Payments View – March 2022

Card Schemes Suspend Operations in Russia

In response to Russia’s invasion of Ukraine, Visa and Mastercard have suspended their operations in Russia to further isolate the economy from the international community. The effect is that cards issued abroad will no longer work at Russian merchants or ATMs and those with Russian cards will not be able to use them abroad or for international payments online.

The impact domestically is reduced as the Russian government made a decision in 2015 to require all domestic payment transactions to be processed through the national system. Consequently, cards issued in Russia will work in Russia until they expire. To alleviate the problem outside Russia, Russian banks have suggested they will look to issue cards that use the Chinese UnionPay system which is accepted around the world. However, the re-issue of millions of cards is still a significant issue for the Russian banks.

As the war in Ukraine continues to escalate and the international community responds with fast moving measures, we are here to support you and your business. Please join us for the weekly briefings hosted by our Financial Crime team which are intended to help you stay on top of developments in this unsettling time. Registration available here.

PSR Press Release on associated risk with events in the Ukraine

On 3 March 2022, the PSR published a press release encouraging firms to consider how to manage any associated risks in the context of current events in Ukraine. In particular, the PSR highlights the following:

• the ability to withstand attack from a sophisticated state actor;
• whether staffing levels are available to deal with an elevated cyber risk from state sponsored or other actors;
• the implications on third party suppliers if there are sanctions; and
• the resilience of third party suppliers.

The PSR highlights the guidance from the National Cyber Security Centre that outline the actions for organisations to take when the cyber threat is heightened. The NCSC is not aware of any current specific cyber threats to the UK in relation to the events in Ukraine, but it has advised organisations to be vigilant.

Ipagoo - CoA rejects FCA appeal

On 9 March, the Court of Appeal (CoA) dismissed the FCA's appeal of an earlier High Court ruling on Baker & Anor v Financial Conduct Authority (Re Ipagoo LLP) [2022] EWCA Civ 302. We mentioned the High Court ruling and FCA’s appeal in the January edition of Payments View and highlighted that the FCA’s approach to safeguarding has long involved an attempt to force payment and e-money institutions (EMIs) to acknowledge the creation of a trust in favour of their customers.

The CoA has now agreed with the lower court that a statutory trust does not arise in favour of EMI customers as a result of safeguarding requirements under the Electronic Money Regulations 2011 (EMRs).

The CoA’s judgment is also significant as in addition to ruling that a trust does not arise, it held that customer funds that should have been safeguarded under the EMRs must still be protected, and that if there is any shortfall in this protection (e.g. where the EMI failed to safeguard customer funds) which results in a shortage in the EMI’s “asset pool”, this can be made up through distribution of the insolvent EMI's other assets and electronic money holders are granted rights over that asset pool in priority to other creditors.

The CoA was not sympathetic to the FCA's arguments that these findings would have a negative effect on other creditors, framing this effect as an “inevitable consequence” of statutes whose clear purpose is to “insulate and protect” EMI customers' funds. The CoA also briefly discussed a few other recent cases involving safeguarding regimes whose roots come from the PSD2 - namely, Re Supercapital [2021] 1 BCLC 355 and Re Premier FX [2021] EWHC 1321 (Ch), both of which had found that statutory trusts did arise. However, the CoA swiftly dismissed the similarities with Ipagoo, finding that the decisions in those cases were of ”little assistance”, as they were built on the PSRs, rather than the EMRs.

Although at the time of the CoA’s judgment, the Insolvency and Companies Court (ICC) had supported the FCA’s interpretation in a draft judgment for Re Supercapital, it has since retracted its decision. The ICC instead followed the approach of the High Court in Ipagoo (as the CoA judgment was still pending) and held that no statutory trust arose under the EMRs and that an office holder of an entity that had not properly safeguarded relevant funds would be obliged, under the terms of the EMRs, to override the usual priority rules that arise on insolvency and add to the asset pool, a sum equal to the amount of funds that should have been safeguarded, but were not.

While the FCA could attempt to appeal the CoA’s decision, it’s worth noting that there were no dissenting opinions on this appeal, so the prospect of being granted an appeal is unclear. Nevertheless, it will be interesting to see whether the courts now follow the interpretation in Ipagoo for future cases. The ICC’s revised judgment is perhaps telling of this and as it is now CoA authority, we expect this will be the dominant view and the FCA will need to adjust its interpretation. Please let us know if you would like to discuss this decision in more detail.

API failure to safeguard customer funds results in fine for bank

Premier FX was an API which provided foreign exchange and money remittance services to its customers. In June 2018 it was discovered that Premier FX was failing to properly segregate or safeguard client monies, resulting in a shortfall of over £10m when the company went into liquidation. The FCA publicly censured Premier FX for breach of the PSRs but did not impose a fine on the basis that to do so would have further reduced the funds available to customers.

On 24 February the FCA did, however, fine Premier FX’s bank for breaching Principle 2 of the Principles for Business by not acting with due skill care and diligence in carrying out its ongoing monitoring of Premier FX. The bank had agreed to make an ex gratia payment to be distributed to all customers of Premier FX who lost money and, but for this payment, would likely have received a higher fine than the £783,800 one imposed.

The Final Notice is premised upon the fact that Premier FX, as an MSB, was higher risk for financial crime purposes. On that basis, the FCA found that the bank failed to conduct its monitoring of Premier FX for AML purposes with due skill, care and diligence. However, Premier FX was not money laundering; the wrongdoing was committed by Premier FX against its own customers. Accordingly, the FCA appears to have used the bank’s financial crime obligations as a means to achieve the consumer protection which Premier FX should have been providing. This, along with the incoming Consumer Duty, is further evidence that the FCA views consumer protection as paramount.

What it means in practice for APIs and EMIs is that they can expect their safeguarding banks to monitor their activity much more closely and require more detailed information from firms regarding their businesses. If the practical consequence of the Final Notice is that banks will be liable for any failure to properly safeguard by their customers, banks will understandably want to know a lot more about how their customers’ safeguard.

Strong Customer Authentication (SCA) – Card based e-commerce and Account Information Exemption Changes

E-commerce

The requirement for SCA compliance with respect to card-based e-commerce transactions finally came into effect on 14 March.

In the context of e-commerce transactions, the requirement for SCA applies to payment service providers whenever a payment service user initiated a payment – including card payment transaction initiated through the payee (usually a merchant).

Although the obligation to apply SCA doesn’t apply directly to online merchants / retailers, businesses face a number of challenges with regard to (i) how to accommodate SCA within online payment journeys with the least disruption and impact on conversion rates and (ii) engaging with acquirers and the wider card industry to understand when and how the available exemptions from SCA might be applied.

The FCA had granted an extension for the implementation of SCA for e-commerce due to concerns about industry readiness and the impact this would have on consumers and merchants. Failure to comply with the SCA requirements after 14 March may now result in supervisory or enforcement action. The requirements have been in place across most of the EU since the start of 2021.

It is anticipated that a significant number of merchants remained unprepared for the change and consumers will feel the impact as merchants are unable to process their transactions or require additional steps to be taken at checkout.

Account Information

The UK changes to Art 10 of the SCA RTS also come into effect from the end of this month (26 March). As mentioned in the last edition of Payments View, the FCA has added a new Art 10A which allows PSPs to avoid the need to apply SCA where a payment service user is accessing account information through an AISP and that user is limited to accessing either or both of the following items without disclosure of sensitive payment data:

• the balance of one or more designated payment accounts;
• the payment transactions executed in the last 90 days through one or more designated payment accounts.

This is provided that SCA was applied on at least one previous occasion where the AISP accessed the relevant information on behalf of the payment service user.

EBA Guidelines on the PSD2 limited network exemption

On 24 February 2022 the EBA published its final Guidelines on the limited network exclusion under PSD2. The Guidelines are intended to address inconsistencies in the way national competent authorities have applied the exclusion to further the development of the Single Market for payment services.

Payment instruments that might benefit from this exclusion include store cards, fuel cards, public transport cards, and meal vouchers. The Guidelines introduce provisions, and where relevant, criteria and indicators, aimed at ensuring that payment instruments that can benefit from the exclusion are used in a limited way, thus reducing potential risks that may arise for the users of such instruments.