Red Alert: Retailers With Loyalty Progammes

Three years after being announced in the UK and I suspect many retailers are yet to realise that their loyalty/store card programmes will be regulated by the Financial Conduct Authority from 13 January 2018 - likewise across the European Economic Area. 

As the FCA now also warns, retailers who offer such programmes anywhere in the EEA will need to track the annual transaction volumes very carefully, starting with the completely arbitrary and inconvenient date of 13 January 2018. 

If the volume meets or exceeds €1 million (or the GBP or local currency equivalent) in any 12 month period (the first ending on 12 January 2019), the retailer must notify the FCA (or local regulator) within 28 days (by 10 February 2019).  Firms may also choose to register at any time from 13 October 2017.

But be sure of the outcome before you decide whether or not to register!

The regulator must then decide whether the programme is exempt from regulation as an e-money/payment service.  

If the firm fails to notify, it commits an offence under the Payment Services Regulations 2017 (or local equivalent implementing the second Payment Services Directive (PSD2)). 

If the FCA decides the programme is exempt, then it must include the retailer on the FCA's register of 'limited networks', and the name will be added to a central register of all such firms across the EEA.

If the FCA decides the programme is not exempt from regulation the retailer can appeal, but basically this means the firm will have been found to be violating the Electronic Money Regulations 2011 and/or Payment Services Regulations 2017 by issuing e-money and/or offering a payment service without being duly authorised/registered to do so. Major problem!

So retailers really have to decide now whether they should outsource the operation of the programme to an authorised firm (or the agent of one); or seek their own authorisation (or agency registration). Ultimately, they might restructure the scheme to fit the exemption, or shut it down.

Of course, the mere fact that retailers with loyalty schemes have to be mindful of these requirements and go through the process means they are in effect regulated by the FCA. Ignorance, as they say, is no defence.

Can It Really Be #PSD2?!

The new Payment Services Directive (PSD2) has been approved by the European Parliament. Following the Parliament’s vote, in order to take effect, the Directive must be formally adopted by the EU Council of Ministers and published in the Official Journal of the EU. This is explained by the European Commission here. I understand that should be done by sometime in November. In the meantime, the official version is published by the European Parliament here. From that date of publication in the Official Journal, Member States will have two years to introduce the necessary changes in their national laws in order to comply with the Directive.

I have updated my note for SCL on PSD2 accordingly.

PSD2 - EU Sleight of Hand?

True to form, the EU Parliamentary process threw up an amended proposal for the new Payment Services Directive last Tuesday, leaving everyone two business days to consider it before this week's Parliamentary session. Conspiracy theorists will wonder what last minute lobbying victories were secured and what might have been different with a few weeks to consider them.

It seems pointless to review the draft, let alone summarise any changes, since further changes may well emerge this week from lurking MEPs. Who knows what will finally pop out in the Journal? Only those swimming in the primordial soup.

My summary of the June draft is here.

#PSD2: The Final Chapter?

I have updated my article for the SCL on the differences between the Payment Services Directive (PSD) and the latest compromise text of PSD2, produced following informal negotiations amongst the European Parliament, Council and the Commission.

It seems we are not far away from the final version.

Lack of Transparency In Negotiation Of #PSD2

I don't think the Beurocrats are terribly concerned by rampant Euroscepticism pervading national electorates. The byzantine EU legislative process trundles on as secretively as ever. All the nonsense about immigration is a nice distraction from lack of transparency on more fundamental issues.

The latest attempt at a fait accompli is the revised proposal for a new Payment Services Directive (PSD2), which is designed to shape the EU's payment systems for the decade to come. Having published several drafts previously with some attempt to mark-up the changes from previous meetings of member state representatives, a rapid-fire draft (dated 21 November) was suddenly published on 24 November, the same day it was due to be debated.

Today, as a result of the 24 November negotiations, a further draft (dated 1 December) was published without any changes marked, along with a recommendation that it be used as the basis for negotiations with the EU Parliament. Never mind that alternative service providers and other stakeholders with minimal lobbying power are attempting to understand and warn of the impact of seismic changes to the payments regulatory framework.

This is no way to approach the regulation of the EU financial system - if you have any interest at all in bringing the market along with you. But it's a perfect way to leave control of the market to the major banks and card schemes who have lobbyists plugged into the process.

Rant ends. I'll be trying to update my article on the changes to the proposals in the coming week.

Though it's hard to see the point.

The Updated Updated Review Of #PSD2

The European Council produced a further update of the proposed new Payment Services Directive (PSD2) in late October, and I have now updated my review article for the SCL, as well as the posts assessing the impact on:

• loyalty schemes, including store card and gift card programmes;


• third party gateways and other technical service providers;


• the providers of the newly regulated payment initiation and account information services; and


• security, innovation and competition.

Regulatory Creep Hits Big Loyalty Schemes - Updated

Store cards, gift cards and loyalty rewards are currently exempt from payments regulation where they are only accepted within the issuer’s premises or certain ‘limited networks’. The new European Payment Services Directive (PSD2) extends the scope of this exemption - which is helpful to some extent - but also introduces a notification requirement that will bring big schemes within the regulatory sphere from 13 January 2018, and oblige the authorities to decide whether the exemption is available. This post explains the changes, and the options open to the operators of such schemes. For other significant changes proposed under PSD2, see my longer SCL article). The Treasury's consultation on introducing PSD2 in the UK has just been published.

The limited network exemption under PSD1 applies to services based on instruments that can be used to acquire goods or services only: (a) in the premises used by the issuer; or (b) under a commercial agreement with the issuer either (i) within a limited network of service providers or (ii) for a limited range of goods or services (my numbering/emphasis).

The exemption under PSD2 is for:

"services based on specific payment instruments that can be used only in a limited way, that meet one of the following conditions:

(i) instruments allowing the holder to acquire goods or services only in the premises of the issuer or within a limited network of service providers under direct commercial agreement with a 'professional issuer' [not defined];

(ii) instruments which can be used only to acquire a very limited range of goods or services;

(iii) instruments valid only in a single Member State provided at the request of an undertaking or a public sector entity and regulated by a national or regional public authority for specific social or tax purposes to acquire specific goods or services from suppliers having a commercial agreement with the issuer." (my emphasis)

Some guidance as to what is meant by 'limited' or 'very limited' is to be found in the relevant recital to PSD2, which states:

"Instruments which can be used for purchases in stores of listed merchants should not be excluded from the scope of this Directive as such instruments are typically designed for a network of service providers which is continuously growing."

In addition, operators of large limited network schemes will be obliged to notify the regulator “if the the total value of payment transactions executed over the preceding 12 months exceeds the amount of EUR 1 million”. The regulator must then decide whether the exemption criteria actually apply, and notify the service provider if the regulator concludes that it does not. There is no provision for a transition period to explore alternative methods of supporting the scheme.

This means that loyalty scheme operators need to consider now whether their scheme will be covered by the revised limited network exemption in January 2018 and, if not, whether they should outsource the operation of the programme to an authorised firm (or the agent of one); or seek their own authorisation (or agency registration). Ultimately, they might restructure the scheme to fit the exemption, or shut it down.

The UK Treasury was due to issue its consultation paper in August 2016 on how it plans to implement PSD2, but has not done so yet. Hopefully, either the Treasury and the FCA will clarify further how they plan to handle the notification process, including whether pre-clearances will be possible during 2017, for example, given the lack of any transition period should the FCA conclude that the exemption does not apply.  Otherwise, queries arising out of any uncertainty in the application of the exemption might be directed to the FCA's Innovation Hub. 

This kind of regulatory 'scope creep' is not at all healthy, however. PSD2 should be clearer on what activities are in or out of scope. Instead, we have activities that are out of scope altogether; in scope but exempt; in scope with authorisation required; in scope with registration required; or in scope with only notification required (as here).

The question also remains why loyalty schemes are being targeted in this way. There is no evidence of any harm to consumers in such scenarios, as discussed in the context of earlier plans by the UK Treasury to propose self-regulation to ring-fence retail loyalty scheme funds (here and here).  It seems a case of mistaken identity with retail pre-payment schemes such as operated by Farepak and certain tour companies which don't appear to be caught anyway.  Similarly, there is no distinction made for 'limited network' schemes whose rules do not allow cash to be obtained by either redeeming the limited network value or seeking a refund for a purchase made using that value.

[First published 23.10.14, and since updated to reflect the change to the notification threshold; again to reflect the removal of 'unlimited' in a late draft of PSD2; and again to include the date when PSD2 takes effect in national law]

PSD2, The Saga Continues - Updated

The European Council issued its revised proposal for PSD2in September 2014.

The Society for Computers and Law has kindly published an update to my earlier article on PSD2 to reflect the revised proposal.

Possibly the key issues relate to:

• limiting the technology service providers exemption to those who supply their services to payment service providers, rather than users - for example, this would no longer seem to apply to 'gateway' data services supplied to merchants/retailers, as opposed to acquirers;
• the distinctions between technology services, on the one hand, and services involving payment initiation, account access, bill payment and acquiring;
• the inconsistent treatment of bill payment services, e-commerce marketplaces and the suppliers of public communications networks (telcos);
• the notification requirements for large store card, gift card and loyalty programmes and other 'limited network' payment schemes;
• the requirement for payment service providers to release to payers the names of payees who refuse to surrender funds that have been paid to them by mistake;
• host state reporting for cross-border service providers, in addition to home state reporting;
• prescriptive security provisions affecting different types of payment service provider, which must meet (as yet unpublished) standards issued by the European Banking Authority;
• e-money institutions having to provide fresh evidence that they meet the threshold conditions for authorisation.

Interested in hearing your thoughts, either here or via the SCL site.