The Bank for International Settlements issues paper on the regulation of digital payment services and e-money
The Bank for International Settlements (BIS) is an international financial institution which supports central banks worldwide in their pursuit of monetary and financial stability, through international cooperation. To realize its mission, the BIS provides a platform for responsible innovation and knowledge-sharing and conducts in-depth analyses on core financial stability policy issues. One of these policy issues is the regulation of digital payment services and e-money.
In early July 2021, the BIS issued a paper on the regulatory requirements for digital payment and e-money services offered by non-bank service providers (“non-banks”). The paper was informed by responses to a survey administered in early 2021 by the Committee on Payments and Market Infrastructures (CMPI) to 75 jurisdictions, which was subsequently supplemented by a desktop review of public documents issued by selected authorities. Of the 75 jurisdictions surveyed, 23 were from advanced economies and 52 were from developing economies.
The paper addresses the proliferation of non-banks in retail payments and the questions that are related to their regulation. It focuses on non-banks offering consumer-facing services (e-money and payments), rather than on those involved in “back-end” processes such as clearing, settling and processing payments. It divides the consumer-facing services into two categories: accepting, managing or transferring value, and providing ancillary services. Further, it examines the types of services that belong under each category and the extent to which they are regulated in both advanced economies and developing economies.
Advanced vs. Developing Economies
The study found that, generally, most jurisdictions allow non-banks to offer at least some of the digital payment and e-money services described above. However, it also found that advanced economies tend to regulate non-bank services more lightly, allowing them to provide more services than in developing economies, where non-bank services are more restricted and the regulation more intensive. Interestingly, mandatory partnerships with banks, minimum capital, security deposits and interoperability are regulatory requirements more common in developing economies than they are in advanced economies, where consumer protection rules tend to be more popular than in developing economies.
Most and Least Permitted Services
More traditional payment services, such as e-money accounts and the processing of electronic funds for third parties, were found to be the most common payment services that non-banks are permitted to offer. Next in line were e-wallet and money transfer services and the acquisition of payment transactions. Conversely, less permitted activities appeared to be the newer-type services such as virtual asset services, payment initiation, account information services and activities that are typically associated with banking such as transaction accounts (other than e-money transaction accounts).
In addition, survey results pointed to the issuance of e-money as being subject to the strongest regulation while virtual asset services as subject to the weakest regulation.
Most Common Regulatory Requirements
The authors reported that, of the thirteen types of regulatory requirements applicable to non-banks included in the survey, nine types on average related to e-money issuance, while only four types related to virtual asset services.
The most prevalent requirements across jurisdictions, according to the results, related to anti-money laundering (AML), with most jurisdictions (87%) indicating their AML rules applied to non-banks. Other common requirements included those related to risk management, data protection and, less so, to licensing/registration.
The least common requirements dealt with interoperability. Only one-fifth of responding jurisdictions indicated having specific interoperability rules for non-banks.
Regulatory Requirements and their Application
The paper reported that rules governing areas, such as AML, risk management, cyber security, data protection and consumer protection had a tendency of being applied uniformly across the payment landscape. Whereas rules applicable, for instance, to licensing/registration, minimum capital, funds safeguarding, security and interoperability were generally applied differently, depending on the nature of the payment service.
Anti-Money Laundering (“AML”) and Counter Terrorism Financing (“CTF”)
- The most common requirements across payment services and jurisdictions were related to AML and CTF.
- Some jurisdictions have adopted a tiered regulatory approach based, for instance, on transaction values, while others have exempted transactions altogether based on the risk they present.
- Internal controls and other risk management measures are requirements that tend to apply across jurisdictions. Typically, the obligations include operational resilience and the monitoring and assessment of risks related to outsourcing.
- Most jurisdictions require non-banks to develop cyber-security risk policies that are tailored to their business model, the size of their operations, the types of transactions they process, the risks they present and the types of data they handle.
Data and Consumer Protection
- Most jurisdictions have general laws to protect the data held by a wide range of organizations, including non-banks. These laws typically define “personal data”, cover data transfer consents and the rights of data “subjects”. Some jurisdictions impose these requirements on cross-border transfers of data as well.
- Other jurisdictions have specific laws to protect consumers in their dealings with non-banks and the payment services they offer. The obligations are usually related to fee disclosure, complaints-handling processes and fraud prevention.
- While some jurisdictions have general licensing frameworks that apply to all or several payment services, others vary their requirements based on the type of services provided, size of transactions or geographical areas covered by the services.
- The jurisdictions that allow non-banks to issue e-money normally require them to be licensed or registered.
- Most jurisdictions have initial and ongoing capital requirements for non-banks offering payment services. The initial capital requirements generally consist of a flat fee, while the ongoing capital requirements tend to be adjusted based on business volumes.
- Capital requirements in some jurisdictions depend on where the non-bank is located or on the type of services it provides.
- Ongoing capital requirements are often set at between 2-5% of a non-bank’s e-money float.
Safety and Security
- Almost all jurisdictions where non-banks are permitted to issue e-money, and most of those where non-banks can provide transaction accounts, require funds be safeguarded to protect consumers against an e-money issuer’s failure or its incapacity to repay consumers.
- The interoperability requirement is the least common requirement among the jurisdictions surveyed.
- There is no interoperability requirement in any of the jurisdictions surveyed for virtual asset services. That said some jurisdictions require interoperability, albeit to a very limited extent, for account information and money transfer services.
- As part of their national payment strategies, many jurisdictions are developing plans to achieve interoperability. These initiatives are meant to increase efficiencies and enhance competition in the payments markets.
Emerging Regulatory Responses to Emerging Payment Methods
The paper stresses that new disruptive technologies are likely to create more payment methods in the future. The authors point to the emergence of distributed ledger, blockchain and crypto- assets as examples. They appear unconvinced, however, that technologies such as cryptocurrencies will ever emerge as an efficient payment method because of their numerous shortcomings. That said, they remark that the introduction of stablecoins as a variant of cryptoassets may evolve over time to become “a convenient means of payment for e-commerce (particularly when integrated into online platforms) and peer-to-peer and micro-payments” with the potential of becoming systemically important, if globally adopted.
Some jurisdictions such as the US and UK have already started to adapt their regulatory frameworks for the advent of stablecoin. The paper goes on to mention that jurisdictions where stablecoin exists and resembles a product or service that is already regulated, will likely treat it under existing frameworks.
Regulation of Digital Payment Services and E-Money in Canada
The federal government introduced legislation, which received Royal Assent on June 29, 2021, to regulate retail payment providers in Canada. The much-anticipated An Act Respecting Retail Payment Activities (short name: Retail Payment Activities Act (“RPAA”)) mandates the Bank of Canada to oversee payment service providers, which include entities that perform electronic payment functions, such as payment processors, digital wallets, currency transfer services and other payment technology companies. The Bank of Canada will supervise the operational risks posed by the service providers and their ability to safeguard end-user funds. Please refer to our recent legal update for more information.
The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) will continue to regulate money services businesses in relation to AML and CTF matters, as well as continue to oversee their AML compliance programs.