the UK leads the way with Payment Services Regulations
Significant changes are taking place in the online payment
sector. On 9 February 2009 the UK became the first EU Member
State to transpose the EU Payment Services
Directive[1] (the PS Directive) into national law
when it passed the Payment Services Regulations
2009[2] (the Regulations). From 1 November
2009[3] , it will be a criminal offence to provide payment
services in or from the UK without authorisation by or registration
with the Financial Services Authority (FSA) (unless you fall within
the list of exemptions in the Regulations). Certain existing
payment providers can delay obtaining authorisation or registration
under transitional provisions which are discussed
below[4].
This article looks at some of the key provisions of the
Regulations but, as the PS Directive and the Regulations are
complex and detailed, to say the least, it can only scratch the
surface; the aim is to highlight the forthcoming changes so
businesses can act if they have not done so already.
what is the objective of the Payment Services Regulations?
The Regulations are intended to reflect the objectives of the PS
Directive, which are to establish a single market in payment
services, removing barriers to entry to the market and applying a
standard set of rules and obligations. Payment service users
should get the same level of information whichever Member State
they are from. In short, the PS Directive wants to achieve a
position where a payment service provider has only to get licensed
in one Member State and it can then export its services across the
EU following harmonised rules on conducting its payment
business.
The Regulations implement the PS Directive by setting up a new
authorisation and registration regime for those who operate
“payment accounts” (defined as an account held in the name of a
payment service user which is used for the execution of payment
transactions) and who provide payment services. This type of
authorisation will be different from the authorisation requirements
under the Financial Services and Markets Act 2000 (the FSMA).
Some businesses that provide payment services to the igaming sector
will be authorised already under FSMA as E-money issuers. As
such, they will not need to obtain authorisation under the
Regulations, however, they will be subject to the new provisions in
the Regulations on how they conduct their businesses.
which Payment Services Providers are covered by the
Regulations?
The Regulations apply to the provision of the payment
services[5] when carried out as a business occupation or regular
activity including the following:
- operation of payment accounts (eg cash deposits and withdrawals
from current accounts, e-money accounts, credit card accounts
etc)
- execution of payment transactions (including direct debits,
payment cards and credit transfers)
- card issuing and merchant acquiring
- money remittance
- certain mobile/cell phone payment services or similar services
provided by means of a PDA, iTV or other IT device
Whilst the scope of the Regulations is wide, they do not apply
to, amongst others:
- money exchange businesses (eg bureaux de change)
- servicing of securities (eg share sales and dividend
payments)
- payment instruments used on the issuer’s premises (eg staff
catering and store cards) or within a limited network of service
providers (eg petrol cards) or for a limited range of goods or
services (eg transport cards such as the London tube and rail
Oyster card)
- payment transactions through commercial agents
- telecom operator payments services when not acting as an
intermediary between payer and payee (eg payer just using phone to
send an SMS to his bank or topping up his phone credits)
As indicated above, there is also a distinction to be made
between:
- payment service providers which have to become authorised or
registered and must meet the conduct of business requirements
and
- those such as credit institutions (eg banks), E-money issuers,
or payment service providers authorised in another member state
(EEA authorised payment institutions), which do not need
authorisation but must comply with the conduct of business
requirements.
how do you get authorised or registered under the Payment
Services Regulations?
If the Regulations apply to you then[6] you will need to
become either, an “authorised payment institution” or, registered
as a “small payment institution” or, registered as an agent of one
of those institutions. You must also register in the UK if
you are an agent of an authorised payment institution based in
another Member State.
Applications are made to the FSA
and, as you might expect, involve providing a good deal of due
diligence type information including:
- an operations plan
- a business plan
- evidence of initial capital (Reg 6(3))
- means of ring-fencing users funds
- internal control mechanisms
- money laundering compliance
- management structure
- shareholdings and identity of directors with references
An application for authorisation must be determined within three
months and if refused the applicant can appeal to the Financial
Services and Markets Tribunal ('the Tribunal'). You can
register as a small payment institution if the monthly average over
a period of 12 months of the total amount of payment transactions
executed by you, including any UK agents, does not exceed €3
million. There are lighter requirements to registration than
authorisation; however, being authorised has the significant
advantage that you can passport (ie supply) your services into
other Member States.
Depending on how each Member State implements the PS Directive
into its national law, there may well be registration or
notification requirements to comply with when supplying services
cross border or setting up an agency in any particular Member
State. For example, UK authorised payment institutions will
have to notify the FSA before passporting their services to other
Member States. Likewise payment service providers licensed in other
Member States will have to notify their home State when they are
passporting their services here in the UK.
Note though that a payment services provider incorporated and
located outside the EEA is not generally within the scope of the
Regulations. Therefore, it would not need to become
authorised, registered or give any notification to the FSA before
providing internet based services to UK customers from its non EEA
location. Non EEA payment businesses would include those
incorporated and operating from Alderney or the Isle of Man.
The FSA is required to maintain and publish a register of
authorised or registered payment institutions and agents so
customers can easily check the list by referring to the FSA website
(http://www.fsa.gov.uk/).
when should a Payment Services Regulations apply?
Although the Regulations are implemented on 1 November 2009,
there are certain transitional provisions for existing payment
service providers.
A business that has been lawfully providing payment services in
the UK before 25 December 2007, does not need to become authorised
or registered as an agent until 1 May 2011. However, you do
not have passport rights until you become authorised so it would be
as well to deal with the process now rather than later.
In certain circumstances, UK financial institutions, to which the
Regulations apply, will be deemed to be authorised but they must
submit certain required information to the FSA by 25 December
2009.
A business that meets the criteria of a small payment
institution and that has been operating in the UK before 25
December 2007, does not need to register until 25 December
2010.
However, in all circumstances you
should thoroughly check and/or obtain professional advice on the
detailed transitional provisions in the Regulations before deciding
whether and when you need to apply or give notice to the FSA.
Quite apart from the authorisation or registration time
limits, the conduct of business requirements under the Regulations
will apply from 1 November 2009 so you should be preparing to
comply now if you have done so already.
Applications for authorisation or registration should be
lodged with the FSA during the official window between 1 May 2009
and 31 July 2009 to ensure that they are considered in time for 1
November 2009.
what are the obligations of an authorised payment
institution?
Authorised payment institutions have to comply with many
obligations under the Regulations including the maintenance of
sufficient capital - both initial capital and an ongoing funds
requirement. The ongoing requirement is calculated in
accordance with one of three alternative formulae (A, B or C); for
example, according to method A you would need to maintain own funds
equivalent to 10% of your fixed overheads for the preceding
financial year. No doubt an applicant will want to chose the
method of calculation that is the least onerous for its specific
business.
Customer (payment user) funds must be ring fenced. Any user
funds received in respect of a payment transaction that exceed £50,
must be safeguarded by either keeping them segregated from any
other funds held and placed in a separate account, or the funds
must be covered by an insurance policy, or a guarantee from an
insurer or credit institution (the proceeds of which are payable
upon insolvency into a separate account specifically for holding
user funds). The users must have a priority claim on those
funds before other creditors.
Being authorised or registered also brings with it the right to
offer other services including:
- foreign exchange services
- safe keeping activities
- storage and processing of data
- granting credit but only if the credit is in connection with
the execution of the payment transaction, other customer funds are
not used and, where the authorised payment institution is
exercising passport rights, it is repaid within 12 months
In addition to the obligations on authorised or registered
payment institutions, all those covered by the Regulations will
have to comply with the conduct of business requirements.
There are detailed rules dealing with the rights and obligations of
both payment service providers and their customers. These
include the provision of specific pre and post contract information
requirements for users, such as stating the execution time and
value date of payments, means of identification and authorisation,
charges, exchange rates, interest and many other matters.
Some information may be excluded by contractual agreement but not
if the contract for payment services is with a consumer.
There also provisions on who is liable and/or has the burden of
proof in the event of unauthorised or incorrectly executed payment
transactions, how disputes should be handled and when refunds are
payable etc.
The conduct of business requirements are far too extensive to be
dealt with in a summary article such as this but that should not
detract from highlighting their importance particularly for
businesses that are already authorised under the FSMA which may
have to meet these requirements in addition to their existing
obligations.
enforcement of the Payment Services
Regulations
The FSA will be taking compliance with the Regulations very
seriously. By all accounts, it has been taking a stronger
approach to enforcement regarding its other statutory obligations
including prosecuting insider dealing and levying fines for
ineffective money laundering compliance procedures. The Regulations
give the FSA extensive powers. Where its officers have
reasonable cause to believe that any premises are being used by an
authorised or registered payment institution or agent, an FSA
officer may, on producing evidence of authority at any reasonable
time:
- enter and inspect the premises and observe the carrying on of
business activities
- inspect and copy any document found there that is reasonably
required
- require any person on the premises to provide an explanation of
any document or state where it may be found
The FSA will also issue press releases as a form of
sensor. Consequently, reputation management will be ever more
important going forward. The FSA can also impose unlimited
penalties or, alternatively, cancel an authorisation or
registration. In addition, there are civil powers including
applying for an injunction or seeking an order to freeze assets or
requiring the payment of damages to those who have lost out.
The Regulations create several new criminal offences, the main
one being a prohibition on any person providing a payment service
in the UK unless they are one of the following:
- an authorised payment institution
- a small payment Institution
- an EEA authorised payment Institution exercising its passport
rights
- a credit institution, electronic money institution, the post
office, the Bank of England or the European Central Bank and the
National Banks of the EEA States, or Government Departments or
Local Authorities (other than when carrying out functions of a
public nature)
- a person exempt under Regulation 3 (Credit Unions, Municipal
Banks and National Savings Bank)
A person can also sue for damages
for breach of statutory duty if an authorised payment institution
acts without authorisation or regulation, fails to ring-fence funds
or fails to provide the specified user information or comply with
other requirements in relation to payment transactions set out in
the regulations.
final word on the Payment Services Regulations
It is almost impossible to explain in one article the scope,
application and effect of the Regulations. They run to some
81 pages and the FSA’s guidance explaining its approach to the
Regulations runs to 140 pages! The important point to make is
that if your business is providing payment services (whether or not
it is already FSA authorised) or you think it might possibly be
covered by the definitions in the Regulations, you should act now
in reviewing what if any obligations you will have to meet.
If you are providing payment services in a Member State other than
the UK, then you should consider both the provisions of the PS
Directive and keep track of your home States implementation of the
Directive into national law.
caveat
This article is intended to highlight changes in the law and
does not purport to be, nor should it be relied on, as legal
advice. You should formally engage a lawyer to advise you
before acting or not acting on any matter mentioned in this
article.
1 Directive 2007/64/EC of 13 November 2007 on
payment services in the internal market.
2 The Payment Services Regulations 2009 SI
no. 209
3 All Member States have to implement the
PS. DIRECTIVE into their national laws by 1 November 2009
4 The transitional provisions are
discussed below.
5 Unless you are a credit institution,
E-money issuer or an EEA authorised payment institution
If you would like to view previous
ebulletins, please visit our other recent briefings
page.
