UK Review of the Payment Services (and E-money) Regulations

The Treasury is calling for evidence to assist in its review of the Payment Services Regulations 2017. This also necessarily involves consideration of the Electronic Money Regulations 2011, since e-money institutions are subject to both. Those regulations implemented corresponding EU directives that are also being reviewed (which the Treasury ignores). You have until 7 April 2023 to submit responses to the UK process. Please let me know if you would like assistance.

Of course, 'elephant in the room' is whether the UK regulations should remain harmonised with the EU directives that they implemented, particularly as most UK payment service providers will have EEA aspirations, at least, if not their own regulated firms within the trade bloc. Indeed, the UK review will seem eerily familiar to many, because the European Commission embarked on its own review of the second Payment Services Directive (PSD2) in May 2022; and in July the European Banking Authority proposed numerous changes that I summarised for Ogier Leman in Ireland, including the merger of PSD2 and the second E-money Directive (EMD2). I suspect the UK review is timed to coincide with likely changes arising from the EU's review process. The timing might not work perfectly, so the UK might make any changes that seem settled or non-controversial in the EU process, then mop up the rest in due course.

The UK government believes that its e-money and payment services regulation should address: 

• 'authorised push payment' (APP) fraud; 
• whether 'strong customer authentication' requirements are too prescriptive and should be 'outcome-based' including delaying payments where APP fraud is suspected to allow for communication with a potentially affected customer;
• the use of cryptoassets or cryptocurrencies as payment methods.

There is no mention of the European Commission or EBA proposals relating to the review of PSD2 and EMD2, let alone consideration of whether those proposals should be addressed in the UK. I guess that is left to the rest of us to consider and submit.

The UK has already made changes to its insolvency regime to cater for the more orderly and efficient wind-down of payment and e-money institutions, as this was something that the EU directives did not really address (aside from the 'pooling' provisions relating to safeguarded funds). The UK government is also inviting evidence on whether these additional arrangements are adequate (and the EBA has urged greater clarity on wind-down arrangements under the EU directive(s).

The government persists in its tediously jingoistic claims that the UK somehow pioneered 'Open Banking' through the API requirements proposed by the Competition and Markets Authority in 2016 (among other remedies to improve competition for retail banking). However, that happened three years after the specific open banking requirements were proposed in the first version of PSD2. In fact, such 'open data' and 'midata' initiatives were fully developed by 2012 common across Europe and, indeed, globally within the context of the World Economic Forum, as I posted at the time. It cites unspecified plans to ‘develop’ and ‘progress’ such services through a Joint Regulatory Oversight Committee after the CMA found that its mandated Open Banking Implementation Entity was improperly managed and lacked corporate governance.

While omitting a focus on whether banks unfairly withhold payment accounts from innovative financial services businesses, the consultation also includes highly irregular claims that the government is concerned about whether payment service providers might be terminating customer relationships in reaction to the customers' right wing, 'libertarian' political views. The paper concedes that there is no evidence at all that this is a genuine issue, merely citing assertions from a Conservative MP based on speculation by a conservative pundit about why PayPal might have regarded his accounts as suspicious. That such nonsense has found its way into a Treasury consultation paper is deeply worrying. It smacks of the false claims about Channel 4's activities by the then Culture Secretary, ironic given the government's decision to boycott and later sell Channel 4 in reaction to what it believed was unwarranted scrutiny of its activities by journalists. Just as the government has been forced to row back on the sale of Channel 4, it would seem unwise to politicise payment services regulation...

Though maybe the drafts-person was fully aware of the irony in referring to the 'Daily Sceptic' and the 'Free Speech Union' in the context of better ways to combat APP fraud.  

FCA Updates Payment Services Approach On Customer Authentication, Gift Cards

The FCA has today published its policy statement explaining changes to the Approach document following the consultation on Strong Customer Authentication and some other revised guidance in September (although the links to the actual revised Approach Document don’t appear to be working correctly at the moment).

Notwithstanding the confusion created by the proposed changes to the guidance on the "limited network exclusion" to exclude gift cards from the scope of PSD2 (no doubt partly due to the obligation to register programmes that exceed €1m in transactions in any 12 month period), the FCA confirms the guidance as follows:

store cards – for example, a ‘closed-loop’ gift card, where the card can only be used at the issuer’s premises or website (so where a store card is co-branded with a third party debit card or credit card issuer and can be used as a debit card or credit card outside the store, it will not benefit from this exclusion). On the other hand, in our view, ‘gift cards’ where the issuer is a retailer and the gift card can only be used to obtain goods or services from that retailer are not payment instruments within the meaning of the PSRs 2017. This is because these basic gift cards do not initiate payment orders; payment for the goods or services is made by the customer to the retailer of the goods in advance, when the card is purchased from the retailer. Accordingly, this exclusion is not relevant to them.

The FCA explains this interpretation in the latest policy statement (at para 6.15) as follows:

"The change we have made to clarify that retailers issuing their own gift cards should not have to notify, is based on the issuer and the retailer being the same person. If the issuer is not the retailer, but the card would be used to purchase goods and services from that retailer, it is possible that the card would be considered a payment instrument under the PSRs 2017 and the limited network exclusion test would be relevant. We already give relevant guidance in PERG Q40 on such instances."

For convenience, the limited network exclusion provides as follows (with the paragraph (k)(i) being the limb which gift card programme operators - and the FCA - have historically assumed applied to avoid gift cards being subject to e-money and payment services regulation):

(k) services based on specific payment instruments that can be used only in a limited way and meet one of the following conditions—

(i) allow the holder to acquire goods or services only in the issuer's premises;

(ii) are issued by a professional issuer and allow the holder to acquire goods or services only within a limited network of service providers which have direct commercial agreements with the issuer;

(iii) may be used only to acquire a very limited range of goods or services; or

(iv) are valid only in a single EEA State, are provided at the request of an undertaking or a public sector entity, and are regulated by a national or regional public authority for specific social or tax purposes to acquire specific goods or services from suppliers which have a commercial agreement with the issuer.

This overlooks the fact that while the retailer may have already received the funds or value from the purchaser of the gift card/account (potentially via a payment service provider under a regulated payment transaction), yet the "holder" is often a different person who is later using the gift card/account balance as a means of acquiring goods or services (albeit that transaction may only be accounted for in the retailer's accounting system without being processed via a third party payment provider).

While the FCA's view may be factually and logically correct (particularly from a VAT standpoint), and will no doubt come as a relief to retailers who would otherwise have to register programmes, it involves an apparent re-interpretation of the relevant definitions to overlook what may be regarded as certain 'legal fictions' in the PSD and PSD2 that operate to catch other payment methods - particularly in relation to card payments, for example. The FCA's guidance should therefore confirm the step-by-step rationale as to why a "payment order" is therefore not initiated; how the gift card scenario falls outside the definitions of "payment transaction"; and why neither the gift card holder nor the retailer/issuer are a "payer" or "payee" respectively. But I suspect that may open a can of worms...

The FCA's view also represents a key area of potential divergence from EU payments law in the Brexit context, to the extent that the Commission and EEA regulators may well decline to adopt the FCA's interpretation. The Central Bank of Ireland, for example, includes "prepaid gift card to buy cinema tickets" in the list of programmes that fall within the limited network exclusion. The FCA does not seem to be concerned that the same programme that regulators insist must be registered in, say, France - and therefore surface in the European Banking Authority's register of large limited networks - would not be registered at all in the UK. That wider uncertainty creates confusion and the potential for "regulatory creep" as firms might take action beyond what is required by the FCA in order to avoid it - such as shutting programmes, outsourcing or applying to register unnecessarily (at least from a UK standpoint). 

The sooner such scope for confusion at EEA level is removed, the better.

At the same time, however, the FCA's view does not alter the need for retailers to be careful about the implications of any changes made to their programme, in case they find that the limited network exclusion does then apply and needs to be registered.

Shifting Sands: The FCA Considers Gift Cards Outside The Scope Of PSD2

The sands are shifting under the legal status of gift cards, as the UK's Financial Conduct Authority consults on guidance that removes them from the scope of e-money and payments regulation altogether, rather than deeming them to be excluded as "limited networks". This interpretation would at least remove the need for large gift card programmes to be registered with the FCA, but also suggests a divergence from EU payments law in the Brexit context, to the extent that other EEA regulators may well decline to adopt the FCA's interpretation. Ultimately, it is unclear whether a gift card programme might yet somehow fall within the regulated scope but still benefit from an exclusion.

What's a "gift card"?

Gift cards have always represented the advance purchase of goods or services from the retailer who issued the card. Sometimes the value is recorded on the card (or voucher) itself, sometimes it is represented by a credit to a specific account for the card or named customer in the retailer's IT system. In either case, such value is considered 'closed loop'. There is a subtle difference between this and paying for a specific item in advance. But in both cases, the retailer has been able to treat the funds paid by the purchaser as its own funds, so that the customer has always taken on the risk of the retailer going bust before the value could be redeemed or the specific item was delivered (think Farepak and Wrapit).

Gift cards vs "E-money"

Electronic money, on the other hand, requires you to first 'load' value to a device or account (or 'e-wallet') which the "issuer" then enables you to use to pay for purchases at a range of retailers who either participate on the issuer's proprietary platform, or who accept the issuer's 'prepaid debit cards' via the major card schemes. In this sense, e-money is 'open loop'. Here, the customer is taking the risk that the e-money issuer might go broke before the customer can spend the e-money with the retailers. The risk of this has always been considered much greater than the risk of an individual retailer's insolvency, so financial regulators were given powers to control e-money issuance to try to eliminate that risk. The first electronic money directive in 2000 ("EMD") therefore obliged e-money issuers to hold sufficient capital to avoid insolvency and to keep the cash corresponding to their customers' e-money balances separate from the issuer's own cash. They defined "electronic money" as being stored value that is accepted as a means of payment by an entity other than the issuer, thereby excluding 'closed loop' stored value that is issued and spent or redeemed with the the same entity. 

Exemptions for "limited networks"

The closed/open loop distinction was carried through into the first payment services directive in 2007 ("PSD") by explicitly excluding from the definition of "payment services" any "services based on instruments that can be used to acquire goods or services only in the premises used by the issuer or under a commercial agreement with the issuer either within a limited network of service providers or for a limited range of goods or services". This provision became known as the "limited network exemption".  

That exemption was effectively endorsed in 2009, when the second e-money directive ("EMD2") defined "electronic money" by reference to the value being used for the purpose of making payment transactions under the PSD, rather than accepted by an entity other than the issuer.  The reference to the PSD thus automatically picked up and relied on the limited network exemption. 

In 2010, the Treasury proposed an obligation for retailers to segregate their gift card funds, but failed to attract any support. The limited network exemption then evolved into a narrower "limited network exclusion" by 2015 under the second payment services directive ("PSD2"), yet Question 40 of the FCA's Perimeter Guidance still cites "a closed loop gift card" as benefiting from that exclusion.  

In addition, PSD2 requires limited networks which transact more than €1m in any 12 month period to be registered with the local financial regulator, which then has a duty to determine whether the limited network exclusion actually applies to it. The first 12 month period expires on 13 January 2019, with registration due on 10 February. This has obliged retailers to begin tracking the size of their loyalty programmes to determine if and when they need to register, and the consequences of a finding that the programme is not excluded. In essence, the retailer could find itself prosecuted for having operated an e-money and/or payment service without either being authorised or registered as an agent an authorised firm (subject to any 'due diligence defence').

Gift cards now out of scope altogether?

In its latest consultation, however, the FCA proposes to change its stated view by removing the gift card example from Q40 and instead stating:

"... in our view, ‘gift cards’ where the issuer is a retailer and the gift card can only be used to obtain goods or services from that retailer are not payment instruments within the meaning of the PSRs 2017. This is because these basic gift cards do not initiate payment orders; payment for the goods or services is made by the customer to the retailer of the goods in advance, when the card is purchased from the retailer. Accordingly, this exclusion is not relevant to them."

But does that analysis extend to server-side stored value that can only be spent with the issuer? It is also at odds with the fact that VAT is not assessed on gift card purchases to avoid duplication, since VAT will in any case be levied on the actual purchase of items from the retailer in due course (let's ignore 'breakage', where the consumer leaves a balance that the retailer eventually takes to revenue). 

Wider consequences?

While this may be factually and logically correct, and might come as a relief to some large retailers, it otherwise creates confusion and "regulatory creep" as firms take action beyond what is required in order to avoid uncertainty - such as shutting programmes, outsourcing or applying to register unnecessarily. It involves an apparent re-interpretation of the relevant definitions to overlook what may be regarded as certain 'legal fictions' in the PSD and PSD2 that operate particularly in relation to card payments, for example. It also represent a key area of potential divergence from EU payments law in the Brexit context, to the extent that other EEA regulators may well decline to adopt the FCA's interpretation - the Central Bank of Ireland, for example, includes gift cards in the list of programmes that fall within the limited network exclusion. 

At the same time, however, the FCA's view does not alter the need for retailers to be careful about the implications of any changes made to their programme, in case they find that the limited network exclusion does then apply and needs to be registered.

FCA Publishes Final Approach and Rules Implementing #PSD2

The FCA has today published its final policy statement on how it will supervise the Payment Services Regulations 2017 (implementing the second Payment Services Directive, or PSD2).

I haven't digested it fully yet, but following earlier consultations, the FCA explains that it has amended its approach in various respects, particularly, its perimeter guidance on the new account information services and payment initiation services, complaints handling and reporting and conduct of business requirements. There is a table summarising the updates on page 6 of the policy statement.

I may post on any significant changes separately.

Further updates will be required when certain regulatory/implementing technical standards (RTS/ITS) and EBA Guidelines are finalised in late 2017 and early 2018, including EBA Guidelines on operational and security risk, and fraud reporting.

In the meantime, various draft application forms for authorisation and reporting have been published, with the final versions to be available for applications from 13 October 2017.  As explained in my earlier post, the FCA recommends waiting until then, even if you are making an application under the current regulations - otherwise it will need to be updated or re-assessed.

Top Tip: Make Any UK Applications Under #PSD2 From 13 October 2017

The FCA has published several web pages explaining the new authorisation/registration process under the Payment Services Regulations 2017 ("PSRs 2017") and similar process in the existing Electronic Money Regulations 2011 ("EMRs") that are updated by the new PSRs 2017. Basically, firms are "strongly encouraged" by the FCA to make their applications on or after 13 October 2017.

For payment institutions:

"You will be able to submit applications under PSD2 from 13 October 2017, giving you the opportunity to become registered or authorised under the PSRs 2017 from 13 January 2018.

Rather than applying under the PSRs 2009, you are therefore strongly encouraged to make your application under the PSRs 2017, on or after 13 October 2017.

If you decide to apply under the PSRs 2009 and we have not determined your application by 13 January 2018, we will treat your application as being made under the PSRs 2017. This means you will be required to provide more information to us, as required under the new regime [which would likely slow the process down]. If we have determined your application under the PSRs 2009 by 13 January 2018, you will need to submit an application to re-register or become re-authorised under PSD2 and the PSRs 2017, and pay an additional application fee.

Businesses applying for re-authorisation under PSD2 will need to submit a complete application by 13 April 2018 in order to continue operating on or after 13 July 2018.

Businesses applying for re-registration will need to submit a complete application by 13 October 2018 in order to continue operating on or after 13 January 2019."

For e-money institutions:

"You will be able to submit applications under PSD2 and the amended EMRs, from 13 October 2017, giving you the opportunity to be registered or authorised under the new regime from 13 January 2018.

Rather than applying under the current EMRs, you are therefore strongly encouraged to make your application under PSD2 and the amended EMRs, on or after 13 October 2017.

If you decide to apply under the current EMRs and we have not determined your application by 13 January 2018, we will treat your application as being made under the amended EMRs. This means you will be required to provide more information to us, as required under the new regime [which would likely slow the process down]. If we have determined your application under the current EMRs by 13 January 2018, you will need to submit an application to re-register or become re-authorised under PSD2 and the amended EMRs, and pay an additional application fee.

Businesses applying for re-authorisation or re-registration under PSD2 will need to provide all the information we need with an application by 13 April 2018 in order to continue operating on or after 13 July 2018."