Search This Blog

Monday, 14 November 2016

Will Regulatory Technical Standards Slow The Pace Of Payments Innovation?

Under the new Payment Services Directive (PSD2), the European Banking Authority (EBA) is tasked with producing 'regulatory technical standards' to be followed by those with certain obligations, including how payment service providers (PSPs) must authenticate customers and communicate with each other. But it seems this process and the standards themselves are acting as a brake on innovation and related investment.

The EBA consulted on its proposed regulatory technical standards for authentication and communication between August and October, with a revised set due in the coming months.

PSD2 requires PSPs to apply "strong customer authentication" where "the payer... accesses its payment account online, initiates an electronic payment transaction or carries out any action through a remote channel which may imply a risk of payment fraud or other abuses."

But two big issues raised by PSD2 are (1) how each type of payment is initiated; and (2) who actually initiates it.

The EBA believes card payments are initiated by the cardholder as payer, but fudges the issue somewhat by requiring the card acquirers (i.e. the PSP of the merchants) to require their merchants to support strong authentication for all payment transactions. The added complication is where a payment transaction is initiated by the payee, but the payer's consent is given "through a remote channel which may imply a risk of payment fraud or other abuses".

There is a view, however, that card payments are among those that are in fact initiated by the payee (the merchant), who is not in fact the 'payee' of the cardholder at all but is paid by the card acquirer to which the merchant submits its transactions. The cardholder just pays the card issuer. This is all bound up in fundamental problems with the definitions of "payment transaction", "payer" and "payee" in both the PSD and PSD2; and the fact that card acquiring works through a series of back-to-back contracts that do not involve any direct contract between the buyer and the seller at all concerning payment processing. Indeed, a challenge for the UK's implementation plans is that there is a Court of Appeal decision which supports this view. 

In these respects, PSD2 appears to set up a 'legal fiction', which (despite taking a somewhat purposive approach in the 'fudge' explained above) the EBA appears to insist on in language at the end of its consultation paper: "all the requirements under consultation apply irrespective of the underlying obligations and organisational arrangements between" the various types of PSP, payers and payees. In other words, we have a weird situation where the law and related standards are to be applied regardless of how payment systems and processes really work.

Not only can this lead to situations where, for example, some banks insist that the PSD does not cover card acquiring, but it can also cause over-compliance to avoid doubt and other restraints on innovation.

While distinctions concerning how payments are inititiated and by whom might seem to matter less in the context of security measures to be adopted by PSPs - since everyone is interested in reducing financial crime - it is absolutely critical in the context of software and services that contribute in any way to payments being "initiated" and whether the suppliers or users of such software and services must be authorised as "payment initiation service providers" or perhaps even as the issuers of payment instruments

It will be very interesting to see how the Treasury proposes to address these problems in transposing PSD2 itself, although it's more likely the FCA will be left to explain how to comply, assuming the Treasury declines to take a purposive approach to EU law and simply copies the language of PSD2 into UK law (a process known as 'gold-plating').

There are numerous other glitches in the technical standards that have been identified by respondents, too numerous to mention here, but which it is hoped will be reconsidered in the next version - not that such standards should ever be considered as 'final' or set for all time. Indeed, an overarching problem seems to be that in the EBA's attempts to drag our legacy payments infrastructure into the 21st century, insufficient attention has been given to existing and potential alternative security technology - even in cases where incumbents are seeking to leapfrog the limitations of legacy systems.

Meanwhile, a year has slipped by since PSD2 was approved and the standards themselves are only due to take effect in October 2018 'at the very earliest', by which time they are likely to be thoroughly out of step with commercially available technology. 

While old systems may need to be accommodated to some degree, surely the pace of payments innovation should not be tied to the slowest animals in the herd?

Friday, 11 November 2016

Money Laundering Includes... Tax Evasion and Virtual Currencies?

Hot on the heels of the UK's consultation to introduce the 4th Money Laundering Directive comes the imminent EU approval of MLD5

A key element involves the creation of a central register of beneficial ownership of legal entities and related ownership arrangements, plus ongoing monitoring of those arrangements, with the intention that: 
"The enhanced public scrutiny will contribute to preventing the misuse of legal entities and legal arrangements for ...predicate offences such as tax evasion."
Other key provisions may be seen as closely related to this ambition: 
  • creating a central register of all citizens' bank/payment accounts;
  • enabling authorities to go hunting for evidence of suspicious activity even in the absence of a 'suspicious activity report';
  • imposing customer due diligence and transaction monitoring obligations on 'virtual currency' exchanges and wallet providers; and
  • reducing the limit of anonymity for prepaid cards/instruments.
Needless to say, the members of the European Banking Federation are very uncomfortable with the idea of equating tax evasion with money laundering. The nub of EU banks' concern seems to be that their tax evading customers will simply move their accounts to banks based outside the EEA, the implication being that they'd quite like to retain the business! To be fair, it is a little odd that the list of countries with deficient anti-money laundering regimes doesn't include tax havens typically associated with tax evasion.

But there are reasonable objections on the basis that centralising such sensitive and valuable personal data would be a 'snoopers/fraudsters charter'; and creating a central record of every citizen's bank account and financial arrangements seems mightily disproportionate to the benefit of collecting evidence on the comparatively small proportion of the population that would be involved in significant organised crime or tax evasion. It's surprising that the European Economic and Social Committee ("EESC") did not object on these grounds - either the 'social' aspect of the committee's remit is subordinate to the 'economic' interest, or they consider that the whole of society should happily sacrifice privacy and security to ensure everyone pays their fair share of tax. That's certainly the Scandinavian practice. At any rate, the European Central Bank says that member states' central banks shouldn't have to operate the central registers unless they can bill the government for doing so - highlighting the more important point, that governments are better at wasting the taxes they do manage to collect than collecting taxes in the first place.

The FinTech crowd will no doubt be concerned about stealth regulation of distributed ledger technology or blockchains, via the virtual currency requirements. A "virtual currency" is quite broadly defined as:
"...a digital representation of value that is neither issued by a central bank or a public authority, nor necessarily attached to a fiat currency, but is accepted by a natural or legal person as a means of payment and can be transferred, stored or traded electronically."
Even if exchanges and wallet providers are prepared to tolerate AML regulation as the price for entering the 'mainstream', trying to regulate 'virtual currencies' (or any aspect of digital ledger technology or blockchains) at this early stage is very problematic. The above definition is broad but still does not cover every characteristic of a currency (which the Isle of Man has tried to capture). Indeed, the ECB has bluntly responded that so-called 'virtual currencies' are not currencies or money, pointing out they can also be used for other purposes and the holders don't need to use exchanges or wallet providers. The courts are also struggling with the concept that such 'currencies' are 'ownable' or 'property', as Lavy and Khoo have also explained.

Little wonder that the EESC recommends creating some kind of "European tool for monitoring, coordinating and anticipating technological change." But quite how Europe intends to 'anticipate' let alone 'coordinate' blockchain development is anyone's guess!

In any event, retailers should breathe a sigh of relief. Gift cards and other 'closed loop' instruments generally would not fit the MLD5 definition of a virtual currency, since they typically cannot be transferred or traded electronically. And there is a specific exclusion consistent with the 'limited network' exemption from the definition of electronic money (and therefore 'funds') for instruments that can be used to acquire goods or services only in the premises of the issuer, or within a limited network of service providers under direct commercial agreement with a professional issuer, or that can be used only to acquire a very limited range of goods or services. But note that the limited network exemption will be significantly narrower from January 2018, especially for programs transacting more than EUR1m a year.

At least someone wins!