20190131 - Presentation Q&A on legislation's influence (on travel management)

Presentation given at the event organised by ACTE and BATM on 31 January 2019, addressing a few questions on the payments legislation that are relevant for travel and expense managers.

Published in: Education

  1. 1. EU legislation’s impact on the payment landscape Brussels Education Forum – 31 January 2019 Tommy Vandepitte Data Protection Officer (ext) Note: personal views, no legal advice
  2. 2. Legislation with an impact Anti-Money Laundering • 4th AML Directive 2015/849 • Reg. 2015/847 (payment info) • 5th AML Directive 2018/843 (2020) • Act 18 September 2017 • RD 14 August 2018 Payment Services • IFR 2015/751 • PSD2 2015/2366 • Book VII, T 3 ELC Data Protection • GDPR 2016/679 • Dir. 2016/680 • Act 30 July 2018 • Act 3 December 2017 (DPA) • Act 5 September 2018 (info committee)
  3. 3. Approach Which questions might users of (card) payment systems have in relation to recent or (near) future regulation?
  4. 4. Will 2019 regulation impact pricing of card payments? IFR
  5. 5. Short answer Likely.
  6. 6. Pricing • Non-client facing revenue • Interchange fee • Non-commercial cards (art. 3-5 IFR) • Commercial card (review in 2019) 9/12/2015 2018 max. 0.2% (credit: 0.3%) 97-99 100 Scheme Processor • Client facing “revenue” • Card fee (= generic) • Transaction based fees • Foreign exchange • Cash withdrawal (/ ATM cost) • Administration related • Manual handling • Collection cost • Late payment / insolvency • Subsidies by cross-sold services
  7. 7. What is it: are surcharges allowed or not? IFR and PSD2
  8. 8. Short answer No.
  9. 9. Surcharges • Prohibition to surcharge (art. 62 §4-5 PSD2) • Never allowed • for cards that have a limited interchange fee (art. 3-4 IFR) [this, among others, still allows surcharges for commercial cards] • For credit transfer and direct debit transactions in euro between two PSPs established in the EU • Member states can decide to broaden the prohibition (“goldplating”) • Belgium decided to goldplate and to prohibit all surcharging (art. VII.30§3 ELC, in force since 9 August 2018) • Beyond that: steering per se allowed (art. 11§1 IFR and 62 §3 PSD2) • by offering a discount • by charging a surcharge in cases where the prohibition does not apply (so for Belgium this never applies), but not exceeding “the direct costs borne by the payee for the use of the specific payment instrument” • by informing the payer of the cost / interchange fee (art. 11 §2 IFR), by asking in a friendly way, etc.
  10. 10. What is it I hear about a UBO-register? AML4
  11. 11. Short answer Belgium has implemented it. First notification required by end of March 2019.
  12. 12. UBO register • Duty for the Board of Directors of each corporation • First registration UBOs: 31 March 2019 • Thereafter: within one month of a change • Via MyMinFin(Pro) [https://eservices.minfin.fgov.be/mym-portal/public/citizen/external_services] • Implementation of AML4 • Act of 18 September 2017 • Royal Decree of 14 August 2018, entry into force 31 October 2018 • Good source: https://financiën.belgium.be/nl/ubo-register
  13. 13. Do I need a “data processing agreement” with my payment service provider? GDPR
  14. 14. Short answer No.
  15. 15. Data protection – Parties (small circle) • Individual card • Corporate card controller Controller (payment) Controller (employer) (exp.man.) data subject data subject data subjects program manager (legal) representative UBO staff processors controllers staff processors controllers
  16. 16. Data protection – Parties (bigger circle) Scheme Processor Issuer acquirer Insurance company Loyalty program expense management platform (for employer) hosting specific applications Authentic sources Commercial DBs website communication support - email campaigns - print campaigns (e.g. statements) physical card creation merchant
  17. 17. Data Protection – employer / PSP Corporation - employer • purpose: expense management, accounting • legitimacy: execution of the agreement? legal requirement? legitimate interest? • transparency: staff privacy statement, corporate card policy, internal card allocation process,… • responsibility: information asset owner, tasks of program manager, expense manager, accounting team, HR, … • security: upload via platform, local storage, internal transfer, … • rights of data subjects: staff rights process Issuer • purpose: AML, underwriting, fraud and risk management • legitimacy: entering into an agreement, legal requirement, legitimate interest • transparency: customer privacy statement, application (and other) forms,… • responsibility: information asset owner, tasks of onboarding team, relationship manager, underwriting team, … • security: download from platform, local storage, internal transfer, … • rights of data subjects: customer / cardholder rights process controller-to-controller: no agreement required
  18. 18. Do I need a “data processing agreement” with the provider of my expense management tool? GDPR
  19. 19. Short answer Yes.
  20. 20. Data flows Issuer expense management platform (for employer) website communication support - email campaigns - print campaigns (e.g. statements)
  21. 21. Data Protection – employer / expense man. Corporation - employer • purpose: expense management, accounting • legitimacy: depending on the data set received • execution of the agreement? legal requirement? legitimate interest? • consent • transparency: staff privacy statement, corporate card policy, internal card allocation process,… • responsibility: information asset owner, tasks of program manager, expense manager, accounting team, HR, … • security: access and download via platform, local storage, internal transfer, agreement with processor, … • rights of data subjects: staff rights process Expense management tool • Selection: should provide “sufficient guarantees” • Agreement: • purpose: must respect it • legitimacy: n/a (controller’s responsibility) • transparency: n/a (controller’s responsibility) • responsibility: information asset owner, tasks of maintenance team, developers, … • security: generic clause or minimum level • support the controller: DPIA, security, data breach notification, data breach communication, rights of data subjects • Own obligations • data processing records (art. 30 §2 GDPR) • security: access rights for staff, do not use production data for test, network security, etc. … [note: art. 32 GDPR] • data breach: notification of controller (art. 33 §2 GDPR) • Follow up to be done by controller on a risk-basis (e.g. ISO27000 certification) controller-to-processor: agreement required (art. 28 §3 GDPR)
  22. 22. Is virtual currency the next big thing for global payment? eMoney + AML
  23. 23. Short answer Perhaps, but it is unlikely to be that at the front end in the near future.
  24. 24. The card payment scheme Source: MasterCard Annual Report Scheme • Centralized • Based on “trust”, supported by • Rules of the scheme and supervision (private) • Prudential legislation and supervision (public) • Conduct of business legislation and supervision (public) Processor art. 7 IFR
  25. 25. Virtual currencies • Decentralized • Internet based and thus international since • Not based on trust, but on the process • Distributed ledger • Mining: hashing transactions and adding to the next block • Consensus
  26. 26. Acceptance of means of payment • Currency • Function 1: measure value (<> barter) • Function 2: store value (<> perishable goods) • Function 3: exchange of value (payment) • Fiat currency (must be accepted by the payee) • cash [Note: limited for reasons of fraud and traceability (AML)] • eMoney (Dir. 2009/110, amended) • wire transfer • Cards • Acquiring agreement (with acquirer) • Steering per se allowed (art. 11§1 IFR) • No distinction based on issuer of the card (art. 10§1 IFR) • Virtual currency • Merchant can accept at own risk • Latency of confirmation of a transaction (block length) • Changing virtual currency to fiat currency is not always easy (reluctance of banks) • Virtual currency often considered “financial instrument”
  27. 27. Questions
