Read about the reporting and notification requirements under the Payment Services Regulations 2017 (PSRs), including major incident reporting.
The PSRs introduced new notification requirements, which we have listed here.
Full detail for each requirement can be found in Chapter 13 of Payment Services and Electronic Money: Our Approach[1] (Part II: Notifications). Please also see our pages on the Limited Network Exclusion (LNE)[2] and Electronic Communications Exclusion (ECE)[3].
Withdrawals of payment account services
A credit institution may refuse a payment service provider’s (PSP) request to access payment account services, or withdraw existing services, only for duly motivated reasons which must be proportionate, objective, and non-discriminatory.
The credit institution must notify us of the refusal or withdrawal, and provide the reasons for refusal. We will use the information provided in this notification for the purposes of monitoring compliance with regulation 105 of the PSRs.
Account information services (AIS) / payment information services (PIS) denial of access
An account servicing payment service provider (ASPSP) that denies an account information service provider (AISP) or payment information service provider (PISP) access to payment service users’ payment accounts, must submit a notification to us.
Access may be denied if the ASPSP believes the request is unauthorised or fraudulent. The notification must include the details of the case and the reasons for taking action.
Major incident reporting
All PSPs must report to us using the Major Incident Notification form when they become aware of a major operational or security incident.
This form must be submitted within 4 hours of detecting the incident when we are open, or when we re-open.
Credit institutions providing (or intending to provide) account information or payment initiation services
Authorised deposit takers (credit institutions) do not need to seek additional permissions to offer AIS and PIS services, but do need to notify us of the addition to their business model.
The credit institution must provide a description of the AIS or PIS activity. We need this information to improve our understanding of the providers in this market. This will help us measure potential risks to consumers, as well as indicate how competition is working in the sector.
Notifications for firms
The technical standards on strong customer authentication and common and secure methods of communication (SCA-RTS) include the following notification requirements for firms.
Fraud rate notification – NOT004
Under the SCA-RTS, PSPs must apply strong customer authentication unless a relevant exemption applies. If PSPs make use of the SCA-RTS Article 18 transaction risk analysis exemption, they are required under SCA-RTS Article 20 to notify us when their monitored fraud rate exceeds the relevant applicable reference fraud rate. PSPs should notify us using NOT004.
Problems with a dedicated interface – NOT005
Under SCA-RTS Article 33(3), ASPSPs, AISPs and PISPs must report problems with dedicated interfaces to us. In the event of unplanned unavailability or a systems breakdown of a dedicated interface, as defined under SCA-RTS Article 33(1), ASPSPs, AISPs and PISPs should use NOT005 to notify us.
