The January 13th deadline for the highly-anticipated Second Payment Services Directive, or PSD2, to be adopted by EU Member States has now come and gone. In the UK, the Financial Conduct Authority (FCA) has implemented the Directive within its 2017 Payment Services Regulations.

The headlines have understandably focused on open banking and APIs, which, for the first time, allow third parties to access customer bank account data, provided the customer grants permission, and to provide value-added services. Security and liability challenges have been flagged as the major sticking points as customer account data is opened to non-bank third parties.

But hold on to your hats, the FCA's new e-money and payment services approach document — which aims to help UK Payment Service Providers (PSPs) navigate their way through the new payments landscape — has unearthed some obscure elements to the regulations that could have compliance managers reaching for the headache tablets. Here are seven things you probably should know about PSD2, but no-one may have mentioned:

  1. First up, it might surprise you to learn that PSD2's reach extends well beyond the 28 EU member states. While some non-EU transactions are now caught in its tentacles, so too are transactions where one leg is conducted by a PSP that is outside the EU.
  2. For digital marketplaces and e-commerce platforms that handle client money, it's time to get to grips with the finer details of PSD2, which has tightened its interpretation of the "commercial agents" or "limited networks" exemptions that these platforms previously relied on to avoid becoming a licensed provider of regulated payment services.
  3. Retail consumers can kiss goodbye to irritating card surcharges, most of which will be sent for scrappage under PSD2. Businesses will continue to suffer, however, as corporate cards remain outside the scope of the regulation.
  4. What's a payment account when it's at home? Confusingly, PSD2 and the FCA's 2015 Payment Accounts Regulations, which implemented the EU Payment Accounts Directive, have different definitions of what constitutes a payment account. Cue head scratching.
  5. Re-birth of the monthly account statements. Despite the 'digitalisation' and 'innovation' themes of PSD2, the FCA's approach document states that payment service providers must now "provide" (which has a specific definition relating to proactively pushing this out to the customer) monthly account statements on paper or a "durable medium" (which also has a specific definition, see below). This does seem odd given the focus on ousting outmoded means of communication and making account data more modern, convenient and ultimately paper-free.
  6. Outage response is about to get a whole lot more serious. 2017 saw a number of well-publicised issues/outages, but Twitter may no longer suffice as a reporting tool for major operational and security incidents. The FCA now requires notification of major operational and security incidents, within hours of them occurring, as well as regular updates. Some "challenger bank" customers have praised their bank's transparency in keeping customers updated via Twitter, but going forward, it may no longer be enough to rely on apologies via social media.
  7. The FCA will be inundated with PSD2 re-authorisation applications. Not the snappiest of headlines but under PSD2, all existing e-money and payment services businesses need to be re-authorised to continue operating beyond mid-July 2018. The FCA set a submission deadline of mid-April, giving itself a three-month approval window. However, anecdotal research suggests that many within the sector have not submitted theirs yet. Come April, the applications will be rolling in thick and fast and it'll be interesting to see how the FCA copes. The big question is, can the applications be approved quickly enough to ensure the sector powers on and that service to customers continues?

January 13th may not have been the earthquake that some predicted, but compliance officers could be trembling come July – much depends on the agility of the FCA in approving re-authorisation applications at speed.

Jargon is inevitable in such an intricate regulatory field, so here are some of my terms explained a little further:

PSD2 Jargon Buster

Durable medium: According to the FCA, 'durable medium', in the context of PSD2, refers to "any instrument which enables the payment service user to store information addressed personally to them in a way accessible for future reference ... and which allows the unchanged reproduction of the information stored." This could mean printouts, CD-ROMs (remember them?!), DVDs, etc. Hardly modern-day storage devices in the age of the Cloud. The FCA says "in certain circumstances internet sites" may qualify as a durable medium.

Payment account: This isn't as obvious as the name may seem. Interpreting regulations can often be a game of semantics. PSD2 is no different. It defines a 'payment account' as an "account held by one or more payment service users, which is used to conduct payment transactions." It may include savings and current accounts, or accounts that combine savings with mortgage and payment facilities; the account simply needs to be used to make payments. Yet the FCA's 2015 Payment Accounts Regulations do not class some savings or credit-card accounts as payment accounts. Wonderfully clear, then.

Payment Service Provider (PSP): PSD2 introduces two new classes of PSPs: Payment Initiation Service Provider (PISP) and Account Information Service Provider (AISP), which are expected to provide new services, in addition to those already offered by banks, building societies, payment and e-money institutions. AISPs could, for example, provide aggregated bank account information and analysis services. PISPs, who "initiate a payment from the user account to the merchant account by creating a software bridge," could begin offering services including peer-to-peer transfers and bill payments.

Myles Stephenson is Chief Executive of Modulr.