IPSO Response to the European Commission Green Paper. Towards an integrated European market for. card, internet and mobile payments

Transcription

1 IPSO Response to the European Commission Green Paper Towards an integrated European market for card, internet and mobile payments Author: Úna Dillon, Head of Card Services and Communications Irish Payment Services Organisation Ltd. (IPSO) About IPSO The Irish Payment Services Organisation (IPSO) is the representative industry body, the voice and guardian of the payments industry and the strategic interface with all payments stakeholders within the Republic of Ireland. Its fundamental principles are to preserve the integrity and security of the Irish payments systems and to promote and oversee the strategic development of such systems in the interest of the industry and the general public. This document was prepared in conjunction with the card issuers and acquirers operating within the Republic of Ireland, which are members of IPSO Card Services. IPSO Card Services is responsible for examining security and fraud related issues affecting the card payments industry as well as monitoring legal and regulatory changes both at a domestic and European level. In addition, Card Services General Manager represents the Irish retail banks on the European Payments Council (EPC) Cards Working Group and the banking sector on the EPC Card Stakeholder s Group. 1

2 Irish Payments Landscape The payments industry within Ireland is very diverse, offering numerous payment and related products, including: Single high-value automated credits Files of low-value automated credits and debits Cheque payments and paper credit transfers Debit card payments Credit card payments Payment messages via the SWIFT Network, and Cross-border payments IPSO is working closely with its member banks, the Government and other stakeholders to ensure the strategic development of Ireland s payments systems. It has been widely acknowledged that the efficiency of Ireland s payment systems infrastructure could be improved by making more use of secure and efficient electronic payment methods leading to a reduction in cash and paper payment transactions. Irish Payments Summary (2010) Payment Method Number of Transactions (millions) Value of transactions ( billions) Electronic Credits Electronic Debits Credit Card Payments Debit Card Payments ATM Withdrawals Lodgements giro and other paper Cheques and other paper

3 Irish Card Payments Landscape The use of payment cards (i.e. credit and debit cards) in Ireland has grown considerably in recent years as they are increasingly recognised as a cost efficient and convenient alternative payment method to cash and cheques. The use of payment cards is dependent on consumer confidence in such cards and in particular, in the security measures surrounding their use. In order to facilitate this continued expansion in the use of payment cards and to further improve security measures in connection with their use for the benefit of consumers, card issuers and acquirers, IPSO Card Services explores how security issues such as payment card fraud can best be addressed within the card payments industry for the benefit of all stakeholders. It also examines the impact on the card payments industry of legal and regulatory changes and looks at opportunities for the development of card payments in Ireland. Trends in Number of Payment Cards in the Irish market (millions) 3

4 Trends in Volume of Irish Card Payments Trends in Value of Irish Card Payment

5 IPSO general comments on the EC Green Paper IPSO welcomes the opportunity to provide comments on the European Commission s Green Paper Towards an integrated European market for card, internet and mobile payment. We fully support the goals of the paper including in particular: - The necessity for consumer choice - The need for innovation in payments - The need for customer safety and security, and - The need for competition in the market Consumer Choice While banks and payment providers have a future view of payments and payment types, none of us can predict what consumers will want to use, nor can we force consumers to use one payment method or tool over another. We believe that there should be better communication between payment providers, regulators and consumers, with a relevant portal for that communication. All market players should have a relevant channel to help them to understand the needs of consumers better and to meet those needs, through providing better choices while ensuring security and safety of the consumer. Innovation The speed to market of innovation has increased dramatically in the past ten years, especially in the area of internet, mobile and contactless card payments. We believe that the industry should promote the benefits of innovation in payments to both consumers and retailers. 5

6 Regulation and standards should neither impede innovation nor prevent the market in investing in new payment methods and tools. The market should be encouraged by regulators to increase acceptance of new payment tools while considering consumers needs, through communication with consumers. IPSO believes that consumers should be encouraged by the payments industry to use the new technologies available to them while ensuring their trust in the systems and new payment tools. We believe that the costs for using current and future payment tools should be transparent to both retailers and consumers and that they should have the choice to adopt new technologies. Customer Safety & Security IPSO believes that the industry needs to provide choice for our customers while ensuring security of the products and avoiding customer confusion. We believe that certain areas of security and fraud prevention should be reviewed on a regular basis by the industry, to keep up with the fast changing fraud trends in the payments market. Future threats should be considered in more detail by the regulator on an on-going basis. Security is key to consumer trust and the industry needs to ensure that customer trust is upheld today and in the future, as the payments market changes and new methods of payments become available to our customers. The industry should encourage not only the secure use of the payment tools they provide, but the additional tools used by consumers such as PCs, smart phones, etc. There is an onus 6

7 on the industry to fully inform consumers on the risks and dangers of payment fraud and more importantly on the solutions and preventative methods available to them, both through the payments industry as well as through use of technology such as anti-virus and anti-malware software, etc. We believe that this is an area that needs constant review, ensuring the on-going integrity of the payments market. There are many moving parts within the payments industry and the provider of each part needs to ensure that their area is secure. IPSO believes that the industry security standards need to be sufficient, to avoid any reputational risks. Competition IPSO believes that a level playing field is needed for the payments market. While national competition authorities regulate the payments industry, such regulation should be consistent across the board such that all stakeholders can operate in a fair and competitive market. The EPC SEPA Cards Framework is important for the future of card payments and should be adhered to by all banks involved in card payments. Adherence should lead to greater competition (having a set of standards in place means that new entrants to the market can slot in easily to any part of the card payments chain). 7

8 SPECIFIC RESPONSES TO THE COMMISSION S QUESTIONS Multilateral Inter-change Fees (MIFs) s (1) Under the same card scheme, MIFs can differ from one country to another, and for cross-border payments. Can this create problems in an integrated market? Do you think that differing terms and conditions in the card markets in different Member States reflect objective structural differences in these markets? Do you think that the application of different fees for domestic and cross-border payments could be based on objective reasons? (2) Is there a need to increase legal clarity on interchange fees? If so, how and through which instrument do you think this could be achieved? (3) If you think that action on interchange fees is necessary, which issues should be covered and in which form? For example, lowering MIF levels, providing fee transparency and facilitating market access? Should three-party schemes be covered? Should a distinction be drawn between consumer and commercial cards? Responses The industry must support competition. The MIF will differ from country to country because the markets vary; the cost of processing all types of payments, of running a business, of selling will be different in each country. While a SEPA-market may integrate from a clearing, settlement and processing perspective it is important to allow for competition within that market. Interchange itself is sometimes confused with the Merchant Service Charge (MSC) or Scheme Transaction Fee (STF). 8

9 Interchange rates are set based on the costs incurred to both issuers and acquirers, paid by the acquirers to the Issuers on a per transaction basis and covering such costs as: The guarantee of payment from the card issuer, given that the retailer is paid by the acquirer in advance of the cardholder being debited; Payment to cover the interest free period, i.e. the time between a cardholder shopping on their card and them paying their credit card bill; Processing of security and fraud prevention measures such as authorisations, managing hot card files, etc.; Projects such as contactless card payments, etc. General processing costs, including the issuance of plastic cards. The Card Schemes manage the interchange fees, while they have no remit over the set-up of MSC fees. These are set by the acquirers and may or may not reflect the interchange value / level for certain payment products; depending on the acquirer. IPSO believes that to support the growth and promotion of card payments in the future, the acquirers should provide transparency on their costs to retailers for processing payments, for the various product types, e.g. credit, debit, prepaid, etc. where possible. There is a regulatory requirement that all relevant Card Schemes publicise their interchange fees and this is done however there is currently no onus on acquirers to justify their MSCs to retailers. For example, in Ireland, members of the local debit card scheme Laser Card have withdrawn from the Scheme in favour of issuing Visa Debit to their cardholders instead, for the most part. Visa has reduced the interchange fees for the debit card product to more or less meet those set by the Laser Scheme. For both Schemes the interchange is a low value flat fee however there is at least one Acquiring processor which is charging its customers (the retailers) an ad valorem charge per transaction for the new debit card sales. This is not helpful for the market, while IPSO and the Central Bank aim to encourage greater use of more efficient payment methods such as payment cards. 9

10 While MSCs are a commercial matter for acquirers, IPSO believes that the fees charged to retailers for card processing should be transparent to the retailers and the costs justified. There is a misconception being borne in Ireland currently that a hike in merchant fees for accepting debit cards is due to the arrival of the new schemes in the market, i.e. Visa Debit and Debit MasterCard, while this is not the case. IPSO proposes that while interchange, either bilateral or multilateral, can be adequately established between relevant market players that the focus of the Commission should be on the costs charged to retailers by their card processors. We believe that a continued scrutiny of the interchange fees charged at local and European level is not helpful for the market, while the actual costs, being charged and that do cause an issue for consumers and retailers are being ignored. With regard to three-party schemes, IPSO believes that a level playing field is needed. While national competition authorities regulate the payments industry, such regulation should be consistent across the board such that all stakeholders can operate in a fair and competitive market. With respect to commercial cards, it is true to say that in terms of the cost of delivery of this service and the negotiations required with large corporations, the economies are different. As such it is justifiable that there may be a pricing differential for commercial card acceptance Cross-border acquiring 10

11 s (4) Are there currently any obstacles to cross-border or central acquiring? If so, what are the reasons? Would substantial benefits arise from facilitating cross-border or central acquiring? (5) How could cross-border acquiring be facilitated? If you think that action is necessary, which form should it take and what aspects should it cover? For instance, is mandatory prior authorisation by the payment card scheme for cross-border acquiring justifiable? Should MIFs be calculated on the basis of the retailer s country (at point of sale)? Or, should a cross-border MIF be applicable to cross-border acquiring? Responses IPSO is not aware of any obstacles to cross-border or central acquiring in Ireland. Cross-border acquiring is currently operational with the existence of the international card scheme brands throughout Ireland for both debit and credit. Irish-based acquirers have the capability to accept cards from other jurisdictions and non-irish acquirers are already establishing themselves in this country, without issue. The evolution of tools such as Smart Phones and ipads means that cross-border activity will grow. The relevant interchange is set by the card schemes but local market conditions are taken into account. No further action is currently required, in our opinion. 11

12 It should be noted that both foreign and domestic acquirers operating within Ireland are required to adhere to the local legislation, rules and regulation regarding card payment processing. On the subject of MIFs, the calculation of MIFs should be a matter for the relevant card schemes and the location of the acquirer (i.e. where the transaction takes place) should be taken into account, given the varying costs in each country for card processing Co-badging s 6) What are the potential benefits and/or drawbacks of co-badging? Are there any potential restrictions to co-badging that are particularly problematic? If you can, please quantify the magnitude of the problem. Should restrictions on co-badging by schemes be addressed and, if so, in which form? 7) When a co-badged payment instrument is used, who should take the decision on prioritisation of the instrument to be used first? How could this be implemented in practice? Responses The benefits of co-badging are numerous including that issuers can offer many options to their customers including ATM facilities, store loyalty options, transport and ticketing options, personal ID, etc. etc. However, there may be a potential for customer confusion, especially where surcharges and restrictions are set by merchants for particular schemes, card types or payment tools. 12

13 Laser Card in Ireland is a prime example, where the card is co-branded with the international scheme Maestro but where a merchant may charge a higher rate for a cardholder using the Maestro function, over use of the Laser function on the card. The important thing here is that the industry provides choice for our customers while ensuring security of payment products / instruments and avoiding customer confusion. It is understandable that a card scheme would wish to restrict the options on a plastic card or other payment instrument on which their brand would sit. The predominant scheme should be permitted to be aware of the other brands and facilities that an issuer is placing on their payment tools such that they do not affect the reputation of that brand. The issuer, of course, should have the last word; within reason. There can be restrictions by some card schemes, but most are justified. They have not been an issue in the Irish market. Such restrictions should be a matter handled entirely between the card scheme and their issuing members. In Ireland co-badging exists on a reducing number of payment cards with the Irish-based Laser Card Scheme co-badged with the international brand Maestro. The same card is also co-branded with Cirrus, Link and Plus to facilitate the consumer s use of ATMs domestically and abroad. The benefits are two-fold, i.e. the cardholder can use their card at home at both ATMs and POS but can also access POS and ATMs internationally. There are no known apparent draw- backs. Where an issue might arise, and a matter that the Commission does not appear to have reviewed, is the co-badging of product types, e.g. where a single payment card might have both credit and debit card facilities. There has been some debate in the market as to who has the option when a card is presented with some parties suggesting that the retailer should have the option. It is IPSO s opinion that the cardholder should have the choice whether it is their credit card function or debit card that is used during a given transaction. 13

14 It should be noted that this is not currently an issue in the Irish payments market, but certainly something to consider for future reference. In relation to mobile devices, while a number of separately identified payment products, i.e. different apps, could reside side by side on the device, the same rules should apply with the co-badging of different payment brands on one individual payment app as to those for payment cards; although this may be more difficult to police. The introduction of another new framework would be confusing to the market. There is absolutely no requirement for another one. The rules for SEPA card processing are already in place today and are transparent and non-discriminatory. An entity laying out terms and fees for access to card processing infrastructures could be seen as being anti-competitive. It would restrict market players and most likely prevent growth and innovation. Adherence to current clearing, settlement and card processing rules and criteria is currently not an issue Separating card schemes and card payment processing s 8) Do you think that bundling scheme and processing entities is problematic, and if so why? What is the magnitude of the problem? 9) Should any action be taken on this? Are you in favour of legal separation (i.e. operational separation, although ownership would remain with the same holding company) or full ownership unbundling? Responses Unbundling of schemes and processes is largely the norm within the SEPA-zone (according to the various card schemes). 14

15 Issues may arise for Schemes that wish to compete with processing entities. The requirement could possibly be seen as anti-competitive possibly? The case in Ireland is that, in practice, while card issuers are in negotiations with card schemes they are being offered processing services, but have the option not to adopt those services and therefore the banks have the choice to accept processing services from the schemes or to use other parties to do so. IPSO believes that legal separation is sufficient in this regard Access to settlement systems s 10) Is non-direct access to clearing and settlement systems problematic for payment institutions and e-money institutions and if so what is the magnitude of the problem? 11) Should a common cards-processing framework laying down the rules for SEPA card processing (i.e. authorisation, clearing and settlement) be set up? Should it lay out terms and fees for access to card processing infrastructures under transparent and nondiscriminatory criteria? Should it tackle the participation of Payment Institutions and E- money Institutions in designated settlement systems? Should the SFD and/or the PSD be amended accordingly? Responses It is true to say that under the PSD the new players to the card payments market can and do become banks in their own right, which avoids the need for a sponsor bank. 15

16 The experience in Ireland is that this is not problematic as new players on the market tend to use sponsor banks for their clearing and settlement. The risks should be considered by the sponsor institution while ensuring that their customer complies with a minimum required set of standards, especially with regard to the security and integrity of the payments. Both parties should ensure that clearing and settlement is carried out such that consumers and retailers are not affected by delays in payment, or similar. IPSO believes that there should be greater controls and a more active role by the regulators with the new players in the payments market, to avoid any undue risks to retailers and consumers, while the new parties might be less familiar with the problems that can arise in the payments system and on handling such risks as fraud, cybercrime attacks; and general customer queries / disputes Compliance with the SEPA Cards Framework (SCF) 12) What is your opinion on the content and market impact (products, prices, terms and conditions) of the SCF? Is the SCF sufficient to drive market integration at EU level? Are there any areas that should be reviewed? Should non-compliant schemes disappear after full SCF implementation, or is there a case for their survival? Response The requirement to comply with the SCF has led to the cessation of some smaller national card schemes. For some countries this has meant that initial processing costs and charges to consumers and retailers have changed (increased for the most part). That said, the SCF is important for the future of card payments and should be adhered to by all banks involved in card payments. Adherence should lead to greater competition (having a set of standards in 16

17 place means that new entrants to the market can slot in easily to any part of the card payments chain). After full implementation, non-compliant schemes should be reprimanded by the relevant authority and their needs addressed, to ensure future compliance. Certainly the areas of security and fraud prevention should be reviewed on a regular basis to keep up with the fast changing fraud trends in the card payments market. Future threats should be considered in more detail Information on the availability of funds 13) Is there a need to give non-banks access to information on the availability of funds in bank accounts, with the agreement of the customer, and if so what limits would need to be placed on such information? Should action by public authorities be considered, and if so, what aspects should it cover and what form should it take? Response IPSO is not entirely clear on the purpose of this question. Is the Commission asking if retailers can have direct access to Cardholder bank account information? Such access to bank account information is a matter for each country while data protection legislation varies in every one and should be taken into consideration. Customers should be aware, when dealing with their card issuer, if third parties are accessing their information. Non-banks currently operating in the card payments arena appear to work without issue while not accessing account information. If this were to change, there needs to be security standards in place to ensure the protection of the customer information and the integrity of the card payments system. 17

18 All retailers have available to them an online authorisation process which when used correctly at POS can verify that customers have sufficient funds in their accounts to cover transactions taking place. There is an obligation on the Card Issuers, through the online authorisation process, to verify this information in real time. It is in the issuers interests to verify that information. On that basis, we are confused somewhat at the Commission s suggestion that the banks may refuse to cooperate. If the Commission is referring to third party PSPs which act on behalf of card issuers and acquirers for various reasons, such as for the processing of internet sales, etc. then there should be strict agreements in place between those PSPs and the banks in question, with an emphasis on the security of customer data. IPSO believes the security of customer data to be of paramount importance Dependence on payment card transactions 14) Given the increasing use of payment cards, do you think that there are companies whose activities depend on their ability to accept payments by card? Please give concrete examples of companies and/or sectors. If so, is there a need to set objective rules addressing the behaviour of payment service providers and payment card schemes vis-à-vis dependent users? Response Most e-commerce merchants now have a number of payment options available to them, in addition to card payments, for example PayPal. Most retailers will choose to accept cards on 18

19 the basis of cardholder preference as well as for the security (payment guarantee) that they provide (e.g. 3D Secure). Regarding rules to address the behaviour of payment service providers, these are already established by the card schemes / banks. Any issues that might arise are addressed on a case by case basis. IPSO believes that there should be greater intervention by the regulator in future as new third parties enter the payments market, which do not act in accordance with payment processing standards. The rules should also be considered to ensure they are not prohibitive, e.g. by inadvertently making cards the standard form of payment, especially if surcharging is imposed by retailers, which is done in many instances Transparent and cost-effective pricing of payment services for consumers, retailers and other businesses Consumer merchant relationship: transparency 15) Should merchants inform consumers about the fees they pay for the use of various payment instruments? Should payment service providers be obliged to inform consumers of the Merchant Service Charge (MSC) charged / the MIF income received from customer transactions? Is this information relevant for consumers and does it influence their payment choices? 19

20 Response IPSO believes that provision of this information from retailers to consumers would be impractical while a full list of economic costs would be needed. The provision of such information should not be the norm, rather it should be an option for a retailer in the event a consumer questions the pricing on, for example, a surcharge or handling fee which may clearly vary depending on the brand of card used or the method of payment. There should be no restrictions on retailers in providing this information, which should be entirely a matter for them. While the merchant should have the option, we believe that it would be difficult for a merchant to clarify the actual cost of an individual payment card transaction to their customer given that the MSC paid by them includes a number of things including the cost of processing a given sale. If a retailer is obliged to provide such information then we believe they should also be required to provide details on the costs of processing and managing other types of transactions such as payments by cash, cheques, drafts, etc. For those retailers which choose to disclose their costs to customers, there should be a requirement for them to provide accurate details, for example in the case of certain airlines, the level of surcharging and high fees described to customers as covering the cost of the consumer using their debit or credit card, should be transparent and true. It is important that there is transparency around merchant surcharges. It is also of the utmost importance, as far as IPSO is concerned, that the decision regarding the payment type should be entirely up to the consumer. Retailers should not be encouraged to steer cardholders towards one payment method over another especially if the forced choice is disadvantageous to the customer. 20

21 A study carried out by Accenture a number of years ago found that the costs for processing cash and cheques through the payments system were in the area of 1% of GDP. These costs included such things as security, processing, handling fees, staff management, bank charges, printing, etc. These costs are generally not taken into account by retailers in their day to day work, while their card payment charges are transparent appearing in print in their monthly statements. IPSO believes strongly that if the Commission feels that retailers should be obliged to provide details to customers on the cost of processing card payments, they should also be required to give an account of their cash and cheque handling costs Consumer merchant relationship: rebates, surcharging and other steering Practices 16) Is there a need to further harmonise rebates, surcharges and other steering practices across the European Union for card, internet and m-payments? If so, in what direction should such harmonisation go? Should, for instance: certain methods (rebates, surcharging, etc.) be encouraged, and if so how? surcharging be generally authorised, provided that it is limited to the real cost of the payment instrument borne by the merchant? merchants be asked to accept one, widely used, cost-effective electronic payment instrument without surcharge? specific rules apply to micro-payments and, if applicable, to alternative digital currencies? 21

22 Response - It is IPSO s opinion that discounts and surcharges offered by retailers should not restrict the use of more efficient payment methods such as card payments and electronic payments, over the use of cash and cheques. Surcharges, especially excessive charges should be justifiable, i.e. they should reflect the cost to the merchant for accepting a given payment method. While the PSD offered the option to most countries to legislate against surcharging, the Irish market chose not to do so. As such, merchants continue to charge excessive fees for card payments over legacy payment types, while under the (incorrect) impression that the legacy ones are cheaper for them, e.g. cash. - IPSO believes that while surcharging is allowed within the legislation in Ireland, the fees actually charged by merchants to their customers for using specific types of payments should be transparent, and should not exceed the cost to the merchant for accepting the payment method in question. - Regarding merchants accepting one, widely used, cost-effective electronic payment instrument without surcharge, it is difficult to see how this could be identified by a single merchant. That is to say that a merchant should be able to accept any payment method that is available to his customer from their bank or financial provider. Payment methods should not be restricted to one single type or tool. This would be restrictive on both retailer and consumer. - Regarding the suggestion to implement rules for micro-payments, we believe that there are sufficient rules in place. The card schemes and acquirers offer incentives through varied pricing arrangements for low value transactions carried out in a contactless environment. The industry aims to promote more activity on contactless 22

23 cards for low value payments, and to encourage the use of these payments as an alternative to using cash Merchant payment service provider relationship 17) Could changes in the card scheme and acquirer rules improve the transparency and facilitate cost-effective pricing of payment services? Would such measures be effective on their own or would they require additional flanking measures? Would such changes require additional checks and balances or new measures in the merchant-consumer relations, so that consumer rights are not affected? Should three party schemes be covered? Should a distinction be drawn between consumer and commercial cards? Are there specific requirements and implications for micropayments? Response The current card scheme and acquirer rules provide sufficient transparency on the pricing of payment services. The various interchange rates are available to retailers in the public domain, on the websites of each card scheme. This enables shops to see the cost to their acquirer for processing transactions under each card type / brand. There is transparency with MSCs where charges to merchants for management services, terminal rental, till roll costs, customer services, authorisations, etc. are made clear as a norm and are broken down on the customer s statement, as issued by their acquirer. 23

24 This knowledge enables competition while merchants can shop around for the best value available to them. We believe that there is no further change required in this regard Standardisation Card payments 18) Do you agree that the use of common standards for card payments would be beneficial? What are the main gaps, if any? Are there other specific aspects of card payments, other than the three mentioned above (A2I, T2A, certification), which would benefit from more standardisation? Response Yes, common standards are a requirement for card payments. They are beneficial for current and potential market participants. There is sufficient work being undertaken by the European Payments Council to develop a minimum set of standards required for all parties in the card payments market. IPSO believes that no further action is required at this time. 19) Are the current governance arrangements sufficient to coordinate, drive and ensure the adoption and implementation of common standards for card payments within a reasonable 24

25 timeframe? Are all stakeholder groups properly represented? Are there specific ways by which conflict resolution could be improved and consensus finding accelerated? Response These requirements are adequately met through the work of the European Payments Council Cards Working Group and Card Stakeholder Group. Full engagement is required by all stakeholders in the POS payment market, to ensure that all relevant bodies input to the work being done to create a minimum set of required standards. IPSO is not aware of a conflict currently that needs to be addressed. It should be noted however that the work in hand to develop the standards should not be force-accelerated as such a move could lead to inefficiencies and missed steps. Card payments are complicated and the production of standards for same cannot and should not be rushed. 20) Should European standardisation bodies, such as the European Committee for Standardisation (Comité Européen de Normalisation, CEN) or the European Telecommunications Standards Institute (ETSI), play a more active role in standardising card payments? In which area do you see the greatest potential for their involvement and what are the potential deliverables? Are there other new or existing bodies that could facilitate standardisation for card payments? 25

26 Response Work being carried out by the EPC Card Stakeholders Group and EPC Cards Working Group has progressed for some time and is due to be finalised soon. It would be detrimental to this process to start afresh with a new entity. This would cause undue delays to market players which are already making changes to processes, systems and rules. There is no requirement for new parties to play a more active role in the already successful process. 21) On e- and m-payments, do you see specific areas in which more standardisation would be crucial to support fundamental principles, such as open innovation, portability of applications and interoperability? If so, which? Response IPSO believes that as long as the providers of e- and m-payments adhere to the security standards and operational rules for payments, there should be no difference in the requirements here than for any other payment gateway. The work being done at EPC on standards for payments includes such methods as e- and m-payments, so IPSO believes that no further standardisation is required here. 22) Should European standardisation bodies, such as CEN or ETSI, play a more active role in standardising e- or m-payments? In which area do you see the greatest potential for their involvement and what are the potential deliverables? 26

27 Response As per response to Interoperability between service providers 23) Is there currently any segment in the payment chain (payer, payee, payee s PSP, processor, scheme, payer s PSP) where interoperability gaps are particularly prominent? How should they be addressed? What level of interoperability would be needed to avoid fragmentation of the market? Can minimum requirements for interoperability, in particular of e-payments, be identified? Response There are no such gaps. All card payment matters are being addressed sufficiently by the EPC Cards Working Group, through the SEPA Cards Framework and The Volume (the Book of Requirements). 24) How could the current stalemate on interoperability for m-payments and the slow progress on e-payments be resolved? Are the current governance arrangements sufficient to coordinate, drive and ensure interoperability within a reasonable timeframe? Are all stakeholder groups properly represented? Are there specific ways by which conflict resolution could be improved and consensus finding accelerated? 27

28 Response IPSO believes that there is a perceived fragmentation of the European market when compared with the Asian or Kenyan markets for example which are more progressive in the rollout of m-payments in particular. IPSO supports payment developments and customer choice. While as an industry we can provide solutions to consumers, we cannot push usage of the new technologies or payment tools Payments security 25) Do you think that physical transactions, including those with EMV-compliant cards and proximity m-payments, are sufficiently secure? If not, what are the security gaps and how could they be addressed? Response Securing these types of payments is a matter for card issuers (to enable their cardholders to protect their data) and merchants (to protect their businesses). The current EMV standard has proven to be sufficient in this regard. Security is critical for new forms of payments such as e- and m-payments. The industry has invested hugely in security and IPSO believes that all new players in the market need to meet the existing standards; with a special emphasis on consumer protection. 28

29 It would be prudent to have a set of industry recommendations and / or standards to ensure the integrity of the card payments systems, especially while ecommerce card fraud continues to persist. The Volume, as developed by the EPC, which outline the required standards should be used for this purpose. There is no evidence to suggest that proximity payments are any less secure than physical card payments currently. 26) Are additional security requirements (e.g. two-factor authentication or the use of secure payment protocols) required for remote payments (with cards, e-payments or m- payments)? If so, what specific approaches/technologies are most effective? Response There are solutions currently available in the market, which are proven, such as the use of 3D Secure, CAPs, etc. These have proven to be successful mitigants to payment fraud. We believe that there are areas for improvement in security for the online and mobile payment infrastructures. Unlike payment cards, there is no 2FA equivalent to, for example, Chip & PIN for online or mobile payments and as such it is only a matter of time before widespread fraud becomes an issue in this area. The industry will continue to evolve and to produce new solutions to new payment fraud trends. There is sufficient policing of the issues currently done by the card schemes and through the work being done by the EPC. 29

30 IPSO believes that the industry security standards need to be sufficient, to avoid any reputational risks. For example, a recent well-known industry project to introduce an e- payment platform has shown to be lacking in adherence to the minimum security standards, while it leaves security measures up to each bank. There are solutions available in the market and it is essential that minimum standards are in place to ensure integrity of the e- payments process. 27) Should payment security be underpinned by a regulatory framework, potentially in connection with other digital authentication initiatives? Which categories of market actors should be subject to such a framework? Response IPSO believes that it makes sense to have e- and m-payment security. A minimum set of standards with which the market can comply would benefit all parties. To date the self-regulation approach by EU banks has proven to be effective. The industry wants standards and as such will comply with those agreed by the relevant EPC working groups and which have been approved by the EPC Plenary. The ECB is represented on all relevant EPC working groups, providing a neutral position on all matters that may arise. IPSO believes that no further regulatory frameworks are required in this space. 28) What are the most appropriate mechanisms to ensure the protection of personal data and compliance with the legal and technical requirements laid down by EU law?? 30

31 Response Currently all banks consider the security of their customer s financial data to be of the utmost importance. However, there should be a distinction made here between personal and financial data. New players such as Google and Facebook tend not to hold financial data and perhaps appear to take less interest in the security of their customers data. As the market grows and evolves, data security becomes even more critical. In the future we can use what has worked to date but new players in the payments market need to be compliant with the existing security standards into which existing banks and financial institutions have invested hugely. IPSO believes that there are appropriate mechanisms in place to ensure the protection of personal data and compliance with the legal and technical requirements under EU Law, through local and European governance. 5. STRATEGY IMPLEMENTATION/GOVERNANCE 5.1. Governance of SEPA 29) How do you assess the current SEPA governance arrangements at EU level? Can you identify any weaknesses, and if so, do you have any suggestions for improving SEPA governance? What overall balance would you consider appropriate between a regulatory and a self-regulatory approach? Do you agree that European regulators and supervisors should play a more active role in driving the SEPA project forward? 31

32 Response The ECB is currently involved as an overseer on many if not all of the EPC working groups. The contribution by the ECB to date has been useful for EPC members and has ensured clarity on the needs of the Eurosystem with regard to payments systems and compliance with rules and standards already agreed. The timelines and work plans of the EPC have worked to date. Any issues which public authorities have with this should be addressed directly between that body and the EPC, without the need for the bodies in question to participate in or provide new governance for the existing process Governance in the field of cards, m-payments and e-payments s 30) How should current governance aspects of standardisation and interoperability be addressed? Is there a need to increase involvement of stakeholders other than banks and if so, how (e.g. public consultation, memorandum of understanding by stakeholders, giving the SEPA Council a role to issue guidance on certain technical standards, etc.)? Should it be left to market participants to drive market integration EU-wide and, in particular, decide whether and under which conditions payment schemes in non-euro currencies should align themselves with existing payment schemes in euro? If not, how could this be addressed? Response The EPC Card Stakeholder s Group sufficiently captures the needs of all stakeholders in the market, through representation from relevant sectors, including card schemes, banks, retailers, vendors, etc. 32

33 The EPC also ensures that any new standards and or proposals regarding changes to the card payments system are circulated for public consultation, on a regular basis, giving opportunity to all stakeholders to submit their input to the work being done. IPSO believes that there is a risk of over-regulation in areas which could lead to less competition, a reduction in innovation and to costly changes within the market more so than there have been already. 31) Should there be a role for public authorities, and if so what? For instance, could a memorandum of understanding between the European public authorities and the EPC identifying a time-schedule/work plan with specific deliverables ( milestones ) and specific target dates be considered? Response Card payments are complicated. To produce a key set of minimum standards and requirements for all stakeholders takes time while all of the stakeholders need to be involved, need to make costly changes to their software, hardware and their own internal rules and operational structures. IPSO believes that the EPC is sufficiently managing the production of the relevant standards within realistic time frames. While existing banks are committed to complying with the relevant SEPA requirements and standards, we are concerned that there is currently no onus on other stakeholders in the retail market to make such commitments. The Commission should consider how compliance by these third parties can be achieved. The banking industry has already firmly committed to doing the work required and to complying with the relevant standards. To ensure a level 33

34 playing field there should be a method in place to guarantee that new and / or third party stakeholders achieve the same level of compliance. 6. GENERAL REMARKS 32) This paper addresses specific aspects related to the functioning of the payments market for card, e- and m-payments. Do you think any important issues have been omitted or under-represented? Our comments here are twofold: - One point that stands out in the Green Paper is the lack of interest for the consumer. The cardholder insights are thin while the paper appears to take the view of the retailer / merchant and less so the consumer. IPSO believes that the needs of the consumer from a cost, efficiency, innovation, security and practical point of view should be considered further by the Commission. While public consultations can be issued to certain relevant bodies, it is difficult to reach the consumer, to get their view and details on their wishes for retail payments of the future. Perhaps the Commission can seek to develop a mechanism to reach consumers to ask their view on card, e- and m-payments. - The Green Paper appears to hold little regard for the need to ensure that new players in the market which have not been involved in banking or payments are compliant with at least the minimum security standards. The safety and security of consumers is paramount and while banks are heavily regulated in this area, there needs to be a level playing field such that security of all payments is a requirement across the board. 34

35 IPSO Key Messages IPSO fully supports the goals of the paper including in particular: - The necessity for consumer choice - The need for innovation in payments - The need for customer safety and security, and - The need for competition in the market Consumer Choice While banks and payment providers have a future view of payments and payment types, none of us can predict what consumers will want to use, nor can we force consumers to use one payment method or tool over another. We believe that there should be better communication between payment providers, regulators and consumers, with a relevant portal for that communication. All market players should have a relevant channel to help them to understand the needs of consumers better and to meet those needs, through providing better choices while ensuring security and safety of the consumer. Innovation The speed to market of innovation has increased dramatically in the past ten years, especially in the area of internet, mobile and contactless card payments. We believe that the industry should promote the benefits of innovation in payments to both consumers and retailers. Regulation and standards should neither impede innovation nor prevent the market in investing in new payment methods and tools. The market should be encouraged by regulators to increase acceptance of new payment tools while considering consumers needs, through communication with consumers. 35

36 IPSO believes that consumers should be encouraged by the payments industry to use the new technologies available to them while ensuring their trust in the systems and new payment tools. We believe that the costs for using current and future payment tools should be transparent to both retailers and consumers and that they should have the choice to adopt new technologies. Customer Safety & Security IPSO believes that the industry needs to provide choice for our customers while ensuring security of the products and avoiding customer confusion. We believe that certain areas of security and fraud prevention should be reviewed on a regular basis by the industry, to keep up with the fast changing fraud trends in the payments market. Future threats should be considered in more detail by the regulator on an on-going basis. Security is key to consumer trust and the industry needs to ensure that customer trust is upheld today and in the future, as the payments market changes and new methods of payments become available to our customers. The industry should encourage not only the secure use of the payment tools they provide, but the additional tools used by consumers such as PCs, smart phones, etc. There is an onus on the industry to fully inform consumers on the risks and dangers of payment fraud and more importantly on the solutions and preventative methods available to them, both through the payments industry as well as through use of technology such as anti-virus and anti-malware software, etc. 36