In this article, we look at someone wishing to offer mobile payment services to people in multiple European Union countries - for example, by offering customers of different nationalities the ability to open an account through their phone. We consider how EU financial services law makes this easier, where the legal stumbling blocks are, and how to deal with them. A particular challenge comes from having to comply with varying requirements in different EU countries, and we illustrate this below with some examples from the UK, France and Germany.
What sort of mobile payments?
Examples of payments through a mobile phone could include contactless payments, online purchases through the browser function, and personal (P2P) transfers using an app. In each case, a source of funds is naturally needed, and this can be achieved in different ways.
- An account could be created especially aimed at mobile payments, in which case it may well be a prepaid account, as for Barclaycard's Quick Tap mobile contactless payments service in the UK or Amex Serve in the USA.
- Alternatively, a mobile payments service could draw on existing accounts, such as a credit or debit card, as with the Google Wallet.
- Other structures are possible, for example, the payments could be charged to the mobile operator's phone bill, or even made under a "money remittance" service allowing for one off payments to merchants or P2P.
How are the payments regulated?
Different financial services regimes apply depending on the type of payments account or service that is offered, and each largely derives from EU Directives. We won't get into the detail of the Directives here, but it is worth noting the key ones:
- Payment Services Directive, Money Laundering Directive, E-Commerce Directive, Unfair Terms in Consumer Contracts Directive and Unfair Commercial Practices Directive, which may apply to many if not all of the services described above;
- Consumer Credit Directive, which can apply to credit cards and other credit products;
- E-Money Directive, which will apply to many prepaid products; and
- Banking Consolidation Directive, which governs banks offering debit cards/current accounts.
These Directives typically require the following from a business providing an account or other payment service.
- The business needs to be authorised (i.e. licensed) and supervised by a financial services regulator. Being authorised also means having to meet various requirements on how the business is run and on the adequacy of its resources. This is often called being subject to "prudential supervision".
- The business must comply with numerous rules around how it does business with customers and delivers its payments service. For example, requirements on providing customers with information when offering a service and transactional information thereafter; restrictions on what can go in the customer agreement, and on the levels of charges; and rules around how obligations and liabilities are allocated between the business and its customers. These are often called "conduct of business" rules.
- Anti-money laundering requirements, meanwhile, straddle the prudential supervision and conduct of business regimes. They include having to carry out due diligence on customers (including checking their identities), monitor their transactions, and report suspicion of money laundering to the authorities.
How do the Directives apply across the EU?
A great advantage of the Directives is that a company licensed in one EU country can normally use its home authorisation to do business in other EU States, without having to get fresh licences in those "host" countries where it does business. This "passporting" of a licence means, for example, that an e-money institution authorised by the Financial Services Authority (FSA) to provide prepaid accounts in the UK does not also need to be separately licensed in France to offer the same service to its French customers.
Another advantage is that the Directives set a benchmark for conduct of business rules across the EU. This allows someone wishing to offer a mobile payments service to assume that, in each EU country, the same or similar rules will govern how they design, sell and provide the service. The problem, however, is that some material differences can still arise between the laws of different countries, as we discuss below.
As an added complication, when a business passports its licence into another country, while it can generally be confident of being subject only to home State prudential supervision, it may be less clear whether the conduct of business rules of the home or host State apply. For example, someone selling German accounts to UK mobile customers will know that German anti-money laundering requirements apply assuming the accounts are offered from an establishment in Germany, but may be uncertain as to whether equivalent requirements in the UK also apply.
We can nonetheless say that UK rules will often only apply where a service is provided from an "establishment" in the UK, which could be where accounts are opened at a bank branch or mobile phone retail outlet in the UK. Where a UK establishment is not used, many UK requirements are excluded: that could, for example, be the case where a customer can open a prepaid account directly through their phone or online. By contrast, French rules will typically apply even where a service is provided in France without the use of a French establishment.
How can laws differ?
There are a number of causes for differences in the laws between EU countries, even where EU Directives apply.
Firstly, a Directive needs to be implemented into national law in each EU State. That means a national legislator has to interpret how the Directive should be reflected in national laws, and different legislators may interpret the same provisions differently. Even if the provisions of a Directive are implemented with identical wording in two countries, it is possible for the regulators and courts in each country to have a different interpretation of what they mean. To ease this problem, the European Commission and EU States have initiatives aimed at ensuring consistent interpretation of, for example, the Payment Services Directive.
Secondly, the Directives often have "opt outs", whereby a country has a choice over whether or not to impose a particular requirement. Some countries will choose to impose the requirements, and others will not, as the following examples show.
- The Money Laundering Directive allows countries to exempt providers of certain prepaid products from having to carry out due diligence on their customers, and EU countries have typically allowed that exemption to apply. In Germany, however, new legislation means that the exemption no longer applies if someone distributes regulated prepaid products paid for in cash, or where cash withdrawals are possible, on behalf of e-money institutions (banks issuing prepaid products will also lose the exemption on the same basis from 2012). That will be a very significant obstacle to some e-money institutions, who (unlike banks) may not be geared up to do customer due diligence, and so may choose to exit the German market; potential new entrants, meanwhile, may be deterred from entering the market in the first place. This would also make it much more difficult to offer German customers the ability to open prepaid accounts directly through their phones unless the provider avoids using distribution agents in Germany, or makes sure that those agents don't accept cash as payment for prepaid balances and that customers cannot make cash withdrawals.
- The E-Money Directive allows countries to waive various requirements of the Directive for "small e-money institutions", but they can make this waiver conditional on the institutions applying a "purse limit" (i.e. a maximum storage amount) on their prepaid accounts. The UK has decided not to impose a purse limit, but draft legislation in France suggests that such a limit may be required.
Thirdly, national legislators can sometimes impose domestic laws that go beyond the requirements of a Directive (through "gold-plating" or otherwise). There are limits, however, on how far they can go. Where a Directive is "maximum harmonisation", as is the case for the Payment Services and Consumer Credit Directives, domestic laws cannot add to the requirements in an area that has already been regulated by the Directive. As can be imagined, however, there are grey areas where it is unclear whether or not something has already been covered off by the Directive. In any case, some of the relevant Directives are "minimum harmonisation", which means that there is little to restrict additional domestic laws, so long as they do not conflict with the Directive.
- For example, in the UK, consumer credit laws implementing the Consumer Credit Directive are extended to certain mortgages and business lending, even though they fall outside the scope of the Directive. Additionally, the UK's Office of Fair Trading has used powers under its consumer credit licensing regime to impose guidance (that lenders can only ignore at their peril) which arguably goes beyond the requirements of the Directive in areas that are subject to "maximum harmonisation".
- Another example is that in France (and many other countries), customer contracts have to be translated into the local language - a sensible requirement (after all, not everyone is English literate), but not one that comes from the Directives.
Fourthly, national legislators can sometimes fail to implement Directives on time, or can even implement them incorrectly.
- Reportedly around a third of countries failed to implement the new E-Money Directive on time, at the end of April this year. This means that in France, for example, agents distributing prepaid products will continue to need to be licensed as banks (or to meet conditions to be exempt) until at least the end of this year, even though this goes against the Directive.
How does one approach the differences?
The first step, for a business wanting to offer payment services from one country to customers in other countries across the EU, is to ask where exactly the payment services will be provided. Would it be in the country where the service provider is based, or in each country where customers are resident or from where they access the service?
Where an account or service is offered through a mobile phone (particularly if browser-based), there can be ways of structuring it so that it is provided in the business's home country. This avoids having to "passport" the service, and reduces the scope for legal requirements abroad to apply. Where such a solution is not possible, the business would need to passport the account or service into its customers' jurisdictions, and get fuller local law advice in those jurisdictions to make sure it offers a compliant service. This will probably be easier to achieve if the business is set up in (and passports from) a country with a reputation for having strong regulation and a strong regulator. That way, the business may find itself less subject to scrutiny from regulators abroad and, if its service meets robust regulatory standards at home, it will in many cases meet or surpass the requirements abroad, making it easier to maintain a relatively uniform product and processes across the EU.