European payments regulation, such as the original Payment Services Directive (PSD) of 2007 and the Single Euro Payments Area (SEPA), has already caused significant change within the banking and payment industry. Business models, propositions and customer relationships have all been affected – and more regulation is expected.
PCM considers three areas: the security of internet payments, card interchange regulation and the PSD2.
Security of internet payments
The European Banking Authority’s (EBA) final guidelines on the security of internet payments were published on 19 December 2014. EU payment service providers (PSPs) are expected to implement the guidelines by 1 August 2015 and all EU competent authorities to comply by incorporating the guidelines into their supervisory practices from this date – write Robert Courtneidge and Joyrene Thomas.
The guidelines are based on the recommendations of the European Forum on the Security of Retail Payments (SecuRe Pay). This is a voluntary cooperative initiative set up by the European Central Bank (ECB), comprising relevant authorities from the European Economic Area (EEA), who advise on issues around the security of electronic retail payment services.
The guidelines require that PSPs carry out ‘strong customer authentication’ to verify a customer’s identity before proceeding with an online payment. This is intended to prevent online fraud through both online banking and e-commerce card payment channels.
“The EBA guidelines on internet payments provide the legal basis for achieving a level playing field for all PSPs across the EU,” explained Geoffroy Goffinet at the EBA Consumer Protection Unit.
“Through this piece of work, the EBA looked into supporting the development of e-commerce across the EU, while ensuring proper protection of consumers.”
‘Strong customer authentication’ is a procedure based on the use of two or more of the following elements: something only the user knows (knowledge of a static password or PIN), something only the user possesses (possession of a token, smart card or mobile phone) and something the user is (inherence, such as a fingerprint).
In addition, the elements selected must be mutually independent, so the breach of one does not compromise the other(s). At least one of the elements should be non-reusable and non-replicable (except for inherence), and not capable of being surreptitiously stolen via the internet.
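The definition above expressed as a check over a proposed set of authentication elements, as an added example that is not part of the original article or the EBA guidelines. The `Element` fields, the `breach_domain` model of mutual independence, the reading of the inherence exception and the sample elements are all assumptions made for illustration.

```python
from dataclasses import dataclass

CATEGORIES = {"knowledge", "possession", "inherence"}

@dataclass(frozen=True)
class Element:
    name: str
    category: str             # knowledge | possession | inherence
    reusable: bool            # same value is accepted for more than one payment
    replicable: bool          # can be copied without the user noticing
    internet_stealable: bool  # can be taken surreptitiously via the internet
    breach_domain: str        # assumption: what must be breached to obtain it

def is_anchor(e):
    # Reading assumed here: inherence is exempt from the non-reusable and
    # non-replicable test, but not from the internet-theft test.
    exempt = e.category == "inherence"
    return (exempt or not (e.reusable or e.replicable)) and not e.internet_stealable

def sca_findings(elements):
    """Return the reasons a set of elements falls short; empty list = passes."""
    for e in elements:
        if e.category not in CATEGORIES:
            raise ValueError(f"unknown category for {e.name}: {e.category}")
    findings = []
    if len({e.category for e in elements}) < 2:
        findings.append("fewer than two of knowledge/possession/inherence")
    domains = [e.breach_domain for e in elements]
    if len(set(domains)) < len(domains):
        findings.append("elements share a breach domain, so not independent")
    if not any(is_anchor(e) for e in elements):
        findings.append("no non-reusable, non-replicable, non-stealable element")
    return findings

# Constructed sample elements (not taken from the guidelines).
PASSWORD = Element("static password", "knowledge", True, True, True, "user memory")
PIN = Element("static PIN", "knowledge", True, True, True, "user memory")
TOKEN_OTP = Element("hardware token OTP", "possession", False, False, False, "token")
PHONE_OTP = Element("OTP app", "possession", False, False, False, "phone")
SAVED_PW = Element("password saved on phone", "knowledge", True, True, True, "phone")
FINGERPRINT = Element("fingerprint", "inherence", True, False, False, "user body")

if __name__ == "__main__":
    for combo in ([PASSWORD, PIN], [PASSWORD, TOKEN_OTP],
                  [SAVED_PW, PHONE_OTP], [PASSWORD, FINGERPRINT]):
        print([e.name for e in combo], "->", sca_findings(combo) or "meets the definition")
```

The third combination shows why independence is assessed separately from the category count: two categories are present, but breaching the phone exposes both elements.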
The Financial Conduct Authority in the UK recently updated its position around the security of internet payments. “Many firms already have in place measures for strong customer authentication, and we would remind payment service providers of their responsibility to ensure consumers’ payments are safe and secure. We will be incorporating the detail of the requirements of the Guidelines into our supervisory framework in line with the revised Payment Services Directive (PSD2) transposition timeline.” This indicates that the FCA will not be checking compliance with the guidelines until PSD2 is in force.
Payment card interchange
The multilateral interchange fee (MIF) regulation was passed on 20 April 2015 and will come into force 6 months after it is published in the Official Journal of the European Union.
Overall, there is downward pressure on the interchange paid by the card acquirer to the card issuer each time a card purchase transaction is executed. This is particularly the case for entities operating within a four-party model, such as MasterCard and Visa. The regulation imposes interchange fee caps of 0.2% and 0.3% of the transaction value for consumer debit and consumer credit card payments respectively. However, this does not necessarily mean that all card acceptors will automatically pay less interchange as a proportion of their merchant service charge (MSC) as a result.
Member states may allow a per-transaction fee of no more than €0.05 in combination with the 0.2% cap for consumer debit card transactions. They can do this provided the sum of interchange fees of a particular payment card scheme does not exceed 0.2% of the annual transaction value of domestic debit card transactions of that payment card scheme. Furthermore, member states may apply the 0.2% cap calculated as an ‘annual weighted average’ of all domestic debit card transactions within each payment card scheme.
So what does this mean in practice? To take a worked example, Visa Europe published new domestic interchange reimbursement fees for the UK dated March 2015. Immediate Visa debit card interchange rates in the UK move from a simple pence-per-transaction fee (irrespective of the transaction amount) to a combination of a 0.2% fee plus a fixed pence-per-transaction fee with a capped amount. There are 4 separate rates, which differentiate between so-called secure and non-secure transactions, and between consumer and commercial cards.
Therefore, depending on the value of a Visa domestic debit card transaction and the level of security applied to the transaction capture, it is possible that some card acceptors may pay more interchange as a proportion of their MSC than previously under these new rates. Naturally, this example only considers one card product from one card payment scheme in one country (Visa immediate debit cards in the UK). Card acceptors could expect to see varying levels of net gains and losses across their card acceptance portfolio.
There are some notable exceptions to the new interchange rules. The 0.2% and 0.3% caps do not apply to purchase transactions made with commercial cards or those issued by three-party schemes, such as American Express. Equally, the outlook for surcharging, the ‘honour all cards’ rule and the separation of scheme and processing entities remains uncertain.
Payment Services Directive 2 (PSD2)
With regard to the long-awaited revisions to the Payment Services Directive, the various European legislative institutions have yet to reach political agreement on the text. The latest published draft remains the compromise text of the Council dated 1 December 2014. This is not expected to be the final version for the Parliament and Council to vote on and adopt. Member states will have 2 years to transpose the Directive into national law, which is anticipated to be by the third quarter 2017 at the earliest.
The objectives of PSD2 are to better deal with legal uncertainty, security risks in the payment chain and consumer protection. The latest draft contains the following key provisions:
- A requirement for strong customer authentication for electronic payment transactions (as per the EBA guidelines detailed above)
- PSPs are required to obtain clearance from the regulator with regard to limited network products where the monthly volume of transactions exceeds €1 million
- Third party payment service providers (TPPs) will be required to obtain a license or be registered as payment institutions where they offer online banking-based payment initiation or account services
- Payment institutions operating in one member state through agents with their head office in another member state may be required to establish a central point of contact in their territory
The European regulatory agenda is driving industry change. Various new guidelines and regulations, including those detailed above, as well as those around anti-money laundering, wire transfer, data protection and cyber security, will impact participants.
Regulation is the archetypal external risk: it affects all players in the market, but it may affect individual organisations differently, depending on their approach and readiness.
Those within the payment industry are advised to be aware of their obligations ahead of time. They are recommended to regularly evaluate the sustainability of their business approach and models, bearing in mind, of course, that regulation brings opportunities as well as threats.