Regulatory Technical Standards - Frequently Asked Questions

What is Platform-as-a-Service?

Platform as a service (PaaS) is a development and deployment environment in the cloud containing the resources that enable delivery of anything from simple cloud-based apps to sophisticated enterprise applications.

What next for the Open Banking Implementation Entity once it has implemented the UK's Open Banking framework?

In June 2020, UK Finance (a cross-sector trade body that includes the members of the CMA9) commissioned Accenture UK to propose a roadmap for the post-implementation strategy of OBIE. The resulting report is titled 'Open Banking Future State'.

What are the PFM (Personal Finance Management) use cases?

By allowing Account Information Service Providers (AISP) to access consumer accounts, Open Banking supports a number of Personal Finance Management (PFM) use cases. Some typical examples are budgeting and transaction categorisation, and more advanced providers are able to provide intelligent forecasting.

Examples of PFM apps include Cake (https://cake.app) and Emma (https://emma-app.com).

Are UK financial institutions obliged to use the Open Banking Implementation Entity interface?

There is currently no obligation for UK registered organisations to use the Open Banking Implementation Entity (OBIE) interface. The use of the OBIE interface is free, and although organisations are required to register with the Financial Conduct Authority (FCA), they are not required to register with the OBIE.

In general, any interface should be fit for purpose and able to support widespread usage. This means that using the OBIE interface would be sensible for a UK firm but it does not prevent them from using an alternative national or commercial interface.

What is the proposition behind using a Banking-as-a-Service (BaaS) provider?

A 'BaaS' provider is a licensed financial institution which is able to provide digital payment services to a non-banking business.

For example, a high street retailer might decide they want to offer their customers their own, branded, payment card. The retailer believes that this will help build customer engagement and facilitate their loyalty programme. The retailer also knows that the card will reveal the customer's payment data, which it intends to use to improve its marketing and product offerings.

Rather than setting up their own bank or payment institution, the retailer could choose to offer this card (and other banking services such as loans and accounts) through a BaaS provider. Because the provider is already licensed, it can bring the retailer's offering to market much more quickly and at a far lower cost.

The BaaS provider does this via an Application Programming Interface (API) which provides a secure and reliable connection to the retailer, enabling customers to access banking services directly through the retailer's own app. As the retailer is effectively an intermediary between the customer and the BaaS provider, it is spared the associated regulatory and compliance burdens.

How could Open Banking help with sales of goods and services which require identity or age verification?

Identity verification often comes with cumbersome processes for businesses that create sales friction. Open Banking can often solve that problem. For high value transactions or age-related products and services, your business may rely on documents being sent and analysed before decisions can be made. Instead, with the customer's consent to access their bank details, the data comes from a bank where it has already been checked and verified. This can be used as a digital ID, meaning you can drive sales at a faster pace and improve service delivery.

What product features are criminals attracted to when laundering money through a financial institution?

Some products are more susceptible to being used for money laundering or terrorist financing purposes. Features that criminals are attracted to include:

- anonymity;
- unlimited spend;
- international transactions;
- lack of paper trails;
- simplified or absent due diligence;
- limited validation processes;
- unverified funding sources;
- cash acceptance;
- settlement methods.

What is a basic worked example of Enterprise Risk?

Risk Number: RA1

Risk Type: Customer Risk

Sub-Risk Type: An applicant is, or becomes, a politically exposed person (PEP) which could create a risk of exposure to the proceeds of corruption.

Inherent Risk: The risk is that a PEP uses our services to launder the proceeds of corruption obtained via the abuse of their political position.

Inherent Risk Rating: 7/10

Controls: Our organisation uses a service provided by PassFort automated via Dow Jones to screen applicants and clients against PEP lists. We carry out continuous monitoring on high-risk clients and PEPs undergo monthly re-screening against the updated lists. Where a PEP is identified, we undertake enhanced due diligence measures and seek additional information to better judge whether the client presents a higher risk.

Residual Risk Rating: 3/10

What is proportionality and what does it mean in the context of the European Banking Authority (EBA) guidelines on outsourcing?

The European Banking Authority (EBA) guidelines refer to another document, 'Guidelines on internal governance under Directive 2013/36/EU', for an explanation of proportionality.

Essentially, 'Payment Institutions (PI) should take into account their size and internal organisation, and the nature, scale and complexity of their activities, when developing and implementing internal governance arrangements. Significant PIs should have more sophisticated governance arrangements, while small and less complex PIs may implement simpler governance arrangements.'

Unfortunately there is no definition of 'simpler governance arrangements'.

The following criteria should be taken into account by PIs and competent authorities:

- the size in terms of the balance-sheet total of the PI and its subsidiaries within the scope of prudential consolidation;
- the geographical presence of the PI and the size of its operations in each jurisdiction;
- the legal form of the PI, including whether the PI is part of a group and, if so, the proportionality assessment for the group;
- whether the PI is listed or not;
- whether the PI is authorised to use internal models for the measurement of capital requirements (e.g. the Internal Ratings Based Approach);
- the type of authorised activities and services performed by the PI (e.g. see also Annex 1 to Directive 2013/36/EU and Annex 1 to Directive 2014/65/EU);
- the underlying business model and strategy; the nature and complexity of the business activities, and the PI’s organisational structure;
- the risk strategy, risk appetite and actual risk profile of the PI, taking into account also the result of the SREP capital and SREP liquidity assessments;
- the ownership and funding structure of the PI;
- the type of clients (e.g. retail, corporate, institutional, small businesses, public entities) and the complexity of the products or contracts;
- the outsourced activities and distribution channels; and
- the existing information technology (IT) systems, including continuity systems and outsourcing activities in this area.

For the avoidance of doubt, it is probably safest to implement all of the controls and processes mentioned in the EBA guidelines on outsourcing.

What is Digital Transformation?

Essays have been written but Digital Transformation (DT or DX) is fundamentally the adoption of digital technology to transform services or businesses.

Do I need a business continuity plan when making an application to become authorised as a payment institution?

Yes, the application will need to provide a description of the business continuity arrangements.

What is the difference between an Electronic Money Institution (EMI) and a Small EMI?

The difference centres around the Electronic Money Institution's (EMI) size and business activities. If an EMI's total business activities generate less than €5 million outstanding e-money, and the EMI does not require passporting rights, it might be able to register as a 'small EMI'. Registering as a 'small EMI' is generally cheaper than authorisation.

(c) The Financial Conduct Authority