As several PSD2 deadlines approach, PSPs must comply with reporting and notification requirements, as well as with their GDPR obligations.
Though the majority of the provisions of the revised EU Payment Services Directive (PSD2) came into force in the UK on 13 January 2018, the regulatory technical standards (RTS) on strong customer authentication (SCA) and secure communication apply from 14 September 2019. The FCA has issued a helpful reminder setting out some important deadlines that payment service providers (PSPs) must meet to be compliant.
Application Programming Interfaces
PSD2 allows third party providers (TPPs) to build payment services on top of the existing platforms of financial institutions; such institutions must give TPPs access to customer account information through open application programming interfaces (APIs). Financial institutions can enable this access either by constructing a dedicated interface built on these APIs or by adapting their existing customer-facing interfaces. In either case, the interface and the customer authentication measures that accompany it must be in place by 14 September 2019.
Competent authorities can exempt an institution that opts for a dedicated interface from the requirement to also provide a contingency mechanism, that is, a fall-back means of access for TPPs should the dedicated interface fail. Any such exemption request must, however, be submitted by 14 June 2019. The FCA further encourages payment providers to engage with testing facilities and live interfaces as early as possible, so that services to their customers continue without interruption from 14 September 2019.
The FCA has also finalised several reporting and notification requirements, as summarised below.
- Fraud Reporting. PSD2 requires PSPs to provide competent authorities with statistical data on payments fraud annually. Competent authorities then provide this data in an aggregated form to the European Central Bank (ECB). PSPs should have started collecting such data reflecting these guidelines from 1 January 2019.
- Authorised Push Payments (APP). APP fraud occurs when a fraudster, under false pretences, tricks a payer into authorising a push payment to an account the fraudster controls. The FCA's reporting requirements for complaints relating to APP fraud take effect from 1 July 2019.
- Dedicated Interface Reporting. Under the RTS, PSPs that offer a dedicated interface must publish quarterly statistics on its availability and performance. These statistics must be published from 14 September 2019, and PSPs must also report problems with their dedicated interfaces from that date.
Data Privacy and PSD2
Companies seeking to ensure compliance with PSD2, and the SCA in particular, should also be mindful of their obligations under the General Data Protection Regulation (GDPR).
For certain transactions, SCA requires that a customer authenticates with at least two independent elements drawn from the following categories: knowledge (something only the customer knows, such as a PIN); possession (something only the customer has, such as their phone); or inherence (something the customer is, such as their fingerprint). Two elements from the same category, for example a PIN and a password, do not satisfy the requirement. Where the inherence element relies on fingerprint or facial recognition, biometric data will be processed, and biometric data processed to uniquely identify a person is expressly listed in Article 9(1) of the GDPR as a "special category of personal data".
This processing has two main consequences. First, it is lawful only if the PSP can rely on both an Article 6 lawful basis and one of the Article 9(2) exceptions. Second, a data protection impact assessment (DPIA) must be carried out before such functionality is deployed (a point also confirmed in guidance issued by the UK's Information Commissioner's Office (ICO)). DPIAs are mandatory under Article 35 of the GDPR where processing is likely to result in a high risk to the rights and freedoms of individuals, particularly where new technologies are used. PSPs should therefore build "privacy by design" into the early stages of application development, rather than retrofitting it once the authentication flow is already in place.