Search This Blog

Sunday, 29 November 2020

Card Acquirers Circling the Wagons?

Following its initial findings that merchants with up to £50m in card transactions are over-paying for acquiring services, the Payment Systems Regulator (PSR) has taken the unusual step of setting up a "confidentiality ring" to allow potentially affected parties to access the survey results.

The confidential material comprises:

  • Raw data file containing the responsesof 1,037 small and medium sized merchants to questions in the merchant questionnaire;
  • Raw data file key needed to interpret the variable names and values from the raw data file; and
  • Data tables file providing weighted tabulations of the responses.

The confidential material can only be used: 

"in order to prepare submissions and make representations to the PSR in connection with the Market Review and, accordingly, to facilitate the exercise by the PSR of its statutory functions... and (if relevant) to prepare and conduct an appeal against any decision of the PSR in connection with the Market Review, including an appeal in which such parties are, or are intending to apply to be, an intervener."

The deadline for stakeholders to submit responses to the PSR’s consultation on the Interim Report is currently 5pm on 8 December 2020, but this will be extended to allow for access to the Confidentiality Ring, depending on when it opens and how long it lasts. A further announcement on that will be made in due course. Meanwhile, requests to join the Confidentiality Ring must be submitted to the Market Review team at cards@psr.org.uk by no later than 5pm on 4 December 2020... 


Monday, 16 November 2020

Regulator: Card Acquiring Too Costly for UK Merchants With Sales of Less Than £50m

The UK's Payment Systems Regulator (PSR) has found that services which enable retailers to accept credit/debit card payments ('card acquiring') cost too much for those with less than £50 million in annual card payments. It says those merchants should shop around or negotiate a better price with their current provider. In the meantime, the PSR is also considering certain regulatory changes below. Feedback should be emailed to cards@psr.org.uk by Tuesday 8 December 2020. Please let me know if I can assist you in either understanding and re-negotiating your acquiring terms and/or providing feedback to the PSR. 

Content of the report

The report provides a useful guide to the acquring industry (Chapter 3), how the various providers compete (Chapter 4), the analysis of pricing and quality outcomes (Chapter 5), as well as merchants’ ability and willingness to search and switch provider (Chapter 6). The problems and proposed solutions are discussed in Chapter 7.

What are the proposed changes?

The main changes being considered are:

1. whether all merchant service contracts for card-acquiring should have an end date, rather than simply being terminable on a certain amount of notice. This would apply to both acquirer and payment facilitator contracts with small and medium-sized merchants and large merchants with annual card turnover of up to £50 million. This might force merchants to re-tender for their acquiring business, but there is nothing stopping them doing that within the bounds of an existing contract. There is no substitute for a business having the internal discipline to revisit pricing on a regular basis.

2. where merchants with physical tills have a separate contract for their point of sale card terminals/devices ("POS terminals") the end dates for these contracts may not be aligned with the termination provisions of the acquiring service contract, so the PSR is considering:

  • Limiting the length of POS terminal contracts to, say, 18 months.
  • Banning the automatic renewal of POS terminal contracts for successive fixed terms.
  • Declaring contracts for card-acquiring services and POS terminals as being 'linked', where they are sold together as a package by acquirers or Independent Sales Organisations (ISOs). This would enable the merchant to terminate both contracts at the same time without additional charge where, for example, the acquirer wishes to change the fees or other terms of the acquiring contract in ways that are not acceptable, or breaches the contract. But this would not apply where payment facilitators sell POS terminals to merchants separately. In those cases, it would be up to the merchant to negotiate the term and termination rights in the POS terminal contract to coincide with those provisions in the acquiring contract (to cover the situations where either the POS terminals or payment facilitator won't work with a new acquirer).

3. ISOs and acquirers could be required to facilitate price comparison by merchants, e.g. by providng pricing information in an easily comparable format (building on obligations on acquirers in the Internet Fee Regulation and the Payment Services Regulations 2017 to provide fee information to merchants).

Has the regulator got this wrong?
 
Probably not. The PSR has done plenty of homework here and the report seems thorough to me (over 20 years in payments, including spells working inside both a very large merchant and a very large acquirer). Its market research included consulting on the methodologies for: analysing whether the limits on interchange fees had been passed through; surveying merchants; and analysing acquirer profitability. The PSR also engaged with other regulators and all the various types of industry participants: acquirers, banks, ISOs, gateway providers, independent software vendors, online marketplaces, operators of card payment systems, payments consultancies, payment facilitators and trade associations.
 
In fact, as with most such iniatives in the financial services industry, this exercise is probably long overdue.
 
Please let me know if I can assist in your negotiations or feedback. 

Saturday, 14 November 2020

Will It Be Practicable To Transfer Personal Data From the EEA to the UK After 2020?

From 1 January 2021, any EEA-based organisation wishing to transfer personal data from the EEA to the UK (or any other non-EEA country) will need to be able to show that the processing will have the same protection as under EU data protection law (GDPR). Many firms might consider that exercise impracticable from a cost and administration standpoint, particularly in light of certain new recommendations on which the EU authorities are now consulting. These are briefly explained below. The UK's Information Commissioner is "reviewing" the proposals, but of course has no influence. This will affect "thousands" of firms and could prove severely disruptive for cross-border services ranging from payroll and benefits, to e-commerce marketplaces to social media services. If you need assistance, either in the UK or in Ireland/EEA please let me know.

Options for transferring personal data from the EEA to the UK

An EEA-based business can only transfer personal data to a non-EEA country, if one of three situations apply: 

  1. the European Commission has ruled that country's personal data protection laws to be ‘adequate’;
  2. there are appropriate safeguards or 'transfer tools' in place to protect the rights of data subjects (including 'Standard Contractual Clauses'); or
  3. certain 'derogations' or exemptions apply to allow the processing as of right.  

For many reasons it is best to assume there will not be an EU adequacy decision relating to the UK’s data protection regime by 1 January 2021, as that process is long and complex, and there are some features of the UK regime which do present problems, including: 

  • the UK’s use of mass surveillance techniques;
  • intelligence sharing with other countries such as the US;
  • the questionable validity of the UK immigration control exemption;
  • the lack of a ‘fundamental right’ to data protection under UK law; 
  • UK adequacy findings for other countries’ personal data regimes that the EU does not deem adequate; and 
  • the potential for future divergence from EU data protection standards if the UK GDPR is further modified post Brexit. 

As a result of the decision of the European Court of Justice in a case against Facebook (‘Schrems II’), a data exporter relying on Standard Contractual Clauses (or other contractual 'transfer tools') must first verify that the law of the third country ensures a level of protection for personal data that is equivalent to the EU's General Data Protection Regulation. If that level is considered sub-standard, the data exporter may be able to use certain measures to plug the gaps, but this process would need to be carefully documented and is the subject of the main recommendations from the EDPB. 

The extent to which you can usefully rely on the derogations, either before considering the other appropriate safeguards or 'transfer tools', or if those other options are not available is also somewhat doubtful, as I will explain.

Assessing whether personal data transfers outside the EEA are appropriate

To help data exporters evaluate whether the use of transfer tools will be appropriate, the forum of all the EEA data protection authorities (the European Data Protection Board or EDPB), is now consulting on recommendations for: 

The EDPB's first set of recommendations contain steps outlined below. The European Essential Guarantees enable data exporters to determine if the rights for public authorities to access personal data for surveillance purposes can be regarded as a justifiable interference with the rights to privacy and the protection of personal data. Basically:

A. Processing should be based on clear, precise and accessible rules;

B. Necessity and proportionality with regard to the legitimate objectives pursued need to  be demonstrated;

C. An independent oversight mechanism should exist;

D. Effective remedies need to be available to the individual.

The steps involved in assessing the appropriateness of transfer tools must be documented. These involve:

  • mapping the proposed transfers;
  • choosing the basis for transfer (adequacy decision, 'transfer tool' or derogation);
  • unless an adequacy decision has been made by the EU, working with the data importer to assess whether the law or practice of the third country may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer (legislation, especially where ambiguous or not publicly available; and/or certain reputable third party findings such as those in Annex 3), and not rely on subjective factors such as the perceived likelihood of public authorities’ access to your data in a manner not in line with EU standards;
  • considering whether any supplementary tools might avoid any problems with the third country's laws (various use-cases and suggested tools are explained in the Annex 2 to the recommendations);
  • taking any formal steps to implement the relevant tool;
  • re-evaluate the assessment periodically or on certain triggers, such as changes in the law (which you should also oblige the data importer to keep you informed about).

Data exporters must thoroughly record their assessment process in the context of the transfer, the third country law and the transfer tool on which they propose to rely. But it may not be possible to implement sufficient supplementary measures in every case, meaning the transfer must not proceed. As the Commission points out, there are "no quick fixes, nor a one-size-fits-all solution for all transfers."

The problem with relying on 'derogations'

The EDPB's first set of recommendations state (at para 27) that "If your transfer can neither be legally based on an adequacy decision, nor on an Article 49 derogation, you need to continue with... ” assessing whether the proposed transfer tool is effective. However, that order of approach is not consistent with Article 49, which provides that:

1. In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:

(a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;

(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request; 

(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;

...

Where a transfer could not be based on a provision in Article 45 or 46, including the provisions on binding corporate rules, and none of the derogations for a specific situation referred to in the first subparagraph of this paragraph is applicable, a transfer to a third country or an international organisation may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. The controller shall inform the supervisory authority of the transfer. The controller shall, in addition to providing the information referred to in Articles 13 and 14, inform the data subject of the transfer and on the compelling legitimate interests pursued.

In addition, the EDPB's own guidance on article 49 itself points out (on pages 3-4) that: 

“Article 44 requires all provisions in Chapter V to be applied in such a way as to ensure that the level of protection of natural persons guaranteed by the GDPR is not undermined. This also implies that recourse to the derogations of Article 49 should never lead to a situation where fundamental rights might be breached…Hence, data exporters should first endeavor [explore?] possibilities to frame the transfer with one of the mechanisms included in Articles 45 [adequacy] and 46 [transfer tools] GDPR, and only in their absence use the derogations provided in Article 49 (1)” [but even then the use of the derogations would imply the need for an assessment of the third country’s personal data protection regime by virtue of article 44].

Accordingly, there seems to be no alternative to running through the steps to assess whether the relevant 'transfer tools' will work (with or without supplementary measures) in the context of the transfer and the third country's law. Yet many firms will likely find that process impracticable from a cost and administration standpoint.


Thursday, 12 November 2020

FCA Irons Out Brexit Wrinkle For UK Open Banking

'Open banking' enables you to use certain 'account information' and 'payment initiation' service providers (TPPs) to extract your payment data or initiate payments from your payment accounts with banks and other payment service providers (ASPSPs). There are 2 million users in the UK. Open Banking was driven by UK competition law enforcement against banks who were hogging access to payment account data; and by changes to the EU Payment Service Directive as a result of similar concerns across Europe. A key feature of the Open Banking regime is that TPPs' systems must authenticate themselves using a certificate that complies with an EU identity regime (eIDAS), from which Britain excluded UK based TPPs by leaving the EU. The FCA has now come up with the quick fix described below to try to support the continuity of Open Banking after 31 December... 

In July, the European Banking Authority confirmed that eIDAS certificates issued to UK-based TPPs by EU trust providers will be revoked on 31 December, even though UK law would recognise them as valid under its new UK eIDAS Regulation. 

The FCA does not have the ability to delay the revocation of eIDAS certificates; there is no scope within eIDAS to issue UK-only certificates; and there are not yet any UK trust providers qualified to issue eIDAS certificates under the new UK eIDAS Regulation. 

That means TPPs in the UK will no longer be able to access their customer’s payment account data held with their account service payment service providers (ASPSPs) after 31 December without a further change to UK eIDAS requirements, so the FCA has amended them to allow for the use of an alternative form of authentication certificate.

As a result of the recent changes, UK ASPSPs must now accept at least one other electronic form of identification issued by an independent third party, in addition to continuing to accept eIDAS certificates. 

The additional form of identification must:

  • be a digital certificate issued by an independent third party upon identification and verification of the payment service provider’s identity;
  • include the name of the TPP as well as information on the competent authority the TPP is authorised or registered with, and the corresponding registration number (Firm Reference Number (FRN));
  • be revoked as soon as the TPP is no longer authorised to conduct TPP activities. 

An ASPSP must: 

  • verify the authorisation status of the TPP in a way that would not create any obstacles to TPP access;
  • satisfy itself of the suitability of the independent third party issuing the certificate;
  • specify publicly which means of identification it accepts to ensure TPPs are aware (e.g. on the Open Banking Implementation Entity (OBIE) transparency calendar or on their website).

To ensure continuity of service and enable TPPs to use the existing 90-day reauthentication cycle, the FCA will allow ASPSPs to accept a certificate obtained from a provider of an API programme that does not meet the amended requirements until 30 June 2021, so long as:

  • TPPs have also presented a compliant certificate, as described under the amended requirement, to that non-qualifying API programme;
  • that API programme verifies the certificate; and 
  • continues checking, on behalf of the ASPSP, the status of the TPP’s compliant certificate. 

So, a legacy OBIE certificate may be used during that period, provided that the TPP has presented a valid certificate to the OBIE. 

The FCA has removed the need for the certificate to include the address of the TPP and issuer; the need for revoking the certificate if identity information is unverifiable; and the need for a certificate to be amended (as, technically, a certificate can only be revoked). 

ASPSPs must: 

  • assess the need for any changes to their systems and processes and implement any necessary changes by 31 December, and tell TPPs which alternative certificate they will accept as early as possible. 
  • continue accepting valid eIDAS certificates. This includes for UK firms until their certificates are revoked, even after 31 December where applicable; as well as for EEA-based firms that benefit from the UK's Temporary Permission Regime to continue providing their services in the UK after Brexit.

TPPs whose eIDAS certificate is likely to be revoked must have an alternative certificate(s) as soon as possible ahead of 31 December.