EMA publications

The EMA frequently responds to government and European consultations on regulation that impacts the e-money and payment services industry. Sometimes, we also express our views on issues that are raised in the public domain where we feel it is important to provide an industry input.

Our publications reflect the views of the EMA as whole; individual members’ views may vary from time to time. The public consultation responses are listed below. For further information on these positions, please contact us.

EMA responds to Czech Republic PSD2 consultation


The EMA submitted a response to the Czech Ministry of Finance’s consultation on the implementation of PSD2 in the Czech Republic. The consultation web page can be found here, and the existing Czech Payments Systems Act (Regulation no. 284/2009 Coll.) here.

The consultation asks for stakeholders’ views regarding the specific options where Member States may diverge from the PSD2 requirements. The EMA response focuses primarily on those options that will affect EMIs, PIs and CIs passporting into the Czech Republic, whether by way of freedom of establishment or by freedom of services.

The response argues:

  • Against any requirement for a Central Contact Point for PSPs passporting into the Czech Republic under the Freedom of Establishment, as this is unnecessarily burdensome, particularly for small Fintech companies
  • In favour of a harmonised framework across the EEA in general, as this will decrease barriers for firms wishing to access markets across the EEA
  • Against any requirement to provide the monthly transaction statement in paper format, as this is not coherent with the average customer profile of many EMA members, who often open, access and use their accounts remotely

Read the EMA response here.


EMA responds to EBA Consultation on Passporting under PSD2


See the EBA consultation details here.

The EMA has responded to the EBA’s consultation on regulatory technical standards (RTS) on the framework for cooperation and exchange of information between competent authorities for passport notifications under PSD2. These draft RTS set out templates for passporting, services passporting, agent passporting, and establishment passporting. They also set out a template for distributor passporting. These templates could have a significant impact on PSPs passporting to other EU Member States, including where any services are outsourced to another EU Member State.

The EMA’s response welcomes the standardisation of passporting notifications, as this may improve efficiencies for both regulators and firms. However, there are a number of concerns raised by the EMA in the response.

PSD2 provides for two types of passporting to be undertaken. These are based on the principle of mutual recognition set out in the Treaty of the European Union (“Treaty”). The first is freedom to offer services and the second is the right of establishment. However, the draft format conflates these concepts by requiring one form for both. Not only is this unhelpful from an administrative perspective, but it may result in Member State authorities treating passport entities as established entities. The EMA has accordingly proposed:
– that two forms are used – one for passporting under Freedom of Services, and one for Freedom of Establishment
– a separate, third form should be used for the outsourcing of services
– a definition of “distributor” would help distinguish between agents and distributors in terms of operation and legal responsibilities.


Read the EMA response here.


EMA response to FCA Guidance consultation on outsourcing to the cloud


Read about FCA’s consultation here.

The EMA responded to the FCA’s recent consultation on the use of cloud IT service providers. This is of significant interest for many Fintechs and innovative PSPs who rely on such outsourcers to deliver many important functions. The FCA draft guidance in a number of areas (e.g. legal and regulatory considerations, effective access to systems and data, access to business premises) will likely have a significant impact on existing outsourcer relationships. Based on the current draft, it is likely that many existing service contracts would have to be re-negotiated and possibly terminated, with the financial service providers bearing additional costs and a corresponding impact on existing operations.

The EMA’s response calls on the FCA to take into account current technology trends and market dynamics when drafting the Final Guidance on this topic. Currently, many regulated firms have limited negotiating leverage to introduce any changes to the standard service delivery agreements offered by the large, reputable cloud IT service providers.

The EMA’s response suggests that instead the Guidance focus on:
(1) additional criteria for a regulated firm to consider when establishing a cloud-service outsourcer due diligence process, and
(2) setting up a robust service review & monitoring framework; for example ensuring a service provided by a cloud-based outsourcer meets agreed key performance indicators (“KPIs”).

Read the EMA response here.


EMA response to EBA Discussion Paper on security requirements of PSD2

The EMA has responded to the EBA’s discussion paper on strong customer authentication and secure communication under PSD2. This discussion paper asks for views from stakeholders regarding a number of topics that the EBA proposes to address in the regulatory technical standards it will develop to support compliance with the PSD2 security requirements (including the practicalities around strong customer authentication, dynamic linking of customer authentication with individual transaction information and secure intra-PSP communication).

The EMA’s response:
– raises concerns regarding the minimum 10-month time gap between the time PSD2 comes into force and the earliest date that the EBA RTS may be implemented;
– calls for a risk- and principles-based approach rather than delving into prescriptive detail or producing exhaustive lists of security controls/transaction types;
– expresses concern about the negative consequences of an EU standard that is overly prescriptive or diverges significantly from global standards, as many EMA members operate outside the EU;
– calls for the definition of a governance framework (used to assess compliance of individual solutions/products) with the RTS.

The EMA response also requests:
– further clarification around the category of payment activities that might benefit from the ‘risk-based’ exemption from the requirement to complete strong customer authentication (SCA): many online account access interactions (i) do not expose sensitive payment data or payment user credentials and (ii) cannot be used to alter existing account settings; thus, they do not give rise to payment fraud risks.
– a flexible approach with regards to the requirements to ‘dynamically link’ each payment with information about the payee and payment amount, as this will introduce significant friction to the user experience with little benefit in terms of security of payment transaction.

Read the EMA response here.



EMA response on Extension of data-gathering powers

EMA response to HMRC on Extension of data-gathering powers

Read about HMRC’s consultation here.

The EMA has responded to HMRC’s consultation on draft legislation intended to tackle the ‘hidden economy’ of tax avoidance by extending their powers to gather bulk data on transactions by customers of electronic PSPs and business intermediaries. This would give HMRC the legal power to require electronic PSPs (ePSPs) and business intermediaries to report bulk transaction data on their customers on a regular (annual, quarterly or potentially monthly) basis.

The EMA has two main concerns in relation to the draft legislation. Firstly, whilst the intention is only to capture income received in the course of business, the current legal drafting would not preclude HMRC from requesting bulk data related to certain consumer accounts as well as business accounts. Secondly, there is no intention of collecting equivalent data from other PSPs, such as banks. We believe that not only would this have a negative impact on consumer trust in relation to ePSP accounts by raising data privacy concerns, it would place ePSPs at a disadvantage to other PSPs such as banks, who would not be required to provide equivalent information.

On that basis, the EMA’s response proposes amendments to the legislation in several areas:
1. A narrowing of the definition of electronic PSP
2. A narrowing of the types of payment transactions that can be captured
3. A narrowing of the type of payment recipient whose transaction data can be captured
4. A clarification that merchant acquirers should be excluded, as they are already covered under existing powers.

Read the EMA response here.


EMA response to EBA on SDD EDD

Read about the European Supervisory Authorities’ Joint consultation here.

The EMA has responded to the European Supervisory Authorities’ Joint consultation on risk factors and simplified and enhanced customer due diligence under 4MLD. The EMA welcomed the format of the draft guidance, which set out an initial section with generic guidance followed by sector-specific guidance.

The response highlights a number of points:

– the guidance around the treatment of Politically Exposed Persons (PEPs) is overly complex, and risks excluding PEPs from financial services as the cost of maintaining their accounts may outweigh any commercial benefit for providers.
– the guidance around correspondent banking relationships could lead to the conclusion that banks have to take steps to “know their customer’s customer”, which will exacerbate de-risking, a phenomenon that has had a negative impact on the e-money and money service business sectors in recent years
– several detailed comments around risk factors that indicate higher or lower risk in the e-money sector.

Read the EMA response here.


PSD2 Newly regulated services

One of PSD2’s most contested provisions during the negotiation process related to “third party payment service providers”, later redefined as (i) Payment Initiation Service Providers (PISPs) and (ii) Account Information Service Providers (AISPs).

These are not new services, but they will now be subject to regulation for the first time, and through regulation could achieve the stability to enable a new wave of innovation based on the additional functionality.

PISPs include providers such as Sofort and Trustly, and also bank-led initiatives such as the Dutch iDEAL. They essentially enable a user to initiate a payment transaction from their own bank account, to the bank account of the merchant, over existing banking networks. PISPs add value by facilitating the payment from the merchant’s checkout, populating the payment instruction page with transaction and payee data.

AISPs on the other hand include Yodlee as well as Intuit’s Mint; both offer services that enable users to aggregate data from different financial services providers. This is done by logging into a user’s account and “scraping” the relevant data, and doing so again for the various financial products: bank accounts, loan accounts, credit cards etc. The user is then able to review their financial information at a single location; and more significantly, may be offered tools to analyse the data, compare prices, make suggestions on service providers and perhaps be offered additional products – all tailored to the user’s specific needs.

During the negotiation process, banks proposed that PISPs and AISPs enter into legal contracts with “account servicing payment service providers” (ASPSPs), such as banks, before they could access users’ accounts. This might have also created a framework for cost sharing or for fees to be applied. This was rejected by legislators who feared it would act as a barrier to take-up, and set out provisions for unencumbered access wherever there was an online banking interface. Similarly, legislators provided that ASPSPs could not prohibit customers from using their ASPSP account authentication credentials with third party service providers.

PSD2 has also tasked the EBA with developing regulatory technical standards on “secure open standards of communication” between the various parties. This falls short of mandating an API, and was welcomed by PISPs who feared that the development of more detailed specifications could be used as a proxy for limiting bank account and information access.

There are benefits for customers generally, but also for payment service providers looking to offer new payment products. The first is in lowering the cost of funding for these products. E-money issuers for example have an acquiring cost associated with enabling consumers to purchase e-money and funding their accounts or prepaid cards. Direct bank transfers would lessen dependence on debit and credit card funding, lowering the cost of acquiring, and in turn enabling more competitive consumer and merchant fees.

Secondly, and as trailed within PSD2 text, the Commission foresees the migration of these services to the physical world. PISPs could issue “debit cards” linked to users’ own bank accounts, triggering payments over the banking network, and bypassing card schemes. This could save on interchange and other card related fees, but will of course be subject to the PISPs’ own fees.

AISP services have a distinct appeal. They have the potential of concentrating value and creating a single reference point for users. Aggregating user data, mining this information, providing users with tools to better understand their finances, and presenting money saving choices and offers, perhaps in a PSP agnostic environment, have the potential to build consumer trust and to provide a gateway to financial services.

The article “PSD2 Newly regulated services” was written by Dr Thaer Sabri, EMA CEO


European Payments Regulators Call for the End of Single-Factor Authentication

On December 19, 2014, citing an increase in fraud, the European Banking Authority (EBA) published its Final Guidelines on the Security of Internet Payments. These guidelines detail minimum security requirements that payment services providers (PSPs) supervised by financial services regulators in the EU were expected to satisfy by August 1, 2015.

As of the end of May 2015, 24 national regulatory authorities in the E.U. stated that they would comply with these guidelines, two (Cyprus and Sweden) indicated partial compliance, while three (Estonia, Slovakia and the U.K.) indicated they would not comply.

The payment services that fall within the scope of these guidelines include all Internet payment services, irrespective of the access device used, that involve:

  • The use of most payment cards, including card registration for use in digital wallets;
  • The transfer of funds out of customers’ bank accounts (through credit transfers or the issuance of direct debit mandates); and
  • E-money transfers between two e-money accounts.

These guidelines do not apply to mobile payments where a payment instruction is provided through a dedicated payment application executing on the customer’s mobile device or to the use of short message service (SMS) technology.

The impact of some of these requirements on the operational processes of many payment service providers (PSPs) will be significant. Many will have to deploy additional security controls, revise user-facing processes and require that their online merchants and third-party service providers can satisfy these requirements.

Further complicating the regulatory landscape for PSPs is the impending adoption of the final text of the Revised Payment Services Directive (PSD2) later in 2015. PSD2 also includes specific security requirements on customer authentication that are similar (but not identical) to the requirements in the EBA guidelines.


The expectation is that after adoption by the EU the PSD2 will be transposed into national legislation over a period of 24 months. At that time, PSD2 requirements will supersede the EBA guidelines in the supervisory frameworks of national regulators that have chosen to comply with them.

End of the line for single-factor authentication?
To attain strong customer authentication under EBA guidelines PSPs must deploy procedures that use a minimum of two independent authentication elements – categorised as knowledge, ownership and inherence. Furthermore, authentication procedures are required to incorporate at least one element that is non-reusable and non-replicable and not “capable of being surreptitiously stolen via the internet.” Importantly, inherence-based authentication elements like biometrics are excluded from this requirement.

The impact of this requirement is compounded by the EBA’s apparent adoption of a loose definition of sensitive payment. A wide range of the personally identifiable information (PII) held by PSPs falls within the scope of this definition.

The introduction of these guidelines is expected to further accelerate the ongoing migration of PSP customer authentication processes from single-factor authentication (SFA) to multi-factor authentication (MFA) procedures. The use of static password/user ID credentials will likely be limited to controlling access to less sensitive account overview/profile information.

Using the mobile communications channel
Since many PSPs are unlikely to distribute hardware tokens/cards to their customers, wider use of the mobile communications channel to support a MFA customer authentication procedure should be expected. Many PSPs already offer their customers dedicated mobile applications for most mobile device operating systems.

Extending the use of such applications to generate a one-time password (OTP) that is subsequently entered by the customer as part of a multi-factor authentication procedure may be an approach favoured by many PSPs regulated in the E.U. The use of SMS-based solutions to deliver an OTP to a registered customer mobile device could be an alternative approach.

Biometrics going mainstream
The growing availability of biometric-based authentication on consumer mobile devices provides an opportunity for mobile application developers to use them as part of a MFA process. As stated previously, the use of a biometric authentication element in an MFA process allows a PSP to satisfy these EBA guidelines without needing to bear the cost/complexity of deploying an infrastructure that generates and distributes one-time passwords over an alternative channel.

The EBA guidelines introduce explicit requirements for PSPs that issue payment cards to register their cards for use with strong customer authentication services; digital wallet providers are required to support the use of such services for card registration and subsequent payments. PSPs that acquire card payments are also required to support the use of strong customer authentication services.

The language used appears to point to the use of solutions based on the 3D Secure extended cardholder authentication protocol for online payments. It must be noted that legacy 3D Secure variants that use static passwords do not meet the EBA definition of strong customer authentication. In the past, PSPs have been wary of the deployment of 3D Secure solutions since they are perceived to increase friction in the customer experience and lead to increased numbers of failed/abandoned transactions.

Transaction risk analysis
The EBA guidelines allow PSPs to use alternative customer authentication solutions for low-risk transactions. To limit the scope of strong customer authentication sessions, PSPs are increasingly using automated transaction risk-analysis tools to monitor and assign risk ratings to attempted transactions on a real-time basis. A number of these tools offer a dynamic reconfiguration capability coupled with enhanced “learning” abilities.

Impact on customer experience
The impact of the adoption of these guidelines by EU financial services regulators on Internet payment interactions of non-EU customers could be significant. Global PSPs that are regulated in the EU are expected to change customer authentication procedures, their website design and a number of back-office processes to comply. Over a period of time, such changes are likely to be extended to instances of their payment services offered to non-EU customers to maintain a consistent customer experience.

This article was written by Dimitrios Markakis, Senior consultant at Flawless Money Ltd 

First published in n>genuity journal- http://tsys.com/ngenuity-journal/index.html


Good news on bitcoin and a mixed consultation from the EBA on risk factors for SDD and EDD

1. The CJEU published its findings on the Hedqvist v Swedish Supreme Administrative Court (C264/14) today, which were consistent with the earlier opinion from the advocate general. The question was whether the sale of bitcoin fell within the scope of VAT, and if so, whether it could benefit from any of the exemptions to the regime. The answer is that bitcoin can benefit from the same exemption that is available to cash, meaning that bitcoin can be used as an effective means of payment. Had VAT been chargeable on bitcoin itself, it would have made its use as a currency impossible. For example, if the VAT rate was 20%, the purchase of £10 worth of bitcoin would cost £12 in the UK while leaving the user with just £10 of bitcoin to spend. There would in effect be a double charge of VAT, first on the bitcoin and then on the chargeable item being purchased.

It is likely that other similar digital currencies could also benefit from this treatment. This is a great result for providers across the European Union as the judgment does not only apply to Sweden but also to all other Member States.

Congratulations to David Hedqvist for seeing this through, and the bitcoin companies that supported him in the case.

2. The EBA published its draft Guidelines on the risk factors that have to be taken into consideration when considering whether to apply simplified due diligence (SDD) or enhanced due diligence (EDD) to a customer.

The SDD provisions are of particular importance, and whilst most of the provisions are balanced and well informed, there is an exception. Currently e-money issuers are able to postpone verification of identity until a cumulative (annual) spend threshold of EUR 2500 has been reached, subject to other conditions. The draft Guidelines (which are open for consultation until the 22nd of January) leave the limit open, and should offer significant flexibility depending on the approach of the national member state regulator.

It can in fact be argued that higher limits better address law enforcement concerns, as they encourage cash substitution while providing far more visibility and traceability of users. This is the case even when relying on SDD provisions.

Postponement of CDD is not only a matter of convenience or cost, it is one of access to customers. New innovative payment service providers who need to build their user base must ensure low barriers to entry.

The EMA will respond to the consultation and represent the views of e-money issuers. This is a matter of significant importance, and is worthy of attention.

The above article was written by Dr Thaer Sabri, EMA CEO
