TERREÑA

Th e present institutional framework in charge of setting out the rules and supervision on the European and international payment systems is very complex. Th e competent national authorities and various supranational institutions, with diff erent skills and tasks, play a role in guiding and promoting the development of the sector. Indeed, the growing complex-ity of the European institutional machine is refl ected also in the area of payments, in which the main players are the European Commission, the EBA and the Eurosystem.

15 As declared in the PSD2 “recitals” it is essential that payment service providers report major security incidents “in order to ensure that damages to other payment service providers and payment systems, such as a substantial disruption of a payment system, and to users, is kept to a minimum”.

16 European Commission, A Digital Single Market Strategy for Europe , (Bruxelles: COM(2015)192), 6 May 2015.

17 Other major pillars of the framework are Regulation (EU) N°910/2014 on electronic identifi ca-tion and trust services for electronic transacca-tions in the internal market (eIDAS Regulaca-tion) adopted on 23 July 2014 and EU General Data Protection Regulation (currently in the fi nal stage of approval).

16 G. Giambelluca and P. Masi

The EU Commission

In recent years, the EU legislator (Parliament, Commission and European Council) has focused its action in integrating retail payments in the single market through the development of a comprehensive legal framework for payment services and electronic money on the basis of: Directive 2007/64/

EC on payment services, Regulation (EC) No 924/2009 on cross-border payments in the community , the E-money Directive 2009/110/EC, the SEPA Regulation No 260/2012 and, lastly, the Regulation of interchange fees for card-based transactions No 2015/751 and the revised Directive on payment services.

Th e legislative action has been able to rely on the support of various impact studies and consultative reports. Th e 2011 Commission Green Paper “Towards an integrated European market for card, internet and mobile payments” is still an important reference since it sets out the prin-ciples and objectives for the development of an effi cient and competi-tive market for innovacompeti-tive payments. From the regulatory point of view, the need to intervene is still justifi ed by the persistent fragmentation of important areas of the payments market, in particular card payments, along national borders and by the lack of consumer protection and secu-rity in certain areas, e.g. internet and mobile payments. Development of an integrated single market for safe electronic payments “is crucial in order to support the growth of the Union economy and to ensure that consumers, merchants and companies enjoy choice and transparency of payment services to fully benefi t from the internal market.” ¹⁸

To keep dialogue open with the Member States on these issues, the Commission relies on dedicated bodies and working groups ¹⁹ with the task to foster harmonization in the transposition and implementation of the EU legal framework. Th e need for a permanent monitoring of

18 PSD2 “recital”, no. 4.

19 Th e two main examples are the Payment Committee and the Expert Group on Banking , Payments and Insurance , created after the entry into force in 2009 of the Treaty of Lisbon. Th e two commit-tees support the delegation of executive powers to the European Commission, provide advice/

expertise in the area of payments and assist the Commission in the preparation of Implementing Acts and Delegated Acts of each regulation.

payment innovations also refl ects the diffi culties of the EU regulator in framing payments market: the strong competitive pressures of inter-national players, the speed of technological change, the ability to take advantage of the more favourable regulations, the complex and diffi cult process for setting standards are all factors that aff ect the eff ectiveness of traditional instruments of controls. Diff erent forms of dialogue with the market and among national competent authorities are also needed to ensure consistency and eff ectiveness in the application of rules through-out the EU Member States.

Th e EU Commission’s reliance on technical studies, working groups and direct involvement of competent authorities, self-regulated organiza-tions (SRO) and market operators in the regulatory process is growing with the growth of the single market. Given the diffi culties in fi nding appropriate incentive for new payments and remaining neutral towards the diff erent business models, the Commission’s approach entails the risks of over-regulating the sector and overlapping with the actions and proposals of other authorities. Th is might increase the perception of pos-sible ineffi ciencies in the EU distribution of regulatory powers.

The European Banking Authority

Th e EBA is emerging as an important actor in the institutional frame-work for payment services. In line with the assigned mandate—set by law (Reg. no. 1093/2010)—to contribute to the stability and eff ectiveness of the fi nancial system, the EBA has recently been taking a greater interest in the payment market, since its functioning is relevant to many of EBA’s objectives, like promoting a level playing fi eld for competition, ensuring that risk taking is appropriately regulated and supervised, and enhancing customer protection. Th e EBA is mandated to monitor new and existing fi nancial activities and adopt guidelines and recommendations, with a focus also on innovations.

In July 2014, based on a thorough study of the phenomenon, the EBA issued an Opinion on Virtual Currencies , setting out a regulatory approach towards this particular innovation and inviting the European institutions

18 G. Giambelluca and P. Masi

to regulate it. ²⁰ Th e EBA suggests intervening on those entities that off er conversion services between virtual and legal currencies (virtual curren-cies exchangers) by including them within the scope of application of the anti-money laundering legislation ²¹ ; fi nally, the EBA invited the supervi-sory authorities of Member States to discourage banks, electronic money institutions and payment institutions from engaging in operations related to virtual currencies, pending the issuance of the regulation. Th e risk pro-fi le of virtual currencies has been addressed by several other international regulators, such as the Financial Action Task Force (FATF) (Box 1.2).

Another important step in the EBA‘s work on innovative payment ser-vices came with publication of the Guidelines on the Security of Internet Payments in December 2014. Being based on the European Central Bank (ECB) Secure Pay Recommendations, the guidelines represent a good example of cooperation between institutions in addressing the new challenges of the payment market. In 2015 the EU legislator acknowl-edged the importance of the EBA’s role in the payment systems and its cooperation with the Eurosystem, conferring upon it a series of mandates to develop regulatory technical standards and guidelines, especially on security issues. ²²

20 Th e possibility to include regulation of virtual currencies in PSD2 was excluded during the nego-tiation of the directive PSD2; a new opportunity could arise with the next update of the directive on electronic money.

21 As part of the proposal of the Directive on the prevention on the use of the fi nancial system for the purpose of money laundering and terrorist fi nancing (AMLD4). According to the Committee on Payment and Market Infrastructures (CPMI, Report on Digital Currencies (Basle: CPMI November 2015)), the borderless online nature of digital currencies and the absence of an identifi -able “issuer” of the instrument have raised important concerns by law enforcement authorities about the use of these systems and currencies for illegal activity, as well as compliance with AML/

CFT obligations that apply to traditional payment methods and intermediation.

22 Th e reference is to the Interchange Fee Regulation (IFR), which requires the EBA to develop Regulatory Technical Standards (RTS) to ensure separation between card schemes and processing entities, and to the revised Payment Services Directive (PSD2), which confer on the EBA the task of developing six Technical Standards and fi ve sets of Guidelines. In accordance with the procedure laid down in Article 15 of Regulation (EU) No 1093/2010, the technical standards are formally adopted by the EU Commission.

Box 1.2 The FATF Guidance

In June 2014, the FATF issued the report Virtual Currencies Key Defi nitions and Potential AML / CFT Risks . Despite the benefi ts of payment and fi nancial innovation, the FATF underlines that virtual currencies’ payment products and services (VCPPS) present money laundering and terrorist fi nancing (ML/

TF) risks and other crime risks that must be identifi ed and mitigated. To this end the FATF issued a Guidance for risk based approach ( RBA ) to virtual cur-rencies (June 2015) which focuses on applying the risk based approach to the ML/TF risks associated with VCPPS.

The Guidance is dividing virtual currency into two basic types: convertible and non-convertible virtual currency. The notion of “convertible currency”

does not in any way imply an ex offi cio convertibility (e.g. in the case of gold standard), but rather a de facto convertibility (e.g. because a market exists). Thus, a virtual currency is “convertible” only as long as some private participants make offers and others accept them and has an equivalent value in real currency and can be exchanged back and forth for real cur-rency. The Guidance is on the points of intersection (“nodes”) that provide gateways to the regulated fi nancial system, in particular “convertible vir-tual currency exchangers” in order to clarify the application of the relevant FATF recommendations to them.

Convertible virtual currencies may be either of two sub-types: centralized or decentralized . Centralized virtual currencies have a single administrating authority (administrator)—i.e. a third party that controls the system. An administrator issues the currency; establishes the rules for its use; maintains a central payment ledger; and has authority to redeem the currency (with-draw it from circulation). The exchange rate for a convertible virtual cur-rency may be either fl oating—i.e. determined by market supply and demand for the virtual currency—or pegged—i.e. fi xed by the administra-tor at a set value measured in currency or another real-world sadministra-tore of value, such as gold or a basket of currencies. Currently, the vast majority of virtual currency payments transactions involve centralized virtual currencies (examples: Second Life “Linden dollars”; PerfectMoney; WebMoney “WM units”; World of Warcraft gold). Decentralized virtual currencies (or crypto-currencies) are distributed, open-source, math- based, peer-to-peer virtual currencies that have no central administrating authority, and no central monitoring or oversight (examples: Bitcoin; LiteCoin; Ripple).

Convertible virtual currencies that can be exchanged for real money or other virtual currencies are potentially vulnerable to money laundering and terrorist fi nancing abuse for many reasons. First, they may allow greater anonymity than traditional non-cash payment methods. Virtual currency systems can be traded on the internet, are generally characterized by non-face-to-face customer relationships, and may permit anonymous funding.

(continued)

20 G. Giambelluca and P. Masi

The ECB and the Eurosystem Role

Given its mandate to streamline the operation of payment systems, the Eurosystem has always had a strong interest in promoting innovation in payment system. Th e ECB and the national central banks played a funda-mental role in the migration of the European banking community to the SEPA, as it was considered the natural step following upon the introduc-tion of euro banknotes and coins. According to the EU Treaty, effi ciency and reliability are the main drivers of the Eurosystem activities. Th rough its oversight function, the Eurosystem carries out assessments of the safety and effi ciency of payment systems, payment schemes and instruments; it has also worked to promote a common understanding on security issues by setting up a European forum on the security of retail payments known

Box 1.2 (continued)

Decentralized systems are particularly vulnerable to anonymity risks. There is no central oversight body, and no AML software currently available to monitor and identify suspicious transaction patterns. Law enforcement can-not target one central location or entity (administrator) for investigative or asset seizure purposes (although authorities can target individual exchang-ers for client information that the exchanger may collect). It thus offexchang-ers a level of potential anonymity impossible with traditional credit and debit cards or older online payment systems.

Virtual currency’s global reach likewise increases its potential AML/CFT risks. Virtual currency systems can be accessed via the internet (including via mobile phones) and can be used to make cross-border payments and funds transfers. In addition, virtual currencies commonly rely on complex infra-structures that involve several entities, often spread across several coun-tries, to transfer funds or execute payments. This segmentation of services means that responsibility for AML/CFT compliance and supervision/enforce-ment may be unclear. Moreover, customer and transaction records may be held by different entities, often in different jurisdictions, making it more diffi cult for law enforcement and regulators to access them. This problem is exacerbated by the rapidly evolving nature of decentralized virtual cur-rency technology and business models, including the changing number and types/roles of participants providing services in virtual currency payments systems. And importantly, components of a virtual currency system may be located in jurisdictions that do not have adequate AML/CFT controls.

as “SecuRe Pay Forum”, with the participation of representatives from banking supervision and oversight. Th e SecuRe Pay Forum has formu-lated recommendations for security of internet and mobile payments that, despite the lack of enforcement on the basis of the regulatory frame-work in place, have been taken into consideration for the issue of EBA guidelines on internet payments and represented the starting point of the primary PSD2 rules regarding security of payments (see Box 1.3).

Box 1.3 The EBA Guidelines on the Security of Internet Payments In the light of the growth of frauds registered on internet payments (794 million euro in fraud losses in 2012, up by 21.2 % from the previous year), which undermine the confi dence of market participants in payment sys-tems, EBA decided at the end of 2014 to publish the guidelines on internet payments, based on the content of ECB Secure Pay Recommendations, with the implementation date of 1 August 2015.

The purpose of the guidelines is to defi ne common minimum require-ments for the internet payment services, such as: the execution of card pay-ments on the internet, including virtual card paypay-ments; the registration of card payment data for use in ‘wallet solutions’; the execution of credit transfers on the internet; the issuance and amendment of direct debit elec-tronic mandates; transfers of elecelec-tronic money between two e-money accounts via the internet.

The guidelines, in addition to the requirements, also provide a set of best practices which payment service providers are encouraged, but not obliged, to follow.

Mobile payments—other than those browser-based—are excluded from the scope of the guidelines, together with payments where the instruction is given by post, telephone order, voice mail or using SMS- based technology and payment transactions made by an enterprise via dedicated networks.

The guidelines provide for requirements related to three different areas:

1. General controls and security environment ; payment service providers are requested to implement and regularly review a formal security policy for internet payment services. They should carry out and docu-ment thorough risk assessdocu-ments with regard to the security of internet payments and related services, both prior to establishing the services and regularly thereafter. Payment service providers should ensure the consistent and integrated monitoring, handling and follow-up of security incidents; they have to establish a procedure for reporting

(continued)

22 G. Giambelluca and P. Masi

Box 1.3 (continued)

such incidents to management and, in the event of major payment security incidents, the competent authorities. Payment service provid-ers should implement security measures in line with their respective security policies in order to mitigate identifi ed risks. They must have processes in place ensuring that all transactions, as well as the e-man-date process fl ow, are appropriately traced.

2. Specifi c control and security measures for internet payments ; the most important rules in this area are those related to strong customer authen-tication, which is required for the initiation of internet payments, as well as for actions which imply high risks for the customer, as the issu-ance or amendment of electronic direct debit mandates or the access to or amending of sensitive payment data. Alternative measures may be adopted in some pre-identifi ed categories of low-risk transactions, based on a transaction risk analysis or involving low- value payments, as referred to in the PSD. Also providers of wallet solutions are requested to support strong customer authentication when customers log in to the wallet payment services or carry out card transactions via the inter-net. Other requirements are applicable to the process of customer enrolment, the provision of authentication tools or software delivered to the customer, and the transaction monitoring mechanisms designed to prevent, detect and block fraudulent payment transactions.

3. Customer awareness, education, and communication ; the guidelines require the payment service providers to offer assistance and guidance to customers with regard to the secure use of the internet payment services; they also have to provide at least one secure channel for ongoing communication with customers regarding the correct and secure use of the internet payment service. The payment service pro-viders should explain the procedure for customers to report the sus-pected fraudulent payments, suspicious incidents or anomalies during the internet payment services session and/or possible social engineer-ing attempts. Payment service providers have to set limits for internet payment services and provide their customers with options for further risk limitation within these limits. They may also provide alert and cus-tomer profi le management services, including the confi rmation of the payment initiation and the information necessary to check that a pay-ment transaction has been correctly initiated and/or executed.

As mentioned before, PSD2 introduces a wider set of security require-ments for payment service providers: even if many of them are completely new, due to the need to cover the emerging risks related to the business model of the digital economy, a number of provisions are fully in line with the framework of security requirement designed by the EBA and, even before, by the ECB Secure Pay Recommendations.

Th e Eurosystem also performs a less formal role as catalyst, providing guidance and support to the payments industry and other stakeholders in the development of common standards, interoperability rules and coopera-tive actions which may foster innovation and effi ciency in all the segments of the payment chain. Th is includes a wide range of activities, such as issue of reports, organization of seminars and conferences for market operators and the creation of fora for discussion, at the national and European level.

A major step forward in this role was the establishment in 2015 of the Euro Retail Payments Board, a new entity established and chaired by the ECB with the aim to foster a continuous dialogue with the stakeholders for the development of an integrated, innovative and competitive market for retail

A major step forward in this role was the establishment in 2015 of the Euro Retail Payments Board, a new entity established and chaired by the ECB with the aim to foster a continuous dialogue with the stakeholders for the development of an integrated, innovative and competitive market for retail