2018 has been a year of thrills and surprises for the payments industry with a host of regulatory changes to deal with.
It was the year that the entire industry realised that no matter what you plan for, regulations rarely deliver what’s expected!
So, can we look forward to the dust settling somewhat in 2019 or will it bring yet more regulatory changes to our industry?
Let’s look at what we might expect:
It’s likely that member states that have not yet implemented PSD2 in local law will publish their national regulations early in 2019: namely Portugal, Romania, Spain and Malta. The Netherlands just made it before year-end, announcing their implementation last week.
The Regulatory Technical Standards (RTS) on strong customer authentication (SCA) will become effective on 13th September 2019, 18 months after publication.
European Banking Authority (EBA) guidelines on fraud reporting will become effective as of 1st July 2019.
There are still some RTS that are expected to be published by the European Commission in 2019:
- Guidelines on Professional Indemnity Insurance
- Guideline on Incident Reporting
- Guideline on Authorisation of Payment Institutions
- Guideline on Complaints Procedures by Competent Authorities
- Guideline on Operational and Security Measures
- Guideline on fraud reporting.
Can we expect a PSD3 draft in 2019?
That may be a bit optimistic!
The Commission has planned an application and impact report on PSD2 by 13th January 2021 (article 108 PSD2). It will review issues such as the appropriateness and impact of rules on charges, access to payment systems, the level of competition and the appropriateness and impact of the threshold for the small Payment Institution exemption.
I hope the Commission will also review the status of XS2A supported by banks and the potential to expand this to other accounts. A legislative proposal for PSD3 may follow the application and impact report.
There are still many burning questions about PSD2, which may be answered by the EBA’s new Single Rulebook Q&A tool.
The EU-Japan adequacy decision is currently still in draft and the finalisation of guidelines on the Extraterritorial Applicability of GDPR is expected in April 2019, after the public consultation period.
If you were thinking your company can relax after completing a GDPR compliance project, think again! Yet another piece of EU law is waiting in the wings.
It’s the ePrivacy Regulation, which replaces the 2002 ePrivacy Directive. This aims to enhance the security and confidentiality of communications, regardless of whether they are free or paid for, and it covers both traditional and modern forms.
And just like GDPR, it’s not limited to companies that are physically located in the EU. Companies outside the EU that deal with EU citizens will also have to comply, just as they do with the GDPR.
The aim is for the two regulations to complement each other: ePrivacy aligns with GDPR to address advancements in technologies and enforce a common law for all EU countries.
It is sometimes referred to as the ‘Cookie Law’, but make no mistake, it encompasses more than GDPR and even includes non-personal data.
The scope of these regulations is immense as they apply to any online interactions including email, SMS, websites, social networks, blogs, VOIP, video, Skype and other tools such as instant messaging, WhatsApp, social media messaging and even IoT devices!
I expect to see further enforcement actions and fines for companies that fail to comply with GDPR in 2019. For instance, in Ireland, in the first month alone after GDPR became effective, the data protection authorities allegedly received over 400 data breach notifications and almost 100 complaints on GDPR compliance by organisations. The data protection authority in the Netherlands had already received 170 complaints during the first 2 weeks. The UK ranked highest, with over 1000 complaints within the first month.
I hope that the European Data Protection Board will update its guidance on the role of Controller vs Processor and Joint Controller vs Co-Controller.
The payment industry in particular could really use some further guidance. See my other blogs on this topic.
The 5th AML Directive was published in June 2018, but the transposition deadline for member states is not until 20 January 2020.
The EU assessment on high-risk third countries will commence in 2019 and is expected to finish in 2025. 132 jurisdictions need to be reviewed so that equates to almost two a month. Plenty of work to do for the Commission!
We can expect continuous updates to the common EU list of third country jurisdictions for tax purposes, bearing in mind that it was updated five times in 2018!
I wonder which banks will be fined for failure to comply with AML Regulations in 2019. In 2018 we had some big-name banks on the list including ING, Rabobank, Danske Bank, Commonwealth Bank of Australia and HSBC. The level of fines has been historically high this year!
AML centralised supervision
The European Commission is proposing to move all supervision authorities to the European Banking Authority (EBA), with a further expansion of responsibilities. National competent authorities may also expect peer reviews in relation to their supervision. A committee will be established within EBA to design AML measures. The implementation date of this proposal is so far unknown.
As of 1st January 2019, member states are required by the Anti-Tax Avoidance Directive to apply measures against corporate tax avoidance (also referred to as ‘aggressive tax planning’).
These measures include preventing companies from exploiting national mismatches.
Could we also expect a draft for ICO Regulation in 2019?
Possibly, but the least we can expect is that the European Union will form a strategy on how to address ICOs.
Further, as part of the Commission’s efforts to promote Fintech in Europe, they have an action plan which includes:
Simpler and more standardised licensing rules for new FinTech activities, increased alignment of standards and an assessment of whether current EU rules are relevant to new technologies like DLT and AI.
We’ll have to wait until later in the year to hear if they announce any further measures.
Hot from the press is the announcement earlier this week that political agreement has been reached at EU level on the Cybersecurity Act. This is part of the EU’s Digital Single Market strategy. Amongst other measures, it gives an extended and permanent mandate to the EU Cybersecurity Agency (ENISA).
The Act also creates a framework for European Cybersecurity certificates at an EU-wide level. The Act is pending formal approval by the Parliament and Council.
Visa fee charges
Finally, let’s not forget the official complaint made by consultancy firm CMSPI to the European Commission over Visa fee changes.
Will the EC reach a verdict in 2019? The public has been invited by the European Commission to comment on commitments offered by both Visa and Mastercard to reduce inter-regional interchange fees by at least 40%. Would this be enough? Let’s wait and see what the feedback procedure will bring.
Am I missing anything?
Do you know of any other regulation changes expected in 2019 that will affect the Payments/Financial Services industry?
Let me know in the comments!