The Financial Conduct Authority (FCA) has proposed some significant and welcome regulatory changes to boost Open Banking's growth and adoption in the UK. The proposals will help remove well-known hurdles to better customer experiences and lower barriers to innovation and competition. The changes will help consolidate the UK's position as a leader in Open Banking and prepare the ground for its expansion to Open Finance. Nevertheless, some changes will involve significant effort and investment for some account providers and will take time to implement.
Just a month after the end of the Brexit transition period, the FCA has already used its newfound autonomy to propose amendments to the Open Banking regulatory framework to boost its adoption.
The amendments concern the Payment Services Directive (PSD2) Strong Customer Authentication (SCA) and secure communications regulatory technical standards – now known in the UK as SCA-RTS. [1] [2]
These rules govern the secure exchange of information between payments account providers and third-party providers (TPPs), as well as how and under what circumstances a customer’s identity needs to be authenticated. The FCA proposes two key changes that both industry and customers have been clamoring for, with good reason.
First, the FCA proposes a new exemption so that banks and credit card companies will no longer have to require that customers using account information services (e.g. a money management app) undergo SCA every 90 days. SCA will only be necessary when customers first connect their account to a TPP service. Instead, the onus will be on TPPs to reconfirm every three months the customer’s explicit consent to grant them access to their payments account information. This is a very positive step. Re-authentication requirements have been cumbersome and an impediment to seamless customer journeys. SCA glitches and related service interruptions erode customer confidence in TPPs and have been slowing down the adoption and launch of new account information services.
The second key change concerns the interfaces offered by account providers through which TPPs can access payments accounts information securely. The FCA is proposing to make dedicated interfaces mandatory for most payment accounts.[3]
Currently, account providers can either offer a dedicated interface – typically using Application Programming Interfaces (APIs) – or a modified customer interface (MCI) – usually based on the customer’s existing online banking platforms. However, MCIs are not standardised and are notoriously difficult and costly for TPPs to access. Because SCA is usually required each time a TPP needs to connect, they also provide a very poor customer experience. MCIs are also much less secure than APIs. They provide unrestricted access to all data available via the online banking platform and rely on TPPs to use only the payment information they are allowed to obtain under PSD2.
While mandating the use of dedicated interfaces is sensible, the FCA acknowledges this will involve significant costs and effort for some account providers. To give firms enough time to prepare, the FCA proposes an 18-month implementation phase, starting from the publication of final changes to the SCA-RTS later this year.
The FCA is also consulting on other changes. These relate to requirements for publishing technical specifications for dedicated interfaces, the availability of testing facilities, and fallback mechanisms used by account providers. It is also proposing to increase the limit for contactless card payments further, in recognition of changing consumer behaviour during the pandemic and the continuing low level of fraud. The FCA proposes to increase the limit for single transactions from £45 to £100 (or potentially £120), while the threshold for cumulative transactions would increase to £200 from the current £130.
We believe industry and consumers will welcome the FCA’s proposals overall. If adopted, they should help achieve a better balance between consumer protection, user experience, and reliability of TPPs' services. This in turn will support further innovation and competition. It will also help secure the UK’s position as a leader in Open Banking, as the FCA sets out its expansion into Open Finance over the next few years.
Footnotes:
[1] PSD2 was transposed into UK law by the Payment Services Regulations 2017.
[2] The EU Regulatory Technical Standards for strong customer authentication and common and secure open standards of communication (EU‑RTS). The UK amended the PSRs in response to the UK’s withdrawal from the EU to require firms to comply with technical standards made by the FCA (SCA‑RTS) instead of the EU‑RTS. The SCA‑RTS is currently substantially the same as the EU RTS.
[3] This requirement will apply to personal and SME ‘current accounts’ – payment accounts under the Payment Account Regulations – and credit card accounts held by consumers or SMEs.