Since the stroke of midnight on 31 January 2020, United Kingdom 'is out', to use the same wording we have seen appearing in London's squares, to mark the country's exit from the European Union. Beyond an all too lively and often vague narration of
the economic consequences that such a step, now taken, could have on the old continent (and not only), in this article we want to analyze a possible impact of "Brexit" on the sole digital payments market.
Before going into any kind of discussion, however, it should be remembered that the ratification of the agreement, the process of which was concluded on 30 January 2020, has ensured an orderly exit of the UK from the EU, avoiding the discontinuity in bilateral
relations that was so feared. Until 31 December 2020 (unless extended) there will be a
transitional period during which the European Union and the United Kingdom will negotiate an understanding on future bilateral relations.
In Italy, for example, transitional measures to ensure the business continuity of intermediaries and markets in the event of withdrawal from the UK without agreement were provided for in Decree-Law No 22 of 25 March 2019. In August 2019 the Bank of Italy
signed a Memorandum of Understanding with the UK supervisory authorities: Bank of England/Prudential Regulatory Authority (PRA) and Financial Conduct Authority (FCA).
This MoU will be operational as soon as EU law no longer applies to the United Kingdom, once the transitional period has ended.
Having said that, we will observe in this article some aspects that, apart from the bilateral agreements to be agreed, we think may be relevant, taking into account in particular some regulatory provisions provided in the
PSD2, in the Regulation on Interchange Fee of card payments (so-called "IFR") and in
Regulation (EU) No 910/2014, (so-called "eIDAS").
The evaluations that we will bring to the reader's attention, therefore, are part of the development scenarios that, at the outcome of the negotiations conducted during the transition period, could emerge and for which it would be desirable, in addition
to avoiding a no deal hypothesis (such as to propose a post-transition period Hard Brexit), the least possible indeterminacy.
Differences between EU, EEA and SEPA
Before going into the analysis, it is appropriate to clarify some aspects concerning the Member States of the European Union, the countries of the European Free Trade Association (EFTA) members of the European Economic Area (EEA) and the SEPA countries.
The Member States that are currently part of the European Union (from which the United Kingdom is now excluded) are 27, of which only 19 have adopted the euro as their currency.
The European Economic Area (EEA) was established in 1994 with the aim of extending the provisions applied by the European Union to its internal market to include the countries of the European Free Trade Association (EFTA). EU internal market legislation
becomes part of EEA countries' legislation once they agree to transpose it. Implementation and practical application are therefore subject to the control of appropriate EFTA bodies and a Joint Parliamentary Committee.
In addition to the 27 Member States of the European Union, the following countries are part of the EEA: Norway, Iceland, Liechtenstein. While Switzerland (or rather, the Swiss Confederation) is equated with the European Union, it has opted to conclude bilateral
agreements with the EU.
SEPA covers all payments in euro made within the 27 Member States of the European Union with the addition of Iceland, Norway, Liechtenstein, Switzerland, Monaco, San Marino and the British Crown Dependencies. EU countries may use SEPA payment instruments
for transactions in euro. Non-EU countries are each responsible for adjusting both technically and legally so that SEPA payment instruments can be used under the same conditions as in EU Member States.
The United Kingdom, like Iceland, Liechtenstein, Norway, Switzerland, Monaco and San Marino, will be responsible for adjusting both technically and legally so that SEPA payment instruments can be used under the same conditions as in the EU Member States.
The possible impact on the new PSD2 forecasts
In this case it is good to focus on two new aspects (compared to PSD1) introduced by PSD2 and very relevant:
- Extension of the scope of application to "one leg" transactions;
- New cross-border operating regime for EU payment institutions and e-money.
Regarding the first point, the new directive on payment services extends the positive scope to include:
- Rules on transparency and correct information, as well as certain rules concerning the rights and obligations of the parties in relation to the use of payment services, which also apply to “one leg” transactions, i.e. when only one of the two payment service
providers is located in the European Union;
- Rules of transparency and correct information applied to payment transactions made in any currency.
Clarified the novelties introduced by the PSD2, we now see the possible impact depended on Brexit over:
- The management of payment services based on access-to-accounts (Payment Inititiation, Account Information, Funds Checking);
- Management of card payments (including those arranged via Digital Wallet).
Next, we will go into detail from the second point of the previous list, i.e. we will analyse the impact of Brexit on UK intermediaries (banks, payment institutions, e-money institutions) who will (continue to) provide payment services in the EU.
How post-Brexit payment transactions will be handled
In a post-Brexit scenario, it is worth asking how payment transactions involving payment services providers located in the UK can be handled.
Let's take a few examples:
- Payment Initiation initiated by a PISP payment (or electronic money) institution located in the European Union to an UK ASPSP (e.g. a bank);
- Account Information transaction initiated by an AISP payment (or electronic money) institution located in the European Union to an UK ASPSP (e.g. a bank);
- Payment Initiation initiated by an UK PISP payment (or electronic money) institution to an ASPSP (e.g. a bank) located in the European Union;
- Account Information transaction initiated by an UK AISP payment (or electronic money) institution to an ASPSP (e.g. a bank) located in the European Union;
- A transaction carried out by means of a Decoupled Debit Card issued by an UK issuer (CISP) which requires access to accounts held with an ASPSP (e.g. a bank) located in the European Union in order to perform a funds-checking transaction;
- Transaction carried out by means of a Decoupled Debit Card issued by an issuer (CISP) located in the European Union which requires access to accounts held with an UK ASPSP (e.g. a bank) in order to perform a funds-checking transaction;
- Payment (in pounds sterling or euros) with a credit card issued by a UK issuer accepted by a merchant (including online) who has a contract with an acquirer located in the European Union;
- Payment by a credit card issued by an issuer located in the European Union accepted by a merchant (including online) who has a contract with an UK acquirer;
- Payment with an UK digital wallet, accepted at a merchant who has contracted with an acquirer located in the European Union;
- Payment by digital wallet issued and managed by a payment service provider located in the European Union, accepted at a merchant who has contracted with an UK acquirer.
For the examples described in points 7, 8, 9, 10, it is important to note the impact of EU Regulation 2015/751 (the so-called 'IFR' Interchange Fee Regulation) on the economics underlying interregional card payment transactions; we will discuss this later
in this article.
In all examples given, the applicability, or non-applicability, of EBA's technical standards on
Strong Customer Authentication (so-called "SCA") and on the security of communication channels for access to accounts, as set out in
EU Delegated Regulation 2018/389, should also be noted. In particular, it is interesting to note the obligation to apply the SCA for remote card payments, for which there is an extension due on 31 January 2020 (... too many extensions of the same deadlines!).
The possible impact on existing UK-based EU institutions operating with passport licences in EU states
Let us now look at the post-Brexit scenarios which, to some extent, will impact on institutions who are licensed in the UK to provide payment services and who also do business in the EU, thanks to their passport licences.
The current PSD2 provides that a payment or electronic money institution that has applied for and obtained authorisation from its home Community country may operate as a "Community payment institution" (or "Community electronic money institution") in other
countries of the European Union:
- through the opening of branches;
- via Agents (or "contracted entities" as far as only electronic money institutions wishing to distribute and redeem electronic money are concerned);
- in pursuant to the freedom to provide services or the freedom of establishment.
The cross-border operation of EU institutions is guaranteed by the so-called "passporting rules" defined in the current Payment Services Directive. It follows that all payment and e-money institutions that had applied for and obtained a licence in
the United Kingdom, thus avoiding the possibility of permanently losing their cross-border licence, will still have to review the agreements, terms and conditions of use relating to the provision of the services offered in the territory of the Union.
As of the date of publication of this article (7 February 2020), the total number of payment and e-money institutions in the United Kingdom, authorised by the FCA (Financial Conduct Authority, i.e. the competent authority in the UK), registered
in the EBA public register is represented by the following evidence:
- 177 electronic money institutions (about 48% of the total);
- 387 payment institutions (about 38% of the total);
- 70 TPP AISP payment institutions providing only the Account Information service (about 68% of the total);
- 54 TPP PISP payment or electronic money institutions providing the Payment Initiation service (approximately 39%).
Each of these entities can (or could, or perhaps will still be able to ...) potentially operate in the territory of the European Union operating across borders, thanks to a passport licence.
Cross-border operation envisaged for Community payment institutions and electronic money
In relation to the new regime for cross-border operations for payment and e-money institutions under PSD2, it should be noted that in the case of "Community" institutions, i.e. those entities operating in a Member State other than their home Member State
where they have applied for and obtained authorisation, there is provision for the use of precautionary measures, the content of which cannot in any way be compared with that expressed in PSD1.
Of importance is the introduction of the so-called "host Member State control" in addition to the so-called
"home Member State control" - already provided for in the previous Directive - in respect of which the host Member State may require Community institutions to appoint a central contact point in their territory in order to facilitate the competent authorities'
supervision of networks of agents and, in urgent cases, where immediate action is necessary to address a serious threat to the collective interests of payment service users in the host Member State - e.g. large-scale fraud - the Competent Authorities of the
host Member State may take precautionary measures, in the context of cross-border cooperation between the Competent Authorities of the host and home Member States and pending the adoption of measures by the Competent Authorities of the home Member State.
That said, it should be possible to better understand the impact of post-Brexit PSD2 on FCA-approved institutions (including TPPs) in the UK, given the underlying complexities.
The identification of UK TTPs under the European eIDAS Regulation
To be honest, there is an additional critical element that, with regard to those entities providing payment services based on access-to-accounts (Payment Initiation, Account Information and Funds Checking), whether they are TPPs or banks, must be considered
in a post-Brexit perspective (i.e. at the end of the transition period): identification under the eIDAS Regulation.
PSD2 and EU Delegated Regulation 2018/389 require each of these entities to use qualified certificates for electronic seal or website authentication, as provided for in Regulation (EU) No 910/2014 (eIDAS):
- The first guarantees the confidentiality, integrity and authenticity of the data transmitted via the certified communication channel;
- The second shall ensure that the data come from the sender who affixed the seal and that they have not been altered since it was affixed.
In all access-to-accounts transactions, i.e. when any TTP accesses any ASPSP,
regardless of the type of interface adopted, the ASPSP is called to verify the presence of the above mentioned certificates, thus being able to identify who is accessing.
Well, it is quite clear that, even in such a circumstance, one must question the validity of the eIDAS certificates issued by Identity Providers who may reside in the United Kingdom, after the transition period.
The possible impact on Interchange Fee for card payments
In the list of possible impacts that we are evaluating in this article, we now look in more detail at the impact on the economics behind card payments. As well in this case, before going into the examination of possible changes following Brexit on this market,
it is appropriate summarize some provisions of Regulation (EU) 2015/751 (so-called "IFR - Interchange Fee Regulation").
Let’s start by remembering what the rules refer to. The Community text lays down uniform technical and commercial requirements for card-based payment transactions executed in the European Union where
both the payer's payment service provider (i.e. the issuer who issued the card with which the acquiring consumer makes the payment)
and the payee's payment service provider (i.e. the acquirer who agreed with the merchant to accept the cards)
are located in the Union.
“Card-based payment transactions" means any card-based transaction (i.e. based on the infrastructure and business rules of a payment card scheme), whether carried out in the presence of the cardholder (as is the traditional case of a transaction carried
out at a physical business, via EFT terminals) or in absentia, for example in an e-Commerce or m-Commerce context, regardless of the support or adoption technology. In this sense,
payments that are made by Digital Wallet also fall within the scope of application, provided that the result is a payment transaction via the enrolled card. The regulations also apply to payments made with contactless cards and all Mobile Payment transactions
involving the use of a card (Mobile Proximity Payment and Mobile Remote Payment).
The new regulation sets an upper limit to the Interchange Fee (the fee that the acquirer must pay back to the issuer for handling the transaction) of 0.3% for each credit card transaction and 0.2% on debit card transactions.
The Regulation, as mentioned above, applies only when both the issuer who issued the card and the acquirer who has agreed to the merchant are located in the Union; it follows that, for cross-border payment transactions the Regulation reduces costs
for European retailers, i.e. those that fall within the perimeter of the European Union, thereby including the wider perimeter defined by the EEA, as well as for domestic payment transactions, thus ensuring a level playing field for the whole card payment
market (new level-playing field).
Having said that, it is important to stress that the cap set by the Regulation
do not apply to inter-regional transactions, i.e. all those transactions for which the fees paid by the acquirer (the inter-regional MIFs) relate to transactions carried out in the European Union with payment cards issued in other parts of the
world (non-EU and non-EEA).
In light of the above, the dynamics of the card based transaction economics depends, in substance, on the value of the Interchange Fee, and at the end of the transition period, there is a risk that different scenarios could arise according to the applicability
(or non-applicability) of the cap above mentioned to transactions that could be considered, to all intents and purposes, interregional.
As we have had the opportunity to analyse in this brief article, the picture that appears in the aftermath of the agreement of 30 January 2020 on the exit of the United Kingdom from the European Union is far from clear. From February the 1st to 31 December
2020 there will be a transition period during which the best arrangements will have to be made, just to avoid what would otherwise be a Hard Brexit deferred for a few months.
The European digital payments market has always seen the UK as a reference point and the actions carried out over the last fifteen years in this former Member state (think of the impetus given to Open Banking and Open API-based solutions with the first UK
projects in 2013, or the first instant credit transfer projects launched in the second half of the first decade of the millennium), have appeared enlightening for the entire digital payments industry, especially innovative ones.
The first entrepreneurial initiatives in the wake of the PSD1 have, since 2009, seen a proliferation of payment institutions set up in Great Britain and authorised by the FCA, which have also operated (and still operate) in the territories of the European
Union. Not only bigtech, but also many startups have chosen the UK to start their business, taking advantage of a RegTech approach that is particularly open to experimentation (think of the FCA's Regulatory sandbox and TechSprints initiatives).
The combination of these considerations inevitably leads one to meditate on the consequences that Brexit will have (and, to a large extent, has already had) on the digital payments market in the old continent. The hope - since going back, by now, is no longer
possible - is that the negotiations can be "enlightened" by that same light, a sign (and also track) of a path of innovation started at the
time, mitigating the effects as much as possible, because (let me tell you) although it may seem anachronistic, this time it’s really the case that we are working on a detachment from the European Union ... as European as possible.
This article was also published in Italian on PagamentiDigitali: http://bit.ly/2vfxa8k
 Converted into
law, with amendments (Law no. 41 of 20 May 2019, published in the Official Gazette of 24 May 2019).
 Payment Initiation
Service Provider, i.e. a person authorised (and supervised) to operate the payment order placement service.
 The same example
is also valid for a bank located in the EU that provides Payment Initiation services.
 ASPSP stands
for Account Servicing Payment Service Provider and indicates the person who has a rooted account relationship with their customer. This account, where accessible online, must be accessible - in accordance with the provisions of the PSD2 - by the so-called
"TTP". (Third Party Provider) for the execution of Payment Initiation, Account Information and Funds Checking transactions. TTP can be: PISP, AISP.
 Account Information
Service Provider, i.e. an entity authorized (and supervised) to operate the account information service.
 The same example
is equally valid for a bank located in the EU that provides Account Information services.
 The same example
is also valid for an UK bank providing Payment Initiation services.
 The same example
is also valid for an UK bank providing Account Information services.
 These are debit
cards issued by issuers that do not have an account relationship with the customer to whom they offer this payment instrument.
 CISP (Card-based
Payment Instrument Issuer Service Provider) are defined as those issuers who can issue Decoupled Debit Cards and who, in order to manage the payment transaction initiated with such cards, need access to the accounts held with the ASPSP (e.g. a bank) of the
customer to whom they offer the product, through the account availability verification transactions (so-called "Funds Checking") pervised by the PSD2.
 Register developed,
managed and maintained by the European Banking Authority pursuant to Article 15 of EU Directive 2366/2015 (PSD2).