FCA Fires A Flare Over Safeguarding Of Funds Related To Payments And E-money

Everyone worries about banks going bust, and whether there's enough capital and depositor protection if they do. That's because banks are allowed to treat the cash we deposit as their own (subject to the obligation to repay it when we want it). But non-bank payment service providers don't have this privilege, and depositor protection (the Financial Services Compensation Scheme) does not cover their activities. So PSPs must 'safeguard' funds related to the payment transactions they process and the e-money they issue. If they go bust, the safeguarded amount should therefore be available to the relevant customers instead of paying debts owed by the PSPs to their own creditors. As we live in troubled times, earlier this year the UK's Financial Conduct Authority sampled the safeguarding practices of 11 payment service providers to figure out whether  PSPs are safeguarding correctly. The results were not a disaster, but enough problems were detected for the FCA to feel the need to write to all PSPs requiring them to confirm their compliance with safeguarding requirements by end of July... Let's hope they all did! Confidence in a diverse, innovative and competitive payment system depends on PSPs being fanatical about the details involved in protecting customer funds.

Safeguarding Requirements

PSPs must safeguard "relevant funds" - i.e. money received:

• from, or for the benefit of, a user for the execution of a payment transaction; 
• from a payment service provider for the execution of a payment transaction on behalf of a user; or 
• in exchange for electronic money that has been issued,

where they continues to hold the relevant funds at the end of the 'business day' following the day on which they were received.

There are rules on when safeguarding obligations start and end; two different safeguarding methods (either through holding appropriate insurance or by segregating the funds in specially designated bank accounts); the type of account or 'relevant assets' in which the funds must be held; reconciliation and record-keeping; and when amounts that are not "relevant funds" must be removed and held separately to avoid 'commingling'.

To be fair to all concerned, the various definitions, other language and rules require a lot of interpretation to understand how they apply and the FCA has issued extensive guidance in Chapter 10 of its Approach to regulating e-money and payment services.

FCA Findings

Some firms were unable to explain which payment services they provided in certain situations, when they were issuing e-money or when they were acting as agent or distributor for another PSP. That meant they could not identify some "relevant funds" and didn't know whether they were safeguarding the correct amounts.

Even where they were clear on the status of funds, some PSPs did not segregate relevant funds on receipt; or received them into accounts with funds held for other purposes; or did not remove other funds more than once a day where it was practicable to do so.

In addition, some PSPs did not have up to date documentation that explained their treatment of funds and how their systems and controls would ensure compliance with the safeguarding requirements.

Some of the segregated accounts in which PSPs were holding relevant funds or assets were not correctly designated in a way that shows they were safeguarding accounts. 

Some firms did not carry out appropriate reconciliations, or did so infrequently or did not adjust the balance of their safeguarded accounts in a timely way when they identified discrepancies.

Rather than monitoring their processes and procedures to ensure compliance, some firms only checked if they spotted an actual breach - so their controls weren't able to alert them to a potential breach and safeguarding requirements weren't factored into new products.

Continuing Confusion Over Agents vs Distributors

PSPs are able to appoint agents and distributors, but are sometimes uncertain about the difference. The distinction turns on whether the proposed agent or distributor would be providing a payment service. A firm can only provide a payment service if it is either directly authorised or registered as the agent of an authorised PSP.  A distributor, therefore, cannot supply a payment service and, in my view, should not be handling relevant funds at all. Instead, the PSP should oblige the distributor to set up a 'float' of its own money that the PSP can draw on when issuing e-money or executing a payment transaction involving that distributor. That means when a customer pays money to the distributor (e.g. to 'load' or 'top-up' an e-money/prepaid account) the customer is not relying on the distributor to pass those funds to the PSP on the customer's behalf. The PSP already has the equivalent amount of funds that have now become 'relevant funds' to be safeguarded. The distributor can then pay the funds it receives from the customer into the 'float' for the PSP to draw on for the next transaction.

Confusingly, however, the FCA says PSPs are responsible for ensuring that the agent or distributor segregates any "relevant funds" held by the agent or distributor.  That suggests the distributor might be relying on some exclusion from offering a regulated payment service, but if that were so, the funds it receives from customers should not be 'relevant funds' in the first place...

At any rate, the FCA found that some firms calculated their safeguarding obligation at the end of the business day on which e-money was issued via a distributor or agent that received the corresponding funds, and only transferred the amount into a safeguarding account the next business day. This suggests all sorts of confusion!

Conclusion

The FCA is to be commended on its vigilance in this area, and PSPs have to be fanatical about the details if we are to have a diverse, innovative and competitive payment system that works effectively in good times and bad.

Let's Not Confuse E-money Agents and Distributors

The European Banking Authority has issued an opinion that goes some way to clarifying when e-money institutions create an "establishment" when dealing through "agents" and "distributors", though it does not go far enough to be terribly useful (to be covered in another post...). In reaching that opinion, however, it has managed to create confusion over the distinction between agents and distributors. This is unfortunate, given the very significant difference in legal responsibility for the EMI and the time it takes to set up such arrangements - sometimes on a large scale, where chains of small retail outlets or multiple independent online retailers offer prepaid cards, top-up vouchers etc for the issuer.

The EBA accepts that e-money institutions (EMIs) can operate through either:

• 'agents' who provide regulated payment services on the EMI's behalf and must be registered by the EMI with the regulator; or

• 'distributors' who do not provide regulated payment services on the EMI's behalf, so the EMI merely has to notify the regulator that the distributor is being used rather than register it.

But the EBA then states that: 

"...if a distributor receives funds from an end-customer in exchange for e-money, the funds are considered to have been received by the issuer itself, considering that the distributor is acting on behalf of the issuer. The safeguarding obligation of the issuer starts as soon as the distributor receives the funds from the customers, and remains with the issuer/EMI (not with the distributor), so that the customer does not bear any consequence of the funds not being transferred from the distributor to the issuer, including in the event of the distributor's insolvency."

I also notice this has also been picked up by the FCA in its guidance on safeguarding in the Approach document, for example:

"10.28 An institution may receive and hold funds through an agent or (in the case of EMIs and small EMIs) a distributor. The institution must safeguard the funds as soon as funds are received by the agent or distributor and continue to safeguard until those funds are paid out to the payee, the payee’s PSP or another PSP in the payment chain that is not acting on behalf of the institution. The obligation to safeguard in such circumstances remains with the institution (not with the agent or distributor). Institutions are responsible, to the same extent as if they had expressly permitted it, for anything done or not done by their agents or distributors (as per regulation 36 in the EMRs and regulation 36 in the PSRs 2017)...

10.34 Where relevant funds are held on an institution’s behalf by agents or distributors, the institution remains responsible for ensuring that the agent or distributor segregates the funds. "

Elsewhere, the FCA states that

5.6...In our view, a person who simply loads or redeems e-money on behalf of an EMI would, in principle, be considered to be a distributor.

However, the FCA states:

8.338 It is important to recognise that if an agent of an e-money issuer receives funds, the funds are considered to have been received by the issuer itself. It is not, therefore, acceptable for an e-money issuer to delay in enabling the customer to begin spending the e-money because the issuer is waiting to receive funds from its agent or distributor.

These passages might be read as supporting the notion that a distributor is entitled to hold funds on behalf of an EMI, albeit in a segregated bank account, and the EMI is entitled to rely on the distributor to transfer those funds to the EMI's account. 

But in my view, if a distributor were to act in that way it would be operating a payment service (e.g. money remittance) and would therefore need to be either authorised in its own right or registered as an agent of the EMI. In other words, there would be no distinction between an agent and a distributor.

In fact, the role of distributor was created in order to avoid the need for agency registration in a particular scenario (e.g. small retailers whom the EMI would find it difficult to be responsible for registering and supervising); or for the distributor to concern itself with regulatory risk and responsibilities. 

The EMI's obligation to register an agent (and, more importantly, liability for the agent's activities on the EMI's behalf) is avoided by requiring the distributor to keep a 'float' of a minimum amount of funds in an account which the distributor agrees the EMI will draw upon whenever the distributor's system reports to the EMI's system that a customer in one of the distributor's outlets has bought a prepaid card or otherwise loaded funds onto a card or wallet issued by the EMI. 

In that scenario, neither the customer nor the EMI is taking any risk at all that the distributor might fail to transfer funds paid by the customer. The EMI has instant access to the float of funds previously paid by the distributor, and safeguards those funds if the e-money issued to the customer is not spent within the next business day.  Meanwhile, the distributor retains any money paid by the customer as effectively reimbursement for the amount that the EMI has deducted from the distributor's float.

E-commerce Marketplaces, Commercial Agents and PSD2

E-commerce marketplaces are now common in most sectors, enabling suppliers and consumers of all types of goods and services to find each other, contract directly, pay or be paid, arrange delivery and download their transaction data. But action being taken by some payment service providers (PSPs) suggests that many marketplace operators who offer this service in the European Economic Area may not have realised that the payment step needs to be structured in a way that avoids the need for the operator to be authorised by an EEA financial regulator as a payment institution or e-money institution under the Payment Services Directive or E-money Directive (depending on whether the supplier or customer is able to hold a balance in their 'account').

Some financial regulators, like the UK's Financial Conduct Authority, take the view that offering a payment service or e-money service has to be the operator's regular occupation or business in itself to fall within the scope of the PSD or EMD in the first place (the "business test"), although the payment step would need to be a small, ancillary part of the service offered and this is open to interpretation. But less pragmatic or experienced regulators around the EEA might apply the Directives simply because the operator is running a business of any kind. 

This means operators should err on the side of structuring their activities to avoid holding balances and to take advantage of an exclusion under the Payment Services Directive (e.g. for commercial agents authorised to negotiate or conclude contracts on behalf of either the payer or payee); or involve a PSP to handle the receipt and distribution of funds (or become the registered agent of a PSP). 

Other exclusions under the PSD or EMD may also be helpful. But even relying on an exclusion can be somewhat tricky because the interpretation of exclusions can vary from regulator to regulator across the EEA; and there is no 'passport' for one regulator's interpretation as there is for regulated PSPs who can offer their service across the EEA from under authorisation in their home member state. 

That means an operator should seek legal advice on how to structure its activities appropriately under the law of its home EEA member state; and if that involves relying on the local regulator's interpretation of the business test or an exclusion, the operator should check that analysis works under the law of each member state where the operator has a presence or significant numbers of participants (whether suppliers or their customers).  Acting on formal legal advice should also make it less likely that a regulator will take action for acts or omissions consistent with that advice, although it will not necessarily stop a regulator requiring a different structure going forward.

Too Late To Get Authorised In The EU27? Become An Agent!

Getting authorised to offer most types of financial services is a lengthy process at the best of times. But there's now zero chance of getting a new application approved by an EU27 regulator in time for a "hard Brexit" on 29 March 2019. While there's a short deadline for some types of application (e.g. 3 months for payment institutions), these relate to complete applications. Regulators usually ask a few basic questions as the basis for declaring the application 'incomplete' so they can take at least 12 months to consider the application. 

So, as the likelihood of a 'hard Brexit' increases, firms are suddenly interested in alternative ways to establish a new presence to trade in and from the EU27...

Start-ups have always faced this type of problem, and very often get themselves appointed as some form of agent or representative of a firm with an existing authorisation while they apply for their own.

It's tempting to think that a merger or acquisition is an option, but regulatory approval is required for changes in control of regulated firms and the corporate process itself adds fresh complications, risk and time. And even where M&A activity is on the cards, an interim agency arrangement provides the perfect opportunity for the parties to get to know each other and the market opportunity while the corporate aspects are negotiated - without the added pressure of a looming Brexit.

Firms with existing authorisations for many types of regulated activities are entitled to appoint and register other firms as their agents to carry out regulated activities on their behalf (some of which are known as "tied agents" or (in the UK, for example) "appointed representatives"). 

There are some activities that cannot be done through an agent, and even where that is possible, the agent can only do what the principal is authorised to do. So it's important to consider the nature of the authorisation and permissions required, and how quickly the principal might be able to vary or add to its permissions to accommodate the agent. 

It's also possible for a firm that is authorised in one EEA member state to appoint an agent that is based in another EEA state, using any applicable "passport" rights, and for the agent to provide its services under the principal's passports. This would involve a three month passport notification process, as well as the agency registration.  Indeed, it would be possible to actually contract with customers under the law of a third EEA state, e.g. using Irish law as the basis for contracts that are currently written under English law.

The authorised firm (principal) must register each agent with its regulator and provide certain information about the agent, including a description of the governance arrangements that will enable the firm to effectively supervise the agent's activities.  This is an important 'hygiene' factor in any event, however, since the principal is responsible - and accountable to the regulator - for the agent's activities.  

The nature of agency also means that customers have their ultimate contractual relationship with the principal, and can avail themselves of the principal's complaints procedure if dissatisfied with the agent's conduct. But it's usual for the agent to trade under its own name and brand, using a 'white label' approach where the principal's details are disclosed in the service terms and website/email footer and/or on a 'powered by' basis for marketing purposes.

Of course, there are the downsides of fees payable to the principal to cover the additional administration and use of the authorisation (a potentially signficant revenue opportunity for a small principal with a larger agent), the exchange of confidential information between the parties, the need to consider whether the firms are in direct competition (actually quite rare), the need to carefully manage the relationship and the regulatory risks and so on. But such concerns are generally manageable in the short term - and worthwhile in light of the upsides - and most of the work required is useful in the context of the agent getting its own authorisation in the medium term...

And, hey, any port in a storm!