2024 Regulatory Outlook: Key Initiatives Impacting Payments Industry
CatalystPay #PointOfView is a series in which our skilled crew shares their point of view and industry insights on online payment. In our latest installment, Daniel Watson, CCO & MLRO, shares his view on the regulatory framework that will have a significant impact on the payments industry from 2024 onward.
Don't miss out on this opportunity to learn from "the kitchen" in the industry. Stay tuned for more expert articles in the coming weeks.
As we move into 2024, along with prominent emerging trends and technological innovations, we can already see in front of us a full calendar of regulatory initiatives which will affect payment product providers.
There are a lot of new rules and regulations coming up, mostly because of how fast technology is changing in the world of finance. These new rules are going to change how companies that provide payment services do their business. This year, we're expecting regulators to pay close attention to a few important areas, and each of these areas has its own set of challenges and chances for growth for these companies:
- Digital Assets
- Artificial Intelligence
- Cyber / operational resilience
- FCA Annual 2024/25 Business Plan
- Advance Push Payment (APP) Fraud
- PSD3
- Strong Customer Authentication
- Access to payment systems and account information
Digital assets
How crypto-assets are regulated has been a focus of regulators globally for several years now as they try to find a way to protect consumers and participant firms operating with these products. In June 2023, this led to the EU releasing its first consultation into its Markets in Crypto-Assets Regulation (MiCA) framework; and they will continue to consult on this throughout 2024 with a view to implementing the final provisions by December 2024.
In the UK, the FCA is adopting a more incremental approach through a series of proposals looking at crypto-asset financial promotion, registration of custodians and exchanges, and the regulation of stablecoins. Whilst we do not yet know exactly what any final regulations or guidance will look like, what we can be sure of is that there will be more emphasis on payments firms and their agents to ensure consumers are afforded more protection than they currently may be, and that we will be more accountable when we provide such products. Arguably, increased regulatory scrutiny of these products will only be beneficial all round for customers, as they will be afforded greater protections which should deliver more peace of mind.
Artificial Intelligence
The rapid development of Artificial Intelligence and its rapid early adoption into financial services has certainly received mixed reviews from both consumers and firms alike. Globally, there appears to be a consensus that this rapid growth has led to an increasingly fragmented landscape, and an understanding that international cooperation to create global standards for AI is required, in particular for the Financial Services sector.
The FCA is certainly actively looking at how AI is being used in the UK and is cooperating with its peers across the globe. Whilst I don’t imagine we will see anything substantive appearing at a global level in 2024, I do expect that we will at least see an alignment across jurisdictions covering high level standards this year.
Cyber / operational resilience
The fintech sector is likely to face increasing regulatory scrutiny, in particular where firms use highly innovative tech solutions across multiple partners to deliver their product in a highly complex global regulatory environment. I’d expect to see a particular focus on how firms manage risks associated with this – looking at a number of trends which increase operational risks for firms – AI, automation of processes, operational outages, competition, and platformisation of banking models.
FCA Annual 2024/25 Business Plan
Expect to see this published in April, when the FCA will set out its priorities for the next 12 months – we are likely to see a focus, and possibly thematic review at individual firm level, on the following areas for the UK market in particular:
- Evaluation of the effectiveness of Consumer Duty measures implemented by firms in 2023 and continuing their review into how firms treat customers who experience Vulnerability during the lifecycle of their relationship with them;
- Crypto-Asset promotion and regulation;
- APP Fraud prevention measures.
Advance Push Payment (APP) Fraud
We should talk about this in some detail here given that this is a significant regulatory initiative in the UK, which has been heralded as a ‘step change’ in the payments sector. Until now only larger credit institutions have been responsible for reimbursing customers who have been victims of APP Fraud, under the Contingent Reimbursement Model (CRM) Code. From October 2024, ALL payments firms will be within scope, including banks, EMIs and PIs, with both sending and receiving firms splitting the costs of reimbursement 50:50.
Customers will therefore be more protected under consistent minimum standards, with most APP fraud victims being reimbursed within five business days and additional protections offered for Vulnerable Customers. Firms will have clearer guidance to follow, including around the ability to apply a claim excess and maximum level of reimbursement, which the PSR will consult on later this year.
This will impact ALL firms and likely lead to a responsibility shift in Principal/Agent/Distributor models, with the regulated firm needing to control its outsourced risks through financial measures with its agents. We will be watching developments closely in this area.
PSD3
In June 2023, the EU published a set of new legislative proposals for a third Payment Services Directive (PSD3) and a Payment Services Regulation (PSR). It foresees changes to the framework of the European payments landscape and is likely to have a material impact on the sector, both from a legal and an operational perspective.
- PSD3 is an updated version of PSD2 and provides rules on the efficiency and security of electronic/digital payments and financial services in the EU. It aims to improve competition and innovation in the financial industry;
- PSD3 sets out more extensive Strong Customer Authentication (SCA) regulations and stricter rules on access to payment systems and account information;
- PSD3 aims to protect consumers’ rights and personal information while improving competition in the payments industry;
- The new proposals also include a new Payment Services Regulation (PSR) to improve consumer protection. This will be directly applicable to EU member states;
- Timeline: There is yet to be a clear timeline for implementing PSD3 and PSR. The finalized versions might be accessible by late 2024. The member states usually receive an 18-month transition period, suggesting that PSD3 and PSR could take effect around 2026.
PSD3 legislation in the UK
Whilst the UK is no longer technically obligated to follow EU legislation, the UK and EU payments industry is so intertwined that the UK is likely to come under pressure to review and calibrate its equivalent domestic rules with PSD3.
The widely held expectation is that UK regulators will review PSD3 legislation ahead of its implementation and announce equivalent UK rules to achieve the same, if not better, outcomes for the UK payments industry.
Strong Customer Authentication
The changes regarding Strong Customer Authentication (SCA) and access to payment systems and account information will affect all participants in the payments industry. We can look at the main changes here and how they are expected to make a difference.
PSD3 changes covering SCA are ultimately designed to lead to safer buying experiences. There will be new rules around data sharing, fraud prevention, authentication, transactions, and accessibility.
- Authentication – PSD2 has always required SCA factors to belong to two categories out of the following three: knowledge, possession, and inherence. This is expected to change under PSD3, when using two of the same categories, like token and SMS OTP or even two passwords, will be possible.
- Fraud – PSD3 proposals are also considering a liability shift in terms of fraud. Schemes, technical service providers (such as wallet providers), and payment gateways will now be liable for fraud if they fail to apply SCA. This protects payers from technical malfunctions and encourages firms like CatalystPay to maintain a high quality of service.
- Accessibility – SCA must now be accessible for vulnerable customers such as the elderly, people with disabilities, and non-digitally savvy consumers by providing authentication methods that don’t rely solely on smartphones.
Access to payment systems and account information
The PSR will also introduce changes to the existing Open Banking framework that will remove obstacles to providing open banking services and ultimately increase uptime for banking and financial services.
Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs) will be allowed to build custom interfaces that connect to banks and other financial institutions.
Payment Providers will also have to share more information about their API performance by publishing quarterly statistics on interface availability and performance, creating a higher level of transparency. This gives businesses more accurate insights into the payment systems, helping them to make informed decisions about which partner they want to choose for their payment processing needs.
In case of downtime or disruptions, payment firms need to allow third parties (AISPs and PISPs) to use their own interfaces, leading to more efficient payment processes for digital businesses and their customers.
Payment Firms will be required to provide customers with a permission dashboard. This dashboard allows customers to continuously monitor and manage permissions granted to AISPs conveniently.
Conclusion
In conclusion, as we navigate these regulatory developments, it's clear that compliance will be more critical than ever. At CatalystPay, we are committed to staying ahead of these changes, continuously adapting, and enhancing our compliance strategies. Our experienced Compliance team, augmented by external expertise, ensures that we not only meet but exceed regulatory expectations, thereby reinforcing our commitment to our customers and the integrity of our services.