My response to HM Treasury consultation on Implementing PSD2


By email to PSD2consultation@HMTreasury.gsi.gov.uk

16 March 2017

Response to HMT Consultation on Implementing PSD2

Simon Deane-Johns [1]
Consultant Solicitor, Keystone Law

[1] The writer is responding to this consultation on the basis of 20 years’ experience as a lawyer advising on retail payment services and e-commerce, including as General Counsel at Earthport (1999-2001), a legal consultant to Amazon.com (2008-2010) and WorldPay (2011-2012) and as external counsel to a range of payment institutions, e-money institutions, merchants and technical service providers since 2012. He is the author of various articles charting the progress of PSD2 for Society for Computers and Law. For more details see: www.keystonelaw.co.uk/lawyers/simon-deane-johns. His views are based on his own general knowledge and experience, and not those of any client.

Question 1: Do you agree with the government’s proposed approach to implementation of the PSDII? Bearing in mind the maximum harmonising nature of the PSDII, do you think the structure of the regulatory regime will allow the UK’s competent authorities to enforce the regulations in a fair and equal way towards all payment service providers?

While the maximum harmonising nature of PSD2 encourages fair and equal treatment of payment service providers (PSPs), there are certain aspects of the regime that put this at risk:

1. There are many opportunities for PSD2 to be interpreted differently by member states. Some of the more fertile areas for this are explained below. The more uncertainty that prevails, the greater the risk of ‘regulatory creep’ as businesses will either needlessly apply for authorisation, tying up scarce FCA resources; spend time and money making unnecessary alternative arrangements; or cease the potentially regulated activity altogether. The adverse impact on existing businesses, as well as innovation could be severe.

2. In particular, Article 100(4) of PSD2 provides that in the event of an infringement or suspected infringement of transparency and conduct of business rules, the relevant competent authorities shall be those of the home member state of the provider, except for the agents and branches set up in exercise of the PSP’s right of establishment, where the competent authority is that of the host member state. While an activity that falls within scope of PSD2 can be ‘passported’, there is no way to 'passport' a favourable interpretation relating to scope or the applicability of an exclusion to other member states. This raises the possibility (and from experience under the PSD, the likelihood) that:

   a. a PSP’s consistent offering across the EEA may be subject to different derogations available to member states under PSD2 among home and host states;
   b. home and host states may differ in their interpretation of scope, exclusions or exemptions [2] and how regulatory technical standards may be complied with [3], for example, based on differing views as to which activities are:

      i. out of scope of PSD2 (e.g. whether the payment activity is even carried on by way of business [4]; bill payment service providers [5]);
      ii. out of scope, but subject to a PSD2 requirement (e.g. a currency conversion service);
      iii. in scope, but exempt (e.g. limited networks, commercial agents and technical service providers);
      iv. in scope, but subject only to some form of notification or registration requirement (e.g. ‘exempt’ large limited networks);
      v. in scope and partially regulated, subject to certain thresholds or conditions;
      vi. in scope and fully regulated.

3. Despite Brexit, UK-based e-money and payment institutions which offer their payment services in the EEA will want to continue to support those from the UK, and vice versa. In the face of uncertainty, firms would be well advised to assume there will be no passporting between the UK and the EEA, because the implications of mistakenly assuming there will be passporting are profound. Such firms could address the risk of no passporting by setting up an authorised entity based in an EU country to passport its activities in the EEA; and granting a license to the EU-based ‘hub’ entity for a ‘white label’ version of the service; and/or use the UK business operations to support the ‘hub’ entity’s EEA offerings. It follows that any divergence between UK and EU payment services regulation that requires different features or structures would tend to undermine firms’ ability to mitigate the impact of Brexit.

4. There are inconsistencies in the scope of exclusions and how the recitals to PSD2 suggest they have been targeted. In particular, the third party sales activities of ‘e-commerce platforms’ and telecommunications service providers are structured in a similar way, yet the narrowing of the commercial agents exclusion is aimed at regulating ‘e-commerce platforms’; while telecommunications providers benefit from a specific exclusion (although this may be narrower than such providers realise). [6]

6. Do you agree with the government’s interpretation of the limited network and commercial agent exclusions? Which business models do you think may now be brought into scope that were previously exempt?

Limited network exclusion:

1. The government has not explained its view of every aspect of this exclusion that is open to interpretation, some of which are addressed below. This is a difficult task for the government (and the FCA), but failure to do so would leave unregulated businesses, in particular, facing a considerable degree of uncertainty. The more uncertainty that prevails, the greater the risk of ‘regulatory creep’ as explained in answer to Question 1.

2. Not only does PSD2 alter the scope of this exclusion, but large limited networks [7] are subject to a notification requirement and the FCA’s obligation to then decide whether or not they are exempt, with no transition period to explore alternative methods of supporting the scheme if the exclusion is held not to apply.

3. So, businesses with large loyalty schemes, store card programmes etc. need to consider now whether the relevant activities will be covered by the revised limited network exclusion in January 2018 and, if not, whether they should outsource the operation of the programme to an authorised firm (or the agent of one) or seek their own authorisation [8] (or agency registration). Ultimately, they might restructure the scheme to fit the exclusion, or shut it down altogether.

[2] PSD2 and draft PSRs refer to the ‘negative scope’ activities as ‘exclusions’, which were generally known as exemptions under the PSD; and ‘waivers’ that were available under the PSD as “exemptions”.

[3] The UK seems to be requiring adherence to the Open Banking API Standard as the means of complying with the European Banking Authority’s regulatory technical standards, for example, when other national standards may be adhered to by systems used by the UK establishments of PSPs whose group systems are based in other EEA member states. Perhaps the Open Banking API Standard accommodates compliance with such other standards?

[4] FCA guidance states (at PERG 15.2, Q.9) “…Simply because you provide payment services as part of your business does not mean that you require authorisation or registration. You have to be providing payment services, themselves, as a regular occupation or business to fall within the scope of the regulations. Accordingly, we would not generally expect solicitors or broker dealers, for example, to be providing payment services for the purpose of the regulations merely through operating their client accounts in connection with their main professional activities.” This distinction is particularly critical in the context of the limited network and commercial agent’s exclusions, for example, as well as payment initiation and account information services (as explained below).

[5] Bill payment services enable a customer to pay a supplier's bill by paying a third party, e.g. at the till in a local shop. The FCA has said these services are not caught by the PSD, so long as the customer's payment to the third party discharges the customer's obligation to pay the supplier. In other words, in such a scenario the third party is the 'payee' or intended recipient of funds, not the supplier. But the PSD2 instructs EU member states to treat these services as 'money remittance', unless they are treated as part of some other type of regulated payment service (recital 9). There is no word, yet, on whether or how the UK plans to deliver on this edict, which is critical to deciding which option existing providers should choose in the event their services are ruled in scope.

[6] See recitals 11, 15 and 16; and paragraphs 2(b) and 2(l) of Part 2 of the draft PSRs. The term “digital content” is defined as “goods or service which are produced and supplied in digital form, the use or consumption of which is restricted to a technical device and which do not include in any way the use or the consumption of physical goods or services”. This definition seems very narrow in the context of smart devices, the Internet of Things (e.g. the connected home) and smart contracts, raising questions as to what is meant by “allow the use” of a physical device or item and “consumption” of services.

[7] Where “the total value of payment transactions executed through such services provided by the service provider in any period of 12 months exceeds 1 million euros”

[8] The timing of the UK transposition process and the time required to prepare an application suggests the authorisation option has already expired.
4. Guidance on whether the exclusion applies under PSD2 will need to be far more detailed than for the local network exclusion under the PSD. [9] The Treasury and the FCA will need to explain how they plan to communicate awareness of the notification requirement and how they will administer the related notification process, including whether pre-clearances will be possible during 2017, for example, given the lack of any transition period should the FCA conclude that the exclusion does not apply.

5. The starting point for any guidance should be whether the relevant business is within the scope of PSD2 at all. As the FCA has indicated in relation to the PSD, “simply because you provide payment services as part of your business does not mean that you require authorisation or registration. You have to be providing payment services, themselves, as a regular occupation or business to fall within the scope of the regulations.” [10] It is arguable that a retailer’s gift card and loyalty ‘points’ arrangements are part of its wider retail activities and not operated as a means of ‘payment’. If an activity is out of scope of PSD2, then the limited network exclusion will be irrelevant. Independently operated loyalty programmes with multiple participating retailers seem more likely to fall within the scope of PSD2 (and the second electronic money directive (“EMD2”)), and would therefore need to consider whether an exclusion applies.

6. The limited network exclusion (or “exclusion”) under PSD2 (Part 2(k) of Schedule 1 of the draft PSRs) is for the following activity (with areas of uncertainty underlined):

   "services based on specific payment instruments that can be used only in a limited way, that meet one of the following conditions:
   (i) instruments allowing the holder to acquire goods or services only in the premises of the issuer or within a limited network of service providers under direct commercial agreement with a professional issuer [not defined];
   (ii) instruments which can be used only to acquire a very limited range of goods or services;
   (iii) instruments valid only in a single Member State provided at the request of an undertaking or a public sector entity and regulated by a national or regional public authority for specific social or tax purposes to acquire specific goods or services from suppliers having a commercial agreement with the issuer."

7. Some guidance as to what is meant by 'limited' or 'very limited' is to be found in the relevant recital to PSD2, but it is still not clear what is meant (again the uncertain aspects are underlined):

   "Instruments which can be used for purchases in stores of listed merchants should not be excluded from the scope of this Directive as such instruments are typically designed for a network of service providers which is continuously growing."

Commercial agents’ exclusion

1. PSD2 narrows this exclusion to apply only to transactions where the commercial agent is acting on behalf of either the payer or the payee. The government has said that it “expects that a number of ‘platform’ business models which match buyers and sellers for goods and services are unlikely to benefit from the new exclusion”.

2. Again, however, the ‘business test’ is critical. Numerous businesses operate client accounts under various regulatory regimes as an adjunct to their businesses, including accountants, law firms and numerous types of financial services regulated by the FCA; as well as those relating to rental bonds and so on. There may or may not be agency relationships involved.

3. “Platform business models” are no different to the examples cited in the FCA guidance [11], since the payments aspect is usually just an ancillary step in a much wider set of services and business processes that are nothing to do with making payments. In fact, they are even less likely to be ‘payment services’ where a party to a transaction on the platform discharges the obligation to pay the counterparty under the terms of the transaction by paying the platform operator. There is also a great deal more functionality and a wider set of business operations involved in a typical retail or e-commerce ‘platform’ than any that merely facilitate payment: extensive contractual and operational arrangements with suppliers; features that catalogue and display data about items for sale; enabling consumers to conduct data searches for items; enabling consumers to read and write product reviews; ensuring compliance with advertising regulation and rules concerning prohibited items; providing delivery information; enabling order tracking; and facilitating or carrying out wholesale and retail warehousing, distribution and delivery. These activities are far more significant aspects of operating an e-commerce service than merely facilitating the transfer of payment data or the resulting disbursement of proceeds to merchants or suppliers. Indeed, the acceptance of payment for items reflects the need to set-off fees owed by merchants and suppliers for services provided to them by the platform operator.

4. Such treatment of e-commerce platforms is also inconsistent with the exemption afforded for transactions that are performed from or via an electronic device and charged to the related service bill for either the purchase of tickets or 'within the framework of charitable activity'; or which involve the purchase of digital content and “voice-based services” on a public telecommunication network being charged to users’ phone bills, which previous drafts of PSD2 conceded are merely “ancillary services to electronic communications services (i.e. the core business of the operator concerned).”

[9] The limited network exclusion under the PSD applies to services based on instruments that can be used to acquire goods or services only: (a) in the premises used by the issuer; or (b) under a commercial agreement with the issuer either (i) within a limited network of service providers or (ii) for a limited range of goods or services (my numbering).

[10] See footnote 1.

[11] See footnote 1.
5. Accordingly, ‘platform business models’ whose main regular occupation or business is not providing payment services and where the payment step is merely ancillary to a much wider business offering should generally be seen as falling outside the scope of PSD2 altogether, making the applicability of the commercial agents’ exclusion irrelevant.

Question 9: Do you agree with the approach to continue to exercise the SPI exclusion, with the same conditions as under the PSD?

Yes

Question 10: Do you agree that the government should extend the right of termination to overdrawn current accounts?

Yes

Question 11. Do you agree that the Title III provisions should continue to apply to transactions involving micro-enterprises in the same way as those involving consumers?

Yes

Question 12. Do you agree with the government’s proposal to maintain the thresholds set for low-value payment instruments in the PSRs?

Yes

Question 13: Do you think PSPs should be required to provide monthly statements to payers and payees?

PSPs should be able to provide monthly statements to payers and payees either on paper or another durable medium, at the PSP’s option.

Question 14: Do you agree with the government’s proposal to provide access to out-of-court procedures (in the form of the FOS) only where the complainant would usually be eligible to refer a complaint to the FOS?

I agree with widening the remit of the FOS from a “micro-enterprise” threshold to a “small business” threshold. Only major businesses really have any bargaining power with their payment services providers.

Question 15: Do you agree that the prohibition on surcharging should be limited to payment instruments regulated under Chapter II of the IFRs?

Yes

Question 16: Do you agree with the proposal to maintain the thresholds set for low-value payment instruments under the PSRs?

Yes
Question 17: Do you agree with the proposed approach to consent, authentication and communication?

This is a very complex question that cuts across numerous aspects of PSD2, including the use of personal data; and the nature and scope of payment initiation services, account information services and the technical service providers’ exclusion.

Data protection

1. Under Article 94(2) of PSD2, PSPs should only be able to access, process and retain personal data for the provision of payment services, with the explicit consent of the payment service user. However, this should be read as subject to article 94(1) and the rights of use for data controllers to carry out certain necessary processing uses available under the Data Protection Act 1998 (“DPA”) and the equivalent provisions under the General Data Protection Regulation in due course [12]:

   • for the performance of a contract to which the data subject is a party, or (b) for the taking of steps at the request of the data subject with a view to entering into a contract (para 2, Sched 2, DPA);
   • for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract (para 3, Sched 2, DPA);
   • in order to protect the vital interests of the data subject (para 4, Sched 2, DPA);
   • either…(b) for the exercise of any functions conferred on any person by or under any enactment,… or (d) for the exercise of any other functions of a public nature exercised in the public interest by any person (para 5, Sched 2, DPA); or
   • for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject (para 6, Sched 2, DPA),

   and similar rights relating to the processing of sensitive personal data.

Strong Customer Authentication:

2. Regulation 100(1) of the draft PSRs requires PSPs to apply "strong customer authentication" where (among other things) "a payment service user... directly or through an account information service provider (a) accesses its payment account online; [or] (b) initiates an electronic payment transaction…." (which presumably could not be done via an AISP).

3. This begs the question, in particular, as to how each type of payment transaction is initiated, and there is considerable uncertainty and scope for differing interpretations here, as discussed in answer to Question 19.

4. While distinctions concerning how payments are initiated and by whom might seem to matter less in the context of security measures to be adopted by PSPs - since everyone is interested in reducing financial crime - it is absolutely critical in the context of software and services that contribute in any way to payments being "initiated" and whether the suppliers or users of such software and services must be authorised as "payment initiation service providers" or perhaps even as the issuers of payment instruments. The same can be said for technical service providers in the context of account information services. In both cases, this will in turn affect the scope of the technical service providers’ exclusion, also discussed in answer to Question 19.

Question 18. Do you agree with the information and payment functionality that will be available to AISPs and PISPs?

This is not possible to assess, due to the government’s overly broad interpretation of the nature and scope of these activities. Please see the answers to Question 19.

Question 19. Do you agree with the government’s interpretation of the definition of AIS and PIS?

Sadly, no, as the government’s interpretation of the definition of these activities is overly broad. That may be consistent with a policy intent to increase the range of firms who can access bank payment systems, but it will impose a disproportionately high regulatory burden and related legal and compliance costs on firms whose regular occupation or business is not that of carrying on such activities, except perhaps as minor ancillary steps in the context of other types of business. To treat the proposed wide variety of firms as within the scope of PSD2 in a way that makes them ineligible for the technical service providers’ exclusion, would have far reaching consequences for smaller firms, in particular, and for innovation and competition generally in many industries - not to mention overwhelming the FCA’s scarce resources.

The Technical Service Providers’ Exemption

1. Under the current PSD, the ‘technical service provider exclusion’ applies to firms that provide various technical services which support the provision of payment services, so long as they do not enter into possession of any funds to be transferred. But under PSD2 that exclusion will not apply where such a firm also provides a payment initiation service (“PIS”) or account information service (“AIS”).

   “services provided by technical service providers, which support the provision of payment services, without them entering at any time into possession of the funds to be transferred, including processing and storage of data, trust and privacy protection services, data and entity authentication, information technology (IT) and communication network provision, provision and maintenance of terminals and devices used for payment services, with the exclusion of payment initiation services and account information services.” [13]

2. It is clear from the words “which support the provision of payment services” that (a) by implication, the scope of PSD2 is only intended to cover firms whose regular occupation or business is the provision of any type of payment service (including a PIS or AIS); and (b) the exclusion is available to other firms who provide the specified technical services to the first set of firms, but do not themselves handle funds or have as their own regular occupation or business the provision of an AIS or PIS.

[12] Article 6(1) and 9(2), in particular.

[13] Paragraph 2(j) of Part 2 of Schedule 1 of the proposed regulations
Payment Initiation Service

3. The decision to regulate "payment initiation services" is said to have resulted from the popularity of services that enable you to pay for online purchases by making a bank transfer (see recital 27 and the Commission's FAQs 18, 21). Accordingly, it appears that the German authorities are interpreting the scope of this service to apply only to the online initiation of bank transfers and they claim to have only one payment initiation service provider (“PISP”) – presumably SOFORT GmbH. Yet the UK government has adopted a broad definition of "payment initiation service"; and wishes to insist that users will have the right to use payment initiation services in connection with “all online payment accounts, including current accounts, credit card accounts, savings and e-money accounts” (paras 6.22, 6.23 and 6.27 of the consultation paper) without being clear as to how a PIS might manifest itself in the context of those other types of account.

4. On its face, the definition of "payment initiation service" in article 3 of PSD2 appears to cover any payment method: “a service to initiate a payment order at the request of the payment service user with respect to a payment account held at another payment service provider.” Note also, that a "payment instrument" is defined as "a personalised device(s) and/or set of procedures agreed between the payment service user and the payment service provider and used in order to initiate a payment order" (see next section).

5. Yet there is no definition of “initiate a payment order” in PSD2 and different payment methods comprise different processes, actors and events. So it becomes a factual matter as to what constitutes the relevant activity. In this regard, it seems logical to consider:

   a. which type of payment method or instrument is being used;
   b. which of potentially several payment orders is involved;
   c. which payment account each order relates to;
   d. which payment service user is making the request to initiate the relevant payment order;
   e. which element of which service actually initiates that payment order;
   f. whether the payment initiation feature is a service offered by way of business in its own right;
   g. who offers that service; and
   h. to whom.
  10. 10. 10 SEL 4.3 As the European Banking Authority (“EBA”) has pointed out, even within the payment initiation process, however, there may be technical service providers who support the process but are not responsible for the "payment initiation service" that initiates the relevant payment order.14 6. Different PSPs might also structure the same type of payment method differently (and there may be scope for differing interpretations of the relevant facts). The use of payment cards provides a good example, as discussed further below, given the difference between four party and three party schemes; different payment accounts involved depending on whether the card is a debit card or credit card; and different payment transactions involved with different payer/payees, none of which might actually involve a card payment at all. E-money accounts also come in different varieties, with some e-money issuers only offering customers the ability to pay using prepaid debit cards, while others allow customers to only pay using their e-wallets, and some offer both methods; and various different payment methods may be used in purchasing and redeeming the e-money. It is unusual for a “savings account” to have any payments capability, as opposed to an interest-bearing current account, for example. By way of illustration, here is a suggested analysis of where a PIS might feature in connection payments involving a four party card scheme: a. 
While PSD appeared to ignore how card schemes actually work15 , PSD2 concedes (at recital 68) that there are (at least) three steps related to a credit card ‘payment’ – (i) pre-authorisation (to check the validity of the card and sufficient funds/credit available); (ii) an initial payment transaction, where the issuer pays the acquirer (which only occurs in four-party card schemes, and involves a complex netting process involving a scheme operator); and (iii) a later payment transaction between the cardholder's bank account and the issuer, to reimburse the issuer). There is a third payment transaction, of course, where the acquirer pays the merchant. But the fact this is not mentioned in the recital underscores why it is misleading to refer to the cardholder as the 'payer' in relation to the merchant and the merchant as the cardholder’s intended 'payee', since the cardholder clearly intends to pay his card issuer, rather than the merchant. b. Accordingly the cardholder could not have initiated any of the actual payment orders that relate to the two or three payment transactions that are involved in the use of a payment card. Recital 68 sidesteps this critical issue by stating that the "use of a card or card-based instrument... triggers" the whole payment flow, and article 65(2)(b) refers to a scenario where: 14 The EBA’s regulatory technical standard for security of online payments refers to "payment integrators" as firms who "provide the payee (i.e. the e -merchant) with a standardised interface to payment initiation services provided by PSPs": https://www.eba.europa.eu/documents/10180/934179/EBA-GL-2014- 12+%28Guidelines+on+the+security+of+internet+payments%29_Rev1 15 Which the FSA and FCA tried to accommodate in Annex 5 of the Approach document. 
The card scheme process was described by the Court of Appeal in Lancore Services v Barclays Bank plc [2010] 1 All ER 763 (per Rimer LJ); and paragraphs 2.9 and 2.10, Part II of the Joint Money Laundering Steering Group guidance (http://www.jmlsg.org.uk/jmlsg-guidance/part-i-part-ii-part-iii-and-treasury-ministerial-approval).
"the payer has initiated the card-based payment transaction for the amount in question using a card based payment instrument issued by the payment service provider". "Payer" is defined to mean either "a natural or legal person who holds a payment account and allows a payment order from that payment account, or, where there is no payment account, a natural or legal person who gives a payment order.” But "allowing" and “giving” are not the same as "initiating" and factually the cardholder is only a party to the second payment transaction mentioned in recital 68.

c. Accordingly, in these circumstances, payment initiation would seem to have occurred as follows:
   i. As to the first payment transaction (between issuer and acquirer in a four-party card scheme), the relevant payment order is likely initiated by the issuer, as payer, requesting a bank transfer to the card scheme operator as payee; and then by the scheme operator as payer by initiating a bank transfer to the acquirer or the acquirer’s PSP;
   ii. As to the second transaction, between cardholder and issuer, it would depend on whether the payment is made by a bank transfer (initiated by means of payment order from the cardholder as payer via his bank to the issuer’s account) or a direct debit (initiated by means of a payment order from the issuer as payee under the direct debit scheme); and
   iii. As to the third transaction, between acquirer and merchant, by the acquirer initiating a bank transfer by payment order to its bank (or from its own system, if the acquirer is a bank in its own right), although it is possible that in each case the initiation of the payment order is carried out using a feature provided by a third party (“payment initiation service provider”).

7. Clearly, it is critical that all stakeholders are clear as to the facts in each case before concluding whether a payment initiation service is being offered.

Issuing Payment Instruments

8. Allied to “payment initiation services” is the process of issuing the instruments used to initiate payment orders. PSD2 defines a "payment instrument" as "a personalised device(s) and/or set of procedures agreed between the payment service user and the payment service provider and used in order to initiate a payment order.” The activity of “issuing of payment instruments” is defined as “a payment service by a payment service provider contracting to provide a payer with a payment instrument to initiate and process the payer’s payment transactions.” The term “co-badged” is defined as “in relation to a payment instrument, refers to an instrument on which is included two or more payment brands, or two or more payment applications of the same payment brand.” The availability of “co-badged card-based payment instruments” triggers the need to provide certain information under the Merchant Interchange Fee Regulations.

9. Of course, a typical online merchant 'checkout' page or process usually displays a list of at least several ways a customer may pay for selected items, whether that is by way of two or more payment brands or applications of the same brand. To some extent the page is personalised by reference to the specific buyer and the selected item(s). These pages may be hosted by a regulated PSP, an exempt 'technical service provider' or 'gateway', and sometimes by the merchant itself. At some level the PSP(s) acting as acquirers and those whose payment methods are available on the checkout might be taken to have implicitly agreed with both the merchant and other payment service users that certain payment instruments can be used where certain logos are displayed by following the relevant procedures; and perhaps payment initiation will occur via a service available on the checkout, with some degree of data processing involved. Yet the typical merchant is not itself in the business of issuing payment instruments or providing other payment services, and guidance should make it clear that the merchant is only in scope of PSD2 as a “payee” (or “payer” in the case of refunds, compensation payments etc.) or a “payment service user”, rather than as the issuer of a payment instrument.

10. Similarly, a merchant’s checkout page or process should not be interpreted as a payment initiation service, nor is that typically the regular occupation or business of a merchant.

11. It is conceivable, perhaps, that a merchant might otherwise act as a technical service provider in transmitting its own payments data to an acquirer rather than relying on a ‘gateway’ service provider.
But if that is to be suggested, then it should be made clear in guidance that the fact the merchant ultimately receives funds does not prevent the merchant relying on the technical service providers’ exclusion, since by the time the funds are received they are simply funds owed to it in satisfaction of a debt owed by the acquirer, and not “funds to be transferred”.

12. There is now little time for retailers and their service providers to decide whether checkout pages or processes are caught and, if so, whether to outsource the hosting of the checkout process to a duly authorised firm or its agent, restructure the checkout process or the entity/ies that hosts or operates it, or become authorised or the agent of an authorised firm. Any guidance on the topic, however, would need to address the following:
• which type of payment transaction or method is involved in the relevant scenario, and who is the relevant PSP, payer and payment service user?
• is the checkout process/page a "personalised device"; or "personalised set of procedures agreed between" the customer and the merchant acting as a payment service provider?
• if so, is the checkout process/page used "in order to initiate a payment order" or “to initiate [and process] the relevant payment transaction(s)”?
• finally, how much processing would a merchant have to do to fall within the meaning of "initiate and process the payer's payment transactions"? In other words:
   o when does that processing begin and end;
   o what steps/participants are involved;
   o what is the nature and degree of the processing (e.g. does it send transaction data to a payment gateway, acquirer or other type of payment service provider or somehow directly result in the debit of a payment account?);
   o is the merchant acting merely as a payee or payment service user?

Account Information Service (“AIS”)

13. The Treasury has copied the definition of this activity from PSD2: ‘account information service’ means an online service to provide consolidated information on one or more payment accounts held by the payment service user with either another payment service provider or with more than one payment service provider (article 4(16)) - [my emphasis] – but has added: "and include such a service whether information is provided— (a) in its original form or after processing; (b) only to the payment service user or to the payment service user and to another person in accordance with the payment service user’s instructions" [which do not appear in PSD2]

14. PSD2 requires that the AIS provider (“AISP”) should be granted access by the account service provider to the same data on the payment account as the user of that account (para 6.25). Yet the government believes that a firm will be considered an AISP even if it only "uses" some and not all of that account information to provide "an information service" (para 6.28).

15. It seems that the concept of “uses” is overly broad, as is the concept of any “information service”, as opposed to an “account information service”.
There is also no reference to the need to consider whether the service in question constitutes the provider’s regular occupation or business, in which case it could be an AIS; or whether it is merely ancillary to the provider’s main activity, in which case it should not be an AIS. This is evident from the list of services that the government believes are among those that may constitute AISs (using italics for services that should not constitute AISs under the business test):
“….
• dashboard services that show aggregated information across a number of payment accounts;
• price comparison and product identification services;
• income and expenditure analysis, including affordability and credit rating or credit worthiness assessments; and
• expenditure analysis that alerts users to consequences of particular actions, such as breaching their overdraft limit.
The services could be either standardised or bespoke, so might include accountancy or legal services, for example” (para 6.30).

16. Some other key points to consider include:
a. does it matter to whom the account information service is provided? The additional wording seems to suggest that the 'payment service user' must be at least one recipient of the information, but does that mean the payment service user of the payment account or the person using the account information service? In other words, is there an AIS where the recipient of the information is not the actual accountholder (e.g. a trustee, adviser, guardian etc.)?
b. what does “online service” really mean? What elements of the end-to-end process of obtaining and providing the account information have to be “online”?
c. little seems to turn on the word "consolidated", since the Treasury says a firm only needs to use some of the information from the payment account to be offering an AIS, and it could be from only one payment account. For instance, what if a service provides a simple 'yes' or 'no' to a balance inquiry or request to say whether adequate funds are available in an account, and that 'information' or conclusion/knowledge is not drawn from the payment account itself, but merely based on comparing the balance with the amount in the customer's inquiry or proposed transaction (e.g. authentication or confirmation under article 31(1)(c) of the EBA regulatory technical standards on strong customer authentication)?
d. the payment account that the information relates to must be 'held by the payment service user' with one or more PSPs, so presumably this would not include an online data account or electronic statement that shows the amount of funds held for and on behalf of a client in a trust account or other form of safeguarded or segregated account which is in the name of, say, a law firm or an investment firm;
e. it seems impossible for the relevant data to be provided in its 'original form', since data is arguably processed in some way when merely passing from the account service provider’s system to the AISP’s system. Applying the business test, providers of personal data stores or cloud storage services, for example, are in the business of providing storage services for any type of data or back-ups for later access, rather than providing a specific ‘payment account information’ service;
f. what is meant by 'after processing'? For instance:
   i. it may not be clear that a firm is providing information 'on a payment account', as opposed to the same information from another type of data account;
   ii. does this mean each data processor in a series of processors is providing an AIS to its customer(s) or does interim processing 'break the chain' so that the next processor can say that the information was not 'on a payment account' but came from some other service provider's database (whether or not it was an AIS), such as a credit reference agency?
   iii. what about accounting/tax software providers who calculate your income and expenditure by reference to payment account information but may not necessarily display or 'provide' the underlying data? Again, applying the business test, the inclusion of figures for bank account interest income (if any) in a tax return, for example, should not of itself mean that an accounting firm or accounting software provider that is preparing or filing the tax return is in the business of offering an AIS.

Acquiring of payment transactions

17. The regulated activity of "acquiring of payment transactions" is now defined to mean: “a payment service provided by a payment service provider contracting with a payee to accept and process payment transactions, which results in a transfer of funds to the payee;” Yet it is not clear whether the transfer of funds needs to come from or on behalf of the payment service provider in question, or whether the payee need only receive funds from a third party as a result of the service provided. It is also important to note that a consumer could be a relevant “payee” in this context e.g. if a firm were to enable them to receive a refund, withdrawal or other transfer of funds to their payment account.
It should be made clear that a PIS or the issuing of a payment instrument (or indeed a gateway or other technical services that support a payment service) would not be construed as acquiring, even though they each might be said to eventually result in a transfer of funds to a payee.

Question 20: What services are currently provided that you think may be brought into scope of the PSDII by the broad reading of the definition of AIS and PIS?

Please see the answers to Question 19.
