New oversight regime for payment transactions processing entities operating in Belgium
A new legal framework for the oversight of payment transactions processing entities involved in the processing of Belgian payment transactions was passed on 24 March 2017.1 The new law (the Law) imposes a registration duty and conduct of business rules on systematically important Payment Transactions Processing Entities (PTPE). It also imposes obligations on Payment Scheme Operators (PSOs). The Law applies to all PTPEs operating in Belgium, regardless of where such PTPE has its registered office.
Ensuring the stability and continuity of Belgian payments
Recent issues have raised awareness of the potential impact of an unplanned downtime of a PTPE on the stability and continuity of payment traffic. Due to the increased cross-border activity of PTPEs and their systemic importance, the Belgian legislator thought it necessary to equip the National Bank of Belgium (NBB) with hard-law oversight tools regarding systemically important PTPEs (SIPTPEs).
Problems at Worldline SA/NV contributed to the Law being introduced. Worldline SA/NV processed the majority of Belgian debit and credit card payment transactions. However, it had encountered a number of unplanned downtimes, and in 2016, it was merged into the Dutch automated clearing house Equens SE (which was renamed equensWorldline SE). Due to this merger, the Belgian payment processing operations became part of a new company established in the Netherlands, which posed challenges to the continued effectiveness of the NBB’s oversight. The Law is designed to ensure compliance by SIPTPEs (such as Worldline SE which processes the majority of Belgian payment transactions) with Belgian oversight standards.
From soft-law to hard-law oversight
The NBB is responsible for the oversight of Belgian clearing and payment systems.2 To date, this oversight was based mainly on informal relations, voluntary cooperation and soft-law regulations.3 In 2014, the European Central Bank (the ECB) introduced an oversight framework for systemically important payment systems (the SIPS Regulation).4 The Law builds on the hard-law approach to create an oversight framework for PTPEs that are currently not directly within the scope of the SIPS Regulation.5
Closing the regulatory gap on PTPEs
In its opinion on the draft Law (the ECB Opinion),6 the ECB states that Payment Processing Services (PPS) do not directly fall within the scope of any hard‑law EU legislation, as, in the ECB’s view:
Not a payment service provider: PPTEs do not provide any payment services within the meaning of the PSD or PSD2.7
Not a payment scheme: a PPTE does not qualify as a “payment scheme” within the meaning of Regulation (EU) 2015/751 of 29 April 2015 on interchange fees for card‑based payment transactions.
According to the ECB, PPTEs are currently only indirectly subject to the ECB’s oversight framework for payment schemes, insofar as such schemes must ensure, through contractual arrangements, that PPTEs intervening in these schemes respect any relevant requirements.
Material scope of application
PTPEs: a PTPE is a physical person or a legal entity providing services for the processing of payment transactions. These services comprise technical processes necessary for and specifically intended to execute payment transactions. However, the Law does not apply to general support service providers, such as telecom companies, water suppliers and electricity and gas suppliers, nor to financial message companies, such as SWIFT. A payment transaction in turn means any action initiated by the payer or the payee in the context of the transfer of money (giraal geld/monnaie scripturale), irrespective of any underlying obligation between the payer and the payee, provided that (i) the payment transaction is executed between different payment service providers and (ii) both the payer’s and the payee’s payment service provider is operating in Belgium.
Outsourcing: The preparatory works clarify that the Law applies to PTPEs, irrespective of whether the PTPE outsources the processing of payment transactions. In such case, the outsourcee will be considered to be a PTPE and, if it meets the systemically importance threshold, an SIPTPE.
SIPTPEs: a PTPE is deemed systemically important if, during the past year, it has provided PPS in respect of 125 million or more payment transactions in connection with a single payment scheme. The NBB gives notice to a PTPE of its status as an SIPTPE and publishes a list of SIPTPEs on its website.
PSOs: a PSO is the decision‑making body, organisation or entity legally responsible for the operation of a payment scheme. Payment schemes are a single set of rules, practices, standards and/or guidelines for the execution of payment transactions, which are separate from any infrastructure or payment system supporting its operation, as agreed upon between payment service providers. The preparatory documents on the Law state that Bancontact, Maestro, MasterCard, Visa and American Express are the major payment schemes operating in Belgium.
Negative scope: the Law excludes from its scope of application: (i) the processing of payments through paper cheques, bills of exchange and other paper‑based documents drawn on a payment service provider; (ii) the processing of payments within a payment or securities settlement system; and (iii) the processing of direct debit or credit card schemes.8
Territorial scope of application
The Law applies to PTPEs intervening in the processing of Belgian payment transactions, ie payments executed between two different payment service providers operating in Belgium (so-called “both legs in”). It is thus irrelevant where the PTPE has its registered office. The payment service providers that intervene in the process, must, however, be incorporated under Belgian law or must operate in Belgium through a Belgian branch or a cross-border service provision.9 In respect of the PSOs, the only relevant criterion is again whether the PSO operates in Belgium, regardless of its country of origin.
Some important elements within the new oversight toolbox
The Law does not create a licensing requirement or prudential requirements (eg capital requirements) for SIPTPEs. It imposes a registration obligation on the SIPTPE (and an information obligation on the PSO) and it imposes certain conduct of business rules upon SIPTPEs and PSOs.
PSOs: every PSO must annually, prior to 1 April, provide the NBB with the details of the PTPEs on which it relies for the provision of PPS.
PTPEs: every PTPE must give notice to the NBB and the PSO for which it provides PPS when it meets the threshold for SIPTPEs.
The SIPTPE will have to comply with the provisions of the Law as of the date indicated in the NBB’s notification, which cannot be earlier than one month after the notification.
Conduct of business rules
PSOs: every PSO must ensure that the SIPTPEs on which it relies are capable of complying with the conduct of business rules set out in the Law. This obligation must be met prior to the entry into effect of the services agreement, as well as at any time during the contractual relationship.
Mergers and acquisitions: prior approval of the NBB is required for mergers between SIPTPEs and between SIPTPEs and other companies, and for the complete or partial transfer of business or of the network by an SIPTPE. The NBB has three months as of the receipt of a complete file to oppose the transaction for reasons that relate to sound and prudent management, to appropriate risk management or to the continuity and stability of Belgian payment traffic. The NBB may also make its approval subject to certain conditions.
Outsourcing: SIPTPEs may only outsource important operational tasks relating to the processing of payment transactions, if:
the SIPTPE has obtained prior approval of the NBB;
this does not result in a delegation of responsibility by senior management;
the SIPTPE’s relationship and obligations to payment service providers and payment schemes are not altered;
the SIPTPE still complies with all requirements under the Law; and
this cannot materially impair the quality of the SIPTPE’s internal control, nor the NBB’s ability to supervise compliance with the Law.
Furthermore, the NBB may make its approval of the contemplated outsourcing subject to certain conditions.
Principles for Financial Market Infrastructures (PFMI) applying to SIPTPEs
Risk management: every SIPTPE must identify the potential internal and external operational risks for the processing of payment transactions and limit the impact of such risks through an appropriate risk management policy and systems, procedures and controls.
Systems: every SIPTPE’s systems must be designed to ensure a high degree of safety, integrity, confidentiality and operational reliability, stability and continuity. The SIPTPE’s systems must have a sufficient and scalable capacity.
Business continuity management: every SIPTPE must apply business continuity management and must have in place business continuity plans. This must ensure a speedy recovery of its services and compliance with its obligations in the case of an unplanned downtime of its PPS.
Downtime: there are new limits on the time and frequency of unavailability of an SIPTPE’s services and the Law introduces a duty to inform the NBB.
Technology: every SIPTPE must have robust methods to follow-up on the lifetime of technologies it uses and the selection of technological standards.
Transparent communication: every SIPTPE (or the PSO, if the SIPTPE is unable to do so) must ensure transparent communication on its PPS to the payment service providers, payment schemes and payment service users involved and must provide them with sufficient information. If its services become unavailable, this information must include the causes, consequences and expected duration and recovery time.
Supervisory powers: the NBB may request every SIPTPE and PSO to provide information on its organisation, functioning, financial position and processed payment transactions, as well as regular reporting. The NBB may also make on-site inspections, and inspect and copy every document in the possession of an SIPTPE and PSO.
Sanctions: if the NBB detects an infringement of the Law or if it detects that the conduct of business of an SIPTPE may threaten the stability and continuity of Belgian payment traffic, it may impose a deadline before which the SIPTPE must comply. If the deadline is not met, the NBB may (i) impose penalty payments (dwangsom/astreinte) of a maximum EUR 50,000.00 per day and up to a total of EUR 2,500,000.00; (ii) make public that the SIPTPE has not complied within the deadline; and (iii) in relation to certain requirements, impose an administrative fine of between EUR 25,000.00 and EUR 25,000,000.00 or up to 10% of the SIPTPE’s gross revenues for the preceding accounting year.
The NBB may also prohibit a PSO from relying on an SIPTPE or from outsourcing important operational activities to an SIPTPE if the latter has been sanctioned with an administrative fine.
1. The new law (the Law) was published in the Belgian Official Gazette of 24 April 2017 p. 53,019 and applies as from the day of its publication. In its Financial Market Infrastructures and Payment Services Report 2017, the NBB states that it will start implementation of the new legal framework for processors of retail payment instruments. Regulations will be prepared to further detail the Law’s requirements on the level of, for example, due diligence, notifications of incidents and (un)availability of the system. The report is available on the NBB’s website: https://www.nbb.be/doc/ts/publications/fmi-and-paymentservices/2017/2017-chapter-3-3-processors-retail-payment-instruments.pdf.
2 . Article 8 of the law of 22 February 1998 on the statute of the NBB. The Law has extended the NBB’s oversight to settlement systems. In its judgment of 4 March 2015, the European Court of Justice had ruled that the oversight power of the ECB over clearing and payment systems, as incorporated in article 22 of its statute, did not extend to settlement systems. However, this judgment does not prevent Member States from extending the oversight powers of their national central banks. See judgment T-496/11 (UK/ECB), dated 4 March 2015.
3. Soft-law regulations include, among other things: (a) international regulations, such as the Principles for Financial Market Infrastructures (2012) of the Committee on Payment and Settlement Systems at the Bank for International Settlement and the Technical Committee of the International Organisation of Security Commissions, and (b) Eurosystem regulations, such as the Revised Oversight framework for retail payments (2016), the Oversight framework for credit transfer schemes (2010) and the Oversight framework for direct debit schemes (2010).
4. Regulation (EU) N° 795/2014 of the ECB of 3 July 2014 on oversight requirements for systemically important payment systems (ECB/2014/28).
5. In the Netherlands, a legal regime was created for “afwikkelingsondernemingen” which also interfere in the processing of payment transactions. However, there are significant differences between the Dutch regime and the Law, as:
the Dutch regime applies only to entities incorporated in the Netherlands, whereas the Law applies to all PTPEs operating in Belgium; and
the Dutch regime requires entities below a certain threshold to register with De Nederlandsche Bank (the DNB), while entities above the threshold must obtain a licence from the DNB. The Law also only imposes a registration obligation on PTPEs meeting a certain threshold, without any prudential requirements.
6 Opinion of the ECB of 28 December 2016 on a Belgian draft law on the oversight of payment transaction processors (CON/2016/61), available at: https://www.ecb.europa.eu/ecb/ legal/pdf/en_con_2016_61.sign.pdf.
7 Although this must be assessed on a case-by-case basis, it is indeed possible that purely technical PPS are not captured by the payment services listed in Annex 1 to the PSD and PSD2. More importantly, even if they were to qualify as payment services, it seems that such services would fall within the technical service providers exemption under both the PSD and PSD2. See also article 3(j) of the PSD and PSD2. This exemption applies to “services provided by technical service providers, which support the provision of payment services, without them entering at any time into possession of the funds to be transferred, including processing and storage of data, trust and privacy protection services, data and entity authentication, information technology (IT) and communication network provision, provision and maintenance of terminals and devices used for payment services”. The PSD2 adds “with the exclusion of payment initiation services and account information services”. Also note that if a PPTE is regulated as a payment service provider, the NBB will have both prudential and oversight powers in respect of this entity. While its prudential supervisory powers focus on the individual entity, the NBB’s oversight powers focus on the strength and resilience of the payment system.
8 The preparatory works of the Law state that in relation to exemptions (ii) and (iii), the relevant processing entities are the Uitwisselingscentrum en Verrekening (or UCV) and Target2‑BE. Both processing entities are subject to Eurosystem oversight as a Prominently Important Retail Payment System and a Systemically Important Payment System (SIPS) respectively. SIPS are subject to the ECB’s SIPS Regulation.
9 The payment service providers may be operating on the basis of a passport for EEA payment service providers under the PSD and PSD2.
This case summary is part of the Allen & Overy Legal & Regulatory Risk Note, a quarterly publication. For more information please contact Karen Birch – firstname.lastname@example.org, or tel +44 20 3088 3710.