In recent months, many people have been asking us the question – what happens to PSD2 requirements on Access to Account when the UK leaves? These requirements oblige UK and EU financial institutions to “open their accounts” and allow third parties (TPPs) to access information or initiation payments, at the request of the account holder.
On 7 July 2020, the European Commission published a “notice to stakeholders” called WITHDRAWAL OF THE UNITED KINGDOM AND EU RULES IN THE FIELD OF BANKING AND PAYMENT SERVICES. It is fairly dry stuff and gave a rather legalistic view of the formal position that would exist. On the 29th of July, the European Banking Authority (EBA) made a much more direct statement, calling on financial institutions to get ready and spelling out some of the consequences.
The key statement as regards PSD2 Access to Account was, “Account information service providers (AISPs) and payment initiation service providers (PISPs) registered/authorised in the UK will no longer be entitled to access customers’ payment accounts held at the EU payment service providers and their PSD2 eIDAS certificates under Article 34 of the Commission Delegated Regulation (EU) 2018/389 will be revoked.”
Considering that 50% of TPPs operating under PSD2 are registered in the UK, this is quite massive.
How Sure Are We That This Will Happen on the 1st January 2021?
Brexit has already happened and we are now in a transition period. Everything written in this article is based on the assumption that no deal is made which would allow business to continue after the transition in some other way.
Some Definitions and Legal Explanation
Before we get on to the detailed impacts, let’s just go over some terminology about TPPs, registration, passporting and qualified certificates.
All institutions that provide payment services must be regulated. They are regulated (registered) by the National Competent Authority (NCA) of their country. This might be the central bank, or another organisation: in the UK it is the Financial Conduct Authority. Organisations that can access accounts – so TPPs – are either Credit Institutions, Payment Institutions or Electronic Money Institutions (plus one or two rarer categories).
Europe’s 4882 credit institutions automatically have the right to access accounts, but it is not clear how many of them actually want to. The interest has been in the “FinTechs” – which are (according to popular opinion) newer, smaller, more agile, more technology-savvy companies which are entering the financial services area with new innovative services.
These TPPs must not only be regulated for Account Information Services or Payment Initiation Services but “Passport” to other countries where they want to do business.
Finally, in order to technically connect, the TPPs must obtain “Qualified PSD2 Certificates” from regulated (Qualified) Trust Service Providers (QTSPs). The QTSP community has been trying to understand whether or not they will be allowed to issue Qualified PSD2 certificates to UK financial institutions after Brexit.
The Impact on UK TPPs Accessing EU Bank Accounts
Firstly, UK TPPs (whether Credit Institutions, Electronic Money Institutions or Payment Institutions) will no longer have a right to access EU bank accounts and will be restricted to the UK ecosystem.
Aware of this possibility, many have been opening businesses and applying for a second license in another EU country, as a contingency plan. As Gijs Boudewijn, European Payments Federation, puts it, “The fact that a hard Brexit would result in the loss of passporting rights for UK TPPs has been known for a pretty long time. Where relevant from a business perspective we have seen UK TPPs obtain PDS2 licenses in other member states. ”
Ralf Ohlhausen of the European TPP Association cautions that if a TPP has not done this, they are now effectively too late. “The EBA’s reminder is good, but a TPP which is not yet in the middle of a new authorisation process already, may not get there anymore in time before the end of the year. Obtaining a PSD2 license is quite a big and lengthy effort, especially for smaller fintechs.”
UK TPPs could imagine that they might strike bilateral deals with banks to access accounts and to do so using non-PSD2 APIs, but this could be tricky. The quid pro quo of PSD2 was not only that ASPSPs were obliged to offer access, but that it was mandatory for the TPPs to become regulated if they are offering payment services, which includes account information and payment initiation services.
The Impact on EU Regulated Entities
It should not be forgotten that this is a two-way process, and just as UK TPPs are accessing accounts in Europe, so EU TPPs are accessing accounts of UK Banks. As, George Miltiadous of HSBC (UK), put it that “Some of the larger consumers of UK APIs are TPPs regulated outside the UK.”
Such TPPs will miss the UK, which had to have APIs 18 months before the rest of continental Europe and so the quality and maturity of the APIs is significantly better than most countries in Europe, with some TPPs arguing that the UK is the only national community with a coherent and stable enough set of APIs that enables them to run a commercial product at a national level.
The impact on EU ASPSPs will be minimal. They may see a drop off in traffic, as the UK TPPs drop off, but real API usage is only just starting, with some clusters of banks more advanced than others.
The UK Competition and Markets Authority (CMA) has already planned to make some tweaks to PSD2 rulings to make the UK ecosystem more useable to TPPs, as Ralf says, “The good news for the TPPs staying in the UK is that the CMA thankfully just suggested getting rid of the 90-day AIS re-authentication nightmare right after Brexit. The rest of Europe must hope that EBA will change that unfortunate RTS stipulation very quickly too – before it drives other countries to exit!”
Presumably, this divergence is the kind of independence that the Brexit supporters hoped to see, with the departure of the UK, although it comes at a cost of scale and the ability to reach half a billion people in one economic area.