The Treasury is consulting on its proposed regulations to implement the new Payment Services Directive (PSD2)
in the UK. The consultation ends on 16 March 2017 and the regulations
must take effect on 13 January 2018. The FCA will consult on the
guidance related to its supervisory role in Q2 2017. Time is tight and
there are still plenty of unanswered questions, which I've been covering in a series of posts. In this one, I'm exploring whether online merchants' checkout process/pages could be "payment instruments", so that merchants who host their own process might be engaging in the regulated activity of "issuing payment instruments" (and possibly even offering a "payment initiation service"). There is now precious little time for retailers to consider the issue, decide whether their activities are caught and, if so, whether to outsource the hosting of the checkout process to a duly authorised firm or
its agent, restructure the checkout process or the entity/ies that operates it, or become authorised or the agent of an authorised firm.
Everyone is familiar with the e-commerce 'checkout' page or process, with its list of ways to pay for the items selected or in the 'shopping basket'. Sometimes these are hosted by a regulated payment service provider, an exempt 'technical service provider' or 'gateway', and sometimes by the merchant itself (in which case the merchant has to comply with certain security requirements in relation to card transaction data, for example).
Whether technical service providers who are currently exempt will remain so under PSD2 is already an open issue, since to remain so they cannot also provide either a payment initiation service or an account information service, even though they still would not be handling the funds to be transferred.
The big question is whether merchants themselves fall into the regulated scope, especially as they ultimately receive funds, so might not qualify as technical service providers.
Whether technical service providers who are currently exempt will remain so under PSD2 is already an open issue, since to remain so they cannot also provide either a payment initiation service or an account information service, even though they still would not be handling the funds to be transferred.
The big question is whether merchants themselves fall into the regulated scope, especially as they ultimately receive funds, so might not qualify as technical service providers.
First, a few (of the many) relevant definitions:
“issuing of payment instruments” means a payment service by a payment service provider contracting to provide a payer with a payment instrument to initiate and process the payer’s payment transactions;
“payment instrument” means any— (a) personalised device; or (b) personalised set of procedures agreed between the payment service user and the payment service provider, used by the payment service user in order to initiate a payment order;
“co-badged”, in relation to a payment instrument, refers to an instrument on which is included two or more payment brands, or two or more payment applications of the same payment brand;
Note that the references to 'payment service' and 'payment service provider' are redundant or circular - essentially, they mean anyone who is, or should be, authorised to provide a regulated payment service. The reference to 'co-badging' is important as certain information could have to be provided under the Merchant Interchange Fee Regulations.
I think the primary questions are as follows, but the answers would vary considerably according to the payment method and other facts and circumstances:
- is the checkout process/page a "personalised device"; or "personalised set of procedures agreed between" the customer and the merchant?
- if so, is the checkout process/page "used by the payment service user" (again, see here)?
- if so, is the payment service user using the checkout process/page "in order to initiate a payment order"... as explained previously...or 'payment transactions'?
- finally, how much processing would a merchant have to do to fall within the meaning of "initiate and process the payer's payment transactions": so, when does that processing begin and end; what steps/participants are involved; what is the nature of the processing (e.g. does it send transaction data to a payment gateway, acquirer or other type of payment service provider?); is the merchant acting as principal, agent or payee?
Hopefully, the Treasury and FCA will explain their interpretation soon!