FCA Updates Payment Services Approach On Customer Authentication, Gift Cards

The FCA has today published its policy statement explaining changes to the Approach document following the consultation on Strong Customer Authentication and some other revised guidance in September (although the links to the actual revised Approach Document don’t appear to be working correctly at the moment).

Notwithstanding the confusion created by the proposed changes to the guidance on the "limited network exclusion" to exclude gift cards from the scope of PSD2 (no doubt partly due to the obligation to register programmes that exceed €1m in transactions in any 12 month period), the FCA confirms the guidance as follows:

store cards – for example, a ‘closed-loop’ gift card, where the card can only be used at the issuer’s premises or website (so where a store card is co-branded with a third party debit card or credit card issuer and can be used as a debit card or credit card outside the store, it will not benefit from this exclusion). On the other hand, in our view, ‘gift cards’ where the issuer is a retailer and the gift card can only be used to obtain goods or services from that retailer are not payment instruments within the meaning of the PSRs 2017. This is because these basic gift cards do not initiate payment orders; payment for the goods or services is made by the customer to the retailer of the goods in advance, when the card is purchased from the retailer. Accordingly, this exclusion is not relevant to them.

The FCA explains this interpretation in the latest policy statement (at para 6.15) as follows:

"The change we have made to clarify that retailers issuing their own gift cards should not have to notify, is based on the issuer and the retailer being the same person. If the issuer is not the retailer, but the card would be used to purchase goods and services from that retailer, it is possible that the card would be considered a payment instrument under the PSRs 2017 and the limited network exclusion test would be relevant. We already give relevant guidance in PERG Q40 on such instances."

For convenience, the limited network exclusion provides as follows (with the paragraph (k)(i) being the limb which gift card programme operators - and the FCA - have historically assumed applied to avoid gift cards being subject to e-money and payment services regulation):

(k) services based on specific payment instruments that can be used only in a limited way and meet one of the following conditions—

(i) allow the holder to acquire goods or services only in the issuer's premises;

(ii) are issued by a professional issuer and allow the holder to acquire goods or services only within a limited network of service providers which have direct commercial agreements with the issuer;

(iii) may be used only to acquire a very limited range of goods or services; or

(iv) are valid only in a single EEA State, are provided at the request of an undertaking or a public sector entity, and are regulated by a national or regional public authority for specific social or tax purposes to acquire specific goods or services from suppliers which have a commercial agreement with the issuer.

This overlooks the fact that while the retailer may have already received the funds or value from the purchaser of the gift card/account (potentially via a payment service provider under a regulated payment transaction), yet the "holder" is often a different person who is later using the gift card/account balance as a means of acquiring goods or services (albeit that transaction may only be accounted for in the retailer's accounting system without being processed via a third party payment provider).

While the FCA's view may be factually and logically correct (particularly from a VAT standpoint), and will no doubt come as a relief to retailers who would otherwise have to register programmes, it involves an apparent re-interpretation of the relevant definitions to overlook what may be regarded as certain 'legal fictions' in the PSD and PSD2 that operate to catch other payment methods - particularly in relation to card payments, for example. The FCA's guidance should therefore confirm the step-by-step rationale as to why a "payment order" is therefore not initiated; how the gift card scenario falls outside the definitions of "payment transaction"; and why neither the gift card holder nor the retailer/issuer are a "payer" or "payee" respectively. But I suspect that may open a can of worms...

The FCA's view also represents a key area of potential divergence from EU payments law in the Brexit context, to the extent that the Commission and EEA regulators may well decline to adopt the FCA's interpretation. The Central Bank of Ireland, for example, includes "prepaid gift card to buy cinema tickets" in the list of programmes that fall within the limited network exclusion. The FCA does not seem to be concerned that the same programme that regulators insist must be registered in, say, France - and therefore surface in the European Banking Authority's register of large limited networks - would not be registered at all in the UK. That wider uncertainty creates confusion and the potential for "regulatory creep" as firms might take action beyond what is required by the FCA in order to avoid it - such as shutting programmes, outsourcing or applying to register unnecessarily (at least from a UK standpoint). 

The sooner such scope for confusion at EEA level is removed, the better.

At the same time, however, the FCA's view does not alter the need for retailers to be careful about the implications of any changes made to their programme, in case they find that the limited network exclusion does then apply and needs to be registered.

Shifting Sands: The FCA Considers Gift Cards Outside The Scope Of PSD2

The sands are shifting under the legal status of gift cards, as the UK's Financial Conduct Authority consults on guidance that removes them from the scope of e-money and payments regulation altogether, rather than deeming them to be excluded as "limited networks". This interpretation would at least remove the need for large gift card programmes to be registered with the FCA, but also suggests a divergence from EU payments law in the Brexit context, to the extent that other EEA regulators may well decline to adopt the FCA's interpretation. Ultimately, it is unclear whether a gift card programme might yet somehow fall within the regulated scope but still benefit from an exclusion.

What's a "gift card"?

Gift cards have always represented the advance purchase of goods or services from the retailer who issued the card. Sometimes the value is recorded on the card (or voucher) itself, sometimes it is represented by a credit to a specific account for the card or named customer in the retailer's IT system. In either case, such value is considered 'closed loop'. There is a subtle difference between this and paying for a specific item in advance. But in both cases, the retailer has been able to treat the funds paid by the purchaser as its own funds, so that the customer has always taken on the risk of the retailer going bust before the value could be redeemed or the specific item was delivered (think Farepak and Wrapit).

Gift cards vs "E-money"

Electronic money, on the other hand, requires you to first 'load' value to a device or account (or 'e-wallet') which the "issuer" then enables you to use to pay for purchases at a range of retailers who either participate on the issuer's proprietary platform, or who accept the issuer's 'prepaid debit cards' via the major card schemes. In this sense, e-money is 'open loop'. Here, the customer is taking the risk that the e-money issuer might go broke before the customer can spend the e-money with the retailers. The risk of this has always been considered much greater than the risk of an individual retailer's insolvency, so financial regulators were given powers to control e-money issuance to try to eliminate that risk. The first electronic money directive in 2000 ("EMD") therefore obliged e-money issuers to hold sufficient capital to avoid insolvency and to keep the cash corresponding to their customers' e-money balances separate from the issuer's own cash. They defined "electronic money" as being stored value that is accepted as a means of payment by an entity other than the issuer, thereby excluding 'closed loop' stored value that is issued and spent or redeemed with the the same entity. 

Exemptions for "limited networks"

The closed/open loop distinction was carried through into the first payment services directive in 2007 ("PSD") by explicitly excluding from the definition of "payment services" any "services based on instruments that can be used to acquire goods or services only in the premises used by the issuer or under a commercial agreement with the issuer either within a limited network of service providers or for a limited range of goods or services". This provision became known as the "limited network exemption".  

That exemption was effectively endorsed in 2009, when the second e-money directive ("EMD2") defined "electronic money" by reference to the value being used for the purpose of making payment transactions under the PSD, rather than accepted by an entity other than the issuer.  The reference to the PSD thus automatically picked up and relied on the limited network exemption. 

In 2010, the Treasury proposed an obligation for retailers to segregate their gift card funds, but failed to attract any support. The limited network exemption then evolved into a narrower "limited network exclusion" by 2015 under the second payment services directive ("PSD2"), yet Question 40 of the FCA's Perimeter Guidance still cites "a closed loop gift card" as benefiting from that exclusion.  

In addition, PSD2 requires limited networks which transact more than €1m in any 12 month period to be registered with the local financial regulator, which then has a duty to determine whether the limited network exclusion actually applies to it. The first 12 month period expires on 13 January 2019, with registration due on 10 February. This has obliged retailers to begin tracking the size of their loyalty programmes to determine if and when they need to register, and the consequences of a finding that the programme is not excluded. In essence, the retailer could find itself prosecuted for having operated an e-money and/or payment service without either being authorised or registered as an agent an authorised firm (subject to any 'due diligence defence').

Gift cards now out of scope altogether?

In its latest consultation, however, the FCA proposes to change its stated view by removing the gift card example from Q40 and instead stating:

"... in our view, ‘gift cards’ where the issuer is a retailer and the gift card can only be used to obtain goods or services from that retailer are not payment instruments within the meaning of the PSRs 2017. This is because these basic gift cards do not initiate payment orders; payment for the goods or services is made by the customer to the retailer of the goods in advance, when the card is purchased from the retailer. Accordingly, this exclusion is not relevant to them."

But does that analysis extend to server-side stored value that can only be spent with the issuer? It is also at odds with the fact that VAT is not assessed on gift card purchases to avoid duplication, since VAT will in any case be levied on the actual purchase of items from the retailer in due course (let's ignore 'breakage', where the consumer leaves a balance that the retailer eventually takes to revenue). 

Wider consequences?

While this may be factually and logically correct, and might come as a relief to some large retailers, it otherwise creates confusion and "regulatory creep" as firms take action beyond what is required in order to avoid uncertainty - such as shutting programmes, outsourcing or applying to register unnecessarily. It involves an apparent re-interpretation of the relevant definitions to overlook what may be regarded as certain 'legal fictions' in the PSD and PSD2 that operate particularly in relation to card payments, for example. It also represent a key area of potential divergence from EU payments law in the Brexit context, to the extent that other EEA regulators may well decline to adopt the FCA's interpretation - the Central Bank of Ireland, for example, includes gift cards in the list of programmes that fall within the limited network exclusion. 

At the same time, however, the FCA's view does not alter the need for retailers to be careful about the implications of any changes made to their programme, in case they find that the limited network exclusion does then apply and needs to be registered.

Payment Services #.0: When Payments Finally Become Less Visible

Today marks the dawn of new payments regulation under the second Payment Services Directive (PSD2). Yawn, you say. But, unusually for a technology-based industry, the experience for customers should outstrip the hype. Is this Payment Services 2.0? 3.0? 4.0?  Who cares? After all, "paying" for something or "checking your balance" should not be an activity all on its own. It should be just a small part of something else you're in the middle of doing. In other words, it's what you won't see that should make all the difference...

You might not deal with your bank anymore when paying or checking statements

New “payment initiation services” will mean you can use a separate service provider to make payments from your bank account or other payment accounts, without logging-in to your payment account provider's systems.

New “account information services” will combine the information from all your payment accounts and display it to you in one place. You could also permit that information to be sent to others (e.g. a lender, a comparison website or professional adviser). 

Not only will such services cut the amount of time you spend logging-in to different providers. They'll also make it easier for you to gather your financial information, understand and control your financial affairs and make payments from a range of accounts. 

You won't see retailers charging you for the privilege of paying them

From now on, nobody can add a charge based purely on how you pay them. So all their profit will be in the price of the goods or services you buy, not the extras. 

The UK has typically gone further than other EU countries to apply this to every type of consumer payment method. So, any contract term requiring such a 'surcharge' will not be enforceable. In fact, there will be an implied requirement to refund the excess. Or you could initiate a chargeback via your debit/credit card issuer, or make a claim against your credit card issuer under section 75 of the Consumer Credit Act. 

In addition, any extra charge for using a commercial payment method must be limited to the supplier's cost of accepting that type of payment. Again, no room for extra margin here.

You won't realise that big loyalty schemes are now policed by the FCA

Retail loyalty schemes, such as gift cards, fuel cards and other ‘limited network’ programmes, will need to be registered with the Financial Conduct Authority if the value of their transactions meets or exceeds €1 million (or the GBP equivalent) in any 12 month period.

The intention is to safeguard customer funds that are paid into wider schemes, as with any other e-money or payment service.

The FCA must then decide if the scheme really is a ‘limited network’ that's entitled to an exclusion from e-money and payments regulation. 

If not, then the retailer may have already committed an offence by offering the scheme in the first place.

The retailer also commits an offence if it fails to notify the FCA within 28 days after reaching the €1 million threshold. So retailers should check the status of their loyalty programmes well before then!

You will see less delay in handling your complaints 

The time for processing customer complaints has been cut from 8 weeks to 15 business days. This increases the pressure on payment service providers to operate much more efficiently, so they have fewer complaints and find it easier and less costly to solve any problems you do have. 

You won't see the increased security

You won't see all the standards-setting and development work that's going on behind the scenes to make all of this happen in a far more secure way than payment services have worked before.

The new regulations bring mandatory technical standards for better ways to make sure customers are who they claim to be, and for the different types of payment service providers to work together where you need them to do so.

So, finally, "payments" will become less visible... if you know what I mean.

Will EU Red Tape Kill Store Cards And Loyalty Schemes?

Following my earlier SCL article on PSD2, I've had a few more thoughts on the European Commission's proposals aimed at ‘limited network’ services, such as retail store cards, gift cards, fuel cards and loyalty programmes. Remember, the Commission wants the changes agreed by Spring 2014, and Member states will have two years to implement them. It will be another five years before the Commission revies the effect of the changes, so this is the last chance to rectify the mistakes in PSD1 and avoid more in PSD2...

You will recall (no doubt) that the PSD exempts payment transactions based on payment instruments accepted only within the issuer's premises or certain 'limited networks'. Such instruments are also exempt from the definition of 'electronic money' in EMD2 by reference to the PSD exemption. While this exemption survives under PSD2, operators will be obliged to notify the regulator if the average of their transactions in the preceding 12 months exceeds €1m per month. The regulator may then disagree that the exemption applies. This catches 'closed loop' stored value and other instruments such as retail store cards, gift cards, fuel cards and loyalty programmes. Yet, as discussed previously here and here when the UK Treasury considered self-regulation to ring-fence funds in this area, there is no evidence of any harm to consumers in such scenarios, compared to the collapse of retail pre-payment schemes such as those offered by Farepak or tour operators which appear not be caught.

Here are my additional thoughts:

1. Other than simply the volume/value, there seems to be implied an additional basis on which a regulator might decide that a service which otherwise fell within limited network exemption below the threshold average of €1m per month would no longer qualify when it reached that threshold. What basis would that be?


2. If the regulator were to disagree that the limited network exemption under PSD2 applies, is the service provider automatically guilty of an offence without any possibility of an orderly transition to full authorisation or finding an authorised payment institution or PSD agent to operate the service?


3. Similarly, if the regulator were to disagree that the limited network exemption under PSD2 applies to a ‘closed loop’ stored value service, does that amount to a decision that the exemption from the definition of “electronic money” under EMD2 would also cease to apply to that service? If so, a service provider who was lawfully operating within the exemption below the volume threshold would suddenly find itself in breach of both PSD2 and EMD2, again without any possibility of an orderly transition to full authorisation or finding an authorised e-money institution to operate the service.


4. Outcomes such as those in scenarios 2 and 3 above seem to conflict with the privilege against self-incrimination and may be otherwise unacceptable from a public policy standpoint (e.g. the avoidance of retrospective regulation). Practically speaking, this mechanism could also drive every service provider with a programme operating anywhere near the volume threshold to approach the regulator for an indication of whether it’s programme would, if it reached the threshold, be deemed in breach. However, even doing that would open up a similar risk that the regulator may disagree that the exemption applies, with the ugly consequences that may follow. Accordingly, we may find that the operators of all limited network payment schemes apply for authorisation, or use an authorised firm to operate their schemes merely as a precaution against the possible commission of an offence. Or they cancel their programmes altogether. 

Surely such 'regulatory creep' is not the intention...?