Search This Blog

Wednesday, 15 February 2017

#PSD2: Are Merchant Checkouts "Payment Instruments"?

The Treasury is consulting on its proposed regulations to implement the new Payment Services Directive (PSD2) in the UK.  The consultation ends on 16 March 2017 and the regulations must take effect on 13 January 2018. The FCA will consult on the guidance related to its supervisory role in Q2 2017. Time is tight and there are still plenty of unanswered questions, which I've been covering in a series of posts. In this one, I'm exploring whether online merchants' checkout process/pages could be "payment instruments", so that merchants who host their own process might be engaging in the regulated activity of "issuing payment instruments" (and possibly even offering a "payment initiation service"). There is now precious little time for retailers to consider the issue,  decide whether their activities are caught and, if so, whether to outsource the hosting of the checkout process to a duly authorised firm or its agent, restructure the checkout process or the entity/ies that operates it, or become authorised or the agent of an authorised firm.

Everyone is familiar with the e-commerce 'checkout' page or process, with its list of ways to pay for the items selected or in the 'shopping basket'. Sometimes these are hosted by a regulated payment service provider, an exempt 'technical service provider' or 'gateway', and sometimes by the merchant itself (in which case the merchant has to comply with certain security requirements in relation to card transaction data, for example). 

Whether technical service providers who are currently exempt will remain so under PSD2 is already an open issue, since to remain so they cannot also provide either a payment initiation service or an account information service, even though they still would not be handling the funds to be transferred.

The big question is whether merchants themselves fall into the regulated scope, especially as they ultimately receive funds, so might not qualify as technical service providers.

First, a few (of the many) relevant definitions:
“issuing of payment instruments” means a payment service by a payment service provider contracting to provide a payer with a payment instrument to initiate and process the payer’s payment transactions;
“payment instrument” means any— (a) personalised device; or (b) personalised set of procedures agreed between the payment service user and the payment service provider, used by the payment service user in order to initiate a payment order;
“co-badged”, in relation to a payment instrument, refers to an instrument on which is included two or more payment brands, or two or more payment applications of the same payment brand;
Note that the references to 'payment service' and 'payment service provider' are redundant or circular - essentially, they mean anyone who is, or should be, authorised to provide a regulated payment service. The reference to 'co-badging' is important as certain information could have to be provided under the Merchant Interchange Fee Regulations.

I think the primary questions are as follows, but the answers would vary considerably according to the payment method and other facts and circumstances:
  • is the checkout process/page a "personalised device"; or "personalised set of procedures agreed between" the customer and the merchant?
  • if so, is the checkout process/page "used by the payment service user" (again, see here)?
  • if so, is the payment service user using the checkout process/page "in order to initiate a payment order"... as explained previously...or 'payment transactions'?
  • finally, how much processing would a merchant have to do to fall within the meaning of "initiate and process the payer's payment transactions": so, when does that processing begin and end; what steps/participants are involved; what is the nature of the processing (e.g. does it send transaction data to a payment gateway, acquirer or other type of payment service provider?); is the merchant acting as principal, agent or payee?
Hopefully, the Treasury and FCA will explain their interpretation soon!

#PSD2: What Is An Account Information Service?

The Treasury is consulting on its proposed regulations to implement the new Payment Services Directive (PSD2) in the UK.  The consultation ends on 16 March 2017 and the regulations must take effect on 13 January 2018. The FCA will consult on the guidance related to its supervisory role in Q2 2017. Time is tight and there are still plenty of unanswered questions, which I've been covering in a series of posts. In this one, I'm exploring the issues related to the new "account information service", which is being interpreted very broadly indeed by the FCA.  Firms providing such services will need to register with the FCA, rather than become fully authorised (unless they provide other payment services); and they are spared from compliance with a number of provisions that apply to other types of payment service provider. But now is the time for assessing whether a service qualifies, and whether to restructure or become registered.

The Treasury has, naturally, copied the definition from the directive:
‘account information service’ means an online service to provide consolidated information on one or more payment accounts held by the payment service user with either another payment service provider or with more than one payment service provider (article 4(16)) - [my emphasis] - but has added:
"and includes such a service whether information is provided—
(a) in its original form or after processing;
(b) only to the payment service user or to the payment service user and to another person in accordance with the payment service user’s instructions" [which do not appear in PSD2]
This reflects the government's broad definition of the directive (para 6.27 of the consultation paper) - consistent with the UK needlessly creating a rod for its own back and particularly ironic in the light of Brexit. The account information service provider (AISP) should be granted access by the account service provider to the same data on the payment account as the user of that account (para 6.25). A firm will be considered an AISP even if it only "uses" some and not all of that account information to provide "an information service" (para 6.28).

Services that the government believes are AISs include (but are not limited to):
  • dashboard services that show aggregated information across a number of payment accounts; 
  • price comparison and product identification services;
  • income and expenditure analysis, including affordability and credit rating or credit worthiness assessments; and 
  • expenditure analysis that alerts users to consequences of particular actions, such as breaching their overdraft limit.
The services could be either standardised or bespoke, so might include accountancy or legal services, for example (para 6.30).

Some key points to consider:
  • does it matter to whom the account information service is provided? The additional wording seems to suggest that the 'payment service user' must be at least one recipient of the information, but does that mean the payment service user of the payment account or the person using the account information service?  This would seem to cover every firm that prepares and files tax or VAT returns, for example, since these are usually provided to both the client and HMRC.
  • the service has to be "online", but what if some of it is not?
  • little seems to turn on the word "consolidated", since the Treasury says a firm only needs to use some of the information from the payment account to be offering an AIS, and it could be from only one payment account. For instance, what if a service provides a simple 'yes' or 'no' to a balance inquiry or request to say whether adequate funds are available in an account, and that 'information' or conclusion/knowledge is not drawn from the payment account itself, but merely based on comparing the balance with the amount in the customer's inquiry or proposed transaction?
  • the payment account that the information relates to must be 'held by the payment service user' with one or more PSPs, so presumably this would not include an online data account or electronic statement that shows the amount of funds held for and on behalf of a client in a trust account or other form of safeguarded or segregated account which is in the name of, say, a law firm or crowdfunding platform operator (albeit designated and acknowledged as holding 'client money' or 'customer funds');
  • it seems impossible for the relevant data to provided in its 'original form', since data has to be processed in some way to be 'provided' online, but this could cover providers of personal data stores or cloud services that simply hold a copy of your bank data for later access;
  • what is meant by 'after processing':
  1. it may not be clear that a firm is providing information 'on a payment account', as opposed to the same information from another type of account;
  2. does this mean each data processor in a series of processors is providing an AIS to its customer(s) - which brings us back to whether it matters who the customer is - or does interim processing 'break the chain' so that the next processor can say that the information was not 'on a payment account' but came from some other service provider's database (whether or not it was an AIS), such as a credit reference agency?
  3. what about accounting/tax software providers providers who calculate your income and expenditure by reference to payment account information but may not necessarily display or 'provide' the underlying data - although presumably the figures for bank account interest income (if any) in a tax return might qualify?
Sorry, more questions than answers at this stage!

Tuesday, 7 February 2017

#PSD2: What Is A Payment Initiation Service?

The Treasury is currently consulting on regulations to implement the new Payment Services Directive (PSD2). There is little commentary in the consultation paper and many old questions remain unanswered, with the regulations to go live on 13 January 2018.  Government policy is to simply gold plate 'copy out' EU directives, which creates a rod for the UK's own back leaves the FCA to say how it will interpret the new rules in a consultation paper it proposes to issue in Q2.  But some new services will be regulated, and time is getting very tight for firms who offer them to figure out whether to outsource the operation of the service to a duly authorised firm or its agent, or become authorised or the agent of an authorised firm. In this post, I'll briefly explore the new regulated service of "payment initiation" and why it takes a very careful analysis of the facts to figure out who is offering that service in any given payment scenario.

The decision to regulate "payment initiation services" is said to have resulted from the popularity of services that enable you to pay for online purchases by making a bank transfer (see recital 27 and the Commission's FAQs 18, 21).

But "payment initiation service" seems to have been defined in article 3 to cover any payment method:
“a service to initiate a payment order at the request of the payment service user with respect to a payment account held at another payment service provider .”
Note also, that a "payment instrument" is defined as "a personalised device(s) and/or set of procedures agreed between the payment service user and the payment service provider and used in order to initiate a payment order.

The UK government also says it reads the definition of "payment initiation service" broadly and that users will have the right to use payment initiation services in connection with all online payment accounts, including current accounts, credit card accounts, savings and e-money accounts (paras 6.22, 6.23 and 6.27).  That makes sense, as to exclude providers of payment initiation services for some payment methods and not others would be discriminatory, and shield the excluded firms from competition (see PSD2 recitals 29, 32 and 68).

There is no definition of “initiate a payment order” in PSD2 and different payment methods comprise different processes, actors and events - and sometimes several payment transactions are involved, as in the case of card payments (see PSD2 recital 68).

The European Banking Authority has issued regulatory technical standard for security of online payments that also identifies "payment integrators" as firms who "provide the payee (i.e. the e -merchant) with a standardised interface to payment initiation services provided by PSPs". In other words, even within the payment initiation process, there are technical service providers who support the process but are not responsible for the "payment initiation service" that initiates the relevant payment order.

So when considering who is providing a payment initiation service, one needs to consider: which type of payment method or instrument is being used; which of potentially several payment orders is involved; which payment account each order relates to; which payment service user is making the request to initiate the relevant payment order; which element of which service actually initiates that payment order; and who provides that service.

Yet there are divergent views on who initiates card payments, for example, since there are actually multiple transactions involved...

PSD2 concedes (at recital 68) there are (at least) three steps to a credit card payment - authorisation, an initial transaction where the issuer pays the acquirer (which can be a complex netting process involving a scheme operator), and a later one between cardholder's bank and the issuer (to pay the card bill). There's a third, of course, where the acquirer pays the merchant - and the fact this is not mentioned in the recital underscores why it is silly to refer to the cardholder as the 'payer' and merchant as his intended 'payee', since the cardholder intends to pay the card issuer, rather than the merchant. 

Recital 68 sidesteps the critical issue by stating that the "use of a card or card-based instrument... triggers" the whole payment flow, as does the provision that addresses the scenario where the card issuer is separate from operator of the related payment account:
"the payer has initiated the card-based payment transaction for the amount in question using a card based payment instrument issued by the payment service provider" (Article 65(2)(b))
"Payer" means either "a natural or legal person who holds a payment account and allows a payment order from that payment account, or, where there is no payment account, a natural or legal person who gives a payment order.

"Allowing" a payment order is not necessarily the same as "initiating" what has been 'allowed'.  And it's important to consider which payment instrument is being used and who really 'uses' it.

So it's easy to see why, in the context of a credit card payment, there is disagreement as to whether the cardholder is initiating one or more payment order(s) when offering to pay by card and/or entering her PIN in the relevant card terminal; or the merchant initiates a payment order when it accepts the transaction at the terminal and/or sends the transaction to the acquirer; or whether the acquirer initiates the first payment order when it accepts the transaction from the merchant and/or submits the transaction to the card issuer via the card scheme systems. 

Only when you determine the answer to this question can you then identify the payment method or instrument involved; the relevant payment order; the payment account to which the order relates; the payment service user who is making the request to initiate the order; which element of which service actually initiates that payment order; and who provides that service. 

Clearly, it's important for the authorities to provide greater clarity here; and it looks like the EU and the Treasury has left it to the FCA to do so...

Monday, 6 February 2017

#PSD2: Bill Payment Services In Scope Of UK Regs?

The Treasury is currently consulting on regulations to implement the new Payment Services Directive (PSD2).  There is little commentary in the consultation paper and many old questions remain unanswered, with the regulations to go live on 13 January 2018.  Government policy is to simply gold plate 'copy out' EU directives, which creates a rod for the UK's own back leaves the FCA to say how it will interpret the new rules in a consultation paper it proposes to issue in Q2.  One issue is whether bill payment services are viewed as being in scope in the UK or other EEA member states. If so, providers will need to outsource the operation of the service to a duly authorised firm or its agent, or become authorised or the agent of an authorised firm. Timing for those options is now tight...

Bill payment services enable a customer to pay a supplier's bill by paying a third party, e.g. at the till in a local shop.  

The Financial Conduct Authority has said these services are not caught by the current Payment Services Regulations so long as the customer's payment to the third party discharges the customer's obligation to pay the supplier. In other words, in such a scenario the third party is the 'payee' or intended recipient of funds, not the supplier.

But the new Payment Services Directive (PSD2) instructs EU member states to treat these services as 'money remittance', unless they are treated as part of some other type of regulated payment service (recital 9).  And there is no word, yet, on whether or how the UK plans to deliver on this edict, which is critical to deciding which option existing providers should choose in the event their services are ruled in scope.  

An additional issue is that, even if bill payment services are ruled out of scope by the UK authorities, there is no way to 'passport' that interpretation to other member states in the EEA. So there is still the awkward possibility that a service provider offering the same type of service on a cross border basis from the UK (or from outside the UK) could find that another member state rules the service as being in scope of PSD2.  In that case, the same options would apply: outsource the service to a duly authorised firm or its agent, or get a local entity authorised or appointed as an agent in the relevant jurisdiction(s) - which might be useful when passporting disappears post-Brexit, in any event.  

Thursday, 2 February 2017

How The UK Will Introduce #PSD2

The UK Treasury has published its plans for implementing the new Payment Services Directive (PSD2), which must be done by 13 January 2018.  We have until 16 March 2017 to comment on the draft regulations.  No doubt we will also soon hear what how the FCA will approach its supervisory role.

I've previously covered the key differences between PSD2 and the current directive, and there are many areas for differing interpretation...

I will share my thoughts on the current consultation in the coming week(s).

Friday, 20 January 2017

Post-Brexit Outlook For Passported Financial Services

Well it's been a dismal six months watching the politicians shadow-box among themselves over what Brexit really means. There's no shared vision of the big picture, let alone any grip on the detail. What is clear, however, is that size matters in trade negotiations. So the larger trading partners like the EU will dictate their own terms in any deals. And while the application of logic seems to be prohibited in this 'post-truth' era, I intend to proceed on the basis that the UK will not even be a member of the EEA (or the Customs Union) - and that it certainly won't get a better trade deal with the EU than it has today. That means the only real job left for UK politicians is to figure out who gets pork-barrelled compensated by the UK taxpayer for being worse off for having to treat the EEA as a separate market (where they can't pass those costs onto their UK/EEA customers more).

While the car makers got in first, ejecting from the EU/EEA poses a very significant challenge, in particular, for the 5,476 of the UK firms relying on 336,421 'outbound' passports to avoid being authorised in every EEA member state. This works out at 61 passports per firm, which is somewhat strange given there are 31 EEA countries, but passports are counted for each separate directive that requires them (only one if a firm has several under the same directive). Brexit is also a challenge for the 8,008 EEA firms that hold 23,532 passports (about 3 each) to cover their UK offerings.

In essence, a total of 13,484 firms need to apply for 359,953 additional regulatory permissions over the next two years if they want to continue to make sure they can cover their existing markets.

Such applications don't come cheaply or quickly, and involve significant ongoing management and administration costs following authorisation. And because most of the work will be required abroad, the lion's share of the related fees and expenses will be charged outside the UK, worsening the UK's trade deficit even further. The UK can also kiss goodbye to the tax revenues on the earnings of each foreign firm, as well as the incomes of its management and staff...

But that's all water under the bridge (or out the English Channel, if you will).

During the next two years, any financial services firm based in the UK/EEA that relies on a passport for cross-border activities or ambitions involving the UK will need to pursue the following options, either organically or by acquisition: 
  • Retain/obtain authorization for an entity established in the UK, if it wishes to serve the UK market;
  • Obtain/retain authorization for an EEA-based entity to take advantage of the EEA passport regime for the remaining EEA countries;
  • Seek to rely on any passporting arrangements that the UK may agree with non-EEA countries (these could only be formally agreed post-Brexit, but might be planned in the meantime);
  • Obtain/retain authorisations in any non-EEA countries it wishes to target - as is the case today, but the cost/benefit of targeting some of these countries may now have changed, given the extra cost of authorisation to serve EEA markets, and perhaps jockeying among countries wishing to take advantage of the situation.
So where would you base your EEA-passport firm?

The relevant analysis, if not the outcome, will vary significantly depending on the type of financial services and markets involved. Most of the relevant passports relate to general insurance intermediation and trade in various securities/markets, but payment and e-money services represent the third most popular category with perhaps greater retail significance - here 350 UK firms rely on outbound passports and 142 EEA firms passport into the UK.  According to a report commissioned by the Emerging Payments Association, the 350 UK firms have six countries to choose from as a potential base for their EEA passport entity, based on criteria including the ease of making an application, supportive regulatory approach/attitude, ease of setting up and doing business, jurisdictional reputation and sovereign/political risk:
  • Cyprus 
  • Denmark 
  • Ireland 
  • Luxembourg 
  • Malta 
  • Sweden
While not wishing to disparage any of those fine jurisdictions, you will see from the commentary in the EPA report why the UK is walking away from a (literally) golden opportunity to continue its role as the preferred EEA passporting hub for financial firms (many of which are managed or staffed by people who moved to the UK for that reason).  Yet, while that commentary is very helpful and a useful lens through which to view options, I know from personal experience that it does not always reflect reality on the ground or capture all the criteria that are relevant to the decision for each firm - and the authors don't pretend that it does.

We are only at the beginning of a very long and expensive journey...

Monday, 14 November 2016

Will Regulatory Technical Standards Slow The Pace Of Payments Innovation?

Under the new Payment Services Directive (PSD2), the European Banking Authority (EBA) is tasked with producing 'regulatory technical standards' to be followed by those with certain obligations, including how payment service providers (PSPs) must authenticate customers and communicate with each other. But it seems this process and the standards themselves are acting as a brake on innovation and related investment.

The EBA consulted on its proposed regulatory technical standards for authentication and communication between August and October, with a revised set due in the coming months.

PSD2 requires PSPs to apply "strong customer authentication" where "the payer... accesses its payment account online, initiates an electronic payment transaction or carries out any action through a remote channel which may imply a risk of payment fraud or other abuses."

But two big issues raised by PSD2 are (1) how each type of payment is initiated; and (2) who actually initiates it.

The EBA believes card payments are initiated by the cardholder as payer, but fudges the issue somewhat by requiring the card acquirers (i.e. the PSP of the merchants) to require their merchants to support strong authentication for all payment transactions. The added complication is where a payment transaction is initiated by the payee, but the payer's consent is given "through a remote channel which may imply a risk of payment fraud or other abuses".

There is a view, however, that card payments are among those that are in fact initiated by the payee (the merchant), who is not in fact the 'payee' of the cardholder at all but is paid by the card acquirer to which the merchant submits its transactions. The cardholder just pays the card issuer. This is all bound up in fundamental problems with the definitions of "payment transaction", "payer" and "payee" in both the PSD and PSD2; and the fact that card acquiring works through a series of back-to-back contracts that do not involve any direct contract between the buyer and the seller at all concerning payment processing. Indeed, a challenge for the UK's implementation plans is that there is a Court of Appeal decision which supports this view. 

In these respects, PSD2 appears to set up a 'legal fiction', which (despite taking a somewhat purposive approach in the 'fudge' explained above) the EBA appears to insist on in language at the end of its consultation paper: "all the requirements under consultation apply irrespective of the underlying obligations and organisational arrangements between" the various types of PSP, payers and payees. In other words, we have a weird situation where the law and related standards are to be applied regardless of how payment systems and processes really work.

Not only can this lead to situations where, for example, some banks insist that the PSD does not cover card acquiring, but it can also cause over-compliance to avoid doubt and other restraints on innovation.

While distinctions concerning how payments are inititiated and by whom might seem to matter less in the context of security measures to be adopted by PSPs - since everyone is interested in reducing financial crime - it is absolutely critical in the context of software and services that contribute in any way to payments being "initiated" and whether the suppliers or users of such software and services must be authorised as "payment initiation service providers" or perhaps even as the issuers of payment instruments

It will be very interesting to see how the Treasury proposes to address these problems in transposing PSD2 itself, although it's more likely the FCA will be left to explain how to comply, assuming the Treasury declines to take a purposive approach to EU law and simply copies the language of PSD2 into UK law (a process known as 'gold-plating').

There are numerous other glitches in the technical standards that have been identified by respondents, too numerous to mention here, but which it is hoped will be reconsidered in the next version - not that such standards should ever be considered as 'final' or set for all time. Indeed, an overarching problem seems to be that in the EBA's attempts to drag our legacy payments infrastructure into the 21st century, insufficient attention has been given to existing and potential alternative security technology - even in cases where incumbents are seeking to leapfrog the limitations of legacy systems.

Meanwhile, a year has slipped by since PSD2 was approved and the standards themselves are only due to take effect in October 2018 'at the very earliest', by which time they are likely to be thoroughly out of step with commercially available technology. 

While old systems may need to be accommodated to some degree, surely the pace of payments innovation should not be tied to the slowest animals in the herd?