SUP 15.14 Notifications under the Payment Services Regulations
Application
This section applies to payment service providers.
Purpose
The purpose of this section is to give directions and guidance to payment service providers relating to the form, content and timing of notifications required under the Payment Services Regulations.
Notification by credit institutions under regulation 105
A full credit institution to which regulation 105 of the Payment Services Regulations applies must notify the FCA if it refuses a request for access to payment account services from:
- (1) a person falling within paragraphs (1)(a) to (e) (excluding (1)(d)) of the Glossary definition of payment service provider; or
- (2) an applicant for authorisation or registration as such a payment service provider.
References in this section to a refusal of a request for access to payment account services include a withdrawal or termination of access to such services.
A notification required by regulation 105(3) of the Payment Services Regulations and SUP 15.14.3D must include duly motivated reasons for the refusal.
Unless the FCA directs otherwise, a notification required by regulation 105(3) of the Payment Services Regulations and SUP 15.14.3D must be submitted by the full credit institution to the FCA:
- (1) in the form specified in SUP 15 Annex 9D;
- (2) by electronic means made available by the FCA; and
- (3) at the same time as it informs the person referred to in SUP 15.14.3D(1) or (2) of its refusal.
If for any reason the full credit institution does not notify the person referred to in SUP 15.14.3D(1) or (2) of its refusal, the full credit institution must submit the notification required by SUP 15.14.3D immediately following the decision by the full credit institution to refuse access.
The direction in SUP 15.14.6D will not apply if the FCA gives a different direction to a specific credit institution, in the light of the particular circumstances surrounding a refusal of access to payment account services, about how to notify the FCA. The FCA is likely to be minded to do so where a credit institution decides to withdraw access to a large number of persons falling within paragraphs (1)(a) to (e) (excluding (1)(d)) of the Glossary definition of payment service provider simultaneously, such that complying with SUP 15.14.6D becomes impractical, and provides advance notice of the proposed withdrawal to their usual supervisory contact at the FCA. For these purposes, fewer than ten persons is unlikely to be considered a large number.
Credit institutions are reminded of the general notification requirements in SUP 15.3, including the obligation to notify the FCA as soon as they become aware of any matter (including a matter which may occur in the foreseeable future) which could affect their ability to continue to provide adequate services to their customers and which could result in serious detriment to a customer of the credit institution (SUP 15.3.1R(3)).
Notification by account servicing payment service providers under regulation 71
An account servicing payment service provider to which regulation 71(8)(c) of the Payment Services Regulations applies must notify the FCA if it denies an account information service provider or a payment initiation service provider access to a payment account under regulation 71(7).
A notification required by regulation 71(8)(c) of the Payment Services Regulations and SUP 15.14.10D must include details of the case and the reasons for denying access.
A notification required by regulation 71(8)(c) of the Payment Services Regulations and SUP 15.14.10D must be submitted by the account servicing payment service provider to the FCA:
- (1) in the form specified in SUP 15 Annex 10;
- (2) by electronic means made available by the FCA; and
- (3) immediately after the first occasion on which it denies the account information service provider or the payment initiation service provider in question access to a payment account.
Where:
- (1) an account servicing payment service provider denies access to more than one payment account or to a payment account on multiple consecutive occasions; and
- (2) these denials of access:
  - (a) are in respect of the same account information service provider or payment initiation service provider; and
  - (b) arise out of the same facts and happen for the same reasons,
the account servicing payment service provider is required to submit only a single notification in respect of them under regulation 71(8)(c) of the Payment Services Regulations and SUP 15.14.10D.
Where an account servicing payment service provider has already submitted a notification in accordance with regulation 71(8)(c) of the Payment Services Regulations and SUP 15.14.10D and continues to deny access to a payment account, it is not required to notify the FCA of a consecutive denial of access that happens after the original notification was sent if it:
- (1) is in respect of the same account information service provider or payment initiation service provider; and
- (2) arises out of the same facts and happens for the same reasons.
An account servicing payment service provider that has previously submitted a notification in accordance with regulation 71(8)(c) of the Payment Services Regulations and SUP 15.14.10D must notify the FCA if it subsequently restores access to the payment account for the account information service provider or payment initiation service provider that was the subject of the original notification, unless it indicated in the first notification that it intended to immediately restore access and access was so restored.
A notification required under SUP 15.14.15D must be submitted by the account servicing payment service provider to the FCA:
- (1) in the form specified in SUP 15 Annex 10;
- (2) by electronic means made available by the FCA; and
- (3) immediately after it restores access to the payment account(s) for the account information service provider or payment initiation service provider.
For the purposes of SUP 15.14.12D and SUP 15.14.16D we would expect the account servicing payment service provider to complete and submit the notification as quickly as possible.
Notification of major operational or security incidents under regulation 99
Regulation 99(1) of the Payment Services Regulations provides that, if a payment service provider becomes aware of a major operational or security incident, the payment service provider must, without undue delay, notify the FCA. The purpose of this section is to direct the form and manner in which such notifications must be made and the information they must contain, in exercise of the power in regulation 100(2) of the Payment Services Regulations.
The EBA has issued Guidelines on incident reporting under the Payment Services Directive that specify the criteria a payment service provider should use to assess whether an operational or security incident is major and needs to be reported to the FCA. These Guidelines also specify the format for the notification and the procedures the payment service provider should follow.
Payment service providers must comply with the EBA’s Guidelines on incident reporting under the Payment Services Directive as issued on 27 July 2017 where they are addressed to payment service providers.
In particular, a notification required by regulation 99(1) of the Payment Services Regulations must be submitted by the payment service provider to the FCA:
- (1) within the timescales and at the frequencies specified in the EBA’s Guidelines on incident reporting under the Payment Services Directive;
- (2) in writing on the form specified in SUP 15 Annex 11D; and
- (3) by such electronic means as the FCA may specify.
Payment service providers should note that article 16(3) of Regulation (EU) No 1093/2010 also requires them to make every effort to comply with the EBA’s Guidelines on incident reporting under the Payment Services Directive.
Where the electronic means of submission of notifications is known not to be available or operated at the time the incident is first detected, the notification should be sent to the FCA as soon as the electronic means of submission becomes available and operational again. Unless the FCA has informed a specific payment service provider that electronic means of submission are also available to it and operated at other times, the electronic means of submission are available and operated during normal operating hours, as specified by the FCA.
The EBA’s Guidelines on incident reporting under the Payment Services Directive contain guidelines on the completion of the form specified in SUP 15 Annex 11D. Payment service providers should use the same form in all reports concerning the same incident. Payment service providers may not have sufficient information to complete all parts of the form in the initial report. They should complete the form in an incremental manner and on a best effort basis as more information becomes readily available in the course of their internal investigations.
General provisions
SUP 15.6.1R to SUP 15.6.6G (Inaccurate, false or misleading information) apply to payment service providers that are required to make notifications in accordance with this section as if a reference to firm in SUP 15.6.1R to SUP 15.6.6G were a reference to the relevant category of payment service provider and a reference to a rule were a reference to the directions in this section.
Payment service providers are reminded that regulation 142 of the Payment Services Regulations (Misleading the FCA or the Payment Systems Regulator) makes it an offence for a person to knowingly or recklessly provide the FCA with information which is false or misleading in a material particular in purported compliance with the directions given in this section or any other requirement imposed by or under the Payment Services Regulations.
If a payment service provider fails to comply with the directions in this section then the notification is invalid and there may be a breach of the regulation of the Payment Services Regulations or the direction that required the notification to be given.
The Financial Services and Markets Act 2000 (Service of Notices) Regulations 2001 (SI 2001/1420) contain provisions relating to the service of documents on the FCA. They do not apply to notifications required under this section because of the specific directions given in this section.
Notification that a fraud rate has been exceeded (article 20 of the SCA RTS)
Article 18 of the SCA RTS permits payment service providers not to apply strong customer authentication where the payer initiates a remote electronic payment transaction identified by the payment service provider as posing a low level of risk according to the transaction monitoring mechanism referred to in article 2 and article 18 of the SCA RTS.
Article 19 of the SCA RTS requires payment service providers to ensure that the overall fraud rates per quarter for transactions executed under the article 18 exemption are equivalent to or lower than the reference fraud rates indicated in the Annex to the SCA RTS. Article 19 defines a quarter as 90 days.
Where a fraud rate calculated in compliance with article 19 of the SCA RTS exceeds the applicable reference fraud rate, article 20(1) of the SCA RTS requires payment service providers to immediately report to the FCA, providing a description of the measures that they intend to adopt to restore compliance with the reference fraud rates.
Payment service providers should report in respect of each quarter in which a fraud rate exceeds the applicable reference rate.
Where a fraud rate exceeds the applicable reference rate for two consecutive quarters, the payment service provider is required by article 20(2) of the SCA RTS to immediately cease to make use of the article 18 exemption. The report for the second quarter should confirm that the payment service provider has ceased to make use of the article 18 exemption.
Payment service providers required by article 20(1) of the SCA RTS to report to the FCA must do so:
- (1) in the form specified in SUP 15 Annex 12D;
- (2) by electronic means made available by the FCA; and
- (3) immediately after the monitored fraud rate exceeds the applicable reference fraud rate.
A payment service provider that has previously ceased to make use of the article 18 exemption in accordance with article 20(2) of the SCA RTS must notify the FCA in accordance with article 20(4) of the SCA RTS before again making use of the article 18 exemption:
- (1) in the form specified in SUP 15 Annex 12D;
- (2) by electronic means made available by the FCA; and
- (3) in a reasonable timeframe and before making use again of the article 18 exemption.
A payment service provider notifying the FCA before again making use of the article 18 exemption must provide evidence of the restoration of compliance of their monitored fraud rate with the applicable reference fraud rate for that exemption threshold range for one quarter, under article 20(4) of the SCA RTS.
Notifying the FCA one month before making use again of the article 18 exemption would be a reasonable timeframe within the meaning of SUP 15.14.35D(3).
Notifying problems with a dedicated interface (article 33(3) of the SCA RTS)
Account information service providers, payment initiation service providers, payment service providers issuing card-based payment instruments, and account servicing payment service providers must report problems with dedicated interfaces as required by article 33(3) of the SCA RTS to the FCA:
- (a) without undue delay;
- (b) using the form set out in SUP 15 Annex 13D; and
- (c) by electronic means made available by the FCA.
The following problems with dedicated interfaces should be reported:
- (a) the interface does not perform in compliance with article 32 of the SCA RTS; or
- (b) there is unplanned unavailability of the interface or a systems breakdown.
Unplanned unavailability or a systems breakdown may be presumed to have arisen when five consecutive requests for access to information for the provision of payment initiation services or account information services are not replied to within 30 seconds.
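One way to apply the five-requests/30-seconds presumption above to a request log from a dedicated interface, as an added example that is not part of the FCA text. The `Request` record, the convention that `None` means no reply was recorded, the sample log and the treatment of a reply at exactly 30 seconds as in time are assumptions made for illustration; the log is assumed to contain only requests for access to information for payment initiation or account information services.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

REPLY_LIMIT = timedelta(seconds=30)  # from the text: reply expected within 30 seconds
RUN_LENGTH = 5                       # from the text: five consecutive requests


@dataclass
class Request:
    sent: datetime
    replied: Optional[datetime]  # None = no reply recorded (assumed log convention)


def late(req: Request) -> bool:
    """True when the request was not replied to within 30 seconds."""
    return req.replied is None or req.replied - req.sent > REPLY_LIMIT


def presumed_outages(requests):
    """Return (start, end, count) for each run of >= 5 consecutive late requests.

    start and end are the send times of the first and last request in the run.
    """
    outages, run = [], []
    for req in sorted(requests, key=lambda r: r.sent):
        if late(req):
            run.append(req)
            continue
        if len(run) >= RUN_LENGTH:
            outages.append((run[0].sent, run[-1].sent, len(run)))
        run = []  # a timely reply breaks the run
    if len(run) >= RUN_LENGTH:  # run still open at the end of the log
        outages.append((run[0].sent, run[-1].sent, len(run)))
    return outages


def sample_log():
    """Constructed sample: reply latency in seconds, None = never answered."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    latencies = [1, 31, 40, None, 35, 2,      # run of 4 late requests: no presumption
                 None, 45, 31, None, 60, 33,  # run of 6 late requests: presumption arises
                 30, 0.5]                     # exactly 30 s is treated as in time
    return [Request(t0 + timedelta(minutes=i),
                    None if s is None else t0 + timedelta(minutes=i, seconds=s))
            for i, s in enumerate(latencies)]


if __name__ == "__main__":
    for start, end, n in presumed_outages(sample_log()):
        print(f"presumed unplanned unavailability: {n} requests, {start} to {end}")
```

Each returned window gives the send times of the first and last late request in the run, which can feed the details of a report made without undue delay.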