The EMA monitors and frequently responds to government and European consultations on regulation that impact the e-money and payment services industry. The relevant regulatory proposals and consultations are listed below.
On Monday 4 July we submitted evidence to the House of Commons Public Bill Committee responsible for scrutinizing the Finance Bill 2016.
New proposed legislation has been incorporated into the Finance Bill 2016 that will give HMRC the power to gather payments data from payment service providers and online “business intermediaries” on their customers – both businesses and consumers. HMRC want to increase tax revenue by gathering data to aid in the capturing of unreported income (the “hidden economy”), a goal that the EMA supports.
However, this aim should not be to the detriment of consumers’ rights to the protection of their data. The proposals as set out in Clause 164 of the Finance Bill 2016 give rise to broader powers than those set out in the explanatory notes, resulting in a law that is heavily disproportionate in relation to the intended result. The new powers are drafted in such a way as to give the impression that HMRC will be making targeted requests for data from data-holders on an ad-hoc basis. However, in reality they will require data holders to report all relevant data on a quarterly basis, potentially moving to monthly basis in the near future, and they may require them to report on all accounts, regardless as to whether they are consumer or business accounts. In addition to this, there are no in-built safeguards on how the data will be used in future.
The data collection powers being proposed are not sufficiently limited: the scope of what data can be collected, and the definition of whose data can be collected are broad, collection will be periodic – annually or even monthly, and the data, once collected, may be used for any purpose. These proposed powers are compounded by the recent introduction of the UK government’s draft Digital Economy Bill, which will allow HMRC to share data with other bodies.
Below we have set out our concerns in further detail.
Evidence for Finance Bill 2016 Clause 164. Electronic Money Association
The EMA responded to a previous consultation: https://emaprd.wpengine.com/blog/ema-response-to-hmrc-consultation-on-extension-of-data-gathering-powers
Data Protection concerns: EMA evidence for House of Commons for Finance Bill 2016 Read More »
We welcomed the implementation of specific e-money thresholds under Article 15 and the reference to any low-risk situations that may qualify for SDD under European guidance. However, we expressed our expectation for it to be made clear that both identification and verification may be postponed within the limits set by Article 15(1) (7).
As Lithuania proposed not to make use of the national optional threshold of EUR 500 for non-reloadable e-money products, we emphasised the importance of taking advantage of this option, in order for the e-money industry to continue providing solutions to the financially excluded and those with limited means.
Regarding the requirement for a local point of contact for each issuer physically distributing products in Lithuania, we set out why this requirement would not be an appropriate means of exercising control over passporting EMIs.
Find more details of the EMA response here.
EMA responds to 4MLD implementation consultation in Lithuania Read More »
We sought two objectives, requesting:
(i) clarification regarding when issuers are expected to issue co-badged cards, and
(ii) that the PSR withdraw their requirement to label corporate cards under three different labels, instead of a single “corporate” label.
The final consolidated PSR Guidance, published on 5 October, was amended in line with the our proposals:
Details of the response can be found here.
We sought two objectives, requesting:
(i) clarification regarding when issuers are expected to issue co-badged cards, and
(ii) that the PSR withdraw their requirement to label corporate cards under three different labels, instead of a single “corporate” label.
The final consolidated PSR Guidance, published on 5 October, was amended in line with the our proposals:
Details of the response can be found here.
EMA responds to Czech Republic PSD2 consultation
The EMA submitted a response to the Czech Ministry of Finance’s consultation on the implementation of PSD2 in the Czech Republic. The consultation web-page can be found here, and the existing Czech Payments Systems Act (Regulation no. 284/2009 Coll.) here.
The consultation asks for stakeholders’ views regarding the specific options where Member States may diverge from the PSD2 requirements. The EMA response focuses primarily on those options that will affect EMIs, PIs and CIs passporting into the Czech Republic, whether by way of freedom of establishment or by freedom of services.
The response argues:
Read the EMA response here.
EMA responds to Czech Republic PSD2 consultation Read More »
EMA responds to EBA Consultation on Passporting under PSD2
See the EBA consultation details here.
The EMA has responded to the EBA’s consultation on regulatory technical standards (RTS) on the framework for cooperation and exchange of information between competent authorities for passport notifications under PSD2. These draft RTS set out templates for passporting, services passporting, agent passporting, and establishment passporting. They also set out a template for distributor passporting. These templates could have a significant impact on PSPs passporting to other EU Member States, including where any services are outsourced to another EU Member State.
The EMA’s response welcomes the standardisation of passporting notifications, as this may improve efficiencies for both regulators and firms. However, there are a number of concerns raised by the EMA in the response.
PSD2 provides for two types of passporting to be undertaken. These are based on the principle of mutual recognition set out in the Treaty of the European Union (“Treaty”). The first is freedom to offer services and the second is the right of establishment. However, the draft format conflates these concepts by requiring one form for both. Not only is this unhelpful from an administrative perspective, but it may result in Member State authorities treating passport entities as established entities. The EMA has accordingly proposed:
– that two forms are used – one for passporting under Freedom of Services, and one for Freedom of Establishment
– a separate, third form should be used for the outsourcing of services
– a definition of “distributor” would help distinguish between agents and distributors in terms of operation and legal responsibilities.
Read the EMA response here.
EMA responds to EBA Consultation on Passporting under PSD2 Read More »
EMA response to FCA Guidance consultation on outsourcing to the cloud
Read about FCA’s consultation here.
The EMA responded to the FCA’s recent consultation on the use of cloud IT service providers This is of significant interest for many Fintechs and innovative PSPs who rely on such outsourcers to deliver many important functions. The FCA draft guidance in a number of areas (i.e. Legal and regulatory considerations, Effective access to Systems Data, Access to business premises) will likely have a significant impact on existing outsourcerrelationships. Based on the current draft, it is likely that many existing service contracts would have to be re-negotiated and possibly terminated with the financial service providers bearing additional costs and corresponding impact on existing operations.
The EMA’s response calls on the FCA to take into account current technology trends and market dynamics when drafting the Final Guidance on this topic. Currently, many regulated firms have limited negotiating leverage to introduce any changes to the standard service delivery agreements offered by the large, reputable cloud IT service providers.
The EMA’s response suggests that instead the Guidance focus on:
(1) additional criteria for a regulated firm to consider when establishing a cloud-service outsourcer due diligence process, and
(2) setting up a robust service review & monitoring framework; for example ensuring a service provided by a cloud-based outsourcer meets agreed key performance indicators (“KPIs”).
Read the EMA response here.
EMA response to FCA Guidance consultation on outsourcing to the cloud Read More »
The EMA has responded to the EBA’s discussion paper on strong customer authentication and secure communication under PSD2. This discussion paper asks for views from stakeholders regarding a number of topics that the EBA proposes to address in the regulatory technical standards it will develop to support compliance with the PSD2 security requirements (including the practicalities around strong customer authentication, dynamic linking of customer authentication with individual transaction information and secure intra-PSP communication).
The EMA’s response:
– raises concerns regarding the minimum 10-month time gap between the time PSD2 comes into force and the earliest date that the EBA RTS may be implemented;
– calls for a risk- and principles-based approach rather than delving into prescriptive detail or producing exhaustive lists of security controls/transaction types;
– expresses concern about the negative consequences of an EU standard that is overly prescriptive or diverges significantly from global standards, as many EMA members operate outside the EU;
– calls for the definition of a governance framework (used to assess compliance of individual solutions/products) with the RTS.
The EMA response also requests:
– further clarification around the category of payment activities that might benefit from the ‘risk-based’ exemption frjaneom the requirement to complete strong customer authentication (SCA): Many online account access interactions (i) do not expose sensitive payment data or payment user credentials and (ii) cannot be used to alter existing account settings; thus, they do not give rise to payment fraud risks.
– a flexible approach with regards to the requirements to ‘dynamically link’ each payment with information about the payee and payment amount, as this will introduce significant friction to the user experience with little benefit in terms of security of payment transaction.
Read the EMA response here.
EMA response to EBA Discussion Paper on security requirements of PSD2 Read More »
EMA response to HMRC on Extension of data-gathering powers
Read about HMRC’s consultation here.
The EMA has responded to HMRC’s consultation on draft legislation intended to tackle the ‘hidden economy’ of tax avoidance by extending their powers to gather bulk data on transactions by customers of electronic PSPs and business intermediaries. This would give HMRC the legal power to require electronic PSPs (ePSPs) and business intermediaries to report bulk transaction data on their customers on a regular (annual, quarterly or potentially monthly) basis.
The EMA has two main concerns in relation to the draft legislation. Firstly, whilst the intention is only to capture income received in the course of business, the current legal drafting would not preclude HMRC from requesting bulk data related to certain consumer accounts as well as business accounts. Secondly, there is no intention of collecting equivalent data from other PSPs, such as banks. We believe that not only would this have a negative impact on consumer trust in relation to ePSP accounts by raising data privacy concerns, it would place ePSPs at a disadvantage to other PSPs such as banks, who would not be required to provide equivalent information.
On that basis, the EMA’s response proposes amendments to the legislation in several areas:
1. A narrowing of the defintion of electronic PSP
2. A narrowing of the types of payment transactions that can be captured
3. A narrowing of the type of payment recipient whose transaction data can be captured
4. A clarification that merchant acquirers should be excluded, as they are already covered under existing powers.
Read the EMA response here.
EMA response on Extension of data-gathering powers Read More »
