In practice, due to the architecture of the VOP scheme and its API, adherence by non-EEA PSPs (apart from the case of a non-EEA SCT/SCT Inst scheme participant parent adhering to the VOP scheme to cover their EU/EEA branches) is at present not possible.
This is based on the following:
- All EPC schemes have as ‘default’ geographic scope “SEPA”, in line with the EPC’s mission, as outlined under the EPC by-laws. Since 2006 the EPC has been expanding the remit of applicability of parts of the SEPA Regulation (through the Criteria for the expansion of SEPA) beyond the regulation constitutional scope (“rules for credit transfer and direct debit transactions denominated in euro within the Union where both the payer’s payment service provider and the payee’s payment service provider are located in the Union [...]”) to foster harmonisation within a broader (economic) area.
- With specific reference to the Article 5c VOP obligations, and their link with existing and future SEPA-based SCT/SCT Inst scheme participant PSPs (hence including non-EEA SEPA PSPs):
- VOP obligations are indeed a mandatory requirement only for Euro payments between PSPs located in the EU/EEA – as per the SEPA Regulation scope.
- In line with the EU Commission IPR Clarifications on the location criteria, EU/EEA branches of PSPs located outside of the EU/EEA are required to comply with VOP obligations as well, when exchanging Euro (instant) credit transfers.
- Within SEPA, this will be the case of non-EEA SEPA based SCT/SCT Inst scheme participants (such as UK/CH PSPs) having branches in the EU/EEA. As not all of these branches enjoy an autonomous legal status, the only possible way for these branches to adhere to the VOP scheme, to comply with the regulatory requirements, would be through their e.g., UK/CH parent companies. In this case, the reachability paths of the EU/EEA branches will be managed at the level of the EPC Directory Service (EDS) by their parents (formally scheme adherents). In the EDS, the EU/EEA branches for which VOP-scheme based exchanges are supported will be clearly identified.
- Based on a legal analysis by the EPC it was concluded that:
- participation of non-EEA SEPA PSPs to the VOP scheme for EEA/non-EEA exchanges should remain voluntary, and subject to further feasibility and legal considerations;
- as Article 5c requirements are entirely transposed in the VOP scheme Rulebook, adherence to the scheme (i.e., the multilateral-contract) would in principle ensure applicability of equivalent requirements between EEA and non-EEA SEPA-based PSPs. With specific reference to the GDPR, contractual necessity could be invoked as basis for processing, especially between EU/EEA PSPs and PSPs located in non-EEA SEPA geographies to which the EU has already granted data protection adequacy decisions (UK, Crown Dependencies, Switzerland, Andorra);
- However, first the operational and technical set-up of such EEA/non-EEA VOP scheme-based exchanges needs to be analysed and described, before the EPC is able to finalise the legal assessment, including on data protection profiles.
- Since the beginning of this year, the EPC took up this feasibility assessment, which so far highlighted the following:
- the VOP APIs technical specifications and the API Security Framework require the obtainment and use of QWAC PSD2 certificates to exchange VOP-scheme based requests. This type of certificate may only be obtained in the EU/EEA and there’s currently a lack of reciprocity in the exchange and recognition of equivalent certificates between PSPs located in the EU/EEA and outside (and specifically looking at UK and CH, as geographies possibly interested in joining the VOP scheme).