On 4 July 2019 the Financial Conduct Authority (“FCA”) published its findings following a review of the safeguarding arrangements in 11 non-bank payment service providers (“PSPs”). The FCA has identified certain compliance failings. The FCA now requires all non-bank PSPs (essentially, payment institutions and e-money institutions) to self-certify, by completing a specific form available on the FCA website, that they are in compliance with the relevant safeguarding requirements by 31 July 2019.
This article summarises the relevant safeguarding requirements for payment institutions (“PI”) and e-money institutions (“EMI”) and discusses some of the issues with the safeguarding requirements. This is the first of two articles on this topic, which focuses on the FCA self-certification requirement and the scope of the safeguarding requirements.
The safeguarding requirements are set out, for PIs, in Regulation 23 of the Payment Services Regulations 2017 (“PSR2017”) and, for EMIs, in Regulations 20-23 of the Electronic Money Regulations 2011 (“EMR2011”). The substantive requirements for both PIs and EMIs are essentially the same, with certain complexity for EMIs.
Who must comply?
With respect to PIs, the safeguarding requirements are mandatory for “authorised payment institutions” but voluntary for “small payment institutions”. In other words, an authorised payment institution must comply with them, whereas a small payment institution may choose whether or not it wishes to comply.
The certification form for PIs only refers to “authorised payment institutions”, which seems to suggest that only authorised PIs are required to submit the self-certification form. However, this is not entirely clear. For small PIs that have voluntarily chosen to comply with the safeguarding requirements, it may be prudent to conduct the internal audit and submit the form as well.
With respect to EMIs, all EMIs (i.e. whether authorised or small) must comply with the safeguarding requirements in relation to funds received in exchange for e-money, and submit the confirmation of compliance form by the end of July. Where an authorised EMI also provides payment services that are not related to the issuance of e-money (“unrelated payment services”), then the EMI must comply with the safeguarding requirements in relation to funds for such unrelated payment services. Where a small EMI also provides unrelated payment services, it may choose whether or not it wishes to comply with respect to funds for its unrelated payment services.
The certification form for EMIs contains two tick boxes: one to confirm the EMI has ceased operation; the other to confirm the EMI in compliance with the safeguarding requirements for its e-money business AND the safeguarding requirements for its unrelated payment services. This means that when an EMI ticks the compliance box, it will have confirmed compliance regarding both its e-money safeguarding arrangements and the safeguarding arrangements for unrelated payment services.
For a small EMI engaging in unrelated payment services that has voluntarily chosen to comply, this seems to suggest that it would have to audit/confirm its safeguarding arrangements for unrelated payment services. However, what if the small EMI has not voluntarily chosen to comply with the requirements for its unrelated payment services? Would provide a confirmation (given there is only one tick box) put the small EMI at risk of providing misleading information to the FCA?
It would be helpful if the FCA could clarify these points as soon as possible given the short certification timeline.
What must be safeguarded?
Only “relevant funds” must be safeguarded. The concepts of “relevant funds” are slightly different for PIs and EMIs.
For PIs, “relevant funds” means, in summary, sums received from or for the benefit of a customer, including those received from a PSP on behalf of a customer, for the purpose of executing a payment transaction. A PI is regarded as having “received” such relevant funds once the funds are credited into the PI’s account within a payment system or at a bank (e.g. its operational account at a bank).
For a PI that also engages in non-payment service businesses, only “relevant funds” connected with payment services need to be safeguard. The FCA in its Approach Document for Payment Services and Electronic Money (the “Approach Document”) specifically discusses, PIs having unregulated foreign exchange business, when customer funds would become “relevant funds” and thus subject to the safeguarding requirements. For example, if a PI buys pound sterling and pays USD to a customer, such USD funds would not be relevant funds and thus do not need to be safeguarded. Whereas if the PI buys pound sterling but instead of paying out USD to the customer it transfers the USD funds, as instructed by the customer, to a third party, such USD funds would become relevant funds upon the completion of the exchange and thus must be safeguarded from that point in time.
Therefore, it is important for PIs that operate hybrid businesses to understand clearly where the line is between its payment service business and non-payment service business.
For EMIs, “relevant funds” catch two type of funds: (i) funds received in exchange for e-money that has been issued (“e-money relevant funds”, also known as the e-money float); and (ii) (if the EMI also provides unrelated payment services), funds received for unrelated payment services (“PS relevant funds”). The e-money relevant funds and PS relevant funds must not be commingled together; i.e. they must be safeguarded separately.
As EMIs must apply separate safeguarding processes for (on one hand) e-money relevant funds and (on the other) PS relevant funds, it is thus crucial for EMIs to understand under what circumstances a payment service would be considered to be related to the issuance of e-money.
There is a judgement by the Court of Justice of the European Union dated 16 January 2019 on this point (Case C-389/17). The case was referred to the CJEU for a preliminary ruling by Lithuania’s Supreme Administrative Court. The CJEU first concluded that the redemption of e-money was inherently related to the issuance of e-money and then ruled that, in determining whether or not a payment service is related to the issuance of e-money, the test was essentially whether the provision of the relevant services triggers the issuance or redemption of e-money in a single payment transaction. The Lithuanian court’s first question was where e-money redeemed at par and then transferred as instructed to a third party, whether the transfer service could be considered to be linked to issuance of e-money. The CJEU ruled that such a transfer service could be so considered provided it was within one single transaction.
The FCA also briefly touches upon this point in the Approach Document; it gives an example that a transfer from an e-money account to pay bills is considered linked with the issuance of e-money (see para 10.39, Approach Document). This seems to be broader than the conclusion of the CJEU judgement (admittedly the CJEU could only rule on the specific questions asked of it).
Other than these, there is no specific guidance from either the FCA or at the EU level.
This calls into question where, e.g. a customer is merely using an e-money product (e.g. a prepaid card) to make purchases and the EMI processes such transactions, whether or not such processing would be considered payment services (execution of payment transactions) related to the issuance of e-money. Such processing does not seem to trigger issuance (value spent was already issued). While “redemption” is not defined in EMR2011, it seems from the relevant provisions (see Regulation 44 EMR2011) that redemption is used to refer to a customer exchanging the e-money (i.e. the value) for funds with the EMI. On that basis, such processing does not seem to trigger redemption either. Therefore, such processing may be “unrelated” to the issuance of e-money according to the CJEU judgement. However, it appears to fall within the FCA example and thus should be “related” to the issuance of e-money.
Further, funds will only become the e-money relevant funds when they are received in exchange for e-money that has been issued. The FCA found (as one of the identified failings) that some PSPs were unable to identify when they were issuing e-money. However, the difficulty for EMIs is that there is a similar uncertainty on what “issuing” means in this context.
The FCA vaguely discusses this points (see PERG 3A, Q22) and suggests that to issue e-money means to “create” e-money. But it does not explain what “create” means for this purpose.
For a device-based loadable e-money product (e.g. a prepaid card), arguably e-money is issued or created when the value is loaded onto the device/card. For an account-based e-money product, it may be argued that e-money is issued/created when the value is credited into the customer’s e-money account. However, it is not clear how the FCA would view such arguments. Even if such arguments hold, given the variety of e-money products on the market, there may be products that do not fall neatly into these models.
Continued in Part 2, which discusses the specified methods of safeguarding and some related issues.