Showing posts with label card schemes.

Tuesday, 29 November 2022

Steiner Case No Safe Haven For Card Issuers, Acquirers, Processors or Merchants

I have a real problem with the facts and ultimate outcome for the cardholder in the recent case of Steiner v National Westminster Bank plc [2022] EWHC 2519 (KB) decided in October. I make no criticism of the lawyers or judge involved, but those in the payment card business should not see it as setting up any kind of safe haven. 

In essence, the court absolved a credit card issuer from liability for the price of a timeshare deal under section 75 of the Consumer Credit Act because the supplier of the timeshare ('CLC') was found not to be a party to the credit card 'arrangements'. Instead, those arrangements were found only to involve a separate company ('FNTC') that was not part of the same corporate group as CLC and was acting as a trustee and not as agent for CLC. 

Unfortunately, it seems the Mastercard rules were not fully explored, as the judge held:

13. Equally, there was no evidence before me as to the rules of the Mastercard network, but it was not suggested that they prohibited a merchant who was a member of the scheme from receiving payment under the scheme as trustee or agent for another.

However, the Mastercard rules effectively require that acquirers, merchants and sub-merchants (and the intermediate 'Payment Facilitator') must be party to the overall scheme arrangements, and it would be a breach of those rules if that were not the case (see Chapters 5 and 7). 

In addition, it appears that as a separate company and a trustee, FNTC was not lawfully able to handle funds due to CLC under the Payment Services Regulations 2017. There is no evidence that FNTC was a payment institution (or small payment institution) or the agent of one; and as a separate company and trustee it could not benefit from any of the exclusions from the need for authorisation/registration as a payment institution, the most common in such scenarios being the exclusion for a commercial agent or a group company collecting or making payments on behalf of other companies in the same group. 

In this specific case, there may have been good reasons why the Mastercard rules were not explored and/or the card acquirer, FNTC and CLC were not joined as defendants and subject to a barrage of claims and remedies to recover the funds (assuming that the card issuer could not have known of the apparent breach of scheme rules and FNTC's apparently unlawful conduct). There may have been shortcomings in the evidence or other issues involved in mounting the potential legal claims and remedies - not the least of which would be the necessary financial resources.

But I do not see this case as a reliable basis for anyone to start setting up trustees as payment processors in an attempt to avoid liability under supply contracts, card scheme rules, Payment Services Regulations and/or section 75 of the Consumer Credit Act!


Wednesday, 19 September 2018

Will Your UK-issued Card Still Work In The EEA After Brexit?

Some confusion has arisen around this question today. The answer is that it should not be an issue, based on how card acquiring really works.

The EU has been clear since 2016 that, regardless of which type of Brexit occurs, UK-based financial institutions will no longer benefit from the ability to 'passport' their services into the rest of the European Economic Area (Norway, Liechtenstein and Iceland also participate in the financial services passporting arrangements). This position was emphasised in the relevant EU 'preparedness notice' in February 2018.

In the payments space, about 350 UK firms rely on outbound passports around the rest of the EEA, while 142 EEA-based firms passport into the UK, as the FCA explained to a Parliamentary select committee in August 2016.


So, in the payments space, the 350 UK-based banks, e-money institutions and payment institutions who currently rely on passports have been setting up additional new entities based in one of the remaining EU27 countries, from which they will service their customers who are resident in the EEA (as have I, on a professional basis, as UK professional qualifications will also cease to be recognised for providing services in the EEA). 

So, when Brexit occurs, the current residents of other EEA countries will be offered payment cards and accounts from an EEA-based entity, rather than a UK one.

That is not to say that a UK resident travelling in the EEA will not be able to make a payment using their payment cards issued to them in the UK under the typical international card schemes (which actually don't base their definition of Europe according to EEA and non-EEA distinctions, anyway). 

So, EEA-based merchants/retailers will still be able to take payment via their EEA-based payment provider (known as a 'card acquirer' or 'merchant acquirer'); and the UK customer will pay their UK card issuer as usual. The card scheme operator will still net-off amounts owed between EEA and non-EEA based issuers and acquirers and they will settle the difference with the schemes. It's just that the UK issuer in this example will then be among the non-EEA group.

Wednesday, 15 February 2017

#PSD2: Are Merchant Checkouts "Payment Instruments"?

The Treasury is consulting on its proposed regulations to implement the new Payment Services Directive (PSD2) in the UK. The consultation ends on 16 March 2017 and the regulations must take effect on 13 January 2018. The FCA will consult on the guidance related to its supervisory role in Q2 2017. Time is tight and there are still plenty of unanswered questions, which I've been covering in a series of posts. In this one, I'm exploring whether online merchants' checkout process/pages could be "payment instruments", so that merchants who host their own process might be engaging in the regulated activity of "issuing payment instruments" (and possibly even offering a "payment initiation service"). There is now precious little time for retailers to consider the issue, decide whether their activities are caught and, if so, whether to outsource the hosting of the checkout process to a duly authorised firm or its agent, restructure the checkout process or the entity or entities that operate it, or become authorised or the agent of an authorised firm.

Everyone is familiar with the e-commerce 'checkout' page or process, with its list of ways to pay for the items selected or in the 'shopping basket'. Sometimes these are hosted by a regulated payment service provider, an exempt 'technical service provider' or 'gateway', and sometimes by the merchant itself (in which case the merchant has to comply with certain security requirements in relation to card transaction data, for example). 

Whether technical service providers who are currently exempt will remain so under PSD2 is already an open issue, since to remain so they cannot also provide either a payment initiation service or an account information service, even though they still would not be handling the funds to be transferred.

The big question is whether merchants themselves fall into the regulated scope, especially as they ultimately receive funds, so might not qualify as technical service providers.

First, a few (of the many) relevant definitions:
“issuing of payment instruments” means a payment service by a payment service provider contracting to provide a payer with a payment instrument to initiate and process the payer’s payment transactions;
“payment instrument” means any— (a) personalised device; or (b) personalised set of procedures agreed between the payment service user and the payment service provider, used by the payment service user in order to initiate a payment order;
“co-badged”, in relation to a payment instrument, refers to an instrument on which is included two or more payment brands, or two or more payment applications of the same payment brand;
Note that the references to 'payment service' and 'payment service provider' are redundant or circular - essentially, they mean anyone who is, or should be, authorised to provide a regulated payment service. The reference to 'co-badging' is important as certain information could have to be provided under the Merchant Interchange Fee Regulations.

I think the primary questions are as follows, but the answers would vary considerably according to the payment method and other facts and circumstances:
  • is the checkout process/page a "personalised device"; or "personalised set of procedures agreed between" the customer and the merchant?
  • if so, is the checkout process/page "used by the payment service user" (again, see here)?
  • if so, is the payment service user using the checkout process/page "in order to initiate a payment order"... as explained previously...or 'payment transactions'?
  • finally, how much processing would a merchant have to do to fall within the meaning of "initiate and process the payer's payment transactions": so, when does that processing begin and end; what steps/participants are involved; what is the nature of the processing (e.g. does it send transaction data to a payment gateway, acquirer or other type of payment service provider?); is the merchant acting as principal, agent or payee?
Hopefully, the Treasury and FCA will explain their interpretation soon!




Saturday, 18 February 2012

An Integrated EU Market For Payments?

A Dog's Breakfast
We have until 11 April to weigh in on the European Commission's dream for "an integrated European market for card, internet and mobile payments."

Tedious as the EC's role and processes are, we mustn't forego these opportunities to feed into the EU's 'social dialogue'. If we don't participate we'll get legislation that's more reflective of canine culinary expertise rather than how various markets actually work (like the Payment Services Directive).

Some key issues in the current green paper are:
  • whether it's overkill to make a retailer show on your receipt how much it costs to use your chosen payment method;
  • whether non-financial service providers should be able to directly access clearing and settlement systems;
  • whether you should be allowed to permit any service provider you like to show you your bank balance, rather than only your bank; and
  • whether competition is being inhibited by the process of 'standardisation' and demands for "full interoperability".
My own personal view is that the short answer to all of the above is, "Yes."

The challenge to regulating payments is that service providers and regulators alike tend to view "paying" and "banking" as consumer activities in their own right. Whereas consumers don't actually "pay" - and retailers don't even "accept payment" - as distinct activities. The man from Visa who thinks the brand on my payment card is the most important brand in the context of me buying a gift for a friend on my way to a party is institutionally deluded. Actually paying for the gift is a barely considered sub-process in the course of getting to the party, and I might pay in cash.

Not only must we remember that payment occurs in the context of wider consumer activities, but we must also acknowledge that payment details are a subset of all the personal and transaction data used in retail services that are subject to broader market forces and other regulation. In particular, the impact of the EC's proposal for more comprehensive regulation of personal data processing cannot be underestimated. There seems little point in dealing with access to bank balance information in the context of payments regulation when the wider data protection regime would enable the "right to be forgotten", "data portability", "data protection by design and by default", the logging/reporting of personal data security breaches, personal data processing impact assessments, prior consultation and regulatory consent for potentially risky processing; not to mention enhanced internal controls, enforcement and compliance burdens, including the appointment of a data protection officer.

But let's glance away from the data protection elephant for a moment.

On the question of interchange, it's clear from Annex 2 of the green paper that the EC doesn't understand the lack of a direct contractual/settlement relationship between issuers and acquirers in four-party card schemes like Visa/MasterCard, even where a banking group has both an issuing business and an acquiring business. Each acquirer and issuer contracts directly with the card scheme, and the card scheme settles independently with each of them. Besides, the issuing arm's cardholders won't always be making payments to the acquiring arm's merchant customers. Not only does this add an important nuance to the interchange debate, but it also has far wider implications for payment services regulation than there's time to cover here.

As consumers, of course we want retailers to keep a lid on their interchange costs (like any other overhead). That would enable them to improve their services, increase product selection or maybe reduce their prices. But unless the retailer has its own specific surcharge, I don't need the receipt to tell me the cost of using my chosen payment method, any more than I'd need to know what it cost to get the item from the warehouse to the shop. The underlying cost might be fascinating to EC officials and payments geeks, but the all-in price of the item should be enough for me to compare the efficiency of retailers' operational processes. Whether those retailers are competing properly in their own markets is a separate issue to the cost of payments in any event.  

I can also see that the cost of payments might be reduced by enabling sophisticated businesses to directly access clearing and settlement systems, rather than relying on financial institutions whose systems are geared to servicing the broader market. And such businesses shouldn't need to become regulated financial institutions or to join cosy industry bodies for that privilege. However, I should point out that developing an internal acquiring and settlement capability is very likely to prove an unwelcome distraction for non-financial corporate groups.

Similarly, as a consumer, I should be able to appoint a single service provider to enable access to my various bank, card and other payment accounts, without being in breach of the obligation to keep my account access details confidential. It's not beyond the wit of man to work out which provider is liable for any security breaches that might occur in that data sharing process.

Finally, we need to be really careful about requiring "standardisation" and "full interoperability" rather than merely enabling the market to develop this naturally, free of anti-competitive activity. Entrepreneurs don't have the time or resources to sit around in policy and standards meetings. Nor do they wish to telegraph to incumbents their disruptive plans. Yet there is also little meaningful distinction between "technological interoperability" and "commercial interoperability" in a digital world where business models are automated or 'hard coded'. I'm struggling to understand the EC's intention here. On the one hand the EC wants to see competition (which generally means less consolidation and more fragmentation - plenty of new players and competing, disruptive solutions), and on the other hand it wants to "avoid fragmentation of the market". So these aims seem incompatible.

Interoperability and standards may be important to enable efficient, straight-through processing between participants at either end of an overall business process or system. But the more tightly that process is bound together - or the narrower the group of entities involved in the development of standards/interoperation - the harder it is for new entrants to compete by disintermediating or improving any one element of that process. This is a key reason we have been trying to avoid any preoccupation with mandating standards in relation to data release formats in the context of the 'midata' initiative, for example (formerly 'mydata'). This avoids creating an extra hurdle to the release of the data, while opening up a market for the supply of data transformation applications that collect such data in multiple formats and display or transfer it in another format. 

Paradoxically, the EC's own concerns on this front are reflected in the green paper questions as to whether card scheme management should be separated from control over card payment processing (Q's 9 and 10), as well as the competition challenge to standards-setting by the European Payments Council:
"Joaquín Almunia, Commission Vice President in charge of Competition Policy, said: "Use of the internet is increasing rapidly making the need for secure and efficient online payment solutions in the whole Single Euro Payments Area all the more pressing. I therefore welcome the work of the European Payments Council to develop standards in this area. In principle, standards promote inter-operability and competition, but we need to ensure that the standardisation process does not unnecessarily restrict opportunities for non-participants."
I rest my case.