Key developments of interest over the last month include: the Bank of Italy’s communication on unauthorised payment transactions; the Reserve Bank of Australia’s announcement of an upcoming review into retail payments regulation; and the European Banking Authority’s publication of a statement and 2024/25 supervisory priorities for issuers of asset-referenced tokens (ARTs) and e-money tokens (EMTs) under MiCA.
In this Newsletter:
Regulatory Developments: Payments
Regulatory Developments: Digital Assets
Market Developments
Surveys and Reports
For previous editions of the Payments Newsletters, please visit our Financial Services practice page.
On 15 July 2024, the UK Financial Conduct Authority (FCA) and the Payment Systems Regulator (PSR) issued a joint call for information on Big Tech and digital wallets. It focuses on a range of issues including: whether digital wallets are working well for consumers, businesses and other payments users; whether there are any disincentives or other barriers to digital wallets integrating account-to-account payments; and whether stakeholders consider that digital wallets raise any significant consumer protection or market integrity issues. The regulators are interested in hearing from stakeholders across the payments and wider financial services landscape. The call for information closes on 13 September and the regulators will provide an update by Q1 2025.
On 17 June 2024, the Bank of Italy published a communication (in Italian) on unauthorised payment transactions (Communication). Inspections had revealed shortcomings with several payment service providers (PSPs), such as groundless refund refusals, deficiencies in execution of refunds and card tokenization procedures. The communication provides instructions to be followed by PSPs after conducting a self-assessment.
The communication sets out steps for PSPs to ensure regulatory compliance in this area, which include:
A policy on unauthorised payment transactions: PSPs should adopt a specific policy setting out the categories of unauthorised transactions.
Internal education: PSPs should arrange employee awareness initiatives.
Communication to payment service users (PSUs): communications to PSUs must be clear and comprehensible.
Card tokenization procedures: such procedures must be in line with the requirements set out in the SCA Regulation.
ABF ruling: PSPs are also required to take into account rulings of the Arbitro Bancario e Finanziario (ABF) – the Bank of Italy’s out-of-court dispute resolution system – on these matters.
PSPs are required to carry out a self-assessment of the procedures currently adopted to ensure compliance, and if needed they should arrange for a remediation plan to be finalised within 12 months of the publication of the Communication. All assessments carried out will be subject to verification by the Bank of Italy.
For more on this development, take a look at our Engage article.
On 12 July 2024, the Payment Systems Regulator (PSR) published a policy statement (PS24/3) on compliance and monitoring under the Faster Payments System (FPS) APP fraud mandatory reimbursement requirement. For more on the previous PSR consultation on this, take a look at our Engage article.
The PSR has also published:
Faster Payments APP Scams Compliance Data Reporting Standard (CDRS);
APP scams reimbursement: Specific Requirement 1 (SR1) on Pay.UK (as amended – see below);
APP scams reimbursement: Specific Direction 19 on Pay.UK (as amended); and
APP scams reimbursement: Specific Direction 20 on payment service providers (PSPs) (as amended).
The policy statement confirms:
the requirement for directed PSPs to register with Pay.UK by 20 August 2024. This is one way that PSPs will identify themselves as in-scope of the policy to Pay.UK and will help facilitate a shared directory – the FPS Reimbursement Directory. This directory will enable PSPs to find one another’s contact details so that they can meet the requirements in the FPS reimbursement rules and the PSR’s policy, and communicate in respect of FPS APP scam claims received;
the data under reporting standard A that sending PSPs in-scope of the policy are required to retain and report to Pay.UK monthly in respect of transactions they have sent, to enable it to effectively monitor compliance with the FPS reimbursement rules;
the reasonable limits that the PSR is placing on Pay.UK in respect of the use and disclosure of the compliance data it receives; and
the PSR’s approach to requiring PSPs to inform consumers of their rights under the policy.
These changes will be delivered through amendments to the PSR’s Faster Payments APP fraud legal instruments Specific Direction 19 and Specific Direction 20 (including the CDRS) and Specific Requirement 1. The PSR believes this package of amendments will drive effective compliance monitoring from the policy start date of 7 October 2024.
However, in light of consultation feedback the PSR is not currently confirming the following two further requirements on which it also consulted:
its proposal to require all in-scope PSPs to comply with Pay.UK’s FPS rule to use the reimbursement claim management system (RCMS); and
whether and when reporting standard B may come into effect.
Instead, the PSR intends to consult in late 2024 on proposals to require use of the RCMS and on whether and when a shift to reporting standard B could take place. Following consultation, should the PSR require use of the RCMS, it may be possible to bring this requirement into effect by 1 May 2025, which is the date by which all direct PSPs are required to comply with Pay.UK’s FPS rule requiring use of the RCMS. The PSR will keep timings under review and remains open to considering all available options through this future consultation.
On 12 July 2024, the Payment Systems Regulator (PSR) published a response paper (PS24/2) to its May 2024 consultation on guidance for payment service providers (PSPs) on publishing APP scams data for the second reporting cycle (January to December 2023). The final version of the guidance has also been published.
The PSR requires directed PSPs to publish data on APP fraud, showing fraud levels, fraud prevention rates and reimbursement levels. The guidance explains the content that must be included as part of this data requirement, the format that must be used, and the timescales that must be followed. It is for directed PSPs that must publish APP fraud data under the PSR’s Specific Direction 18.
The PSR states that it may issue updated publication guidance for each reporting cycle.
On 18 June 2024, the Head of Payments Policy at the Reserve Bank of Australia gave a speech to announce an upcoming holistic review of retail payments regulation. The review will form part of the government’s plans to update the definition of ‘payment system’ and ‘participant’, and consider regulation of buy-now pay-later (BNPL) services.
The Head of Payments Policy referred to the transparency of payment services, surcharging, merchant payment costs, mobile wallets and the cost and transparency of cross-border payments. The review will consider a range of policy issues, including:
Reviewing the cost of card payments for end users;
Lowering merchant costs using least-cost routing of online debit card transactions;
Increasing competition for payment services on e-commerce platforms; and
The introduction of greater standardisation for tokenisation in online card payments to help reduce the crime risk.
Other key developments referred to in the speech included the Government’s recent introduction of legislation to Parliament which will bring BNPL regulation in line with other types of credit and require BNPL providers to hold an Australian credit licence, and a potential increase in retail payments innovation through the New Payments Platform and its PayTo service.
On 3 July 2024, the Financial Market Commission of Chile (FMC) issued a new regulation governing the country’s Open Finance System and the activity of payment initiation service providers (PISPs). The Open Finance System is aimed at encouraging innovation in the Chilean financial market and allowing users to securely share their information.
The new regulation follows a public consultation which took place between April and May 2024. The Open Finance System will become effective on 3 July 2026, before which the relevant authorities will develop technical manuals and specifications.
The regulatory benefits and costs arising from the regulation will be evaluated periodically.
On 14 June 2024, the Payment Systems Regulator (PSR) published an updated list of payment service providers (PSPs) that participate in the Faster Payments Scheme (FPS) and may therefore fall in scope of the PSR’s mandatory authorised push payment (APP) fraud reimbursement requirement, which is due to come into force on 7 October 2024.
For more on the mandatory reimbursement requirement for the FPS, see our Engage article here.
On 1 July 2024, new guidelines from the Reserve Bank of India came into effect. The guidelines regulate the payment of credit card bills in India (as reported on here). The measures will affect consumers who use apps such as PhonePe, Amazon Pay and Paytm.
Credit card bill payments made through third-party applications are now required to be sent through the Bharat Bill Payment System (BBPS). The BBPS is managed by the National Payments Corporation of India. The measures are aimed at enhancing the security and efficiency of credit card transactions through a standardised payment infrastructure.
On 9 July 2024, the Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) announced that major retail banks in Singapore will progressively phase out the use of One-Time Passwords (OTPs) for bank account login by customers who are digital token users within the next three months. MAS and the ABS strongly encouraged those customers who have not activated their digital tokens to do so.
The change is aimed at protecting consumers against phishing by strengthening the authentication process, making it harder for scammers to fraudulently access a customer's account and funds without the customer’s explicit authorisation using their mobile device.
Following the UK General Election, on 10 July 2024 the fintech industry body Innovate Finance published its ‘Fintech plan for government’ setting out its blueprint for the first 100 days of the new government and beyond.
Among other recommendations, Innovate Finance lists the regulatory framework for buy-now, pay-later (BNPL), the National Payments Vision, and giving the regulators powers to introduce a stablecoin regime as live issues requiring prioritisation by the new government. It also refers to the need to ensure that the Payment System Regulator’s (PSR) APP fraud mandatory reimbursement scheme is introduced in a ‘proportionate and effective way’.
On 16 June 2024, it was reported that the South Korean financial regulator, the Financial Service Commission (FSC), has required cryptocurrency exchanges to evaluate listed tokens on their exchanges. Exchanges must review whether to continue the trading of their listed coins, in a measure that aims to protect virtual asset users. This pre-empts the implementation of Korea's first law on virtual asset user protection on 19 July 2024.
Exchanges will now be required to establish their own evaluation and decision-making bodies to assess:
The reliability of the issuer of their listed coin;
The level of compliance with regulation;
User protection measures; and
Technology and security.
Alongside these stricter review guidelines, exchanges must review existing listed tokens every six months to ensure they meet these new guidelines and conduct maintenance reviews every three months. Coins that fail to meet regulatory standards will be labelled as cautionary and risk being delisted.
Alongside these changes, the South Korean financial authorities plan to amend their internal structures to create effective policies on the cryptocurrency industry.
On 27 June 2024, the European Banking Authority (EBA) and the European Securities and Markets Authority (ESMA) published a final report on suitability assessments under the Regulation on markets in cryptoassets (MiCA).
The report includes two sets of guidelines on the suitability assessments of:
members of the management body of issuers of asset-referenced tokens (ARTs) and of cryptoasset service providers (CASPs); and
shareholders and members, whether direct or indirect, with qualifying holdings in issuers of ARTs and in CASPs.
The guidelines state that these classes of individuals must be of sufficiently good repute and able to commit the required time to perform their duties. Additionally, in order for the ART issuer or CASP to gain authorisation, the members and shareholders which fall in the classes listed above must not have been convicted of offences relating to money laundering or terrorist financing.
Issuers of ARTs and CASPs must inform the relevant authority of changes to the composition of the management body, after which the authority will assess the change.
The guidelines will apply two months after their publication on the EBA and ESMA websites in all EU official languages.
On 13 June 2024, the EBA published a package of technical standards and guidelines on prudential matters under the Regulation on markets in cryptoassets (MiCA).
The package comprises:
Final draft RTS specifying the procedure and timeframe for an issuer to adjust the amount of its own funds to 3% of the average amount of the reserve of assets when the relevant issuer is issuing an ART or EMT classified as ‘significant’.
Final draft RTS further specifying the liquidity requirements of the reserve of assets.
Final draft RTS to specify the highly liquid financial instruments.
Final draft RTS to specify the minimum content of the liquidity management policy and procedures.
Guidelines on recovery plans specifying the format and the content of the recovery plan that issuers need to develop and maintain, and the content of the communication and disclosure plan.
The EBA will submit the final draft RTS to the European Commission for endorsement. They will then be reviewed by the European Parliament and Council of the EU before being published in the Official Journal of the EU.
The guidelines will apply two months after the publication of all translations on the EBA website.
On 19 June 2024, the EBA published the following final draft regulatory technical standards (RTS), implementing technical standards (ITS) and guidelines under the Regulation on markets in cryptoassets (MiCA):
Final draft RTS on supervisory colleges under Article 119(8) of MiCA.
Final draft ITS on the reporting on asset-referenced tokens under Article 22(7) of MiCA and on e-money tokens denominated in a currency that is not an official currency of a member state pursuant to Article 58(3) of MiCA. The report containing the final draft ITS is accompanied by Annex I, II, III, IV and V.
The EBA will submit the final draft RTS, ITS and guidelines to the European Commission for endorsement. They will then be reviewed by the European Parliament and the Council of the EU before being published in the Official Journal of the European Union.
The guidelines will apply two months after the publication of all translations on the EBA website.
On 4 July 2024, ESMA published a final report (dated 3 July 2024) on its second package of regulatory technical standards (RTS) and implementing technical standards (ITS) under the Regulation on markets in cryptoassets (MiCA).
This covers six RTS and two ITS on:
The content, methodologies and presentation of sustainability indicators and adverse impacts on climate (Articles 6(12), 19(11), 51(15) and 66(6)).
Continuity and regularity in the performance of cryptoasset services (Article 68(10)(a)).
Offering pre- and post-trade data to the public (Article 76(16)(a)).
Record keeping obligations for cryptoasset service providers (CASPs). The RTS cover record-keeping for all CASPs (Article 68(10)(b)) and order records for CASPs operating a trading platform (Article 76(16)(b)).
Machine readability of white papers and the register of white papers. The RTS and ITS cover standard forms, formats and templates of white papers (Articles 6(11), 19(10) and 51(10)) and the data necessary for the classification of white papers (Article 109(8)).
The technical means for appropriate public disclosure of inside information (Article 88(4)).
The texts of the draft Delegated and Implementing Regulations containing the RTS and ITS are set out in Annexes IV to XI to the final report.
The draft technical standards will be submitted to the European Commission for adoption, which will decide whether to adopt them within 3 months.
On 12 July 2024, the European Supervisory Authorities (ESAs) (ie, the EBA, ESMA and EIOPA) published a consultation paper on draft guidelines under the Regulation on markets in cryptoassets (MiCA), establishing templates for explanations and legal opinions regarding the classification of cryptoassets along with a standardised test to foster a common approach to classification.
The standardised test is accompanied by a flow chart on identifying whether an instrument falls within scope of MiCA (see Annex C to the consultation paper).
The ESAs are planning to hold a public hearing on the consultation paper on 23 September 2024. The consultation closes on 12 October 2024.
On 11 July 2024, the Law Commission of England and Wales published a scoping paper on decentralised autonomous organisations (DAOs).
The paper does not make formal recommendations for law reform but addresses aspects of DAOs which are significant for policy and legal purposes. Some key points (including areas of further work) from the paper include the following:
There is no current need to develop a DAO-specific legal entity for England and Wales.
The Companies Act 2006 should be reviewed in order to determine whether reform is needed to facilitate the increased use of technology at a governance level where appropriate. The law of other business organisations such as limited liability partnerships should also be reviewed with the same aim.
Further work could be undertaken to determine whether the introduction of a limited liability not-for-profit association with flexible governance options would be a useful and attractive vehicle for organisations in England and Wales, including non-profit DAOs.
The Law Commission’s planned review of trust law under the law of England and Wales will consider – in general terms rather than in the DAO context specifically – the arguments for and against the introduction of more flexible trust and trust-like structures in England and Wales.
The government should consider a review of anti-money laundering regulation in England and Wales to consider whether the same policy objectives can be achieved in a manner more compatible with the use of distributed ledger and other technology.
On 3 July 2024, the Basel Committee on Banking Supervision (BCBS) announced that it has approved a disclosure framework for banks' cryptoasset exposures and agreed to make targeted amendments to its cryptoasset standard. The development follows a meeting held by the BCBS during which a range of policy and supervisory initiatives were discussed.
The finalised disclosure framework will include a set of standardised public tables and templates covering banks’ cryptoasset exposures which aims to enhance transparency and market discipline.
The framework will be published later in July, with an implementation date of 1 January 2026.
On 4 July 2024, the EBA published guidelines on information requirements in relation to transfers of funds and certain cryptoassets transfers under the Wire and Cryptoasset Transfer Regulation (WCTR).
The WCTR aims to make the abuse of funds and use of cryptoasset transfers for terrorist financing more difficult, and allow authorities to trace transfers where required for mitigating financial crime.
The new ‘travel rule’ guidelines refer to the information that should accompany transfers of funds and certain cryptoassets. Additionally, the guidelines set out the steps that payment service providers (PSPs), intermediary PSPs, cryptoasset service providers (CASPs) and intermediary CASPs should take to detect and follow up on missing information.
The WCTR recasts existing EU legislation to bring it into line with the Financial Action Task Force’s (FATF) standards by extending the obligation to include information about the originator and beneficiary CASPs.
The new guidelines come into force on 30 December 2024.
On 10 July 2024, the Financial Action Task Force (FATF) published a targeted update on the implementation of its standards on virtual assets (VAs) and virtual asset service providers (VASPs). This relates to FATF recommendation 15 (R.15) and the related interpretative note (INR.15), and recommendation 16 (R.16) (the ‘travel rule’) and the related interpretative note (INR.16).
The FATF has found slow progress in regulating the VA sector (which is a serious concern), although its report does acknowledge positive developments reported by the private sector, such as increases in VA transaction volume using travel rule compliance tools and in VASPs considering travel rule obligations in their operations.
Given the findings of the update, the FATF will continue to:
facilitate outreach and assist lower-capacity jurisdictions;
facilitate sharing of best practices, findings and challenges, including relating to decentralised finance, stablecoins, unhosted wallets, and peer-to-peer transactions and monitor market trends in this area for material developments that may require further FATF work; and
engage with FATF member countries, the global network, technical assistance providers and the private sector on progress and challenges.
On 5 July 2024, the EBA published a statement for the attention of persons issuing to the public, offering to the public, or seeking admission to trading of asset-referenced tokens (ARTs) and e-money tokens (EMTs) and for consumers. This statement replaces the EBA’s July 2023 statement. In summary:
The EBA expects any persons commencing ART/EMT activities to comply fully with the Regulation on markets in cryptoassets (MiCA) from 30 June 2024 (although issuers of ARTs may benefit from transitional arrangements under Article 143(4)-(5) of MiCA). The EBA urges issuers and offerors to have regard to the applicable regulatory and implementing technical standards and guidelines (such as in respect of white papers, governance, complaints handling, own funds, reserve assets, recovery and redemption plans) which are available on the EBA’s website.
The EBA reminds consumers to consider whether an EMT or ART is issued, offered or admitted to trading in accordance with MiCA, and to have regard to the joint ESA warning on cryptoassets more generally.
The EBA also notes that other stakeholders providing cryptoasset services should set up procedures as soon as possible in order to assess MiCA compliance of the ARTs / EMTs for which they offer related services.
The EBA further expects competent authorities who become aware that a person is commencing ART/EMT activities to bring to that person’s attention the relevant MiCA requirements, standards and other regulatory measures.
On the same day, the EBA also published a document setting out key topics for supervisory attention across the European Union for issuers of ARTs/EMTs in 2024/2025. The topics are: internal governance and risk management; financial resilience (including, where applicable, own funds requirements and reserve of assets); technology risk management; and financial crime risk management.
On 5 July 2024, it was reported that Tangem AG, a global provider of secure hardware wallet solutions, has announced a partnership with Visa.
The partnership involves the introduction of a Tangem Visa payment card that is combined with a hardware wallet, enabling Tangem users to make payments using their crypto or stablecoin balance at Visa-accepting merchant locations. The initiative is Europe-wide.
Tangem will also make the technology available to other issuers who are interested in using it for their own customers.
On 11 July 2024, it was reported that BankservAfrica and UnionPay International (UPI) have partnered to facilitate easier and safer ecommerce transactions for UPI cardholders across Africa.
The strategic partnership is designed to place both BankservAfrica and UPI in leading positions to make the most of the accelerated growth in ecommerce across the continent.
On 26 June 2024, Boerse Stuttgart Group (BSG) announced that the ECB has made it the only European exchange operation to participate in EU-wide blockchain tests, in which the settlement of blockchain-based financial transactions against central bank money is being explored. The BSG settles secondary market transactions of tokenised securities directly between trading participants on the blockchain.
On 1 July 2024 Circle, a global financial technology firm and the issuer of USDC and EURC, announced that it is the first global stablecoin issuer to comply with the EU's Markets in Cryptoassets Regulation (MiCA) regulatory framework. After having complied with the new regulatory regime, Circle is now officially available for business customers in Europe.
On 2 July 2024, Klarna announced its partnership with Adobe Commerce to enable merchants to implement Klarna’s buy-now pay-later (BNPL) services as well as other flexible payment options.
On 3 July 2024, it was reported that 14 overseas payment service providers and card organisations, including Ant Group and Mastercard, have extended the International Consumer Friendly Zones programme to the major Chinese cities of Chengdu and Chongqing.
The International Consumer Friendly Zones programme is implemented with the support of local government departments and facilitates the accessibility and useability of digital payment options for international travellers. The programme will be rolled out to a number of shopping areas, airports and stations, and participating merchants in these locations will inform customers of the availability of digital payment methods.
On 8 July 2024, the Boerse Stuttgart Group (BSG) announced that it will expand its market data offering by including ESG data for cryptocurrencies. This move follows the transparency requirements put in place for cryptoasset service providers under the EU Markets in Cryptoassets Regulation (MiCA), which includes sustainability figures for the cryptocurrencies on offer.
BSG will partner with Crypto Risk Metrics, who will calculate and provide the ESG data.
On 5 July 2024, it was reported that Taiwan Mobile, the second-largest telecommunications provider in Taiwan, has received a virtual asset service provider licence from the country’s Financial Supervisory Commission. Following this authorisation, Taiwan Mobile will be able to open a cryptocurrency exchange.
On 20 June 2024, it was reported that Vipps, the Norwegian mobile payment service provider, and MobilePay, used in Denmark and Finland, have launched a person-to-person payment service between the three countries. Users will now be able to transfer money between the countries without an IBAN number.
Cross-border transfers will cost 4% of the transaction amount for payers, in addition to any charges payable to banks, while receiving payments is free.
On 27 June 2024, the crypto-currency exchange provider Coinbase announced that it has partnered with Stripe, a financial infrastructure provider.
As a result of the partnership, Stripe will add USDC on Base to its crypto payouts product and fiat-to-crypto onramp. Coinbase will add Stripe’s fiat-to-crypto onramp to Coinbase Wallet to allow users to instantly buy crypto.
On 19 June 2024, it was reported that Swift, the messaging network used by banks to initiate international payments, has surveyed over 2,000 SMEs in Europe. The survey asked decision-makers at SMEs who transact across the European Union (EU) about their views on the EU Instant Payments Regulation. The Regulation seeks to facilitate instant credit transfers in euro. The survey found that 44% of European SMEs believe that the Regulation will save their business money, and 27% think that it will improve their cashflow.
Our previous publication on the proposals for the Instant Payments Regulation can be found here. The Regulation entered into force on 8 April 2024, and there are phased implementation deadlines modified for the different components of the initiative and to allow for euro area and non-euro area member states.
In June 2024, research by Spherical Insights and Consulting projected that the global online banking market, valued at USD $12.87 billion in 2023, will reach USD $44.89 billion by 2033. The Asia Pacific region is expected to grow the fastest in the next decade.
Factors driving the growth of the market include the wider availability of high-speed internet, which allows accessibility and real-time data analytics to offer a better range of financial services products. The findings noted that security and privacy concerns risk restraining the development of the market.
The research also found that the payments segment dominates the market with the largest market share throughout the forecast period, whilst cloud computing accounts for the largest revenue share.
On 5 July 2024, it was reported that a paper from TRM Labs has found that the value of cryptocurrency stolen by hackers had doubled between mid-2023 and 2024.
The report found that the top five hacks and exploits accounted for 70% of the total amount stolen so far in 2024. The largest attack this year involved the theft of over $300 million worth of coins. The main attack methods this year have been private key and seed phrase compromises, as well as smart contract exploits and flash loan attacks.
Authored by Charles Elliott, Virginia Montgomery, and Ada Nourell.