A number of businesses are looking to enter the mobile payments market with services that they can offer across the EU. This could, for example, involve offering customers in different countries the ability to open an account through their mobile phone. In this article, we consider how European legislation makes this easier, by setting similar standards across the EU, and at the legal challenges that remain. In particular, we look at examples in the UK, France and Germany of how legal requirements can differ, and how to approach the difficulties that this can create.
What sort of mobile payments?
Examples of mobile payments could include contactless payments, online purchases through the browser function, and personal (P2P) transfers using an app. Each option requires a source of funds, and this can be provided in a number of ways.
· An account could be created specifically for mobile payments, in which case it may well be a prepaid account, such as Barclaycard’s Quick Tap mobile contactless payments service in the UK or Amex Serve in the USA.
· Alternatively, a mobile payments service could draw on an existing credit or debit card, as with the Google Wallet, or link a customer’s phone number to their bank account as with Buyster in France or Mpass in Germany.
· Other structures are possible, for example, the payments could be charged to the mobile operator’s phone bill, or even made under a ‘money remittance’ service allowing for one-off payments to merchants or P2P.
How are the payments regulated?
The applicable financial services regime depends on the type of payment account or service that is offered, and each regime largely derives from EU Directives. We won’t get into the detail of the Directives here, but it is worth noting the key ones:
· Payment Services Directive, Money Laundering Directive, E-Commerce Directive, Unfair Terms in Consumer Contracts Directive and Unfair Commercial Practices Directive, which may apply to many if not all of the services described above
· Consumer Credit Directive, which can apply to credit cards and other credit products
· E-Money Directive, which will apply to many prepaid products
· Banking Consolidation Directive, which governs banks offering debit cards/current accounts.
These Directives typically require the following from a business providing an account or other payment service.
· The business needs to be authorised (ie licensed) and supervised by a financial services regulator. Being authorised also means having to meet various requirements on how the business is run and on the adequacy of its resources. This is often called being subject to ‘prudential supervision’.
· The business must comply with numerous rules around how it does business with customers and delivers its payments service, often called ‘conduct of business’ rules. Examples of areas the conduct of business rules regulate are:
(i) requirements on providing customers with information when offering a service and transactional information thereafter;
(ii) restrictions on the terms in customer agreements, and on the levels of charges; and
(iii) rules around how obligations and liabilities are allocated between the business and its customers.
· Anti-money laundering requirements, meanwhile, straddle the prudential supervision and conduct of business regimes. They include having to carry out due diligence on customers (including identity checks), monitor their transactions, and report suspicion of money laundering to the authorities.
How do the Directives apply across the EU?
The ‘passporting’ provisions of the Directives help businesses wishing to offer cross-border services in the EU. They mean that a business licensed in one EU country can normally use its ‘home’ authorisation to do business in other EU States, without having to get additional licences in any ‘host’ countries. Passporting would allow, for example, an e-money institution authorised by the Financial Services Authority in the UK to provide prepaid accounts to its French customers, without needing a separate French licence.
Another advantage is that the Directives set the benchmark for conduct of business rules across the EU, allowing businesses to assume that, in each EU country, the same or similar rules will govern how they design, sell and provide their mobile payments service. The problem, however, is that some material differences can still arise between the laws of different countries, as we discuss below.
Another complication when a business passports its licence into another country is that, while it can usually be confident of being subject only to home State prudential supervision, it may be less clear whether the conduct of business rules of the home or host State apply. For example, someone selling German accounts to UK mobile customers will know that German anti-money laundering requirements apply, assuming the accounts are offered from an establishment in Germany, but may be uncertain as to whether equivalent requirements in the UK also apply.
Nonetheless, it is in many cases clear that UK rules will apply only where a service is provided from an ‘establishment’ in the UK, which could be where accounts are opened at a bank branch or mobile phone retail outlet in the UK. Where a UK establishment is not used, many UK requirements are excluded: that could, for example, be the case where a customer can open a prepaid account directly through their phone or online. By contrast, France takes the view that French rules should typically apply even where a service is provided in France without the use of a French establishment.
How can laws differ?
There are a number of reasons why laws in EU countries can differ, even where EU Directives apply.
Firstly, a Directive needs to be implemented into national law in each EU State. That means a national legislator has to interpret how the Directive should be reflected in national laws, and different legislators may interpret the same provisions differently. Even if the provisions of a Directive are implemented with identical wording in two countries, it is possible for the regulators and courts in each country to have a different interpretation of what they mean. To ease this problem, the European Commission and EU States have initiatives aimed at ensuring consistent interpretation of, for example, the Payment Services Directive.
Secondly, the Directives often have ‘opt outs’, offering countries a choice as to whether or not to impose a particular requirement. As the following examples show, this can lead to discrepancies within the EU.
· The Money Laundering Directive allows countries to exempt providers of certain prepaid products from having to carry out due diligence on their customers, and EU countries have typically allowed that exemption to apply. In Germany, however, new legislation means that the exemption no longer applies if someone distributes regulated prepaid products paid for in cash, or where cash withdrawals are possible, on behalf of e-money institutions (banks issuing prepaid products will also lose the exemption on the same basis from 2012). That will be a very significant obstacle to some e-money institutions, who (unlike banks) may not be geared up to do customer due diligence, and so may choose to exit the German market; potential new entrants, meanwhile, may be deterred from entering the market in the first place. This would also make it much more difficult to offer German customers the ability to open prepaid accounts directly through their phones unless the provider avoids using distribution agents in Germany, or makes sure that those agents don’t accept cash as payment for prepaid balances and that customers cannot make cash withdrawals.
· The E-Money Directive allows countries to waive various requirements of the Directive for ‘small e-money institutions’, but they can make this waiver conditional on the institutions applying a ‘purse limit’ (ie a maximum storage amount) on their prepaid accounts. The UK has decided not to impose a purse limit, but draft legislation in France suggests that such a limit may be required.
Thirdly, national legislators can sometimes impose domestic laws that go beyond the requirements of a Directive (through ‘gold-plating’ or otherwise). There are limits, however, on how far they can go. Where a Directive is ‘maximum harmonisation’, as is the case for the Payment Services and Consumer Credit Directives, domestic laws cannot add to the requirements in an area that has already been regulated by the Directive. As can be imagined, however, there are grey areas where it is unclear whether or not something has already been covered by the Directive. In any case, some of the relevant Directives are ‘minimum harmonisation’, which means that there is little to restrict additional domestic laws, so long as they do not conflict with the Directive. This type of variation in national legislation is illustrated by the following examples.
· The Payment Services Directive allows, in many situations, for customers to be made liable for up to €150 of unauthorised transactions, whereas the UK has adopted a lower threshold of £50.
· In the UK, consumer credit laws implementing the Consumer Credit Directive are extended to certain mortgages and business lending, even though they fall outside the scope of the Directive. Additionally, the UK’s Office of Fair Trading has used powers under its consumer credit licensing regime to impose guidance (that lenders can only ignore at their peril) which arguably goes beyond the requirements of the Directive in areas that are subject to ‘maximum harmonisation’.
· In France (and many other countries), customer contracts have to be translated into the local language – a sensible requirement (after all, not everyone speaks English), but not one that comes from the Directives.
Fourthly, national legislators can sometimes fail to implement Directives on time, or can even implement them incorrectly. Reportedly around a third of countries failed to implement the new E-Money Directive on time, at the end of April this year. In France, for example, agents distributing prepaid products will continue to need to be licensed as banks (unless an exemption applies) until at least the end of this year, even though this goes against the Directive.
How does one approach the differences?
The first step for a business wanting to offer payment services from one country to customers in other EU countries is to ask where exactly the payment services will be provided. Would it be in the service provider’s home country, or in each country where customers are resident or from where they access the service?
Where an account or service is offered through a mobile phone (particularly if browser-based), there can be ways of structuring it so that it is supplied in the provider’s home country. This avoids having to ‘passport’ the service, and reduces the extent to which foreign legal requirements apply.
Where such a structure is not possible, the business would need to passport the account or service into its customers’ jurisdictions, and get fuller local law advice in those jurisdictions to make sure it offers a compliant service. The key question becomes: which home country should the business set itself up in and passport from?
· Passporting will probably be easier to achieve if the home country has a reputation for strong regulation and a highly regarded regulator. That way, the business may find itself less subject to scrutiny from other regulators and, if its service meets robust regulatory standards at home, it will in many cases meet or surpass the requirements abroad, making it easier to maintain a relatively uniform product and processes across the EU.
· Conversely, a business could opt for a home country with a lighter touch approach to regulation and implementation of EU legislation. This could mean a lower level of prudential supervision at home, but with more needing to be done to meet higher conduct of business standards abroad.
· Those are the requirements from the perspective of financial services regulation. There will of course be a number of other considerations when choosing a home country, such as the attractiveness of its tax regime, the availability of local staff with the requisite expertise, and other costs of doing business in that country.
Finally, an alternative is to outsource regulatory compliance by offering a ‘white label’ product. For example, a mobile network operator could look to a bank or e-money institution that already does business across the EU (and so is used to the different regulatory environments) to provide a mobile payments account to the mobile operator’s customers and under its brand, without the operator having to comply with local financial services requirements directly.
The article authors, all of Hogan Lovells International LLP, are Ben Regnard-Weinrabe (Partner, London), Mark Taylor (Partner, London), Thomas Robinson (Associate, London), Bénédicte Denis (Partner, Paris), Sebastien Gros (Senior Associate, Paris) and Richard Reimer (Counsel, Frankfurt).