The UK’s consultation on deregulating commercial agents could have knock-on impacts on payment services and create regulatory divergence from the EU.

By Christian McDermott, Brett Carr, and Grace Erskine

On 16 May 2024, the UK government launched a consultation into the deregulation of the Commercial Agents (Council Directive) Regulations 1993 (the Commercial Agents Regulations). The Commercial Agents Regulations implemented Council Directive 86/653/EEC (the Commercial Agents Directive) and defined certain pro-agent terms of engagement between businesses and their self-employed commercial agents who are authorised to negotiate the sale or purchase of goods on their behalf.

The stated purpose of the consultation is to ensure that the Commercial Agents Regulations serve the needs of UK businesses post-Brexit, and to remove the legal complexities resulting from the interaction of the Commercial Agents Regulations with the English legal system’s rules on agency and contract law. The UK government’s current proposal is for existing contracts under the Commercial Agents Regulations to remain in force until termination or expiry, and to prevent new contracts from being subject to the Commercial Agents Regulations.

In addition to affecting relationships between UK agents and their principals, the proposals could also have knock-on effects for the payments sector, which we explore in this post.

The updates are part of SAMA’s efforts to promote an innovation-based financial technology ecosystem in the KSA.

By Salman Al-Sudairi, Brian A. Meenagh, and Homam Khoshaim

Last month, the Saudi Arabian Monetary Authority (SAMA) issued an update to the recently implemented Payment Services Provider Regulations (PSPR), which was introduced in January 2020 to regulate Payment Services Providers (PSPs) operating in the Kingdom of Saudi Arabia (KSA). The PSPR provides a clear path for PSPs to obtain SAMA-issued licenses to provide payment services in the KSA. Notably, the PSPR applies concepts implemented by the European Union’s Payment Services Directive (PSD2). This should remove some of the friction involved in international PSPs launching operations in the KSA by allowing them to apply the same business models and operating processes already applied in the jurisdictions in which they operate.

Call for input: Industry needs to engage as the FCA moves forward on its transformative vision for open finance.

By Stuart Davis and Brett Carr

Imagine a world in which you could access your bank accounts, credit cards, mortgage, pensions, savings accounts and ISAs, brokerage account, home and car insurance, life insurance, and other financial products on one user interface or app, even if each of those products is held with a different provider. Then, imagine that the app could provide innovative financial management services across all of those products, such as automated switching to the best products, holistic investment advice and budgeting, and sweeping of excess cash into products yielding a better return than today’s current accounts. This world may be closer than you think, and it will likely have profound impacts for incumbent and new financial services business.

European Commission confirms SCA measures should apply to EU consumers purchasing from UK websites in the event of a no-deal Brexit.

By Christian F. McDermott, Jagveen S. Tyndall, and Amy Smyth

Complex payment processing chains comprise multiple entities operating behind the scenes to support everyday transactions.

The strong customer authentication (SCA) requirements introduced by the revised EU Payment Services Directive (PSD2) aim to reduce fraud and make online payments more secure (as described in previous posts of June and August 2019). SCA requires that a customer provide two forms of identification that meet the following criteria:

While the payments industry scrambles to meet new standards for APIs, the FCA grants an extension for SCA compliance.

By Christian F. McDermott, Jagveen Tyndall, and Amy Smyth

In an effort to evaluate the readiness of banks to comply with the revised EU Payment Services Directive (PSD2), Tink, a banking platform and data provider, has reported that it tested 84 application programme interfaces (APIs) spanning 2,500 banks and 12 European markets. According to Tink the results showed that none of these APIs were sufficiently robust to meet the new regulatory standards. Separately, the UK’s Financial Conduct Authority (FCA) has delayed the implementation of the strong customer authentication (SCA) requirements introduced by PSD2 to enhance the security of all electronic payment services.

Stripe-commissioned report projects that Europe’s online economy risks losing €57 billion when SCA goes into effect on 14 September.

By Christian F. McDermott

A recent report released by 451 Research and commissioned by Stripe, the online payment processing business, has found poor levels of readiness for the requirements of Strong Customer Authentication (SCA). The report projects that European businesses stand to lose €57 billion in economic activity in the first 12 months after SCA takes effect on 14 September 2019.

Background

The revised Payment Services Directive (EU) 2015/2366 (PSD2) introduced SCA as a means to help achieve the overall aim of “ensuring that all payment services offered electronically are carried out in a secure manner, [by] adopting technologies able to guarantee the safe authentication of the user and … reduc[ing], to the maximum extent possible, the risk of fraud.”[1]

As several PSD2 deadlines approach, PSPs must comply with reporting and notification requirements, as well as with their GDPR obligations.

By Christian F. McDermott, Fiona M. Maclean, and Jagveen Tyndall

Though the majority of the provisions relating to the revised EU Payment Services Directive (PSD2) came into force in the UK on 13 January 2018, the regulatory technical standards (RTS) and strong customer authentication measures (SCA) will come into force on 14 September 2019. The FCA has issued a helpful reminder setting out some important deadlines that payment service providers (PSPs) must meet to be compliant.

Application Programme Interfaces

PSD2 allows third party providers (TPPs) to build payment service infrastructures upon the existing platforms of financial institutions; such institutions must provide TPPs with access to client account information via open application programme interfaces (APIs). Financial institutions seeking to enable such access can do so by either constructing dedicated interfaces built on these APIs or through adjusting existing customer interfaces. In both instances, such interfaces and their accompanying customer authentication measures must be in place by 14 September 2019.

Driven by payments innovation and new regulation, 2018 is cited as the year for some of the most significant changes retail banking has seen.

By Stuart Davis and Brett Carr

At the Westminster Business Forum for Digital Payments, Adoption, Innovation and Policy Priorities, Graeme McLean (Head of Banking, Lending & Distribution at the FCA) appraised a panel and audience including legislators, innovators, and market infrastructure providers on the regulatory state of play heading into 2018.

With the revised Payment Services Directive (PSD2) set to apply from 13 January 2018 (see Latham’s Client Alert Understanding PSD2: Key Points to Know About the Upcoming Regime), the industry finds itself, according to McLean, just weeks away from an impending “diversification the retail banking sector has never seen before”.

By Christian McDermott, Calum Docherty, Stuart Davis and Anne Mainwaring

The European Banking Authority (EBA) has published its consultation document on security measures for operational and security risks under the revised Payment Services Directive (PSD2).

The WannaCry ransomware attack that swept across the globe last week revealed the destructive and indiscriminate nature of cyber threats. It attacked hospitals, telecoms networks and universities, seizing hold of important data and leaving users and systems administrators temporarily powerless. These are precisely the risks that the payments industry wants to avoid as it braces for the revised PSD2, which will come into force across the EU from 13 January 2018. As such, the EBA has published a consultation paper on security measures for operational and security risks under PSD2, setting out proposed requirements for payment services providers (PSPs) to mitigate the concomitant payment processing risks.

The consultation paper is one of the EBA’s three security mandates in PSD2, complementing the Regulatory Technical Standards on Strong Customer Authentication and Common and Secure Communication (submitted to the European Commission for adoption 23 February 2017), and the Guidelines on Major Incidents Reporting (which recently finished its consultation).