Payments regulatory news, 6 August 2021

FIG Bulletin

Recent UK and EU regulatory developments focussed on the payments sector. See also our Financial institutions general regulatory news of broad relevance in the Related Materials links.


This is our last edition of the weekly regulatory news as we move to focus on more topic-driven material. We will send you notification of new publications from your area(s) of interest in the usual Hogan Lovells Engage Alerts. If you have any enquiries, please contact us.

CRM code for APP scams: LSB update

The Lending Standards Board (LSB) has published a press release setting out the next steps for the contingent reimbursement model code (CRM code) for authorised push payment (APP) scams.

Among other things, the LSB refers to its March 2021 call for input on the CRM code. Although it is in the course of analysing the results, the LSB provides some information on the responses received. Respondents suggest that the risk of APP scams is not evenly distributed among payment providers. Some believe that the CRM code does not take account of more diverse business models and point out that APP scams continue to evolve using different mediums such as cryptocurrencies.

The LSB recognises it is vital that protections are afforded to as many customers as possible. As a result, it will carry out work to further review the wording of the CRM code to ensure that a wider range of firms are able to sign up to, and implement, it, while retaining a consistent level of consumer protection across the board. Also, the LSB has introduced interim registration. This allows firms to demonstrate their commitment to becoming a fully registered firm with an LSB standard or code and sets a timeframe in which they are to become compliant. At the same time, the LSB conducts due diligence on the firm to ensure the customer protections are met at the point they reach full registration.

The LSB advises that it will set out a timeline for making the confirmation of payee (CoP) provisions in the CRM code effective for those firms who have this functionality. It will continue to work closely with the Payment Services Regulator (PSR) and Pay.UK as they strive towards phase 2 of CoP activity.

Other key areas of work for the LSB include refreshing the customer-facing document that accompanies the CRM code and working towards defining success measures of the code.

The LSB plans to publish a full report from the call for input in autumn 2021.

Codified Regulation on cross-border payments: published in OJ

Regulation (EU) 2021/1230 on cross-border payments in the EU has been published in the Official Journal of the EU (OJ). This Regulation lays down rules on cross-border payments and on the transparency of currency conversion charges in the EU. It codifies and replaces the existing Regulation on cross-border payments (924/2009) on 19 August 2021 (that is, twenty days after publication in the OJ).

External review of TARGET Services: Euro system response

The European Central Bank (ECB) has published the response of the Eurosystem to an independent review of incidents affecting TARGET Services (in particular, TARGET2 (T2) and TARGET2-Securities (T2S)) in 2020.

In May, August, September, October and November 2020, TARGET Services encountered a number of major incidents (none of them cyber-related) relating to information technology (IT) and affecting payment transactions and securities processing. Due to the frequency of the incidents and their relevance, the ECB decided in November 2020 to launch an external and independent review of TARGET Services.

Deloitte GmbH (Deloitte) was appointed in December 2020 to conduct this review. The terms of reference envisaged identification of the root causes of the incidents and the drawing of more general lessons, as well as proposing recommendations in certain key areas.

The ECB has released an abridged and redacted excerpt from Deloitte's report following the review. The report describes the 2020 incidents in detail, outlines their consequences for TARGET Services' participants and analyses their root causes. Deloitte identified weaknesses in several areas, including business continuity management, fail-over and recovery testing and communication protocols in crisis situations. Based on these findings, 18 detailed recommendations have been made.

In its response, the Eurosystem accepts these recommendations as well as the report's general conclusions. It commits to implementing the recommendations in full and notes that measures addressing several of the recommendations have already been agreed on or implemented.

The ECB has published an accompanying letter to the European Parliament's Economic and Monetary Affairs Committee in which it notes the review's findings and the Eurosystem's response, and commits to keeping the Parliament and the wider public informed about progress in implementing the recommendations.


Download the full regulatory news bulletin 


Authored by Yvonne Clapham


This website is operated by Hogan Lovells Solutions Limited, whose registered office is at 21 Holborn Viaduct, London, United Kingdom, EC1A 2DY. Hogan Lovells Solutions Limited is a wholly-owned subsidiary of Hogan Lovells International LLP but is not itself a law firm. For further details of Hogan Lovells Solutions Limited and the international legal practice that comprises Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses ("Hogan Lovells"), please see our Legal Notices page. © 2021 Hogan Lovells.

Attorney advertising. Prior results do not guarantee a similar outcome.