There has been a rapid increase in collaboration between fintechs and other technology firms and more traditional payment service providers (PSPs) such as banks, merchant acquirers, and money transmitters. While fintechs and technology firms are often seen as direct competitors of traditional PSPs, in a market driven by innovation, both sides of the market increasingly consider collaboration a mutually beneficial way to play to each participating firm’s strengths. For more traditional PSPs, the technologies that a fintech or technology firm develops can help enhance and streamline, and in some cases modernize, the services provided to customers. For a fintech or technology firm, partnering with a PSP can provide an efficient and effective way to expand into the payment services market, particularly for customers who are more inclined to use traditional PSPs.
Regulators are monitoring these developments with growing interest and with an eye to potential risks to customers and markets as well as their ability to supervise regulated firms and their operations. This post highlights a number of EU/UK regulatory issues that fintechs, technology companies, and PSPs should consider when collaborating with one another.
Does the fintech or technology firm need regulatory authorization?
Before a PSP and a fintech or technology firm enter into any agreement or arrangement to collaborate, each should consider whether the fintech or technology firm may require regulatory authorization (or licensing) in order to provide the relevant services.
Where the PSP is contemplating providing a joint service with the fintech or technology firm, it should assess the regulatory and reputational risks involved. For example, the PSP should consider whether it could be facilitating the provision of a regulated payment service by a technology firm without appropriate regulatory authorization and who will be liable if the customer suffers a loss or does not receive the service to a satisfactory standard.
For a fintech or technology firm looking to expand into payment services in the EU/UK, there are a number of options in respect to authorization to consider:
- Obtain authorization as a bank. This permits the firm to conduct a broad range of regulated activities, including accepting deposits. An authorized bank is also generally permitted to issue electronic money (i.e., nondeposit stored value facilities) and provide regulated payment services. However, the process of obtaining authorization is time-consuming and may require significant investment in compliance and risk management functions. In addition, banks are subject to extensive ongoing regulatory requirements, including in respect of governance, risk management, capital, and liquidity, which a fintech or technology firm may not have the ability to meet without making substantial changes to its policies, procedures, and operations.
- Obtain authorization as an electronic money institution (EMI). This permits the firm to issue electronic money and provide regulated payment services. However, unlike a bank, the firm would be subject to safeguarding rules restricting the manner in which it holds funds relating to electronic money and payment services.
- Obtain authorization as a payment institution (PI) or register as an account information service provider (AISP). This permits the firm to provide certain payment services, depending on the scope of regulatory permissions obtained. The firm would not generally be able to provide stored value facilities to its customers; however, it would be able to issue cards that access e-money issued by a bank or EMI. A firm that is registered as an AISP or authorized as a PI but that has permissions to provide only account information services and/or payment initiation services can intermediate between a PSP and its customers but cannot hold funds in relation to payment transactions executed for the customers.
- Become an agent of a PI or EMI. This permits the firm to operate under the regulatory authorization of the PI or EMI to provide certain regulated services. However, the PI or EMI would be required to monitor and supervise the firm’s provision of regulated services, so the firm should expect the PI or EMI to require fairly extensive warranties and undertakings in its agreement with the firm. The firm would also likely have to pay a fee to the PI or EMI or enter into a profit-sharing arrangement with it as part of the arrangement.
- Avoid provision of regulated services. The firm may also wish to avoid regulated activities that would require prior regulatory authorization or registration altogether and provide unregulated services alongside a PSP or to a PSP to support the PSP’s provision of services to its customers. This would generally require that the firm does not hold funds relating to payment services and does not contract with the customer in respect of any regulated services. Whether this is a viable option will depend on the proposed services, the information and funds flows, and the contractual arrangements between the parties.
- Adopt a mixed strategy. Depending on the business model of the firm and the services it plans to offer, it may wish to use a combination of the options discussed above for different products or categories of customers.
For a fintech or technology firm, the process of obtaining regulatory authorization can be time-consuming and expensive, and the firm may not be able to meet certain minimum requirements set by the regulator without first making significant changes to its business and operations. A firm seeking to enter the payment services market should therefore consider carefully the relative pros and cons of obtaining regulatory authorization or seeking to remain outside the regulatory perimeter for payment services.
Do regulatory outsourcing requirements apply?
PSPs are subject to various rules on outsourcing in the UK/EU. If a fintech or technology firm provides services to the PSP, these may be subject to such rules. To determine whether and, if so, how the rules apply in the context of a collaboration, it is crucial to understand which entity will be providing which services, and to whom.
Outsourcing requirements are found in the Capital Requirements Directive ((EU) 2013/36) for EU banks, in the Payment Services Directive ((EU) 2015/2366) (PSD2) for EU PIs, and in the Electronic Money Directive (2009/110/EC) (by reference to PSD2) for EU EMIs. In addition, the European Banking Authority (the EBA) has issued detailed guidelines on outsourcing by such firms.
Outsourcing requirements generally apply to PSPs where a PSP outsources critical or important operational functions. The key requirements and considerations for PSPs entering into an outsourcing arrangement for a critical or important function include the following:
- PSPs must notify the regulator where the PSP intends to rely on an outsourced service provider for the performance of critical or important functions. In some cases, the regulator may require the PSP to provide a copy of the proposed contract with the service provider.
- PSPs must ensure that (i) the outsourcing arrangements do not result in the delegation by senior management of their responsibilities; (ii) the relationship and regulatory obligations of the PSP toward its clients are unaffected; and (iii) the conditions under which the PSP is authorized are not undermined.
- PSPs are required to set out the respective rights and obligations of the PSP and the service provider in a written agreement that includes service level standards. The agreement must provide that subservicing by the service provider takes place only with the PSP’s written consent. The agreement must also detail the PSP’s rights of instruction, information, audit, and termination. Information and audit rights (including for on-site inspections) must be reserved for the PSP as well as its regulators and auditors. The written agreement is a key consideration for PSPs, as negotiating such terms is often a point of contention between PSPs and fintechs or technology firms.
The written agreement between the PSP and the fintech or technology firm should cover several other contractual points, including these:
- which entity provides the regulated services
- which entity bears responsibility for loss or fraud
- termination rights
- which entity retains the customer relationships in the event the joint venture is terminated
- the process for approval of marketing materials
- intellectual property rights
- responsibility for compliance with data privacy legislation
Application of anti-money-laundering rules
Where the PSP and fintech or technology firm are providing a joint service, the parties should also consider which entity is responsible for collecting information from customers to ensure compliance with anti-money-laundering (AML) rules, in particular customer due diligence measures. For example, where the fintech or technology firm acts as agent of the PSP or assists the PSP with onboarding customers, the PSP should ensure that appropriate AML policies and procedures are in place. While a PSP may outsource the collection of relevant information to the fintech or technology firm, it will ultimately remain responsible to its regulators for compliance with AML rules.
In addition, PSPs must ensure that they comply with the EBA’s guidelines on information and communication technology and security risk management where an outsourcing arrangement is contemplated in relation to the provision of data processing services. In general, PSPs must
- ensure that their service providers comply with appropriate information technology security standards
- define data and system security requirements within the outsourcing agreement and monitor compliance with these requirements on an ongoing basis
- adopt a risk-based approach to data storage and data processing locations and information security considerations where the outsourcing arrangements involve the handling or transfer of personal or confidential data
The last of these requirements may involve agreeing to a data residency policy with the service provider on commencement of the outsourcing relationship, setting out the jurisdictions in which the PSP’s data can be stored, processed, and managed. This may also require agreeing on how the service provider will address any data loss as well as its breach notification obligations to the PSP.
With any new venture, PSPs, fintechs, and technology companies should consider whether the services would be regulated and, if so, whether the fintech or technology company requires authorization. PSPs, in particular, should consider compliance with the EBA guidelines on outsourcing and data security and anti-money-laundering legislation. The written agreement between the PSP and the fintech or technology company should clearly set out the rights and obligations of each party.