Publications and events

1. The CJEU published its findings on the Hedqvist v Swedish Supreme Administrative Court (C264/14) today; which was consistent with the earlier opinion from the advocate general. The question was whether the sale of bitcoin fell within the scope of VAT, and if so, whether it could benefit from any of the exemptions to the regime. The answer is that bitcoin can benefit from the same exemption that is available to cash, meaning that bitcoin can be used as an effective means of payment. Had VAT been chargeable on bitcoin itself, it would have made its use as a currency impossible. This is because, for example the purchase of £10 worth of bitcoin would cost £12 in the UK, if the VAT rate was 20%, but leaving the user with just £10 of bitcoin to spend. There would in effect be a double Charge of VAT, first on the bitcoin and then on the chargeable item being purchased.

It is likely that other similar digital currencies could also benefit from this treatment. This is a great result for providers across the European Union as the judgment does not only apply to Sweden but also to all other Member States.

Congratulations to David Hedqvist for seeing this through, and the bitcoin companies that supported him in the case.

2. The EBA published its draft Guidelines on the risk factors that have to be taken into consideration when considering whether to apply simplified due diligence (SDD) or enhanced due diligence (EDD) to a customer.

The SDD provisions are of particular importance, and whilst most of the provisions are balanced and well informed, there is an exception. Currently e-money issuers are able to postpone verification of identity until a cumulative (annual) spend threshold of EUR 2500 had been reached – subject to other conditions. The draft Guidelines, (which are open for consultation until the 22nd of January) leave the limit open, and should offer significant flexibility depending on the approach of the national member state regulator.

It can in fact be argued that higher limits better address law enforcement concerns, as they encourage cash substitution while providing far more visibility and traceability of users. This is the case even when relying on SDD provisions.

Postponement of CDD is not only a matter of convenience or cost, it is one of access to customers. New innovative payment service providers who need to build their user base must ensure low barriers to entry.

The EMA will respond to the consultation and represent the views of e-money issuers. This is a matter of significant importance, and is worthy of attention.

The above article was written by Dr Thaer Sabri, EMA CEO

The current PSD sets out ‘negative scope’ provisions that list a range of services that would be considered out of scope of payments regulation. Many of these followed pre-existing legal and commercial practice, while others simply draw a distinction between electronic and paper based payment products.

Three of these exemptions have been much used by new payment service providers, and all have been amended in some way by PSD2 in response to competing business and regulatory policy objectives.

(i) The first and much discussed is the limited network exemption; a demarcation of three circumstances where payments regulation is disproportionate. It exempts from the PSD (and EMD2) payment schemes that are limited by geography, limited by the number of merchants participating or by the range of goods and services for which payments are made. This is a key exemption that exempts staff canteens, book tokens as well as many gift card products. Regulators have however struggled with the interpretation of ‘limited’, and continue to do so. In an effort to contain the size of such schemes PSD2 has introduced ‘very limited’ to one limb and qualified issuers as ‘professional’ in another. More significantly however, notification is now required if the turnover associated with exempt schemes exceed EUR 1m. This is likely to increase regulators’ workload significantly, without necessarily increasing clarity or pan European consistency. A new limb provides products with a specific tax or social purpose such as ‘luncheon vouchers’ with exemption now and these are also free from notification obligations.

(ii) The second exemption relates to commercial agents, and provides for some conditions to be fulfilled. The idea is that where a payment is undertaken to a party acting as commercial agent for another person, then the agent does not provide a payment service; they simply receive the payment on behalf of their principal as payee. This is an important exemption and has been relied upon by bill payment service providers for decades. It also precedes the PSD. Increasing use of this arrangement by e-commerce platforms has however prompted a change limiting its scope of application. PSD2 now prohibits such arrangements where the agent acts for both payer and payee. It is not clear however if the change achieves the intended purpose.

(iii) The third exemption, the ‘IT Operator’ exemption, widely used by mobile network operators to offer premium rate service payments has been relaxed in some ways and restricted in others. It now extends the scope of products that can be purchased under the exemption, from digital goods that are delivered to a device to the purchase of ‘tickets’ and also to charitable donations. Simultaneously however, it introduces transaction and cumulative turnover limits that apply to each subscriber.

The nature of the changes, their impact and interpretation will be another focus of discussion at next week’s EMA Conference.

The article “PSD2 Exemptions” was written by Dr Thaer Sabri, EMA CEO

This is the first time that EU payments legislation has sought to detail IT security requirements. They have generally been part of prudential obligations to maintain good internal controls.

The provisions can be divided into four areas: (i) strong customer authentication, meaning two factor – with a number of exemptions, which are required for most remote interactions including account access, (ii) dynamic linking of the authorisation of each remote transaction with the amount and the payee, (iii) a requirement for PSPs to establish a security risk management and mitigation framework, and to report to the competent authority periodically on such risks and mitigation strategies, and (iv) a requirement to notify competent authorities of major operational or security incidents with an information sharing process that involves the EBA, ECB and host member state competent authorities.

Whilst risk management and incident notification may be part of existing practice, new EBA guidelines are expected to elaborate on these obligations. Strong customer authentication in turn builds on current EBA guidelines on the security of Internet payment, and these would be updated to reflect amended and additional requirements.

The EMA conference next week will bring the EBA, member state regulators, and industry security practitioners together to discuss the impact on different parts of the payments sector.

The article ” PSD2-IT Security Provisions” was written by Dr Thaer Sabri, EMA CEO