The guidelines create new obligations for financial, payment, and electronic money institutions that will impact cloud outsourcing and deployment of FinTech.

By Fiona M. Maclean and Laura Holden

On 25 February 2019, the European Banking Authority (EBA) published a final report on its draft guidelines on outsourcing arrangements (Guidelines). The report followed the EBA’s publication of draft guidelines in June 2018 (Draft Guidelines) and the ensuing public consultation in September 2018 (Public Consultation).

The Guidelines replace the 2006 Committee of European Banking Supervisors (CEBS) Guidelines on Outsourcing (CEBS Guidelines) and replace and incorporate the EBA’s final recommendations on outsourcing to cloud service providers (Cloud Recommendations). Financial institutions will now only need to consult one set of guidelines for cloud and non-cloud outsourcing.

The Guidelines apply to a wider range of entities (Covered Entities for the purpose of this article) than the CEBS Guidelines and the Cloud Recommendations, including payment or electronic money institutions. The Guidelines now apply to all financial institutions that are:

  • Within the scope of the EBA’s mandate, including credit institutions
  • Investment firms subject to Directive (EU) 2013/36 IV (Capital Requirements Directive)
  • Payment institutions
  • Electronic money institutions

As a result, a wider range of companies, such as FinTech companies, will now face the challenge of remaining agile and competitive in fast-moving markets, whilst managing the administrative and practical challenges of maintaining compliance with the Guidelines.

The Guidelines come into force on 30 September 2019. Any outsourcing arrangements entered into, reviewed, or amended by Covered Entities after that date must comply with the Guidelines. Covered Entities must also update all existing outsourcing arrangements in line with the Guidelines by 31 December 2021. For Covered Entities that are already subject to the Cloud Recommendations, these deadlines will not have any effect on their obligation to comply with the cloud specific requirements – these requirements will continue to apply as they did prior to publication of the Guidelines. An overview of the status of the Cloud Recommendations, per jurisdiction, can be found here.

While “critical and important functions” are subjected to stricter rules, the Guidelines generally apply to all outsourcings by Covered Entities, including intragroup outsourcings, representing a further widening of scope when compared with the CEBS Guidelines. Covered Entities will therefore face additional administrative burdens that they must balance with the need to stay ahead of the competition. Following concerns raised at the Public Consultation, the EBA clarified in the Guidelines that regulators will not consider every outsourcing to a cloud solution as critical or important; rather the same test applies as with other non-cloud service providers, taking into account “cloud specificities”.

Under the Guidelines, the definition of “outsourcing” is based on the Commission Delegated Regulation (EU) 2017/565 and defined as: “an arrangement of any form between an institution, a payment institution or an electronic money institution and a service provider by which that service provider performs a process, a service or an activity that would otherwise be undertaken by the institution, the payment institution or the electronic money institution itself”.

The Guidelines define “critical or important functions” based on the wording of MiFID II and the Commission Delegated Regulation (EU) 2017/565, which includes functions that “if a defect or failure were to occur, would materially impair the continuing compliance of the firm’s activities and obligations”.

To outsource banking and payment services to a third country (i.e., non-EU) service provider, the Guidelines require the competent authorities responsible for supervising each party to have a co-operation agreement in place. Therefore, post-Brexit, the UK’s Financial Conduct Authority will need to agree a co-operation agreement with EU regulators to ensure that cross-border outsourced arrangements can continue between the UK and the EU27.

The PSR will not review the fees and rules set by Visa and Mastercard, but will look at the practice of bundling, and will examine effects on innovation in card-acquiring services.

By Brett Carr, Stuart Davis, and Christian McDermott

Following the publication of its Draft Terms of Reference in July 2018, the PSR has now listened to market feedback and has issued its Final Terms of Reference, marking the launch of its review into whether competition in the supply of card-acquiring services is working well for merchants and consumers.

Card-acquiring services allow merchants to accept payment for goods and services via debit, credit, charge, and prepaid cards. In order to benefit from card-acquiring services, merchants must enter contracts with so-called “merchant acquirers”. Card-acquiring services are often bundled with other services, referred to by the PSR as “card acceptance products” — these include physical card readers (also known as point-of-sale (POS) terminals) and payment gateways (the e-commerce equivalent of POS terminals).

The Final Terms of Reference follow a consultation period on the Draft Terms of Reference, the details of which are covered in Latham’s previous blog post.

The PSR is to consider whether there is effective competition in the market and makes clear that further reviews of the payments ecosystem could be triggered by its findings

By Brett Carr, Stuart Davis and Christian McDermott

The Payment Systems Regulator (PSR) has issued Draft Terms of Reference for a market review into the supply of card-acquiring services.

The PSR will use its powers under the Financial Services (Banking Reform) Act 2013 to carry out the market review in line with its statutory competition, innovation and service user objectives.

Effective competition in the payments market is a focus of the PSR, and this review follows shortly after dawn raids reported by the PSR in February 2018 as part of its first action under the Competition Act 1998.

Highlights

  • The PSR is taking these steps to investigate concerns that savings from the interchange fee cap are not being passed on to merchants, there is a lack of transparency around the fees paid by merchants to accept card payments and there are barriers to the substitution of acquirer service providers, which all point to competition not working well in the card-acquiring market.
  • A range of actions is open to the PSR, which could see it give directions to the market and its participants, make proposals to the FCA or make a market investigation reference to the CMA.

The FCA has outlined its approach to implementing key standards under the revised Payment Services Directive.

By Christian McDermott, Stuart Davis, Brett Carr, and Charlotte Collins

The FCA has published a statement on its website relating to the European Banking Authority’s (EBA’s) Opinion and draft Guidelines of 13 June 2018 on the Regulatory Technical Standards on Strong Customer Authentication and Common and Secure Communication under PSD2 (the RTS).

Background

The drafting of the RTS, which will apply from 14 September 2019, proved to be one of the most controversial aspects of the revised Payment Services Directive (PSD2) (for background on the RTS, please see Latham’s related Client Alert). The RTS provide for how account information service providers and payment initiation service providers — commonly referred to as third party providers (TPPs) — should interact with account servicing payment service providers (ASPSPs) such as banks. This is crucial to enabling TPPs to provide their services, which rely on ASPSPs making available certain information regarding a customer’s payment account (with the customer’s consent). In turn, these new services will help to open up the banking sector to new business models.

The consolidation of UK payment system operators marks another big step in delivering on the New Payments Architecture.

By Stuart Davis and Brett Carr

What happened?

Operational responsibility for the Bacs and Faster Payments systems, which process a combined £6.3 trillion worth of payments annually, has transferred to the New Payment System Operator (NPSO).

The successful consolidation of the operators (and planned consolidation of the Cheque and Credit Clearing Company in late 2018) has been a key focus for both the Payment Systems Regulator (PSR) and the Bank of England. Proponents argue that by bringing the operators together, the NPSO will help not only to simplify access to payment systems and promote competition, but will also help deliver other identified solutions (see What’s next?). As a single, primary deliverer of many of these solutions, the NPSO will be more efficient than the current three entities and it will be able to realise projects and their benefits more quickly and cost effectively. The consolidation plan has been articulated in the Payment System Operator Delivery Report issued in May 2017.

Bank of England announces that, for the first time, a non-bank payment services provider has accessed the UK payments system directly.

By Andrew Moyle, Stuart Davis, Charlotte Collins, and Brett Carr

The Bank of England has announced that a regulated payment services provider (PSP) has become the first non-bank direct participant in the UK’s Faster Payments system. This was facilitated by the Bank of England extending settlement account access in its Real-Time Gross Settlement (RTGS) system to non-bank PSPs, which was announced in July 2017 (see Latham’s related blog post). This change enabled non-bank PSPs to access the UK payment schemes that settle in central bank money directly for the first time, rather than needing to “plug in” to these systems indirectly via settlement agent banks.

Numerous models exist for direct and indirect participation in the UK’s various payment systems, and on-boarding timescales are improving rapidly (it is expected that it will take a well-prepared PSP around 12 months to gain access). 2017 was a record year for the number of new direct participants joining the main UK interbank payment systems (seven banks). But this announcement marks a milestone for non-bank payment services providers, helping to reduce the inherent complexity and cost of the provision of payment services by non-banks.