The Digital Agenda for Payment Services

Nilixa DevlukiaFinancial Conduct Authority

30 September 2015

80 BC 17891000-600 BC

1200 BC

A really long time ago

1966 1967 2012 2015

Applepay

Coins made from base metals appear in China

Bank of England first issues a £10 note

First cash machine in the world installed by Barclays

Contactless payments introduced on London buses

Barter

How We Pay?

What is Digital?

Replacement of cash?

Replacement of bricks and mortar?

Mobile money?

Benefits Potential Pitfalls

Inclusion Exclusion

Ease of use Consumer understanding/ protection

Speed Security

Access Behavioural changes

Tailored services Complexity Cost

The Wider Galaxy (not far far away!)

PSDII Objectives

PSD II -Timeline

Compromise text published in June.

Publication in OJ expected late

2015 – Enters into force 20 days

later

Transposition deadline 24 months after

publication (late 2017)

NB.– EBA RTS on SCA and secure communication

subject to a different timeline

! EBA RTS on strong customer authentication & secure communication expected to take effect in 2018

What’s changed- ScopePSD1 EEA Currency: conduct of business requirements apply intra EEA (both legs in EEA)

PSDII EEA and non EEA Currency: conduct of business requirements apply intra EEA (both legs in EEA)

PSD2 EEA and non EEA currency: conduct of business requirements apply for that part in the EEA (one leg) X

X

Some information requirements excludedExecution time

What’s changed- Reporting –more more and more……………….

Note – interaction with NIS directive

• Mandates regular assessment and reporting of security risks to CAs

• Annually - an updated and comprehensive assessment of the operational and security risks associated with the payment services they provide and on the adequacy of the mitigation measures and control mechanisms implemented in response to these risks

• Obligation to report individual incidents and upward reporting by the competent authority

• When the incident could impact the financial interests of users, the PSP shall inform them too

• Annually - statistical data on fraud related to different means of payment to their competent authority

Two New Payment Services • PSD2 regulates two new payment services:

1. Account Information Services (AIS) - account aggregation2. Payment Initiation Services (PIS)

• Mandates third party access with user consent to payment accounts accessible online

• Introduces a liability regime for AIS and PIS

• Obligation to indemnify ASPSP losses

• Lighter touch supervision regime for AIS

• Note - Specific provision for instrument issuers (Article 57a) – clarity required for e-money providers

EBA RTS for Strong Customer AuthenticationSCA requires at least two of the followingwhenever a payer:• Accesses their payment

account• Initiates a remote payment• Carry's out any action with a

risk of fraud or other abusesthrough a remote channel

Elements must be independent so that breach of one does not compromise the integrity of the others

EBA RTS for Secure Communication

• Emphasis on AIS/PIS but standards will apply to all communication sessions between all parties

• Will also protect integrity and confidentiality of user’s personal security credentials

• Standards will cover:1. Identification2. Authentication3. Notification4. Information5. Security measures

Role of the EBA

• 14 PSDII Mandates

• Tight timelines

• Running alongside UK implementation

• Top tip! Respond to EBA consultations

Next steps

Publication of the final text in late 2015

2016 onwards: EBA work on its mandates

2016: UK transposition

2017: UK transposition

Thank You