EU Regulatory Developments in Payments Reform of the E-Money Directive and Data Protection Directive


1 BEIJING BRUSSELS CHICAGO DALLAS FRANKFURT GENEVA HONG KONG LONDON LOS ANGELES NEW YORK PALO ALTO SAN FRANCISCO SHANGHAI SINGAPORE SYDNEY TOKYO WASHINGTON, D.C.
EU Regulatory Developments in Payments: Reform of the E-Money Directive and Data Protection Directive
William Long, 17 November 2010

2 EU's E-Money Market
- Number of e-money accounts in Europe has grown from 15 million in 2005 to 125 million by end of 2009
- Total value of outstanding e-money in Europe has risen from 400 million in 2005 to 1.7 billion by end of 2009
- UK is centre of e-money issuers with 96 non-bank e-money issuers and 16 bank and building society issuers
- Non-bank issuers in the UK sold an estimated 1 billion in 2009
- UK Government believes e-money market has significant growth potential and wishes to encourage new entrants and innovation

3 EMD and EMD2
- September 2000: the E-Money Directive ("EMD") was adopted and required to be implemented by 27 April 2002
- July 2006: European Commission review found e-money market hindered by EMD
- October 2008: proposals for a new EMD2 were published
- September 2009: EMD2 adopted by European Parliament
- October 2010: HM Treasury and FSA published two consultation papers which will close on 30 November
- April 2011: EMD2 to be implemented in the UK
- EMD2 intended to harmonise with Payment Services Directive
- EMD2 is a maximum harmonising Directive although Member States have discretion in some areas

4 EMD2 Main Changes
- New definition of e-money
  - Electronically (including magnetically) stored monetary value as represented by a claim on the issuer on receipt of funds for the purpose of making payment transactions and accepted by a natural or legal person other than the issuer
  - Technology neutral, compared with the definition under EMD
- Capital Requirements on Electronic Money Institutions ("ELMIs")
  - Initial capital will be reduced from 1 million to 350,000
  - Initial and ongoing capital must be at least 2% of average outstanding balance of e-money
  - There are additional capital requirements for payment services using methods set out in PSD
- New Safeguarding requirements
  - ELMIs are required to safeguard funds in prescribed manner by placing them in a segregated account or holding an insurance policy or bank guarantee
  - ELMIs will have 5 business days before funds that have not yet cleared must be safeguarded
  - Customers will rank above other creditors in access to safeguarded funds if issuer becomes insolvent

5 EMD2 Main Changes
- Business Activities
  - ELMIs will be able to carry on unrelated payment services and other unregulated business
  - ELMIs can also grant credit where same conditions that apply to payment institutions under the PSD apply
  - ELMI may distribute or redeem e-money through a distributor or agent but cannot issue e-money through a distributor or agent acting on its behalf
  - ELMI may provide payment services in the UK through an agent only if the agent is registered
- Storage Limits
  - 150 maximum storage limit for small e-money institutions to be removed
  - EMD2 amends Third Money Laundering Directive so full due diligence not required where following thresholds are not exceeded:
    - for a non-reloadable device the maximum amount that can be stored is 250
    - for a reloadable device a limit of 2,500 is imposed on the total amount transacted in a calendar year and no more than 1,000 is redeemed in a calendar year
  - Member States may increase exemption for carrying out due diligence from 250 to 500 for national payment transactions.

6 EMD2 Exclusions
- Limited network exemption
  - E-money used only within a limited network of service providers or for a limited range of goods or services is exempt from the rules for e-money, including authorisation requirements for issuers
  - No definition of limited network. Geographically, it may cover the whole of Europe, e.g. a single retailer store card. Quantitatively, a limited network of retailers could be numerous, e.g. covering a franchise
  - UK proposal is to allow self-regulation of the limited network sector and Government is considering effectiveness of self-regulatory solutions
- Mobile operators
  - Transactions executed by means of any telecommunication device are exempt, if goods or services purchased are delivered to and are to be used through a telecommunication device, provided the operator does not act only as an intermediary between user and supplier
  - UK consultation: prepaid airtime stored on a mobile device is e-money if the customer can purchase goods/services from third party merchants

7 EMD2 Redemption
- New redemption requirements
  - Redemption at any time (even after termination of contract)
  - Redemption may be subject to a fee that is proportionate and commensurate with costs but only if stated in contract and only where:
    - redemption is requested before a contract ends
    - the customer terminates the contract before the end-date
    - redemption is requested more than one year after the contract ends
- If customer does not reclaim funds after termination of contract, issuer has to safeguard such dormant accounts and such funds will count towards the calculation of capital requirements
- Proposed solutions include:
  - issuer imposes a charge (e.g. an account maintenance charge) to absorb dormant funds
  - set a prescription period (e.g. 6 years) after which customer's right is extinguished

8 Data Protection Regulatory Framework
- EU Data Protection Directive (95/46/EC) (implemented in UK by Data Protection Act 1998)
- ePrivacy Directive (2002/58/EC) with new ePrivacy Directive to be implemented in June 2011
- Payment Card Industry Data Security Standards (PCI DSS)
- Consultation of the European Commission on a legal framework for personal data adopted 1 December 2009
- EU Data Protection Directive to be reformed, likely to include a principle of accountability, i.e. data controllers accountable for ensuring actual compliance with substantive data protection requirements

9 Reform of the EU Data Protection Directive
- Concerns about inconsistent implementation of the Data Protection Directive
- Technology such as cloud computing and social networking raises new challenges for regulation of data protection and use should be made of privacy by design and privacy enhancing technologies
- New regulatory model based on concepts of accountability and mutual recognition based on financial services model
- Transparency requires that affected individuals be notified when a privacy breach occurs
- Data controllers should provide for complaints procedures which are effective and affordable

10 Data Security Breaches
- Catalogue of recent security breaches involving customer data
  - US data breach potentially exposed 46 million credit card accounts
  - mobile operator lost device with 17 million German customer records
  - hackers stole more than 130 million credit and debit card numbers from US acquirer
- Recent UK FSA fines have been significant
  - 2007: UK Building Society fined 980,000 for lapses in security where laptop stolen
  - 2008: UK Life Insurance Group fined over 1.2 million for loss by fraudsters
  - 2009: UK Insurance Group fined over 3.2 million for security breach

11 Developments in Data Security
- New rules on reporting data security breaches in the form of amendments to 2002 Directive on Privacy and Electronic Communications (e-privacy Directive) must be implemented by June 2011
- For now applies only to providers of publicly available electronic communications services
- Definition of "personal data breach"
- Key elements:
  - Duty to notify the relevant national regulator "without undue delay"
  - Duty to notify affected individual if breach is "likely to adversely affect" that individual's privacy, except where provider can demonstrate it applied "appropriate technological protection measures" which render data unintelligible to unauthorised users
- March 2008: ICO published breach disclosure guidance

12 Comments/Questions