SUP 16.13 Reporting under the Payment Services Regulations

Application

SUP 16.13.1GRP

1This section applies to a payment service provider as set out in this section3 (see SUP 16.1.1A D).

Purpose

SUP 16.13.2GRP

The purpose of this section is to: 3

  1. (1)

    give directions to authorised payment institutions, small payment institutions and registered account information service providers under regulation 109(1) (Reporting requirements) of the Payment Services Regulations in relation to:3

    1212
    1. (a)

      the information in respect of their provision of payment services and their compliance with requirements imposed by or under Parts 2 to 7 of the Payment Services Regulations that they must provide to the FCA; and3

    2. (b)

      the time at which and the form in which they must provide that information and the manner in which it must be verified;3

  2. (2)

    give directions to payment service providers under regulation 109(5) (Reporting requirements) of the Payment Services Regulations in relation to the form of the statistical data on fraud relating to different means of payment that must be provided to the FCA under regulation 109(4) of the Payment Services Regulations at least once per year;3

  3. (3)

    give directions to payment service providers under regulation 98(3) (Management of operational and security risks) of the Payment Services Regulations in relation to:3

    1. (a)

      the information that must be contained in the assessment of operational and security risks and the adequacy of mitigation measures and control mechanisms that must be provided to the FCA;3

    2. (b)

      the intervals at which that assessment must be provided to the FCA (if the assessment is required to be provided more frequently than once a year); and3

    3. (c)

      the form and manner in which that assessment must be provided; and3

  4. (4)

    [deleted]6

    3
  5. (5)

    10give directions to payment service providers referred to at SUP 16.13.3-BD under regulation 109(1) (Reporting requirements) of the Payment Services Regulations in relation to annual financial crime reporting to the FCA.

SUP 16.13.2-AGRP

3The purpose for which this section requires information to be provided to the FCA under regulation 109 of the Payment Services Regulations is to assist the FCA in the discharge of its functions under regulation 106 (Functions of the FCA), regulation 108 (Monitoring and enforcement) and regulation 109(6) (Reporting requirements) of the Payment Services Regulations.

SUP 16.13.2AGRP

2The purpose of this section is also to set out the rules applicable to payment service providers3 in relation to complete and timely reporting and failure to submit reports.

SUP 16.13.2BGRP

3Authorised payment institutions and small payment institutions should refer to the transitional provisions in SUP TP 1.11 (Payment services and electronic money returns).

Reporting requirement

SUP 16.13.3DRP
  1. (1)

    An authorised payment institution, a small payment institution6 or a registered account information service provider3 must submit to the FCA12 the duly completed return applicable to it as set out in column (2) of the table in SUP 16.13.4D.

    2212
  2. (2)

    An authorised payment institution, a small payment institution or a registered account information service provider3 must submit the return referred to in (1):

    1. (a)

      in the format specified as applicable in column (3) of the table in SUP 16.13.4D;

    2. (b)

      at the frequency and in respect of the periods specified in column (4) of that table;

    3. (c)

      by the due date specified in column (5) of that table; and

    4. (d)

      by electronic means made available by the FCA12.

      12
3
SUP 16.13.3-ADRP

3SUP 16.4.5R (Annual controllers report) and SUP 16.5.4R (Annual Close Links Reports) apply to an authorised payment institution as if a reference to firm in these rules were a reference to an authorised payment institution.

SUP 16.13.3-AAD

10SUP 16.23.4R to SUP 16.23.7R (Annual Financial Crime Report) apply to a payment institution as if a reference to firm in these rules and guidance were a reference to a payment institution and the reference to group is read accordingly, other than:

  1. (1)

    a payment institution where its authorisation or registration permits it to provide only one or more of the following payment services and it is not permitted to carry on any regulated activities:

    1. (a)

      account information services;

    2. (b)

      payment initiation services; or

    3. (c)

      money remittance, or

  2. (2)

    a person with temporary PI authorisation that immediately before IP completion day was providing payment services other than through a branch in the UK or a UK-based agent.

SUP 16.13.3ADRP

2SUP 16.3.11 R (Complete reporting) and SUP 16.3.13 R (Timely reporting) also apply to authorised payment institutions, small payment institutions6 and registered account information service providers3 as if a reference to firm in these rules were a reference to these categories of payment service provider3.

SUP 16.13.3BRRP

2SUP 16.3.14 R (Failure to submit reports) also applies to payment service providers that are required to submit reports or assessments in accordance with this section and the Payment Services Regulations3 as if a reference to firm in this rule were a reference to the relevant category of payment service provider3.

SUP 16.13.3CGRP

3Authorised payment institutions, small payment institutions and registered account information service providers are reminded that they should give the FCA reasonable advance notice of changes to their accounting reference date (among other things) under regulation 37 of the Payment Services Regulations. The accounting reference date is important because many frequencies and due dates for reporting to the FCA are linked to the accounting reference date.

SUP 16.13.4DRP

The table below sets out the format, reporting frequency and due date for submission in relation to regulatory returns that apply to authorised payment institutions,3 small payment institutions6 and registered account information service providers3.

(1)

(2)

(3)

(4)

(5)

Type of payment service provider3

Return

Format

Reporting Frequency

Due date

authorised payment institution3

Authorised Payment Institution Capital Adequacy Return

FSA056 (Note 1)

Annual (Note 2)

30 business days (Note 3)

3registered account information service provider

Authorised Payment Institution Capital Adequacy Return

FSA056 (Note 1)

Annual (Note 2)

30 business days (Note 3)

3small payment institution

Payment Services Directive Transactions

FSA057 (Note 4)

Annual (Note 5)

1 month 3 (Note 3)

Note 1

When submitting the completed return required, the authorised payment institution or registered account information service provider3 must use the format of the return set out in SUP 16 Annex 27CD3. Guidance notes for the completion of the return are set out in SUP 16 Annex 27DG3.

Note 2

This reporting frequency is calculated from an authorised payment institution's or registered account information service provider’s 3 accounting reference date.

Note 3

The due dates are the last day of the periods given in column (5) of the table above following the relevant reporting frequency period set out in column (4) of the table above.

Note 4

When submitting the completed return required, the small payment institution must use the format of the return set out in SUP 16 Annex 28CD3. Guidance notes for the completion of the return are set out in SUP 16 Annex 28DG3.

Note 5

This reporting frequency is calculated from 31 December each calendar year.

Statistical data on fraud

SUP 16.13.5GRP

3Regulation 109(4) of the Payment Services Regulations requires payment service providers to provide to the FCA statistical data on fraud relating to different means of payment.

SUP 16.13.6GRP

3This requirement applies to:

  1. (1)

    authorised payment institutions;

  2. (2)

    small payment institutions;

  3. (3)

    registered account information service providers;

  4. (4)

    electronic money institutions;

  5. (5)

    credit institutions with permission to accept deposits under Part 4a of FSMA8.

SUP 16.13.7DRP

3This statistical data on fraud must be submitted to the FCA by electronic means made available by the FCA using the format of the return set out in SUP 16 Annex 27ED. Guidance notes for the completion of the return are set out in SUP 16 Annex 27FG.

SUP 16.13.8DRP
  1. (1)

    5In the case of an authorised payment institution, an authorised electronic money institution or a credit institution with permission to accept deposits under Part 4a of FSMA8:

    1. (a)

      the return set out in SUP 16 Annex 27ED must be provided to the FCA every six months;

    2. (b)

      returns must cover the reporting periods 1 January to 30 June and 1 July to 31 December; and

    3. (c)

      returns must be submitted within two months of the end of each reporting period.

  2. (2)

    In the case of a small payment institution, a registered account information service provider or a small electronic money institution:

    1. (a)

      two returns set out in SUP 16 Annex 27ED must be provided to the FCA every twelve months. Each return must cover a six-month period;

    2. (b)

      one return must cover the period 1 January to 30 June and the other return must cover the period 1 July to 31 December; and

    3. (c)

      both returns must be submitted within two months of the end of the calendar year.

SUP 16.13.8AG

The9 return in SUP 16 Annex 27ED reflects9 the EBA’s Guidelines on fraud reporting under the Payment Services Directive 2 (PSD2), published on 18 July 2018 (EBA/GL/2018/05)9. The return also includes fraud reporting for registered account information service providers, as required by regulation 109 of the Payment Services Regulations. 9

5

Operational and Security Risk assessments

SUP 16.13.9G

4Regulation 98(1) of the Payment Services Regulations provides that each payment service provider must establish a framework with appropriate mitigation measures and control mechanisms to manage the operational and security risks relating to the payment services it provides.

SUP 16.13.10G

4Regulation 98(2) of the Payment Services Regulations provides that each payment service provider must provide to the FCA an updated and comprehensive assessment:

  1. (1)

    of the operational and security risks relating to the payment services it provides; and

  2. (2)

    on the adequacy of the mitigation measures and control mechanisms implemented in response to those risks.

The purpose of SUP 16.13.11G to 16.13.17G is to direct the form and manner of the assessment and the information that the assessment must contain.

SUP 16.13.11G

4The EBA issued Guidelines on 12 December 2017 on the security measures for operational and security risks of payment services under the Payment Services Directive (EBA/GL/2017/17)6. The Guidelines specify requirements for the establishment, implementation and monitoring of the security measures that payment service providers must take to manage operational and security risks relating to the payment services they provide.

[Note: see EBA guidelines: Guidelines on the security measures for operational and security risks of payment services, 12 December 2017/EBA/GL/2017/17.6]

SUP 16.13.12D

4Payment service providers must comply with the EBA’s Guidelines the6 on security measures for operational and security risks of payment services (EBA/GL/2017/17)6 as issued on 12 December 2017 where they are addressed to payment service providers.

SUP 16.13.13D

4The assessments required by regulation 98(2) of the Payment Services Regulations must be submitted (except payment service providers mentioned in paragraph (1) (c) and (ca) of the Glossary definition of payment service provider and paragraph (1)(c) of the Glossary definition of electronic money issuer)7 to the FCA:

  1. (1)

    at least once every calendar year;

  2. (2)

    in writing, in the form specified in SUP 16 Annex 27GD, and attaching the documents described in that form; and

  3. (3)

    by electronic means made available by the FCA.

In the case of credit institutions, this provision applies only to those with permission to accept deposits under Part 4a of FSMA.8

SUP 16.13.14G

4Payment service providers (except payment service providers mentioned in paragraph (1) (c) and (ca) of the Glossary definition of payment service provider and paragraph (1)(c) of the Glossary definition of electronic money issuer)7 should submit the form and the assessments to the FCA in accordance with SUP 16.13.13D(2) as soon as practicable after the assessments have been completed. In the case of credit institutions, this paragraph applies only to those with permission to accept deposits under Part 4a of FSMA.8

SUP 16.13.15G

4Payment service providers (except payment service providers mentioned in paragraphs (1) (c) and (ca) of the Glossary definition of payment service provider and paragraph (1)(c) of the Glossary definition of electronic money issuer)7 may provide operational and security risk assessments to the FCA on a more frequent basis than once every calendar year if they so wish. Payment service providers (except payment service providers mentioned in paragraph (1) (c) and (ca) of the Glossary definition of payment service provider and paragraph (1)(c) of the Glossary definition of electronic money issuer)7 should not, however, submit such assessments more frequently than once every quarter. In the case of credit institutions, this paragraph applies only to those with permission to accept deposits under Part 4a of FSMA.8

SUP 16.13.16G

4Subject to the requirements in SUP 16.13.13D, payment service providers (except payment service providers mentioned in paragraph (1) (c) and (ca) of the Glossary definition of payment service provider and paragraph (1)(c) of the Glossary definition of electronic money issuer)7 should submit a nil return for each quarter in which they do not make a submission to the FCA. In the case of credit institutions, this paragraph applies only to those with permission to accept deposits under Part 4a of FSMA.8

SUP 16.13.17G

[deleted]6

4
SUP 16.13.17AG

11SYSC 15A (Operational resilience) sets out further provisions which are relevant to a payment service provider’s Operational and Security Risk assessment.

SUP 16.13.18G

5Article 17 of the SCA RTS permits payment service providers not to apply strong customer authentication in respect of legal persons initiating electronic payment transactions through the use of dedicated payment processes or protocols that are only made available to payers who are not consumers, where the FCA is satisfied that those processes and protocols guarantee at least equivalent levels of security to those provided for by the Payment Services Regulations9.

SUP 16.13.19D

5Payment service providers intending to make use of the exemption in article 17 of the SCA RTS must include in the operational and security risk assessment submitted in accordance with SUP 16.13.13D:

  1. (1)

    a description of the payment services that the payment service provider intends to provide in reliance on this exemption; and

  2. (2)

    an explanation of how the payment service provider’s processes and protocols achieve at least equivalent levels of security to those provided for by the Payment Services Regulations9.

SUP 16.13.20D

5Payment service providers should comply with SUP 16.13.19D at least three months before making use of the exemption in article 17 of the SCA RTS, and subsequently each time they prepare and submit the operational and security risk assessment required by regulation 98(2) of the Payment Services Regulations in respect of a period in which they have made use of the article 17 exemption.

SUP 16.13.21G

5Payment service providers that follow the guidance in paragraphs 20.55 to 20.60 of the FCA’s Approach Document and comply with SUP 16.13.19D and 16.13.20D may make use of the article 17 exemption on the basis that the FCA is satisfied with the levels of security of their processes and protocols, unless informed otherwise by the FCA.

[Note: see https://www.fca.org.uk/publication/finalised-guidance/fca-approach-payment-services-electronic-money-2017.pdf.]

Reporting statistics on the availability and performance of a dedicated interface

SUP 16.13.22G

5Article 32(4) of the SCA RTS requires account servicing payment service providers that opt to provide a dedicated interface under article 31 of the SCA RTS to monitor the availability and performance of that interface. They must also publish on their website quarterly statistics on the availability and performance of the dedicated interface and of the interface used by its payment services users.

SUP 16.13.23D

5Account servicing payment service providers shall submit to the FCA the quarterly statistics on the availability and performance of a dedicated interface that they are required by article 32(4) of the SCA RTS to publish on their website:

  1. (1)

    within 1 month of the quarter to which the statistics relate;

  2. (2)

    using the form set out in SUP 16 Annex 46AD; and

  3. (3)

    by electronic means made available by the FCA.

SUP 16.13.24G

5The quarterly statistics should cover the periods January to March, April to June, July to September and October to December.

An account servicing payment service provider becoming subject to the obligation in SUP 16.13.23D part way through a quarter should submit the first statistics only in relation to the part of the quarter when this obligation applied.

Guidance notes for completing the form set out in SUP 16 Annex 46AD are in SUP 16 Annex 46BG.