
Monday, 24 May 2021

Deadline For SCA On E-commerce Transactions Slips Again

Once upon a time, the second Payment Services Directive mandated the introduction of 'strong customer authentication' (SCA) - also known as 'two factor authentication' or 'multi-factor authentication' - for remote and electronic payment transactions from 14 September 2019. But fear that consumers will abandon online transactions, lack of industry preparation and then the pandemic have seen this rather battered can being kicked steadily further down the road. The UK's Financial Conduct Authority has now declared the latest 'deadline' to be 14 March 2022.

This time it might be serious.


Wednesday, 6 May 2020

FCA Delays SCA... Again

The UK's Financial Conduct Authority has again delayed its deadline for enforcing the implementation of 'strong customer authentication' in e-commerce transactions, until 14 September 2021. 

The FCA had already turned a blind eye to the threshold for applying SCA to contactless card transactions, in light of the role that contactless cards play in social distancing.

The FCA still expects firms to follow the industry implementation plan agreed with UK Finance, though that can now be extended to the new deadline.

Monday, 6 April 2020

FCA Turns Blind Eye To SCA For Contactless Card Payments

The introduction of 'strong customer authentication' (SCA) - also known as 'two factor authentication' or 'multi-factor authentication' - for remote and electronic payment transactions has had a checkered history. Payment service providers should have been challenging customers to provide extra authentication details from 14 September 2019. But lack of industry preparation led the FCA (in line with the European Banking Authority and other EU national regulators) to state that it will not enforce the requirement until 14 March 2021, so long as PSPs are following an agreed industry plan to introduce the checks. In light of the COVID19 crisis, the FCA has now added:
"...we are very unlikely to take enforcement action if a firm does not apply strong customer authentication when the cumulative amount of transaction values has exceeded EUR 150 or five contactless transactions in a row. But this is only as long as the firm sufficiently mitigates the risk of unauthorised transactions and fraud, by having the necessary fraud monitoring tools and systems in place and taking swift action where appropriate."
Further time may also be allowed for introducing SCA for e-commerce payments generally, beyond 14 March 2021.

Meanwhile, the date for applying regulatory standards to secure communications amongst PSPs was also deferred from 19 September 2019 to 14 March 2020, yet some PSPs have not complied. The FCA is also letting them off the hook, where they are "facing further delays due to coronavirus":
"...we will consider on a case-by-case basis the appropriate further measures. In doing so, we will in particular consider:
  • firms’ security around authentication to access their online banking and when making payments;
  • their controls and processes to reduce fraud;
  • whether that impact is likely to be exacerbated given the current circumstances."
 

Tuesday, 9 April 2019

The EU Boosts Consumer Protection For The Digital Age

Next week, the European Parliament will significantly boost consumer protection in the EU by approving changes to 4 directives on consumer rights. Member states will have 2 years from publication in the Official Journal to implement the changes. The Enforcement and Modernisation Directive amends:
  • The Unfair Commercial Practices Directive (implemented in the UK by the Consumer Protection from Unfair Trading Regulations 2008);
  • The Consumer Rights Directive (implemented in the UK by the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013);
  • The Unfair Contract Terms Directive (implemented in the UK by the Consumer Rights Act 2015);
  • The Price Indications Directive (implemented in the UK by the Price Marking Order 2004).

Online traders and marketplaces

There are new information obligations for online traders and marketplaces. These include pre-contract disclosure obligations for online marketplaces; and failure to include the information in an invitation to purchase is both a misleading omission and a blacklisted commercial practice (in some cases for all traders and in some cases just for online marketplaces). 

Traders must provide the criteria used to rank search results (a misleading omission for all traders offering search facilities, and required pre-contract information for online marketplaces). Failure to clearly indicate that search results have been paid for is a blacklisted commercial practice. 

The trader must state whether it verifies reviews (and, if so, how). Submitting fake reviews is a blacklisted commercial practice. 

The status of the seller must be disclosed (a misleading omission and pre-contract information requirement for online marketplaces). 

Whether the consumer will benefit from consumer protection law and how contractual obligations are divided between the seller and the online platform are pre-contract information requirements for online marketplaces. 

All traders must state whether there is any personalisation of the price on the basis of automated decision-making.

Dual Quality Products

The practice of selling dual quality products can be deemed misleading, i.e. where the product is marketed in one member state as being identical to the goods marketed in other member states, while the composition or characteristics are significantly different (unless justified by legitimate and objective factors). Dual quality has been identified as an issue in fish fingers, instant soup, coffee, soft drinks, detergents, cosmetics and baby products.
 
Ticket bots

There is a ban on the use of ticket bots to bulk buy tickets for resale (a practice already dealt with in UK legislation).

Digital services and goods with digital elements

To align the Consumer Rights Directive with the draft Digital Content Directive there are new definitions of “digital services” and “goods with digital elements”. These are caught even where they are provided only in exchange for personal information; and there are provisions dealing with the use of personal data and user generated/contributed content after cancellation.

Communicating with traders
 
Traders must provide pre-contract information about online means of communication including use of chat bots or other technology (but reference to fax numbers is deleted) and the technology must enable the consumer to store any written correspondence, including the date and time, on a durable medium. But where the trader is contracting via means with limited time or space to communicate (e.g. text) the trader need not provide the model withdrawal form.

Reference prices for discounts

Any reference price used to indicate a discount must have been in use for at least a month (subject to exceptions/derogations).

Complaints/redress

The European Commission must use the single digital gateway to inform consumers of their rights and enable them to submit cases to the Commission’s Online Dispute Resolution Platform. Consumers will also have new rights to seek redress directly from traders.

Penalties for breach

Member states must impose penalties for breaches of the national consumer protection law implementing the amendments, including the ability to fine businesses up to 4 % of the trader’s annual turnover in the member state or member states concerned, or, if turnover information is not available, up to at least €2 million. 

Where national law may differ 

The Unfair Commercial Practices Directive and the Consumer Rights Directive are 'maximum harmonisation' directives, meaning member states cannot depart from them except in ways that are expressly permitted ('derogations').  New permitted derogations (provided they are proportionate, non-discriminatory and justified by consumer protection) relate to:
  • Online marketplaces: member states can impose further information obligations on these; 
  • Contracts concluded as a result of unsolicited home visits or excursions organised by a trader: a longer cancellation period for contracts agreed in these situations, from 14 to 30 days; and/or removing exceptions to the right to cancel where the services begin early with the consumer’s consent, the price depends on fluctuations in the financial market, the goods are made to the consumer’s specification or clearly personalised or goods sealed for health or hygiene reasons have been unsealed;
  • Solicited visits for home repairs:  the consumer's right to cancel can be removed for contracts involving repairs carried out on a solicited home visit where certain conditions are met.

Friday, 15 March 2019

E-commerce Marketplaces, Commercial Agents and PSD2

E-commerce marketplaces are now common in most sectors, enabling suppliers and consumers of all types of goods and services to find each other, contract directly, pay or be paid, arrange delivery and download their transaction data. But action being taken by some payment service providers (PSPs) suggests that many marketplace operators who offer this service in the European Economic Area may not have realised that the payment step needs to be structured in a way that avoids the need for the operator to be authorised by an EEA financial regulator as a payment institution or e-money institution under the Payment Services Directive or E-money Directive (depending on whether the supplier or customer is able to hold a balance in their 'account').

Some financial regulators, like the UK's Financial Conduct Authority, take the view that offering a payment service or e-money service has to be the operator's regular occupation or business in itself to fall within the scope of the PSD or EMD in the first place (the "business test"), although the payment step would need to be a small, ancillary part of the service offered and this is open to interpretation. But less pragmatic or experienced regulators around the EEA might apply the Directives simply because the operator is running a business of any kind. 

This means operators should err on the side of structuring their activities to avoid holding balances and to take advantage of an exclusion under the Payment Services Directive (e.g. for commercial agents authorised to negotiate or conclude contracts on behalf of either the payer or payee); or involve a PSP to handle the receipt and distribution of funds (or become the registered agent of a PSP). 

Other exclusions under the PSD or EMD may also be helpful. But even relying on an exclusion can be somewhat tricky because the interpretation of exclusions can vary from regulator to regulator across the EEA; and there is no 'passport' for one regulator's interpretation as there is for regulated PSPs who can offer their service across the EEA under authorisation in their home member state.

That means an operator should seek legal advice on how to structure its activities appropriately under the law of its home EEA member state; and if that involves relying on the local regulator's interpretation of the business test or an exclusion, the operator should check that analysis works under the law of each member state where the operator has a presence or significant numbers of participants (whether suppliers or their customers).  Acting on formal legal advice should also make it less likely that a regulator will take action for acts or omissions consistent with that advice, although it will not necessarily stop a regulator requiring a different structure going forward.

Wednesday, 19 July 2017

Final UK Regulations Implementing #PSD2

The UK government has today announced its final approach to implementing the new Payment Services Directive (PSD2), along with the final version of the Payment Services Regulations 2017. A final assessment of the impact of the new regulations is yet to be published. The FCA is expected to finalise its guidance on its approach to supervising PSD2 - along with application forms and so on - by September, and to accept applications for authorisation/registration from October 2017 to meet the implementation deadline of 13 January 2018.

It turns out that the responses to the consultation in February have only persuaded the government to change a few aspects of its approach to implementation (explained below). But it seems from the summaries that many responses didn't account for the fact that the government's hands have been tied since 2015, when the UK agreed the final version of PSD2 at EU level. As it's a maximum harmonisation directive, member states can only depart from PSD2 where it specifically allows them to. The ship has sailed (albeit with some awkward passengers on board, as explained in my own response). For the most part, implementation is now a question of how the FCA interprets the language in its application to the real world, which it consulted on in April. This does not suggest any lack of 'sovereignty', just a failure to influence EU negotiations (assuming those affected took the opportunity to engage at that time).

Ban on surcharging

One area of departure from the government's initial plan is to prohibit retailers from charging customers any additional amount for using any type of payment method/instrument.

The original idea was only to ban surcharging for the use of cards covered by the Interchange Fee Regulation (as required under PSD2), as well as cross border bank transfers and direct debits in euros (under the Single Euro Payments Area regulations); and limit the surcharges for other payment methods to the direct cost borne by the retailer for making them available.

But the government has opted instead for a blanket ban on businesses surcharging consumers for using any type of payment method, on the basis that it:
"will create a level playing field between payment instruments and create a much clearer picture for consumers in which they know the full price of the product/service they are purchasing upfront and [can be] confident that there will be no additional charges when they come to pay [with] any payment instrument they choose to use. A blanket ban will also be much easier to enforce than the current position in which merchants are able to pass on costs (but the consumer has no easy way of assessing what these are)."
Meanwhile, the government says it will "assess the scale" of claims that interchange fees for card payments have been rising again.


PSD2 introduces a new “account information service” which basically involves providing information from one or more payment accounts held by the user with one or more other payment service providers.

Initially, the list of services the government said it believed might constitute account information services included some services much broader in nature:
"• price comparison and product identification services;
• income and expenditure analysis, including affordability and credit rating or credit worthiness assessments...
[and] might include accountancy or legal services, for example" (para 6.30).
This provoked concern that the government's interpretation was too broad and overlooked the requirement that an account information service would need to be conducted by way of business in its own right, rather than merely as an ancillary part of a wider service. Examples of services that the government says that respondents were concerned about include: 
"banks’ corporate functions; price comparison websites; accountants; financial advisors; legal firms; and Credit Reference Agencies (CRAs). Many of these services are currently provided via a contractual relationship between service providers, users, and ASPSPs, often referred to as Third Party Mandates (TPMs)."
The government now confirms, however, that:
"many uses of these mandates are likely to be outside of the scope of the PSDII. Examples could include power of attorney, where the services are unlikely to be undertaken ‘in the course of business’."

In addition, the FCA has already suggested this narrower view, based on the 'business test' in its own consultation on how it proposes to supervise PSD2.

Next steps

The FCA is expected to finalise its guidance on its approach to supervising PSD2 - along with application forms and so on for the various types of authorisation/registration - by September, and to accept applications for authorisation/registration from October 2017.


Thursday, 2 February 2017

How The UK Will Introduce #PSD2

The UK Treasury has published its plans for implementing the new Payment Services Directive (PSD2), which must be done by 13 January 2018.  We have until 16 March 2017 to comment on the draft regulations.  No doubt we will also soon hear how the FCA will approach its supervisory role.

I've previously covered the key differences between PSD2 and the current directive, and there are many areas for differing interpretation...

I will share my thoughts on the current consultation in the coming week(s).

Update: a copy of my submission to the Treasury consultation is here.


Tuesday, 10 September 2013

Regulating Convergence

This week I get the chance to chat about three of my favourite topics from a legal standpoint: payments, peer-to-peer finance and data.

All three are in a state of regulatory flux (which is also making for some late nights). But that tells you a lot about where commerce, and society itself, are headed. The much vaunted 'convergence' of Web 1.0 has definitely arrived.

As ever, the challenge for independent regulation of these areas is to approach electronic commerce in a holistic way that promotes competition and innovation, rather than in a blinkered fashion that strangles innovative services at birth...

It should be a lively week.

More in a wrap-up post at the end.

Saturday, 21 January 2012

Should Central Banks Supervise Facebook Credits?

This is an interesting question that I've been keeping an eye on for some time now. Forbes is the latest media outlet to wonder whether Facebook Credits are going to be deemed systemic and somehow in need of regulatory supervision. They cite estimates that Facebook Credits total "$470 million of revenue in 2011, or about 11% of Facebook’s total business."

Financial regulators haven't been terribly interested in Facebook Credits because they merely constitute 'closed loop' stored value, rather than 'open-loop' stored value or 'e-money'. The line of demarcation is somewhat open to conjecture, but as explained below it seems likely that the Facebook Credits programme (as currently configured) will remain outside the scope of regulation. However, Facebook could decide to make things really interesting by 'opening the loop'  to become a full-scale e-money issuer...

When you buy Facebook Credits you're really just buying a 'claim code', like you would a music download, and that code is redeemable for purchases of items on the Facebook.com platform. The code is purchased from and redeemed by the same Facebook entity (if you're a resident of or have your principal place of business in the US or Canada, it's Facebook, Inc., otherwise, it's Facebook Ireland Limited). This means the suppliers of items you buy don't actually redeem the Facebook Credits themselves. Instead they rely on Facebook to process that transaction, and the suppliers receive only 70% of the price of the items sold, after Facebook deducts its commission or fees. The terms and conditions also make it clear that the 'credits' aren't able to be re-sold or transferred to anyone outside of Facebook. All of this means Facebook Credits are 'closed loop' stored value.

Typically, the European Commission has been the most aggressive in trying to comprehensively regulate e-money (and everything else!). That's largely arisen from efforts to break open the continental 'banking monopoly', starting with retail payments. As a result, issuing e-money in the European Economic Area (EEA) is a regulated activity under the second 'E-money Directive', and its use in retail payment transactions is covered by the Payment Services Directive. The two directives have been implemented in the UK by The Electronic Money Regulations 2011 and the Payment Services Regulations 2009. Essentially, this creates a framework within which non-banks can be authorised to process retail payments.

Key regulatory requirements related directly to E-money include official authorisation/supervision, minimum and ongoing capital requirements and the need to safeguard (insure or segregate) money corresponding to outstanding E-money. “Electronic money” is defined as:
"...electronically (including magnetically) stored monetary value as represented by a claim on the electronic money issuer which—(a) is issued on receipt of funds for the purpose of making payment transactions; (b) is accepted by a person other than the electronic money issuer; and (c) is not excluded by regulation 3;" [my italics].
Parking the various issues with the real meaning and scope of "payment transactions", it's clear from the relevant terms and conditions that Facebook Credits are not accepted by anyone other than the relevant Facebook entity. Technologically speaking, it also seems likely that none of the suppliers of items purchased with Facebook Credits would be able to recognise and redeem the unique claim codes. Furthermore, both of the regulation 3 exemptions are relevant in the context of Facebook Credits:
"3. (a) monetary value stored on instruments that can be used to acquire goods or services only—
(i) in or on the electronic money issuer’s premises; or
(ii) under a commercial agreement with the electronic money issuer, either within a limited network of service providers or for a limited range of goods or services;"
which is generally referred to as the 'limited network' exemption; and a 'digital goods' exemption (which also applies to services) for:
"...(b) monetary value that is used to make payment transactions executed by means of any telecommunication, digital or IT device, where the goods or services purchased are delivered to and are to be used through a telecommunication, digital or IT device, provided that the telecommunication, digital or IT operator does not act only as an intermediary between the payment service user and the supplier of the goods and services."
The digital goods exemption is pretty clear cut, and probably applies to most of what Facebook Credits are used for. But being able to pay for a trip to the movies, as Forbes reports occurred in the US last summer, would likely fall outside the EU digital goods/services exemption if it occurred in the European Economic Area. So that puts pressure on the extent to which Facebook can claim to be a "limited network" of service providers or only providing access to "a limited range of goods or services". And if that exemption fell away, we'd be back to whether a participating merchant could be deemed to be 'accepting' Facebook Credits. 

The meaning of "limited" is left undefined in the legislation, probably to give the authorities a broad enough discretion to act where they think it's necessary or appropriate. However, the ordinary dictionary meaning does not equate to 'small', 'narrow' or 'few', so the size of the programme of itself shouldn't be a problem.

Nevertheless, it seems that the scope, scale and growth of the Facebook Credit programme is continuing to provoke policy discussion about its regulatory status, particularly as to whether there are systemic grounds on which Facebook should be segregating customer funds related to outstanding stored value and whether it has some kind of unfair cost advantage over authorised E-money institutions.

I discussed the policy issues related to operational risk, safeguarding and competition concerns in the context of other limited network offerings during the UK consultation on the introduction of the 2011 regulations. Incredible as it may seem, I think these will recede as the eventual scale of 'proper' E-money issuance will gradually grow to vastly exceed the quantity of Facebook Credits in issue - unless Facebook decides to enter the E-money market itself and go 'open-loop'. Now that would be interesting.



Thursday, 26 May 2011

An EU Contract Law? Too Tough To Digest

A hat-tip to Mayer Brown for the heads-up on the latest in the saga of a proposed European Contract Law. We have until 1 July to send feedback on 189 individual articles included in a 'feasibility study'. The Commission will then consider that feedback, together with the results of an earlier consultation.

As I have posted previously in another place, I'm not terribly supportive of a new European Contract Law. It doesn't fix any real problem, and it won't catalyse a single, cross-border market - notwithstanding the rationale advanced by the European Commission. The example used is:
"An Irish consumer buys an MP3 player online from a French retailer. In this case, Irish contract law would apply if the French retailer has designed his website for Irish consumers."
This is a strange scenario, littered with odd assumptions. Besides, there are notable instances of successful cross-border retailing in the EU that rely on the law of a single Member State as the law of the contract. And choice of law is the least of the barriers to setting up such an operation, as the European Commission itself discovered in the context of the reform of laws related to consumer rights and consumer credit. In particular, a May 2007 study by Civic Consulting revealed that:
“the main [non-regulatory] barriers hindering selling of consumer credit products in other EU Member States are different language and culture; consumers’ preference for national lenders; credit risk for lenders – no access to creditworthiness information; problems related to tax, employment practices etc.; difficulties to penetrate local market; different consumer demand in different Member States; lack of consumer confidence in a brand; differing stages of development of consumer credit; and lack of adequate marketing strategies.”
Furthermore, the law should follow, not lead commerce (though I realise that is a common law, rather than a civil law view). Otherwise, it acts as a hurdle to innovation and market development, and only those who are 'good at regulation' (incumbent players) will cope.

A pan-European contract law also conflicts with the principle already enshrined in various financial and other regulatory frameworks that, in general, the law in a corporation's home Member State should govern that corporation's cross-border EU activities. In fact, given the preponderance of any EU-based cross-border retailer's trade is with the citizens of its home state (with the exception of retailers based in Luxembourg) this proposal would seem to envisage retailers either imposing European Contract Law on their local customers, or creating a separate set of terms for cross-border customers. I don't see how either is helpful, other than to generate work for the likes of... well, me.

But I'm not in the business of creating more hurdles for cross-border trade. So, while I will of course personally attempt to digest yet another European dog's breakfast, I propose to focus my drafting energies on an exclusion clause that will mean my clients and their customers won't have to.

Apply within ;-)