Introduction to e-money and e-payments law
Overview
What is e-money?
The wider world of payment services
How do e-money and payment services fit within the existing financial services framework?
What different laws do you need to consider as an e-commerce business?
What are the relevant regulators, schemes and market players?
Do you know how to think like a regulator?
How do you do business across borders?
What is E-money?
E-money – what a strange fish!
The simplest way of thinking about e-money from a regulatory perspective is that it is a particular type of regulated IOU.
E-money is simply fiat money held as a regulated liability, held on your behalf (usually) by a regulated entity.
The ‘electronic’ tag is now a misnomer in a world of e-banking and mobile payments; in fact it is unhelpful and gives rise to confusion with crypto-currency.
From a technical perspective it is more helpful to see regulated e-money as being similar to money held on a bank account, albeit that, inter alia:
an EMI is not able to borrow or lend against funds held by it (no fractional reserve recycling allowed);
the funds are not covered by the deposit guarantee scheme;
the EMI must hold matching assets for liabilities and safeguard the funds using a recognised ring-fence or protected pool.
In addition it must be remembered that not all e-money issuers are EMIs; this has consequences for regulatory analyses.
E-money issuers sit within the wider group known as Payment Service Providers.
Blurring the boundaries
Cryptocurrency is not e-money
The rise of bitcoin and other cryptocurrencies (CCs) means that we need to be careful when we think and talk of electronic money.
E-money is a very good description of bitcoin and CCs, albeit that they are not currently recognised as legal money (PSD = ‘funds’).
In February 2016, the European Commission announced their intention to:
make CC exchanges obliged entities under the 4th AML Directive;
incorporate CCs within PSD2 (extending the definition of funds?).
The Commission has previously decided not to incorporate e-money within PSD2. This means we are likely to have even more confusion once CCs are within scope of the regulated payments regimes.
On the plus side:
adding CCs to PSD2 and the 4th AML Directive will make it easier for operators in that space to defend themselves from charges that they are operating in the darknet and that they are predominantly useful for terrorists, drug dealers and other criminals;
it will also make it easier for other obliged entities (payments, gaming) to work with CCs.
A wide world of payments law
EU law relating to regulated payments is remarkably wide-ranging in its scope and requirements.
Implementing framework contract requirements onto account/card program terms takes considerable time and effort – balance legal requirements vs readability; interpretation issues abound and differ by Member State.
Always consider the exemptions first once you appear to be in scope (e.g. commercial agent, group collection, money remittances, limited network, B2B programs).
PSD2 offers some interesting opportunities and challenges for the e-commerce sector.
Opportunities:
New payment initiators
Account aggregators
Challenges:
Reduces use of some of the exemptions (e.g. commercial agent exemption, limited network exemption)
Potential for Member States to block incoming PSPs (other than credit institutions) from exercising passporting rights based on interests of payment service users
Much is vague, unclear, overly wide and leaves much to be done later (e.g. strong authentication, rights to access payment account information by initiators and aggregators)
Already the EC appears to want to amend PSD2
Fitting e-money and payments into existing frameworks
Member States must implement the Directives into national law, which can differ greatly across Europe.
Implementation effects give rise to differences in:
Translation
Interpretation
Transposition
Sometimes it is remarkable how different the approaches can be within Europe. For example:
Some Member States refuse to allow cross-border agents and distributors
Some Member States’ law may not safeguard funds sufficiently due to errors in transposition or failure to adapt existing local law
Some Member States take a very strict view on reliance upon exemptions
Operators must remember that exemptions and UK interpretations are not passportable.
Choosing the right Home State is therefore essential.
It is also essential to conduct detailed cross-border analysis for many aspects of your business including: terms and conditions, AML, agents and distributors.
Other laws to consider in the ecommerce sector
Anti-Money Laundering and Counter-Terrorist Financing Directives
JMLSG Guidelines
Sanctions
OFAC
FATCA
CSR?
Data Protection & Cookies
E-commerce Regulations
Distance Sales
Unfair Terms in Consumer Contracts
Brussels Regulations & Rome Convention
Online Dispute Resolution Requirements
Relevant Stakeholders
FCA & Other EEA Regulators
Bank of England/PRA (e.g. see Project Rome)
EBA
Payment Systems Regulator
Card Schemes (including MasterCard & Visa)
Industry Associations (EPA, PIF, EMA, GEMA)
Learn to talk the language of your other stakeholders:
Focus on what matters to them
Work collaboratively
Legal and regulatory analysis is only part of the picture
Public policy considerations are overriding issues
Doing Business Across Borders
It can be a shock to realise how different other MS can be towards innovative payments providers (e.g. German economic vs UK purposive interpretation).
Sometimes MS can appear to be hostile to non-local PSPs.
Much of this is likely driven by a lack of knowledge about the e-payments sector.
Some of it is also driven by fear of loss of control of their local financial sector.
Need to ensure your Home State regulator is on-side and supportive of your approach to key issues – bring them with you on your journey.
Remember that local interpretation of various laws may differ significantly.
E.g., local AML requirements can also make doing business in the rest of Europe costly and complicated (country of establishment vs country of customer).
Consider carefully whether to passport at all and, if so, on a freedom of services or establishment basis.
Work with cross-border experts.
“The only source of knowledge is experience” (Albert Einstein)
Discussion & Questions
Director & Associates: Peter Howitt, John Pauley & David Borge
e: peterhowitt@ramparts.eu johnpauley@ramparts.eu davidborge@ramparts.eu
w: http://www.ramparts.eu
t: +44 161 914 9785
Disclaimer: This presentation may contain information and guidance relating to a variety of legal, regulatory, corporate and tax matters. It is not intended to be and should not be relied upon as legal advice by Ramparts.
Electronic Money: Past, Present & Future David Borge
Overview
What is e-money?
The key legislation and history
What are payment services?
The main regulatory requirements for EMIs
Agents and Distributors
Passports (Services and Establishment)
Programs: Program Managers and Co-Brand Partners
Prepayment business models
The future
E-money definition
The EMRs define e-money as electronically (including magnetically) stored monetary value represented by a claim on the issuer that is:
1. issued on receipt of funds for the purpose of making payment transactions;
2. accepted by a person other than the electronic money issuer; and
3. not excluded by regulation 3 of the EMRs, i.e. monetary value that is:
stored on instruments that can be used to acquire goods or services only in or on the electronic money issuer’s premises, or under a commercial agreement with the electronic money issuer, either within a limited network of service providers or for a limited range of goods or services (e.g. Shopping Centre Gift Cards); or
used to make payment transactions executed by any telecommunication, digital or IT device where the goods or services are delivered to and used through such a device, but only where the operator of the device does not only act as an intermediary between the user and the supplier.
Key Legislation The Second Electronic Money Directive 2009/110/EC (“2EMD”) Electronic Money Regulations 2011 (“EMRs”)
The First Payment Services Directive 2007/64/EC (“PSD”) Payment Service Regulations 2011 (“PSRs”)
2EMD does not stand on its own and contains numerous cross-references to the PSD, particularly in connection with the negative scope, the rules on outsourcing, the use of distributors and agents, the on-going capital requirements, the possibility to offer payment services, the safeguarding requirements and the out-of-court complaint and redress procedures.
Historical Development
1990’s: Electronic purses and payment products were developed.
1994: European Money Institute (precursor to ECB) published its first report on EU prepaid instruments.
2000: EMD was adopted. It was problematic, too restrictive on EMIs’ activities, and interpretation varied across the Member States.
2007: PSD was adopted by the European Parliament, to be implemented in member states by November 2009.
2009: 2EMD was adopted and replaced EMD. This considerably lowered the initial capital needed to set up an issuing business. It also widened the scope of services that an issuer could undertake to include all payment services. Intended to further liberalise the payments sector.
2015: PSD2 was adopted to replace PSD. Must be implemented nationally by 13 January 2018. Widens the scope of the existing PSD by covering new services and industry participants and, amongst the other numerous changes, introduces enhanced security measures. Restricts many exemptions.
What are Payment Services?
Payments/withdrawals of cash into/from a payment account as well as managing a payment account;
Execution of payment transactions (including funds covered by a credit line) including:
Direct debits;
Card payments;
Credit transfers, e.g. BACS or CHAPS payments;
Transactions made from mobile phones and handheld devices via an IT intermediary;
Issuing and acquiring of payment instruments (e.g. cards, e-wallets);
Money remittance (which doesn’t necessarily involve payment accounts and includes escrow services).
Definitions
Payment Account = account used for Payment Transactions
Payment Instrument = personalised device that enables payment orders to carry out Payment Transactions
When is a payment account e-money?
It is important to remember that the functionality of an account may sometimes determine whether it is a payment account and also e-money.
Examples
Payment collection account = not e-money (though the addition of a payment card or wallet-to-wallet transfer makes a payment account also e-money)
Ancillary purpose Payment Account – where the account could be a payment account but for the primary purpose being unrelated to making payment transactions (e.g. gambling wallet linked to a card) (see FCA PERG & PSD EG guidance – purposive & functionality test)
Who can issue e-money?
Credit Institutions
Electronic Money Institutions (EMIs)
Post office giro institutions
European and National Central Banks
Member state or regional authorities
The Regulatory Requirements: Overview
Standards for authorisation as an Authorised EMI or registration as a Small EMI;
capital requirements;
safeguarding requirements;
COB: rules relating to issuing and redeeming e-money for all electronic money issuers; and
Regulators’ powers and functions in relation to supervision and enforcement.
EMI: Authorisation
Capital is required in order to ensure that applicants are able to:
safeguard their customers’ funds and redeem e-money as and when required;
absorb unexpected losses that arise while the business is a going concern as well as those incurred on liquidation; and
maintain public confidence.
Initial capital: €350,000
Ongoing capital: at least €350,000 – calculated as specified in the EMRs. 2% of outstanding e-money for Small EMIs.
Different calculation methods must be used for e-money services and payment services.
Safeguarding
If a business that has safeguarded funds becomes insolvent, the claims of e-money holders or payment service users are paid from the asset pool formed from these funds above all other creditors (except for the liquidator’s costs of distributing the assets).
E-money must be safeguarded:
Option 1: the segregation method/investment in secure, low risk & liquid assets; or
Option 2: insurance or guarantee from an authorised insurer/CI.
Beware! Not all Member States apply the safeguarding rules in the same way, and some have very specific requirements (e.g. Germany).
Conduct of Business Requirements
2EMD COB:
Redemption & Fees (specified 6 year limit in UK & Gibraltar but varies across Member States: Netherlands allows earlier write off with consent of regulator).
Requirements re loading of e-money.
No interest.
Cross reference to PSD COB.
PSD COB:
Framework contracts.
Single payment transactions.
Charges for information & currency conversion.
Rights & Obligations: charging, authorisation & execution of transactions, execution time, value dating & liability.
Agents & Distributors
An EMI may distribute or redeem (but may not issue) e-money through an Agent or a Distributor.
Agents may also provide payment services.
EMIs must register their Agents, whilst Distributors only have to be notified to the FCA.
EMIs have overall responsibility for agents/distributors, e.g. AML, compliance, due diligence.
Non-EEA Agents: the EC has indicated that this is acceptable but not all Member State regulators will accept it (e.g. Gibraltar).
One-leg transactions: information exemption to be removed by PSD2.
Beware! Lack of EEA harmonisation (not all MS recognise the concept of a Distributor and some confuse it with Agents).
Passporting
This is the right of an EMI to conduct activities and provide services in another EEA state on the basis of its home state authorisation.
Establishment Passport: establishment in the host state via branch or Agent.
Services Passport: cross-border services basis without establishment (EMDB Form).
Local legal advice should always be obtained before passporting of services.
Not all Member States will accept Services Passport activity via a foreign Agent (i.e. Germany, Spain, Netherlands, France, Poland, Austria).
France: single transaction limit of €1,000 since Sept 2015.
Germany: strict requirements on Commercial Agent Exemption & do not recognise it in terms of invoice settlement service providers.
Sometimes it’s difficult to ascertain where activity should or needs to be passported into, e.g. cruise ship payroll cards.
One-leg transactions: information exemption to be removed by PSD2.
Local law requirements are not always EMD/PSD related – must consider AML/contract law/any other provisions.
Program Key Players
Card Scheme
BIN Sponsorship (Issuer) & Program Managers
Co-Brand Partners
Processors – Tri-party agreements?
Load-Service Providers
KYC providers
Card manufacturers
Customer Care
Program Types
General Purpose Reloadable
Travel, share cards, gifts
Corporate Load
Payroll, expenses, incentives, promotions
Clinical Trials
“Sharing” Cards (e.g. children, couples etc.)
Gambling - pay-in/out cards
Refugees
Charities
Government disbursements
Cruise Ships
Some PSD2 Feedback
EC Consultation on EU regulatory framework for financial services: Sept 15 to Jan 16.
FCA: Object to Art 30 PSD2 “Host authorities can take emergency action over serious threat to the collective interests of the payment service users in the host Member State”: power imbalance between home and host state.
HM Treasury:
Passporting requires more consistency and clarity; current cross-border activity is too expensive.
EMIs should be classified as PIs and regulated as part of PSD2.
Definition inconsistency within and across EU legislation.
Barclays Bank: 2EMD transaction limits are specified in EUR only.
The future of e-money
2EMD Art 17: EC should have presented a report on impact & implementation by Nov 2012 – delays due to certain MS implementation delays. Publication due 1st quarter 2016.
Will probably focus on recommendations on 2EMD rather than a new 3EMD, as PSD2 has clarified many of the key 2EMD concepts (e.g. limited networks, EMI supervision, home/host country definition).
EC’s current major focus following the Paris attacks is counter terrorism (4th AMLD implications) – bringing simplified products and cryptocurrency into focus particularly.
The ever changing payments landscape
Overview
Overview of EU and UK legal framework
Overview of current requirements
PSD – information requirements
PSD – payment service standards
PSD2 impact
Potential opportunities
Potential costs
New entrants and existing PSPs
Passporting and interchange fees
Final thoughts
Overview of EU and UK legal framework
EU level framework
Payment Services Directive (PSD)
Typically European Union (EU) Member States (MS) implement directives through changes to their own laws
In some countries directives are automatically incorporated into local laws when they become effective
UK
The UK has implemented PSD through the UK Payment Services Regulations (PSRs)
Changes also made to the Financial Services and Markets Act 2000 (FSMA) and associated subordinate legislation, e.g. the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 (RAO)
The Financial Conduct Authority (FCA) is the regulatory authority responsible for PSD in the UK
The FCA has issued guidance in the form of its PSR approach document: “The FCA’s role under the Payment Services Regulations 2009: Our approach”
Firms must also follow the FCA’s rulebook, also known as the Handbook
Overview of current core requirements
Authorisation and general FCA requirements
In order to provide payment services firms must either be authorised or an agent of an authorised firm
In order to become authorised firms must meet a set of threshold conditions in relation to capital, resources, management, systems and location
Authorised firms, and ultimately their agents, are subject to FCA supervision
PSR conduct of business requirements
Information based requirements
Payment service standards
PSD – information requirements
Information based requirements including:
Pre-contract and post-contract information:
Single payment transactions
Framework contract agreement (schedule 4 information)
Exemptions:
Consumer Credit Act (CCA) carve out
Low value payment instruments
Corporate opt outs
Durable medium (information to be provided or made available)
During the life of the agreement:
Changes to the agreement
Information before and after transactions are carried out, e.g. exchange rates
Charges for information – cannot charge for those required under the PSRs unless additional or different format information requested
Additional charges and reductions (cannot prevent payee charging, or offering a reduction, for use of a particular payment instrument)
PSD – payment service standards
Payment service based requirements including:
Payment instruments:
obligations of provider and customer;
spending limits; and stopping use
Carrying out payment transactions: receipt, authorisation (including recurring transactions), sending, revocation, refusal and execution of payment orders including regulatory timeframes
Unauthorised transactions including liability and refund requirements and recurring transactions
Value dating of payment transactions
Exemptions: corporate, low value and CCA carve out
PSD2 impact
The second Payment Services Directive (PSD2)
Came into force on 12 January 2018
MSs must transpose it into their national laws by 13 January 2018
Key changes
Geographical scope and currencies increased
New payment services defined: payment initiation service and account information service
Requires account holding Payment Service Providers to grant access to payment account information to third parties providing such services
Clarification of liability in certain situations
Increasing the transparency of payments and charges
Reduction in use of exemptions:
Limited network definition much stricter
ATM exemption much narrower and irrelevant if other payment services
Digital downloads – stricter and transaction limits introduced
Payment transactions through commercial agents – can only act for payer or payee
Safeguarding (greater harmonisation)
Potential opportunities
New payment services represent great opportunities
Account information services (AIS)
Some are currently providing these services, e.g. Money Dashboard
Questions about legitimacy – breaching customer terms and conditions?
PSD2 brings legitimacy plus a requirement for account holding payment service providers (PSPs) to provide information in accord with standards to be published by the European Banking Authority (EBA)
Great potential for various business models through access to a wealth of customer information
Payment initiation services (PIS)
Various European providers, and popular in certain countries, but UK activity is limited
UK market may present a big opportunity
Requires account holding PSPs (e.g. banks, credit card providers and e-money issuers) to provide access in accord with security standards to be published by the EBA
Could be an intermediary for large retailers that do not set up a PIS provider themselves
Potential costs
PSD2 will inevitably result in companies having to make changes
System changes
Document and process changes
Changes to accommodate new payment services
EBA standards
Big impact to existing account holding PSPs
Existing businesses may lose out:
Banks and other account holding PSPs may get less interaction with their customers
E-money firms will have to open up their accounts as well as banks
Payment schemes, merchant acquirers and card issuers will face greater competition
New entrants and existing PSPs
New FinTech entrants
Many new entrants may set-up as providers of AIS or PIS
Some may provide services to new AIS or PIS providers
Existing PSPs and potential security risks
Many may resist the changes as far as it is possible to do so:
Could refuse access until EBA publishes the required security standards
Could refuse access if it believes the other party (AIS or PIS provider) does not meet the standards
PSD2 ultimately compels account holding PSPs (AHPSPs) to grant appropriate access to authorised firms providing such services
Will detract from AHPSPs’ interaction with their customers and will therefore likely be resisted
Many have raised, and will continue to raise, concerns about security
EBA need to publish the security standards (including in relation to application programme interfaces (APIs)) in good time and MS regulators must ensure AHPSPs comply
Liability
PSD2 changes the liability provisions to account for AIS and PIS providers
Passporting and interchange fees
Passporting
Firms who are well positioned to take advantage of the changes in one country should ensure they are ready to take advantage of the ability to provide services throughout the EU
Small payment institutions (small PIs) and small e-money institutions (small EMIs) cannot passport
Authorised PIs and EMIs and other regulated entities, e.g. banks, can passport
Interchange fees regulation
Imposes fee caps on consumer debit and credit card transactions
Likely to result in revenue loss for established payment businesses while at the same time PSD2 introduces even further competition
Final thoughts
Complex and ever changing regulation of payments services offers both opportunities and challenges to existing businesses and new entrants to the market alike
Smaller, more nimble businesses may be better equipped than others to take advantage of the changes
Existing AHPSPs such as banks and even established e-money issuers may resist some of the changes due to the potential impact on profit
All market participants could take advantage of the new payment services by offering them to customers (both their existing customers and new customers)
Those keen to take advantage should ensure they are well positioned in terms of business model, authorisation and ability to passport throughout the EU
Potential double impact of PSD2 and interchange fee regulation on existing companies
“The only source of knowledge is experience” (Albert Einstein)
Questions?
Cybercrime, Data Protection & Liability Risks
“We may at some point see a cyber-attack so powerful on an individual bank that it has the power to bring down the institution, necessitating a state bailout”
Overview
Review and discussion of key issues involving cybercrime including:
examples of recent e-crime impacting the financial sector;
transferring/mitigating/managing liability (including insurance);
expected level of security measures for PSPs;
understanding the wider risks to your reputation and brand.
Size of Risk
McAfee, one of the most widely known security software companies, estimated the cost of cybercrime to the global economy in 2014 to be a staggering $400 billion.
In 2012, an undisclosed major London business suffered as much as £800 million in losses in just one attack.
In 2014, eBay announced an attack on its system resulted in the exposure of personal information of up to 145 million of its users[1].
That same year an attack on Home Depot, a US online retailer, resulted in the theft of 56 million payment card details[2].
Ever increasing risk & complexity
"The U.K.’s biggest banks fear cyber attacks more than regulation, faltering economic growth and other potential risks" (Centre for the Study of Financial Innovation)
What is cybercrime?
"an attack on the confidentiality, integrity and accessibility of an entity's online/computer presence or networks - and information contained within" (IOSCO and the World Federation of Exchanges (WFE))
It includes:
Phishing
Hacking
Denial of Service
Distribution of malware
Unauthorised access
Interception, Processing & Corruption of Data
Most common cybercrimes
According to McAfee, the two most prevalent techniques are: social engineering, where a user is tricked into granting access, and vulnerability exploitation, whereby an attacker takes advantage of a previously undiscovered flaw in the application's code to gain access.
EU Focus
On 28th April 2015 the European Commission adopted the European Agenda on Security – fighting cybercrime is one of the top three priorities together with tackling terrorism and disrupting organised crime.
The EU has acknowledged the “borderless, flexible and innovative” nature of cybercriminals and recognises that cybercrime “demands a new approach to law enforcement in the digital age”.
2013 Directive on attacks against information systems, which aims to tackle large-scale cyber-attacks by requiring Member States to strengthen national cyber-crime laws and introduce tougher criminal sanctions.
Data Protection Requirements
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” (DPA, 7th Principle)
Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to:
(a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and
(b) the nature of the data to be protected.
(Interpretation of the 7th Principle (Part II, Sch 1, DPA))
Data Protection Requirements: Partners
“Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle –
(a) choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and
(b) take reasonable steps to ensure compliance with those measures.”
EU Data Protection Regulation 2016
A new EU wide Regulation is proposed - the latest draft of the Regulation dated Jan 2016 states:
[personal data must be] “processed in a way that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)” (Article 5)
Article 31: Having regard to the state of the art and the costs of implementation and taking into account the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, the controller and the processor shall implement appropriate technical and organisational measures, to ensure a level of security appropriate to the risk, including inter alia, as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data;
(c) the ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
1a. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by data processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority …, unless the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals.
Infringements of Art 31 are subject to administrative fines up to 10m EUR, or in case of a business, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Data Protection Top Risks
The UK Security Report by the UK ICO of 2014 suggests the following priority risks:
a failure to keep software security up to date;
a lack of protection from SQL injection;
the use of unnecessary services;
poor decommissioning of old software and services;
the insecure storage of passwords;
failure to encrypt online communications;
poorly designed networks processing data in inappropriate areas; and
the continued use of default credentials including passwords.
2nd Payment Services Directive
“All payment services offered electronically should be carried out in a secure manner, adopting technologies able to guarantee the safe authentication of the user and to reduce, to the maximum extent possible, the risk of fraud” (Recital 95, PSD2)
New two factor authentication requirements: All PSPs must apply strong authentication for payers.
‘Strong customer authentication’ means authentication based on the use of two or more independent elements that are based on something only the user knows (knowledge), something only the user possesses (possession) or something the user is (inherence), as well as designed to protect the confidentiality of the authentication data.
PSPs must “include the authentication of transactions through dynamic codes, in order to make the user aware, at all times, of the amount and the payee of the transaction that the user is authorising” (Recital 95).
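The two rules quoted above, independence of the authentication elements and dynamic linking of the code to amount and payee, as an added illustration that is not part of the presentation. The 8-digit HMAC-derived code format, the per-transaction nonce and the device key and payee names are constructed assumptions, not anything PSD2 or the EBA prescribe.

```python
"""
Added example (not from the presentation): a minimal model of PSD2 'strong customer
authentication'. Two checks are modelled:
  1. meets_sca(): verified elements must come from at least two of the categories
     knowledge / possession / inherence (two passwords are not independent).
  2. dynamic_code(): the transaction code is bound to amount and payee, so a code
     the user approved for one transaction cannot authorise a modified one.
Keys, nonces, amounts and payees are constructed sample values.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

FACTOR_CATEGORIES = {"knowledge", "possession", "inherence"}


@dataclass(frozen=True)
class Factor:
    """Outcome of verifying one authentication element, e.g. a PIN (knowledge)
    or a registered device (possession)."""
    category: str
    verified: bool


def meets_sca(factors) -> bool:
    """True only if verified elements span at least two distinct categories."""
    categories = {f.category for f in factors
                  if f.verified and f.category in FACTOR_CATEGORIES}
    return len(categories) >= 2


def new_nonce() -> bytes:
    """Fresh per-transaction nonce (assumption) so a code authorises one transaction."""
    return secrets.token_bytes(16)


def dynamic_code(device_key: bytes, amount_cents: int, payee: str, nonce: bytes) -> str:
    """Authentication code dynamically linked to amount and payee: HMAC-SHA256 over
    amount|payee|nonce, truncated to 8 decimal digits (constructed format). The user
    is shown the amount and payee next to the code, so changing either changes the code."""
    message = f"{amount_cents}|{payee}|".encode("utf-8") + nonce
    digest = hmac.new(device_key, message, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


def verify_dynamic_code(device_key: bytes, amount_cents: int, payee: str,
                        nonce: bytes, code: str) -> bool:
    """Recompute the code for the transaction actually being executed and compare
    in constant time."""
    expected = dynamic_code(device_key, amount_cents, payee, nonce)
    return hmac.compare_digest(expected, code)


def authorise(factors, device_key: bytes, amount_cents: int, payee: str,
              nonce: bytes, code: str) -> bool:
    """A transaction is authorised only if SCA is met AND the code matches the
    amount and payee being executed."""
    return meets_sca(factors) and verify_dynamic_code(
        device_key, amount_cents, payee, nonce, code)


if __name__ == "__main__":
    key = b"constructed-device-key"  # constructed sample value
    nonce = new_nonce()
    factors = [Factor("knowledge", True), Factor("possession", True)]
    code = dynamic_code(key, 12050, "Sample Merchant Ltd", nonce)
    print("genuine transaction:", authorise(factors, key, 12050, "Sample Merchant Ltd", nonce, code))
    # The same code presented for an altered amount must be rejected.
    print("altered amount:", authorise(factors, key, 99950, "Sample Merchant Ltd", nonce, code))
    # Two knowledge elements alone do not satisfy the independence requirement.
    print("PIN + password only:", meets_sca([Factor("knowledge", True), Factor("knowledge", True)]))
```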
2nd Payment Services Directive
Security reporting obligations for payment service providers:
“1. In the case of a major operational or security incident, payment service providers shall…notify the competent authority in the home Member State of the [PSP]. Where the incident has or may have an impact on the financial interests of its payment service users, the [PSP] shall...inform its payment service users of the incident and of all measures that they can take to mitigate the adverse effects of the incident.” (Art 96, PSD2)
By 13 January 2018, EBA shall, in close cooperation with the ECB and after consulting all relevant stakeholders… issue guidelines in accordance with Article 16 of Regulation (EU) No 1093/2010 addressed to each of the following:
(a) payment service providers, on the classification of major incidents referred to in paragraph 1, and on the content, the format, including standard notification templates, and the procedures for notifying such incidents;
(b) competent authorities, on the criteria on how to assess the relevance of the incident and the details of the incident reports to be shared with other domestic authorities.
High Profile Cases
Sony (2011): personal details from approximately 77 million accounts were compromised; prevented users of PS3 from playing online; outage lasted 23 days; fined £250,000 by ICO
Talk Talk (2015): 4m customers' bank and credit card details stolen; could lead to fines of £500,000 by ICO; severe reputational damage
Carbanak Virus (2013 -?): global (but Russia particularly impacted); over $1bn in losses to date
What is financial crime?
The term "financial crime" is defined widely (see amended section 1 of the Financial Services and Markets Act 2000 (FSMA)). Financial crime is defined as including any offence involving:
Fraud or dishonesty
Misconduct in, or misuse of information relating to, a financial market
Handling the proceeds of crime
The financing of terrorism
Checklist
FCA in its financial crime guide provides self-assessment checklists for regulated businesses:
Are sufficient resources allocated to cyber-security measures?
Does the organisation's management receive sufficient management information (MI) to understand and assess the organisation's exposure to cybercrime risk?
Are arrangements in place to collect and assess information on cybercrime risk from all available sources?
Is a risk register kept and, if so, is it kept up-to-date?
Are staff (including non-IT staff) given cybercrime training at least once a year?
Is there a documented cyber-security policy in place, with the terms cybercrime, cyber-attacks and cyber-threats clearly defined?
Are staff kept up-to-date on new cybercrime threats?
Is the organisation aware of the cyber-security measures in place at its suppliers, including in particular any outsourced service suppliers?
Are arrangements in place to share information on attempted and successful cybercrime with authorities and regulators?
Defensive Measures
Do firewalls: monitor open connections, including attachments in an e-mail; block unauthorised or unwanted inbound internet traffic or connections; and disable internet add-ons (such as cookies and pop-ups)?
Does antivirus software scan any file or data package in the system for viruses (derived from a virus database)?
Can antivirus software clean, quarantine and delete any infected files?
Does software detect bots and distributed denial of service (DDoS) attacks, and block communications?
Is software aimed at identifying, logging, reporting and blocking any malicious activity on computer systems?
Are terminals protected from unauthorised and inappropriate usage?
Defensive Measures Part II
Does the organisation's disaster recovery plan cover cybercrime risk?
Are simulations of an attack on the organisation's computer system carried out to test for vulnerabilities?
Are vulnerabilities identified, quantified and prioritised?
Are all potential hazards assessed?
Are all assets, equipment and infrastructure catalogued to guide the prioritisation of threats?
Are continual checks of security controls and systems carried out to ensure they are up-to-date and implemented effectively?
Is data encrypted? Who holds a key to decrypt it?
Are networks isolated from insecure networks, such as the internet or local area network (LAN), to form a closed and secure system?
Detection
Are systems in place to: detect hacker attempts and anomalous behaviour? enable rapid detection of cyber-attacks and the blocking of any follow-up attempts? conduct real-time monitoring and analysis of potential security breaches, alerts or unusual activity for all devices (for example, computers and smartphones)? Are report logs used?
Is there a database security application in place that: monitors and analyses all activity to a database; controls and logs user access; and works independently of native database functioning?
Cyber-Resilience
Is confidential and critical information automatically detected and secured on separate systems?
Is information stored in a way that allows restoration in the event of a primary system failure?
Are storage facilities or data centres, or both, located in a separate physical location from the main network?
Are arrangements in place to notify others who could be affected by a cyberattack (for example, customers, suppliers or connected parties)?
Does the organisation have cybercrime insurance, or similar, in place?
Liability Check
What does your contract with the customer say?
Potential negligence claims
Have you breached your regulatory obligations as a financial institution? EMRs 6(5)(b) and 13(6)(b) require EMIs to have "effective procedures to identify, manage, monitor and report any risks to which [they] might be exposed"
Have you breached data protection requirements?
Bad press and reputational damage
Costs: fines, indemnity, damages, business interruption, loss of customers
E.g. under the new Data Protection Regulation the Sony hack could have cost it up to a max of $1.5bn
PSD - Transfer of Liability
PSPs can only refuse a refund for an unauthorised payment if:
it can prove the transaction was authorised;
it can prove the customer is at fault (acted fraudulently, deliberately or with ‘gross negligence’); or
the customer advised it of the transaction more than 13 months after the transaction
The customer bears the first £50 of liability where the card was lost or stolen or the customer failed to take reasonable care of security details
No liability for any unauthorised payments made after the customer notifies the PSP of the loss, theft or unauthorised use of a card or password – unless the PSP can prove the customer acted fraudulently.
“The only source of knowledge is experience" Albert Einstein
Questions & Discussion
Director & Associates Peter Howitt, John Pauley & David Borge e: peterhowitt@ramparts.eu johnpauley@ramparts.eu davidborge@ramparts.eu w: http://www.ramparts.eu t: +44 161 914 9785 Disclaimer: This presentation may contain information and guidance relating to a variety of legal, regulatory, corporate and tax matters. It is not intended to be and should not be relied upon as legal advice by Ramparts.
AML and International Tax Reporting Requirements
Overview AML legal framework Risk based approach AML and RegTech Convincing others Regulators and enforcement agencies Cross-border issues International tax reporting requirements FATCA Final thoughts
AML legal framework EU Level framework
Currently subject to the third money laundering directive (3MLD)
The fourth money laundering directive (4MLD) will replace 3MLD by 26 June 2017 at the latest
Territoriality principle:
General principle of EU AML legislation is that the rules and regulations of the Member State (MS) in which an undertaking is established apply
MSs are allowed to enact legislation that reverses this presumption e.g. location of the customer
What laws should we follow?
You must always follow the laws of the country you are established in
But you may also have to follow the laws of the countries in which your customers reside
Image by TaxRebate.org.uk: https://creativecommons.org/licenses/by/2.0/
Risk based approach What does a risk based approach to AML actually mean?
3MLD, and EU MS laws all require firms to take a risk based approach to AML
Firms must assess the money laundering (ML) and terrorist financing (TF) risks of their business
Firms must apply an appropriate strategy to mitigate the risks identified – no tick box approach
Laws and regulations provide a framework Simplified due diligence (SDD): low risk; product values below certain levels Customer due diligence (CDD): identification and verification required Enhanced due diligence (EDD): higher risk situations, e.g. PEPs, ML/TF suspicion or large transactions
Justifying approach
Must carry out risk assessment; create appropriate ML/TF policies and procedures and execute
Don’t have to play safe as long as you can justify it
Image by Howard Lake: https://creativecommons.org/licenses/by-sa/2.0/
AML and RegTech What is RegTech?
Familiar to many FinTech companies: use of technology to fulfil regulatory requirements
AML compliance is a key example where RegTech has been used for many years
FCA keen to make the UK a hub for RegTech and are inviting input from all interested parties
RegTech development
RegTech continues to develop to meet the evolving demands of businesses and consumers
Firms that can successfully combine compliance and technology expertise will continue to be at an advantage in this field
AML RegTech
Firms look for solutions that: Can readily evidence compliance with AML requirements; Ensure checks are carried out as quickly as possible; Provide comfort that customers are who they say they are; and Provide an excellent user experience without putting off customers.
RegTech firms keen to push boundaries and influence changes in laws and attitudes of regulators
Not just KYC, e.g. suspicious activity reporting and regulatory reporting
Convincing others Regulators
Must evidence your risk based approach by documenting it and ensuring it is executed properly
Be open and cooperative in your communications with regulators
Evidence that you keep up to date with changes in industry practice, regulations, guidance and updates from regulators and international bodies such as the Financial Action Task Force (FATF)
Counterparties
Must convince your clients that your AML systems and controls are effective
Business models and risk appetite vary: build in ability to tailor to counterparties’ requirements
Image from a Blatant World article: https://creativecommons.org/licenses/by/2.0/
Image from EurActiv.com: https://creativecommons.org/licenses/by-sa/2.0/
Regulators and enforcement agencies Do I have to speak to my regulator?
Countries take ML/TF requirements seriously and expect regulated firms to do likewise
Regulated firms have to interact with their regulators and enforcement agencies, e.g. financial intelligence units (FIUs)
Better to do so proactively than be approached
Interaction with financial intelligence units and law enforcement agencies
Must report suspicion and knowledge of ML/TF activity
Registration with FIUs for online reporting
Automation and use of RegTech could help enhance processes and reduce time required
Ensure MLRO / nominated officer in place and is point of contact for FIU
Ensure efficient issue identification, reporting, tracking and resolution mechanism in place
Cross-border issues Operating in multiple EU jurisdictions
Must comply with the laws in the MS in which you or your agents are established
Must also comply with local laws where required in addition, e.g. when providing services to Spanish residents
Reporting suspicion and knowledge of ML/TF Home MS AND MS of customers Tipping off Freezing accounts
Operating in multiple jurisdictions both inside and outside of the EU
Different AML regimes
Different reporting/freezing regimes e.g. the US would not typically freeze accounts but require funds to be returned to point of origin Significant conflict for firms operating in EU and US
The Fourth Anti-Money Laundering Directive The Fourth Money Laundering Directive (4MLD)
MS must implement it by 16 June 2017 at the latest
Implementation may be brought forward to end of 2016
Intended to address inconsistencies between 3MLD and the Financial Action Task Force’s recommendations
Key changes
Increased focus on risk based approach
Risk based approach not just for financial entities: EBA, national, regulators, industry
Tax crimes
Customer due diligence
Politically Exposed Persons
Beneficial ownership
Third country equivalence
Cross-border wire transfers
International tax reporting requirements International tax considerations:
US Foreign Account Tax Compliance Act (FATCA) – does apply to EMIs
OECD Common Reporting Standards (CRS) – does not apply directly to EMIs
The EU Directives on Administrative Cooperation in Tax Matters (DAC) (2011/16/EU & 2014/107/EU) – does not apply directly to EMIs
What is the purpose of these requirements?
Combatting tax evasion by reporting on accounts held overseas
Current international, and certainly UK, focus
UK Implementation
The International Tax Compliance Regulations 2015 – require firms to:
Carry out due diligence as per FATCA, DAC and CRS (where applicable to your business)
Maintain a record of due diligence
Report to HMRC
Reporting requirements: some similarities and differences
Potential confusion over reporting requirements for prepaid accounts
FATCA What is FATCA?
The US Foreign Account Tax Compliance Act
It is a tax based initiative by the US administration
Obliges certain entities to either report on the financial activities of US persons or withhold funds
What is the purpose of FATCA?
US government (the IRS) initiative to crack down on people hiding untaxed income outside the US
What is the impact of FATCA?
Obliges financial institutions to:
Perform appropriate due diligence on their customers so that they can either: Report to the IRS on US persons with substantial assets ($50,000 and above); or Withhold 30% of any US-source income
How can the US do this?
Through mutual international tax agreements:
EU directive implemented
Member States have also implemented their own regulations including the UK FATCA
Final thoughts
Firms must ensure they apply an appropriate risk based strategy to their AML requirements
Firms must keep their AML procedures up to date to reflect changes in regulations, industry practice and customer behaviour
RegTech can be a useful tool for firms to use to meet their AML obligations
Must be able to convince clients and regulators of your approach to AML
Need to be mindful of cross-border issues both within, and beyond, the EU
4MLD will require firms to make significant changes to their AML procedures
Ensure you are aware of your tax reporting requirements
Questions?