ApplePay and EU Payment Regulations

AJO
Regulatory Sandbox photo

Apple is launching its own payment service to the excitement and curiosity of many in the payments industry – as well as those who are fans of the world’s most valuable brand. The service is ready to launch in the US and hopefully soon in Europe.

As ApplePay looks to expand into the EEA, a key area of consideration is whether it will fall within the scope of the payment laws of the Member States – namely two key sets of regulation, stemming from the E-Money Directive (EMD) and the Payment Services Directive (PSD).

This post looks to examine some of the key issues that may face the ApplePay service under the above sets of regulations, including what is coming up as the proposed PSD2 continues to be finalised.

One important disclaimer is that the issues in this post reflect some of the types of matters which the service would need to explore in further detail –  only a full transparent review of the service would lead to any firm conclusions on its legal and regulatory position. Accordingly, the below is a high level review of certain potential issues and is not to be relied upon in any definitive manner nor as legal and/or regulatory advice.

What do we know about ApplePay?

We understand that the customer payment flow works as follows (when used with an iPhone 6 – but note it can also be used, in a slightly different manner, via iPad Air 2 (online only), iPad mini 3 and the Apple Watch):

1. Adding an existing customer payment card: A customer can add a payment card to their iPhone 6, which may already be linked to their iTunes account or a different card can be added from the iPhone 6’s camera. The card is added to the iPhone Passbook feature.

2. Here’s one of the first really interesting and important features – when a card is added to the iPhone 6 Passbook, the card number is never stored on the device, nor on Apple servers. Apple allocates a special “Device Account Number“, which is encrypted and stored on a chip inside the iPhone (known as the “Secure Element”). This means that if your device is ever lost or stolen or, if there is a security breach at Apple itself, your card details are never exposed. With recent horror stories of customer financial information breaches, this will alleviate many consumer concerns over the security of their financial information. Further, if your iPhone is lost or stolen, you can use the ‘Find iPhone’ feature to facilitate the suspension of payments from that device.

3. A customer can easily initiate a payment by:

Offline: holding their iPhone 6 over a merchant reader with their finger on the ‘Touch ID’ feature. The iPhone 6 has a NFC antenna built in to facilitate the payment instruction. This is similar to current contactless payment methods but with the benefit of using your ‘always handy’ phone together with your fingerprint as a means of authentication.

Online / In App: selecting the ApplePay payment mark via the app/site you visit on your iPhone and again using your fingerprint on the ‘Touch ID’ function.

4. Once the payment has been initiated, the assigned Device Account Number, as well as a dynamic transaction specific security code is sent via the payment card processing networks. This security code process is known as ‘tokenisation’ and it is a form of transmitting financial details securely – each of Visa and MasterCard have reportedly allowed ApplePay to use its tokenisation processes to allow the payment data to be transmitted in this way. Please note that tokenisation is not unique to ApplePay and it will be interesting to see what other payment methods will develop its use further (and/or given its security features, if it will one day become the industry standard). What is ApplePay specific, however, is that these tokens will also be used with the Apple ‘Touch ID’ fingerprint feature which adds an extra layer of payment authentication and security.

5. From an additional privacy perspective, Apple does not store details of a customer’s transactions, although details can be found via the Passbook feature.

Is ApplePay caught by the EU E-Money Regulations?

To determine whether ApplePay is within the scope of the EU E-Money regulations, the first question to ask is whether ApplePay involves the issue of ‘e-money’.

E-money” is defined under Article 2(2) of the EMD as meaning:

‘electronically, including magnetically, stored monetary value as represented by a claim on the issuer which is issued on receipt of funds for the purpose of making payment transactions as defined in point 5 of Article 4 of Directive 2007/64/EC, and which is accepted by a natural or legal person other than the electronic money issuer’.

It appears that ApplePay does not involve the issue of e-money – there doesn’t appear to be any electronic stored value issued by Apple to its customers on receipt of funds. It looks like Apple only facilitates the processing of payments by sending secure payment information.

What about ApplePay carrying out regulated payment services under the PSD?

It is indeed arguable that ApplePay involves certain regulated payment services – as provided for under the PSD. However, and this is key here, there is an exclusion available to operators of potentially regulated payment service providers if they don’t come into possession of the payment transaction funds and provide technical services that support payment processing. In particular, Article 3(j) stipulates that the PSD does not apply to:

“services provided by technical service providers, which support the provision of payment services, without them entering at any time into possession of the funds to be transferred, including processing and storage of data, trust and privacy protection services, data and entity authentication, information technology (IT) and communication network provision, provision and maintenance of terminals and devices used for payment services;”

The above does appear to have clear application to ApplePay, which may be very helpful indeed on removing ApplePay from the requirement to become authorised as a payment institution across the EU.

Are there any regulations coming down the pipeline which may more clearly capture ApplePay?

The short answer is yes. The PSD is under revision – referred to as PSD2 – which is currently making its way through the Brussels legislative process. More details on PSD2 can be found by clicking here.

One of the proposals under PSD2 is the introduction of new regulated payment services, which if no exclusion is available, will potentially require operators of such services to become authorised.

Of particular interest to ApplePay is the proposed new regulated payment service known as a “Payment Initiation Service”. The definition of a Payment Initiation Service (as provided by the Council of Ministers ‘final’ compromised text) is set out in draft Article 4(32) of PSD2 as follows:

payment initiation service’ means a service to initiate a payment order at the request of the payment service user with respect to a payment account held at another payment service provider;

What is also relevant to the introduction of the above is that the exclusion set out above for technical service providers will not necessarily apply to payment initiation services, so even if ApplePay were to continue to not come into ‘possession’ of the funds, it may subsequently fall within scope of the PSD2. To this end, the development of PSD2, and in particular the parameters of this new regulated payment service should be on ApplePay’s radar as it looks to expand and grow across Europe.

Related posts:

  1. ApplePay UK Launch and EU Payments Law
  2. Security of Internet Payments: EBA Consultation Paper
  3. Just how neutral is the ‘Mobile Device’ exclusion in the EMD and PSD?
  4. Mobile payments – time to properly sort out the EU regulatory framework

Leave a Reply

Your email address will not be published. Required fields are marked *