to? What were the reasons for refusing or withdrawing access? When was a decision made to refuse or withdraw access? Was the decision to refuse access communicated to the party seeking access? If so, on what date was the decision communicated? What period of notice was given if access was withdrawn? Please describe the process that was followed to make the decision Please provide details of the criteria that were applied by the credit institution when deciding whether to refuse or withdraw access Were the reasons communicated to the party seeking access or having access withdrawn? Was the access seeker provided with an opportunity to respond to the credit institutions concerns or rectify any identified risks before the decision to refuse/ withdraw access was made? withdrawn [Tick] Drop down: - safeguarding account - operational account (i.e. business current account) - transactional account - other [if other, please describe] {Freeform} Date YES/ NO If yes, give date [in days] {Freeform} YES/ NO

22 c) Notification of refusal or withdrawal of access to payment account services Questions for the SLG Are there any standard reasons for refusal or withdrawal that we could include in a drop down in the form to aid form standardisation? Are there any particular questions asked in the form which would be difficult for credit institutions to answer? If so, why? Is there anything missing from the notification form? 22

23 d) Notification of denial of access to payment accounts to providers of account information services or payment initiation services PSD2 article 68 (Regulation 71 PSRs 2017) requires firms that provide payment accounts to their customers that are accessible online will have to give AISPs and PISPs access to these accounts, with the user s consent and authentication. Access can only be denied by the ASPSP for reasonably justified and duly evidenced reasons relating to unauthorised or fraudulent access to the payment account by that account information service provider or payment initiation service provider, including the unauthorised or fraudulent initiation of a payment transaction. PSD2 requires an ASPSP to notify the FCA if it denies access to a PISP or AISP under regulation 71(7). The notification must include the details of the case and the reasons for taking action. How we propose to implement: ASPSPs will be directed to provide a return (see draft on next slide) when they deny access to AIS or PIS providers to their customers payment accounts When denying access to an AIS or PIS to a single customers payment account the ASPSP must notify immediately (as quickly as possible) after the first occasion on which it denies access. It is only required to notify once more in respect of that AIS or PIS access to the same customer when that access has been restored When denying access to an ASPSP to all or some of its customers payment accounts for the same reason, the ASPSP is similarly required to notify once, and must notify when access is restored to those same customers 23

24 d) Notification of denial of access to payment accounts to providers of account information services or payment initiation services proposed draft return 1.Type of notification Is this notification: (i) an initial notification that access to a payment account has been denied under regulation 71(7) of the Payment Services Regulation 2017; ii) a notification that the issues set out in a previous notification have been resolved such that access has been restored? Access denied [tick] Please fill in all sections (including section 5 where applicable) Access restored [tick] Please fill in sections 2, 3 and 5. 2.ASPSP submitting the notification: ASPSP name Firm Reference Number Address Contact details 3. Details of the AISP/PISP that has been denied access: Name Where known, the authorisation number of the AISP/PISP contained in the public register(s) of the home Member State defined in Article 14 of Directive (EU) 2015/2366 (e.g. the FCA refers to this as the Firm Reference Number ) Name of the competent authority with which the AISP or PISP is registered or authorised 4. Denial of access Has access been denied to a single payment account or to all payment accounts or a category of payment accounts? Time and date at which access was denied What were the reasons for taking action? Unauthorised access [tick] Fraudulent access [tick] Please provide a description of the circumstances that led to the denial of access If, at the time of submission of this notification access continues to be denied, what steps does the AISP/PISP need to take in order for the ASPSP to restore access? 5. Restoration of access Where access has been restored, please provide details of how the issue was resolved: 24

25 d) Notification of denial of access to payment accounts to providers of account information services or payment initiation services Questions for the SLG Are there any particular questions asked in the form which would be difficult for ASPSPs to answer? If so, why? Is there anything you believe is missing from the notification form that would help the FCA assess the case and take appropriate measures? 25

26 Annex 1 This is a list of provisions under titles III and IV PSD2 (and title III EMD), including a non-exhaustive list of examples of complaints that would be deemed PSD or EMD complaints under PSD2. Title III - Transparency of conditions and information requirements for payment services (articles 38 60) Provision Complaints could be about, for example: 40 Charges for information 44/45 Prior general information (e.g. Information on rates being provided, information on charges) Provision of information after payment (e.g. statement information, breakdown of charges) The framework contract (i.e. terms and conditions) 55 Termination outside of notice period Information on individual payment transactions 59 Payment made in the wrong currency 60 Charges which the customer was not made aware of in advance Title IV Rights and obligations in relation to the provision and use of payment services (articles ) 62 Merchant has been prevented from charging or steering customers by the PSP (within the cost borne) 67 Customer prevented from using AIS/PIS 68 Spending limits agreed have not been enacted 68 Blocking of payment instrument (where not agreed in framework contract) or not informing the user 70 Unsolicited payment instruments 71 Failure to rectify unauthorised payment transaction 73 Unauthorised payment transactions 78 Payment orders incorrect 81 Deductions from the transaction amount 83 D+1 rules for crediting customers account 87 Value dating 88 Incorrect unique identifiers 89 Defective execution 97 Strong customer authentication 101 Complaints procedure not followed as per PSD2 TITLE III - Issuance and redeemability of electronic money 11 Redemption not provided on request (within the timeframe) 26