What Is A "Payment Service"?

I'm often approached by senior managers in businesses who've been asked this question - usually by their credit card acquirer, a financial regulator or a potential customer doing its due diligence. There's often no simple answer, but I've explained the main issues below. Please get in touch if you would like to discuss any of them.

Which types of businesses need to think about this?

This question tends to arises where your business:

• receives cash from one set of customers and makes payments to other customers. Examples range from e-commerce marketplaces, to law firms, to fully regulated payment service providers (including banks, e-money institutions and payment institutions);

• issues vouchers or other forms of value that can be exchanged for goods or services, either from the same business or some other participating retailers or suppliers;

• enables customers to send transaction data to their card acquirer, initiate a payment from their bank account or share bank statements or other financial information with third parties.

Depending on the circumstances any of these activities could mean that you are either:

• offering an "e-money" service and/or a "payment service", in which case you would and need some form of regulatory authorisation or registration; or

• your activities might be outside the scope of regulation, or in scope but specifically excluded from some or all of the authorisation or registration requirements.

How are payment services regulated?

Activities involving e-money and payments are mainly regulated throughout the EEA under national regulations that implement the second Electronic Money Directive (EMD) and the second EU Payment Services Directive (PSD).

These two directives are 'maximum harmonisation' directives, which means each EEA member state is supposed to apply them the same way (subject to a few permitted options). However, the interpretation by one country’s regulator that a service is either out of scope of the EMD and PSD, or in scope but expressly excluded, cannot be ‘passported’ to other EEA countries. So it is prudent to check the interpretation with local counsel in each significant EEA market in which you intend to operate.

If your activities are in scope, and not excluded, then you would need to be authorised as an E-money Institution (EMI) or payment institution (PI), or registered as small EMI or PI or as the agent of an EMI or PI. If you offer 'account information services' then you only need a registration; and some types of exclusion also require you to register with the local regulator.

A fully authorised firm may “passport” its services into other EEA countries (or rely on its principal’s passports if it is a registered agent).  Because of Brexit, however, UK-based institutions would need to set up an entity based in one of the remaining EU27 countries, or an EEA member state, from which to passport services around the EEA; and EEA-based firms can either register for a temporary permission (by 30 January 2020) or set up a UK subsidiary and apply for the relevant authorisation or registration locally.

What is a payment service?

Unless you enable the collection and withdrawal of physical cash, the “payment services” you are most likely to be concerned with involve:

• the 'execution' (processing etc) of payment transactions involving card-based payments, bank/credit transfers, direct debits, either with or without credit;

• money remittance: where funds are received from a payer, without any payment accounts being created in the name of the payer or the payee, for the sole purpose of transferring a corresponding amount to a payee or to another payment service provider acting on behalf of the payee, and/or where such funds are received on behalf of and made available to the payee;

• issuing payment instruments: contracting to provide a payer with a payment instrument to initiate and process the payer’s payment transactions (a payment instrument is any personalised device(s) and/or set of procedures agreed between the user and the service provider that is used to initiate a payment order);

• aquiring payment transactions: contracting with a payee to accept and process payment transactions, which results in a transfer of funds to the payee (e.g. debit/credit card acquiring or 'merchant acquiring');

• payment initiation services: a service to initiate a payment order at the request of the user with respect to a payment account held at another payment service provider; or

• account information services: an online service to provide consolidated information on one or more payment accounts held by the user with on or more other payment service provider(s).

There are many related definitions, but the central one to understand is that a "payment transaction" means "an act initiated by the payer or payee, or on behalf of the payer, of placing, transferring or withdrawing funds [i.e. money, including "e-money"], irrespective of any underlying obligations between the payer and payee." This definition can involve some degree of legal fiction, such as when applied to card acquiring, which actually involves multiple payment transactions.

What is e-money?

The term “electronic money” or "e-money" means monetary value that is:

• electronically stored; 
• represented by a claim on the electronic money issuer, 
• issued on receipt of funds, 
• for the purpose of making “payment transactions”; 
• accepted by a person other than the electronic money issuer; and 
• not a “limited network” service.

"Limited networks" are services based on specific payment instruments that can be used only in a limited way and meet any one or more of the following conditions:

• allow the holder to acquire goods or services only in the issuer's premises;

• are issued by a professional issuer and allow the holder to acquire goods or services only within a limited network of service providers which have direct commercial agreements with the issuer;

• may be used only to acquire a very limited range of goods or services; or

• are valid only in a single EEA State, are provided at the request of an undertaking or a public sector entity, and are regulated by a national or regional public authority for specific social or tax purposes to acquire specific goods or services from suppliers which have a commercial agreement with the issuer.

The exclusion for limited networks also applies to payment services generally. This can include loyalty schemes, fuel card schemes and so on. Some regulators may consider gift cards as falling within this exclusion, while others may not see them as within scope of the PSD at all.

Is the service offered by way of business?

This is where a lot of uncertainty can arise because, in some countries (like the UK), the regulator is only concerned about payments activity that is operated or offered as a business separately or distinctly from any other activity. In other countries, however, this may not be a factor that the regulator considers to be very important, if at all.

So it's worth considering that if you are receiving money and paying it out or holding it on a customer's behalf only as a small part of a much wider service - like, say, a law firm - then it is possible that the local regulator might not consider your payments-related activity to be a "payment service" in its own right (but of course other laws and/or professional rules may apply to those scenarios anyway).

It is also worth exploring any opportunities to re-position or integrate the payments activity so that it is not offered by way of business in its own right.

Even if your activity is in scope, could an exclusion apply?

Some activities that initially meet the test of being a "payment service" might actually benefit from a specific exclusion under the EMD or PSD.  There is quite a long list of possible exclusions. Some reflect day-to-day activies, like paying another person directly, paying by paper cheque etc., or physically transporting cash. Others are quite specialised and/or involve a lot of explanation and the possibility for regulators to interpret them differently, as with the scope of the EMD or PSD.  Exclusions that are likely to involve considerable legal analysis are:

• the commercial agent's exclusion: covers payment transactions from the payer to the payee through a commercial agent authorised via an agreement to negotiate or conclude the sale or purchase of goods or services on behalf of only the payer or only the payee;

• the technical service providers exclusion: covers services which support the provision of payment services, without the service provider entering into possession of the funds to be transferred - like 'payment gateway' services or anti-fraud services, for example. These services include processing and storage of data, trust and privacy protection services, data and entity authentication, information technology (IT) and communication network provision, provision and maintenance of terminals and devices used for payment services, but exclude payment initiation services and account information services;

• the limited network exclusion, which I've already mentioned above in relation to e-money.

Conclusion:
Again, there is often no simple answer as to whether your activities constitute a regulated e-money or payment service, but I've explained the main issues above. Please get in touch if you would like to discuss any of them.

Low Take-Up Of UK Temporary Permissions Regime By EEA Firms With UK Passports?

According to the FCA's figures in August 2016, the end of financial services passporting between the EEA and the UK was going to leave 5,476 UK finance firms potentially needing a new passporting 'hub' in one of the remaining 27 EU countries and 8,008 EEA firms potentially needing a UK base to cover their UK offerings. So, how many have acted?

There has definitely been a scramble by UK firms to set up in the EU27, although the figures are spread across multiple registers, and regulators do not disclose the numbers of applications that are still in progress. The Central Bank of Ireland claimed "well over 100" in September 2019, for example, with similar numbers thrown out by others. 

Not all firms might use their passports, of course. It's quite straightforward to take advantage of the passporting regime - a simple notification to your home state regulator, which then notifies the various host state regulators. And there's no obligation to actually use a passport. Many firms will have ticked the box for all EEA countries to avoid inadvertently committing an offence wherever their customers happened to reside. And the picture is perhaps distorted by non-EEA corporations who were using the UK as their passport hub, so their new Irish subsidiary would not count as an application by a UK parent.

There has been less pressure on EEA firms who operate under passports in the UK because the FCA offered a Temporary Permissions Regime (TPR) that allows them to continue trading for 3 years as if they were passporting. The registration deadline has been extended each time Brexit has been delayed, so the current deadline is 30 January 2020. However, it's likely that most, if not all, EEA firms that were intending to use the TPR option will have already registered, although some newly authorised firms could still squeeze in (e.g. new FinTech firms).

At any rate, the Financial Conduct Authority has responded to a Freedom of Information Act request with the news that 1,441 EEA-based firms had applied for the TPR by October 2019. Of those, 228 are based in Ireland, 170 in France, 165 in Cyprus and 149 in Germany. 

If this is to be considered a high take-up of the TPR option, then it would appear that only about 18% of EEA passports into the UK were actually being used. That's perhaps not unreasonable, given the tick-box approach to passporting to avoid inadvertently committing an offence in the UK in the event that they ended up with UK customers.

In any event, these 1,441 firms now have until 30 January 2023 to decide whether to set up offices in the UK and get authorised locally, to the extent they continue to serve the UK market.

You Have 9... No, wait, 8 Days To Comply With The Changes To The Money Laundering Regs

Not only do the recent changes to the Money Laundering Regulations widen the range of firms who have to comply, but there are also changes to the requirements for customer due diligence, risk assessments, policies, controls, procedures and training for firms already in scope. You have until by 10 January 2020 to comply with most of the changes. I've summarised most changes here. Let me know if you need assistance.

Changes to Scope of the MLRs

The range of firms covered by the MLRs now includes letting agents, art market participants; cryptoasset (e.g. virtual currency) exchange providers and custodian wallet providers. 

The definition of tax adviser is also extended to those who provide material aid or assistance on tax; and certain limits are lowered for e-money transactions and new restrictions are imposed on acquiring anonymous prepaid card transactions. 

Law enforcement authorities and the Gambling Commission can obtain information about safe-deposit boxes and about accounts held with banks, building societies and credit unions.

Changes to due diligence requirements

When you adopt new products, business practices (including new delivery mechanisms) or technology you must take appropriate measures in preparation for, and during, that process to assess - and if necessary mitigate - any money laundering or terrorist financing risks change may cause.

If your firm is a parent, you must establish and maintain throughout your group all the various policies, controls and procedures for the purposes of preventing money laundering and terrorist financing - including for data protection and sharing information and including policies on the sharing of information about customers, customer accounts and transactions.

You must take appropriate measures - and keep records to prove - that you train your employees and agents whose work is relevant to your AML compliance or the identification or mitigation of the risk, prevention or detection of money laundering and terrorist financing. The training must be in the law relating to money laundering and terrorist financing, and related data protection requirements; as well as how to recognise and deal with suspicious transactions and other activities or situations which may be related to money laundering or terrorist financing.

The triggers for applying customer due diligence measures now include:

• at appropriate times for existing customers, on a risk based approach; 
• when you become aware that the circumstances of an existing customer relevant to your risk assessment for that customer have changed;
• when you have a legal duty to contact an existing customer for the purpose of reviewing any information relevant to your risk assessment and relates to the beneficial ownership of the customer, including information which enables you to understand the ownership or control structure of a legal person, trust, foundation or similar arrangement who is the beneficial owner of the customer; 
• when you have to contact an existing customer to fulfil a duty under the International Tax Compliance Regulations 2015.

The obligation to understand the ownership and control structure of a customer applies whether the customer is a body corporate or other legal person, trust, company, foundation or similar legal arrangement.

Where you've exhausted all possible means of identifying the beneficial owner of the body corporate and either you haven't succeeded or you aren't satisfied that the individual identified is in fact the beneficial owner, you must keep written records of all the actions you've taken to identify the beneficial owner and take reasonable measures to verify the identity of the senior person in the body corporate responsible for managing it, as well as all the actions you've taken and any difficulties you encountered in doing so.

Before establishing a business relationship with a customer, you must collect proof of registration or an excerpt of the relevant company or partnership registry (as the case may be) and report to the relevant registrar any discrepancy between information relating to the beneficial ownership of the customer that you collect from the register and information that otherwise becomes available to you in the course of carrying out your duties under the MLRs.

There are new triggers for carrying out 'enhanced' customer due diligence measures, as well as a specified (non-exhaustive) list of measures.

The thresholds for applying customer due diligence in the context of e-money are significantly reduced.

There are new restrictions on acquiring anonymous prepaid card transactions.

Law enforcement authorities and the Gambling Commission can now obtain information about safe-deposit boxes and about accounts held with banks, building societies and credit unions.