Clifford Chance

There has been a renewed focus on the payments sector and its regulation. COVID-19 and its impact on spending habits and the Wirecard scandal are two of the contributing factors. But what’s next? We explore five themes likely to drive regulatory change for payments, as well as shape the enforcement policies of global regulators over the next 12 months. In part five we lokk at the continued expansion of Open Banking and Open Finance.

Various jurisdictions have introduced (or are in the process of introducing) Open Banking regimes, allowing third-party payment service providers (TPPs) to initiate payments or access account information on behalf of customers. Competition is a key concern and driver for regulators overseeing such initiatives, with regulators expecting that firms will meet their regulatory responsibilities while competing on quality and value.

The UK

In the UK, initial take-up of Open Banking has been slow but steady, with over 2 million users at the start of 2021 (doubling in a year). We expect this to continue in 2021, as TPPs launch new products and customers become more confident about sharing data with regulated TPPs.

Perhaps more significant is the potential expansion of Open Banking to other types of accounts and financial products under a broader “Open Finance” initiative. For example, the UK Pensions Schemes Bill introduced in Spring 2020 includes a legislative framework that would enable individuals to view all their existing pension pots in a single dashboard format. The UK has also been considering other similar initiatives as part of its Smart Data review and the UK government published its proposed Next steps for Smart Data in September 2020. However, it will inevitably take time to develop legislative frameworks for further initiatives, which will be needed to ensure that third party providers are regulated where appropriate and to provide clarity around important issues such as security, consent, data use, privacy and ethics.

The rules on TPP access, strong customer authentication (SCA) and secure communication standards under the recast EU Payment Services Directive address some of these concerns in the context of Open Banking.

Following delays in implementation due to the impact of COVID-19, 2021 will see the SCA rules being applied in the UK, likely subject to minor changes being proposed by the FCA in its new consultation paper CP21/3.

The FCA expects firms to be working towards their compliance milestones in line with the agreed UK Finance SCA implementation plan well in advance of the 14 September 2021 deadline. The FCA has stated “any firm that fails to comply with the [SCA] requirements … will be subject to full FCA supervisory and enforcement action.” Firms are required to have reached a state of ‘market readiness’ by 31 May 2021 and ‘full ramp up’ by 13 September 2021, all with minimum customer disruption. UK Finance has stated that issuers will need to start checking randomly if e-commerce transactions are SCA compliant, and soft decline them if they are not. This means that payment service providers, gateways, e-merchants, and technology providers will need to be ready for SCA by the end of May 2021, to avoid any unnecessary declines.

For broader Open Finance initiatives, the FCA proposed “a new rights framework” in its December 2019 Call for Input on Open Finance, consisting of seven principles for data protection, complaints handling and customer consent tools. Responses to the call have outlined concerns that it would be very costly to extend the Open Banking access and consent model to other financial products, and that the proposed consent and tracking tools may be better provided by third parties. This indicates that we are likely to see further FCA consultation on this topic in 2021.

Singapore

In Singapore, Open Banking has been largely facilitated by the Monetary Authority of Singapore (MAS), which has encouraged banks to adopt application programming interfaces (APIs) since 2016 with the development of a financial industry API playbook. To promote Open Banking and facilitate the adoption of open APIs, the MAS has also led several other initiatives, such as the 2018 launch of the API Exchange, an open architecture API marketplace and sandbox platform.

In December 2020, Singapore also saw the launch of the Singapore Financial Data Exchange (SGFinDex), the world’s first public digital infrastructure, jointly developed by the public sector in collaboration with the banking industry.

The SGFinDex uses a national digital identity and centrally managed online consent system to allow individuals to access the financial information held across different government agencies and financial institutions. As a public digital infrastructure, stringent security measures are in place to safeguard personal data, and the authentication and authorisation process is underpinned by the use of the national digital identity. Participating financial institutions continue to be subject to existing personal data protection legislation when participating in this initiative. In the next phase of SGFinDex, it is envisaged that individuals will be able to access information on their insurance policies held with insurers and their holdings of stocks at the Central Depository of Singapore.

In 2021, we expect to see increased digital innovation and competition between financial services providers in Singapore arising from the use of SGFinDex, and further government initiatives to support the push towards Open Banking.

Japan

In Japan, the Open Banking regime was introduced from June 2018 to regulate electronic payment service providers (EPSPs), which initiate payments or access bank account information on behalf of customers. However, broader Open Banking principles have been reflected for non-bank fund transfer service providers (FTSPs) that offer payment services using funds cashed out from customers’ bank accounts since that licensing system was established in 2010. Although these new payment services have blossomed with government support, there has been tension with banks. In the wake of a scandal, where customer money was stolen from bank accounts which were breached via FTSP accounts in September 2020, the level of customer authentication and cyber security management requested of regulated EPSPs and FTSPs has become stricter. While the Fair Trade Committee of Japan noted in an April 2020 report that the current level of fees charged by banks could be an impediment to EPSPs or FTSPs building sustainable businesses, and encouraged banks and the

Japanese Bankers Association to resolve these issues, payment service providers will face increased costs arising from a higher standard of establishing and maintaining security measures to access the banking system.

The Middle East

Whilst still in its infancy in the Middle East, local regulators are placing an increasing focus on Open Banking and several regimes are being developed. The Central Bank of Bahrain (CBB) has taken the lead in introducing Open Banking regulations in the region, with amendments to the CBB rulebooks made in December 2018. Following the 2018 establishment of a regulatory sandbox, in January 2021 the Saudi Central Bank (SAMA) announced the issuance of its new Open Banking policy. SAMA plans to launch a new Open Banking regime during the first half of 2022. Related developments have also taken place in the UAE in respect of the regulation of electronic payment and stored value systems such as e-wallets and mobile payments. 2020 saw an overhauling of the regulatory framework for digital payments across the UAE. The UAE Central Bank replaced its 2017 stored value regulations and introduced detailed provisions on licensing and operating digital payment businesses onshore in the UAE, as well as an express prohibition on the operation and marketing of foreign stored value facilities. It has also proposed a further draft regulation on retail payment services and card schemes, setting out a comprehensive regime for the regulation of payment services and seeking to align with international standards. The UAE’s financial free zones, the Abu Dhabi Global Market and Dubai International Financial Centre, similarly issued updated and comprehensive regulatory frameworks governing money services businesses, to bring their standards broadly in line with the EU Payment Services Directive. Whilst these new frameworks bring the UAE and its financial free zones closer to international standards in this area, the barriers to entry into the UAE market have been raised. Whereas firms previously did not require a formal licence, there is now a comprehensive framework in line with international standards.