Global E-Payments Guide Series, Part IV: E-payment User Protection and Crime Prevention

Introduction on Global E-Payments Guide by Aliant Corporate PAG. 

 

Global E-payments Guide was created by Aliant’s Corporate Practice Group, where our experienced and well established lawyers from France, Italy, the Netherlands, Finland, Cyprus, U.K, Israel, U.S.A and China have answered some fundamental and up-to-date questions on E-payments. If you are interested in E-payments in any of the beforementioned countries please follow these five part series.

 

 

What do we mean by e-payments?

By “E-payments” (also called digital payments), we mean any payment for a good or service without the use of cash, made electronically, i.e. telematically or by internet, using an electronic device (from the traditional payment cards to computers, smartphones, tablets, smartwatches, as well as the Point Of Sale or “POS”, either contactless or with magnetic stripe reading).

 

Why are e-payments important?

Even before the pandemic, global digital payments industry has been involved in many innovations, including mobile wallets, P2P mobile payments, real-time payments and cryptocurrencies. This new, simple-to-use, cashless payment methods have become an appealing alternative for billions of people and attracted many users.

Over the years, China and the United States developed into the world’s leading digital payments markets, but Europe is set to witness the most impressive digital payments growth. However, with social distancing rules in place, more people started embracing contactless payments as a safer way to manage their money in both developed and emerging countries and consumers are increasingly inclined to use E-payments.

From the side of the E-payment service providers, even large players such as Amazon, PayPal, Apple and Facebook are continuously investing in online and mobile payment solutions and the ongoing changes in e-commerce solutions, with the transition from individual separate online shops to integrated platforms, is creating space for new business models and new opportunities for E-payments.

In conclusion, due to fast technological developments and the increasing of consumers attitude to pay products and services by their online banking accounts as well as by E-payments and mobile payments via smartphone applications, the transition to a cashless society is inevitable and irreversible, therefore this sector is very profitable at the present and will remain productive for a long time.

 

Do you need any help in e-payment market?

If you are an entrepreneur who wants to succeed in the E-payments market, you know that in the era of global e-commerce, after launching your services locally, you have to spread beyond national borders and therefore operate in different countries, often subject to very different rules and policies.

How do you choose where to start an E-payment service or in which country is it preferable to expand a service already successfully launched in your country?  Are administrative authorisations and/or specific requirements to operate payment services? Which activities are allowed? Are there public supervisory auditing of the activity?

To help tackle these questions, Aliant presents an overview of the different legal frameworks for payment services around the world which, without being considered exhaustive or as a legal opinion, aims of providing entrepreneurs and investors who operate internationally and who are interested in payment services with a preliminary tool for choosing the markets in which to launch or expand their payment services.

This general information is merely offered on the basis that it is not a substitute for legal advice and we cannot accept any kind of liability incurred in reliance on their content.

Of course, for any in-depth analysis or specific legal assistance in this sector, Aliant’s experts are available to advise and share their global expertise in the field of digital payments.

Is there any particular protection in favour of E-payments services users (retail customers)?

EUROPEAN UNION (EU)*

Consumer protection is at the heart of EU laws on e-payment services and PSD2 expressly aims to better protect consumers against fraud, abuse, and payment problems and strengthen consumer rights.

Consumers are the main beneficiaries of transparency of conditions and information requirements which we examined in the previous questions 4 and 5 and of Rights and obligations in relation to the provision and of the detailed rules for the execution of payment services at each stage, provided for by Title IV of PSD2 (Art. 61-103), which could be extended to microenterprises by single Member States and to non-consumer parties upon their choice.

As for the rule on execution of e-payments, PSD2 specifies when and how consent to payment transactions must be given or revoked, the methods and terms in which a PSP must perform an e-payment as well as the liability in cases of non-execution, inaccurate or late execution of payment transactions and unauthorized payments.

If the e-payment service provides for the granting of credit to consumers (as, for example, in the case of revolving credit cards), the rules set by the Consumer Credit Directive (Directive 2008/48/EC or “CCD”) also apply.

* In order to create a single payment area where European citizens and businesses have easy access to safe cross-border payments with the same charges and the same rules the EU adopted in 2007 the first payment services directive (the so-called PSD1) applicable inside the European Economic Area to all payments executed in other way that cash, electronic payments included, establishing the rights and obligations related to this kind of services as well as the set of information that operators must give to users, and introducing a new figure of financial intermediary (payment institutions) allowed to provide payment services in competition with banks.

A new directive on payment services has been adopted in 2015 and became applicable starting from 2018 (the so-called PSD2) with the aim to improve the first set of rules and include new digital payment services, such as mobile and internet payment services, preserving consumers from frauds and abuses.

FRANCE

Electronic payment services are subject to French consumer law like any other service.

As such, pre-contractual information must be provided by the company with regard to consumers, in particular on the essential characteristics of the service, its price or the identity of the company.

The company must also inform the consumer of his right of withdrawal. This right must be exercised within fourteen days of the conclusion of the contract. If the consumer does not have the possibility to exercise this right, for example if the provision of the service is fully performed before the end of the period, he must also be informed.

Finally, a special feature for payment service providers, they must make available on their website a brochure prepared by the European Union on the list of consumer rights when they make payments in Europe.

ITALY

In compliance with PSD2, rules to protect the transparency of, in general, banking services and, specially, payment services laid down by the Consolidated Law on Banking – TUB and the Supervisory Provisions of the Bank of Italy are mandatory for consumers.

PSPs must publish on their website and make available to consumers user-friendly electronic leaflet on consumer rights in the e-payment sector issued by the European Commission based on Directive (EU) 2015/2366.

Furthermore, if consumer must open a payment account with the PSP for the execution of an e-payment service, all the documents intended for the consumer (advertisements, information, contracts, and communications) must adopt the standardized terminology approved by UE Commission and specific information papers are to be provided to Users.

Finally, for e-payment services that provide for the possibility of granting credit to consumers, such as for revolving payment cards, PSPs must also comply with the specific Italian rules of consumer credit regarding information and specific documents to be provided by PSPs to Users, the minimum mandatory content of the contracts and contractual communications.

The NETHERLANDS

The Dutch regime is divided into a scheme for

• consumers and
• payment service users who are not consumers.

All provisions of Title 7B, Book 7 of the Dutch Civil Code and the regulations of the BGfo Wft apply in full to consumers and as a rule it is not possible to deviate from them.

Under art. 7:550, first paragraph and 7:551 first paragraph of the Dutch Civil Code, it is stipulated in this regard that the provisions of Title 7B and the regulations of the BGfo Wft cannot be deviated from to the detriment of the payment service user, unless stipulated otherwise.

In many cases the regulations are therefore mandatory in nature, although in a number of cases there are rules of regulatory law.

FINLAND

According to the Finnish Act on Payment Services, the User of payment services is allowed to terminate the general agreement immediately if not agreed otherwise, and the payment service provider has to give at least a 2-month term of notice before termination of the general agreement.

Additionally, under the Act, discriminatory requirements cannot be imposed for the use of the service, and the provider is not allowed to give misinformation to the User concerning the service. Relevant information has to be disclosed to the customer, such as service price, contract terms and customer rights before closing of the contract.

CYPRUS

Consumer protection is at the heart of EU laws on e-payment services and PSD2 expressly aims to better protect consumers against fraud, abuse, and payment problems and strengthen consumer rights.

Consumers are the main beneficiaries of transparency of conditions and information requirements which we examined in the previous questions 4 and 5 and of Rights and obligations in relation to the provision and of the detailed rules for the execution of payment services at each stage, provided for by Title IV of PSD2 (Art. 61-103), which could be extended to microenterprises by single Member States and to non-consumer parties upon their choice.

As for the rule on execution of e-payments, PSD2 specifies when and how consent to payment transactions must be given or revoked, the methods and terms in which a PSP must perform an e-payment as well as the liability in cases of non-execution, inaccurate or late execution of payment transactions and unauthorized payments.

If the e-payment service provides for the granting of credit to consumers (as, for example, in the case of revolving credit cards), the rules set by the Consumer Credit Directive (Directive 2008/48/EC or “CCD”) also apply, which is transposed into Cyprus Law via the Consumer Credit Law 106(I) of 2010 (as amended).

UNITED KINGDOM (UK)

Consumers are protected through a process known as ‘safeguarding.’ To safeguard properly, a PSP must either keep the consumer’s money separate from its own money, or protect it with an insurance policy or similar guarantee. This means that, if the PSP goes out of business, the consumer should get most of his money back. The type and level of protection depends on the type of service used by the consumer. Some small PSPs are exempt from safeguarding provisions.

Money held with PSPs are not protected by the Financial Services Compensation Scheme which applys to UK-authorised banks, building societies or credit unions and provides a level of protection up to £85,000 per depositor.

Surcharging is the practice of merchants/retailers charging a fee for using a particular payment instrument, e.g., a debit card, credit card, or e-money account such as PayPal. In the UK for most retail payments, merchants are prohibited from charging a fee in addition to the advertised price of a transaction on the basis of a consumer’s choice of payment instrument: the Consumer Rights (Payment Surcharges) Regulations 2012.

For other retail payments and most payments between businesses made with commercial payment instruments, merchants are prohibited from charging customers more than the direct cost borne by them for use of the relevant means of payment.

ISRAEL

The Payment Services Law states that the client must have access to the contract including any changes that are made. (Paragraph 4)

A client has the right to end the contract at any time. (Paragraph 6)

A client must be informed of any money transfers as well as any transfer orders received. (Paragraphs 12-13)

The e-payment services provider shall take no commission and shall not be able to refuse a payment transfer for unreasnble reasons. If he does refuse he must notify the client in a reasonable time (Paragraphs 14-15)

E-payment consumers are also beneficiaries of provisions related to information requirements and transparency of conditions which we examined in the previous questions 4 and 5.

UNITED STATES OF AMERICA (USA)

There are significant consumer protections built into both federal laws and regulations, as well as various state laws and regulations and these protections are enforced by several various federal and state agencies.

CHINA

Normally, the Law on Protection of Consumer Rights and Interests of People’s Republic of China (PRC) will govern the protection of rights and interest of customers of e-payment.

Meanwhile, customers of e-payment are also protected in certain aspects by the Law for E-commerce of PRC, the Law for Cyber Security of PRC, the Law for Data Security of PRC, the Law for Protection of Personal Data of PRC , the Civil Code of PRC, as well as the Criminal Law of PRC.

For example, the Law for Protection of Personal Data of PRC may protect personal data of customers of e-payment, and the Law for Cyber Security of PRC may provide a safe cyber world for customs of e-payment.

When a crime is committed in the activities of e-payment, it will be governed by the Criminal Law of PRC.

 

 

 

What controls are adopted in your country to prevent E-payments services crimes as well as to provide any users’ protections?

EUROPEAN UNION (EU)*

The European Commission carries out risk assessments in order to identify and respond to risks affecting the EU internal market. It promotes the adoption of global solutions to respond to these threats at international level. The European Union adopted robust legislation to fight against money laundering and terrorist financing which contributes to those international efforts.

It is essential that gatekeepers (banks and other obliged entities) apply measures to prevent money laundering and terrorist financing. Traceability of financial information has an important deterrent effect. The European Union adopted the first anti-money laundering Directive in 1990 in order to prevent the misuse of the financial system for the purpose of money laundering. It provides that obliged entities shall apply customer due diligence requirements when entering into a business relationship (i.e. identify and verify the identity of clients, monitor transactions and report suspicious transactions). This legislation has been constantly revised in order to mitigate risks relating to money laundering and terrorist financing.

On 24 July 2019, the European Commission adopted a Communication entitled “Towards better implementation of the EU’s anti-money laundering and countering the financing of terrorism framework” accompanied by four reports.

On 7 May 2020, the European Commission adopted an action plan for a comprehensive Union policy on preventing money laundering and terrorism financing built on six pillars. To gather the views of citizens and stakeholder on these measures, the Commission launched a public consultation in parallel to the adoption of this action plan.

On 16 September 2020, the European Commission adopted a report assessing whether Member States have duly identified and made subject to the obligations of Directive (EU) 2015/849 all trusts and similar legal arrangements governed under their laws. Directive (EU) 2015/849 (the 5th anti-money laundering Directive) indeed extended to trusts and similar legal arrangements the transparency rules and obligations applicable to legal entities, requiring Member States to identify and notify trusts or trust-like arrangements governed under their legal framework.

FRANCE

The Prudential Control and Resolution Authority (ACPR) and the French intelligence service responsible for combating tax fraud, money laundering and terrorist financing (known as Tracfin) work together to combat money laundering and terrorist financing.

Electronic payment service providers are subject to a system adopted for this fight, a system based on two complementary components

• obligations of vigilance with regard to customers and business relationships, making it possible to detect atypical sums and transactions according to the risk classification of the payment service provider, the customer and the profile of the business relationship (in particular by carrying out all the necessary diligence to identify the customer and the beneficiary, by inquiring into the origin and destination of the funds, etc.)
• the obligations to report and inform Tracfin of sums or transactions related to their activity.

Payment service providers are also subject to an annual assessment of the risks to which they are exposed. This assessment is carried out by the ACPR in cooperation with Tracfin in two stages:

• the first step consists of assessing the inherent risk to which each organization is exposed;
• the second step consists in assessing the AML/CFT risk management system of each organization

The result is an overall assessment of the risk profile for each financial institution, which is used to determine supervisory measures.

With regard to security risks, payment service providers are required to notify the ACPR and the Banque de France/Bank Of France of major operational and security incidents related to the payment services they provide.

Finally, to prevent online fraud, since May 15, 2021, PSD2 requires strong authentication for payments over 30 euros in the following three cases:

• when the payer accesses his online payment account
• when initiating an electronic payment transaction
• when they carry out an action using a remote communication method.

This obligation is fully applicable in France to all online payments.

ITALY

Italy has strict laws on the control of currency deposits in banks. The mandatory guidelines of the Central Bank of Italy (Banca d’Italia, a member of the European Central Bank) require the reporting of all suspicious cash transactions and other activities, such as a third-party payment on an international transaction, on a case-by-case basis.

Law 197/31 defined money laundering as a criminal offense when it relates to a separate, intentional felony offense. Italy has strict laws on the control of currency deposits in banks. Banks must identify their customers and record and report to Italy’s Financial Intelligence Unit (FIU), Italian Exchange Office (UIC), any cash transaction that exceeds approximately $15,000. The Bank of Italy’s mandatory guidelines require the reporting of all suspicious cash transactions and other activity, such as a third-party payment on an international transaction, on a case-by-case basis. Italian law prohibits the use of cash or negotiable bearer instruments for transferring money in amounts in excess of $15,000, except through authorized intermediaries or brokers.

Banks and other financial institutions are required to maintain records necessary to reconstruct significant transactions for ten years, including information about the point of origin of funds transfers and related messages sent to or from Italy. Banks operating in Italy must remit account data to a central archive controlled by the Bank of Italy. This archive was established for recordkeeping and financial oversight purposes, but has proven useful for tracking money laundering. A “banker negligence” law makes individual bankers responsible if their institutions launder money. The law protects bankers and others with respect to their cooperation with law enforcement.

Italy’s Operating Instructions for Identifying Suspicious Transactions requires financial intermediaries to provide their employees with AML training. Reports on training must be submitted annually to the intermediary’s Board of Directors.

The NETHERLANDS

There are four supervisory bodies in the Netherlands for the supervision of the rules concerning e-payments and thus for making sure no crime inherent to e-payment are committed.

• De Nederlandsche Bank (DNB) is a prudential supervisor. It grants licenses to banks, payment institutions and electronic money institutions. In addition, DNB monitors, among other things, the financial position of banks, payment institutions and electronic money institutions, secure access to payment accounts, risk management and authentication (the way in which you identify yourself to the bank and give permission for access to the account).
• The Authority for Consumers and Markets (ACM) monitors access to payment systems, payment account services and the fees for the use of payment instruments.
• The Netherlands Authority for the Financial Markets (AFM) supervises the provision of information by payment service providers. The AFM monitors how payment service providers treat their customers.
• The Dutch Data Protection Authority (AP) supervises the processing of personal data.

The supervisors have made mutual agreements and cooperate as much as possible. The    agreements between the AFM and DNB and the AP and DNB are laid down in cooperation covenants and protocols

FINLAND

There is a Financial Intelligence Unit within the National Bureau of Investigation which duties include detecting and preventing money laundering and terrorist financing.

Payment service providers have an obligation to identify customers and verify their identity, and to monitor and obtain information on customers’ transactions. Strong identification must be used when electronic payments are made. Beneficial owners shall be identified as well, and their identity verified if necessary.

Records shall be kept of customer due diligence data in a secure manner for a period of five years following the end of regular customer relationships. Additionally, providers have an obligation to report suspicious transactions to the Financial Intelligence Unit.

A transaction is allowed to be suspended for further inquiries if it is suspicious, or if it is suspected that the transferred assets are used for terrorist financing.

Detected fraud has to be also reported to the Financial Supervisory Authority and affected Users of the payment service.

Banks have the duty to reimburse unauthorised payment transactions to the customer, if the customer has acted in due care and reported the unauthorised payment

CYPRUS

In Cyprus, Law13(I)/2021 entered into force in February 2021, which harmonises the Cyprus law with Directive (EU) 2015/849, the fifth AML EU Directive.

Under the AML Law, as an obliged entity EMIs and PIs needs to apply adequate and appropriate policies, controls and procedures, which are proportionate to its nature and size, so as to mitigate and manage the risks of money laundering and terrorist financing effectively, in relation to the following:

• customer identification and customer due diligence;
• record-keeping;
• internal reporting and reporting to the Autorities;
• internal control, risk assessment and risk management in order to prevent money laundering and terrorist financing;
• detailed examination of each transaction which by its nature may be considered to be particularly vulnerable to be associated with money laundering offences or terrorist financing and in particular complex or unusually large transactions and all other unusual patterns of transactions which have no apparent economic or visible lawful purpose;
• informing its employees in relation to: (i) the systems and procedures in accordance with paragraphs (a) to (e) above (ii) the Directives issued by the competent Supervisory Authority (iii) the European Union’s Directives on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing and (iv) the relevant requirements for personal data protection;
• ongoing training of their employees in the recognition and handling of transactions and activities which may be related to money laundering or terrorist financing;
• risk assessment practices;
• compliance management;
• recruitment and assessment of employees’ integrity.

Other forms of cyberattacks faced by e-payment service organisations include, among others, Phishing, Distributed Denial of Service (DDoS), exploits of vulnerability and spam as the main attack vectors.

UNITED KINGDOM (UK)

The Financial Conduct Authority (FCA) expect all PSPs and e-money issuers to establish and maintain systems and controls to comply with their legal obligations relating to financial crime under the Payment Services Regulations 2017 (PSR 2017), and the Electronic Money Regulations 2011 (EMR 2011) and (where it is the supervisory authority) under the legislation referred to above. These systems and controls include appropriate and risk-sensitive policies and procedures to deter and detect financial crime and an organisational structure where responsibility to prevent financial crime is clearly allocated. Under the MLRs, PSPs and e-money issuers are required to demonstrate that they establish and maintain policies, controls and procedures to mitigate and manage effectively the risks of money laundering and terrorist financing. Appropriate policies and procedures are proportionate to the nature, scale and complexity of the PSP’s activities and enable it to identify, assess, monitor and effectively manage financial crime risk to which it is exposed.

In identifying its financial crime risk, a PSP or e-money issuer should consider a range

of factors, including (where they are relevant):

• its customer, product and activity profiles;
• its distribution channels;
• the type, complexity and volume of permitted transactions;
• its processes and systems; and
• its operating environment.

A PSP or e-money issuer must carry out risk assessment and to mitigate the risk of their products being used for money laundering or terrorist financing purposes. PSPs and e-money issuers that provide payment or e-money services to merchants should consider whether any special risk mitigation measures are necessary for these customers.

Other forms of cyberattacks faced by e-payment service organisations include, among others, Phishing, Distributed Denial of Service (DDoS), exploits of vulnerability and spam as the main attack vectors.

ISRAEL

The only penalty that relates specifically to crimes committed in this context is legislated under Paragraph 40 of the Payment Services Law.

The paragraph states that stealing data related to e-payments may be punishable by imprisonment with a sentence between 3-5 years.

There are additional penalty options under other criminal offences as mentioned above in question 10.

UNITED STATES OF AMERICA (USA)

The same controls that would be apply to traditional banking transactions, like AML and KYC rules, prohibition on transacting business with organized crime, or a country or an organization subject to an embargo.

CHINA

According to the Measures and the Detailed Rules for the Measures, there are controls (measures) to prevent crimes inherent to e-payment services, such as measure for anti-money laundering.

Such “anti-money laundering measures” include measures to prevent financial crimes such as money laundering, terrorist financing and other financial crimes such as internal anti-money laundering control, customer identity identification, suspicious transaction report, customer identity information and transaction record keeping. The acceptance materials for anti-money laundering measures refer to reports containing the following contents:

• The document of anti-money laundering internal control system, including the framework of anti-money laundering compliance management, measures for customer identification and data preservation, measures for suspicious transaction reporting, measures for transaction record preservation, measures for anti-money laundering audit and training, internal procedures for assisting anti-money laundering investigation, and measures for anti-money laundering work confidentiality;
• Position setting and duty description of anti-money laundering, including internal organization responsible for anti-money laundering, senior anti-money laundering management personnel and full-time anti-money laundering personnel, as well as their contact information;
• Description of technical conditions for carrying out suspicious transaction monitoring.

Besides these specific measures, measures that for upgrading threshold for being a payment institution are also adopted. An applicant for a Payment Business License must meet the following conditions:

• A limited liability company or a joint venture limited company established in accordance with the relevant laws of PRC and a non-financial institution as a legal person;
• A minimum amount of registered capital in conformity with the provisions of these Measures;
• There are investors who conform to the provisions of these Measures;
• At least five senior managerial personnel familiar with payment business;
• Anti-money laundering measures that meet the requirements;
• Facilities for payment business that meet the requirements;
• A sound organizational structure, internal control system and risk management measures;
• Business premises and safety guarantee measures that meet the applicable requirements;
• The applicant and its senior management personnel having never been subject to punishment for using payment business to carry out illegal or criminal activities or for handling payment business for illegal or criminal activities in the recent three years.
• The main investors of an applicant must meet the following conditions:
• Be a lawfully established limited liability company or a joint venture limited company;
• As of the application date, provide information processing support services for financial institutions for more than two consecutive years, or provide information processing support services for e-commerce activities for more than two consecutive years;
• Have made profits continuously for more than 2 years as of the application date;
• In the last three years, has not been punished for carrying out illegal or criminal activities or handling payment business for illegal or criminal activities.

The term “main investor” includes the investor who has the actual control of the applicant and the investor who holds more than 10% of the equity of the applicant.

According to these controls, a limited company must apply for approval for license scope for its business scope. Then, as a non-financial institution, the limited company shall obtain a Payment Business Permit under these Measures, and become a payment institution, so it may be able to provide payment services. All the Payment institutions shall be subject to the supervision and administration of the People’s Bank of China (PBC).  Meanwhile, the company, as a payment institution shall also record their website for operating with Ministry of Public Security of PRC, and Ministry of Industry and Information Technology of PRC.

These become a loop to control and manage e-payment services. Namely, e-payment is under strict management, supervision, and control right from the beginning.

Please follow these series for the final Part V where we will discuss privacy protection for E-payment services’ customers, credit grant by E-payment service providers as well as dispute settlement relating to e-payment services.

If you would like to read the entire Global Guide on E-Payments, you can download it here .

Follow us on LinkedIn.