Banking and payments technologies have evolved and consumers increasingly rely on trusted third parties to look after their money in non-banking contexts. Today, you can pay for things on your mobile phone and you can send money to other parts of the world without using a bank. You can buy a card which enables you to get money out of an automated teller machine (ATM) while on holiday, without drawing on your bank account, and you can pay for goods bought online without needing to use a credit card. These are all things which were difficult to imagine, as recently as in the 1990s. Law and regulation however, struggle to keep up with these technological and commercial developments.
The Payment Services Directive (PSD) therefore created a handful of new regulated activities in the payments space. These include issuing and acquiring payment instruments, money remittance and providing IT-based payment consent mechanisms applicable to electronic and mobile payment service providers, in practice. Very little definition was given about these new types of activity, therefore, although an existing merchant acquirer knows he is a merchant acquirer; a person with a new business model may struggle to apply the definitions of the PSD, to work out whether he needs a payment institution licence. Sometimes the frontier between 'subject to regulation' and 'outside the scope of regulation' is fuzzy and difficult to place. The situation is not helped as the scope of relevant European Union (EU) law and regulation constantly changes in order to keep up with technological developments. These difficulties also arise with regard to electronic money (e-money).
E-money has been the subject of two Directives. In April 2002, the first e-money Directive took effect in Member States. This set out basic regulatory rules for providers of cash-equivalent payment solutions, such as pre-paid cards. The central idea was that e-money institutions should be regulated in a manner similar to banks and that their business activities should be restricted to reduce risk for customers. The second one, Directive 2009/110/EC, on the taking up, pursuit and prudential supervision of the business of e-money institutions - in short, the new e-money Directive - must be transposed by Member States no later than 30 April 2011. The new Directive builds on the foundation of the first one, reinforcing the regulatory regime, but introducing some new ideas. In broad terms, these are:
- e-money institutions can engage in a wider range of payment-related activities, allowing them to compete better with payment institutions and banks in the payment space.
- e-money institutions, such as payment institutions, will have to safeguard funds received in exchange for e-money.
- There are more detailed rules on the terms and conditions applicable to e-money, such as issuance, redeemability and interest.
The impact of the e-money Directive on banks
While the e-money Directive primarily seeks to regulate related activities carried out by organisations which do not hold banking licences, it is also relevant to the banks. Banks and infrastructures provide services to the businesses which are developing the new models for payments, and this can result in a number of questions for the banks such as:
- Does it matter for the bank if its client was not licensed, but should have been?
- Can the bank rely on its client to carry out anti-money-laundering or other due diligence, to the standard needed by the bank to satisfy its own regulatory requirements?
- Will the bank be subject to the PSD or other regulatory requirements in providing services to an e-money institution, a payment institution, or another bank?
- What outsourcing requirements are imposed by the regulators of the bank's clients?
Fortunately for the e-money Directive, there is guidance and help from official sources (see 'related links' below). Firms which may worry that they are walking along a frontier and are unsure whether they have strayed beyond the zone of safety will be able to gain comfort from these.
Lessons learnt from the Crown Currency Exchange case
Even when the frontier is clearly shown on the map, there is a risk that the laws which do apply seem poorly designed. Banks and other payment service providers will wish to understand how the law applies to their competitors, because some types of providers may be able to offer better customer protection than others. As noted above, e-money issuers have to take steps to protect funds received from clients - this rule is similar to one in the PSD, which regulates 'payment institutions'. Unfortunately for some customers, the protection given by the PSD may not be as good as it seems.
Client money and its safety continues to be a major preoccupation with regulators policing the new world of e-money. In the UK there has been a recent case involving a money remittance firm called Crown Currency Exchange, which was registered as a 'small payment institution' (SPI) under the PSD. Banks are different from other types of payment service providers - they are 'credit institutions', which means that they are allowed to lend out the money they take on deposit to borrowers. Because a deposit involves credit risk on the bank, banks are subject to stringent prudential regulatory requirements. In contrast, payment institutions are restricted in the type of business they can do and are normally required to protect their clients' money from loss, particularly in the event of the institution's insolvency.
The Crown Currency Exchange case involved a payment institution which coupled its money remittance service with a foreign exchange service. The Crown Currency Exchange took clients' funds, promising them a long-term fixed currency exchange rate. Unfortunately, the firm's gamble on exchange rates was a bad one and the firm went into insolvency. As the Crown Currency Exchange was only an SPI, it did not have to segregate client funds, and the customers lost their money. Press reports indicate that 13,000 customers were affected, losing up to 10,000 UK pounds each. The UK Financial Services Authority (FSA) said: "If a firm is registered as an SPI, we monitor how it conducts its payment services activities, such as making sure it transfers funds in a timely manner and discloses its charges for payment services clearly to customers. We are not able to check other parts of an SPI's business, like its solvency or how it conducts business that does not involve a payment service. An SPI will not be covered by the Financial Services Compensation Scheme (FSCS) and the obligation in the [PSD] to safeguard customer funds does not apply to them (though an SPI may choose to safeguard customer funds). You should check a firm's entry on our Register before using its services to find out whether you are protected by the FSCS if things go wrong" (see also 'related links' below).
What this case shows is that even regulated payment institutions can expose their clients to risk. We can expect the border guards to be increasingly vigilant as more firms seek opportunities in the financial services sector and as new business models are rolled out. Banks and established payment service providers may be able to find opportunities by offering established systems and controls to the newcomers to help them avoid the pitfalls, and to complement the exciting new technologies with the stability of more traditional platforms.
Dermot Turing is a Partner in the international financial regulatory team at Clifford Chance.
The Financial Services Authority (FSA) is the regulator of the financial services industry in the UK. The FSA makes available the following document: 'The FSA's role under the Electronic Money Regulations 2011 - our approach'.
The SEPA Regulation - A Progress Report. First reactions by European Parliament and Council of the European Union introduce important improvements to European Commission's proposal for a SEPA Regulation
Related article in previous issue:
Happy New Year? Post-crisis EU financial sector reform: the impact of 'Basel III' on payments ( Newsletter, Issue 9, January 2011)
If you would like to comment on this article, please identify yourself with your first and last name. Your name will appear next to your comment. Email addresses will not be published. Please note that by accessing or contributing to the discussion you agree to abide by the EPC website conditions of use.