Shifting Sands: The FCA Considers Gift Cards Outside The Scope Of PSD2

The sands are shifting under the legal status of gift cards, as the UK's Financial Conduct Authority consults on guidance that removes them from the scope of e-money and payments regulation altogether, rather than deeming them to be excluded as "limited networks". This interpretation would at least remove the need for large gift card programmes to be registered with the FCA, but also suggests a divergence from EU payments law in the Brexit context, to the extent that other EEA regulators may well decline to adopt the FCA's interpretation. Ultimately, it is unclear whether a gift card programme might yet somehow fall within the regulated scope but still benefit from an exclusion.

What's a "gift card"?

Gift cards have always represented the advance purchase of goods or services from the retailer who issued the card. Sometimes the value is recorded on the card (or voucher) itself, sometimes it is represented by a credit to a specific account for the card or named customer in the retailer's IT system. In either case, such value is considered 'closed loop'. There is a subtle difference between this and paying for a specific item in advance. But in both cases, the retailer has been able to treat the funds paid by the purchaser as its own funds, so that the customer has always taken on the risk of the retailer going bust before the value could be redeemed or the specific item was delivered (think Farepak and Wrapit).

Gift cards vs "E-money"

Electronic money, on the other hand, requires you to first 'load' value to a device or account (or 'e-wallet') which the "issuer" then enables you to use to pay for purchases at a range of retailers who either participate on the issuer's proprietary platform, or who accept the issuer's 'prepaid debit cards' via the major card schemes. In this sense, e-money is 'open loop'. Here, the customer is taking the risk that the e-money issuer might go broke before the customer can spend the e-money with the retailers. The risk of this has always been considered much greater than the risk of an individual retailer's insolvency, so financial regulators were given powers to control e-money issuance to try to eliminate that risk. The first electronic money directive in 2000 ("EMD") therefore obliged e-money issuers to hold sufficient capital to avoid insolvency and to keep the cash corresponding to their customers' e-money balances separate from the issuer's own cash. They defined "electronic money" as being stored value that is accepted as a means of payment by an entity other than the issuer, thereby excluding 'closed loop' stored value that is issued and spent or redeemed with the the same entity. 

Exemptions for "limited networks"

The closed/open loop distinction was carried through into the first payment services directive in 2007 ("PSD") by explicitly excluding from the definition of "payment services" any "services based on instruments that can be used to acquire goods or services only in the premises used by the issuer or under a commercial agreement with the issuer either within a limited network of service providers or for a limited range of goods or services". This provision became known as the "limited network exemption".  

That exemption was effectively endorsed in 2009, when the second e-money directive ("EMD2") defined "electronic money" by reference to the value being used for the purpose of making payment transactions under the PSD, rather than accepted by an entity other than the issuer.  The reference to the PSD thus automatically picked up and relied on the limited network exemption. 

In 2010, the Treasury proposed an obligation for retailers to segregate their gift card funds, but failed to attract any support. The limited network exemption then evolved into a narrower "limited network exclusion" by 2015 under the second payment services directive ("PSD2"), yet Question 40 of the FCA's Perimeter Guidance still cites "a closed loop gift card" as benefiting from that exclusion.  

In addition, PSD2 requires limited networks which transact more than €1m in any 12 month period to be registered with the local financial regulator, which then has a duty to determine whether the limited network exclusion actually applies to it. The first 12 month period expires on 13 January 2019, with registration due on 10 February. This has obliged retailers to begin tracking the size of their loyalty programmes to determine if and when they need to register, and the consequences of a finding that the programme is not excluded. In essence, the retailer could find itself prosecuted for having operated an e-money and/or payment service without either being authorised or registered as an agent an authorised firm (subject to any 'due diligence defence').

Gift cards now out of scope altogether?

In its latest consultation, however, the FCA proposes to change its stated view by removing the gift card example from Q40 and instead stating:

"... in our view, ‘gift cards’ where the issuer is a retailer and the gift card can only be used to obtain goods or services from that retailer are not payment instruments within the meaning of the PSRs 2017. This is because these basic gift cards do not initiate payment orders; payment for the goods or services is made by the customer to the retailer of the goods in advance, when the card is purchased from the retailer. Accordingly, this exclusion is not relevant to them."

But does that analysis extend to server-side stored value that can only be spent with the issuer? It is also at odds with the fact that VAT is not assessed on gift card purchases to avoid duplication, since VAT will in any case be levied on the actual purchase of items from the retailer in due course (let's ignore 'breakage', where the consumer leaves a balance that the retailer eventually takes to revenue). 

Wider consequences?

While this may be factually and logically correct, and might come as a relief to some large retailers, it otherwise creates confusion and "regulatory creep" as firms take action beyond what is required in order to avoid uncertainty - such as shutting programmes, outsourcing or applying to register unnecessarily. It involves an apparent re-interpretation of the relevant definitions to overlook what may be regarded as certain 'legal fictions' in the PSD and PSD2 that operate particularly in relation to card payments, for example. It also represent a key area of potential divergence from EU payments law in the Brexit context, to the extent that other EEA regulators may well decline to adopt the FCA's interpretation - the Central Bank of Ireland, for example, includes gift cards in the list of programmes that fall within the limited network exclusion. 

At the same time, however, the FCA's view does not alter the need for retailers to be careful about the implications of any changes made to their programme, in case they find that the limited network exclusion does then apply and needs to be registered.

"No-Brainer": UK Firms Switching From English to Irish Law And Courts For Their New EEA Hubs

Sadly, we are at "the point of no return" for Brexit preparations by UK businesses who supply goods or services into the remaining EU27 countries - or to non-EU markets under EU trade arrangements. Many will have already been making public announcements to reassure their regulators, customers and suppliers that they've planned how to keep their operations running smoothly in the event of a "No Deal Brexit" on 29 March 2019.  But now they have to execute those business continuity plans.

While the politicians seem to think they still have 6 weeks to negotiate a UK withdrawal agreement, few businesses would have that luxury. Working back from 29 March, they have to consider contractual notice periods (some mandated by law), as well as software development and operational process changes that will need to be fully tested and running in good time before that day.

Of course, the timetable is just the tip of the preparation iceberg. Below the waterline other preparations may have been happening for some time, such as establishing a new entity in an EU27 country and getting it authorised or licensed; opening local bank accounts; leasing office premises; transferring or employing management and staff; relocating or purchasing computers and other equipment, stock or assets, and related software and data licenses; and re-contracting some of the more critical affected customers and suppliers through their new entity.

These preparations raise numerous tax, legal and accounting issues in their own right - including the fact that the UK government is still unclear on much of the official rules, processes and procedures. But the choice of law under which each new entity contracts with customers and suppliers, and which courts will govern disputes, are among the most critical to making life as easy as possible in the transition.

Both EEA-based parties will probably want the contractual terms to remain broadly the same as any current English law contract, even if certain aspects might need to be re-negotiated. Billing and payment details, currency and pricing would likely need to change, for example; as will the legal basis for sharing EEA-residents' personal data with UK operations. There won't be an EU "adequacy decision" on the UK's data protection standards before April 2019 - and no timetable can even be agreed for reaching one unless and until the UK has actually left the EU. The General Data Protection Regulations as enacted where the new entity is established will apply to the new entity's collection, use and storage of personal data, even though the customer-facing privacy policy may remain broadly the same and the customers will still have consistent rights to complain about misuse under their own national data protection laws. In turn, the parties will no longer want the contract to be governed by English law and courts, to avoid the need to worry EEA customers and suppliers about the extent to which English law inevitably diverges from the law in EEA member states.

In these circumstances, choosing the application of Irish law instead of English law to govern at least the commercial aspects of a contract becomes a "no-brainer", because at this stage it's substantively very similar to the law of England & Wales, and far more so than the law of any other EU country. Ireland is the only other purely common law jurisdiction in the EU today, and will be alone after Brexit. The few technical differences include, for example, the absence of the right for any non-party to enforce a benefit under the agreement, which the UK allowed through statute in 1999, or different monetary thresholds for the jurisdiction of familiar types of courts. But such differences can be either simply flagged and understood or explicitly accommodated if necessary (to cite the relevant example, most parties try to limit or exclude 'third party rights' anyway, but the rights can also be explicitly specified). So, while the customer is well advised to run a final check of the contract with independent local Irish counsel, it will not face the comparatively awkward and expensive exercise in understanding the numerous substantive differences between English common law and the codified civil law system of other EU member states.

Of course, it remains possible to agree that the commercial elements of the contract and provision for its enforcement are governed by Irish law and courts, even though the regulated activities of one or other party to the contract (and any regulatory complaints) may be governed by the law of another EU member state. But it has been quite common until now for, say, a financial institution established and regulated in another member state to contract with its customers in the English language under English law (or Irish law, for that matter). So customers should have no problem with a switch from English to Irish law on that basis. 

Note that the process for transferring contracts can be a bit tricky, however. For instance, some UK businesses may seek to merely "assign" their English law contracts to a new entity (possibly under a provision that appears to allow this even without the other party's consent). But under English law it is not possible for a party to assign its obligations under a contract - just its own rights or benefits (e.g. the right to receive payments).  So the transfer of existing contracts to a new entity (and the other changes mentioned) would generally need to be done by way of "novation", which necessarily involves the consent of the other party.  The process of amending agreements may also be constrained by law, such as under national regulations implementing the second Payment Services Directive. These provide for a two month notice period for changes, and a right of termination where it is agreed the changes can be proposed unilaterally and the payment service provider takes that route. It's awkward enough for the ongoing relationship that the process might provoke a renegotiation (or that consent to novation might not be forthcoming at all), without actually being seen to trigger a positive right for the customer to terminate within a finite notice period (think Article 50)!

Of course, this all relates to the new EEA-based entity.  The group head office, and perhaps the UK entity, will still have the job of tracking the extent to which English law (and therefore the basis of the offering to UK customers) diverges from Irish law, EU rules and the offering to EEA customers. 

But you'll just have to blame the Brexiteers for that!

Will Your UK-issued Card Still Work In The EEA After Brexit?

Some confusion arising around this question today. The answer is that it should not be an issue, based on how card acquiring really works.

The EU has been clear since 2016 that, regardless of which type of Brexit occurs, UK-based financial institutions will no longer benefit from the ability to 'passport' their services into the rest of the European Economic Area (Norway, Liechtenstein and Iceland also participate in the financial services passporting arrangements). This position was emphasised in the relevant EU 'preparedness notice' in February 2018.

In the payments space about 350 UK firms rely on outbound passports around the rest of the EEA, while 142 EEA-based firms passport into the UK, as the FCA explained to Parliamentary select committee in August 2016.

More recently, the UK has said it will give the EEA-based firms a three year transition period to figure out how to continue serving the UK market.

So, in the payments space, the 350 UK-based banks, e-money institutions and payment institutions who currently rely on passports have been setting up additional new entities based in one of the remaining EU27 countries, from which they will service their customers who are resident in the EEA (as have I, on a professional basis, as UK professional qualifications will also cease to be recognised for providing services in the EEA). 

So, when Brexit occurs, the current residents of other EEA countries will be offered payment cards and accounts from an EEA-based entity, rather than a UK one.

That is not to say that a UK resident travelling in the EEA will not be able to make a payment using their payment cards issued to them in the UK under the typical international card schemes (which actually don't base their definition of Europe according to EEA and non-EEA distinctions, anyway). 

So, EEA-based merchants/retailers will still be able to take payment via their EEA-based payment provider (known as a 'card acquirer' or 'merchant acquirer'); and the UK customer will pay their UK card issuer as usual. The card scheme operator will still net-off amounts owed between EEA and non-EEA based issuers and acquirers and they will settle the difference with the schemes. It's just that the UK issuer in this example will then be among the non-EEA group.

Brexit And Cross-Border Personal Data Transfers: Agree A New Basis Now!

With 6 months to go, the UK government has warned UK firms to assume that their trading partners in the European Economic Area will be unable to send them any personal data from 29 March 2019, unless they enter into formal written agreements generally required for sending data to non-EEA countries or some other basis for transfer listed below. 

It's likely that EEA trading partners may be waiting on UK firms to do the necessary work, so the government recommends that UK firms should be proactive in making contact on this issue. 

However, any agreements would need to be under the law of an EEA member state (so I would likely advise on this area via my consultancy with Leman in Ireland, rather than via Keystone Law in the UK).

 

The UK proposes to allow the free flow of personal data from the UK to the EU27, but does not mention Norway, Liechtenstein or Iceland in relation to that proposal.

The EU can make an "adequacy decision" which allows the free flow of personal data to a non-EU country where that country's level of personal data protection is essentially equivalent to that of the EU. But the process for reaching such a decision - and even agreeing a timetable for that process - could not begin until after Brexit.

Aside from having the explicit consent of the individuals concerned (or perhaps relying on one of the processing rights under the General Data Protection Regulation), alternative ways for EEA firms to make personal data transfers to UK firms are as follows:

1. A legally binding and enforceable instrument between public authorities or bodies;
2. Binding corporate rules;
3. Standard model data protection clauses adopted by the Commission;
4. Standard data protection clauses adopted by an EEA supervisory authority and approved by the Commission;
5. An code of conduct approved by an EEA supervisory authority, together with binding and enforceable commitments of the receiver outside the EEA;
6. Certification under an approved EEA certification mechanism together with binding and enforceable commitments of the receiver outside the EEA;
7. Contractual clauses authorised by an EEA supervisory authority
8. Administrative arrangements between public authorities or bodies which include enforceable and effective rights for the individuals whose personal data is transferred, and which have been authorised by an EEA supervisory authority.