SCA-RTS: Key changes - AISP and PISP access
The FCA have confirmed that there will be an additional exemption from SCA for an AISP’s access to a customer’s account balance and 90 day transaction history as long as SCA is used for the first access. The AISP must still confirm the customer’s explicit consent every 90 days. Unlike the proposals currently being considered in the EU, use of the exemption will be optional for ASPSPs but the FCA strongly encourages them to apply the exemption as soon as possible. The FCA will monitor the use of the exemption with the possibility of the exemption becoming mandatory if TPP access is being unnecessarily hindered by the use of SCA.
The other significant change is the requirement for ASPSPs to provide a dedicated interface for certain payment accounts. The range of accounts and the providers who are excluded are the same as those set out in the consultation, with ASPSPs given until 26 May 2023 to implement the changes. This is potentially significant where ASPSPs have relied on modified customer interfaces, although given the range of payment accounts in scope many providers will have been required to use the Open Banking API.
In terms of developing the dedicated interface the FCA have confirmed that to help promote innovation, technical specifications and testing facilities for interfaces may now be made available at the launch of new products and services rather than six months in advance. In addition, the obligation to maintain a contingency mechanism will apply six months after launch.
The feedback received on the FCA’s proposals indicates that there are still very different views on the risks and benefits associated with TPP access.
The new version of the Approach Document includes amendments to reflect changes resulting from Brexit and the onshoring process, and also to explain how the regulations, rules and guidance apply to firms within the TPR or SRO. Many of the changes are as consulted on with some useful clarifications on dynamic linking for transactions where the final amount is not known, liability for fraudulent or unauthorised transactions, and merchant initiated transactions amongst other things.
There are some changes and perhaps most significant amongst those is the FCA’s revised view on what can constitute inherence. The FCA had already indicated that it disagreed with the restricted interpretation of “inherence” set out by the EBA in its opinion on SCA factors although it hadn’t indicated how or why it disagreed. The FCA has now clarified that it thinks that inherence can be defined as a characteristic attributable to a person regardless of whether it relates to a physical property of the body. As a result, it can include a behavioural characteristic such as detailed shopping patterns. So, PSPs will be able to use behavioural analytics to verify the behavioural characteristics of an individual for the purpose of SCA. It is clear from the feedback in the Policy Statement that this change has come as a result of lobbying from those in the industry as to the effectiveness of some of the products in this area.
As a result of the recent High Court judgment in the Ipagoo case and the finding that the EMRs do not create a trust over safeguarded funds, the FCA has made some changes to the proposed guidance. It has removed some, but not all, references to trusts and has amended the template safeguarding credit institution acknowledgement letter. Further guidance may be issued following its appeal of the Ipagoo judgment.
By way of contrast, the FCA has decided that no amendments are required as a result of the European Court of Justice judgment in the DenizBank case and its conclusions on contactless card payments. In the feedback the FCA states that it thinks that the judgment does not necessarily prevent the replacement of non-contactless cards with cards which include both Chip and pin and NFC functionality although it doesn’t expand on why it takes this view. That being said, this statement alone will be helpful to card issuers looking to make this type of replacement.
The majority of the changes are effective from 30 November 2021, although it is likely that firms will need time to consider and implement changes.
As set out above there is a longer lead-in time for the requirement to have dedicated interfaces for some accounts, with firms having until May 2023. Although the FCA is confident that the timescale will be sufficient, experience shows that these projects are challenging so firms who are impacted will want to move swiftly to ensure that the deadline can be met. The new exemption for AIS access will be available from 26 March 2022 so both ASPSPs and AISPs will need to consider what they need to do to enable the use of the exemption.