From the drafting stages of the revised Payment Services Directive (PSD2), EU lawmakers have sought to ensure that regulation of payment services in the bloc is balanced against the need to promote innovation.
Since then, businesses falling under the definition of “technical service providers” (TSPs) set out by PSD2 have (wisely) leveraged their exclusion from the scope of the directive to explore innovative ways of supporting payment services, improving user experience and responding to market needs.
But their days as unregulated entities may be drawing to an end, as recent developments suggest.
In the five years since PSD2 became law, the number of authentication firms (one type of TSP excluded from the scope of PSD2) supporting payment service providers has exploded.
Fintech-led digitalisation has been one driver behind the growth, but two others have been equally important.
Firstly, regulators worldwide have acknowledged and promoted the benefits of the regulatory technology (regtech) sector. Examples of jurisdictions taking active steps in this regard include* the United Kingdom, the European Union, Australia, Hong Kong and Russia.
The other driver is, of course, the disruption brought by COVID-19, which increased the value and urgency of remote entity verification services for the payments industry.
There is nothing new in that regulated firms need to ensure their TSPs comply with applicable rules but, as is often the case, they can’t demonstrate this to the regulator.
The Bank of Ireland recently expressed dissatisfaction with firms’ inability to show how their TSPs comply with anti-money laundering and counter-terrorist financing obligations.
France’s National Agency for the Security of Information Systems (ANSSI) has gone even further by launching a public consultation on proposed standards applicable to remote identity verification service providers. Those proposed standards would put TSPs into the scope of regulation, with the exception of fully automated (non-hybrid) ones.
The security watchdog’s initiative could be a sign of TSPs unregulated days being numbered. This also begs the question of whether this is the beginning of a trend.
The ANSSI’s proposed standards aim to ensure that such services are developed in French territory in compliance with the domestic and EU regulatory regime, such as the General Data Protection Regulation and Electronic Identification, Authentication and Trust Services Regulation, along with relevant national laws.
Requirements introduced by the framework include obtaining indemnity insurance for any damages caused to consumers and assuming responsibility for the activity carried out on behalf of clients to the extent of applicable sector-specific rules, with implications for contractual arrangements and allocation of liability.
Providing evidence of no exposure to risk relating to impartiality, quality and conflicts of interest, as well as the obligation to inform clients of any sector-specific legal or regulatory requirements are also in the proposal.
Compliance with the framework’s provisions would be fundamental for obtaining access to a range of certification schemes.
Certain schemes translate into compliance requirements applicable to payment and e-money institutions, as can be seen from the provisions of Decree No. 2020-118 regulating customer due diligence measures when dealing with legal persons.
The French example illustrates how reliance on regulatory exclusions requires a certain element of precaution, especially when it comes to the assessment of regulatory risk and business feasibility.
Exclusions under legal instruments do not necessarily mean that other domestic laws do not address the excluded aspect.
Regulations change, so do exclusions. The more firms rely on TSPs for meeting regulatory compliance requirements, the more attention regulators will pay to TSPs.
The French experience shows that policy agendas, which aim to promote innovation, will sooner or later show their limitations. It is a natural consequence of striving for balance between new opportunities and emerging risks.
*The references in this article were extracted from VIXIO PaymentsCompliance’s Horizon Scanning tool. Learn more about Horizon Scanning and the full VIXIO PaymentsCompliance solution here.