In this short piece, we give an overview of the main aspects of payment services regulation in the UK. We also explore two ‘hot topic’ trends: data and cryptoassets.
Para 1 looks at the rules at a high level. Para 2 takes a closer look at the two data-focused payment services introduced by the Second Payment Services Directive and briefly explores the impact of Open Banking. Para 3 looks at how regulators are starting to bring cryptoassets within the payment services regulatory perimeter.
1. UK payment services regulation – overview
Two Statutory Instruments underpin the regulation of payment services in the UK:
- the Payment Services Regulations 2017 (the ‘PSRs’); and
- the Electronic Money Regulations 2011 (the ‘EMRs’).
These regulations started life as the UK implementations of the underlying EU directives – the Second Payment Services Directive and the Second Electronic Money Directive. Now, post-Brexit transition period, they are part of retained EU law in the UK.
At a high level, the PSRs require providers of payment services to be authorised or registered with the FCA. They also establish a regulatory regime that payment service providers must follow.
The EMRs create an authorisation and registration framework for issuers of electronic money.
Beyond the PSRs and the EMRs themselves, there is a range of helpful regulatory guidance:
- A useful first port of call is the Perimeter Guidance Manual in the FCA Handbook (otherwise known as ‘PERG’). PERG contains separate chapters on the PSRs (15) and the EMRs (3A) and contains guidance on the scope of the rules. PERG helps to answer the scoping question, which is typically: do I need to be authorised or registered with the FCA to do [x]?
- The Approach Document. The FCA’s Approach Document sets out the FCA’s approach to implementing the PSRs and the EMRs.
- EBA ‘level three material’. This is a range of non-legislative material produced by the European Banking Authority (the ‘EBA’), including its guidelines, opinions and recommendations. Following the end of the Brexit transition period, it will be important to check the FCA website to confirm the FCA’s compliance position on this material.
2. Trend 1: data in payment services – the PSRs and Open Banking
With the regulatory background in mind, our first trend: the ever-expanding role of data in payment services.
Beyond the general increase in the importance of data in digital commerce, there are two specific structural drivers for this in the payment services world:
- the first is the creation of new data-driven payment services in the PSRs.
- the second is Open Banking.
The creation of new data-driven payment services in the PSRs
The PSRs created two new data-driven payment services:
- Account Information Services (or ‘AISs’); and
- Payment Initiation Services (or ‘PISs’).
AISs are defined (in the PSRs) as “online service[s] to provide consolidated information on one or more payment accounts held by the payment service user with another payment service provider or with more than one payment service provider”.
PISs are defined (in the PSRs) as “online service[s] to initiate a payment order at the request of the payment service user with respect to a payment account held at another payment service provider”.
AISs and PISs are interesting because they take advantage of other rules in the PSRs which require banks to share user account data with third-party service providers (assuming the user consents, of course).
AISs and PISs are nothing new – the PSRs have been in force since January 2018. But what we are seeing now – three years down the line – is a flourishing industry sector enabled by the regulatory framework underpinned by the PSRs. This sector is increasingly interested in harnessing the vast amounts of data that flow through its systems.
The second structural driver is Open Banking.
Precisely what is meant by “Open Banking” varies by jurisdiction. But a helpful general definition is provided by the Basel Committee on Banking Supervision:
Open Banking is “the sharing and leveraging of customer-permissioned data by banks with third party developers and firms to build applications and services, including for example those that provide real-time payments, greater financial transparency options for account holders, marketing and cross-selling opportunities.”
Open Banking is relatively well developed in the UK. This is thanks in large part to a major investigation by the UK Competition and Markets Authority (‘CMA’) into the retail banking sector in the mid-2010s. The CMA’s investigation uncovered several areas of concern in the sector, primarily around the way the UK’s largest retail banks were not transparent about the customer data they held.
At the end of its investigation, the CMA proposed a number of remedies. The key one for our purposes was the “open banking remedy”, which required large UK retail banks to develop and adopt open API banking standards to make their data more accessible to customers and third-party service providers.
Data in payment services – practical points
A number of practical points emerge from these trends:
- First, data is getting more important. Entities involved in payments structures where data is exchanged should ensure their contracts capture dataflows accurately. They should grant and take licences appropriately.
- Second, given the pace of change in the sector, entities should consider whether their important data contracts have enough flexibility to cover potential future use cases of data as well as current ones.
‘Bonus’ trend – payment services regulation and GDPR
The relationship between payment services regulation and GDPR is something of a ‘bonus’ trend here: it will not come as a surprise to privacy lawyers that much of the user account data shared in the provision of AISs and PISs is personal data for the purposes of GDPR.
A key point here is to bear in mind how the PSRs and the GDPR fit together. There is some friction, particularly around:
- the appropriate GDPR lawful basis of consent;
- the concept of consent itself, as the PSRs concept is slightly different from the GDPR standard; and
- ‘silent party’ data (silent parties being natural persons whose data is processed by a payment service, but who are unaware of the processing – e.g. a ‘payee’ in a payment services application).
The European Data Protection Board’s Guidance on the interplay between payments rules and GDPR from December 2020 is a useful starting point here.
3. Trend 2: cryptoassets
Our second trend is that payment services regulation is starting to grapple with the wild west of cryptoassets.
This trend begins with an emerging class of cryptoassets called stablecoins. Stablecoins are a class of cryptoasset which aim to maintain a stable value. Stablecoins can achieve this in a number of ways, but the most common are:
- to peg their value to a stable ‘real world’ asset, like USD or gold; or
- to have their value determined by an algorithm.
In this respect, stablecoins are unlike other cryptoassets. Other cryptoassets are typically characterised by significant price volatility – making them prime candidates for speculative investment, but less useful as a stable, reliable store of value. Stablecoins, by contrast, have clear real-world uses – for instance as a cash-like holding asset used to store value pending investment decisions.
For this reason, coupled with their burgeoning popularity, stablecoins are the next step on the regulatory frontier for payment services. Their rapid growth poses a number of issues regulation would look to address, including: systemic risk, if an important stablecoin failed; the risk that consumers are mis-sold complex – perhaps even nonsensical – financial products; and distortive competitive advantage versus traditional financial products, if the regulatory burden faced by stablecoin users is artificially low.
HM Treasury’s stablecoin consultation paper
All this is the background to the UK Treasury’s consultation paper on stablecoin regulation from January 2021, which sets out a number of regulatory proposals, based in large part on the existing regime for payment services under the PSRs and the EMRs.
At this stage, the Government’s intention is only to regulate currency/asset-backed stablecoins, not algorithmic stablecoins, which are spared for the time being. The proposals touch on a number of points:
- an authorisation or registration regime for certain market participants;
- a number of new regulated activities, including creating, issuing and destroying stablecoins; and
- other prudential requirements like capital and liquidity requirements.
The Government’s proposals are still in the early stages of the regulatory process. The consultation closed in mid-March and the Treasury is still reviewing the responses.
Stablecoin regulation – practical points
But there are several practical points to bear in mind at this stage:
- First, in the coming years a greater number of cryptoassets – stablecoins and potentially other varieties – will fall within the regulatory perimeter. This is going to make payment services regulation relevant for a greater number of digital commerce businesses.
- Second, although regulators are beginning to tackle cryptoassets, we are still very much in a Galapagos Islands world where cryptoassets come in a great many shapes and sizes. This makes it more important for market participants to diligence cryptoassets properly. By diligence we mean: understanding contractual T&Cs, redemption and exchange rights and the relationship between the cryptoasset and the underlying asset (if any).
- Third, market participants should ensure they understand both their own role and other participants’ roles in the structure. This is particularly important where formal regulatory authorisation is not required for a given activity – but registration with or notification to a regulator is necessary. In practice these points are sometimes missed.
See e.g. this Bloomberg article: Crypto’s Shadow Currency Surges Past Deposits of Most U.S. Banks.