Payment Matters: No. 38

  • United Kingdom
  • Financial institutions
  • Financial institutions - Payment services

03-12-2018

Industry lobbying for a card number / CVV to be accepted as a knowledge factor

A group of industry associations (the European Payment Institutions Federation, EuroCommerce, Ecommerce Europe, the Merchant Risk Council, DigitalEurope and EMOTA) have sent a joint letter to the European Banking Authority (“EBA”) lobbying for a card number and CVV to be a valid knowledge factor following the implementation of strong customer authentication (“SCA”) for a phased period of time.

The group has suggested that the disapplication of a card number and CVV as a knowledge factor would disrupt the payments ecosystem because a large percentage of the market would not have access to an easy and convenient authentication solution.

This is based on the group’s analysis that alternative knowledge factors (e.g. passwords) could impact the customer journey due to transaction abandonment and institutions will not have sufficient time to implement biometric solutions in order to use an inherence factor, particularly as a large proportion of customers do not have access to online banking or a smartphone.

What does this mean for you?

We are aware that there are concerns regarding the regulatory guidance that a card number/CVV is not a knowledge factor for the purposes of SCA (paragraph 35 of the EBA Opinion notes that a card number/CVV cannot be considered to be a knowledge factor as it is not ‘something only the user knows’). It is, however, worth noting that there is a potential argument that a card number/CVV could be used as a possession factor post implementation of SCA (potentially negating the need for a phased prohibition period).

Paragraph 20.18 of the FCA’s draft guidance (CP18/25) notes that where certain information is printed on a payment card (such as the card verification number (CVV)) it cannot be used as a knowledge factor but it may be used as evidence of the possession of a card, alongside the use of an entirely separate factor. The FCA goes further and notes that use of a dynamic CVV is stronger evidence of possession of a payment card as it prevents card details being used in the absence of the physical card itself. Some institutions would, of course, support the reversal of the EBA Opinion and the FCA draft guidance, which notes that a card number/CVV cannot be used as a knowledge factor, where the PSP intends to use a card number/CVV as a knowledge factor alongside an alternative possession or inherence factor.  

The European Court of Justice rules on interpretation of a ‘payment account’ under the Payment Services Directive

In a judgment handed down on 4 October (Bundeskammer für Arbeiter und Angestellte (Austria) v ING-DiBa Direktbank Austria Niederlassung der ING-DiBa AG (C 191/17)), the European Court of Justice (“ECJ”) has ruled on the interpretation of a ‘payment account’ under the Payment Services Directive (“PSD”).

The ECJ’s judgment closely follows the Opinion published by the Advocate General in June 2018, noting that the possibility of making and receiving payment transactions to a third party is a defining feature of a ‘payment account’ under PSD2. In the context of the case in question, this meant that an account which required the use of an intermediary account in order to send and receive payments did not fall within the definition of a payment account under PSD.

Interestingly, the ECJ came to this conclusion by considering the definition of a ‘payment account’ within the Payments Account Directive (“PAD”). This analysis has received much criticism across the industry as it is widely understood that the scope of PAD and PSD are not the same. The scope of PAD is narrower and sets out that accounts which are not used for day to day transactions are not within scope (although these may still fall within the definition of a ‘payment account’ within PSD).

What does this mean for you?

The industry is now grappling with what constitutes a ‘payment account’, particularly in the context of third party access under PSD2 which only applies to ‘payment accounts’ which are ‘accessible online.’ The FCA guidance in PERG places a ‘balancing act’ in the hands of a PSP when determining what constitutes a payment account under PSD, rather than there being a defining feature which takes an account out of scope.

The FCA may decide to issue additional guidance to provide clarity given that institutions are now considering de-classifying certain types of accounts based on the ECJ judgment. However, in the absence of any new guidance, PSPs are left grappling between the arguments in favour of de-classification and a number of competing considerations (e.g. it may encourage unauthorised screen scraping post-RTS).

Retailers’ lobby for enhanced rights under the Regulatory Technical Standards for strong customer authentication and common and secure open standards of communication (“RTS”) under PSD2

Two industry representatives for a significant proportion of retailers (EuroCommerce and Ecommerce Europe) have jointly written to the European Commission to lobby for changes in relation to the current API initiatives developed under PSD2/RTS. The industry representatives have suggested that:

  • merchants should be able to suggest the use of an exemption to SCA as retailers are in a unique position to define transaction risks
  • APIs should allow retailers and third parties to send data to banks to support the exemption of application of SCA
  • retailers should be able to access the payer’s whitelist to ensure that authentication is not requested by the Bank when the recipient is a trusted beneficiary under Article 13 of the RTS
  • all existing authentication models, including but not limited to redirection, decoupled and embedded models, should be available

What does this mean for you?

A number of the proposals voiced by EuroCommerce and Ecommerce Europe have been considered by the regulators (e.g. the EBA Opinion notes that merchants should not be able to decide whether to apply an SCA exemption and has acknowledged that acquirers can outsource the SCA transaction risk analysis to merchants). However, there is still wide industry debate regarding the application of the RTS and the FCA has recently consulted on its approach to the RTS. We would suggest further European level guidance is unlikely (other than via the EBA’s Q&A tool) and that the EBA is unlikely to reconsider its position on merchants because it has previously noted that the RTS only applies to PSPs, rather than the payer or payee directly. If you require assistance with the application of the RTS, please get in touch with us.

The European Parliament’s Economic and Monetary Affairs Committee has published a report detailing changes on cross-border payments and currency conversion charges

The European Parliament’s Economic and Monetary Affairs Committee (“ECON”) has voted to adopt a report detailing proposed changes to the Cross-border Payments Regulation regarding charges on cross-border payments and transparency measures. As previously reported in Payment Matters, proposals to amend the Regulations were initially put forward by the European Commission in March 2018 and have since been debated by the European Council, the European Commission and the European Parliament, particularly in relation to the requirement to disclose the full costs of the currency conversion prior to the initiation of a card-based payment transaction. The final shape of the amended Regulations will now be negotiated between the European Parliament, the Council and the Commission, although it is not clear when the proposed final text will be published.

What does this mean for you?

If ECON’s proposals are copied across into the final text, PSPs will be required to charge the same fees for cross-border transactions in any currency of a Member State as they charge for domestic payments. It is worth noting that ECON’s report proposes to amend the text to refer to ‘any currency of a Member State’ – not just Euro payments which has previously been debated across the industry.

As expected, ECON’s suggested proposals also require PSPs to put in place transparency measures to prevent PSPs potentially recouping lost revenue as a result of the new restrictions on charges. ECON has not endorsed a temporary cap on exchange rate charges but PSPs will be required to disclose the full costs of the currency conversions for both credit transfers and card-based transactions prior to the initiation of the payment transaction. There is also an obligation for PSPs to use the effective exchange rate used by the party providing currency conversion services at the time of the initiation of the transaction for clearing and settlement purposes. This will likely receive criticism from PSPs as implementation could be technically complex and costly for PSPs in the context of card-based payment transactions.

Additional transparency measures proposed by ECON also include requirements that PSPs ensure:

  • the full cost of the currency conversion shall be disclosed as the difference between the exchange rate used for converting the payment transaction and the latest available reference exchange rate of the ECB
  • currency conversion services at point of sale or an ATM shall always provide the option of payment in the local currency
  • they put in place technical tools which allow cardholders to change their preference regarding alternative currency conversion services
  • they provide the information regarding all currency conversion to customers free of charge

As noted above, it is not clear when we will receive a final text following the trilogue negotiations between the European Council, the European Parliament and the European Commission but we recommend that you review the latest proposed changes in ECON’s report (available here).

Pay UK issues ‘confirmation of payee’ research

Pay UK, previously known as the New Payment System Operator, has issued a report on the new Confirmation of Payee (“COP”) system which PSPs will need to put into place next year. The report sets out Pay UK’s responses to findings and recommendations following independent research in relation to the new system. For example, Pay UK notes:

  • the COP experience should be undertaken in near real time which does not impact the customer journey where there is a positive response to a COP request
  • the industry has an important role to ensure that customers understand what COP does (and does not do) as awareness of the system will be key to ensure that payers are encouraged to be accurate
  • upon receipt of a negative COP outcome, customers will be able to: (a) confirm the correct details with the payee; (b) correct the error and resubmit; (c) cancel the payment; or (d) proceed to make the payment with clear warnings about the consequences and liability if the payment goes wrong (although Pay UK expects the topic of liability to be considered further under the Contingent Reimbursement Model issued by the Payment Systems Regulator and other industry practices)

For further details regarding Pay UK’s responses to the stakeholder feedback, please see a copy of the report (available here).

What does this mean for you?

The findings and recommendations have been taken into account by Pay UK when finalising the technical specifications for COP which we understand have now been issued to all PSPs (including the applicable rules, standards and guidance).

The report notes that further engagement will be undertaken before the end of the year to refine recommendations around common terminology and language, and the Payment Systems Regulator has also issued a consultation regarding the regulatory directions to oblige implementation by Summer 2019 (please see below for further information on this consultation).

We, therefore, recommend that all PSPs review the report and the published rules, standards and guidance and begin working on their internal propositions to ensure that they are in a position to implement the new system in accordance with the technical specifications in 2019 (although Pay UK notes that it is likely that the guidance will continue to develop organically in line with users’ experience as COP is introduced in the market).

The Payment Systems Regulator (“PSR”) consults on general directions regarding the implementation of Confirmation of Payee

Following the publication of Pay UK’s report, the PSR has published a consultation requesting feedback on its proposal to implement regulatory directions requiring PSPs to fully implement the new COP scheme by Summer 2019.

The consultation proposes to direct all PSPs to implement COP so that they are able to: (i) receive and respond to COP requests by 1 April 2019; and (ii) send COP requests and present responses to customers by 1 July 2019. The PSR notes that the phased implementation approach will ensure timely and coordinated application as both the sending and receiving PSPs must have the necessary technology in place for the system to deter fraud effectively.

The consultation also seeks feedback regarding additional regulatory directions on the implementation of COP. For example:

  • should the directions only apply to PSPs carrying out Faster Payments and CHAPS transactions? If so, does this include indirect participants in Faster Payments and CHAPS?
  • should the directions apply to PSPs which are not the payer’s or the payee’s PSP but are in some way involved in the transaction?
  • should COP be applied to all channels where a customer can initiate a Faster Payment or a CHAPS payment (e.g. mobile, internet, telephony and branch-initiated payments)?
  • should the directions cover transactions initiated from the accounts of both individuals and businesses?
  • is it legitimate for a person to opt out of COP?

You can find full details of the proposed regulatory directions within the consultation (available here).

What does this mean for you?

If the PSR’s recommendations are implemented, PSPs will be required to put in place the technology to receive and respond to COP requests by April 2019 and send COP requests by 1 July 2019.

The PSR suggests that the proposed deadlines are achievable based on what PSPs need to do to implement the new COP system. However, depending on your existing operational processes, it may be difficult to update all customer interfaces with the requisite technology to enable COP requests/responses in near real time in the first half of 2019 (particularly in the context of the competing regulatory deadlines under PSD2, the RTS and associated guidance). PSPs should also consider the cost implications in relation to the implementation of the new COP system which will need to be borne by PSPs in the first half of 2019 if these regulatory directions come into force.

We, therefore, recommend that all PSPs take the time to review the consultation and provide feedback on the various regulatory proposals, particularly in relation to the proposed timelines as the PSR is seeking feedback on the potential barriers which PSPs may face in meeting the proposals within the suggested timeframes (e.g. the conflicting regulatory deadlines in the first half of 2019).

Please note the deadline for responding to the consultation is 5pm on 4 January 2019.

Sixth anti-money laundering directive – strengthening the preventive framework

The sixth anti-money laundering directive (“MLD6”), which complements the criminal law aspects of the fifth anti-money laundering directive adopted earlier this year, was published in the Official Journal of the European Union on 12 November 2018. All EU member states are expected to bring into force the laws and administrative provisions necessary to comply with this directive by 3 December 2020.

Although the UK is expected to withdraw from the EU in March 2019 before the deadline for EU Member States to implement MLD6, the current text of the draft withdrawal agreement includes a transitional or implementation period ending on 31 December 2020, during which the UK would be required to implement EU directives (including both MLD5 and MLD6). The UK may therefore be obliged to implement MLD6 but, even if not, it may choose to do so.

The key provisions of MLD6 are set out below:

Unified list of predicate offences

The term ‘predicate offence’ refers to the criminal activity that gives rise to, or underpins, a money laundering offence. Article 2 of the MLD6 sets out 22 predicate offences which may generate criminal property for the purposes of committing a money laundering offence. These offences are wide-reaching and include environmental crimes, tax crimes and cybercrime, as well as more traditional examples such as the trafficking of drugs and humans, fraud and corruption.

It will not be necessary for there to be a criminal conviction in relation to the predicate offence, and no individual offender will require to be identified in respect of the underlying offence in order to secure a conviction for money laundering. For predicate offences committed in another Member State or third country, the offence must be illegal in both the home State and the other jurisdiction.

The move to define predicate offences is likely to result in an additional burden on regulated firms, including staff training and monitoring systems to detect signs of predicate offences, as well as suspicious activity linked to money laundering.

Penalties

The minimum prison sentence is to be increased from one year to four years, alongside dissuasive sanctions including: fines; temporary or permanent exclusion from access to public funding; temporary disqualifications from the practice of commercial activities; or temporary bans on running for elected or public office.

Where the laundered property is of high value or derives from certain predicate offences, the circumstances shall be regarded as aggravated, and the court may take into account aggravating circumstances when sentencing offenders.

Extension of criminal liability to corporates

Criminal liability is extended to corporates where a money laundering offence is committed for their benefit by an individual in a leading position within that corporate or where a lack of supervision or control by such individual has made possible the commission of a money laundering offence. This is an interesting move towards the wider trend of ‘failure to prevent’ economic crimes such as the UK offences of bribery and corporate facilitation of tax evasion offences introduced over the last decade.

Criminal proceedings may also be brought against perpetrators, inciters or accessories in such money laundering offences committed for the benefit of an organisation as a whole.

Confiscation

Authorities will now be required to freeze or confiscate both the proceeds and instrumentalities used in the commission of money laundering offences in order to remove the financial incentives which drive perpetrators.

Jurisdiction

Member States will be required to establish their jurisdiction over money laundering offences where the offence is committed in whole or in part on their territory or the offender is one of their nationals. Where an offence falls within the jurisdiction of two Member States, the Member States shall co-operate to centralise proceedings in a single Member State. This provision is in line with the EU’s commitment to enable more efficient and swifter cross-border cooperation between competent authorities.

What does this mean for UK businesses?

Whether or not the UK government implements the MLD6 into national law, these new provisions are of significance to any UK businesses trading with any state that has transposed the directive into domestic legislation. These Member States will have jurisdiction where the offence is committed, wholly or partly, in their territory, or if the offender is an EU national.

If the UK does adopt equivalent legislation, individuals and corporate entities will be in scope for money laundering and predicate offences. Corporates undertaking regulated business across a range of sectors are already faced with the near-herculean task of trying to get on top of the stringent requirements of MLD4 and grappling with the detail of MLD5. The new provisions of MLD6 and, in particular, the corporate offences it envisages, will only serve to add to the already-full plate of most compliance officers.
