Thanks to a barrage of regulatory reforms brought in over the past year, 2019 is poised to be a challenging year for European payments firms. Banks are under intense pressure to complete the process of opening up access to third-party providers, while all firms in the online payments chain must grapple with an unprecedented and largely unpopular shake-up of security rules. The cards market remains subject to close attention from competition authorities, while financial crime efforts appear set to focus on anonymous means of payments — not least cryptocurrencies. And for hundreds of firms, this is taking place against the fraught backdrop of the UK’s impending exit from the EU.
Banks and Third-Party Providers
Although the revised Payment Services Directive (PSD2) has already been in effect for just under a year, significant challenges still lie ahead. Chief among those challenges will be meeting requirements set down by regulatory technical standards on strong authentication, which take effect on September 14.
One of the directive’s main aims is to foster competition by forcing banks to open up account access to newly regulated third-party providers, or TPPs, and the standards set out numerous demands for how that should work in practice.
If providers of payment accounts — typically, but not exclusively, banks — choose to facilitate access by building a dedicated interface such as an API, they must also provide a contingency access mechanism by adapting the customer-facing online interface. However, an exemption from providing that “fallback” option is available if the firm’s API receives the approval of its national regulator.
2019 will reveal whether or not banks are successful in gaining that exemption in time.
Testing of interfaces must begin no later than March 14. Although there is no set deadline for submitting an exemption request, the UK’s Financial Conduct Authority (FCA) has already said that firms should do so no later than June 14. Firms are also encouraged to begin communications with their regulator as early as possible.
If a bank does not build a fallback interface and fails to gain an exemption in time, it is not yet clear what the consequences will be.
National regulators have so far proven evasive on the topic, although the European Banking Authority (EBA) has said in no uncertain terms that the deadline will not be extended and any bank in that situation will be deemed in breach of the law.
That said, it appears unlikely that many banks will choose to build a fallback interface. Although some smaller or digital-only banks may choose not to build a new API and adapt the customer interface instead, most of the wider industry appears to have ruled out building a fallback alongside a dedicated interface.
The fallback would differ from existing access models built around credential sharing because under the technical standards the bank needs to be able to identify whether the account is being accessed by a TPP or by the end user.
Technologists have said a relatively crude URL-based system could fulfil that requirement, but it is not yet clear how a third party would be able to present its eIDAS certificate — a digital document that proves its regulated status — when using a fallback.
For third-party providers, the choices that banks make will be significant. Existing players have been encouraged to connect to banks’ interfaces as early as possible and play an active role in the testing process.
In many cases, issues that do arise are expected to be addressed by a new working group set up in December by the EBA. The authority will chair the group, and firms on both sides of the divide have been invited to apply to join. European and national-level authorities are also due to take part.
Further ahead, the European Central Bank has repeatedly said it will monitor whether PSD2’s third-party access regime is successful and could choose to take further action if it feels it is necessary. Such action would likely take the form of legislative changes to allow non-bank payment providers access to its real-time settlement facility, TIPS.
Additional pressure on the banking sector could come from moves to address fraud. Not only must all regulated payment providers begin recording fraud data in a standardised fashion from the start of the year, but there are signs that action could be taken on authorised push payment (APP) fraud.
APP fraud involves victims being tricked into authorising a payment to an account controlled by a fraudster, and is currently not subject to the same reimbursement mechanism as card fraud. Following gradual reforms in the UK, European officials have identified the area as one to watch in future.
Cards, Acquiring and Issuing
The technical standards also pose unprecedented challenges to firms involved in e-commerce, including card acquirers, issuers, schemes and other electronic payment providers.
From September, all remote payments of more than €30 will require two-factor authentication unless an exemption can be used. The most eye-catching exemption on offer has been for firms that use transaction risk analysis to mitigate fraud: for them, strong authentication is only needed if their fraud rates are below certain fixed thresholds.
Given the challenging nature of those thresholds, it is highly likely that strong authentication will be required on many more online transactions than today.
There are already signs that some providers are trialling two-factor authentication methods. With card credentials not permitted as a "knowledge" factor — something only the payer knows — the bulk of providers will likely turn to biometrics, one-time transaction codes via SMS, or a combination of both.
Some major players have already indicated willingness to shift strategy.
Visa and Mastercard have each developed non-card account transfer services of their own, potentially allowing them to compete with TPPs if there is a shift away from plastic, while American Express has obtained permission from the UK regulator to provide payment initiation services.
Mastercard has also unveiled plans to offer an intermediary platform sitting between banks and TPPs that also provides dispute resolution and fraud detection services.
Those moves could prove timely. The UK’s FCA recently announced it would carry out a “programme of analysis to understand the value chain in new payments business models” and singled out cards as one of three financial services sub-sectors where consumer needs are potentially not being met.
At the same time, the country’s Payment Systems Regulator (PSR) is soon to finalise its terms of reference for a market review into card acquiring services. The review will focus on several areas, including competition, switching and pricing, and officials have revealed that consultations on its scope attracted a relatively high total of 35 industry responses.
Although only a UK-related initiative, the PSR’s acquiring review has wider resonance within Europe.
The regulator said it intends to collect data on scheme fees, which are set by networks such as Visa and Mastercard and charged to acquirers. The fees are typically passed directly on to merchants, which have become increasingly vocal about what they see as excessive increases.
With the European Commission due to assess the effectiveness of its Interchange Fee Regulation (IFR) during the next two years, scheme fees will be one of the major battlegrounds for lobbyists.
Many retail groups have called for scheme fees to be capped alongside interchange fees, or at least for greater transparency to be introduced, whereas the schemes themselves insist the charges are necessary to fund improvements in security and customer experience.
Another dispute will likely be whether commercial cards — currently exempt from the regulation — should be brought within scope.
It also appears highly probable that 2019 will see the conclusion of an EU antitrust case against both Mastercard and Visa. Once consultations conclude this month on an offer made by the two schemes to lower interchange fees on intra-regional card transactions, the European Commission is expected to issue a final decision.
Mastercard has said it expects a fine of around $650m.
Providers of currency conversion services, including the schemes, will also need to prepare for incoming EU regulations on cross-border payments. Although the first part of the new Cross-Border Payments Regulation will not become effective until early 2020, the final text is likely to be published in the union’s official journal in the coming weeks.
Brexit, Fintech and Crypto
The UK’s impending exit from the European Union continues to create problems for the continent’s payments sector. Although Brexit is slated to take place on March 29, less than three months from now, there is still little clarity on what that will look like for firms.
A withdrawal agreement and political declaration finalised by negotiators would effectively prolong the UK’s single market membership until the end of 2020, with the option to extend that further if needed. For financial firms that means full passporting rights would be retained.
However, the agreement must also be approved by a parliamentary majority in the UK, and has so far been received badly by all sides.
With that deal looking relatively unlikely to be voted through by MPs this month, the question is then whether an amended agreement could be reached in time, whether the Brexit process could be halted through the revocation of Article 50 of the Treaty of the Foundation of the EU, or whether the UK could crash out without a deal.
That latter option would mean that from 11pm UK time on March 29, payment and e-money institutions authorised by the FCA would no longer be allowed to provide services in an EU member state.
Firms passporting into the UK are able to benefit from a temporary permissions regime, but the majority of pan-European providers have sought to establish separate legal entities to maximise market access.
Even if the current withdrawal agreement is adopted in the UK, passporting will still end by 2021. The future relationship between the two respective financial services markets will instead rely on some form of equivalence, although further discussions on that are due to take place during transition.
Brexit is not the only reason some financial firms have been re-evaluating their regulatory status, however. Some large providers, such as Klarna and Revolut, have sought to blur the boundaries between banking and fintech by becoming licensed as credit institutions.
The emergence of certain national initiatives, such as Lithuania’s specialised bank regime or the UK’s settlement account access regime for non-bank payment firms, has given such firms an unprecedented opportunity to compete with more established rivals.
At the same time, the European Commission and the EBA have each been paying close attention to the development of fintech and legislative reforms likely to surface this year. The conclusion of work on regulatory sandboxes could be first out of the gate, with the EBA hinting that it could publish best practice guidance on a harmonised approach within the coming weeks.
A controversial corner of the fintech market — virtual currencies or crypto-assets — is also entering an important year in terms of regulation.
With the 5th Anti-Money Laundering Directive (5th AMLD) due to be transposed across the EU by early 2020, subjecting certain exchanges and wallet providers to due diligence requirements for the first time, national authorities across the bloc should soon open consultations on the reforms.
Meanwhile, the Financial Action Task Force (FATF), a global standard-setter for fighting money laundering and terrorist financing, has amended its recommendations on cryptocurrencies. As a result, its member countries are urged to make various regulatory or legislative reforms so that the technology is harder to use for illicit purposes.
Although many countries will likely focus only on the points of exchange between fiat and cryptocurrencies, some have already indicated plans to go further. Licensing regimes could also be introduced, although in the short term that is more likely at national rather than EU level.
In almost all cases, the focus has been on ending the anonymity associated with virtual assets.