Insights from one of the Payments Association project teams on AIS and PIS

Overall the key drive/point of the session from the FCA’s perspective was to garner input in to their consultation process.  They were taking the points/questions posed on board in that light, however (unsurprisingly) weren’t providing any answers/clarification in response to questions.  As such, it was useful/interesting to see what other people were thinking about, but not an opportunity to actually get any feedback/clarification.

The FCA did also reiterate that they were keen for people to respond formally as well to the consultation.  They made the point that the regulations (clause 115.5) set out that the regulatory authority’s implementation should not impact the “live market”.  As a specific example of this it was highlighted that, although other methods for collecting data will have to be available, screen scraping will not be disallowed from January onwards, so existing business models will continue to be able to operate.  Their point here was that they are keen to get consultation responses that set out specific business models they may not have thought of/come across with views on whether they should/should not fall within the AIS/PIS boundaries and rationale etc.

Re: attendees, there were various banks, quite a few industry organisations, several tech providers and aggregators and a few advisory businesses.

Topics covered:

• There were questions and discussion around scenarios where there are several entities in a “chain”, trying to get certainty of who would/wouldn’t be an AISP/PISP.
  • This string of discussion focused more around AIS than PIS, so scenarios discussed in detail were those like service aggregators accessing information from a bank as part of a service provided to financial management service providers.  The corporate payment scenarios of businesses using Bacs bureaux to instruct payments from their bank account were also brought up, as were other examples such as a business granting its accountant access to bank account or an individual granting power of attorney to another person or business (these latter two were both acknowledged as sitting outside the intent of the regulations).
  • The FCA acknowledged that there are various business models which they are not aware of and it is not necessarily the intent for all parties in these to fall in scope.  They requested that people respond to the consultation with some detail on business models and a view on which parties should/shouldn’t fall within the scope and why, and any suggestions on how to define this.
  • There was a view presented that if all parties (i.e. the ASPSP, the customer and the entity instructing a payment or accessing data) have standing contracts in place between one another, then this could/should fall outside the scope.  FCA/Treasury rebutted this on the basis that large providers may be able to negotiate contracts with banks that smaller competitors couldn’t and therefore could end up with a “dual regime” which wouldn’t be fair to smaller providers in the market who would have to be regulated due to not being large enough to negotiate such contracts.  Such a scenario would also not be in keeping with the spirit of the regulations.  So, the question posed was what is fundamentally different about the service/model that means it should fall outside the scope, as opposed to relying on this contract point.
• There was some discussion around Authorisation timeframes.  They key point flagged was that the FCA will open its doors for applications on 13^th Oct, they are hoping/trying to publish the forms ahead of this, but there was no commitment to do so.
• There was a discussion around ASPSPs being able to know/validate whether entities connecting to them are authorised AISP/PISPs or not.  As there is no central, machine readable registry (or at least there won’t be in January), it’s not clear how this will work.
• The challenge re: EIDAS certificates (or lack thereof) in January was also discussed.  Given the lack of these and the lack of the RTS it is again not clear how relevant security/authentication measures will work.
• In relation to both of the above two points along with others, the FCA did make reference several times to the “industry” having to come up with solutions to make this work.  Clearly, it’s not up to the regulator to solve all of these challenges/come up with answers.
• In relation to insurance; the FCA brought this point up in particular.
  • Reading between the lines they don’t believe there is appropriate cover available in the market.  A few people said “we have cover” and the FCA’s steer was to review it carefully to ensure it meets the specific need of the regulations.
  • I asked specifically what level of action they could/would take to ensure relevant cover is available (i.e. will they force the market to provide this?).  Their response was that they can’t force the market to provide it, however FCA and Treasury were “working together and engaging the industry to try to ensure a market for this”.  However they did flag that they needed input from industry participants in order to have more of a view on the need, and carry more weight in their discussions.
  • It was acknowledged that there is a degree of “chicken and egg” in that the specifics of this cover are not currently required, and therefore there isn’t a market for it, however unless there’s a market for it then it won’t be possible to purchase it.  Overall this probably just means entities need to get out and start talking to their ensurers about the specifics of what is required and feed back to the FCA based on their experiences, but based on the comments in the room it didn’t sound like many people had been doing this.
• The focus was very much around AISP/PISP perimeter, safeguarding topics didn’t come up.