Card Payment Sweden (CPS) June newsletter

EU updates

European Commission reflects on ‘enabling’ measures to foster the full roll-out of instant payments On 10 June 2021, the European Commission organised a webinar on “exploring the potential of instant payments for EU consumers and businesses”

<https://ec.europa.eu/info/events/finance-210610-instant-payments_en> .

The event focused on the opportunities and challenges of instant payments and confirmed the Commission’s objective of fostering the full take-up of instant payments in the EU. This webinar followed a targeted consultation on instant payments and will feed into the forthcoming decision on whether new legislation is needed in this field.

<https://ec.europa.eu/info/consultations/finance-2021-instant-payments-targeted_en> 

and a public consultation

<https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12931-Instant-payments> 

CPS supports the uptake of instant payments as part of the mix of solutions at consumers’ disposal. It is a payment method that will answer demands for immediate transactions between bank accounts, at anytime and anywhere. But for users to be able to make an informed choice, it is necessary that they have access to all the relevant information about the different solutions and their features.

Currently instant payments lack in additional services offered by other technologies. Credit cards, for example, not only offer an access to a dedicated and specific credit line, increasing the freedom of consumer choice, but also have extensive security procedures, and grant additional protection upon non-delivery of products or services or when products are damaged during delivery. In addition, the processing of instant payments makes it challenging to detect fraud whereas high-standard fraud prevention and monitoring are some of the key features for card payments. For these reasons, cards are often preferred by consumers in mid- to high value payment transactions and for online purchases.

CPS therefore calls on the EU’s executive to promote greater choices for consumers without any bias for a specific technology solution, be it instant payment, card-based payments, electronic bank transfers or others. Consumer choice should be the basis of developing new payment methods and policies, as preferences may differ across Member States and according to payment needs.

European Payments Initiative (EPI) faces competition from other market initiatives The longstanding dominance of Visa and Mastercard led to EU concerns that critical payment infrastructure could lie in foreign hands – but the Commission is keen not to be seen as playing favourites as it pursues its “open strategic autonomy”.

The EU’s executive has clearly expressed its support of the European Payments Initiative (EPI), launched by 31 European banks/credit institutions and 2 third-​party acquirers to rival US-led card networks.

But EU officials also “follow with great interest other industry-led initiatives” that seek to facilitate interoperability and competition between multiple retail payment solutions.

Initiatives by Fintech companies as well as banks “are welcome from our perspective, and are exactly what we intended when proposing EU open-banking laws”, Marcel Haag, a Director at the Commission’s department for financial stability and capital markets, told the European Payment Conference on 17 June.

Fintech companies have made no formal announcement of their plans to launch the European Retail Payments Framework (ERPF), but at an online event on 10 June, Ralf Ohlhausen, Chairman of the European TPP Association (ETPPA) said the payment initiation services, enabled by PSD2, have “a great potential to become the prime solution for point of sale”, allowing swift payments in stores and online.

Commission to mandate the use of instant-payment protocols, as well as implementing existing PSD2 rules fully, Ohlhausen added.s fully, Ohlhausen added. 

Likewise, the European Card Payment Association (ECPA) is looking into the possibility of interconnecting card processing in Europe and providing an alternative to international card schemes. The European card payment interconnection (ECPI) initiative would connect national card schemes using existing card infrastructures for authorisation (using ISO standards) and the SCT Inst infrastructure for clearing and settlement, ensuring cross-border reachability and European independence for all internal market transactions.

ECB set to move into exploration phase of digital euro The European Central Bank (ECB)  will in mid-July confirm that it is moving into the next phase of developing a digital euro, as announced by ECB President Christine Lagarde on 10 June.

“The Governing Council will approve to go ahead into an exploration phase that will include multiple aspects, from technology to privacy to inclusion and everything in between”, President Lagarde told reporters following the ECB’s decision to keep rates unchanged and continue to conduct net asset purchases under the pandemic emergency purchase programme (PEPP).

Meanwhile, ECB board member Fabio Panetta, who is overseeing the development of the digital currency, said such a currency would both protect the privacy of consumers and protect Europe’s monetary sovereignty from competing cryptocurrencies or digital currencies created by governments.

Privacy will be better protected if the central bank is involved in digital payments, “because we are not like private companies. We have no commercial interest in storing, managing or monetizing the data of users”, Panetta told the Financial Times on 20 June.

<https://www.ecb.europa.eu/press/inter/date/2021/html/ecb.in210620~c8acf4bc2b.en.html> 

Also on the privacy front, the ECB has tested “offline payments for small amounts, in which no data is recorded outside the wallets of payer and payee”, Panetta added, suggesting the cap on such payments could be €70 or €100.

CPS welcomes the on-going discussion on the digital euro, but calls on the ECB to involve all interested stakeholders in its evaluation of different design options. Several use cases of a digital currency are being tested by the industry in the current infrastructure. These developments should be considered and evaluated by the ECB when analysing the design options of a digital euro.

A digital euro – reportedly a digital alternative to cash payments –  should also ensure a high degree of user-friendliness and should be integrated into existing banking and payment solutions, in accordance with the expectations of European citizens and businesses. Any decision on a digital euro should be taken through an inclusive and transparent decision-making process.

<https://www.ecb.europa.eu/paym/digital_euro/html/pubcon.en.html>  

Commission proposes a framework for a European Digital Identity available to all EU citizens The European Commission on 3 June published its proposal for a Regulation amending the eIDAS Regulation, to establish a framework for a European Digital Identity.

<https://digital-strategy.ec.europa.eu/en/library/trusted-and-secure-european-e-id-regulation> 

The cornerstone of the proposal is the so-called “European Digital Identity Wallets” – personal digital wallets that will allow citizens to digitally identify themselves, store and manage identity data and official documents in electronic format. Its concrete uses foresee proving someone’s age, filling tax declarations and opening bank accounts, among others.

The European Digital Identity Wallets will be built on the basis of trusted digital identities provided by Member States. Unlike under the current eIDAS Regulation, Member States will have an obligation to provide their citizens and businesses with a digital identification system and ensure that they are mutually recognised across the EU.

Presenting the initiative, EU Commissioners Margrethe Vestager and Thierry Breton also stressed that it would place citizens in the “driving seat” when it comes to control over their personal data. In other words, users will choose which aspects of their identity, data and certificates they share with third parties, and keep track of such sharing.

The Commission proposal emphasised the interactions of the Digital Identity Wallets with online platforms. As explained by Commissioner Vestager, it will be mandatory for ‘very large online platforms’ (as defined under the DSA) to accept the use of European Digital Identity Wallets upon users’ voluntary request for the purpose of identifying themselves when accessing online services.

In parallel to the proposal, the Commission also published a Recommendation on a Common Union Toolbox for cooperation with the Member States towards a European Digital Identity Framework.

<https://digital-strategy.ec.europa.eu/en/library/trusted-and-secure-european-e-id-recommendation> 

BIS launches Innovation Hub Nordic Centre in Stockholm On 16 June, The Bank for International Settlements (BIS), in collaboration with the Riksbank and the central banks in Denmark, Iceland and Norway, launched its fifth center for innovation in Stockholm – the BIS Innovation Hub Nordic Center.

<https://www.riksbank.se/sv/om-riksbanken/bis-innovation-hub-nordic-centre/>  

The launch is part of a plan to expand the Innovation Hub’s global reach and the Nordic Centre will help advance the work on six priority themes: suptech and regtech; next generation financial market infrastructures; central bank digital currencies; open finance; cyber security; and green finance.

 “The Nordic countries’ vibrant and innovative fintech environment will serve as a catalyst for key experimentation to help central banks meet the challenges of the digital future”, said the Head of the BIS Innovation Hub, Benoît Cœuré following the establishment of the new centre.

  <https://www.riksbank.se/sv/om-riksbanken/bis-innovation-hub-nordic-centre/>

EBA publishes report on PSPs readiness to apply SCA for e-commerce card-based payment transactions The European Banking Authority (EBA) on 11 June published a report on data provided by payment service providers (PSPs) on their readiness to apply strong customer authentication (SCA) for e-commerce card-based payment transactions.

<https://www.eba.europa.eu/sites/default/documents/files/document_library/Publications/Reports/2021/1014781/Report%20on%20the%20data%20provided%20by%20PSPs%20on%20their%20readiness%20to%20apply%20SCA.pdf> 

Despite PSPs in some jurisdictions lagging behind in enabling SCA, overall the data reveals significant progress over the past 9 months in complying with the requirements. For instance:

• 99% of EU merchants are able to support SCA
• 94% of all payment cards in the EU are SCA-enabled
• 82% of all payment service users (PSUs) are enrolled into an SCA solution
• 92% of e-commerce card-based authentication requests reported by acquirers are compliant with the SCA requirements
• 87% of initiated e-commerce card-based payment transactions reported by issuers are compliant with the SCA requirements

The PSPs involved also reported a significant reduction in fraudulent e-commerce card-based payment transactions over the same period.

With regards to the percentage of SCA‐enabled payment cards and PSUs by Member State, Sweden leads the pack with 100% of cards reported to be SCA‐enabled and 100% of PSUs being SCA‐enrolled.

EBA publishes final revised Guidelines on major incident reporting under PSD2 The European Banking Authority (EBA) on 10 June published its final revised Guidelines on major incident reporting under the second Payment Service Directive (PSD2). These will apply as of 1 January 2022.

<https://www.eba.europa.eu/sites/default/documents/files/document_library/Publications/Guidelines/2021/Guidelines%20on%20major%20incident%20reporting%20under%20PSD2%20EBA-GL-2021-03/1014562/Final%20revised%20Guidelines%20on%20major%20incident%20reporting%20under%20PSD2.pdf> . 

The revised guidelines are estimated to reduce the reporting burden for payment service providers by optimising and simplifying the reporting process and templates, focusing on incidents with significant impact on payment service providers (PSPs), and improving the meaningfulness of the information to be reported.

In particular, the Guidelines introduce a new criterion on the breach of security of network or information systems, which was narrowed down in scope from ‘breach of security measures’, as originally proposed. This new criterion focuses on malicious actions that have compromised network or information systems related to the provision of payment services and it would allow the reporting of additional security incidents that would be of interest to supervisors.

EBA also allowed more time for the submission of the final report. PSPs should deliver the final report to the competent authority in a maximum of 20 working days after business is deemed back to normal.

The Paris-based institution further noted the ongoing negotiations on the Commission proposal for a digital operational resilience act (DORA), which contains a proposal to harmonise and streamline the reporting of information and communication technologies (ICT)‐related incidents across financial sector.

Depending on the outcome of these negotiations, EBA guidelines may eventually be repealed when the DORA regulation applies, which is currently estimated to be in 2024 or later.

Payment card networks set to escape EU cybersecurity rules under Council position EU governments agreed to temporarily exclude payment card networks from the scope of the digital operational resilience act (DORA).

The compromise comes after Denmark, France, Spain, Sweden, Romania and Estonia demanded that Visa and Mastercard face the same cyber standards as the rest of the payments market – especially in light of their size.

Their calls created legal confusion, as the EU has not established financial supervision over two payment networks, even though the European Central Bank does oversee their activities <https://www.ecb.europa.eu/paym/pol/activ/systems/html/index.en.html> .

To bridge the gap, the Council compromise calls on the Commission to consider including the two credit card giants into the PSD2, which will be reviewed in 2022.

“The potential systemic cyber risk associated with the operation of payment systems should be duly addressed at Union level through harmonised digital resilience rules”, the text says.

“To that effect, the Commission should swiftly consider the need for enlarging the scope of this Regulation while aligning such review with the outcome of the comprehensive revision envisaged for the Payment Services Directive”, it adds.

 <https://img.rule.io/1893/6065701f1d268>

Michael Hoffmann, CEO Card Payment Sweden