As the U.S. payments industry looks forward to regulatory relief, experts from the Prepaid International Forum talk about regulatory threats and opportunities for e-money in the U.K. and EU.
European regulators reeling from terrorist attacks in Paris in 2015 and Brussels in 2016, among others, turned their attention to prepaid cards last year, in an effort to crack down on terrorist financing. The proposals, which included prohibiting online use of anonymous prepaid cards as well as lowering the thresholds before customer due diligence (CDD) is required, put the industry on alert. The Prepaid International Forum (PIF), a nonprofit trade group based in London, responded quickly, arguing for a risk-based approach to regulation rather than knee-jerk reactions that its members believed would do little to actually fight terrorist financing and money laundering. What’s more, the European Banking Authority announced a proposal for stronger authentication for electronic payments—part of its mandate under the Second Payment Services Directive (PSD2)—which many in the industry believe will hamper online commerce and basically put an end to one-click checkout, again without taking true risks into account.
Paybefore spoke with two leaders of PIF’s AML Working Group—Dr. Hartwig Gerhartinger, vice president, group regulatory and governmental affairs, Paysafe Group; and Giedre Mitkute, legal assistant, Locke Lord LLP—to find out more about these regulatory issues and what’s ahead in 2017. (See our EU Regulatory Glossary below for terms that may be helpful in following the discussion.)
Paybefore: Brexit aside, what are the top regulatory or legislative challenges for the e-money industry in the U.K. and EU in 2017?
PIF: We see a big wave of regulation ahead for the payments industry. From a financial regulatory perspective, this year will be influenced greatly by the preparations for the Second Payment Services Directive (PSD2). PSD2 comes with the promise to increase competition and innovation in the payments landscape, while increasing the standards of security and consumer protection. While PSD2 will not have to be implemented by member states until January 2018, we will see a lot of very detailed regulation coming in this year.
The European Banking Authority is mandated to create four Regulatory Technical Standards (RTS) in various fields. The RTS that got most of the attention is the RTS on Strong Customer Authentication. The draft RTS published by the EBA for consultation last year received more than 200 responses, which gives a flavor about the sensitivity and importance of this piece of legislation for the payments industry in general. On top of that, the EBA will be working on five guidelines which cover topics like Operational Risk and Security Measures as well as Security Incident Reporting or Complaints Handling. Most of the work by the EBA will be finalized this year.
While keeping an eye on all these developments, payments companies need to get ready for the new General Data Protection Regulations (GDPR), which also enter into force in 2018. The GDPR together with the data protection rules under PSD2 will require changes to various processes within payment businesses, e.g., the way customers need to consent to the use of their data for marketing purposes.
Last but not least, the implementation of the 4th Anti-Money Laundering Directive by European member states will be a challenge for many prepaid businesses, especially for the players—for example, in the gift card market—that rely on an exemption from requirements to carry out customer due diligence (CDD). AMLD4 permits member states to exempt certain low-value, low-risk products from identification requirements. To be considered for the exemption, products have a €250 maximum balance and monthly transaction limit and a €100 cash withdrawal limit (with some additional conditions). However, member states are free to impose stricter requirements in implementing the exemption for e-money instruments, which is where some of the challenges come in for prepaid issuers providing their services under a European passport. What’s more, many member states haven’t yet published their draft texts of their implementing regulations even though the deadline for AMLD4 implementation is set for June 26, 2017. For example, the U.K., which despite the Brexit vote is continuing with its implementation of AMLD4, has not yet published the draft text of its implementing regulations, which has basically put the industry in a holding pattern.
EU Regulatory Glossary
If you’re not immersed in the regulatory environment of the EU, the process and parties can get confusing. Here are a few definitions to help you keep up with what’s happening.
Member States: The 27 countries that make up the EU are called member states.
European Banking Authority: The European Banking Authority (EBA) is an independent EU Authority that works to ensure effective and consistent prudential regulation and supervision across the European banking sector. Its overall objectives are to maintain financial stability in the EU and to safeguard the integrity, efficiency and orderly functioning of the banking sector.
EU Council: Defines the general political direction and priorities of the EU. Members are heads of state or government of EU countries, European Commission President, High Representative for Foreign Affairs & Security Policy. President: Donald Tusk.
EU Commission: Promotes the general interest of the EU by proposing and enforcing legislation as well as by implementing policies and the EU budget. Members include a team or ‘College’ of Commissioners, one from each EU country. President: Jean-Claude Juncker.
EU Parliament: Directly elected EU body with legislative, supervisory and budgetary responsibilities, includes 51 members (MEPs). President: Martin Schulz.
Consultation paper: Similar to the notice of proposed rulemaking process in the U.S., a consultation paper is a proposal shared by a regulator or other relevant authority to get feedback prior to issuing final legislation or standards. The main EU bodies (the Commission, the Council and the Parliament) typically do not openly consult before adopting their positions. The EBA and EU member states often consult before adopting final legislation/standards.
Trilogue: Meeting of the European Parliament, the European Commission and the European Council, which aims to reach an agreement on a compromise text of law acceptable in content and form to the three institutions.
Rapporteurs: A Rapporteur is a member of the European Parliament who is responsible for drafting a report on a draft European Law for the Parliament committee in which he is a member.
Directive: A directive is a legislative act that sets out a goal that all EU countries must achieve. However, directives often allow some flexibility to the individual countries in adopting, for example, requirements stricter than the set minimum or in not adopting certain requirements. Directives are addressed to member states and need to be transposed into national legislation by individual EU countries before a set deadline. It is only then that the requirements become applicable to businesses and individuals.
Draft text: Member states usually issue a draft of their implementing regulations, which is then often open for comments from the interested stakeholders for a set time period before the final text is adopted into law.
Regulation: A regulation is a binding legislative act. It must be applied in its entirety across the EU.
Into Force: The effective date or compliance deadline.
Paybefore: What about the even stricter requirements for the electronic money exemption under a new directive amending AMLD4 (the so-called AMLD5) proposed by the European Commission?
PIF: Well, the Commission proposal is now under discussion with the Commission, the EU Council and the EU Parliament adopting varying positions on the details of the amendments. It will most likely take until mid-2017 for this process to be finalized. We are not expecting that the new requirements will have to be transposed by member states in 2017. However, it is definitely challenging to build business strategies in a framework that is subject to constant change, which is why PIF is of the opinion that the good compromise reached under AMLD4 shouldn’t have been subject to any amendments under AMLD5.
Paybefore: There’s a lot in flux. Before we get into more of the specifics on the challenges, is it all doom and gloom for the industry?
PIF: One of the main changes of PSD2 is the creation of new payment services, such as “payment initiation services” and “account information services”. Both services are based on the access by third parties to payment accounts, which is seen as a potential game changer, allowing the rollout of business models that leverage on the data held by banks while making it easy for customers to manage their financials.
This could enable, for example, e-money institutions to draw from the wealth of information available from their customer’s account to offer new, data-rich and more personalized value-added services.
Even though discussions about the technical interfaces that will be needed to ensure smooth access to accounts have hardly started, it seems that strategic decisions need to be made now.
Paybefore: Going back to the challenges, let’s talk about lowering the thresholds for purchase of non-reloadable prepaid cards before customer due diligence rules kick in. What are the current thresholds—is it still €150 (down from €250)? What are the implications of this change for the industry?
PIF: The exact AMLD5 changes to the CDD exemption are not yet clear. Currently, the EU Commission and the EU Council seem to be settled on the limit for the maximum monthly payment transactions limit and the maximum amount stored on electronic money instruments to be reduced to €150 from €250 in the AMLD4, as well as on the reduction of the maximum cash withdrawal limit to €50 from €100.
However, there seems to be more of a divide of opinion among the members of the EU Parliament over the need to reduce these limits because, as some MEPs have pointed out, there’s a lack of sufficient evidence in the impact assessment to show that reducing the limits would counter terrorist financing. The EU Parliament committees (ECON and LIBE) are set to vote on their legislative resolution on Feb. 9. In the end, the changes to AMLD5 will have to be decided in the trilogue negotiations between the Commission, the Council and the Parliament, thus the outcome is yet to be seen.
If the maximum storage and monthly payment transaction limits were to be reduced to €150, the impact on the prepaid industry will vary segment by segment. Some e-money issuers will carry out CDD on their customers as soon as the limits are reached to enable customers to use their products above the quite low thresholds, and some will reduce the maximum limits to fit under the new limits. We expect that some e-money products will be discontinued, especially where the cost of identity verification is not justified by the limited returns available on the low-value instruments. The ease with which a customer’s identity can be verified will be a significant factor. While in the U.K. the electronic verification method is quite prevalent, this isn’t necessarily the case in other member states. Typically, distributors, such as supermarkets and convenience stores, aren’t well-positioned to carry out CDD on customers. Thus, issuers likely will look for other ways to collect and verify customer identity at some other point, for example when cards are activated.
This will not, of course, necessarily mean that distributors will stop selling prepaid cards above the prescribed thresholds, but it will be up to each issuer to ensure that customer information is collected and verified, as well as to come up with a solution as to how this will be done, either with the assistance of distributors or independently.
However, one of the EU Parliament’s draft reports indicated plans to include e-money distributors as entities subject to the anti-money laundering legislation, which would be extremely prejudicial for the electronic money industry. Potentially this could mean that any Website provider or convenience store that sells or loads electronic money cards would be subject to all of the obligations under the money laundering regime. This includes carrying out CDD, having appropriate risk-based policies and procedures, carrying out risk assessments, monitoring and reporting, as well as staff training. E-money issuers already have to comply with all of these requirements as well as oversee the activities of their distributors, thus it is not clear what benefit all of this duplication of effort would achieve. Distributors typically do not have a full picture of the relationship with the customer (e.g., transaction history) and are simply ill-placed to recognize any suspicious activity.
If this proposal was adopted as part of AMLD5 changes, we would anticipate e-money distribution networks would shrink as the returns from e-money distribution business are not likely to justify the costs of compliance.
Paybefore: Under the proposed rules, what information would distributors have to collect?
PIF: The rules proposed by the EU Commission do not establish any particular requirements for the distributors of electronic money. The requirements need to be applied by the e-money issuers in their capacity as “obliged entities” under the AML rules. Including distributors into the group of obliged entities would not only double the KYC requirements, it would also create a lot of practical issues that should be avoided.
Under the proposed rules, the e-money issuer would be required to identify the customer by collecting personal information from them, if the product does not benefit from the CDD exemption. This information must be verified “on the basis of documents, data or information obtained from a reliable and independent source”. As AMLD4 intends to strengthen the risk-based approach, the e-money institution will have room to delay this second step (verification) in line with the risk profile of the product and the business relationship.
Paybefore: Is there any evidence that such changes would have the intended effect of limiting the anonymous use of prepaid instruments for use for terrorist and criminal purposes? Is there any evidence that anonymous prepaid cards were involved in the terrorist attacks in Europe?
PIF: There is little publicly available information on the actual case that triggered the discussion. From what was reported in the press, we understand that the terrorists used prepaid cards for unsuspicious transactions, like their everyday spending, renting apartments and cars, and that most of the products that were found were in fact verified, identified and/or verified payment instruments. It’s also said that the terrorists had bank accounts with debit cards. However, there is no hard evidence that the attacks could have been prevented if the proposed rules had been in place at the time.
At the same time, it’s important to acknowledge that the digital trail created by the terrorists using the prepaid cards helped law enforcement to trace their movements and elucidate the case. This trail wouldn’t have existed if the terrorists had used cash instead of prepaid products.
Paybefore: What about the potential loss of the CDD exemption for nonreloadable cards used online?
PIF: The EU Commission’s proposal to suppress the CDD exemption for the online use of e-money products was widely criticized across all stakeholders. PIF always has strongly opposed the proposed complete or partial suppression of the CDD exemption for the online use of prepaid products. Not only does it create an uneven playing field between products designed for offline use only and products that can also be used online, it will hamper innovation at a time when the lines between online and in-store payments are blurring.
The Commission proposal also goes against the spirit and the idea of the evidence-driven, risk-based approach and it ignores the variety and diversity of low-value, low-risk prepaid products (for example, a gift card which can be spent at multiple retailers). Instead, the proposals seem to require identification of any users of regulated prepaid products for online use, regardless of the money laundering and terrorist financing risks related to such products, creating unnecessary hurdles for online payments. The proposed measures also seem to ignore completely that prepaid cards enable the tracing of transactions and are subject to transaction monitoring at the point of sale both online and offline. The Commission proposal also lacks any evidence for this distinction.
This criticism was also taken into account by the rapporteurs in their joint report, issued in November last year, in which they proposed to strike the respective wording without substitution. The EU Council seems to have settled on a position that for a limited period of three years, the CDD exemption still could apply if online transactions were limited to €50. Thereafter electronic money instrument users would have to be identified irrespective of the amount paid online. It cannot be said what the final compromise reached in the trilogue negotiations on this question will be, but we continue to advocate for a level playing field between online and offline payments under the CDD exemption.
If the Commission proposals went ahead, we anticipate that some electronic money products will be withdrawn from the market or restructured to move to an unregulated sector, such as closed-loop gift cards, where none of the anti-money laundering requirements apply.
Paybefore: The European Commission has said that: “In addition, anonymous prepaid cards issued outside the Union will only be used in the Union where they can be shown to comply with requirements equivalent to the ones in 4AMLD.” Is this enforceable? Will it mean that cards issued outside the EU will no longer be accepted at the POS?
PIF: The AMLD5 proposal package includes a restriction on prepaid cards issued outside the EU to be only acceptable within the EU if such cards are compliant with the AMLD4 requirements. However, it is not yet clear if the obligation on ensuring this would fall on the acquirers of cards or on the card schemes (the latter being proposed by the EU Council). In any case, at the current date there are no readily available controls that would enable either the schemes or the acquirers to enforce such a restriction, without new data gathering on a massive scale and the development of new technical solutions to distinguish between AMLD4-compliant and non-compliant and non-EU-issued cards.
It’s worrying that a seemingly easier solution could be to simply stop accepting all non-EU issued prepaid cards, and it cannot be completely ruled out as a potential outcome. This proposal shows a complete lack of understanding of the prepaid market environment and what is technically possible or not. It also seems extremely prejudicial on the prepaid industry to only impose such a requirement on non-EU issued prepaid cards, while no similar restrictions are proposed for other types of payment instruments, such as debit or credit cards.
Paybefore: Obviously, nobody wants their products to be used by terrorists or money launderers. Are there new controls that would make more sense in terms of combatting these threats? Or, do you feel that current regulations/laws are doing the job?
PIF: The prepaid industry has invested substantial amounts of money in the creation and improvement of transaction monitoring systems to prevent their products from being used for unlawful purposes such as fraud, money laundering and terrorist financing (ML/TF). Thanks to these investments, providers of prepaid services are able to monitor efficiently all transactions based on extensive data collected. This encompasses, in particular, data about the electronic devices and IP addresses used for online payments, as well as information about where the respective prepaid products have been purchased. For example, issuers’ transaction monitoring systems usually allow them to link multiple transactions to specific computing devices. By blocking computing devices that are linked to suspicious usage patterns, issuers can mitigate the risk of these products being used for ML/TF purposes. Also, as mentioned, these data are available to law enforcement for their investigations.
Paybefore: What are the next steps for passage of the amendments? Is there any hope of further changes that would make the rules less onerous to the industry?
PIF: The original AMLD5 proposal had set an ambitious time frame for bringing forward both the implementation of AMLD4 and AMLD5 changes to Jan. 1, 2017. This has not, of course, materialized, given that the AMLD5 negotiating position is yet to be agreed by the Parliament.
Moving forward, the final AMLD5 would have to be negotiated at trilogue stage between the EU Parliament, the Council and the Commission, which are expected to take place in March, with an aim of finalizing the discussions in June 2017. From the draft texts published by the Council and the Parliament it does, however, seem that a likely implementation deadline for most of the AMLD5 amendments will not be earlier than 12 months after AMLD5 is adopted.
Paybefore: Let’s shift to the online authentication proposal from the European Banking Authority. We previously reported that the EBA would be coming out with new rules in January. What’s the status and what are the chief concerns with the proposal?
PIF: The EBA published its consultation paper on the draft regulatory technical standards (RTS) on strong customer authentication (SCA) and common and secure communication (CS) on Aug. 12, 2016. The consultation received a huge number of responses and the draft RTS were subject to a lot of criticism from the payments industry and other stakeholders.
One of the major concerns with the draft RTS was the absence of an exemption on a risk-sensitive basis from the requirement to apply strong customer authentication. The exemptions set out in the draft RTS are not proportionate to the overall fraud risks (e.g., mandating SCA to be applied for all remote payment transactions over €10, regardless of their risk) and not future proof (e.g., exemption for contactless transactions of €50 or €150 cumulative, whereby upon exceeding such limits SCA would be required).
The immediately apparent implication of not allowing for the risk-based approach to decide what lengths to go in authenticating customers when authorizing transactions and setting too limited exemptions is that it would damage the frictionless customer experience and lead to abandoned transactions. Strong authentication requires the customer to authenticate a payment by using two elements, e.g., by inputting codes generated through a card reader or received on their mobile devices. It does make sense for payments with a higher transactional risk. However, it’s disproportionate for low-risk (and not necessarily low-value) transactions, significantly hampering the customer shopping experience.
In the introductory statement from the EBA chair, delivered at a scrutiny hearing held by ECON on Nov. 29, 2016, the EBA indicated that it will continue to evaluate the feedback it has received. Thus, there seems to be some scope for amendments to the draft RTS. The EBA chair also indicated in the same statement that the final RTS will be submitted for review and adoption “a month or so” later than the deadline of Jan. 13, 2017, set by PSD2. Thus, we should expect to see a final draft RTS around mid-February.
Paybefore: What’s your general outlook on the regulatory environment?
PIF: 2017/18 will be a period of regulatory change and challenges for the prepaid and e-money industry, as well as the wider payment services and banking sector. Some of the regulatory changes make it apparent that even after 15 years of regulation, the prepaid and e-money industry is all too often misunderstood by the EU and local member state legislators alike.
While the regulatory challenges are by no means insignificant, AMLD4 and especially the PSD2 can be catalysts for change. E-money institutions are often at the forefront of new and innovative products and services and are likely to reinvigorate and take advantage of any opportunities coming their way as a result of, among other things, the regulatory changes.
For more than 10 years, PIF has been a strong voice for the prepaid sector. We continue to build an increasingly diverse and proactive group of businesses that enables us to educate the relevant bodies and represent our members’ interests at all levels of the legislative process. PIF is uniquely positioned to extend its influence and help the sector navigate what is an often uncertain and complex time for the payments industry.