Karina McTeague speech on retail banking and payments at the PayExpo 2017

Speaker: Karina McTeague, Director of Retail Banking Supervision
Event: PayExpo 2017, London
Delivered: 4 October 2017
Note: this is the speech as drafted and may differ from the delivered version

Highlights

• PSD2 opens up opportunities for businesses to develop new services to help consumers manage their money, to compare financial products, or to pay for things online.
• We expect firms to adhere to the principles of safety and security anticipated in the draft RTS.
• We expect firms to put the interests of their customers at the heart of their business models.

I’m delighted to have the opportunity to speak here today – at such an exciting time for banking and payments.

As director of Retail Banking supervision and sponsor for the FCA’s project to implement PSD2, I’m someone who lives and breathes banking and payments every day.

Payments sector is adapting to a 'new normal' and diversifying as it has never done before

So as you might imagine, I see that the payments sector is adapting to a ‘new normal’ and diversifying as it has never done before.

Amid all this change, the FCA is here to ensure the sector works in the interests of consumers and the wider economy. And today, I want to talk about three of the main drivers of that change that we’re seeing:

1. The increasing rate of innovation
2. Significant legislative change
3. And the evolving risk landscape

Innovation

The first thing I want to talk about is innovation in the sector. And there’s a reason I want to talk about this first – to bust the stereotype of the regulator who only talks about risks and rules.

As a regulator, we want the payments sector to work well. This means recognising the potential for positive change; not just the negative impacts that need to be mitigated.

We see innovation in the payments market creating real potential – for consumers and the market alike. Payments is the main touchpoint the vast majority of consumers have with financial services. And we are seeing innovation unlock potential to both improve financial access and help consumers manage their finances better, as well as more easily. What I find so interesting about this is that during my years as a retail banker, payments was seen as a backwater; a dependable revenue stream, but not the place to be ambitious or to push the boundaries.

Now we are seeing a paradigm shift. Driven by online and app-based commerce, many businesses want to ensure that ‘paying’ is not a ‘’painful’ customer journey. They also see opportunities to settle faster, and to shave down the costs of taking payments. This is driving the sector to innovate with faster and more seamless payments, which are more convenient for the merchant and the consumer.

Take Amazon as an example. It is reportedly offering physical supermarkets that do not require the customer to check out. Instead, purchases are recorded using tracking technology and smart algorithms, and funds are debited from the customer’s account as they leave.

This blend of technological and payments innovation could have a profound effect on consumer behaviour. Of course, this effect may not be positive for all consumers, and firms will have to consider any possible side effects carefully. For example, the Money and Mental Health Policy Institute recently flagged the risk that reduced friction, such as that planned by Amazon, can drive increased impulsivity – and negative outcomes for vulnerable consumers.

That said, this trend toward more innovation in payments also includes positive step changes in security, such as the use of biometrics as part of the authentication process. This can reduce friction in the customer journey and be good for the industry, assuming it can increase security and simplify the process of making a payment.

It can also save customers from having to remember their security credentials for each provider they use. But, whilst a move to biometrics may increase security and convenience for customers, firms must also ensure that the biometric data can’t be compromised when they are stored or transmitted. For example, if my PIN has been compromised, if I have to change it, I may have ten thousand potential combinations for a new PIN. But, if my fingerprint data has been compromised, I only have 9 fingers left.

So, where we see innovation, I think it goes without saying that we also need to see regulation – and regulators - keeping pace. And at the FCA, we have been actively working to support innovation in the banking and payments sectors.

Our Innovate initiative supports our overarching statutory objective of promoting competition in the interests of consumers, and demonstrates our deep commitment to innovation, and our willingness to think outside the usual regulatory box. We have provided direct support to dozens of firms in the payments sector to understand the implications of regulation for their business.

We have also worked with 42 firms, including those in the payments sector, in the first two cohorts of our Regulatory Sandbox. Here, both authorised and unauthorised firms - that meet our eligibility criteria - can test their ideas or products, on a limited number of real customers, for a limited duration, in a safe, supervised environment, overseen by the FCA to ensure consumers are protected – without incurring the full costs of regulation.

We have also supported increased competition and innovation in this market through our New Bank Start-up Unit, along with our fellow regulator, the Prudential Regulation Authority. The Unit acts as a one-stop shop for prospective entrants.

And these efforts are bearing fruit. In the five years to 2010 there was only one new UK retail bank authorisation. But, in the following five years there were five. And, since 2015, we’ve authorised a further nine UK retail banks.

We have also worked with the Bank of England to support increased competition by opening up access to the Real Time Gross Settlement system to non-banks.

Legislative change

Alongside this, we have seen, and continue to see, game-changing regulation and legislation in the payments sector.

The first Payment Services Directive created a new class of regulated entity – the ‘payment institution’. It led to a growth in the number of firms specialising and competing in services which, up until then, only traditional banks had offered. PSD transformed the payments landscape by removing legal barriers to new entrants, allowing them to operate on an equal footing to existing providers.

Many of the payment providers here today, and many of the innovations in payments over the last few years, owe some part of their origin to PSD. For example, the critical introduction of Faster Payments in the UK can be tracked back to the ‘D plus one’ requirements under PSD.

As you all know, there are now further - imminent - regulatory changes.

All EU Member States, including the UK, have committed to implement the directive by 13 January 2018. The General Data Protection Regulation comes into force in May next year; and to complete the PSD2 puzzle, the Regulatory Technical Standards on Strong Customer Authentication and Common and Secure Communication will, we understand, take effect from mid-2019.

Although this will come into effect amidst a backdrop of Brexit discussions the Government has made clear that it will continue to implement and apply EU law until the UK has left the EU. We are continuing to provide technical advice to HMT to support the EU withdrawal negotiations and related legislative changes. We are particularly concerned to ensure appropriate transitional and contingency plans are in place.

We benefit greatly from cooperation with other regulators in Europe and globally. It is important that we continue to be able to share information and data with EU counterparts post exit on regulatory changes such as PSD2.

With this in mind, let me turn my attention to the opportunities and requirements that we think PSD2 introduces.

PSD2 - opportunities

PSD2 is generally being hailed as a game-changer and, implemented effectively, it could certainly have a positive impact on the payments sector in a number of ways:

The first is enhanced consumer protection. By driving stronger standards of authentication, PSD2 can enhance security, making life more difficult for fraudsters.

PSD2 is generally being hailed as a game-changer and, implemented effectively, it could certainly have a positive impact on the payments sector

Fraud prevention is a priority for us all - given the distress to consumers caused by fraud, and the financial burden of fraud on payment service providers. And the PSD2 requirements for strong customer authentication are principles-based, helping to future-proof the regulations for future technological changes.

The second potential positive is the creation of new and more convenient ways, for consumers to manage their finances.

PSD2 opens up opportunities for businesses to develop new services to help consumers manage their money, to compare financial products, or to pay for things online. It also offers consumers greater convenience.

For example, through Account Information Services, you can easily imagine a bank customer downloading a secure app that collects data from their online accounts, analyses their spending, and suggests ways to save money - such as changing their utility supplier.

This is ultimately only possible, of course, because PSD2 will let consumers control their bank account data, choose who gets to access it, and what they can do with it. Albeit these services will only be provided with customer consent - which can be withdrawn at any time.

On other side of the equation, I’ve also no doubt there are many merchants here today who are looking for better, and cheaper ways to receive payments from their customers. And you should benefit from PSD2’s intention to drive more competition and to support more innovative ways to pay. You should also benefit from the increased transparency and consistency PSD2 brings in the charges for cross-border payments.

So we welcome the direction of travel that PSD2 sets, the intention behind the legislation, and the market outcomes it seeks to achieve - which chime closely with our own Mission and objectives.

Our goal is to ensure that the implementation of PSD2 supports greater competition and innovation, in a manner that is safe, secure and in the interests of consumers.

We released our Approach Document to PSD2 last month. It provides guidance on the FCA’s approach to payment services and electronic money, as well as firms’ obligations. I do recommend that firms read this.

Our goal is to ensure that the implementation of PSD2 supports greater competition and innovation, in a manner that is safe, secure and in the interests of consumers

I also want to reinforce to you the importance of the regulatory requirements that come with the benefits of PSD2 - because it is not just an exercise in implementing a piece of law.

Ultimately, it is about delivering positive and lasting change in the payments sector, in the interests of consumers. January 2018 will mark a significant step forward in the journey that will allow consumers to take control, not only of whose financial products they use, but of how they leverage their own information from their online payment accounts.

But, whilst the PSD2 implementing legislation comes into effect in January, the Regulatory Technical Standards that prescribe the safety and security requirements for PSD2 are still being considered at the European level. It seems unlikely they will be in place until mid-2019. This means a ‘transitional period’ while we wait for these standards to come into effect.

We recognise that this creates uncertainty for businesses. So, in July, we and HMT issued a joint publication which gives more information on our expectations of firms during this pre-RTS period.

Broadly, we expect firms to adhere to the principles of safety and security anticipated in the draft RTS. So, for example, we expect that the firms concerned should:

• transmit credentials and data securely, in ways that safeguard against the risks of interception
• ensure that data are stored in ways that mitigate the risks of illegitimate access, and that credentials are only held if permitted under PSD2

During this pre-RTS period, we also expect, and encourage, a degree of cooperation between firms. So, for example:

• ASPSPs should not block the access of registered and authorised AISPs and PISPs except for reasonably justified and duly evidenced reasons related to unauthorised or fraudulent access or payments. This includes not blocking access via ‘screen scraping’ unless the ASPSP provides another suitable access route.
• ASPSPs should not take steps to dissuade customers from using these newly-regulated competitors’ services, for instance through their communications or terms and conditions; and
• AISPs and PISPs should be transparent and open about their identities when interacting with other firms, in order to limit the potential for criminal actors to operate in this space.

And this leads me to the closely related initiative – Open Banking. PSD2 and Open Banking share many of the same goals. They both seek to open up competition and innovation, whilst improving security. But they come from different heritages.

Open Banking

The driving principles behind Open Banking are relatively simple:–

• Customers should have more control over their data; and
• It should be easier for FinTechs, and other businesses, to make use of customers’ data, on their behalf, in a variety of helpful and innovative ways.

This explains why much of the work on Open Banking is focussing on opening up access to data, and using common standards. In this way, Open Banking can drive more competition in banking, improving outcomes for customers.

As many of you will know, last year the CMA announced that it would require nine of the UK’s largest banks to establish a common standard for opening up data on current accounts – crucially, with the customer’s consent.

We see benefits to consumers, and firms, if access to customer online data is made available according to common standards and using secure common infrastructure. Standardisation can enhance security across the industry. It can also support innovation by reducing barriers to entry – as third parties won’t have to integrate with different technology on a firm-by-firm basis.

And this, essentially, is why the FCA is supportive of the CMA’s Open Banking remedy. Indeed, we regard Open Banking as a facilitator for delivering the PSD2 objectives. We therefore encourage firms to use common and secure data sharing standards including those being developed as part of the Open Banking project.

Risk landscape

I’ve left discussion on risks (and a return to regulatory stereotype) to the end. Not because it is least important. Far from it. The nature of the risk landscape is evolving. The profile of risks firms and the sector face are not the same as they used to be.

But for the benefits of PSD2 to be realised – for consumers, business and the market – everyone needs to understand their role in managing those risks in the spirit of the PSD2 objectives.

I want to cover three of the key risks the FCA will be looking for firms to focus on when implementing PSD2, and beyond:

1. IT stability and security, especially cyber
2. Fraud
3. Conduct risks

Let me tackle IT stability first.

We are facing an ever-growing cyber threat, where even our fridges can be commandeered to become an attack vector. And a cyber-attack in one part of the ecosystem can damage another part of the ecosystem – especially given the increased global connectivity - as demonstrated by the compromise of the Bank of Bangladesh.

Payment firms will access and hold a significant amount of customer information, transaction history and, in some cases, be able to trigger payments. This makes them prime targets for cybercrime. We therefore expect firms to have:

• appropriate security measures to guard against cyber-attacks. For example, Cyber Essentials certification will help to demonstrate a firm’s approach to meeting our requirements when we are considering its security arrangements
• robust systems, policies and processes in relation to security, access to sensitive data, governance, business continuity arrangements, and management of ‘outsourced’ services

As part of the increased protections provided by PSD2, firms have to submit major incident reports. We will be reviewing these, at individual firm level, and across the sector to inform our supervisory strategy.

We will also be reviewing firms’ annual operating and security risk assessments to determine how effectively they are managing their operational and security risks, and to determine the adequacy of their measures and controls to mitigate those risks.

But strong security is not enough. Even mature, well-funded organisations cannot fully counter the threats in isolation. Hence we need better collaboration amongst industry, and with government, to share intelligence to keep us safe and secure in the future.

On my second key risk, fraud, I want to stress the importance of working together to limit the potential for malicious actors.

Pending formal implementation of the Regulatory Technical Standards, we expect all firms to have in place policies and procedures to monitor, identify and prevent fraud - keeping their customers’ data safe and secure.

Moreover, we expect firms to ensure that customers receive clear and consistent messages on open banking and access to online accounts.

We will be reviewing the Fraud Reports submitted by firms to determine the effectiveness of their fraud detection and prevention capabilities, and to gain an overview of the sector.

Of course, consumers, too, need to be ever-vigilant to fraud, particularly when they are online. Consumers should keep an eye on their finances, and query unexpected activity on their accounts with their bank or account provider.

My third, and final risk is conduct. As the Conduct Regulator, we expect firms to put the interests of their customers at the heart of their business models. Indeed, the very success of PSD2 is predicated on public confidence. And that means:

• firms helping their customers understand what it is they’re consenting to, such as:
  • the degree of access they are providing to their account
  • what account data will be shared, and with whom
  • how their information will be used
• helping their customers understand the pros and cons of different payment mechanisms
• ensuring their customers know what to do, and where to go, if they are not happy with the service, or want to withdraw consent
• finally, when a customer suffers loss, ensuring the customer is not caught in the middle of a dispute between firms fighting amongst themselves as to who is at fault

To close, I’d like to make an observation given that today marks sixty years since the launch of Sputnik, which brought humanity to the stars and kicked off a period of innovation which brought with it much of the technology we rely on today.

I think, given some of the key themes we discussed here today, we could soon see our own ‘space race’ in payments, with competition creating better outcomes. Would it be a pun too far to say that I am hoping for stratospheric levels of innovation and benefits to consumers?

So I’ll finish by wishing the best of luck to firms stepping up to the plate to compete in the new world of PSD2. Our authorisation window opens this month on Friday the 13th - which is not an omen, I can assure you!

Thank you.