Regulation, regulation and more regulation

In the immediate aftermath of the 2007/8 financial crisis, measures to promote better conduct and improve customer protection and the resilience of the financial system dominated the regulatory agenda. More recently, regulators in many countries have added competition and innovation objectives to their agenda.

These present significant challenges for those in the payments industry who face compliance with multiple regulatory requirements.

This year in the UK, for example, payments institutions will be implementing the Payment Services Directive 2 (PSD2), the Open Banking initiative and the Global Data Protection Regulation (GDPR), and some will also be coping with ring-fencing of their retail and investment banking operations. Throw into the mix the implications of the UK’s exit from the European Union and that amounts to a whole heap of trouble.

The deadline for implementation of PSD2, January 2018, comes before the UK officially exits the EU. John Salmon, a partner at London-based law firm Hogan Lovells, says most banks are expected to go ahead with their PSD2 plans, regardless of what a post-EU UK will look like.

“From a retail banking point of view, most of the business is quite domestic,” he says. “The big exception is payments. Banks have invested millions into PSD2 and are unlikely to throw that all away; they see the changes they are making as long-term.”

Salmon believes the UK authorities may tweak the PSD2 directive for cross-border payments in the post-EU environment and add elements to it, but it won’t be abandoned.

Salmon does not believe the UK’s exit from the EU will have a big impact on PSD2, GDPR or Open Banking. The main challenge will be on the technology front as institutions try to plan IT strategies for these multiple initiatives. The regulatory environment is still quite fluid and not everything has been nailed down.

A case in point is the regulatory technical standards (RTS) on strong customer authentication and secure communication. The European Banking Authority (EBA) says these are “key to achieving the objective of the PSD2 of enhancing consumer protection, promoting innovation and improving the security of payment services across the European Union”.

Until the end of February, there had been little clarity about the RTS and how they should be implemented. At the end of February, the EBA published the final draft RTS. It described them as the result “of difficult trade-offs between the various, at times competing, objectives of the PSD2, such as enhancing security, facilitating customer convenience, ensuring technology and business-model neutrality, contributing to the integration of the European payment markets, protecting consumers, facilitating innovation, and enhancing competition through new payment initiation and account information services”.

One of the main concerns addressed by the final draft relates to the exemptions from the application of strong customer authentication based on:

  • the level of risk involved in the service provided;
  • the amount and recurrence of the transaction;
  • the payment channel used for the execution of the transaction…

This is an excerpt. The full article is available in the March 2017 edition of Banking Technology.