Slides for emerging payments association training day


Introduction to e-money and e-payments law


Overview
What is e-money?
The wider world of payment services
How do e-money and payment services fit within the existing financial services framework?
What different laws do you need to consider as an e-commerce business?
What are the relevant regulators, schemes and market players?
Do you know how to think like a regulator?
How do you do business across borders?


What is E-money?

FAMZOO, August 10, 2010 - Some rights reserved


E-money – what a strange fish!
The simplest way of thinking about e-money from a regulatory perspective is that it is a particular type of regulated IOU.
E-money is simply fiat money held as a regulated liability on your behalf, usually by a regulated entity.
The 'electronic' tag is now a misnomer in a world of e-banking and mobile payments; in fact it is unhelpful and gives rise to confusion with cryptocurrency.
From a technical perspective it is more helpful to see regulated e-money as similar to money held in a bank account, albeit that, inter alia:
  an EMI is not able to borrow or lend against funds held by it (no fractional-reserve recycling allowed)
  the funds are not covered by the deposit guarantee scheme
  the EMI must hold matching assets for its liabilities and safeguard the funds using a recognised ring-fence or protected pool
In addition it must be remembered that not all e-money issuers are EMIs; this has consequences for regulatory analyses.
E-money issuers sit within the wider group known as Payment Service Providers.


Blurring the boundaries


Antana, October 16, 2013 - Some rights reserved


Cryptocurrency is not e-money
The rise of bitcoin and other cryptocurrencies (CCs) means that we need to be careful when we think and talk of electronic money.
'E-money' is a very good description of bitcoin and CCs, albeit that they are not currently recognised as legal money (PSD = 'funds').
In February 2016 the European Commission announced its intention to:
  make CC exchanges obliged entities under the 4th AML Directive
  incorporate CCs within PSD2 (extending the definition of funds?)
The Commission had previously decided not to incorporate e-money within PSD2. This means we are likely to have even more confusion once CCs are within scope of the regulated payments regimes.
On the plus side:
  adding CCs to PSD2 and the 4th AML Directive will make it easier for operators in that space to defend themselves from charges that they operate in the darknet and are predominantly useful to terrorists, drug dealers and other criminals
  it will also make it easier for other obliged entities (payments, gaming) to work with CCs


A wide world of payments law
EU law relating to regulated payments is remarkably wide-ranging in its scope and requirements.
Implementing framework contract requirements into account/card programme terms takes considerable time and effort: balance legal requirements against readability; interpretation issues abound and differ by Member State.
Always consider the exemptions first once you appear to be in scope (e.g. commercial agent, group collection money remittances, limited network, B2B programmes).
PSD2 offers some interesting opportunities and challenges for the e-commerce sector.
Opportunities:
  new payment initiators
  account aggregators
Challenges:
  reduces the use of some of the exemptions (e.g. commercial agent exemption, limited network exemption)
  potential for Member States to block incoming PSPs (other than credit institutions) from exercising passporting rights, based on the interests of payment service users
  much is vague, unclear or overly wide and leaves much to be done later (e.g. strong authentication, rights of initiators and aggregators to access payment account information)
  the EC already appears to want to amend PSD2


Fitting e-money and payments into existing frameworks
Member States must implement the Directives into national law, which can differ greatly across Europe.
Implementation effects give rise to differences in:
  translation
  interpretation
  transposition
Sometimes it is remarkable how different the approaches can be within Europe. For example:
  some Member States refuse to allow cross-border agents and distributors
  some Member States' law may not safeguard funds sufficiently, due to errors in transposition or failure to adapt existing local law
  some Member States take a very strict view on reliance upon exemptions
Operators must remember that exemptions and UK interpretations are not passportable.
Choosing the right Home State is therefore essential.
It is also essential to conduct a detailed cross-border analysis for many aspects of your business, including: terms and conditions, AML, agents and distributors.


Other laws to consider in the e-commerce sector
Anti-Money Laundering and Counter-Terrorist Financing: Directives, JMLSG Guidelines
Sanctions
OFAC
FATCA
CSR?
Data Protection & Cookies
E-commerce Regulations
Distance Sales
Unfair Terms in Consumer Contracts
Brussels Regulations & Rome Convention
Online Dispute Resolution Requirements


Relevant Stakeholders
FCA & other EEA regulators
Bank of England/PRA (e.g. see Project Rome)
EBA
Payment Systems Regulator
Card Schemes (including MasterCard & Visa)
Industry Associations (EPA, PIF, EMA, GEMA)
Learn to talk the language of your other stakeholders:
  focus on what matters to them
  work collaboratively
Legal and regulatory analysis is only part of the picture.
Public policy considerations are overriding issues.


Doing Business Across Borders
It can be a shock to realise how different other Member States can be towards innovative payments providers (e.g. German economic vs UK purposive interpretation).
Sometimes Member States can appear to be hostile to non-local PSPs:
  much of this is likely driven by a lack of knowledge about the e-payments sector
  some of it is also driven by fear of loss of control of their local financial sector
Need to ensure your Home State regulator is on-side and supportive of your approach to key issues; bring them with you on your journey.
Remember that local interpretation of various laws may differ significantly; e.g. local AML requirements can also make doing business in the rest of Europe costly and complicated (country of establishment vs country of customer).
Consider carefully whether to passport at all and, if so, whether on a freedom of services or an establishment basis.
Work with cross-border experts.


“The only source of knowledge is experience" Albert Einstein

Discussion & Questions


Director & Associates: Peter Howitt, John Pauley & David Borge e: peterhowitt@ramparts.eu johnpauley@ramparts.eu davidborge@ramparts.eu w: http://www.ramparts.eu t: +44 161 914 9785 Disclaimer: This presentation may contain information and guidance relating to a variety of legal, regulatory, corporate and tax matters. It is not intended to be and should not be relied upon as legal advice by Ramparts.


Electronic Money: Past, Present & Future David Borge


Overview   What is e-money?   The key legislation and history   What are payment services?   The main regulatory requirements for EMIs   Agents and Distributors   Passports (Services and Establishment)   Programs: Program Managers and Co-Brand Partners   Prepayment business models   The future


E-money definition
The EMRs define e-money as electronically (including magnetically) stored monetary value represented by a claim on the issuer that is:
1. issued on receipt of funds for the purpose of making payment transactions;
2. accepted by a person other than the electronic money issuer; and
3. not excluded by regulation 3 of the EMRs, i.e. monetary value that is:
  stored on instruments that can be used to acquire goods or services only in or on the electronic money issuer's premises, or, under a commercial agreement with the electronic money issuer, either within a limited network of service providers or for a limited range of goods or services (e.g. shopping centre gift cards); or
  used to make payment transactions executed by any telecommunication, digital or IT device where the goods or services are delivered to and used through such a device, but only where the operator of the device does not act only as an intermediary between the user and the supplier.


Key Legislation
The Second Electronic Money Directive 2009/110/EC ("2EMD") and the Electronic Money Regulations 2011 ("EMRs")
The First Payment Services Directive 2007/64/EC ("PSD") and the Payment Services Regulations 2009 ("PSRs")
2EMD does not stand on its own and contains numerous cross-references to the PSD, particularly in connection with the negative scope, the rules on outsourcing, the use of distributors and agents, the ongoing capital requirements, the possibility to offer payment services, the safeguarding requirements and the out-of-court complaint and redress procedures.


Historical Development
1990s: electronic purses and payment products were developed.
1994: the European Monetary Institute (precursor to the ECB) published its first report on EU prepaid instruments.
2000: the EMD was adopted. It was problematic, too restrictive on EMIs' activities, and interpretation varied across the Member States.
2007: the PSD was adopted by the European Parliament, to be implemented in Member States by November 2009.
2009: 2EMD was adopted and replaced the EMD. It considerably lowered the initial capital needed to set up an issuing business and widened the scope of services an issuer could undertake to include all payment services. Intended to further liberalise the payments sector.
2015: PSD2 was adopted to replace the PSD. It must be implemented nationally by 13 January 2018. It widens the scope of the existing PSD by covering new services and industry participants and, amongst numerous other changes, introduces enhanced security measures. Restricts many exemptions.


What are Payment Services?
Payments/withdrawals of cash into/from a payment account, as well as managing a payment account;
Execution of payment transactions (including funds covered by a credit line), including:
  direct debits;
  card payments;
  credit transfers, e.g. BACS or CHAPS payments;
  transactions made from mobile phones and handheld devices via an IT intermediary;
Issuing and acquiring of payment instruments (e.g. cards, e-wallets);
Money remittance (which doesn't necessarily involve payment accounts and includes escrow services).
Definitions
Payment Account = account used for Payment Transactions
Payment Instrument = personalised device that enables payment orders to carry out Payment Transactions


When is a payment account e-money?
It is important to remember that the functionality of an account may sometimes determine whether it is a payment account and also e-money.
Examples:
  Payment collection account = not e-money (though the addition of a payment card or wallet-to-wallet transfer makes a payment account also e-money)
  Ancillary-purpose payment account: where the account could be a payment account but for its primary purpose being unrelated to making payment transactions (e.g. a gambling wallet linked to a card) (see FCA PERG & PSD EG guidance: purposive & functionality test).


Who can issue e-money?   Credit Institutions   Electronic Money Institutions (EMIs)   Post office giro institutions   European and National Central Banks   Member state or regional authorities


The Regulatory Requirements: Overview
Standards for authorisation as an Authorised EMI or registration as a Small EMI;
capital requirements;
safeguarding requirements;
COB: rules relating to issuing and redeeming e-money for all electronic money issuers; and
regulators' powers and functions in relation to supervision and enforcement.


EMI: Authorisation
Capital is required in order to ensure that applicants are able to:
  safeguard their customers' funds and redeem e-money as and when required;
  absorb unexpected losses that arise while the business is a going concern as well as those incurred on liquidation; and
  maintain public confidence.
Initial capital: €350,000.
Ongoing capital: at least €350,000, calculated as specified in the EMRs; 2% of outstanding e-money for Small EMIs.
Different calculation methods must be used for e-money services and payment services.


Safeguarding
If a business that has safeguarded funds becomes insolvent, the claims of e-money holders or payment service users are paid from the asset pool formed from these funds ahead of all other creditors (except for the liquidator's costs of distributing the assets).
E-money must be safeguarded by:
  Option 1: the segregation method / investment in secure, low-risk and liquid assets; or
  Option 2: an insurance policy or guarantee from an authorised insurer/credit institution.
Beware! Not all Member States apply the safeguarding rules in the same way, and some have very specific requirements (e.g. Germany).


Conduct of Business Requirements
2EMD COB:
  Redemption & fees (6-year limit specified in the UK & Gibraltar, but varies across Member States: the Netherlands allows earlier write-off with the consent of the regulator).
  Requirements re loading of e-money.
  No interest.
  Cross-reference to PSD COB.
PSD COB:
  Framework contracts.
  Single payment transactions.
  Charges for information & currency conversion.
  Rights & obligations: charging, authorisation & execution of transactions, execution time, value dating & liability.


Agents & Distributors
An EMI may distribute or redeem (but may not issue) e-money through an Agent or a Distributor.
Agents may also provide payment services.
EMIs must register their Agents, whilst Distributors only have to be notified to the FCA.
EMIs have overall responsibility for agents/distributors, e.g. AML, compliance, due diligence.
Non-EEA Agents: the EC has indicated that this is acceptable, but not all Member State regulators will accept it (e.g. Gibraltar).
One-leg transactions: information exemption to be removed by PSD2.
Beware! Lack of EEA harmonisation (not all Member States recognise the concept of a Distributor, and some confuse it with Agents).


Passporting
This is the right of an EMI to conduct activities and provide services in another EEA state on the basis of its home state authorisation.
Establishment Passport: establishment in the host state via a branch or Agent.
Services Passport: cross-border services without establishment (EMDB form).
Local legal advice should always be obtained before passporting services.
Not all Member States will accept Services Passport activity via a foreign Agent (e.g. Germany, Spain, Netherlands, France, Poland, Austria).
France: single transaction limit of €1,000 since September 2015.
Germany: strict requirements on the Commercial Agent Exemption, which is not recognised for invoice settlement service providers.
Sometimes it is difficult to ascertain where activity should or needs to be passported into, e.g. cruise ship payroll cards.
One-leg transactions: information exemption to be removed by PSD2.
Local law requirements are not always EMD/PSD related; you must consider AML, contract law and any other provisions.


Program Key Players
Card Scheme
BIN Sponsorship (Issuer) & Program Managers
Co-Brand Partners
Processors (tri-party agreements?)
Load-Service Providers
KYC providers
Card manufacturers
Customer Care


Program Types
General Purpose Reloadable: travel, share cards, gifts
Corporate Load: payroll, expenses, incentives, promotions
Clinical trials
"Sharing" cards (e.g. children, couples etc.)
Gambling: pay-in/out cards
Refugees
Charities
Government disbursements
Cruise ships


Some PSD2 Feedback
EC Consultation on the EU regulatory framework for financial services: Sept 2015 to Jan 2016.
FCA: objects to Art 30 PSD2 ("Host authorities can take emergency action over serious threat to the collective interests of the payment service users in the host Member State"): power imbalance between home and host state.
HM Treasury:
  passporting requires more consistency and clarity; current cross-border activity is too expensive.
  EMIs should be classified as PIs and regulated as part of PSD2.
  definition inconsistency within and across EU legislation.
Barclays Bank: 2EMD transaction limits are specified in EUR only.


The future of e-money
2EMD Art 17: the EC should have presented a report on impact & implementation by Nov 2012; delayed due to certain Member States' implementation delays. Publication due 1st quarter 2016.
Will probably focus on recommendations on 2EMD rather than a new 3EMD, as PSD2 has clarified many of the key 2EMD concepts (e.g. limited networks, EMI supervision, home/host country definition).
The EC's current major focus following the Paris attacks is counter-terrorism (4th AMLD implications), bringing simplified products and cryptocurrency into focus particularly.




The ever changing payments landscape


Overview   Overview of EU and UK legal framework   Overview of current requirements   PSD – information requirements   PSD – payment service standards   PSD2 impact   Potential opportunities   Potential costs   New entrants and existing PSPs   Passporting and interchange fees   Final thoughts


Overview of EU and UK legal framework EU Level framework

Payment Services Directive (PSD)   Typically European Union (EU) Member States (MS) implement directives through changes to their own laws   In some countries directives are automatically incorporated into local laws when they become effective

UK   UK have implemented PSD through the UK Payment Services Regulations (PSRs)   Changes also made to Financial Services and Markets Act 2000 (FSMA) and associated subordinate legislation, e.g.

the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 (RAO)   The Financial Conduct Authority (FCA) is the regulatory authority responsible for PSD in the UK   The FCA has issued guidance in the form of its PSR approach document: “The FCA’s role under the Payment Services Regulations 2009: Our approach”   Firms must also follow the FCA’s rulebook, also known as the Handbook


Overview of current core requirements Authorisation and general FCA requirements

In order to provide payment services firms must either be authorised or an agent of an authorised firm

In order to become authorised firms must meet a set of threshold conditions in relation to capital, resources, management, systems and location

Authorised firms, and ultimately their agents, are subject to FCA supervision

PSR conduct of business requirements

Information based requirements

Payment service standards


PSD – information requirements Information based requirements including:

Pre contract and post contract information: Single payment transactions   Framework contract agreement (schedule 4 information)

Exemptions Consumer credit act (CCA) carve out   Low value payment instruments   Corporate opt outs

Durable medium (information to be provided or made available)

During the life of the agreement: Changes to the agreement   Information before and after transactions are carried out, e.g. exchange rates

Charges for information – cannot charge for those required under the PSRs unless additional or different format information requested

Additional charges and reductions (cannot prevent payee charging, or offering a reduction, for use of a particular payment instrument)


PSD – payment service standards Payment service based requirements including:

Payment instruments:

obligations of provider and customer;

spending limits; and   stopping use

Carrying out payment transactions: receipt, authorisation (including recurring transactions), sending, revocation, refusal and execution of payment orders including regulatory timeframes

Unauthorised transactions including liability and refund requirements and recurring transactions

Value dating of payment transactions

Exemptions: corporate, low value and CCA carve out


PSD2 impact
The second Payment Services Directive (PSD2)
Came into force on 12 January 2016
Member States must transpose it into their national laws by 13 January 2018

Key changes   Geographical scope and currencies increased   New payment services defined: payment initiation service and account information service   Requires account holding Payment Service Providers to grant access to payment account information to third parties

providing such services   Clarification of liability in certain situations   Increasing the transparency of payments and charges   Reduction in use of exemptions:   Limited network definition much stricter   ATM exemption much narrower and irrelevant if other payment services   Digital downloads – stricter and transaction limits introduced   Payment transactions through commercial agents – can only act for payer or payee

Safeguarding (greater harmonisation)


Potential opportunities New payment services represent great opportunities

Account information services (AIS)

Some are currently providing these services, e.g. Money Dashboard

Questions about legitimacy – breaching customer terms and conditions?   PSD2 brings legitimacy plus requirement for account holding payment service providers (PSPs) to provide information in accord with standards to be published by European Banking Authority (EBA)   Great potential for various business models through access to wealth of customer information

Payment initiation services (PIS)   Various European providers, and popular in certain countries but UK activity is limited   UK market may present a big opportunity   Requires account holding PSPs (e.g. banks, credit card providers and e-money issuers) to provide access in accord with security standards to be published by the EBA   Could be intermediary for large retailers that do not set-up a PIS provider themselves


Potential costs PSD2 will inevitably result in companies having to make changes

System changes

Document and process changes

Changes to accommodate new payment services EBA standards   Big impact to existing account holding PSPs

Existing businesses may lose out: Banks and other account holding PSPs may get less interaction with their customers   E-money firms will have to open up their accounts as well as banks   Payment schemes, merchant acquirers and card issuers will face greater competition


New entrants and existing PSPs New FinTech entrants

Many new entrants may set-up as providers of AIS or PIS

Some may provide services to new AIS or PIS providers

Existing PSPs and potential security risks

Many may resist the changes as far as it is possible to do so:   Could refuse access until EBA publishes the required security standards   Could refuse access if it believes the other party (AIS or PIS provider) does not meet the standards

PSD2 ultimately compels account holding PSPs (AHPSPs) to grant appropriate access to authorised firms providing such services

Will detract from AHPSPs interaction with its customers and will therefore likely be resisted

Many have, and will continue, to raise concerns about security

EBA need to publish the security standards (including in relation to application programme interfaces (APIs)) in good time and MS regulators must ensure AHPSPs comply

Liability

PSD2 changes the liability provisions to account for AIS and PIS providers


Passporting and interchange fees Passporting

Firms who are well positioned to take advantage of the changes in one country should ensure they are ready to take advantage of the ability to provide services throughout the EU

Small payment institutions (small PIs) and small e-money institutions (small EMIs) cannot passport

Authorised PIs and EMIs and other regulated entities, e.g. banks, can passport

Interchange fees regulation

Imposes fee caps on consumer debit and credit card transactions

Likely to result in revenue loss for established payment businesses while at the same time PSD2 introduces even further competition


Final thoughts

Complex and ever changing regulation of payments services offers both opportunities and challenges to existing businesses and new entrants to the market alike

Smaller, more nimble businesses may be better equipped than others to take advantages of the changes

Existing AHPSPs such as banks and even established e-money issuers may resist some of the changes due potential impact on profit

All market participants could take advantage of the new payment services by offering to customers (both their existing customers and new customers)

Those keen to take advantage should ensure they are well positioned in terms of business model, authorisation and ability to passport throughout the EU

Potential double impact of PSD2 and interchange fee regulation on existing companies


“The only source of knowledge is experience"

Albert Einstein

Questions?




Cybercrime, Data Protection & Liability Risks
"We may at some point see a cyber-attack so powerful on an individual bank that it has the power to bring down the institution, necessitating a state bailout"


Overview
Review and discussion of key issues involving cybercrime, including:
  examples of recent e-crime impacting the financial sector
  transferring/mitigating/managing liability (including insurance)
  expected level of security measures for PSPs
  understanding the wider risks to your reputation and brand


Size of Risk
McAfee, one of the most widely known security software companies, estimated the cost of cybercrime to the global economy in 2014 at a staggering $400 billion.
In 2012, an undisclosed major London business suffered as much as £800 million in losses in just one attack.
In 2014, eBay announced that an attack on its systems resulted in the exposure of personal information of up to 145 million of its users[1]. That same year an attack on Home Depot, a US retailer, resulted in the theft of 56 million payment card details[2].


Ever increasing risk & complexity

Yuri Samoilov, December 22, 2014 - Some rights reserved

"The U.K.’s biggest banks fear cyber attacks more than regulation, faltering economic growth and other potential risks" (Centre for the Study of Financial Innovation )


What is cybercrime?
"an attack on the confidentiality, integrity and accessibility of an entity's online/computer presence or networks - and information contained within" (IOSCO and the World Federation of Exchanges (WFE))
It includes:
  phishing
  hacking
  denial of service
  distribution of malware
  unauthorised access
  interception, processing & corruption of data


Most common cybercrimes
According to McAfee, the two most prevalent techniques are:
  social engineering, where a user is tricked into granting access; and
  vulnerability exploitation, whereby an attacker takes advantage of a flaw in the application's code (whether previously undiscovered, or known but not yet patched) to gain access.


EU Focus
On 28 April 2015 the European Commission adopted the European Agenda on Security; fighting cybercrime is one of the top three priorities, together with tackling terrorism and disrupting organised crime.
The EU has acknowledged the "borderless, flexible and innovative" nature of cybercriminals and recognises that cybercrime "demands a new approach to law enforcement in the digital age".
The 2013 Directive on attacks against information systems aims to tackle large-scale cyber-attacks by requiring Member States to strengthen national cybercrime laws and introduce tougher criminal sanctions.


Data Protection Requirements
"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data." (DPA, 7th Principle)
Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to:
  (a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and
  (b) the nature of the data to be protected. (Interpretation of the 7th Principle, Part II, Sch 1, DPA)


Data Protection Requirements: Partners
"Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle –
  (a) choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and
  (b) take reasonable steps to ensure compliance with those measures."


EU Data Protection Regulation 2016
A new EU-wide Regulation is proposed; the latest draft of the Regulation, dated Jan 2016, states that personal data must be "processed in a way that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality')" (Article 5).
Article 31:
Having regard to the state of the art and the costs of implementation and taking into account the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, the controller and the processor shall implement appropriate technical and organisational measures, to ensure a level of security appropriate to the risk, including inter alia, as appropriate:
  (a) the pseudonymisation and encryption of personal data;
  (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data;
  (c) the ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident;
  (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
1a. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by data processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority …, unless the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals.
Infringements of Art 31 are subject to administrative fines of up to EUR 10m or, in the case of a business, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.


Data Protection Top Risks
The UK ICO's 2014 security report suggests the following priority risks:
  a failure to keep software security up to date;
  a lack of protection from SQL injection;
  the use of unnecessary services;
  poor decommissioning of old software and services;
  the insecure storage of passwords;
  failure to encrypt online communications;
  poorly designed networks processing data in inappropriate areas; and
  the continued use of default credentials, including passwords.
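Two of the ICO's priority risks, SQL injection and insecure password storage, are concrete coding defects rather than policy gaps, so here is an added example (not part of the original slides or the ICO report) showing each weak form beside its hardened form. The users table and its rows are constructed for the demonstration; the lookup and hashing functions are illustrative names, not any library's API.

```python
"""Added example: SQL injection and password storage, weak beside hardened.
The in-memory users table and sample rows are constructed; nothing here is
real customer data."""
from __future__ import annotations

import hashlib
import hmac
import os
import sqlite3

# PBKDF2-HMAC-SHA256 with a per-user random salt. The stored string records
# the algorithm and iteration count so both can be raised later without
# breaking existing records.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Hardened storage: salted, iterated hash instead of plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    # compare_digest avoids leaking, via timing, how many bytes matched
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def build_demo_db() -> sqlite3.Connection:
    """In-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", hash_password("correct horse")),
         ("bob", hash_password("hunter2")),
         ("carol", hash_password("Tr0ub4dor&3"))],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list[str]:
    """Weak form: the caller's string is spliced into the SQL text, so a
    username of  ' OR '1'='1  turns the WHERE clause into a tautology and
    the query returns every row."""
    query = "SELECT username FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> list[str]:
    """Hardened form: the value travels as a bound parameter and is never
    parsed as SQL, so the same payload simply matches no row."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


if __name__ == "__main__":
    db = build_demo_db()
    payload = "' OR '1'='1"
    print("vulnerable lookup:", find_user_vulnerable(db, payload))  # every user
    print("safe lookup:      ", find_user_safe(db, payload))        # []
    stored = db.execute("SELECT password_hash FROM users WHERE username = ?",
                        ("bob",)).fetchone()[0]
    print("bob / hunter2 ok: ", verify_password("hunter2", stored))  # True
    print("bob / hunter3 ok: ", verify_password("hunter3", stored))  # False
```

The same injection string is passed to both lookups so the difference is visible on one input; in the hardened path the database driver binds the value after parsing, which is why no amount of quoting in the input can change the query's shape.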


2nd Payment Services Directive
“All payment services offered electronically should be carried out in a secure manner, adopting technologies able to guarantee the safe authentication of the user and to reduce, to the maximum extent possible, the risk of fraud” (Recital 95, PSD2)
New two factor authentication requirements:
All PSPs must apply strong authentication for payers - ‘Strong customer authentication’ means authentication based on the use of two or more independent elements that are based on something only the user knows (knowledge), something only the user possesses (possession) or something the user is (inherence), as well as designed to protect the confidentiality of the authentication data
PSPs must “include the authentication of transactions through dynamic codes, in order to make the user aware, at all times, of the amount and the payee of the transaction that the user is authorising” (Recital 95).
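An added illustration (not code from the presentation or from any PSP) of the two-element, dynamically linked authentication the slide describes: a possession element (a device key) produces a code bound to the amount and payee, a knowledge element (a PIN) is checked independently, and the PSP verifies against the details it recorded rather than anything resent by the client. Keys, account numbers and PINs are constructed sample values.

```python
"""Added illustration of PSD2 strong customer authentication with dynamic linking.
Not code from the presentation or any PSP; keys, IBANs and PINs are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class PendingPayment:
    amount_minor: int          # amount in minor units (e.g. pence)
    payee_iban: str
    nonce: bytes               # fresh per transaction, so every code is single-use


def truncate_to_digits(mac: bytes, digits: int = 8) -> str:
    # HOTP-style dynamic truncation (RFC 4226, section 5.3) so the code can be typed in
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def linked_code(device_key: bytes, amount_minor: int, payee_iban: str, nonce: bytes) -> str:
    """Possession element: the user's device derives the code from the transaction details.
    Amount and payee are inside the MAC input, so a code shown for one payment cannot
    authorise a different amount or payee (dynamic linking)."""
    msg = f"{amount_minor}|{payee_iban}|".encode() + nonce
    return truncate_to_digits(hmac.new(device_key, msg, hashlib.sha256).digest())


class PaymentServiceProvider:
    """Constructed PSP side: holds device keys and PIN hashes, issues and verifies challenges."""

    def __init__(self) -> None:
        self.device_keys: dict[str, bytes] = {}
        self.pin_records: dict[str, tuple[bytes, bytes]] = {}   # user -> (salt, PBKDF2 hash)
        self.pending: dict[str, PendingPayment] = {}

    def enrol(self, user: str, device_key: bytes, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self.device_keys[user] = device_key
        self.pin_records[user] = (salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000))

    def initiate(self, user: str, amount_minor: int, payee_iban: str) -> tuple[str, PendingPayment]:
        # The challenge shown to the user carries the amount and payee, so the user sees
        # exactly what they are authorising (Recital 95).
        txn_id = secrets.token_hex(8)
        self.pending[txn_id] = PendingPayment(amount_minor, payee_iban, secrets.token_bytes(16))
        return txn_id, self.pending[txn_id]

    def authorise(self, user: str, txn_id: str, pin: str, code: str) -> bool:
        p = self.pending.get(txn_id)
        if p is None:
            return False
        salt, stored = self.pin_records[user]   # knowledge element, checked independently
        pin_ok = hmac.compare_digest(stored, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000))
        # Recompute over the details the PSP recorded, never over values resent by the client.
        expected = linked_code(self.device_keys[user], p.amount_minor, p.payee_iban, p.nonce)
        code_ok = hmac.compare_digest(expected, code)
        if pin_ok and code_ok:
            del self.pending[txn_id]           # single use: the same code cannot be replayed
        return pin_ok and code_ok
```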


2nd Payment Services Directive
Security reporting obligations for payment service providers:
“1. In the case of a major operational or security incident, payment service providers shall…notify the competent authority in the home Member State of the [PSP]. Where the incident has or may have an impact on the financial interests of its payment service users, the [PSP] shall...inform its payment service users of the incident and of all measures that they can take to mitigate the adverse effects of the incident. (Art 96, PSD2)
By 13 January 2018, EBA shall, in close cooperation with the ECB and after consulting all relevant stakeholders… issue guidelines in accordance with Article 16 of Regulation (EU) No 1093/2010 addressed to each of the following:
(a) payment service providers, on the classification of major incidents referred to in paragraph 1, and on the content, the format, including standard notification templates, and the procedures for notifying such incidents;
(b) competent authorities, on the criteria on how to assess the relevance of the incident and the details of the incident reports to be shared with other domestic authorities.


High Profile Cases
Sony (2011):
Personal details from approximately 77 million accounts were compromised
Prevented users of PS3 from playing online
Outage lasted 23 days
Fined £250,000 by ICO

Talk Talk (2015):
4m customers' bank and credit card details stolen
Could lead to fines of £500,000 by ICO
Severe reputational damage

Carbanak Virus (2013 -?)
Global (but Russia particularly impacted)
Over $1bn in losses to date



What is financial crime?
The term "financial crime" is defined widely (see amended section 1 of the Financial Services and Markets Act 2000 (FSMA)).
Financial crime is defined as including any offence involving:
Fraud or dishonesty.
Misconduct in, or misuse of information relating to, a financial market.
Handling the proceeds of crime.
The financing of terrorism.


Checklist
FCA in its financial crime guide provides self-assessment checklists for regulated businesses:
Are sufficient resources allocated to cyber-security measures?
Does the organisation's management receive sufficient management information (MI) to understand and assess the organisation's exposure to cybercrime risk?
Are arrangements in place to collect and assess information on cybercrime risk from all available sources?
Is a risk register kept and, if so, is it kept up-to-date?
Are staff (including non-IT staff) given cybercrime training at least once a year?
Is there a documented cyber-security policy in place, with the terms cybercrime, cyber-attacks and cyber-threats clearly defined?
Are staff kept up-to-date on new cybercrime threats?
Is the organisation aware of the cyber-security measures in place at its suppliers, including in particular any outsourced service suppliers?
Are arrangements in place to share information on attempted and successful cybercrime with authorities and regulators?


Defensive Measures
Do firewalls:
monitor open connections, including attachments in an e-mail;
block unauthorised or unwanted inbound internet traffic or connections; and
disable internet add-ons (such as cookies and pop-ups)?

Does antivirus software scan any file or data package in the system for viruses (derived from a virus database)?
Can antivirus software clean, quarantine and delete any infected files?
Does software:
detect bots and distributed denial of service (DDoS) attacks, and
block communications?

Is software aimed at identifying, logging, reporting and blocking any malicious activity on computer systems?
Are terminals protected from unauthorised and inappropriate usage?


Defensive Measures Part II
Does the organisation's disaster recovery plan cover cybercrime risk?
Are simulations of an attack of the organisation's computer system carried out to test for vulnerabilities?
Are vulnerabilities identified, quantified and prioritised?
Are all potential hazards assessed?
Are all assets, equipment and infrastructure catalogued to guide the prioritisation of threats?
Are continual checks of security controls and systems carried out to ensure they are up-to-date and implemented effectively?
Is data encrypted? Who holds a key to decrypt it?
Are networks isolated from insecure networks, such as the internet or local area network (LAN), to form a closed and secure system?


Detection
Are systems in place to:
detect hacker attempts and anomalous behaviour?
enable rapid detection of cyber-attacks and the blocking of any follow-up attempts?
conduct real-time monitoring and analysis of potential security breaches, alerts or unusual activity for all devices (for example, computers and smartphones)?
Are report logs used?

Is there a database security application in place that:
monitors and analyses all activity to a database;
controls and logs user access; and
works independently of native database functioning?


Cyber-Resilience
Is confidential and critical information automatically detected and secured on separate systems?
Is information stored in a way that allows restoration in the event of a primary system failure?
Are storage facilities or data centres, or both, located in a separate physical location from the main network?
Are arrangements in place to notify others who could be affected by a cyberattack (for example, customers, suppliers or connected parties)?
Does the organisation have cybercrime insurance, or similar, in place?


Liability Check
What does your contract with the customer say?
Potential negligence claims
Have you breached your regulatory obligations as a financial institution?
EMRs 6(5)(b) and 13(6)(b) require EMIs to have "effective procedures to identify, manage, monitor and report any risks to which [they] might be exposed"
Have you breached data protection requirements?
Bad press & reputational damage
Costs: fines, indemnity, damages, business interruption, loss of customers
E.g. under the New Data Protection Regulation the Sony hack could have cost it up to a max of $1.5bn


PSD - Transfer of Liability
PSPs can only refuse a refund for an unauthorised payment if:
it can prove the transaction was authorised;
it can prove the customer is at fault (acted fraudulently, deliberately or with ‘gross negligence’); or
the customer advised the PSP of the transaction 13 months or more after the transaction
The first £50 of liability falls on the customer where a card is lost or stolen or the customer failed to take reasonable care of security details
No liability for any unauthorised payments made after the customer notifies the PSP of the loss, theft or unauthorised use of a card or password – unless the PSP can prove the customer acted fraudulently.


“The only source of knowledge is experience" Albert Einstein

Questions & Discussion


Director & Associates: Peter Howitt, John Pauley & David Borge
e: peterhowitt@ramparts.eu johnpauley@ramparts.eu davidborge@ramparts.eu
w: http://www.ramparts.eu
t: +44 161 914 9785
Disclaimer: This presentation may contain information and guidance relating to a variety of legal, regulatory, corporate and tax matters. It is not intended to be and should not be relied upon as legal advice by Ramparts.


AML and International Tax Reporting Requirements


Overview   AML legal framework   Risk based approach   AML and RegTech   Convincing others   Regulators and enforcement agencies   Cross-border issues   International tax reporting requirements   FATCA   Final thoughts


AML legal framework EU Level framework

Currently subject to the third money laundering directive (3MLD)

The fourth money laundering directive (4MLD) will replace 3MLD by 26 June 2017 at the latest

Territoriality principle:

General principle of EU AML legislation is that the rules and regulations of the Member State (MS) in which an undertaking is established apply

MSs are allowed to enact legislation that reverses this presumption e.g. location of the customer

What laws should we follow?

You must always follow the laws of the country you are established in

But you may also have to follow the laws of the countries in which your customers reside

Image by TaxRebate.org.uk: https://creativecommons.org/licenses/by/2.0/


Risk based approach What does a risk based approach to AML actually mean?

3MLD, and EU MS laws all require firms to take a risk based approach to AML

Firms must assess the money laundering (ML) and terrorist financing (TF) risks of their business

Firms must apply an appropriate strategy to mitigate the risks identified – no tick box approach

Laws and regulations provide a framework
Simplified due diligence (SDD): low risk; product values below certain levels
Customer due diligence (CDD): identification and verification required
Enhanced due diligence (EDD): higher risk situations, e.g. PEPs, ML/TF suspicion or large transactions

Justifying approach

Must carry out risk assessment; create appropriate ML/TF policies and procedures and execute

Don’t have to play safe as long as you can justify it

Image by Howard Lake: https://creativecommons.org/licenses/by-sa/2.0/


AML and RegTech What is RegTech?

Familiar to many FinTech companies: use of technology to fulfil regulatory requirements

AML compliance is a key example where RegTech has been used for many years

FCA keen to make the UK a hub for RegTech and are inviting input from all interested parties

RegTech development

RegTech continues to develop to meet the evolving demands of businesses and consumers

Firms that can successfully combine compliance and technology expertise will continue to be at an advantage in this field

AML RegTech

Firms look for solutions that:
Can readily evidence compliance with AML requirements;
Ensure checks are carried out as quickly as possible;
Provide comfort that customers are who they say they are; and
Provide an excellent user experience without putting off customers.

RegTech firms keen to push boundaries and influence changes in laws and attitudes of regulators

Not just KYC, e.g. suspicious activity reporting and regulatory reporting


Convincing others Regulators

Must evidence your risk based approach by documenting it and ensuring it is executed properly

Be open and cooperative in your communications with regulators

Evidence that you keep up to date with changes in industry practice, regulations, guidance and updates from regulators and international bodies such as the Financial Action Task Force (FATF)

Counterparties

Must convince your clients that your AML systems and controls are effective

Business models and risk appetite vary: build in ability to tailor to counterparties’ requirements

Image from a Blatant World article: https://creativecommons.org/licenses/by/2.0/

Image from EurActiv.com: https://creativecommons.org/licenses/by-sa/2.0/


Regulators and enforcement agencies Do I have to speak to my regulator?

Countries take ML/TF requirements seriously and expect regulated firms to do likewise

Regulated firms have to interact with their regulators and enforcement agencies, e.g. financial intelligence units (FIUs)

Better to do so proactively than be approached

Interaction with financial intelligence units and law enforcement agencies

Must report suspicion and knowledge of ML/TF activity

Registration with FIUs for online reporting

Automation and use of RegTech could help enhance processes and reduce time required

Ensure MLRO / nominated officer in place and is point of contact for FIU

Ensure efficient issue identification, reporting, tracking and resolution mechanism in place


Cross-border issues Operating in multiple EU jurisdictions

Must comply with the laws in the MS in which you or your agents are established

Must also comply with local laws where required in addition, e.g. when providing services to Spanish residents

Reporting suspicion and knowledge of ML/TF: home MS AND MS of customers
Tipping off
Freezing accounts

Operating in multiple jurisdictions both inside and outside of the EU

Different AML regimes

Different reporting/freezing regimes, e.g. the US would not typically freeze accounts but require funds to be returned to point of origin
Significant conflict for firms operating in EU and US


The Fourth Anti-Money Laundering Directive The Fourth Money Laundering Directive (4MLD)

MS must implement it by 16 June 2017 at the latest

Implementation may be brought forward to end of 2016

Intended to address inconsistencies between 3MLD and the Financial Action Task Force’s recommendations

Key changes

Increased focus on risk based approach

Risk based approach not just for financial entities: EBA, national regulators, industry

Tax crimes

Customer due diligence

Politically Exposed Persons

Beneficial ownership

Third country equivalence

Cross-border wire transfers


International tax reporting requirements International tax considerations:

US Foreign Account Tax Compliance Act (FATCA) – does apply to EMIs

OECD Common Reporting Standards (CRS) – does not apply directly to EMIs

The EU Directives on Administrative Cooperation in Tax Matters (DAC) (2011/16/EU & 2014/107/EU) – do not apply directly to EMIs

What is the purpose of these requirements?

Combatting tax evasion by reporting on accounts held overseas

Current international, and certainly UK, focus

UK Implementation

The International Tax Compliance Regulations 2015 – require firms to:
Carry out due diligence as per FATCA, DAC and CRS (where applicable to your business)
Maintain a record of due diligence
Report to HMRC

Reporting requirements: some similarities and differences

Potential confusion over reporting requirements for prepaid accounts


FATCA What is FATCA?

The US Foreign Account Tax Compliance Act

It is a tax based initiative by the US administration

Obliges certain entities to either report on the financial activities of US persons or withhold funds

What is the purpose of FATCA?

US government (the IRS) initiative to crack down on people hiding untaxed income outside the US

What is the impact of FATCA?

Obliges financial institutions to:

Perform appropriate due diligence on their customers so that they can either:
Report to the IRS on US persons with substantial assets ($50,000 and above); or
Withhold 30% of any US-source income

How can the US do this?

Through mutual international tax agreements:
EU directive implemented
Member States have also implemented their own regulations including the UK FATCA


Final thoughts
Firms must ensure they apply an appropriate risk based strategy to their AML requirements
Firms must keep their AML procedures up to date to reflect changes in regulations, industry practice and customer behaviour
RegTech can be a useful tool for firms to use to meet their AML obligations
Must be able to convince clients and regulators of your approach to AML
Need to be mindful of cross-border issues both within, and beyond, the EU
4MLD will require firms to make significant changes to their AML procedures
Ensure you are aware of your tax reporting requirements


“The only source of knowledge is experience"

Albert Einstein

Questions?

