The Payment Services Regulations 2017

PART 7 U.K.Rights and Obligations in Relation to the Provision of Payment Services

ApplicationU.K.

Application of Part 7U.K.

63.—(1) This Part applies to payment services where—

(a)the services are provided from an establishment maintained by a payment service provider or its agent in the United Kingdom; and

(b)the services are provided in one of the following circumstances—

(i)the payment service providers of both the payer and the payee are located within [F1the United Kingdom] and the service relates to a transaction in [F2sterling];

[F3(ia)the payment service providers of both the payer and the payee are located within the qualifying area and the service relates to a transaction in euro executed under a payment scheme which operates across the qualifying area;]

(ii)the payment service providers of both the payer and the payee are located within [F4the United Kingdom] and the service relates to a transaction in a currency other than [F5sterling or euro]; or

(iii)the payment service provider of either the payer or the payee, but not both, is located within the [F6United Kingdom and the case does not fall within paragraph (ia)].

[F7(1A) In paragraph (1)(b)(ia)—

(a)“payment service provider” includes any person who is a PSP as defined in Article 2(8B) of the SEPA regulation;

(b)“the qualifying area” means the area of the United Kingdom and the EEA States.]

(2) In the circumstances mentioned at paragraph (1)(b)(ii)—

(a)this Part applies only in respect of those parts of a transaction which are carried out in the [F8United Kingdom]; and

(b)regulations 84 to 88 (amounts transferred and received and execution time) do not apply.

(3) In the circumstances mentioned at paragraph (1)(b)(iii)—

(a)this Part applies only in respect of those parts of a transaction which are carried out in the [F9United Kingdom]; and

(b)regulations 66(2) (responsibility for charges), 79 (refunds for direct debits), 80 (requests for direct debit refunds), 84 (amounts transferred and received), 86(1) to (3) (execution time for transactions to a payment account), 91 (defective execution of payer-initiated transactions), 92 (defective execution of payee-initiated transactions), 94 (liability for charges and interest) and 95 (right of recourse) do not apply.

(4) This Part does not apply to registered account information service providers F10..., except for regulations 70 (access to payment accounts for account information services), 71(7) to (10) (denial of access to payment accounts), 72(3) (payment service user's obligation to keep personalised security credentials safe) and 98 to 100 (risk management, incident reporting, authentication and dispute resolution).

(5) Where the payment service user is not a consumer, a micro-enterprise or a charity, the payment service user and the payment service provider may agree that—

(a)any or all of regulations 66(1) (charges), 67(3) and (4) (withdrawal of consent), 75 (evidence on authentication and execution), 77 (payer or payee's liability for unauthorised transactions), 79 (refunds for direct debits), 80 (requests for direct debit refunds), 83 (revocation of a payment order), 91 (defective execution of payer-initiated transactions), 92 (defective execution of payee-initiated transactions) and 94 (liability for charges and interest) do not apply;

(b)a different time period applies for the purposes of regulation 74(1) (notification of unauthorised or incorrectly executed payment transactions).

Application of this Part in the case of consumer credit agreementsU.K.

64.—(1) This regulation applies where a payment service is provided in relation to payment transactions that consist of the placing, transferring or withdrawal of funds covered by a credit line provided under a regulated agreement.

(2) Regulation 71(2) to (5) (limits on the use of payment instruments) do not apply where section 98A(4) of the Consumer Credit Act 1974 (termination etc of open-end consumer credit agreements) M1 applies.

(3) Regulations 76(1) to (4) and 77(1) to (5) (rectification of and liability for unauthorised transactions), and regulation 74 (notification and rectification of unauthorised or incorrectly executed payment transactions) as it applies in relation to regulation 76, do not apply.

(4) Regulations 76(5) and 77(6) apply as if—

(a)in regulation 76(5), the references to an unauthorised payment transaction were to a payment transaction initiated by use of a credit facility in the circumstances described in section 83(1) of the Consumer Credit Act 1974 (liability for misuse of credit facilities);

(b)the references to complying with regulation 76(1) were to compensating the payer for loss arising as described in section 83(1) of the Consumer Credit Act 1974.

Disapplication of certain regulations in the case of low value payment instrumentsU.K.

65.—(1) This regulation applies in respect of payment instruments which, under the framework contract governing their use—

(a)can be used only to execute individual payment transactions of 30 euros or less, or in relation to payment transactions executed wholly within the United Kingdom, 60 euros or less;

(b)have a spending limit of 150 euros, or where payment transactions must be executed wholly within the United Kingdom, 300 euros; or

(c)store funds that do not exceed 500 euros at any time.

(2) Where this regulation applies the parties may agree that—

(a)regulations 72(1)(b) (obligation to notify loss or misuse of instrument), 73(1)(c), (d) and (e) (means of notifying loss) and 77(4) (payer not liable for certain losses) do not apply where the payment instrument does not allow for the stopping or prevention of its use;

(b)regulations 75 (evidence on authentication and execution), 76 (payment service provider's liability for unauthorised transactions) and 77(1) and (2) (payer's liability for unauthorised transactions) do not apply where the payment instrument is used anonymously or the payment service provider is not in a position, for other reasons concerning the payment instrument, to prove that a payment transaction was authorised;

(c)despite regulation 82(1) (refusal of payment orders), the payment service provider is not required to notify the payment service user of the refusal of a payment order if the non-execution is apparent from the context;

(d)the payer may not revoke the payment order under regulation 83 after transmitting the payment order or giving their consent to execute the payment transaction to the payee;

(e)execution periods other than those provided by regulations 86 (payment transactions to payment account) and 87 (absence of payment account) apply.

(3) Subject to paragraph (2)(b), regulations 76 (payment service provider's liability for unauthorised transactions) and 77(1) and (2) (payer's liability for unauthorised transactions) apply to electronic money unless the payer's payment service provider does not have the ability under the contract to—

(a)freeze the payment account on which the electronic money is stored; or

(b)stop the use of the payment instrument.

ChargesU.K.

ChargesU.K.

66.—(1) The payment service provider may only charge the payment service user for the fulfilment of any of its obligations under this Part—

(a)in accordance with regulation 82(3) (refusal of payment orders), 83(6) (revocation of a payment order) or 90(2)(b) (incorrect unique identifiers);

(b)where agreed between the parties; and

(c)where such charges reasonably correspond to the payment service provider's actual costs.

(2) Where both the payer's and the payee's payment service providers, or the only payment service provider, in respect of a payment transaction are within the [F11United Kingdom], the respective payment service providers must ensure that—

(a)the payee pays any charges levied by the payee's payment service provider; and

(b)the payer pays any charges levied by the payer's payment service provider.

[F12(2A) Where, in respect of payment transaction in euro executed under a payment scheme which operates across the qualifying area, both the payer's and the payee's payment service providers are, or the only payment service provider is, in the United Kingdom the respective payment service providers must ensure that—

(a)the payee pays any charges levied by the payee's payment service provider; and

(b)the payer pays any charges levied by the payer's payment service provider.]

(3) The payee's payment service provider may not prevent the payee from—

(a)requesting payment of a charge by the payer for the use of a particular payment instrument;

(b)offering a reduction to the payer for the use of a particular payment instrument; or

(c)otherwise steering the payer towards the use of a particular payment instrument.

[F13(4) In paragraph (2A)—

(a)“payment service provider” includes any person who is a PSP as defined in Article 2(8B) of the SEPA regulation;

(b)“the qualifying area” means the area of the United Kingdom and the EEA States.]

Authorisation of payment transactionsU.K.

Consent and withdrawal of consentU.K.

67.—(1) A payment transaction is to be regarded as having been authorised by the payer for the purposes of this Part only if the payer has given its consent to—

(a)the execution of the payment transaction; or

(b)the execution of a series of payment transactions of which that payment transaction forms part.

(2) Such consent—

(a)may be given before or, if agreed between the payer and its payment service provider, after the execution of the payment transaction;

(b)must be given in the form, and in accordance with the procedure, agreed between the payer and its payment service provider; and

(c)may be given via the payee or a payment initiation service provider.

(3) The payer may withdraw its consent to a payment transaction at any time before the point at which the payment order can no longer be revoked under regulation 83 (revocation of a payment order).

(4) Subject to regulation 83(3) to (5), the payer may withdraw its consent to the execution of a series of payment transactions at any time with the effect that any future payment transactions are not regarded as authorised for the purposes of this Part.

Confirmation of availability of funds for card-based payment transactionsU.K.

68.—(1) This regulation does not apply to payment transactions initiated through card-based payment instruments on which electronic money is stored.

(2) Where the conditions in paragraph (3) are met, a payment service provider which issues card-based payment instruments may request that an account servicing payment service provider confirm whether an amount necessary for the execution of a card-based payment transaction is available on the payment account of the payer.

(3) The conditions are that—

(a)the payer has given explicit consent to the payment service provider to request the confirmation;

(b)the payer has initiated a payment transaction for the amount in question using a card-based payment instrument issued by the payment service provider making the request;

(c)the payment service provider making the request complies, for each request, with the authentication and secure communication requirements set out in the [F14technical standards made under regulation 106A] in its communications with the account servicing payment service provider.

(4) If the conditions in paragraph (5) are met, an account servicing payment service provider which receives a request under paragraph (2) must provide the requested confirmation, in the form of a ‘yes’ or ‘no’ answer, to the requesting payment service provider immediately.

(5) The conditions are that—

(a)the payment account is accessible online when the account servicing payment service provider receives the request; and

(b)before the account servicing payment service provider receives the first request under paragraph (2) from the requesting payment service provider in relation to the payer's payment account, the payer has given the account servicing payment service provider explicit consent to provide confirmation in response to such requests by that payment service provider.

(6) If the payer so requests, the account servicing payment service provider must also inform the payer of the payment service provider which made the request under paragraph (2) and the answer provided under paragraph (4).

(7) An account servicing payment service provider must not—

(a)include with a confirmation provided under paragraph (4) a statement of the account balance; or

(b)block funds on a payer's payment account as a result of a request under paragraph (2).

(8) The payment service provider which makes a request under paragraph (2) must not—

(a)store any confirmation received under paragraph (4); or

(b)use the confirmation received for a purpose other than the execution of the card-based payment transaction for which the request was made.

Access to payment accounts for payment initiation servicesU.K.

69.—(1) This regulation applies only in relation to a payment account which is accessible online.

(2) Where a payer gives explicit consent in accordance with regulation 67 (consent and withdrawal of consent) for a payment to be executed through a payment initiation service provider, the payer's account servicing payment service provider must—

(a)communicate securely with the payment initiation service provider in accordance with the [F15technical standards made under regulation 106A];

(b)immediately after receipt of the payment order from the payment initiation service provider, provide or make available to the payment initiation service provider all information on the initiation of the payment transaction and all information accessible to the account servicing payment service provider regarding the execution of the payment transaction;

(c)treat the payment order in the same way as a payment order received directly from the payer, in particular in terms of timing, priority or charges, unless the account servicing payment service provider has objective reasons for treating the payment order differently;

(d)not require the payment initiation service provider to enter into a contract before complying with the preceding sub-paragraphs.

(3) A payment initiation service provider must—

(a)not hold a payer's funds in connection with the provision of the payment initiation service at any time;

(b)ensure that a payer's personalised security credentials are—

(i)not accessible to other parties, with the exception of the issuer of the credentials; and

(ii)transmitted through safe and efficient channels;

(c)ensure that any other information about a payer is not provided to any person except a payee, and is provided to the payee only with the payer's explicit consent;

(d)each time it initiates a payment order, identify itself to the account servicing payment service provider and communicate with the account servicing payment service provider, the payer and the payee in a secure way in accordance with the [F16technical standards made under regulation 106A];

(e)not store sensitive payment data of the payment service user;

(f)not request any information from a payer except information required to provide the payment initiation service;

(g)not use, access or store any information for any purpose except for the provision of a payment initiation service explicitly requested by a payer;

(h)not change the amount, the payee or any other feature of a transaction notified to it by the payer.

Access to payment accounts for account information servicesU.K.

70.—(1) This regulation applies only in relation to a payment account which is accessible online.

(2) Where a payment service user uses an account information service, the payment service user's account servicing payment service provider must—

(a)communicate securely with the account information service provider in accordance with the [F17technical standards made under regulation 106A];

(b)treat a data request from the account information service provider in the same way as a data request received directly from the payer, unless the account servicing payment service provider has objective reasons for treating the request differently;

(c)not require the account information service provider to enter into a contract before complying with the preceding sub-paragraphs.

(3) An account information service provider must—

(a)not provide account information services without the payment service user's explicit consent;

(b)ensure that the payment service user's personalised security credentials are—

(i)not accessible to other parties, with the exception of the issuer of the credentials; and

(ii)transmitted through safe and efficient channels;

(c)for each communication session, identify itself to the account servicing payment service provider and communicate securely with the account servicing payment service provider and the payment service user in accordance with the [F18technical standards made under regulation 106A];

(d)not access any information other than information from designated payment accounts and associated payment transactions;

(e)not request sensitive payment data linked to the payment accounts accessed;

(f)not use, access or store any information for any purpose except for the provision of the account information service explicitly requested by the payment service user.

Limits on the use of payment instruments and access to payment accountsU.K.

71.—(1) Where a specific payment instrument is used for the purpose of giving consent to the execution of a payment transaction, the payer and its payment service provider may agree on spending limits for any payment transactions executed through that payment instrument.

(2) A framework contract may provide for the payment service provider to have the right to stop the use of a payment instrument on reasonable grounds relating to—

(a)the security of the payment instrument;

(b)the suspected unauthorised or fraudulent use of the payment instrument; or

(c)in the case of a payment instrument with a credit line, a significantly increased risk that the payer may be unable to fulfil its liability to pay.

(3) The payment service provider must, in the manner agreed between the payment service provider and the payer and before carrying out any measures to stop the use of the payment instrument—

(a)inform the payer that it intends to stop the use of the payment instrument; and

(b)give its reasons for doing so.

(4) Where the payment service provider is unable to inform the payer in accordance with paragraph (3) before carrying out any measures to stop the use of the payment instrument, it must do so immediately after.

(5) Paragraphs (3) and (4) do not apply where provision of the information in accordance with paragraph (3) would compromise reasonable security measures or is otherwise unlawful.

(6) The payment service provider must allow the use of the payment instrument or replace it with a new payment instrument as soon as practicable after the reasons for stopping its use cease to exist.

(7) An account servicing payment service provider may deny an account information service provider or a payment initiation service provider access to a payment account for reasonably justified and duly evidenced reasons relating to unauthorised or fraudulent access to the payment account by that account information service provider or payment initiation service provider, including the unauthorised or fraudulent initiation of a payment transaction.

(8) If an account servicing payment service provider denies access to a payment account under paragraph (7)—

(a)the account servicing payment service provider must notify the payment service user of the denial of access and the reason for the denial of access, in the form agreed with the payment service user;

(b)the notification under sub-paragraph (a) must be provided before the denial of access if possible, or otherwise immediately after the denial of access;

(c)the account servicing payment service provider must immediately report the incident to the FCA in such form as the FCA may direct, and such report must include the details of the case and the reasons for taking action;

(d)the account servicing payment service provider must restore access to the account once the reasons for denying access no longer justify such denial of access.

(9) Paragraph (8)(a) and (b) do not apply if notifying the payment service user—

(a)would compromise reasonably justified security reasons; or

(b)is unlawful.

(10) When the FCA receives a report under paragraph (8)(c), it must assess the case and take such measures as it considers appropriate.

Obligations of the payment service user in relation to payment instruments and personalised security credentialsU.K.

72.—(1) A payment service user to whom a payment instrument has been issued must—

(a)use the payment instrument in accordance with the terms and conditions governing its issue and use; and

(b)notify the payment service provider in the agreed manner and without undue delay on becoming aware of the loss, theft, misappropriation or unauthorised use of the payment instrument.

(2) Paragraph (1)(a) applies only in relation to terms and conditions that are objective, non-discriminatory and proportionate.

(3) The payment service user must take all reasonable steps to keep safe personalised security credentials relating to a payment instrument or an account information service.

Obligations of the payment service provider in relation to payment instrumentsU.K.

73.—(1) A payment service provider issuing a payment instrument must—

(a)ensure that the personalised security credentials are not accessible to persons other than the payment service user to whom the payment instrument has been issued;

(b)not send an unsolicited payment instrument, except where a payment instrument already issued to a payment service user is to be replaced;

(c)ensure that appropriate means are available at all times to enable the payment service user to notify the payment service provider in accordance with regulation 72(1)(b) (notification of loss or unauthorised use of payment instrument) or to request that, in accordance with regulation 71(6), the use of the payment instrument is no longer stopped;

(d)on request, provide the payment service user at any time during a period of 18 months after the alleged date of notification under regulation 72(1)(b) with the means to prove that such notification to the payment service provider was made;

(e)provide the payment service user with an option to make a notification under regulation 72(1)(b) free of charge, and ensure that any costs charged are directly attributed to the replacement of the payment instrument;

(f)prevent any use of the payment instrument once notification has been made under regulation 72(1)(b).

(2) The payment service provider bears the risk of sending to the payment service user a payment instrument or any personalised security credentials relating to it.

Notification and rectification of unauthorised or incorrectly executed payment transactionsU.K.

74.—(1) A payment service user is entitled to redress under regulation 76, 91, 92, 93 or 94 (liability for unauthorised transactions, non-execution or defective or late execution of transactions, or charges and interest), only if it notifies the payment service provider without undue delay, and in any event no later than 13 months after the debit date, on becoming aware of any unauthorised or incorrectly executed payment transaction.

(2) Where the payment service provider has failed to provide or make available information concerning the payment transaction in accordance with Part 6 of these Regulations (information requirements for payment services), the payment service user is entitled to redress under the regulations referred to in paragraph (1) notwithstanding that the payment service user has failed to notify the payment service provider as mentioned in that paragraph.

Evidence on authentication and execution of payment transactionsU.K.

75.—(1) Where a payment service user—

(a)denies having authorised an executed payment transaction; or

(b)claims that a payment transaction has not been correctly executed,

it is for the payment service provider to prove that the payment transaction was authenticated, accurately recorded, entered in the payment service provider's accounts and not affected by a technical breakdown or some other deficiency in the service provided by the payment service provider.

(2) If a payment transaction was initiated through a payment initiation service provider, it is for the payment initiation service provider to prove that, within its sphere of competence, the payment transaction was authenticated, accurately recorded and not affected by a technical breakdown or other deficiency linked to the payment initiation service.

(3) Where a payment service user denies having authorised an executed payment transaction, the use of a payment instrument recorded by the payment service provider, including a payment initiation service provider where appropriate, is not in itself necessarily sufficient to prove either that—

(a)the payment transaction was authorised by the payer; or

(b)the payer acted fraudulently or failed with intent or gross negligence to comply with regulation 72 (user's obligations in relation to payment instruments and personalised security credentials).

(4) If a payment service provider, including a payment initiation service provider where appropriate, claims that a payer acted fraudulently or failed with intent or gross negligence to comply with regulation 72, the payment service provider must provide supporting evidence to the payer.

Payment service provider's liability for unauthorised payment transactionsU.K.

76.—(1) Subject to regulations 74 and 75, where an executed payment transaction was not authorised in accordance with regulation 67 (consent and withdrawal of consent), the payment service provider must—

(a)refund the amount of the unauthorised payment transaction to the payer; and

(b)where applicable, restore the debited payment account to the state it would have been in had the unauthorised payment transaction not taken place.

(2) The payment service provider must provide a refund under paragraph (1)(a) as soon as practicable, and in any event no later than the end of the business day following the day on which it becomes aware of the unauthorised transaction.

(3) Paragraph (2) does not apply where the payment service provider has reasonable grounds to suspect fraudulent behaviour by the payment service user and notifies a person mentioned in section 333A(2) of the Proceeds of Crime Act 2002 (tipping off: regulated sector) M2 of those grounds in writing.

(4) When crediting a payment account under paragraph (1)(b), a payment service provider must ensure that the credit value date is no later than the date on which the amount of the unauthorised payment transaction was debited.

(5) Where an unauthorised payment transaction was initiated through a payment initiation service provider—

(a)the account servicing payment service provider must comply with paragraph (1);

(b)if the payment initiation service provider is liable for the unauthorised payment transaction (in relation to which see regulation 75(2)) the payment initiation service provider must, on the request of the account servicing payment service provider, compensate the account servicing payment service provider immediately for the losses incurred or sums paid as a result of complying with paragraph (1), including the amount of the unauthorised transaction.

Payer or payee's liability for unauthorised payment transactionsU.K.

77.—(1) Subject to paragraphs (2), (3) and (4), a payment service provider which is liable under regulation 76(1) may require that the payer is liable up to a maximum of £35 for any losses incurred in respect of unauthorised payment transactions arising from the use of a lost or stolen payment instrument, or from the misappropriation of a payment instrument.

(2) Paragraph (1) does not apply if—

(a)the loss, theft or misappropriation of the payment instrument was not detectable by the payer prior to the payment, except where the payer acted fraudulently; or

(b)the loss was caused by acts or omissions of an employee, agent or branch of a payment service provider or of an entity which carried out activities on behalf of the payment service provider.

(3) The payer is liable for all losses incurred in respect of an unauthorised payment transaction where the payer—

(a)has acted fraudulently; or

(b)has with intent or gross negligence failed to comply with regulation 72 (obligations of the payment service user in relation to payment instruments and personalised security credentials).

(4) Except where the payer has acted fraudulently, the payer is not liable for any losses incurred in respect of an unauthorised payment transaction—

(a)arising after notification under regulation 72(1)(b);

(b)where the payment service provider has failed at any time to provide, in accordance with regulation 73(1)(c) (obligations of the payment service provider in relation to payment instruments), appropriate means for notification;

(c)where regulation 100 (authentication) requires the application of strong customer authentication, but the payer's payment service provider does not require strong customer authentication; or

(d)where the payment instrument has been used in connection with a distance contract (other than an excepted contract).

(5) In paragraph (4)(d)—

“distance contract” means a distance contract as defined by regulation 5 of the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013 (other definitions) M3;

“excepted contract” means a contract that—

(6) Where regulation 100 requires the application of strong customer authentication, but the payee or the payee's payment service provider does not accept strong customer authentication, the payee or the payee's payment service provider, or both (as the case may be), must compensate the payer's payment service provider for the losses incurred or sums paid as a result of complying with regulation 76(1).

Payment transactions where the transaction amount is not known in advanceU.K.

78.  Where a card-based payment transaction is initiated by or through the payee and the amount of the transaction is not known when the payer authorises the transaction—

(a)the payer's payment service provider may not block funds on the payer's payment account unless the payer has authorised the exact amount of the funds to be blocked; and

(b)the payer's payment service provider must release the blocked funds without undue delay after becoming aware of the amount of the payment transaction, and in any event immediately after receipt of the payment order.

Refunds for payment transactions initiated by or through a payeeU.K.

79.—(1) Where the conditions in paragraph (2) and the requirement in regulation 80(1) are satisfied, the payer is entitled to a refund from its payment service provider of the full amount of any authorised payment transaction initiated by or through the payee.

(2) The conditions are that—

(a)the authorisation did not specify the exact amount of the payment transaction when the authorisation was given in accordance with regulation 67 (consent and withdrawal of consent); and

(b)the amount of the payment transaction exceeded the amount that the payer could reasonably have expected taking into account the payer's previous spending pattern, the conditions of the framework contract and the circumstances of the case.

(3) The payer is entitled to an unconditional refund from its payment service provider of the full amount of any direct debit transactions of the type referred to in Article 1 of Regulation (EU) 260/2012 of the European Parliament and of the Council of 14th March 2012 establishing technical and business requirements for credit transfers and direct debits in euro and amending Regulation (EC) No 924/2009 M4.

(4) When crediting a payment account under paragraph (1), a payment service provider must ensure that the credit value date is no later than the date on which the amount of the unauthorised payment transaction was debited.

(5) For the purposes of paragraph (2)(b), the payer cannot rely on currency exchange fluctuations where the reference exchange rate provided under regulation 43(2)(d) or paragraph 3(b) of Schedule 4 was applied.

(6) The payer and payment service provider may agree in the framework contract that the right to a refund does not apply where—

(a)the payer has given consent directly to the payment service provider for the payment transaction to be executed; and

(b)if applicable, information on the payment transaction was provided or made available in an agreed manner to the payer for at least four weeks before the due date by the payment service provider or by the payee.

Requests for refunds for payment transactions initiated by or through a payeeU.K.

80.—(1) The payer must request a refund under regulation 79 from its payment service provider within 8 weeks from the date on which the funds were debited.

(2) The payment service provider may require the payer to provide such information as is reasonably necessary to prove that the conditions in regulation 79(2) are satisfied.

(3) The payment service provider must either—

(a)refund the full amount of the payment transaction; or

(b)provide justification for refusing to refund the payment transaction, indicating the bodies to which the payer may refer the matter if the payer does not accept the justification provided.

(4) Any refund or justification for refusing a refund must be provided within 10 business days of receiving a request for a refund or, where applicable, within 10 business days of receiving any further information requested under paragraph (2).

(5) If the payment service provider requires further information under paragraph (2), it may not refuse the refund until it has received further information from the payer.

Execution of payment transactionsU.K.

Receipt of payment ordersU.K.

81.—(1) A payer's payment service provider must not debit the payment account before receipt of a payment order.

(2) Subject to paragraphs (3) to (6), for the purposes of these Regulations the time of receipt of a payment order is the time at which the payment order is received by the payer's payment service provider.

(3) If the time of receipt of a payment order does not fall on a business day for the payer's payment service provider, the payment order is deemed to have been received on the first business day thereafter.

(4) The payment service provider may set a time towards the end of a business day after which any payment order received will be deemed to have been received on the following business day.

(5) Where the payment service user initiating a payment order agrees with its payment service provider that execution of the payment order is to take place—

(a)on a specific day;

(b)on the last day of a certain period; or

(c)on the day on which the payer has put funds at the disposal of its payment service provider,

the time of receipt is deemed to be the day so agreed.

(6) If the day agreed under paragraph (5) is not a business day for the payer's payment service provider, the payment order is deemed to have been received on the first business day thereafter.

Refusal of payment ordersU.K.

82.—(1) Subject to paragraph (4), where a payment service provider refuses to execute a payment order or to initiate a payment transaction, it must notify the payment service user of—

(a)the refusal;

(b)if possible, the reasons for such refusal; and

(c)where it is possible to provide reasons for the refusal and those reasons relate to factual matters, the procedure for rectifying any factual errors that led to the refusal.

(2) Any notification under paragraph (1) must be given or made available in an agreed manner and at the earliest opportunity, and in any event within the periods specified in regulation 86.

(3) The framework contract may provide for the payment service provider to charge the payment service user for such refusal where the refusal is reasonably justified.

(4) The payment service provider is not required to notify the payment service user under paragraph (1) where such notification would be otherwise unlawful.

(5) Where all the conditions set out in the payer's framework contract with the account servicing payment service provider have been satisfied, the account servicing payment service provider may not refuse to execute an authorised payment order irrespective of whether the payment order is initiated by the payer, through a payment initiation service provider, or by or through a payee, unless such execution is otherwise unlawful.

(6) For the purposes of regulations 86, 91 and 92 (payment transactions to a payment account and non-execution or defective or late execution of a payment transaction) a payment order of which execution has been refused is deemed not to have been received.

Revocation of a payment orderU.K.

83.—(1) Subject to paragraphs (2) to (5), a payment service user may not revoke a payment order after it has been received by the payer's payment service provider.

(2) In the case of a payment transaction initiated by a payment initiation service provider, or by or through the payee, the payer may not revoke the payment order after giving consent to the payment initiation service provider to initiate the payment transaction or giving consent to execute the payment transaction to the payee.

(3) In the case of a direct debit, the payer may not revoke the payment order after the end of the business day preceding the day agreed for debiting the funds.

(4) Where a day is agreed under regulation 81(5) (receipt of payment orders), the payment service user may not revoke a payment order after the end of the business day preceding the agreed day.

(5) At any time after the time limits for revocation set out in paragraphs (1) to (4), the payment order may only be revoked if the revocation is—

(a)agreed between the payment service user and the relevant payment service provider or providers; and

(b)in the case of a payment transaction initiated by or through the payee, including in the case of a direct debit, also agreed with the payee.

(6) A framework contract may provide for the relevant payment service provider to charge for revocation under this regulation.

Amounts transferred and amounts receivedU.K.

84.—(1) Subject to paragraph (2), the payment service providers of the payer and payee must ensure that the full amount of the payment transaction is transferred and that no charges are deducted from the amount transferred.

(2) The payee and its payment service provider may agree for the relevant payment service provider to deduct its charges from the amount transferred before crediting it to the payee provided that the full amount of the payment transaction and the amount of the charges are clearly stated in the information provided to the payee.

(3) If charges other than those provided for by paragraph (2) are deducted from the amount transferred—

(a)in the case of a payment transaction initiated by the payer, the payer's payment service provider must ensure that the payee receives the full amount of the payment transaction;

(b)in the case of a payment transaction initiated by the payee, the payee's payment service provider must ensure that the payee receives the full amount of the payment transaction.

Execution time and value dateU.K.

Application of regulations 86 to 88U.K.

85.—(1) Regulations 86 to 88 apply to any payment transaction—

[F19(a)executed wholly within the qualifying area in euro under a payment scheme which operates across the qualifying area]

(b)executed wholly within the United Kingdom in sterling; or

(c)[F20executed wholly under a payment scheme which operates across the qualifying area and] involving only one currency conversion between the euro and sterling, provided that—

(i)the currency conversion is carried out in the United Kingdom; and

(ii)in the case of cross-border payment transactions, the cross-border transfer takes place in euro.

(2) In respect of any other payment transaction, the payment service user may agree with the payment service provider that regulations 86 to 88 (except regulation 86(3)) do not apply.

[F21(3) In paragraph (1), “the qualifying area” means the area of the United Kingdom and the EEA States.]

Payment transactions to a payment accountU.K.

86.—(1) Subject to paragraphs (2) and (3), the payer's payment service provider must ensure that the amount of the payment transaction is credited to the payee's payment service provider's account by the end of the business day following the time of receipt of the payment order.

(2) Where a payment transaction is initiated by way of a paper payment order the reference in paragraph (1) to the end of the business day following the time of receipt of the payment order is to be treated as a reference to the end of the second business day following the time of receipt of the payment order.

(3) Where a payment transaction—

(a)does not fall within paragraphs (a) to (c) of regulation 85(1); but

(b)is to be executed wholly within the [F22United Kingdom],

the payer's payment service provider must ensure that the amount of the payment transaction is credited to the payee's payment service provider's account by the end of the fourth business day following the time of receipt of the payment order.

(4) The payee's payment service provider must value date and credit the amount of the payment transaction to the payee's payment account following its receipt of the funds.

(5) The payee's payment service provider must transmit a payment order initiated by or through the payee to the payer's payment service provider within the time limits agreed between the payee and its payment service provider, enabling settlement in respect of a direct debit to occur on the agreed due date.

Absence of payee's payment account with the payment service providerU.K.

87.—(1) Paragraph (2) applies where a payment service provider accepts funds on behalf of a payee who does not have a payment account with that payment service provider.

(2) The payment service provider must make the funds available to the payee immediately after the funds have been credited to that payment service provider's account.

Cash placed on a payment accountU.K.

88.  Where a payment service user places cash on its payment account with a payment service provider in the same currency as that payment account, the payment service provider must—

(a)if the user is a consumer, micro-enterprise or charity, ensure that the amount is made available and value dated immediately after the receipt of the funds;

(b)in any other case, ensure that the amount is made available and value dated no later than the end of the next business day after the receipt of the funds.

Value date and availability of fundsU.K.

89.—(1) The credit value date for the payee's payment account must be no later than the business day on which the amount of the payment transaction is credited to the account of the payee's payment service provider.

(2) Paragraph (3) applies where—

(a)the transaction does not involve a currency conversion [F23by the payee’s payment service provider];

(b)the transaction involves [F24a currency conversion by the payee’s payment service provider] between the euro and pounds sterling F25...; or

(c)the transaction involves only one payment service provider.

(3) The payee's payment service provider must ensure that the amount of the payment transaction is at the payee's disposal immediately after that amount has been credited to that payment service provider's account.

(4) The debit value date for the payer's payment account must be no earlier than the time at which the amount of the payment transaction is debited to that payment account.

LiabilityU.K.

Incorrect unique identifiersU.K.

90.—(1) Where a payment order is executed in accordance with the unique identifier, the payment order is deemed to have been correctly executed by each payment service provider involved in executing the payment order with respect to the payee specified by the unique identifier.

(2) Where the unique identifier provided by the payment service user is incorrect, the payment service provider is not liable under regulation 91 or 92 for non-execution or defective execution of the payment transaction, but the payment service provider—

(a)must make reasonable efforts to recover the funds involved in the payment transaction; and

(b)may, if agreed in the framework contract, charge the payment service user for any such recovery.

(3) The payee's payment service provider must co-operate with the payer's payment service provider in its efforts to recover the funds, in particular by providing to the payer's payment service provider all relevant information for the collection of funds.

(4) If the payer's payment service provider is unable to recover the funds it must, on receipt of a written request, provide to the payer all available relevant information in order for the payer to claim repayment of the funds.

(5) Where the payment service user provides information additional to that specified in regulation 43(2)(a) (information required prior to the conclusion of a single payment service contract) or paragraph 2(b) of Schedule 4 (prior general information for framework contracts), the payment service provider is liable only for the execution of payment transactions in accordance with the unique identifier provided by the payment service user.

[F26(6) Nothing in this regulation affects the liability of a payment service provider under a relevant requirement in a case where the payment order is executed subsequent to fraud or dishonesty (and the requirements imposed by this regulation are subject to any such relevant requirements).

(7) In this regulation, a “relevant requirement” means a requirement imposed by or under—

(a)a direction given under regulation 125,

(b)a direction given under section 54 of the Financial Services (Banking Reform) Act 2013,

(c)a rule made under section 55 of that Act,

(d)an order made under section 56(3) of that Act, or

(e)a variation of an agreement under section 57(2) of that Act.]

Non-execution or defective or late execution of payment transactions initiated by the payerU.K.

91.—(1) This regulation applies where a payment order is initiated directly by the payer.

(2) The payer's payment service provider is liable to the payer for the correct execution of the payment transaction unless it can prove to the payer and, where relevant, to the payee's payment service provider, that the payee's payment service provider received the amount of the payment transaction in accordance with regulation 86(1) to (3) (payment transactions to a payment account).

(3) Where the payer's payment service provider is liable under paragraph (2), it must without undue delay refund to the payer the amount of the non-executed or defective payment transaction and, where applicable, restore the debited payment account to the state in which it would have been had the defective payment transaction not taken place.

(4) The credit value date for a credit under paragraph (3) must be no later than the date on which the amount was debited.

(5) If the payer's payment service provider proves that the payee's payment service provider received the amount of the payment transaction in accordance with regulation 86, the payee's payment service provider is liable to the payee for the correct execution of the payment transaction and must—

(a)immediately make available the amount of the payment transaction to the payee; and

(b)where applicable, credit the corresponding amount to the payee's payment account.

(6) The credit value date for a credit under paragraph (5)(b) must be no later than the date on which the amount would have been value dated if the transaction had been executed correctly.

(7) Where a payment transaction is executed late, the payee's payment service provider must, on receipt of a request from the payer's payment service provider on behalf of the payer, ensure that the credit value date for the payee's payment account is no later than the date the amount would have been value dated if the transaction had been executed correctly.

(8) Regardless of liability under this regulation, the payer's payment service provider must, on request by the payer, immediately and without charge—

(a)make efforts to trace any non-executed or defectively executed payment transaction; and

(b)notify the payer of the outcome.

Non-execution or defective or late execution of payment transactions initiated by the payeeU.K.

92.—(1) This regulation applies where a payment order is initiated by the payee.

(2) The payee's payment service provider is liable to the payee for the correct transmission of the payment order to the payer's payment service provider in accordance with regulation 86(5) (payment transactions to a payment account).

(3) Where the payee's payment service provider is liable under paragraph (2), it must immediately re-transmit the payment order in question to the payer's payment service provider.

(4) The payee's payment service provider must also ensure that the transaction is handled in accordance with regulation 89 (value date and availability of funds), such that the amount of the transaction—

(a)is at the payee's disposal immediately after it is credited to the payee's payment service provider's account; and

(b)is value dated on the payee's payment account no later than the date the amount would have been value dated if the transaction had been executed correctly.

(5) The payee's payment service provider must, on request by the payee and free of charge, make immediate efforts to trace the payment transaction and notify the payee of the outcome.

(6) Subject to paragraph (8), if the payee's payment service provider proves to the payee and, where relevant, to the payer's payment service provider, that it is not liable under paragraph (2) in respect of a non-executed or defectively executed payment transaction, the payer's payment service provider is liable to the payer and must, as appropriate and immediately—

(a)refund to the payer the amount of the payment transaction; and

(b)restore the debited payment account to the state in which it would have been had the defective payment transaction not taken place.

(7) The credit value date for a credit under paragraph (6)(b) must be no later than the date on which the amount was debited.

(8) If the payer's payment service provider proves that the payee's service provider has received the amount of the payment transaction, paragraph (6) does not apply and the payee's payment service provider must value date the amount on the payee's payment account no later than the date the amount would have been value dated if the transaction had been executed correctly.

Non-execution or defective or late execution of payment transactions initiated through a payment initiation serviceU.K.

93.—(1) This regulation applies where a payment order is initiated by the payer through a payment initiation service.

(2) The account servicing payment service provider must refund to the payer the amount of the non-executed or defective payment transaction and, where applicable, restore the debited payment account to the state in which it would have been had the defective payment transaction not taken place.

(3) Paragraph (4) applies if the payment initiation service provider does not prove to the account servicing payment service provider that—

(a)the payment order was received by the payer's account servicing payment service provider in accordance with regulation 81 (receipt of payment orders); and

(b)within the payment initiation service provider's sphere of influence the payment transaction was authenticated, accurately recorded and not affected by a technical breakdown or other deficiency linked to the non-execution, defective or late execution of the transaction.

(4) On request from the account servicing payment service provider, the payment initiation service provider must immediately compensate the account servicing payment service provider for the losses incurred or sums paid as a result of the refund to the payer.

Liability of payment service provider for charges and interestU.K.

94.  A payment service provider is liable to its payment service user for—

(a)any charges for which the payment service user is responsible; and

(b)any interest which the payment service user must pay,

as a consequence of the non-execution or defective or late execution of the payment transaction.

Right of recourseU.K.

95.  Where the liability of a payment service provider (“the first provider”) under regulation 76, 91, 92 or 93 (payment service providers' liability for unauthorised or defective payment transactions) is attributable to another payment service provider or an intermediary, including where there is a failure to use strong customer authentication as required by regulation 100 (authentication), the other payment service provider or intermediary must compensate the first provider for any losses incurred or sums paid pursuant to those regulations.

Force majeureU.K.

96.—(1) A person is not liable for any contravention of a requirement imposed on it by or under this Part where the contravention is due to abnormal and unforeseeable circumstances beyond the person's control, the consequences of which would have been unavoidable despite all efforts to the contrary.

(2) A payment service provider is not liable for any contravention of a requirement imposed on it by or under this Part where the contravention is due to the obligations of the payment service provider under other provisions of F27... national law.

MiscellaneousU.K.

Consent for use of personal dataU.K.

97.  A payment service provider must not access, process or retain any personal data for the provision of payment services by it, unless it has the explicit consent of the payment service user to do so.

Management of operational and security risksU.K.

98.—(1) Each payment service provider must establish a framework with appropriate mitigation measures and control mechanisms to manage the operational and security risks, relating to the payment services it provides. As part of that framework, the payment service provider must establish and maintain effective incident management procedures, including for the detection and classification of major operational and security incidents.

(2) Each payment service provider must provide to the FCA an updated and comprehensive assessment of the operational and security risks relating to the payment services it provides and on the adequacy of the mitigation measures and control mechanisms implemented in response to those risks.

(3) Such assessment must—

(a)be provided on an annual basis, or at such shorter intervals as the FCA may direct; and

(b)be provided in such form and manner, and contain such information, as the FCA may direct.

Incident reportingU.K.

99.—(1) If a payment service provider becomes aware of a major operational or security incident, the payment service provider must, without undue delay, notify the FCA.

(2) A notification under paragraph (1) must be in such form and manner, and contain such information, as the FCA may direct.

(3) If the incident has or may have an impact on the financial interests of its payment service users, the payment service provider must, without undue delay, inform its payment service users of the incident and of all measures that they can take to mitigate the adverse effects of the incident.

(4) Upon receipt of the notification referred to in paragraph (1), the FCA [F28must notify any other relevant authorities in the United Kingdom].

F29(5) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

AuthenticationU.K.

100.—(1) A payment service provider must apply strong customer authentication where a payment service user—

(a)accesses its payment account online, whether directly or through an account information service provider;

(b)initiates an electronic payment transaction; or

(c)carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.

(2) Where a payer initiates an electronic remote payment transaction directly or through a payment initiation service provider, the payment service provider must apply strong customer authentication that includes elements which dynamically link the transaction to a specific amount and a specific payee.

(3) A payment service provider must maintain adequate security measures to protect the confidentiality and integrity of payment service users' personalised security credentials.

(4) An account servicing payment service provider must allow a payment initiation service provider or account information service provider to rely on the authentication procedures provided by the account servicing payment service provider to a payment service user in accordance with the preceding paragraphs of this regulation.

(5) Paragraphs (1), (2) and (3) are subject to any exemptions from the requirements in those paragraphs provided for in [F30technical standards made under regulation 106A].

Dispute resolutionU.K.

101.—(1) This regulation applies in relation to complaints from payment service users who are not eligible within the meaning of section 226(6) of the 2000 Act (the ombudsman scheme – compulsory jurisdiction).

(2) A payment service provider must put in place and apply adequate and effective complaint resolution procedures for the settlement of complaints from payment service users about the rights and obligations arising under Parts 6 and 7.

F31(3) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(4) When a payment service provider receives a complaint from a payment service user, the payment service provider must make every possible effort to address all points raised in a reply to the complaint on paper or, if agreed between payment service provider and payment service user, in another durable medium.

(5) Subject to paragraph (6), the reply must be provided to the complainant within an adequate timeframe and at the latest 15 business days after the day on which the payment service provider received the complaint.

(6) In exceptional situations, if a full reply cannot be given in accordance with paragraph (4) for reasons beyond the control of the payment service provider, the payment service provider must send a holding reply, clearly indicating the reasons for the delay in providing a full reply to the complaint and specifying the deadline by which the payment service user will receive a full reply.

(7) The deadline specified under paragraph (6) must not be later than 35 business days after the day on which the payment service provider received the complaint.

(8) The payment service provider must inform the payment service user about the details of one or more providers of dispute resolution services able to deal with disputes concerning the rights and obligations arising under this Part and Part 6 (information requirements for payment services), if the payment service provider uses such services.

(9) The payment service provider must also make available in a clear, comprehensive and easily accessible way—

(a)the information referred to in paragraph (7); and

(b)details of how to access further information about any provider of dispute resolution services referred to in paragraph (8) and the conditions for using such services.

(10) The information to be made available under paragraph (8) must be made available—

(a)on the website of the payment service provider (if any);

(b)at branches of the payment service provider (if any); and

(c)in the general terms and conditions of the contract between the payment service provider and the payment service user.