Monday, 29 January 2018

Review of E-money Regulation: More Regulation For Retailers?

The European Commission has just reported on the status of EU e-money regulation, raising the prospect of more regulation for retailers who offer 'gift cards' and other loyalty schemes.

Electronic money, or "e-money", is basically electronically stored value that can be used to make payments to people other than the issuer, while "limited network" or 'closed-loop' stored value can only be used to pay the issuer (as with a loyalty points scheme, fuel card or gift card, for example).

E-money is not to be confused with "crypto-currencies" like Bitcoin, Ether etc. which are not considered "funds" for regulatory purposes because they are not 'fiat' currencies that are backed by governments as a matter of law ('legal tender').

The issuance of e-money was first regulated distinctly from banking by the EU in 2000, under the E-money Directive (EMD) which was replaced by a new directive (EMD2) from 2011. By then the activities of electronic money issuers/institutions (EMIs) had also become regulated under the Payment Services Directive (PSD) from 2009, which was replaced in mid-January 2018 by regulations implementing PSD2.

Inconsistencies

These directives are supposed to be applied the same way by all member states in the European Economic Area (28 EU member states plus Iceland, Liechtenstein and Norway). But the Commission has found that EMIs "engage in "forum shopping", choosing to register in the Member States that provide the most beneficial legal frameworks from their viewpoint." EMIs can then use a "passport" process to offer their services in the remaining EEA member states.

For example, the Annex to the report shows that the UK is home to 87 of the EU's 172 E-money institutions (EMIs), with Malta being the next most popular base (13) then Cyprus (10). This also means that the 87 EMIs based in the UK will need a new base in one of the remaining EEA member states from which to passport their EEA-facing services after Brexit.

The UK is also home to 19 of the EU's 74 small EMIs (who transact less than €3 million a month over a 12 month period), with the Netherlands home to 23 and Latvia 12. But small EMIs have no passport rights, anyway, so do not raise the same concerns.

Benefits of EMD2

The benefits of EMD2 were cited as more clarity and lower capital requirements than EMD1; on top of the fact that payment services regulated under PSD2 and e-money services can be provided under the EMD2 authorisation.

The Commission did not find any consumer harm associated with using e-money or redeeming it for cash (withdrawing the funds equivalent to their e-money balance to another payment account or via an ATM).

Compliance costs are said to range from 1% to 5% of overall costs (€25,000 to €500,000) offset to some degree by the reduction in capital requirements from €1 million under EMD1 to €350,000 for full EMIs under EMD2 (compared to €125,000 for full payment institutions under PSD2).

Issues

Negative factors associated with EMD2 were found to be mainly the inconsistencies in how each EEA member state views the role of an EMI's "agent" (which the EMI has to register) and "distributor" (of which an EMI just has to notify its regulator); and "limited network" or 'closed-loop' stored value, which is unregulated. The inconsistencies make it more difficult to predict the regulatory status and related requirements from case to case and state to state.

EMIs also complain that banks won't allow them to open bank accounts as easily as other types of firms, although the Commission hopes this will be improved by various access provisions in PSD2, and moves by central banks to allow EMIs (and PIs) to access central bank accounts and settlement systems.

Next steps

The Commission will explore ways to improve consistency in interpreting the role of agents, distributors and "limited networks". In addition, it will consider making large 'limited network' providers subject to some (unspecified) aspects of EMD2, even though they must already register with the local regulator when their network transaction volume exceeds €1 million over a 12 month period.


Tuesday, 16 January 2018

New To Payments? Try PSD2 Customer Authentication and Communication Standards!

If you are among the new entrants to the regulated payments space you should know that, in a bid to captivate and inspire a generation, the European Banking Authority has published the final 'regulatory technical standards' for payment user authentication and the secure communication of payments data. The standards should take effect in the second half of 2019, but the authorities are keen for regulated payment service providers (PSPs) to adopt them as soon as possible. They are written in legalese, but I've summarised them below in a bid to get them straight in my own head. Grab a coffee before proceeding!

Strong customer authentication 

PSPs must know they are dealing with their own customer by applying strong customer authentication. This is subject to certain permitted exemptions outlined below. PSPs must also protect the confidentiality and the integrity of each customer's personalised security credentials. Their security measures must be documented, periodically tested, evaluated and audited by auditors with expertise in IT security and payments and operationally independent within or from the PSP.
 
Broadly, authentication must be based on two or more elements of 'knowledge' (password/PIN), 'possession' (card/device) and 'inherence' (fingerprint/iris scan). 

These elements must be subject to measures designed to prevent disclosure (in the case of knowledge), to prevent replication (in the case of possession) and to resist unauthorized use of the device or software (in the case of inherence).

The breach of one element must not compromise the reliability of the others. Certain measures must also mitigate the risk that a multi-purpose access device has itself been compromised. 

Credentials and Code

Authentication credentials must be masked when displayed and not fully readable as they are being entered; not stored in plaintext; and must be protected from unauthorized disclosure. 

PSPs must document how they encrypt credentials or render them unreadable. 

The creation, processing and routing of credentials must be done in secure environments that accord with industry standards. 

Specific requirements govern the process of associating the user with credentials; delivery; authentication of devices and software; and the renewal, destruction, deactivation and revocation of credentials.

Authentication must result in the generation of an authentication code that is only accepted once by the PSP when the payer uses it to: access the payer’s payment account online, initiate an electronic payment transaction or to carry out any action through 'a remote channel which may imply a risk of payment fraud or other abuse'. 

No information on any of the authentication elements can be derived from the disclosure of the authentication code; nor can it be possible to generate a new authentication code based on the knowledge of any previous code. The code must not be able to be forged. 

Where the authentication has failed to generate an authentication code, it must not be possible to identify which of the authentication elements was incorrect. 

No more than 5 failed authentication attempts can take place consecutively before the authentication tool is blocked, either temporarily (based on certain factors) or permanently (after a warning). The user has 5 minutes of inactivity after being authenticated before access must time-out. 

Dynamic linking!

The payer must be made aware of both the amount of the proposed payment transaction and of the proposed payee. The authentication code must also be ‘dynamically linked’ to (specific to) the amount and the payee. Any change to the amount or the payee must result in the invalidation of the authentication code that was generated.

PSPs must ensure the confidentiality, authenticity and integrity of the amount of the transaction and the payee throughout all of the phases of the authentication; as well as the information displayed to the payer including the generation, transmission and use of the authentication code.
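
The following Python example is added here and is not taken from the EBA standards or from any PSP's code. It shows one way to satisfy the code requirements summarised under "Credentials and Code" and "Dynamic linking": a single generic failure result for either element, blocking after 5 consecutive failures, and a one-time code bound to the amount and payee. The `Psp` class, the `device_proof` helper, the HMAC construction and the PBKDF2 parameters are all assumptions of the example.

```python
import hashlib
import hmac
import secrets

MAX_FAILED = 5  # consecutive failed attempts allowed before blocking


def _mac(key, *fields):
    # Length-prefix each field so different field splits cannot collide.
    parts = (f.encode() for f in fields)
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def _pin_hash(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def device_proof(device_key, amount_cents, payee):
    """Computed on the payer's enrolled device over the amount and payee shown."""
    return _mac(device_key, str(amount_cents), payee)


class Psp:
    """Hypothetical PSP back end (illustrative names throughout)."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # server-only key for auth codes
        self._users = {}   # user -> (salt, PIN hash, device key)
        self._failed = {}  # user -> consecutive failed attempts
        self._unused = {}  # tx_id -> nonce of a code not yet presented

    def enrol(self, user, pin, device_key):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, _pin_hash(pin, salt), device_key)

    def authenticate(self, user, pin, proof, amount_cents, payee):
        """Check knowledge and possession; return (tx_id, code) or None."""
        if user not in self._users or self._failed.get(user, 0) >= MAX_FAILED:
            return None  # unknown or blocked; unblocking is out of scope here
        salt, stored, device_key = self._users[user]
        knowledge_ok = hmac.compare_digest(_pin_hash(pin, salt), stored)
        possession_ok = hmac.compare_digest(
            device_proof(device_key, amount_cents, payee), proof)
        # Both checks always run and either failure yields the same None,
        # so the caller cannot tell which element was wrong.
        if not (knowledge_ok and possession_ok):
            self._failed[user] = self._failed.get(user, 0) + 1
            return None
        self._failed[user] = 0
        tx_id, nonce = secrets.token_hex(8), secrets.token_hex(16)
        self._unused[tx_id] = nonce
        # The random nonce means one code reveals nothing about the next.
        return tx_id, _mac(self._key, tx_id, nonce, user, str(amount_cents), payee)

    def redeem(self, user, tx_id, code, amount_cents, payee):
        """Accept a code once, only for the amount and payee it was issued for."""
        nonce = self._unused.pop(tx_id, None)  # any presentation consumes the code
        if nonce is None:
            return False
        expected = _mac(self._key, tx_id, nonce, user, str(amount_cents), payee)
        return hmac.compare_digest(expected, code)
```

Because `redeem` removes the pending entry before comparing, presenting a code with an altered amount or payee both fails and invalidates that code, so the payer has to authenticate again for the changed transaction.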

Transaction monitoring

PSPs must monitor interaction with their customers to detect unauthorised or fraudulent payment transactions, taking into account elements which are typical of the user when normally using the credentials and, at a minimum, the following risk-based factors: 
  • lists of compromised or stolen authentication elements; 
  • the amount of each payment transaction; 
  • known fraud scenarios in the provision of payment services; 
  • signs of malware infection in any sessions of the authentication procedure; and
  • where the access device or software is provided by the PSP, a log of the use of the device or software and the abnormal use of the device or software. 

Exemptions from strong customer authentication

The permitted exemptions (subject to transaction monitoring, and quarterly assessments to be shared with the FCA on request) are: 
  • checking the balance or the last 90 days of transactions without entering sensitive payment data; 
  • a contactless payment of up to €50, a series of up to €150 or 5 consecutive contactless payments; 
  • payment at an unattended parking or transport ticket terminal;
  • the payee is included in a list of trusted payees (unless adding to or changing the list); 
  • recurring payments (after authenticating for the first);
  • transfers between the users’ own accounts with the same PSP; 
  • a remote electronic payment of up to €30, consecutive payments of up to €100 or 5 consecutive remote electronic payments; 
  • commercial payment processes or protocols where the FCA is satisfied they guarantee at least the same level of security as under PSD2; 
  • low risk remote electronic payment transactions (based on certain risk factors) where: 
      ◦ the fraud rate is below the relevant reference rate; 
      ◦ the amount is below a specific threshold; and 
      ◦ the PSP’s real time risk analysis hasn’t identified certain specified problems. 

Secure communications

A PSP's communication sessions must be protected against the capture of authentication data transmitted during authentication, and against manipulation by unauthorised parties based on certain communication standards. These include secure identification of payer’s and payee’s devices; traceability of both the transactions and the interaction with the user and other participants in transactions; and a secure access interface between payer and online payment accounts. 

The access interface must allow for access by the user’s chosen account information service providers (AISPs) and payment initiation service providers (PISPs), although access by AISPs and PISPs can be facilitated via a dedicated interface that meets certain requirements. 

Wakey-wakey!

The End.

Saturday, 13 January 2018

Payment Services #.0: When Payments Finally Become Less Visible

Today marks the dawn of new payments regulation under the second Payment Services Directive (PSD2). Yawn, you say. But, unusually for a technology-based industry, the experience for customers should outstrip the hype. Is this Payment Services 2.0? 3.0? 4.0?  Who cares? After all, "paying" for something or "checking your balance" should not be an activity all on its own. It should be just a small part of something else you're in the middle of doing. In other words, it's what you won't see that should make all the difference...

You might not deal with your bank anymore when paying or checking statements

New “payment initiation services” will mean you can use a separate service provider to make payments from your bank account or other payment accounts, without logging-in to your payment account provider's systems.

New “account information services” will combine the information from all your payment accounts and display it to you in one place. You could also permit that information to be sent to others (e.g. a lender, a comparison website or professional adviser). 

Not only will such services cut the amount of time you spend logging-in to different providers. They'll also make it easier for you to gather your financial information, understand and control your financial affairs and make payments from a range of accounts. 

You won't see retailers charging you for the privilege of paying them

From now on, nobody can add a charge based purely on how you pay them. So all their profit will be in the price of the goods or services you buy, not the extras. 

The UK has typically gone further than other EU countries to apply this to every type of consumer payment method. So, any contract term requiring such a 'surcharge' will not be enforceable. In fact, there will be an implied requirement to refund the excess. Or you could initiate a chargeback via your debit/credit card issuer, or make a claim against your credit card issuer under section 75 of the Consumer Credit Act. 

In addition, any extra charge for using a commercial payment method must be limited to the supplier's cost of accepting that type of payment. Again, no room for extra margin here.

You won't realise that big loyalty schemes are now policed by the FCA

Retail loyalty schemes, such as gift cards, fuel cards and other ‘limited network’ programmes, will need to be registered with the Financial Conduct Authority if the value of their transactions meets or exceeds €1 million (or the GBP equivalent) in any 12 month period.

The intention is to safeguard customer funds that are paid into wider schemes, as with any other e-money or payment service.

The FCA must then decide if the scheme really is a ‘limited network’ that's entitled to an exclusion from e-money and payments regulation. 

If not, then the retailer may have already committed an offence by offering the scheme in the first place.

The retailer also commits an offence if it fails to notify the FCA within 28 days after reaching the €1 million threshold. So retailers should check the status of their loyalty programmes well before then!

You will see less delay in handling your complaints 

The time for processing customer complaints has been cut from 8 weeks to 15 business days. This increases the pressure on payment service providers to operate much more efficiently, so they have fewer complaints and find it easier and less costly to solve any problems you do have. 

You won't see the increased security

You won't see all the standards-setting and development work that's going on behind the scenes to make all of this happen in a far more secure way than payment services have worked before.

The new regulations bring mandatory technical standards for better ways to make sure customers are who they claim to be, and for the different types of payment service providers to work together where you need them to do so.

So, finally, "payments" will become less visible... if you know what I mean.

Saturday, 6 January 2018

Can You Use P2P Loans to Provide Finance To Others?

The FCA and others have become concerned that some people or firms may be borrowing money on peer-to-peer lending platforms and using that money to provide finance to others without being authorised to do so, rather than borrowing solely to finance their own activities. 

So the Treasury proposes to clarify when a person or business can borrow on a P2P lending platform without needing to be authorised to 'accept deposits' by amending the 'business test' for deposit-taking as explained here.

For the sake of argument, let's just accept that a 'loan' can be a "deposit"; that borrowing on a P2P lending platform can involve "accepting" a deposit; and no potential exemptions apply. The question is whether this is being done "by way of business".

The current test merely says that a borrower will not be 'accepting deposits by way of business' if the borrower doesn't hold himself out as accepting deposits on a day-to-day basis; and any deposits are accepted only on "particular occasions".

This is considered too vague to be helpful in the P2P lending context, so the government proposes to add a specific carve-out for the situation where:
  • the acceptance of deposits is facilitated by an authorised P2P lending platform;
  • the borrower is not a bank or 'credit institution' (as they are already in the business of accepting deposits) or other type of regulated person (who would need to add the permission to accept deposits);
  • the borrower is not carrying on the business of accepting deposits (which is obviously kind of circular, but another provision will say that if the borrower uses the capital or interest on the funds solely to finance other business activity carried on by the borrower (not a third party), this will be evidence that the borrower is not carrying on the business of accepting deposits);
  • the borrower does not hold himself out as accepting deposits on a day to day basis, other than as facilitated by the P2P lending platform.

The key element in the context of borrowing on a P2P lending platform is that the borrower's use of the loan proceeds is to finance that person or firm's own activities, as opposed to being used to provide finance to others.

Of course, this post is for information purposes only and does not constitute legal advice.


Wednesday, 3 January 2018

Central Points of Contact: Erosion of Home State Control Under PSD2 Passports?

One of the great benefits of the old Payment Services Directive (PSD) was that a firm only had to deal with the regulator in its home member state. If the regulator in another member state wanted to complain about a service supplied to its citizens under a 'passport', then that host state regulator had to call the home state regulator.  This was particularly important given that different EEA member states have different interpretations of some aspects of the PSD.

But the new PSD2 allows each host state to require a firm operating locally through branches or agents to appoint a local "central point of contact" if they meet one or more criteria specified by the European Banking Authority:
  • if the firm has 10 or more agents located in the host state, which the firm relies on for passporting under the 'right of establishment' (not on a 'cross-border service' basis);
  • if the total [value/number] of payment transactions carried out by the firm in the host state in the last financial year through local agents (including cross-border service agents, so long as there are at least 2 agents operating under the right of establishment), exceeds [EUR 3 million/100,000], including transactions initiated under its payment initiation service.

Firms which trigger any one of the criteria in a host member state must notify the local regulator within 30 days (otherwise, the local regulator wouldn't necessarily know). The EBA will hold a central register of firms with local 'central points of contact'.

Each central point of contact must be able to facilitate certain reporting obligations, as well as communications with, and visits by, host state authorities.  

This is intended to improve co-ordination among regulators, though it seems a lot of trouble to go to when they can already pick up the phone. 

More concerning, however, is that it also paves the way for host states to enforce their own different interpretations of PSD2...


Lifting the Lid on UK Banks' Current Account Services

In a belated effort to improve competition for personal and business current accounts, new rules require banks to publish data on account opening, service availability and major incidents from 15 August 2018. Data on account-opening and debit card replacement will have to be published from 15 February 2019. Banks will need to start recording and measuring the time taken to open accounts and to replace a debit card from 1 October 2018. Comparison sites are also likely to publish the data.

The measures exclude 'premium' customers who receive a better level of service linked to minimum credit balances or monthly deposits, and who represent fewer than 20% of customers. Otherwise, their experience could distort the picture of services that typical customers get.

The rules cover banks with more than 70,000 relevant personal current accounts or 15,000 business current accounts (held by ‘banking customers’) per brand. Other firms not required to publish the data may do so, in which case they should comply with the same rules to aid comparison (but are not in breach of any rules if they do not).