FCA Updates Payment Services Approach On Customer Authentication, Gift Cards

The FCA has today published its policy statement explaining changes to the Approach document following the consultation on Strong Customer Authentication and some other revised guidance in September (although the links to the actual revised Approach Document don’t appear to be working correctly at the moment).

Notwithstanding the confusion created by the proposed changes to the guidance on the "limited network exclusion" to exclude gift cards from the scope of PSD2 (no doubt partly due to the obligation to register programmes that exceed €1m in transactions in any 12 month period), the FCA confirms the guidance as follows:

store cards – for example, a ‘closed-loop’ gift card, where the card can only be used at the issuer’s premises or website (so where a store card is co-branded with a third party debit card or credit card issuer and can be used as a debit card or credit card outside the store, it will not benefit from this exclusion). On the other hand, in our view, ‘gift cards’ where the issuer is a retailer and the gift card can only be used to obtain goods or services from that retailer are not payment instruments within the meaning of the PSRs 2017. This is because these basic gift cards do not initiate payment orders; payment for the goods or services is made by the customer to the retailer of the goods in advance, when the card is purchased from the retailer. Accordingly, this exclusion is not relevant to them.

The FCA explains this interpretation in the latest policy statement (at para 6.15) as follows:

"The change we have made to clarify that retailers issuing their own gift cards should not have to notify, is based on the issuer and the retailer being the same person. If the issuer is not the retailer, but the card would be used to purchase goods and services from that retailer, it is possible that the card would be considered a payment instrument under the PSRs 2017 and the limited network exclusion test would be relevant. We already give relevant guidance in PERG Q40 on such instances."

For convenience, the limited network exclusion provides as follows (with the paragraph (k)(i) being the limb which gift card programme operators - and the FCA - have historically assumed applied to avoid gift cards being subject to e-money and payment services regulation):

(k) services based on specific payment instruments that can be used only in a limited way and meet one of the following conditions—

(i) allow the holder to acquire goods or services only in the issuer's premises;

(ii) are issued by a professional issuer and allow the holder to acquire goods or services only within a limited network of service providers which have direct commercial agreements with the issuer;

(iii) may be used only to acquire a very limited range of goods or services; or

(iv) are valid only in a single EEA State, are provided at the request of an undertaking or a public sector entity, and are regulated by a national or regional public authority for specific social or tax purposes to acquire specific goods or services from suppliers which have a commercial agreement with the issuer.

This overlooks the fact that while the retailer may have already received the funds or value from the purchaser of the gift card/account (potentially via a payment service provider under a regulated payment transaction), yet the "holder" is often a different person who is later using the gift card/account balance as a means of acquiring goods or services (albeit that transaction may only be accounted for in the retailer's accounting system without being processed via a third party payment provider).

While the FCA's view may be factually and logically correct (particularly from a VAT standpoint), and will no doubt come as a relief to retailers who would otherwise have to register programmes, it involves an apparent re-interpretation of the relevant definitions to overlook what may be regarded as certain 'legal fictions' in the PSD and PSD2 that operate to catch other payment methods - particularly in relation to card payments, for example. The FCA's guidance should therefore confirm the step-by-step rationale as to why a "payment order" is therefore not initiated; how the gift card scenario falls outside the definitions of "payment transaction"; and why neither the gift card holder nor the retailer/issuer are a "payer" or "payee" respectively. But I suspect that may open a can of worms...

The FCA's view also represents a key area of potential divergence from EU payments law in the Brexit context, to the extent that the Commission and EEA regulators may well decline to adopt the FCA's interpretation. The Central Bank of Ireland, for example, includes "prepaid gift card to buy cinema tickets" in the list of programmes that fall within the limited network exclusion. The FCA does not seem to be concerned that the same programme that regulators insist must be registered in, say, France - and therefore surface in the European Banking Authority's register of large limited networks - would not be registered at all in the UK. That wider uncertainty creates confusion and the potential for "regulatory creep" as firms might take action beyond what is required by the FCA in order to avoid it - such as shutting programmes, outsourcing or applying to register unnecessarily (at least from a UK standpoint). 

The sooner such scope for confusion at EEA level is removed, the better.

At the same time, however, the FCA's view does not alter the need for retailers to be careful about the implications of any changes made to their programme, in case they find that the limited network exclusion does then apply and needs to be registered.

Shifting Sands: The FCA Considers Gift Cards Outside The Scope Of PSD2

The sands are shifting under the legal status of gift cards, as the UK's Financial Conduct Authority consults on guidance that removes them from the scope of e-money and payments regulation altogether, rather than deeming them to be excluded as "limited networks". This interpretation would at least remove the need for large gift card programmes to be registered with the FCA, but also suggests a divergence from EU payments law in the Brexit context, to the extent that other EEA regulators may well decline to adopt the FCA's interpretation. Ultimately, it is unclear whether a gift card programme might yet somehow fall within the regulated scope but still benefit from an exclusion.

What's a "gift card"?

Gift cards have always represented the advance purchase of goods or services from the retailer who issued the card. Sometimes the value is recorded on the card (or voucher) itself, sometimes it is represented by a credit to a specific account for the card or named customer in the retailer's IT system. In either case, such value is considered 'closed loop'. There is a subtle difference between this and paying for a specific item in advance. But in both cases, the retailer has been able to treat the funds paid by the purchaser as its own funds, so that the customer has always taken on the risk of the retailer going bust before the value could be redeemed or the specific item was delivered (think Farepak and Wrapit).

Gift cards vs "E-money"

Electronic money, on the other hand, requires you to first 'load' value to a device or account (or 'e-wallet') which the "issuer" then enables you to use to pay for purchases at a range of retailers who either participate on the issuer's proprietary platform, or who accept the issuer's 'prepaid debit cards' via the major card schemes. In this sense, e-money is 'open loop'. Here, the customer is taking the risk that the e-money issuer might go broke before the customer can spend the e-money with the retailers. The risk of this has always been considered much greater than the risk of an individual retailer's insolvency, so financial regulators were given powers to control e-money issuance to try to eliminate that risk. The first electronic money directive in 2000 ("EMD") therefore obliged e-money issuers to hold sufficient capital to avoid insolvency and to keep the cash corresponding to their customers' e-money balances separate from the issuer's own cash. They defined "electronic money" as being stored value that is accepted as a means of payment by an entity other than the issuer, thereby excluding 'closed loop' stored value that is issued and spent or redeemed with the the same entity. 

Exemptions for "limited networks"

The closed/open loop distinction was carried through into the first payment services directive in 2007 ("PSD") by explicitly excluding from the definition of "payment services" any "services based on instruments that can be used to acquire goods or services only in the premises used by the issuer or under a commercial agreement with the issuer either within a limited network of service providers or for a limited range of goods or services". This provision became known as the "limited network exemption".  

That exemption was effectively endorsed in 2009, when the second e-money directive ("EMD2") defined "electronic money" by reference to the value being used for the purpose of making payment transactions under the PSD, rather than accepted by an entity other than the issuer.  The reference to the PSD thus automatically picked up and relied on the limited network exemption. 

In 2010, the Treasury proposed an obligation for retailers to segregate their gift card funds, but failed to attract any support. The limited network exemption then evolved into a narrower "limited network exclusion" by 2015 under the second payment services directive ("PSD2"), yet Question 40 of the FCA's Perimeter Guidance still cites "a closed loop gift card" as benefiting from that exclusion.  

In addition, PSD2 requires limited networks which transact more than €1m in any 12 month period to be registered with the local financial regulator, which then has a duty to determine whether the limited network exclusion actually applies to it. The first 12 month period expires on 13 January 2019, with registration due on 10 February. This has obliged retailers to begin tracking the size of their loyalty programmes to determine if and when they need to register, and the consequences of a finding that the programme is not excluded. In essence, the retailer could find itself prosecuted for having operated an e-money and/or payment service without either being authorised or registered as an agent an authorised firm (subject to any 'due diligence defence').

Gift cards now out of scope altogether?

In its latest consultation, however, the FCA proposes to change its stated view by removing the gift card example from Q40 and instead stating:

"... in our view, ‘gift cards’ where the issuer is a retailer and the gift card can only be used to obtain goods or services from that retailer are not payment instruments within the meaning of the PSRs 2017. This is because these basic gift cards do not initiate payment orders; payment for the goods or services is made by the customer to the retailer of the goods in advance, when the card is purchased from the retailer. Accordingly, this exclusion is not relevant to them."

But does that analysis extend to server-side stored value that can only be spent with the issuer? It is also at odds with the fact that VAT is not assessed on gift card purchases to avoid duplication, since VAT will in any case be levied on the actual purchase of items from the retailer in due course (let's ignore 'breakage', where the consumer leaves a balance that the retailer eventually takes to revenue). 

Wider consequences?

While this may be factually and logically correct, and might come as a relief to some large retailers, it otherwise creates confusion and "regulatory creep" as firms take action beyond what is required in order to avoid uncertainty - such as shutting programmes, outsourcing or applying to register unnecessarily. It involves an apparent re-interpretation of the relevant definitions to overlook what may be regarded as certain 'legal fictions' in the PSD and PSD2 that operate particularly in relation to card payments, for example. It also represent a key area of potential divergence from EU payments law in the Brexit context, to the extent that other EEA regulators may well decline to adopt the FCA's interpretation - the Central Bank of Ireland, for example, includes gift cards in the list of programmes that fall within the limited network exclusion. 

At the same time, however, the FCA's view does not alter the need for retailers to be careful about the implications of any changes made to their programme, in case they find that the limited network exclusion does then apply and needs to be registered.

FCA Launches PSD2 Navigator

The Financial Conduct Authority has always led its EU counterparts in explaining its approach to regulating payment services, and continues to do so in spite of Brexit. 

The FCA had already published its "Approach" document for the new Payment Services Regulations 2017 (incorporating its approach to supervising the Electronic Money Regulations 2011) and has now launched a higher level web page to help navigate the impact and benefits of the new regulations.

This will be of most help to firms offering the new "account information services" and "payment initiation services", as well as retailers operating loyalty programmes that transact over €1 million in any 12 month period starting from 13 January 2018 and various other exclusions.

It is important to consider at the outset, however, whether your firm is offering payment services as a regular occupation or business.

Red Alert: Retailers With Loyalty Progammes

Three years after being announced in the UK and I suspect many retailers are yet to realise that their loyalty/store card programmes will be regulated by the Financial Conduct Authority from 13 January 2018 - likewise across the European Economic Area. 

As the FCA now also warns, retailers who offer such programmes anywhere in the EEA will need to track the annual transaction volumes very carefully, starting with the completely arbitrary and inconvenient date of 13 January 2018. 

If the volume meets or exceeds €1 million (or the GBP or local currency equivalent) in any 12 month period (the first ending on 12 January 2019), the retailer must notify the FCA (or local regulator) within 28 days (by 10 February 2019).  Firms may also choose to register at any time from 13 October 2017.

But be sure of the outcome before you decide whether or not to register!

The regulator must then decide whether the programme is exempt from regulation as an e-money/payment service.  

If the firm fails to notify, it commits an offence under the Payment Services Regulations 2017 (or local equivalent implementing the second Payment Services Directive (PSD2)). 

If the FCA decides the programme is exempt, then it must include the retailer on the FCA's register of 'limited networks', and the name will be added to a central register of all such firms across the EEA.

If the FCA decides the programme is not exempt from regulation the retailer can appeal, but basically this means the firm will have been found to be violating the Electronic Money Regulations 2011 and/or Payment Services Regulations 2017 by issuing e-money and/or offering a payment service without being duly authorised/registered to do so. Major problem!

So retailers really have to decide now whether they should outsource the operation of the programme to an authorised firm (or the agent of one); or seek their own authorisation (or agency registration). Ultimately, they might restructure the scheme to fit the exemption, or shut it down.

Of course, the mere fact that retailers with loyalty schemes have to be mindful of these requirements and go through the process means they are in effect regulated by the FCA. Ignorance, as they say, is no defence.

Will Regulatory Technical Standards Slow The Pace Of Payments Innovation?

Under the new Payment Services Directive (PSD2), the European Banking Authority (EBA) is tasked with producing 'regulatory technical standards' to be followed by those with certain obligations, including how payment service providers (PSPs) must authenticate customers and communicate with each other. But it seems this process and the standards themselves are acting as a brake on innovation and related investment.

The EBA consulted on its proposed regulatory technical standards for authentication and communication between August and October, with a revised set due in the coming months.

PSD2 requires PSPs to apply "strong customer authentication" where "the payer... accesses its payment account online, initiates an electronic payment transaction or carries out any action through a remote channel which may imply a risk of payment fraud or other abuses."

But two big issues raised by PSD2 are (1) how each type of payment is initiated; and (2) who actually initiates it.

The EBA believes card payments are initiated by the cardholder as payer, but fudges the issue somewhat by requiring the card acquirers (i.e. the PSP of the merchants) to require their merchants to support strong authentication for all payment transactions. The added complication is where a payment transaction is initiated by the payee, but the payer's consent is given "through a remote channel which may imply a risk of payment fraud or other abuses".

There is a view, however, that card payments are among those that are in fact initiated by the payee (the merchant), who is not in fact the 'payee' of the cardholder at all but is paid by the card acquirer to which the merchant submits its transactions. The cardholder just pays the card issuer. This is all bound up in fundamental problems with the definitions of "payment transaction", "payer" and "payee" in both the PSD and PSD2; and the fact that card acquiring works through a series of back-to-back contracts that do not involve any direct contract between the buyer and the seller at all concerning payment processing. Indeed, a challenge for the UK's implementation plans is that there is a Court of Appeal decision which supports this view. 

In these respects, PSD2 appears to set up a 'legal fiction', which (despite taking a somewhat purposive approach in the 'fudge' explained above) the EBA appears to insist on in language at the end of its consultation paper: "all the requirements under consultation apply irrespective of the underlying obligations and organisational arrangements between" the various types of PSP, payers and payees. In other words, we have a weird situation where the law and related standards are to be applied regardless of how payment systems and processes really work.

Not only can this lead to situations where, for example, some banks insist that the PSD does not cover card acquiring, but it can also cause over-compliance to avoid doubt and other restraints on innovation.

While distinctions concerning how payments are inititiated and by whom might seem to matter less in the context of security measures to be adopted by PSPs - since everyone is interested in reducing financial crime - it is absolutely critical in the context of software and services that contribute in any way to payments being "initiated" and whether the suppliers or users of such software and services must be authorised as "payment initiation service providers" or perhaps even as the issuers of payment instruments. 

It will be very interesting to see how the Treasury proposes to address these problems in transposing PSD2 itself, although it's more likely the FCA will be left to explain how to comply, assuming the Treasury declines to take a purposive approach to EU law and simply copies the language of PSD2 into UK law (a process known as 'gold-plating').

There are numerous other glitches in the technical standards that have been identified by respondents, too numerous to mention here, but which it is hoped will be reconsidered in the next version - not that such standards should ever be considered as 'final' or set for all time. Indeed, an overarching problem seems to be that in the EBA's attempts to drag our legacy payments infrastructure into the 21st century, insufficient attention has been given to existing and potential alternative security technology - even in cases where incumbents are seeking to leapfrog the limitations of legacy systems.

Meanwhile, a year has slipped by since PSD2 was approved and the standards themselves are only due to take effect in October 2018 'at the very earliest', by which time they are likely to be thoroughly out of step with commercially available technology. 

While old systems may need to be accommodated to some degree, surely the pace of payments innovation should not be tied to the slowest animals in the herd?

The Next Revolution in UK #Payments: Non-bank PSPs and The RTGS

The Bank of England is consulting on the reform of its Retail Gross Settlement System ("RTGS"), which processes half a trillion pounds worth of transactions a day covering almost every payment in the UK economy — from salaries to invoices, from car purchases to retail sales, pensions and investments. 

The system is 20 years old and needs to be reinvented in way that is more flexible and cost-effective. It must interoperate with a wider range of payment systems on a 24x7 basis and better support the increasingly rapid evolution of various new payment methods in the retail, commercial and financial markets.

Responses can be made online by 7 November 2016. 

Humans At The Heart of FinTech

My article on this theme has been published by the Society of Computers and Law in connection with the IFCLA conference, where I participated on a panel discussing disruptive technology in financial services. 

It is interesting to see how people's belief in the 'efficient market' and appeals to the authorities for help when things get out of hand is playing out in the context of the Ethereum project and the DAO!

Can It Really Be #PSD2?!

The new Payment Services Directive (PSD2) has been approved by the European Parliament. Following the Parliament’s vote, in order to take effect, the Directive must be formally adopted by the EU Council of Ministers and published in the Official Journal of the EU. This is explained by the European Commission here. I understand that should be done by sometime in November. In the meantime, the official version is published by the European Parliament here. From that date of publication in the Official Journal, Member States will have two years to introduce the necessary changes in their national laws in order to comply with the Directive.

I have updated my note for SCL on PSD2 accordingly.

PSD2 - EU Sleight of Hand?

True to form, the EU Parliamentary process threw up an amended proposal for the new Payment Services Directive last Tuesday, leaving everyone two business days to consider it before this week's Parliamentary session. Conspiracy theorists will wonder what last minute lobbying victories were secured and what might have been different with a few weeks to consider them.

It seems pointless to review the draft, let alone summarise any changes, since further changes may well emerge this week from lurking MEPs. Who knows what will finally pop out in the Journal? Only those swimming in the primordial soup.

My summary of the June draft is here.

#PSD2: The Final Chapter?

I have updated my article for the SCL on the differences between the Payment Services Directive (PSD) and the latest compromise text of PSD2, produced following informal negotiations amongst the European Parliament, Council and the Commission.

It seems we are not far away from the final version.

UK Plans For #VirtualCurrencies and #Blockchain Technologies

The Treasury has published its response to the recent call for evidence on virtual currencies. The plan is to apply anti-money laundering regulation to virtual currency exchanges and ensure effective enforcement related to the criminal use of the currencies themselves, including seizure. It will also foster the development of standards for consumer protection in conjunction with the British Standards Institute. The government will also invest £10m to address 'research opportunities and challenges'.

In addition to addressing the risks, the report also explores the benefits of digital currencies as methods of payment, including uses beyond the retail scenarios, as well as other applications of blockchain technology; as well as barriers to suppliers setting up in the UK and how the government can help clear the way.

Alternative uses for the “distributed ledger” technology (i.e. beyond retail payment services) that the Treasury identified were:

• transfer of title to digital assets, with inherent authentication, digital ‘signing’ and time-stamping and record-keeping e.g. recording and transferring the ownership of bonds, shares, securities and other financial instruments; passports, driving licences, criminal records, land registry and digital voting; 
• ‘smart contracts’ and smart payments, whereby users encode requirements into a payment instruction or other message in order to achieve autonomous, self-executing payments and contracts that adjust for specific conditions. 
• decentralised data storage solutions (using blockchain technology to store files securely and efficiently);
• encrypted peer-to-peer messaging networks; and 
• links with ‘smart property’ and the Internet of Things, whereby devices (including autonomous vehicles) communicate with each other and maintain and update themselves semi-autonomously.

Great news for the everyone that the government is positively engaging with this technology.

Changes to #MIF Regulation

Worth noting that the text of the Merchant Interchange Fees Regulation dated 16 January 2015 differs substantively from the version published on 31 October 2014 and considered by MEPs on 17 December. Troubling that no mark-up has been provided. However, I have done the work and updated my previous summary accordingly.

MEPs Agree To Cap Card Fees (#MIFs)

Based on the recent deal amongst MEPs, it looks like the Merchant Interchange Fees (MIF) Regulation will sail through the EU Parliamentary process in early 2015.

Lack of Transparency In Negotiation Of #PSD2

I don't think the Beurocrats are terribly concerned by rampant Euroscepticism pervading national electorates. The byzantine EU legislative process trundles on as secretively as ever. All the nonsense about immigration is a nice distraction from lack of transparency on more fundamental issues.

The latest attempt at a fait accompli is the revised proposal for a new Payment Services Directive (PSD2), which is designed to shape the EU's payment systems for the decade to come. Having published several drafts previously with some attempt to mark-up the changes from previous meetings of member state representatives, a rapid-fire draft (dated 21 November) was suddenly published on 24 November, the same day it was due to be debated.

Today, as a result of the 24 November negotiations, a further draft (dated 1 December) was published without any changes marked, along with a recommendation that it be used as the basis for negotiations with the EU Parliament. Never mind that alternative service providers and other stakeholders with minimal lobbying power are attempting to understand and warn of the impact of seismic changes to the payments regulatory framework.

This is no way to approach the regulation of the EU financial system - if you have any interest at all in bringing the market along with you. But it's a perfect way to leave control of the market to the major banks and card schemes who have lobbyists plugged into the process.

Rant ends. I'll be trying to update my article on the changes to the proposals in the coming week.

Though it's hard to see the point.

Card Scheme MIF Regulation [Updated 20 Jan 2015]

In addition to a new Payment Services Directive (PSD2), the Beurocrats have been busy on a Regulation aimed at payment card transactions - mainly to cap merchant interchange fees, but also to introduce some 'business rules' (MIF Regulation). Unlike PSD2, the MIF regulation will take effect directly in each member state, rather than having to be implemented into national law first. The caps on fees described below apply from 6 months after the regulation enters into force, while the grace period for the business rules is 12 months after the regulation enters into force. The MIF regulation must be reviewed by the Commission four years after entering into force, with any recommendation to amend the fee cap. Underlining and strike-through reflects changes made to the MIF Regulation since October 2014.

Capping fees:

The January 2015 version of the MIF Regulation (updating the October 2014 version) caps the hidden interchange fees that card issuers receive from merchant acquirers for cross-border all debit card transactions at 0.2%. However, for domestic debit card transactions, Member States may apply either a lower cap per transaction and a fixed maximum fee amount, or allow payment service providers (PSPs) to apply a per transaction fee of up to €0.05 in combination with a maximum percentage rate of no more than 0.2%, provided that the interchange fees of the payment card scheme does not exceed the fee is capped at a weighted average of 0.2% of the annual transaction value of the domestic debit card for all transactions within each payment card a scheme, or 0.2% per transaction. But for 5 years, Member States may allow PSPs to apply to domestic debit card transactions a weighted average interchange fee of up to 0.2% of the annual average transaction value of all domestic debit card transactions within each payment card scheme, or a lower weighted average if they wish.

The interchange fee for each credit card transaction is to be capped at 0.3%, although member states can reduce this for domestic transactions.

If domestic payment transactions are not distinguishable as debit or credit card transactions by the payment card scheme, the provisions on debit cards or debit card transactions apply. However, for 1 year after the fee caps apply, Member States may rule that up to 30% of the indistinguishable transactions are considered to be credit card transactions to which the credit card cap shall apply.

At these levels, the authorities believe that retailers should not be allowed to impose additional charges for use of cards that are subject to the caps (such 'surcharging' is controlled by PSD2). However, cards issued to businesses ('commercial cards') and those issued by 'three party payment schemes' (like Amex) are exempt from the caps. That's because businesses are thought to be able to fend for themselves (unlike consumers); and in a three party scheme all fees are charged by the scheme operator, so both the consumer and the merchant know who's paying what to whom. In those cases, then, the merchants can charge for the pain of accepting such cards and it's up to the scheme operators whether to lower their fees. But there are certain limits to the exemption for three party schemes.

In addition, the caps will not apply to 'limited network' payment instruments (like gift cards) which:

• allow the holder to acquire goods or services only within a limited network of service providers under direct commercial agreement with a professional issuer; or
• can only be used to acquire a very limited range of goods or services; or
• instruments valid only in a single Member State provided at the request of an undertaking or public sector entity and regulated by a national or regional public authority for specific social or tax purposes to acquire specific goods or services from suppliers having a commercial agreement with the issuer.

Confusingly, however, there's a similar exemption under PSD2 which carries an additional limitation that “The same instrument cannot be used to make payment transactions to acquire goods and services within more than one limited network or to acquire an unlimited range of goods and services”. So it's conceivable that a scheme may be exempt from the need to be authorised under PSD2, yet have its interchange fees regulated under the MIF Regulation.

Business Rules:

The MIF Regulation has some additional 'business rules':

1. there can't be any territorial licensing restrictions on scheme membership within the EU;
2. card schemes (other than three party schemes) must: ensure their system is technically interoperable with other systems of processing entities within the EU; must separateensure the rule-making entity is independent from entities providing payment processing and other services; eliminate cross-subsidies among scheme services; and not make any one service conditional on taking or providing another;
3. all card schemes must:

• allow 'co-badging', so that a single card can be accepted under multiple schemes;
• enable co-branded instruments on the same card, if possible, but give clear and objective information on the different instruments and their characteristics;
• not discriminate between issuers or acquirers concerning co-badging of payment brands or applications or in terms of reporting, fees or other obligations, routing of transactions or by using mechanisms that limit the choice of application by payer and payee when using a co-badged instrument (though prioritising is okay);
• not charge fees on a blended basis for different card types, unless requested;
• not insist that all their types of cards are honoured if a merchant only wants to accept some of them (and so must enable customers to readily distinguish between the different types of cards offered by the scheme);
• not prevent retailers ‘steering’ customers toward using a preferred payment method, without prejudice to rules under the PSD or the consumer rights directive.

While the MIF Regulation is reasonable advanced, the UK Payment Systems Regulator (PSR) recently warned that if the adoption of the MIF Regulation is delayed, or the implementation of its domestic fee caps is deferred from the caps on cross-border interchange fees, it will consider taking action in advance of the Regulation; and that it may still consider whether it is appropriate to take any further action even if the MIF Regulation is adopted.

In other words, official trust in card schemes is low.

Payment Systems Regulator Publishes Regulatory Proposals

It's all go in the payments world at the moment. The EU is trying to hammer out a new payment services directive (PSD2), while the UK's new Payment Systems Regulator (PSR) is setting up shop ahead of its official launch in April 2015.

The PSR has just announced the results of a joint market study with Ofcom on the level of innovation in the payments sector, which casts doubt on certain aspects of PSD2.

In addition, the PSR has published its response to an earlier consultation on its proposed rules for regulating payment systems. The term "payment system" is defined very broadly as:

“a system which is operated by one or more persons in the course of business for the purpose of enabling persons to make transfers of funds, and includes a system which is designed to facilitate the transfer of funds using another payment system.”

The intention behind the rules are to:

• set a new approach to industry strategy development - a new 'Payments Strategy Forum';
• change the governance and control of payment systems to ensure greater transparency and representation of users in decision making, avoidance of conflicts of interest, publication of board minutes and compliance reports to the PSR;
• make it easier for participants of all sizes to access payment systems – directly or indirectly;
• action on interchange if EC regulation is delayed; and
• require system operators to discuss significant developments with the PSR in advance and on an on-going basis.

If the rules still aren't to your liking, you have until 12 January to kick up a fuss.

The Updated Updated Review Of #PSD2

The European Council produced a further update of the proposed new Payment Services Directive (PSD2) in late October, and I have now updated my review article for the SCL, as well as the posts assessing the impact on:

• loyalty schemes, including store card and gift card programmes;


• third party gateways and other technical service providers;


• the providers of the newly regulated payment initiation and account information services; and


• security, innovation and competition.

Regulatory Creep Hits Big Loyalty Schemes - Updated

Store cards, gift cards and loyalty rewards are currently exempt from payments regulation where they are only accepted within the issuer’s premises or certain ‘limited networks’. The new European Payment Services Directive (PSD2) extends the scope of this exemption - which is helpful to some extent - but also introduces a notification requirement that will bring big schemes within the regulatory sphere from 13 January 2018, and oblige the authorities to decide whether the exemption is available. This post explains the changes, and the options open to the operators of such schemes. For other significant changes proposed under PSD2, see my longer SCL article). The Treasury's consultation on introducing PSD2 in the UK has just been published.

The limited network exemption under PSD1 applies to services based on instruments that can be used to acquire goods or services only: (a) in the premises used by the issuer; or (b) under a commercial agreement with the issuer either (i) within a limited network of service providers or (ii) for a limited range of goods or services (my numbering/emphasis).

The exemption under PSD2 is for:

"services based on specific payment instruments that can be used only in a limited way, that meet one of the following conditions:

(i) instruments allowing the holder to acquire goods or services only in the premises of the issuer or within a limited network of service providers under direct commercial agreement with a 'professional issuer' [not defined];

(ii) instruments which can be used only to acquire a very limited range of goods or services;

(iii) instruments valid only in a single Member State provided at the request of an undertaking or a public sector entity and regulated by a national or regional public authority for specific social or tax purposes to acquire specific goods or services from suppliers having a commercial agreement with the issuer." (my emphasis)

Some guidance as to what is meant by 'limited' or 'very limited' is to be found in the relevant recital to PSD2, which states:

"Instruments which can be used for purchases in stores of listed merchants should not be excluded from the scope of this Directive as such instruments are typically designed for a network of service providers which is continuously growing."

In addition, operators of large limited network schemes will be obliged to notify the regulator “if the the total value of payment transactions executed over the preceding 12 months exceeds the amount of EUR 1 million”. The regulator must then decide whether the exemption criteria actually apply, and notify the service provider if the regulator concludes that it does not. There is no provision for a transition period to explore alternative methods of supporting the scheme.

This means that loyalty scheme operators need to consider now whether their scheme will be covered by the revised limited network exemption in January 2018 and, if not, whether they should outsource the operation of the programme to an authorised firm (or the agent of one); or seek their own authorisation (or agency registration). Ultimately, they might restructure the scheme to fit the exemption, or shut it down.

The UK Treasury was due to issue its consultation paper in August 2016 on how it plans to implement PSD2, but has not done so yet. Hopefully, either the Treasury and the FCA will clarify further how they plan to handle the notification process, including whether pre-clearances will be possible during 2017, for example, given the lack of any transition period should the FCA conclude that the exemption does not apply.  Otherwise, queries arising out of any uncertainty in the application of the exemption might be directed to the FCA's Innovation Hub. 

This kind of regulatory 'scope creep' is not at all healthy, however. PSD2 should be clearer on what activities are in or out of scope. Instead, we have activities that are out of scope altogether; in scope but exempt; in scope with authorisation required; in scope with registration required; or in scope with only notification required (as here).

The question also remains why loyalty schemes are being targeted in this way. There is no evidence of any harm to consumers in such scenarios, as discussed in the context of earlier plans by the UK Treasury to propose self-regulation to ring-fence retail loyalty scheme funds (here and here).  It seems a case of mistaken identity with retail pre-payment schemes such as operated by Farepak and certain tour companies which don't appear to be caught anyway.  Similarly, there is no distinction made for 'limited network' schemes whose rules do not allow cash to be obtained by either redeeming the limited network value or seeking a refund for a purchase made using that value.

[First published 23.10.14, and since updated to reflect the change to the notification threshold; again to reflect the removal of 'unlimited' in a late draft of PSD2; and again to include the date when PSD2 takes effect in national law]