Taking on PSD2

With two key cut-off dates for compliance with the new Payment Services Directive (PSD2) coming up in early 2018, all payment services and e-money firms should be working towards fulfilling their new obligations, as well as applying for re-authorisation or re-registration (as appropriate) as soon as they possibly can – or take the risk of forfeiting their licensed status. 

The first cut-off date will require authorised payment institutions (APIs) and authorised e-money institutions (AEMIs) to comply with the majority of the new requirements introduced by PSD2 from 13 January 2018. Firms should also factor in the need to give two months' notice of changes to terms of business, i.e. by 13 November 2017.

The new requirements to be met by the January deadline include changes to the conduct of business rules, new complaints handling timeframes and new reporting and notification duties, including in respect of security incidents, fraud data and complaints. Exceptions to this are limited:

• The new control thresholds bringing the regime into line with the 10, 20 and 30 percent change in control bands applying to most other regulated firms will not apply to firms until they have become re-authorised, i.e. they will not apply to firms with a transitional licence.
• Requirements to report complaints will only apply from a reporting period beginning July 2018.
• Strong customer authentication (SCA) and secure communications requirements, come into force 18 months after the date on which the regulatory technical standards (RTS) adopted by the EBA under PSD2 come into force (April 2019 at the earliest).

Additionally, firms, including small payment institutions (SPIs) and small e-money institutions (SEMIs), must submit their applications for re-authorisation / re-registration by 12 April 2018 (extended to 12 October 2018 for SPI re-registration) if they are to be re-authorised by 12 July 2018 – being the date on which transitional authorisations will cease. This process has been developed to ensure that all existing payment services firms and e-money firms are PSD2 compliant and held to the same standard as new firms applying for authorisation.

Summary timeline

• 13 October 2017: applications for re-authorisation opened – the FCA recommends submissions to be made “as early as possible”.
• 13 January 2018: (the majority of) PSD2 requirements become effective.
• 12 April 2018: deadline for APIs, AEMIs and SEMIs to submit applications, including all required information. The application fee payable is £750 for re-authorisation and £250 for re-registration.
• 13 July 2018: existing authorisations and registrations for APIs/AEMIs and SEMIs will expire and the FCA Register will be updated to reflect this. If they wish to provide services beyond 13 July 2018, firms must have submitted a re-authorisation application providing all the relevant information before 13 April 2018.
• 12 October 2018: deadline for SPIs to submit applications.
• 13 January 2019: existing SPI registrations will expire; if they wish to provide services beyond this date, firms must have submitted a re-registration application before 12 October 2018.

The FCA must make a decision on a complete application within 3 months and must determine an incomplete application within 12 months.

However, the transitional provisions in the Payment Services Regulations 2017 (PSRs) implementing PSD2 and associated FCA guidance do not address what would happen where an application is made in good faith before the 13 April deadline, but is subsequently found not to have contained all the information required. As drafted, the PSRs would entitle the FCA to treat such an application as incomplete, and take the decision timeline beyond 12 July 2018 – meaning the transitional period would be over and the firm would lose its licence at that point, even if the FCA were still working on the application in a positive manner.

For this reason we suggest firms ensure they submit fully complete applications, and against the contingency that the FCA does not deem them complete, submit sooner rather than later to allow the FCA time to ask questions or request further information before 12 April 2018.

What does the application entail?

The relevant re-authorisation or re-registration form is available on and should be submitted through the FCA website, complete with all the additional information relating to their updated security and compliance frameworks, including:

• descriptions of:
  • risk management procedures and the firm's resources for monitoring, handling and reporting security incidents and security-related customer complaints;
  • the processes in place to file, monitor, track and restrict access to sensitive payment data – the form requires a significant level of detail, such as detail on flows of sensitive data within the business, access rights, authorisations and policies, monitoring tools, expected internal or external use of data, breach identification and a description of an annual internal control program;
  • a business impact analysis, arrangements for business continuity and the procedure for testing and review of such plans, disaster recovery and back-up, description of how key events will be dealt with (e.g. key system failure, key person failure, inaccessibility, loss of key data) and mitigation measures;
  • principles and definitions applied for the collection of statistical data on performance, transactions and fraud;
• for businesses that propose providing newly regulated account information or payment initiation services (AIS/PIS), confirmation that they hold professional indemnity insurance (PII) or a comparable guarantee; and
• a security policy document including a detailed risk assessment and mitigation measures taken to adequately protect users against risks identified, including fraud and illegal use of sensitive and personal data.

Firms with agents would also need to take these operations into account in their answers.

Clearly, an API/EMI's ability to complete the application successfully is dependent on it having in place the relevant policies and processes required under PSD2, which, as set out above, should be in place by 13 January 2018. The proper development of these should not be underestimated and depending on the status of their existing arrangements, firms might find that they have a significant amount of work to do before they are in a position to begin applying for FCA re-authorisation.

Please contact the FSR team if you would like assistance with navigating this process and the changes being introduced by PSD2.