The European Union (EU) revised Payment Services Directive (PSD2) was adopted January 2016 as an update of PSD 1 (adopted in 2007) and introduces two types of new services under its licensing scope: payment initiation services and account information services. New players in the financial industry and incumbents (e.g. banks, electronic money institutions) that intend to offer these services will be referred to hereafter as Third Party Providers (TPPs). In a series of upcoming blogs, we will elaborate further on the key opportunities and challenges for TPPs.
Being or becoming a TPP opens up business opportunities for incumbents and new players alike but requires careful consideration of the cost of compliance, which arise from acquiring the license but even more so from maintaining it. These costs can be optimised through a proper implementation of the PSD2 licensing requirements, which have a broad organisational impact in areas such as business operations, risk management, compliance, governance, and reporting.
This first in a series of blogs aims to help potential TPPs with understanding the regulatory requirements and to successfully acquire and retain their licence in a strategic and efficient manner. We focus on PSD2, but please note that being a licensed business also entails complying with other regulations such as GDPR, AMLD and eIDAS.
Overview of the PSD2 regulatory landscape
A lot has been said and written on PSD2, often leading to misinterpretations of the timelines and requirements of becoming a TPP. Forget all the confusion as we provide you with a clear view on the most relevant topics.
The picture below provides a (simplified) overview of the four key stakeholders within the EU who are involved with the design and implementation of the PSD2 rules.
Due to the sheer amount and complexity of the regulations, various EBA GL and RTS experienced delays and several EU countries (e.g. Belgium, Netherlands, Spain) missed the transposition deadline of 13 January 2018. Main reasons were conflicts of interests between TPPs and Account Servicing Payment Service Providers (ASPSPs, being mostly banks) and discussions on sensitive topics such as privacy aspects in relation to processing payments data. The effect of these delays and complexity is seen in the limited amount of TPP licences issued in the EU, which is displayed in Figure 2.
We expect TPP licensing activity to increase now that the dust has settled and most regulatory requirements are known, and we will continue to monitor this.
In total, 14 documents have been published by the EBA, which are described below and ranked by relevance to TPP licensing. A good understanding by TPPs on the impact of the standards and guidelines on their organisation contributes to a more efficient licensing process.
We advise potential TPPs to first assess the requirements in the documents with high relevance and work their way down to the medium/low relevance documents. The regulatory assessment results provide valuable input to the development of your business case which is a vital step to complete before a licence application should take place.
Business case development
Acquiring and retaining a licence in the financial sector has proven to be challenging for organisations. This can result in long application processes (easily lasting longer than 9 months), supervisory fines and unforeseen required operational changes. These negative experiences cultivate an often-expressed view on licensing and supervision as being a ‘regulatory burden’ with high costs. The PSD2 regulatory framework poses similar challenges, looking at the sheer number and impact of the requirements, but if done right it can be far less costly to acquire and retain a licence. We have also seen cases where a licence trajectory had an overall positive, indirect cost impact since it forced the respective business to streamline and ‘declutter’ operations and enhance the overall business.
Development of a solid business case should assess the opportunities and costs at least on the following three levels: strategic (e.g. products, competition, market), regulatory (e.g. gap analysis) and organisation (e.g. operational readiness). Doing this properly will get TPPs off to a good start of the licence application process, which is further described below.
The licence application process and beyond
The PSD2 licence requirements cover topics such as a payment services description, business plan, governance arrangements, management suitability, internal control framework, risk management and compliance, security and operational standards. The main purpose of the supervisor is to gain confidence that the TPP is running a professional business in all these areas and follows the relevant rules. We suggest TPPs take a structured and tailored approach towards their licence applications which covers the full licensing life cycle (see Figure 4 below). In our next blog we will further detail the phases and pay extra attention to the essential role of shaping the operating model in an activity-based manner from the start.
The overarching idea is to map the regulatory requirements to the current operating model and create a plan to address any gaps, whilst taking into account supervisory guidance and best practices. For the licence application it suffices in most areas to submit documentation showing a compliant organisational set-up (as the licensed products have not been launched yet). Basically, this entails drafting and submitting documentation such as policies, procedures, and risk assessments. But in order to retain the licence and operate without raising supervisory concerns (which are often accompanied by mandatory repairs), TPPs need to be able to demonstrate a compliant way of working to the supervisor. This is why TPPs are wise to start (re)designing their operating model early in the licence application process to ensure ‘Compliance by Design’ for their activities and avoid future costs.
In our experience, implementation of a compliant way of working is most challenging for the requirements in the following areas:
· Operational and security risk management framework, with detailed and high impact requirements on incidents, fraud, authentication and communication
· Anti-money laundering and combating financing of terrorism and especially requirements on Customer Due Diligence (Know-Your-Customer principles) and client/transaction monitoring
· Governance and especially the requirements of a proper segregation of duties (first, second, and occasionally third line of defence)
If you want to start your (pre-)licensing process today, just reach out to Josje Fiolet or Tycho van Ewijk to discover where we can help you. Also, look out for our future blogs where we will dive deeper into these specific licence requirements and how Compliance by Design can be ensured.