Red Alert: Retailers With Loyalty Progammes

Three years after being announced in the UK and I suspect many retailers are yet to realise that their loyalty/store card programmes will be regulated by the Financial Conduct Authority from 13 January 2018 - likewise across the European Economic Area. 

As the FCA now also warns, retailers who offer such programmes anywhere in the EEA will need to track the annual transaction volumes very carefully, starting with the completely arbitrary and inconvenient date of 13 January 2018. 

If the volume meets or exceeds €1 million (or the GBP or local currency equivalent) in any 12 month period (the first ending on 12 January 2019), the retailer must notify the FCA (or local regulator) within 28 days (by 10 February 2019).  Firms may also choose to register at any time from 13 October 2017.

But be sure of the outcome before you decide whether or not to register!

The regulator must then decide whether the programme is exempt from regulation as an e-money/payment service.  

If the firm fails to notify, it commits an offence under the Payment Services Regulations 2017 (or local equivalent implementing the second Payment Services Directive (PSD2)). 

If the FCA decides the programme is exempt, then it must include the retailer on the FCA's register of 'limited networks', and the name will be added to a central register of all such firms across the EEA.

If the FCA decides the programme is not exempt from regulation the retailer can appeal, but basically this means the firm will have been found to be violating the Electronic Money Regulations 2011 and/or Payment Services Regulations 2017 by issuing e-money and/or offering a payment service without being duly authorised/registered to do so. Major problem!

So retailers really have to decide now whether they should outsource the operation of the programme to an authorised firm (or the agent of one); or seek their own authorisation (or agency registration). Ultimately, they might restructure the scheme to fit the exemption, or shut it down.

Of course, the mere fact that retailers with loyalty schemes have to be mindful of these requirements and go through the process means they are in effect regulated by the FCA. Ignorance, as they say, is no defence.

Will Regulatory Technical Standards Slow The Pace Of Payments Innovation?

Under the new Payment Services Directive (PSD2), the European Banking Authority (EBA) is tasked with producing 'regulatory technical standards' to be followed by those with certain obligations, including how payment service providers (PSPs) must authenticate customers and communicate with each other. But it seems this process and the standards themselves are acting as a brake on innovation and related investment.

The EBA consulted on its proposed regulatory technical standards for authentication and communication between August and October, with a revised set due in the coming months.

PSD2 requires PSPs to apply "strong customer authentication" where "the payer... accesses its payment account online, initiates an electronic payment transaction or carries out any action through a remote channel which may imply a risk of payment fraud or other abuses."

But two big issues raised by PSD2 are (1) how each type of payment is initiated; and (2) who actually initiates it.

The EBA believes card payments are initiated by the cardholder as payer, but fudges the issue somewhat by requiring the card acquirers (i.e. the PSP of the merchants) to require their merchants to support strong authentication for all payment transactions. The added complication is where a payment transaction is initiated by the payee, but the payer's consent is given "through a remote channel which may imply a risk of payment fraud or other abuses".

There is a view, however, that card payments are among those that are in fact initiated by the payee (the merchant), who is not in fact the 'payee' of the cardholder at all but is paid by the card acquirer to which the merchant submits its transactions. The cardholder just pays the card issuer. This is all bound up in fundamental problems with the definitions of "payment transaction", "payer" and "payee" in both the PSD and PSD2; and the fact that card acquiring works through a series of back-to-back contracts that do not involve any direct contract between the buyer and the seller at all concerning payment processing. Indeed, a challenge for the UK's implementation plans is that there is a Court of Appeal decision which supports this view. 

In these respects, PSD2 appears to set up a 'legal fiction', which (despite taking a somewhat purposive approach in the 'fudge' explained above) the EBA appears to insist on in language at the end of its consultation paper: "all the requirements under consultation apply irrespective of the underlying obligations and organisational arrangements between" the various types of PSP, payers and payees. In other words, we have a weird situation where the law and related standards are to be applied regardless of how payment systems and processes really work.

Not only can this lead to situations where, for example, some banks insist that the PSD does not cover card acquiring, but it can also cause over-compliance to avoid doubt and other restraints on innovation.

While distinctions concerning how payments are inititiated and by whom might seem to matter less in the context of security measures to be adopted by PSPs - since everyone is interested in reducing financial crime - it is absolutely critical in the context of software and services that contribute in any way to payments being "initiated" and whether the suppliers or users of such software and services must be authorised as "payment initiation service providers" or perhaps even as the issuers of payment instruments. 

It will be very interesting to see how the Treasury proposes to address these problems in transposing PSD2 itself, although it's more likely the FCA will be left to explain how to comply, assuming the Treasury declines to take a purposive approach to EU law and simply copies the language of PSD2 into UK law (a process known as 'gold-plating').

There are numerous other glitches in the technical standards that have been identified by respondents, too numerous to mention here, but which it is hoped will be reconsidered in the next version - not that such standards should ever be considered as 'final' or set for all time. Indeed, an overarching problem seems to be that in the EBA's attempts to drag our legacy payments infrastructure into the 21st century, insufficient attention has been given to existing and potential alternative security technology - even in cases where incumbents are seeking to leapfrog the limitations of legacy systems.

Meanwhile, a year has slipped by since PSD2 was approved and the standards themselves are only due to take effect in October 2018 'at the very earliest', by which time they are likely to be thoroughly out of step with commercially available technology. 

While old systems may need to be accommodated to some degree, surely the pace of payments innovation should not be tied to the slowest animals in the herd?

Can It Really Be #PSD2?!

The new Payment Services Directive (PSD2) has been approved by the European Parliament. Following the Parliament’s vote, in order to take effect, the Directive must be formally adopted by the EU Council of Ministers and published in the Official Journal of the EU. This is explained by the European Commission here. I understand that should be done by sometime in November. In the meantime, the official version is published by the European Parliament here. From that date of publication in the Official Journal, Member States will have two years to introduce the necessary changes in their national laws in order to comply with the Directive.

I have updated my note for SCL on PSD2 accordingly.

PSD2 - EU Sleight of Hand?

True to form, the EU Parliamentary process threw up an amended proposal for the new Payment Services Directive last Tuesday, leaving everyone two business days to consider it before this week's Parliamentary session. Conspiracy theorists will wonder what last minute lobbying victories were secured and what might have been different with a few weeks to consider them.

It seems pointless to review the draft, let alone summarise any changes, since further changes may well emerge this week from lurking MEPs. Who knows what will finally pop out in the Journal? Only those swimming in the primordial soup.

My summary of the June draft is here.

#PSD2: The Final Chapter?

I have updated my article for the SCL on the differences between the Payment Services Directive (PSD) and the latest compromise text of PSD2, produced following informal negotiations amongst the European Parliament, Council and the Commission.

It seems we are not far away from the final version.

Mobile Consumer Rights

The mobile operators have finally agreed a code of practice on consumer billing. 

It does not state a standard cap on the customer’s liability for charges incurred as a result of unauthorised use of the device after it has been lost or stolen, or the notification period for the customer to report a device lost or stolen in order to qualify for the cap. But I understand that there is agreement on a £100 cap on the basis for notification to both the operator and police within 24 hours. 

That's a higher cap than for payment services (which have a cap of 50 euros) and an additional report to the police seem a little onerous, and just more admin for customers and police. However, the code leaves it open for providers to compete over this issue...

Changes to #MIF Regulation

Worth noting that the text of the Merchant Interchange Fees Regulation dated 16 January 2015 differs substantively from the version published on 31 October 2014 and considered by MEPs on 17 December. Troubling that no mark-up has been provided. However, I have done the work and updated my previous summary accordingly.

MEPs Agree To Cap Card Fees (#MIFs)

Based on the recent deal amongst MEPs, it looks like the Merchant Interchange Fees (MIF) Regulation will sail through the EU Parliamentary process in early 2015.

Lack of Transparency In Negotiation Of #PSD2

I don't think the Beurocrats are terribly concerned by rampant Euroscepticism pervading national electorates. The byzantine EU legislative process trundles on as secretively as ever. All the nonsense about immigration is a nice distraction from lack of transparency on more fundamental issues.

The latest attempt at a fait accompli is the revised proposal for a new Payment Services Directive (PSD2), which is designed to shape the EU's payment systems for the decade to come. Having published several drafts previously with some attempt to mark-up the changes from previous meetings of member state representatives, a rapid-fire draft (dated 21 November) was suddenly published on 24 November, the same day it was due to be debated.

Today, as a result of the 24 November negotiations, a further draft (dated 1 December) was published without any changes marked, along with a recommendation that it be used as the basis for negotiations with the EU Parliament. Never mind that alternative service providers and other stakeholders with minimal lobbying power are attempting to understand and warn of the impact of seismic changes to the payments regulatory framework.

This is no way to approach the regulation of the EU financial system - if you have any interest at all in bringing the market along with you. But it's a perfect way to leave control of the market to the major banks and card schemes who have lobbyists plugged into the process.

Rant ends. I'll be trying to update my article on the changes to the proposals in the coming week.

Though it's hard to see the point.

Card Scheme MIF Regulation [Updated 20 Jan 2015]

In addition to a new Payment Services Directive (PSD2), the Beurocrats have been busy on a Regulation aimed at payment card transactions - mainly to cap merchant interchange fees, but also to introduce some 'business rules' (MIF Regulation). Unlike PSD2, the MIF regulation will take effect directly in each member state, rather than having to be implemented into national law first. The caps on fees described below apply from 6 months after the regulation enters into force, while the grace period for the business rules is 12 months after the regulation enters into force. The MIF regulation must be reviewed by the Commission four years after entering into force, with any recommendation to amend the fee cap. Underlining and strike-through reflects changes made to the MIF Regulation since October 2014.

Capping fees:

The January 2015 version of the MIF Regulation (updating the October 2014 version) caps the hidden interchange fees that card issuers receive from merchant acquirers for cross-border all debit card transactions at 0.2%. However, for domestic debit card transactions, Member States may apply either a lower cap per transaction and a fixed maximum fee amount, or allow payment service providers (PSPs) to apply a per transaction fee of up to €0.05 in combination with a maximum percentage rate of no more than 0.2%, provided that the interchange fees of the payment card scheme does not exceed the fee is capped at a weighted average of 0.2% of the annual transaction value of the domestic debit card for all transactions within each payment card a scheme, or 0.2% per transaction. But for 5 years, Member States may allow PSPs to apply to domestic debit card transactions a weighted average interchange fee of up to 0.2% of the annual average transaction value of all domestic debit card transactions within each payment card scheme, or a lower weighted average if they wish.

The interchange fee for each credit card transaction is to be capped at 0.3%, although member states can reduce this for domestic transactions.

If domestic payment transactions are not distinguishable as debit or credit card transactions by the payment card scheme, the provisions on debit cards or debit card transactions apply. However, for 1 year after the fee caps apply, Member States may rule that up to 30% of the indistinguishable transactions are considered to be credit card transactions to which the credit card cap shall apply.

At these levels, the authorities believe that retailers should not be allowed to impose additional charges for use of cards that are subject to the caps (such 'surcharging' is controlled by PSD2). However, cards issued to businesses ('commercial cards') and those issued by 'three party payment schemes' (like Amex) are exempt from the caps. That's because businesses are thought to be able to fend for themselves (unlike consumers); and in a three party scheme all fees are charged by the scheme operator, so both the consumer and the merchant know who's paying what to whom. In those cases, then, the merchants can charge for the pain of accepting such cards and it's up to the scheme operators whether to lower their fees. But there are certain limits to the exemption for three party schemes.

In addition, the caps will not apply to 'limited network' payment instruments (like gift cards) which:

• allow the holder to acquire goods or services only within a limited network of service providers under direct commercial agreement with a professional issuer; or
• can only be used to acquire a very limited range of goods or services; or
• instruments valid only in a single Member State provided at the request of an undertaking or public sector entity and regulated by a national or regional public authority for specific social or tax purposes to acquire specific goods or services from suppliers having a commercial agreement with the issuer.

Confusingly, however, there's a similar exemption under PSD2 which carries an additional limitation that “The same instrument cannot be used to make payment transactions to acquire goods and services within more than one limited network or to acquire an unlimited range of goods and services”. So it's conceivable that a scheme may be exempt from the need to be authorised under PSD2, yet have its interchange fees regulated under the MIF Regulation.

Business Rules:

The MIF Regulation has some additional 'business rules':

1. there can't be any territorial licensing restrictions on scheme membership within the EU;
2. card schemes (other than three party schemes) must: ensure their system is technically interoperable with other systems of processing entities within the EU; must separateensure the rule-making entity is independent from entities providing payment processing and other services; eliminate cross-subsidies among scheme services; and not make any one service conditional on taking or providing another;
3. all card schemes must:

• allow 'co-badging', so that a single card can be accepted under multiple schemes;
• enable co-branded instruments on the same card, if possible, but give clear and objective information on the different instruments and their characteristics;
• not discriminate between issuers or acquirers concerning co-badging of payment brands or applications or in terms of reporting, fees or other obligations, routing of transactions or by using mechanisms that limit the choice of application by payer and payee when using a co-badged instrument (though prioritising is okay);
• not charge fees on a blended basis for different card types, unless requested;
• not insist that all their types of cards are honoured if a merchant only wants to accept some of them (and so must enable customers to readily distinguish between the different types of cards offered by the scheme);
• not prevent retailers ‘steering’ customers toward using a preferred payment method, without prejudice to rules under the PSD or the consumer rights directive.

While the MIF Regulation is reasonable advanced, the UK Payment Systems Regulator (PSR) recently warned that if the adoption of the MIF Regulation is delayed, or the implementation of its domestic fee caps is deferred from the caps on cross-border interchange fees, it will consider taking action in advance of the Regulation; and that it may still consider whether it is appropriate to take any further action even if the MIF Regulation is adopted.

In other words, official trust in card schemes is low.

Payment Systems Regulator Publishes Regulatory Proposals

It's all go in the payments world at the moment. The EU is trying to hammer out a new payment services directive (PSD2), while the UK's new Payment Systems Regulator (PSR) is setting up shop ahead of its official launch in April 2015.

The PSR has just announced the results of a joint market study with Ofcom on the level of innovation in the payments sector, which casts doubt on certain aspects of PSD2.

In addition, the PSR has published its response to an earlier consultation on its proposed rules for regulating payment systems. The term "payment system" is defined very broadly as:

“a system which is operated by one or more persons in the course of business for the purpose of enabling persons to make transfers of funds, and includes a system which is designed to facilitate the transfer of funds using another payment system.”

The intention behind the rules are to:

• set a new approach to industry strategy development - a new 'Payments Strategy Forum';
• change the governance and control of payment systems to ensure greater transparency and representation of users in decision making, avoidance of conflicts of interest, publication of board minutes and compliance reports to the PSR;
• make it easier for participants of all sizes to access payment systems – directly or indirectly;
• action on interchange if EC regulation is delayed; and
• require system operators to discuss significant developments with the PSR in advance and on an on-going basis.

If the rules still aren't to your liking, you have until 12 January to kick up a fuss.

The Updated Updated Review Of #PSD2

The European Council produced a further update of the proposed new Payment Services Directive (PSD2) in late October, and I have now updated my review article for the SCL, as well as the posts assessing the impact on:

• loyalty schemes, including store card and gift card programmes;


• third party gateways and other technical service providers;


• the providers of the newly regulated payment initiation and account information services; and


• security, innovation and competition.

Regulatory Creep Hits Big Loyalty Schemes - Updated

Store cards, gift cards and loyalty rewards are currently exempt from payments regulation where they are only accepted within the issuer’s premises or certain ‘limited networks’. The new European Payment Services Directive (PSD2) extends the scope of this exemption - which is helpful to some extent - but also introduces a notification requirement that will bring big schemes within the regulatory sphere from 13 January 2018, and oblige the authorities to decide whether the exemption is available. This post explains the changes, and the options open to the operators of such schemes. For other significant changes proposed under PSD2, see my longer SCL article). The Treasury's consultation on introducing PSD2 in the UK has just been published.

The limited network exemption under PSD1 applies to services based on instruments that can be used to acquire goods or services only: (a) in the premises used by the issuer; or (b) under a commercial agreement with the issuer either (i) within a limited network of service providers or (ii) for a limited range of goods or services (my numbering/emphasis).

The exemption under PSD2 is for:

"services based on specific payment instruments that can be used only in a limited way, that meet one of the following conditions:

(i) instruments allowing the holder to acquire goods or services only in the premises of the issuer or within a limited network of service providers under direct commercial agreement with a 'professional issuer' [not defined];

(ii) instruments which can be used only to acquire a very limited range of goods or services;

(iii) instruments valid only in a single Member State provided at the request of an undertaking or a public sector entity and regulated by a national or regional public authority for specific social or tax purposes to acquire specific goods or services from suppliers having a commercial agreement with the issuer." (my emphasis)

Some guidance as to what is meant by 'limited' or 'very limited' is to be found in the relevant recital to PSD2, which states:

"Instruments which can be used for purchases in stores of listed merchants should not be excluded from the scope of this Directive as such instruments are typically designed for a network of service providers which is continuously growing."

In addition, operators of large limited network schemes will be obliged to notify the regulator “if the the total value of payment transactions executed over the preceding 12 months exceeds the amount of EUR 1 million”. The regulator must then decide whether the exemption criteria actually apply, and notify the service provider if the regulator concludes that it does not. There is no provision for a transition period to explore alternative methods of supporting the scheme.

This means that loyalty scheme operators need to consider now whether their scheme will be covered by the revised limited network exemption in January 2018 and, if not, whether they should outsource the operation of the programme to an authorised firm (or the agent of one); or seek their own authorisation (or agency registration). Ultimately, they might restructure the scheme to fit the exemption, or shut it down.

The UK Treasury was due to issue its consultation paper in August 2016 on how it plans to implement PSD2, but has not done so yet. Hopefully, either the Treasury and the FCA will clarify further how they plan to handle the notification process, including whether pre-clearances will be possible during 2017, for example, given the lack of any transition period should the FCA conclude that the exemption does not apply.  Otherwise, queries arising out of any uncertainty in the application of the exemption might be directed to the FCA's Innovation Hub. 

This kind of regulatory 'scope creep' is not at all healthy, however. PSD2 should be clearer on what activities are in or out of scope. Instead, we have activities that are out of scope altogether; in scope but exempt; in scope with authorisation required; in scope with registration required; or in scope with only notification required (as here).

The question also remains why loyalty schemes are being targeted in this way. There is no evidence of any harm to consumers in such scenarios, as discussed in the context of earlier plans by the UK Treasury to propose self-regulation to ring-fence retail loyalty scheme funds (here and here).  It seems a case of mistaken identity with retail pre-payment schemes such as operated by Farepak and certain tour companies which don't appear to be caught anyway.  Similarly, there is no distinction made for 'limited network' schemes whose rules do not allow cash to be obtained by either redeeming the limited network value or seeking a refund for a purchase made using that value.

[First published 23.10.14, and since updated to reflect the change to the notification threshold; again to reflect the removal of 'unlimited' in a late draft of PSD2; and again to include the date when PSD2 takes effect in national law]

PSD2, The Saga Continues - Updated

The European Council issued its revised proposal for PSD2in September 2014.

The Society for Computers and Law has kindly published an update to my earlier article on PSD2 to reflect the revised proposal.

Possibly the key issues relate to:

• limiting the technology service providers exemption to those who supply their services to payment service providers, rather than users - for example, this would no longer seem to apply to 'gateway' data services supplied to merchants/retailers, as opposed to acquirers;
• the distinctions between technology services, on the one hand, and services involving payment initiation, account access, bill payment and acquiring;
• the inconsistent treatment of bill payment services, e-commerce marketplaces and the suppliers of public communications networks (telcos);
• the notification requirements for large store card, gift card and loyalty programmes and other 'limited network' payment schemes;
• the requirement for payment service providers to release to payers the names of payees who refuse to surrender funds that have been paid to them by mistake;
• host state reporting for cross-border service providers, in addition to home state reporting;
• prescriptive security provisions affecting different types of payment service provider, which must meet (as yet unpublished) standards issued by the European Banking Authority;
• e-money institutions having to provide fresh evidence that they meet the threshold conditions for authorisation.

Interested in hearing your thoughts, either here or via the SCL site.

 

Mobile Wallet Payments: EPC White Paper

The European Payments Council has issued a white paper on mobile wallet payments in an attempt to drive (bank-centric) 'standards, best practices and schemes' for mobile payments. 

While comments from "all interested stakeholders" are welcomed by 30 September 2013, one needs to bear in mind that the EPC represents the European banking industry. The claim (in footnote 3) that the banking industry includes payment institutions is disingenuous at best. The creation of payment institutions via the Payment Services Directive reflected the European Commission's avowed intent to carve out payment services from the banking monopoly. Some PIs are members of the EPC but most are not, and it's especially telling that neither e-money nor e-money institutions are mentioned in this white paper at all, yet are firmly engaged in providing mobile payment services. 

You will also gather from the overly enthusiastic use of banking and payment applications during the "day in the life of Mr Garcia" that the EPC is not overly fond of retail apps that embed the payment step to the point of convenient invisibility.

As a result, the paper may be interesting if you want to know how retail banks view the mobile payments market segment, but if you're interested in payments innovation more generally you'll need to spend most of the time reading between the lines...

Image from BankingTech