New guidance on account providers’ open banking obligations in latest FCA PSD2 policy statement

In its latest policy statement, the FCA gave new guidance to payment account providers and other payment service providers on how to meet their obligations under the revised Payment Services Directive (PSD2).

Notably, for account providers working to ensure access to third-party providers, the FCA:

  • strongly encouraged firms to consider meeting their open access requirements using a dedicated application programming interface (API), rather than adapting their customer interfaces 
  • advised firms that plan to use an API, and wish to be exempt from the requirement to put in place contingency measures against a failure of that API, to apply to the FCA for an exemption by 14 June 2019
  • clarified that exemption applications should evidence how the interface meets the PSD2 exemption requirements
  • encouraged all firms seeking an exemption to contact the FCA in advance

Background to this policy statement
PSD2 was implemented in the UK in January 2018. The Directive provides for various implementing technical standards and European Banking Authority (EBA) guidelines to come into effect in 2019. During the course of this year, the FCA has been consulting with market participants on some of these standards and guidelines. This policy statement confirms the FCA's approach to amending its Payment Services and E-money Approach Document and Handbook in light of those measures and consultations.
 
Open banking – what’s the big idea?
PSD2 introduced new rights for certain third-party banking service providers to directly access consumers' online payment accounts (with their consent), and required account providers to enable such access. The benefiting third-party providers include those providing account information services, payment information services, card-based payment instruments and payment initiation services. These measures are designed to open up the banking industry to new players and foster innovation. They are also aimed at protecting consumers, not least by combating the widespread practice of consumers having to provide their log-in details to third-party providers, at great risk to their own account security. Instead, under open banking, customers can be directed to their payment account providers in order to provide their credentials, rather than having to provide them to the third-party provider.
 
Dedicated (API-based) interface vs modified customer interface
Account providers offering online services may enable account access either by using a dedicated interface built on an API or by adjusting their customer interface to comply with the applicable security, information, exchange and identification rules which are being introduced in September 2019 under the strong customer authentication requirements. In the UK, a number of retail banks are already developing a standard set of secure APIs. In its policy statement, the FCA emphasised the benefits of standardised APIs for market participants and consumers and encouraged account providers to adopt one.
 
Contingency measures against failures of dedicated interface

Under PSD2, account providers that rely on a dedicated API interface are generally required to put in place a contingency mechanism to provide fall-back access in the event that the dedicated interface fails. However, the Directive provides for competent authorities to exempt account providers who are building APIs from the requirement if the dedicated interface meets certain conditions. Under the EU technical standards, unless account providers have been granted this exemption by 14 September 2019, they will have to build a contingency system.

Clarifications on process for contingency exemption

The FCA’s policy statement provided some further clarity on the process for applying for the contingency measures exemption in the UK. In particular, it noted:

  • Firms are encouraged to contact the FCA in advance of seeking an exemption.
  • Exemption requests should be submitted to the FCA by 14 June 2019, so that firms have sufficient time to put in place the contingency measures if their applications are denied.
  • It is for individual account providers to provide the FCA with a description of the technical specifications they have implemented and a summary of how these fulfil the requirements of PSD2.
  • If an account provider does not meet some of the requirements when it submits its exemption request, but demonstrates "clear and credible plans" to meet them by 14 September 2019, the FCA may indicate that it is "minded to exempt" and confirm the exemption once it has received evidence that the requirements have been met.
  • The FCA aims to issue a decision within one month of receiving an application.
  • Any firm that does not have an exemption before 14 September 2019, including any business which intends to start providing services after that date, will need to build a contingency mechanism.

Other guidance
The FCA policy statement sets out various other detailed and helpful clarifications on its guidance in respect of PSD2, with a particular focus on:
 
  • the secure communications between UK payment account providers and third-party providers (which includes the contingency exemptions outlined above);
  • strong customer authentication requirements applicable to all payment service providers; and
  • amended fraud reporting requirements applicable to all payment service providers.

From September 2019, account providers and third-party providers will also be under an obligation to report ‘problems’ with APIs to the FCA. The FCA refused to provide further guidance as to what a reportable problem may be, other than to refer back to the regulatory technical standards, which state that a systems breakdown is presumed to take place when five consecutive requests for access to information in respect of third-party payment services are not replied to within 30 seconds.

What happens next?
2019 is set to be a busy year for many payment service providers, as they work to meet their PSD2 obligations:
 
  • By 14 March, all account providers with online payment accounts will need to have in place (i) the technical specifications of their access interfaces; and (ii) testing facilities for third-party providers.
  • By 14 June, those seeking exemptions from the contingency mechanism requirement will need to have submitted their applications to the FCA.
  • By 14 September, any contingency mechanism exemptions will need to be in place and all payment service providers will need to comply with the new strong customer authentication rules.

Firms should take note of the changes to the FCA’s Payment Services and E-money Approach Document and Handbook outlined in the policy statement and adapt their practices accordingly.
 
Should you need advice on any of the above, please don’t hesitate to get in touch.