Red Alert: Retailers With Loyalty Progammes

Three years after being announced in the UK and I suspect many retailers are yet to realise that their loyalty/store card programmes will be regulated by the Financial Conduct Authority from 13 January 2018 - likewise across the European Economic Area. 

As the FCA now also warns, retailers who offer such programmes anywhere in the EEA will need to track the annual transaction volumes very carefully, starting with the completely arbitrary and inconvenient date of 13 January 2018. 

If the volume meets or exceeds €1 million (or the GBP or local currency equivalent) in any 12 month period (the first ending on 12 January 2019), the retailer must notify the FCA (or local regulator) within 28 days (by 10 February 2019).  Firms may also choose to register at any time from 13 October 2017.

But be sure of the outcome before you decide whether or not to register!

The regulator must then decide whether the programme is exempt from regulation as an e-money/payment service.  

If the firm fails to notify, it commits an offence under the Payment Services Regulations 2017 (or local equivalent implementing the second Payment Services Directive (PSD2)). 

If the FCA decides the programme is exempt, then it must include the retailer on the FCA's register of 'limited networks', and the name will be added to a central register of all such firms across the EEA.

If the FCA decides the programme is not exempt from regulation the retailer can appeal, but basically this means the firm will have been found to be violating the Electronic Money Regulations 2011 and/or Payment Services Regulations 2017 by issuing e-money and/or offering a payment service without being duly authorised/registered to do so. Major problem!

So retailers really have to decide now whether they should outsource the operation of the programme to an authorised firm (or the agent of one); or seek their own authorisation (or agency registration). Ultimately, they might restructure the scheme to fit the exemption, or shut it down.

Of course, the mere fact that retailers with loyalty schemes have to be mindful of these requirements and go through the process means they are in effect regulated by the FCA. Ignorance, as they say, is no defence.

Can It Really Be #PSD2?!

The new Payment Services Directive (PSD2) has been approved by the European Parliament. Following the Parliament’s vote, in order to take effect, the Directive must be formally adopted by the EU Council of Ministers and published in the Official Journal of the EU. This is explained by the European Commission here. I understand that should be done by sometime in November. In the meantime, the official version is published by the European Parliament here. From that date of publication in the Official Journal, Member States will have two years to introduce the necessary changes in their national laws in order to comply with the Directive.

I have updated my note for SCL on PSD2 accordingly.

PSD2 - EU Sleight of Hand?

True to form, the EU Parliamentary process threw up an amended proposal for the new Payment Services Directive last Tuesday, leaving everyone two business days to consider it before this week's Parliamentary session. Conspiracy theorists will wonder what last minute lobbying victories were secured and what might have been different with a few weeks to consider them.

It seems pointless to review the draft, let alone summarise any changes, since further changes may well emerge this week from lurking MEPs. Who knows what will finally pop out in the Journal? Only those swimming in the primordial soup.

My summary of the June draft is here.

#PSD2: The Final Chapter?

I have updated my article for the SCL on the differences between the Payment Services Directive (PSD) and the latest compromise text of PSD2, produced following informal negotiations amongst the European Parliament, Council and the Commission.

It seems we are not far away from the final version.

Lack of Transparency In Negotiation Of #PSD2

I don't think the Beurocrats are terribly concerned by rampant Euroscepticism pervading national electorates. The byzantine EU legislative process trundles on as secretively as ever. All the nonsense about immigration is a nice distraction from lack of transparency on more fundamental issues.

The latest attempt at a fait accompli is the revised proposal for a new Payment Services Directive (PSD2), which is designed to shape the EU's payment systems for the decade to come. Having published several drafts previously with some attempt to mark-up the changes from previous meetings of member state representatives, a rapid-fire draft (dated 21 November) was suddenly published on 24 November, the same day it was due to be debated.

Today, as a result of the 24 November negotiations, a further draft (dated 1 December) was published without any changes marked, along with a recommendation that it be used as the basis for negotiations with the EU Parliament. Never mind that alternative service providers and other stakeholders with minimal lobbying power are attempting to understand and warn of the impact of seismic changes to the payments regulatory framework.

This is no way to approach the regulation of the EU financial system - if you have any interest at all in bringing the market along with you. But it's a perfect way to leave control of the market to the major banks and card schemes who have lobbyists plugged into the process.

Rant ends. I'll be trying to update my article on the changes to the proposals in the coming week.

Though it's hard to see the point.

The Updated Updated Review Of #PSD2

The European Council produced a further update of the proposed new Payment Services Directive (PSD2) in late October, and I have now updated my review article for the SCL, as well as the posts assessing the impact on:

• loyalty schemes, including store card and gift card programmes;


• third party gateways and other technical service providers;


• the providers of the newly regulated payment initiation and account information services; and


• security, innovation and competition.

Regulatory Creep Hits Big Loyalty Schemes - Updated

Store cards, gift cards and loyalty rewards are currently exempt from payments regulation where they are only accepted within the issuer’s premises or certain ‘limited networks’. The new European Payment Services Directive (PSD2) extends the scope of this exemption - which is helpful to some extent - but also introduces a notification requirement that will bring big schemes within the regulatory sphere from 13 January 2018, and oblige the authorities to decide whether the exemption is available. This post explains the changes, and the options open to the operators of such schemes. For other significant changes proposed under PSD2, see my longer SCL article). The Treasury's consultation on introducing PSD2 in the UK has just been published.

The limited network exemption under PSD1 applies to services based on instruments that can be used to acquire goods or services only: (a) in the premises used by the issuer; or (b) under a commercial agreement with the issuer either (i) within a limited network of service providers or (ii) for a limited range of goods or services (my numbering/emphasis).

The exemption under PSD2 is for:

"services based on specific payment instruments that can be used only in a limited way, that meet one of the following conditions:

(i) instruments allowing the holder to acquire goods or services only in the premises of the issuer or within a limited network of service providers under direct commercial agreement with a 'professional issuer' [not defined];

(ii) instruments which can be used only to acquire a very limited range of goods or services;

(iii) instruments valid only in a single Member State provided at the request of an undertaking or a public sector entity and regulated by a national or regional public authority for specific social or tax purposes to acquire specific goods or services from suppliers having a commercial agreement with the issuer." (my emphasis)

Some guidance as to what is meant by 'limited' or 'very limited' is to be found in the relevant recital to PSD2, which states:

"Instruments which can be used for purchases in stores of listed merchants should not be excluded from the scope of this Directive as such instruments are typically designed for a network of service providers which is continuously growing."

In addition, operators of large limited network schemes will be obliged to notify the regulator “if the the total value of payment transactions executed over the preceding 12 months exceeds the amount of EUR 1 million”. The regulator must then decide whether the exemption criteria actually apply, and notify the service provider if the regulator concludes that it does not. There is no provision for a transition period to explore alternative methods of supporting the scheme.

This means that loyalty scheme operators need to consider now whether their scheme will be covered by the revised limited network exemption in January 2018 and, if not, whether they should outsource the operation of the programme to an authorised firm (or the agent of one); or seek their own authorisation (or agency registration). Ultimately, they might restructure the scheme to fit the exemption, or shut it down.

The UK Treasury was due to issue its consultation paper in August 2016 on how it plans to implement PSD2, but has not done so yet. Hopefully, either the Treasury and the FCA will clarify further how they plan to handle the notification process, including whether pre-clearances will be possible during 2017, for example, given the lack of any transition period should the FCA conclude that the exemption does not apply.  Otherwise, queries arising out of any uncertainty in the application of the exemption might be directed to the FCA's Innovation Hub. 

This kind of regulatory 'scope creep' is not at all healthy, however. PSD2 should be clearer on what activities are in or out of scope. Instead, we have activities that are out of scope altogether; in scope but exempt; in scope with authorisation required; in scope with registration required; or in scope with only notification required (as here).

The question also remains why loyalty schemes are being targeted in this way. There is no evidence of any harm to consumers in such scenarios, as discussed in the context of earlier plans by the UK Treasury to propose self-regulation to ring-fence retail loyalty scheme funds (here and here).  It seems a case of mistaken identity with retail pre-payment schemes such as operated by Farepak and certain tour companies which don't appear to be caught anyway.  Similarly, there is no distinction made for 'limited network' schemes whose rules do not allow cash to be obtained by either redeeming the limited network value or seeking a refund for a purchase made using that value.

[First published 23.10.14, and since updated to reflect the change to the notification threshold; again to reflect the removal of 'unlimited' in a late draft of PSD2; and again to include the date when PSD2 takes effect in national law]

PSD2, The Saga Continues - Updated

The European Council issued its revised proposal for PSD2in September 2014.

The Society for Computers and Law has kindly published an update to my earlier article on PSD2 to reflect the revised proposal.

Possibly the key issues relate to:

• limiting the technology service providers exemption to those who supply their services to payment service providers, rather than users - for example, this would no longer seem to apply to 'gateway' data services supplied to merchants/retailers, as opposed to acquirers;
• the distinctions between technology services, on the one hand, and services involving payment initiation, account access, bill payment and acquiring;
• the inconsistent treatment of bill payment services, e-commerce marketplaces and the suppliers of public communications networks (telcos);
• the notification requirements for large store card, gift card and loyalty programmes and other 'limited network' payment schemes;
• the requirement for payment service providers to release to payers the names of payees who refuse to surrender funds that have been paid to them by mistake;
• host state reporting for cross-border service providers, in addition to home state reporting;
• prescriptive security provisions affecting different types of payment service provider, which must meet (as yet unpublished) standards issued by the European Banking Authority;
• e-money institutions having to provide fresh evidence that they meet the threshold conditions for authorisation.

Interested in hearing your thoughts, either here or via the SCL site.

 

Should Central Banks Supervise Facebook Credits?

This is an interesting question that I've been keeping an eye on for sometime now. Forbes is the latest media outlet to wonder whether Facebook Credits are going to be deemed systemic and somehow in need of regulatory supervision. They cite estimates that Facebook Credits total "$470 million of revenue in 2011, or about 11% of Facebook’s total business."

Financial regulators haven't been terribly interested in Facebook Credits because they merely constitute 'closed loop' stored value, rather than 'open-loop' stored value or 'e-money'. The line of demarcation is somewhat open to conjecture, but as explained below it seems likely that the Facebook Credits programme (as currently configured) will remain outside the scope of regulation. However, Facebook could decide to make things really interesting by 'opening the loop'  to become a full-scale e-money issuer...

When you buy Facebook Credits you're really just buying a 'claim code', like you would a music download, and that code is redeemable for purchases of items on the Facebook.com platform. The code is purchased from and redeemed by the same Facebook entity (if you're a resident of or have your principal place of business in the US or Canada, it's Facebook, Inc., otherwise, it's Facebook Ireland Limited). This means the suppliers of items you buy don't actually redeem the Facebook Credits themselves. Instead they rely on Facebook to process that transaction, and the suppliers receive only 70% of the price of the items sold, after Facebook deducts its commission or fees. The terms and conditions also make it clear that the 'credits' aren't able to be re-sold or transferred to anyone outside of Facebook. All of this means Facebook Credits are 'closed loop' stored value.

Typically, the European Commission has been the most aggressive in trying to comprehensively regulate e-money (and everything else!). That's largely arisen from efforts to break open the continental 'banking monopoly', starting with retail payments. As a result, issuing e-money in the European Economic Area (EEA) is a regulated activity under the second 'E-money Directive', and its use in retail payment transactions is covered by the Payment Services Directive. The two directives have been implemented in the UK by The Electronic Money Regulations 2011 and the Payment Services Regulations 2009. Essentially, this creates a framework within non-banks can be authorised to process retail payments.

Key regulatory requirements related directly to E-money include official authorisation/supervision, minimum and ongoing capital requirements and the need to safeguard (insure or segregate) money corresponding to outstanding E-money. “Electronic money” is defined as:

"...electronically (including magnetically) stored monetary value as represented by a claim on the electronic money issuer which—(a) is issued on receipt of funds for the purpose of making payment transactions; (b) is accepted by a person other than the electronic money issuer; and (c) is not excluded by regulation 3;" [my italics].

Parking the various issues with the real meaning and scope of "payment transactions", it's clear from the relevant terms and conditions that Facebook Credits are not accepted by anyone other than the relevant Facebook entity. Technologically speaking, it also seems likely that none of the suppliers of items purchased with Facebook Credits would be able to recognise and redeem the unique claim codes. Furthermore, both of the regulation 3 exemptions are relevant in the context of Facebook Credits:

"3. (a) monetary value stored on instruments that can be used to acquire goods or services only—

(i) in or on the electronic money issuer’s premises; or
(ii) under a commercial agreement with the electronic money issuer, either within a limited network of service providers or for a limited range of goods or services;"

which is generally referred to as the 'limited network' exemption; and a 'digital goods' exemption (which also applies to services) for:

"...(b) monetary value that is used to make payment transactions executed by means of any telecommunication, digital or IT device, where the goods or services purchased are delivered to and are to be used through a telecommunication, digital or IT device, provided that the telecommunication, digital or IT operator does not act only as an intermediary between the payment service user and the supplier of the goods and services."

The digital goods exemption is pretty clear cut, and probably applies to most of what Facebook Credits are used for. But being able to pay for a trip to the movies, as Forbes reports occurred in the US last summer, would likely fall outside the EU digital goods/services exemption if it occurred in the European Economic Area. So that puts pressure on the extent to which Facebook can claim to be a "limited network" of service providers or only providing access to "a limited range of goods or services". And if that exemption fell away, we'd be back to whether a participating merchant could be deemed to be 'accepting' Facebook Credits. 

The meaning of "limited" is left undefined in the legislation, probably to give the authorities a broad enough discretion to act where they think it's necessary or appropriate. However, the ordinary dictionary meaning does not equate to 'small', 'narrow' or 'few', so the size of the programme of itself shouldn't be a problem.

Nevertheless, it seems that the scope, scale and growth of the Facebook Credit programme is continuing to provoke policy discussion about its regulatory status, particularly as to whether there are systemic grounds on which Facebook should be segregating customer funds related to oustanding stored value and whether it has some kind of unfair cost advantage over authorised E-money institutions.

I discussed the policy issues related to operational risk, safeguarding and competition concerns in the context of other limited network offerings during the UK consultation on the introduction of the 2011 regulations. Incredible as it may seem, I think these will recede as the eventual scale of 'proper' E-money issuance will gradually grow to vastly exceed the quantity of Facebook Credits in issue - unless Facebook decides to enter the E-money market itself and go 'open-loop'. Now that would be interesting.