Key Regulatory and Industry Initiative (KRII)
Central banks across the world support digital currency regulations to guide cryptocurrencies and launch pilot programs.
South Korea’s central bank (BOK) launched a pilot program in April 2020 to test digital won, which will run through December 2021
People’s Bank of China is piloting a Central bank digital currency (CBDC). China’s four largest state-owned commercial banks have been developing and testing a wallet application to store, send, and receive Digital Currency Electronic Payment (DCEP).
In June 2020, the Italian Banks Association (ABI) began a pilot program for digital euro. Since 2019 an ABI working group has been researching digital and crypto-assets. ABI prioritized a digital currency framework that is fully compliant with EU regulations to win public trust and said banks are critical in upholding that trust.
Sweden’s e-krona testing brings it closer to the release of a CBDC. The pilot runs through February 2021.
In March 2020, the Central Bank of France announced an experimental program to test the integration of a CBDC for interbank settlements, inviting participant applications
Across the world, regulators are backing the FinTech ecosystem as the path to payments enhancement. In April 2020, the European Commission began preparation for a digital finance strategy/FinTech action plan to outline public policy through 2025.
In April 2020, Japan’s Fair Trade Commission legislated that practices by banks that cause undue disadvantages to FinTech companies could amount to an abuse of their dominant positions in violation of the antimonopoly law.
The Saudi Arabian Monetary Authority (SAMA) launched a regulatory sandbox environment for financial institutions and FinTechs in Feb 2020 and, in Apr 2020, permitted nine more FinTechs to operate in the sandbox, raising the total to 30.
EU banks RBS and Société Générale embraced a trial of fingerprint embedded payment cards to provide customers with better payment security
In Jan 2020, the Reserve Bank of India issued new debit and credit card rules that allow only domestic card transactions at ATMs and PoS terminals in India. For international transactions, online and contactless transactions, customers must now separately set up card services. Also, cardholders now have the option to switch their card on or off and set their limit.
As part of the UK’s new Financial Conduct Authority (FCA) rules, credit card providers – including UK banks such as Barclays, Lloyds, and Royal Bank of Scotland – must identify customers in persistent debt for at least 18 months. Customers who fail to respond or cannot afford higher payments risked having their credit cards suspended.
3-D secure initiative is an anti-fraud messaging protocol that allows consumers to authenticate themselves with the issuer of their payment card at the time of non-contact transactions (CNP). It helps to prevent unauthorized transactions in e-commerce environments and, in turn, protects against fraudulent trading.
In Malaysia, the MyDebit Corporate Card initiative went into effect in Apr 2020 to reduce the use of checks and cash payments. It enables corporations and entrepreneurs to make payments at government agency offices without a check or cash.
Denmark proposed to withdraw 1000 and 500 krone notes as a first step to achieving a cashless society by 2025.
In Jul 2019, Australia proposed a cap of AUD10,000 (USD7,500) on cash payments for goods or services. Indonesia set an ambitious target to achieve USD130 billion in e-commerce transactions by 2020.
Vietnam declared its goal to cut urban household cash transactions in half by 2020. However, the existing e-wallet regulation created by the State Bank of Vietnam is crippling non-cash adoption. The regulation stipulates that digital wallet accounts must link to a bank account held by the same person. So, if a consumer doesn’t have a bank account in Vietnam, he can’t get an e-wallet.
Mexico plans to launch initiatives to bolster cashless payment systems within cash-intensive tourist zones. As part of an effort to boost financial inclusion, Banco de México is already building CoDi, a system to enable all Mexicans to make online and in-person payments with their mobile phones. Amazon is in talks with the bank to adopt the same.
In Feb 2020, The Saudi Arabia Monetary Authority (SAMA) approved Halalah and BayanPay to launch full e-wallet services, as part of the Kingdom’s attempts to reduce the use of physical cash.
South Korea and Singapore plan to reduce cash use by supporting digital payments. In China, super app WeChat derives about half its revenue from digital payments. After COVID-19, some central banks quarantined physical bills, and some went so far as to burn banknotes. The World Health Organization recommended contactless payments to reduce cash handling and the potential spread of infection.
In the United States, the Law on Bank Charters for FinTechs was updated in Oct 2019, when a federal district court in New York ruled that the US Office of the Comptroller of the Currency (OCC) is not authorized to grant national charters to FinTech companies. In August 2018, the OCC said it would start accepting applications for the charter to enable FinTech firms to operate across the country without complying with state-by-state rules and was supposed to help FinTechs in the US get into banking.
For the time being, it looks like partnering with banks will continue to be the easiest route for FinTechs to enter the banking space. The US OCC granted San Francisco mobile-only FinTech Varo preliminary approval for a national bank charter in May 2020. The charter will allow Varo to grant loans in all 50 states and more freely view customer account data because a third party will no longer hold it. Another San Francisco FinTech, SoFi (a personal finance startup), also filed for a national bank charter with the OCC in July 2020. Already licensed in Europe, German digital bank N26 partnered with already-licensed Axos Bank (previously known as BofI Federal Bank), so it could launch in the United States.
After the European Central Bank reviewed input about granting banking licenses to FinTech firms, UK-based Revolut was granted a license. The Australia Payments Regulatory Authority (APRA) granted unrestricted licenses to FinTechs VOLT, 86400, and Judo. The startups will have to fulfill the same regulatory capital requirements as other authorized deposit-taking institutions (ADIs).
The Asia-Pacific Economic Cooperation (APEC) that consists of more than 20 member nations, including the United States, Canada, China, Japan, and Australia has developed several data protection initiatives. On Mar 9, 2020, the APEC Cross-Border Privacy Rules (CBPR) system Joint Oversight Panel approved the Philippines’ application to join the APEC CBPR system. The APEC Cross-Border Privacy Rules System (CBPR) provides standard data privacy policies that businesses can use to comply with the APEC privacy framework. The system facilitated cross-border data flows by providing a voluntary framework to ensure certainty and minimum privacy protections.
After the introduction of GDPR in Europe, mandatory data breach notification laws were introduced in several countries, including Australia, the Philippines, New Zealand, and Singapore. The current state of data protection in Latin America only refers to overall legislation in Argentina, Colombia, Chile, Mexico, Peru, and Uruguay. Other countries, such as Brazil, have enacted legislation that only covers particular protection areas. Venezuela has no specific data protection legislation but has some protections for privacy under its federal constitution interpreted to apply to data protection. Paraguay, so far, does not appear to be interested in passing GDPR compliance legislation.
India’s data protection bill, which was on the verge of passing in 2020, and Serbia’s data protection law that began in Aug 2019 seek to protect the privacy of personal data, regulate the processing of sensitive and critical personal data, and establish countrywide data protection.
The Reserve Bank of India is working on a regulatory sandbox for financial technology and setting up data science labs to keep pace with innovation in the digital lending space. It has set up an inter-regulatory working group to study regulatory issues relating to FinTech and digital banking in India.
In May 2018, the central bank of Indonesia capped foreign ownership by e-money providers at 49%, which may explain its suspension of e-wallets TokoCash and GrabPay, a mobile wallet originally used by Singapore-based Grab, since they submitted license applications in late 2018.
The Monetary Authority of Singapore will impose restrictions on FinTech firms to safeguard the funds held by mobile wallet operators in the country. To level the playing field, the ring-fencing mechanism will guarantee that funds allocated for a particular purpose cannot be spent on anything else such as lending.
Japan overhauled the Financial Services Agency (FSA) to deal more effectively with FinTech-related fields, including cryptocurrencies. Changes were made to various bureaus to make the organization more suited to address new problems and challenges in the financial sector. The Strategy Development and Management Bureau, which replaced the Inspection Bureau, will reportedly develop a financial strategy policy and handle issues addressing the digital currencies market, FinTech, and money laundering.
Cambodia is fostering FinTech collaboration. The Cambodia FinTech Association, located in the Cambodian capital’s Daun Penh district, will initially include banks, digital payment companies, and financial operators.
Saudi Arabia’s banking regulator is designing a sandbox regulatory environment in line with its economic transformation. The move is similar to initiatives by other regulators in the Arabian Gulf and will help the Saudi Arabian Monetary Authority understand and assess the impact of new technologies on the financial services market.
More than 60 companies from 12 countries formed a Pan-Asian FinTech Cooperation Committee (FCC) to spur the adoption of FinTech in the region. The FCC aims to bring banks, FinTechs, and policymakers together to explore common ground across frontiers and promote the region’s burgeoning FinTech ecosystem.
The Federal Reserve Bank of New York set up a FinTech advisory group that first met in Apr 2019. The group will share views and perspectives on emerging FinTech issues, and the application and market impact of new technologies.
ISO 20022 is now the global standard for payments messaging and creates a common language and model for payment data worldwide. In June 2020, Payments Canada announced the availability of ISO 20022 messages for Lynx, the country’s new high-value payments system. ISO 20022 messages for cross-border payments will start in late 2022 instead of Nov 2021 as initially planned by SWIFT.
Since the 2017 launch of SWIFT, adoption has been steady, including the world’s 60 biggest banks and several other financial institutions. By Nov 22, 2020, every eligible financial institution on SWIFT will be required to confirm all incoming MT 103 payment instructions. FIs will be measured on whether or not they confirm at least 80% of their payments within two business days (including those transferred outside of SWIFT). Institutions that fail to meet the criteria by the end of Nov 2020 may lose access to some features of the Basic Tracker.
In Sep 2019, SWIFT launched a service to deliver global instant payments by integrating global payments innovation (gpi), the cross-border payments service with real-time service levels, into domestic instant payments systems worldwide. SWIFT, together with gpi banks, will facilitate instant international payments with upfront fee and foreign exchange transparency for senders, while also ensuring the ubiquitous availability of instant cross-border payments globally.
TARGET2, a Real Time Gross Settlement (RTGS) funds transfer system, owned and operated by Euro system, is the second generation of TARGET. It enables real-time payments to flow safely and efficiently across Europe in Euro. TARGET2 settles payments related to the Euro system’s monetary policy operations, bank to bank, and commercial transactions without any value limit. Central banks and commercial banks can submit payment orders in euro to TARGET2, where they are processed and settled in central bank money. Deadline for migration to TARGET 2 – Nov 2021
Thanks to TIPS, individuals and firms can transfer money between each other within seconds, irrespective of the opening hours of their local bank. TIPS was developed as an extension of TARGET2 and settles payments in central bank money. TIPS currently only settles payment transfers in euro. However, if demand dictates, other currencies could also be supported.
The Netherlands rolled out instant payments in 2019, and henceforth, all business and private customers of seven Dutch banks (ABN AMRO, ING, Rabobank, de Volksbank ‒ ASN Bank, RegioBank, SNS ‒ and Knab) can quickly transfer payments via mobile and online banking.
In Jun 2019, Nets and Giro launched an instant payment platform for Hungarian banks to test services, and in Mar 2020, GIRO had commercialized a new instant payments platform based on the well-established platform – RealTime24/7. The commercial launch included all Hungarian banks, delivering a massive volume of more than a million successful transactions in the first three days.
In Feb 2019, Bankart, which is a Slovenian firm in the field of processing and modern payments instruments, went live with Nets’ RealTime24/7, enabling transactions between Slovenian banks to be cleared in less than a second.
The European Central Bank (ECB) has updated its approach to regulation, and intraday is now firmly part of its liquidity regime. The new Internal Liquidity Adequacy Assessment Processes (ILAAP) procedure, which was implemented in Jan 2019, has been released by the ECB in Nov 2018.
The regulation aims to ensure banks can meet their payment obligations and determine at regular intervals their liquidity position.
As part of the same, banks and FIs that have to abide by the stipulated liquidity norms should conduct a Statutory Review and Evaluation Process(SREP) and submit the findings of their respective ILAAP assessment to the ECB.
The Reserve Bank of India has eased liquidity norms for shadow banks that act as non-banking financial companies. Banks are now permitted to reckon government securities held by them up to an amount equal to their incremental outstanding credit to NBFCs and Housing Finance Companies (HFCs).
The US Federal Reserve Board announced temporary action in April 2020 to increase intraday credit on both a collateralized and uncollateralized basis to support households and businesses during COVID-19.
The global mobile wallet market accounted for more than USD880 billion in 2017 and is expected to reach more than USD9,352 billion by 2026, for a 30% CAGR.
In India, mobile wallet operators such as PhonePe, Paytm, and Amazon Pay worked to upgrade users’ non-compliant accounts to full KYC by the Feb 2020 deadline. RBI gave them the option to convert their minimum KYC accounts to low KYC pre-paid instruments, or PPI accounts.
The low KYC PPI account will have a monthly transaction limit of Rs 10,000, and this move likely helps 200 million non-compliant KYC mobile wallet users, many of whom authenticated via Aadhaar.
In Europe, mobile wallets ‒ Bluecode, ePassi, momo pocket, Pagaqui, Pivo, Vipps ‒ joined with Alipay to offer QR code-based payments to local merchants in 10 European countries where these apps are accepted. ePassi is preparing to roll out the QR code format for users across several Nordic countries, while the Spanish payment company MOMO, Portugal’s Pagaqui, and Austria’s Bluecode intend to extend the collaboration in their home markets.
In Feb 2020, The Saudi Arabia Monetary Authority (SAMA) approved Halalah and BayanPay to launch full e-wallet services, as part of the country’s attempts to promote a cut in the use of physical cash.
Worldpay from FIS 2020 Global Payments Report predicts Digital wallets to account for 52% of global e-commerce sales by 2023.
Tokenization makes mobile wallet payments more straightforward, safer, and more secure. Tokenization supports Apple Pay, Android Pay, and Samsung Pay, as well as several payment services offered by OEMs and banks.
In India, PayTm operates 300 million wallets, making it the largest mobile payment service platform in the country. In Kenya, M-Pesa allows people to transfer cash using their phones and is used by 67% of adults to contribute to a quarter of the country’s GNP flow.
Mobile payments in China have reached over $41 trillion (277 trillion yuan) annually. More than 92% of the mobile payments are made over the two dominant platforms: Alipay (53%) and WeChat Pay (39%)
Visa is aggressively promoting contactless cards across the globe, specifically in the United States and India. In India, Visa has issued nearly 20 million contactless cards with about 1 million terminals that can accept such cards. Visa contactless payment cards have an embedded antenna and microchip, enabling contactless communication with a card reader at checkout. Cardholders can simply tap or wave the card over a secure reader. Then, the transaction is processed through Visa’s global, secure network, VisaNet, which processes all Visa transactions. In the United States, the shift to contactless cards has started to gather pace with JP Morgan, the biggest credit card issuer, is driving the roll-out of contactless technology on its payments cards to further accelerate the transition. It is estimated that the switch to contactless could boost annual card payment volume by USD78.4 billion by 2021.
The use of biometrics in payments is on the rise because of the desire for convenience, frictionless authentication while paying in all channels, and security. It is estimated that there will be over 2.6 billion biometric payment users by 2023. Slower rates of adoption are expected for local mobile biometric payments in North America, Europe, Africa, ME, and LATAM with the highest rates of adoption expected in China, India, and the rest of APAC. Mastercard, in association with Bank Intesa Sanpaolo, has launched Gemalto’s fingerprint-based authentication cards in late 2018. The rise of new architectures such as system-on-chip (SOC) is expected to give further impetus to the adoption of biometrics.
Tokenization solutions rather than the use of individual tokens are being embraced for enhanced security. Implementation of cloud-deployed tokenization solutions is on the rise. The tokenization market size is expected to grow from USD983 million in 2018 to USD2670 million by 2023, at a CAGR of more than 22%.
It is estimated that by 2021 there will be 27.7 million mPOS devices in circulation. The convenience of making payments anywhere and anytime is the biggest driver for the growth of mPOS volumes. The adoption of AI in payments is increasing due to multiple uses in security, authentication, process efficiency, and transaction processing.
In Oct 2019, American Express, Discover, MasterCard, and Visa launched faster, more secure online checkout based on the new Secure Remote Commerce (SRC) industry standard, to establish a simplified way for card payments to be made across web and mobile sites, mobile apps and connected devices.
In Jul 2020, American Express, Discover, Mastercard, and Visa announced they were each preparing for global expansion of the Click to Pay online checkout – based on the industry-standard EMV Secure Remote Commerce. Geographies are to include Australia, Brazil, Canada, Hong Kong, Ireland, Kuwait, Malaysia, Mexico, New Zealand, Qatar, Saudi Arabia, Singapore, United Arab Emirates, and the United Kingdom, with others to follow.
Following an inter-ministerial panel’s proposal on an independent payment systems regulator, the Reserve Bank of India has submitted a dissent note citing that there is no case for having a separate payments regulator outside the central bank. The proposal for an independent Payments Regulatory Board (PRB) to foster competition, consumer protection, systemic stability, and resilience in the payments sector, according to the draft Payment and Settlement System Bill, 2018.
The New Payment System Operator (NPSO) released initial details of the new procurement process for the clearing and settlement layer part of the New Payments Architecture (NPA). The NPA is a conceptual model for payments in the UK, to cover the processing of £6.7 trillion of Bankers' Automated Clearing System (Bacs), faster payments, and to potentially check payments every year, from 2021. It aims to simplify rules, standards, and processes that banks and others follow to use the systems.
Singapore’s New Payment Services Act was passed into law by the Monetary Authority of Singapore (MAS) in early 2019. The Payment Services Bill that proposes to consolidate and replace The Money-Changing and Remittance Business Act and the Payments Systems (Oversight) Act. The bill will expand the scope of regulated activities beyond stored value facilities (SVF), remittance, and money changing services to include payment account issuance, domestic money transfer, and merchant acquisition services
B2B cross-border payments is a growing segment ripe for disruption. Visa connected with several banks in Nov 2018 to begin testing VisaB2B Connect, a platform that can help banks provide cross-border payments more efficiently. Due to the traction in the cross-border payments segment, Mastercard and Visa vied for the acquisition of Earthport, which was purchased ultimately, by Mastercard.
Although adoption is somewhat nascent, blockchain has promising potential for cross-border payments use. Also, SWIFT plans to expand its blockchain integration, and this trend may grow as banks look more closely at the capabilities of blockchain.
As part of ASEAN 2025, member states engage in the modernization and integration of their financial infrastructures to lead, ultimately, to a pan-regional real-time payment ecosystem. Malaysia’s CIMB and RippleNet have collaborated to improve consumer access to cross-border remittances, both inbound into ASEAN and outbound to other countries.
Brazil, Russia, India, China, and South Africa are creating a single payment system, BRICS Pay, as part of the drive to establish a common system for retail payments and transactions between the five BRICS nations. These countries plan to introduce a cloud platform to connect their national payment systems. An online wallet will be developed with access to these payment systems, as well as a mobile app similar to Apple Pay that can be installed on smartphones for purchases in any of the five BRICS countries, regardless of which currency the payment and the money in the account of the buyer are denominated in. The BRICS Pay contactless payment system will not duplicate the national payment systems; but will act as a service for linking the credit or debit cards of the citizens of the five BRICS countries to online wallets, which will offer them the ability to pay using a smartphone.
FinTech companies such as Adyen, Airwallex, with technology in hand, have built cross border financial infrastructure and applications that inspire global opportunities and help customers scale their business in every corner of the globe. These applications provide simple and fair transparent pricing ‒ No monthly fees, no card fees, just a small margin on top of our interbank FX rates.
The Danske Bank, DNB, Handelsbanken, Nordea, OP Financial Group, SEB, and Swedbank are considering domestic and cross-border payments in multiple currencies. The system builds on the smartphone payment applications that Nordic banks have already created, such as Swish in Sweden, Norway’s Vipps, and MobilePay in Denmark. It was named P27 to connect 27 million people in the Nordics.
In May 2020, the Central Bank of Brazil announced open banking regulations. The implementations should take effect from Nov 2020 in four phases and be fully operational by Oct 2021. The Central Bank of Brazil reinforces that all authorized financial institutions will participate in the open banking system. In addition, the participation of the largest banks in Brazil is mandatory.
In Dec 2019, South Korea formally launched an open banking service to increase convenience and lower transaction costs for bank customers. The new system enables bank customers to access nearly all banking services offered by any bank through a single smartphone application, including withdrawals and transfers, according to the Financial Services Commission.
Australia’s Australian Competition and Consumer Commission ACC opted for a phased implementation of open banking that was to begin in Jul 2020.
Australia’s big four banks – ANZ, NAB, Westpac, and Commonwealth Bank – have taken open banking first steps. Updated timelines: Major banks began to share PRD for credit and debit cards, deposit accounts, transaction accounts, mortgage, and personal loan accounts in Feb 2020, and non-major banks started in Jul 2020.
Beginning in Jul 2020, customers of Australia's four major banks can direct their bank to disclose their banking data from a range of personal accounts to accredited data recipients. Major banks will be required to share consumer data relating to mortgage and personal loan accounts beginning in Nov 2020. Major banks will be obliged to share certain more complex data sets, including joint accounts, closed accounts, direct debits, and scheduled payments from Nov 1, 2020.
In Jul 2018, Malta became a Distributed Ledger Technology regulation pioneer by dismissing the ambiguity that blockchain companies had been coping with previously.
France, Italy, Portugal, Spain, Greece, and Cyprus signed a joint declaration of the cooperation in Dec 2018, saying DLT is a valuable emerging technology ‒ along with 5G and AI ‒ that could transform the countries’ economies. Signees also said governments should promote emerging technologies.
With DLT’s capability to achieve transparency and decentralization, it is applied in clearing and settlements, supply chain financing, digital identity, KYC, etc. to ensure unified payment process effectiveness.
In Nov 2019, Cyprus issued a procurement announcement requesting interest from the private sector to participate in the possible implementation of potential use cases on DLT and more blockchain-related services in public and private sectors.
Estonia is planning to introduce a cryptocurrency with the working name estcoin, according to a blog post by the head of the country’s advanced e-residency digital initiative. However, estcoin would not become the official national digital currency, since Estonia is part of the EU and uses the euro as its currency. Instead, the country is considering several variants of estcoin, which might be used to verify identity in blockchain-based transactions, or as a payment method that is exchangeable with euros.
In 2018, Malta became the first country to enact crypto regulations. The regulation does not consider cryptos as a legal tender and recognized by the government only as a medium of exchange, a unit of account, or a store of value.
In Dec 2019, Ukraine passed a money laundering law with a crypto policy based on Financial Action Task Force (FATF) guidelines. A final version of the Ukraine law covers virtual assets and virtual asset service providers.
In Jun 2019, the FATF adopted new rules on crypto assets and published an updated Guidance on Virtual Assets and Virtual Asset Service. Under these new measures, crypto service providers will be required to implement the same requirements as traditional financial institutions. If a country fails to abide by the financial regulation or falls short, it could be added to a FATF blacklist that restricts access to the global financial system.
As of 2018, the global P2P lending market was worth an estimated $15 billion and is expected to grow nearly 3x by 2024, jumping to $44 billion as more countries, such as Thailand, introduce legislation that regulates and promotes the funding model. In 2019, Thailand introduced an updated framework for debt crowd-based funding. Singapore’s MAS has managed to provide a healthy regulatory framework for the P2P lending industry. Vietnam has a growing P2P lending market in similar lines to that of China and thus needs regulation.
The EU has formulated a draft crowdfunding regulation in 2018 that provides an opt-in framework for operators to choose between compliance with national law or an EU authorization label conferred and supervised by the European Securities and Markets Authority (ESMA).
BPO is an irrevocable document given from a buyer’s bank to a supplier or seller’s bank, in which an agreement is made to pay a specified amount of money on an agreed future date under the condition of electronic matching of data. More banks have started to embrace BPO as the payment method can enhance trade finance technology. Uniform Rules for Bank Payment Obligation (URBPO) are undergoing updates and changes by the ICC Banking Commission to accommodate developments such as DLT
Open Banking Europe (OBE) published the JSON Web Signature Profile to addresses standardization and security in open banking APIs and to align European APIs into one security model. OBE and the European Telecommunications Standards Institute (ETSI) have brought together experts from different PSD2 API Communities. The deliverable of this joint effort is available for industry review and feedback and further consultation with relevant standardization agencies.
The latest regulations cover cross-border payments and currency conversion transparency charges within the European Union.
Charges on cross border payments: Charges levied by PSPs on a PSU in euro (€) shall be the same as charges levied by that PSP for corresponding national payments of the same value in the national currency of the member state.
Charges levied by a PSP on a PSU in the national currency of the member state that notified its decision to extend the application of this regulation to its national currency shall be the same as the charges levied by that PSP on PSU for corresponding national payments of the same value and in the same currency.
Currency conversion charges related to card-based payments: PSPs and currency conversion service parties at ATM or PoS shall disclose the payer before the payment initiation process on the total currency conversion charges as a percentage mark-up over the latest available euro Forex reference rates issued by the European Central Bank (ECB).
Currency conversion charges related to Credit transfers: When credit transfer is initiated online, directly using website or mobile banking service of a PSP, the PSP shall communicate to the payer on the estimated total amount of the credit transfer in the currency of the payer’s account, including any transaction fee and any currency conversion charges.
The PSP shall also communicate the estimated amount to be transferred to the payee in the currency used by the payee.
In Dec 2019, The European Council adopted a Cross-Border Payments Regulation (CBPR2) regulation that requires all cross-border payments in euro in the non-Eurozone EEA countries - Bulgaria, Croatia, Czech, Denmark, Hungary, Iceland, Liechtenstein, Norway, Poland, Romania, Sweden, United Kingdom - to be priced the same as domestic payments. This regulation (the extension of the Cross-Border Payments Regulation, CBPR2) means cross-border euro payments will incur very low, or even zero, fees.
In July 2020, 16 major European banks from five countries backed by the European Central Bank (ECB) paved the way to launch the European Payments Initiative (EPI). The plan offers a unified card and digital wallet for use across Europe — to supersede the previously fragmented landscape. Through the end of 2020, European market players, banks or banking syndicates, and third-party PSPs may apply/join EPI as a founder. The European Payments Initiative is to become operational in 2022.
The European Banking Authority (EBA) extended the deadline for migration for Strong Customer Authentication (SCA) to Dec 31, 2020, from the initial Sep 14, 2019. And, as COVID-19 constrained FI resources, The European Payment Institutions Federation wrote to the EBA (European Banking Authority) in March 2020 asking for a six-month extension of the Dec 31, 2020 SCA deadline. Under SCA, the consumer goes through two-factor authentication that includes providing two or more of these: 1. Knowledge: Pin/Password that only customer knows, 2. Possession of a hardware token, 3. Inherence: Biometric factors such as facial or fingerprint recognition to improve security.
The fifth Anti-Money Laundering Directive came into effect in January 2020. It emphasizes transparency and disclosure of an entity’s actual owners. Additionally, based on its Sept 2020 deadline, member states are now required to set up centralized, automated mechanisms to identify the holders of bank accounts and safe deposit boxes. Throughout the EU, Member State notifications are fragmented, reflecting the complexity of identifying and classifying legal arrangements. Member States that fail to transpose the directives correctly may face enforcement actions and penalties.
A new European Electronic Communications Code is due to take effect in all EU Member States by Dec 21, 2020 to improve the security of electronic communications services. In anticipation of the transition, ENISA began preemptive collaboration with national telecom regulators from across Europe.
The European Commission adopted the RTS (Regulatory Technical Standards) to prevent fraud and secure customer data. Under RTS, the banks set up a communication channel for TPP’s, thereby allowing banks to identify the TPP’s when accessing the customer data and for secure messaging to communicate with each other.
Since the introduction of PSD2, there has been overlap between SecuRePay and PSD2 regarding payee (KYC) identification, linking the payment instrument with KYC, and linking KYC and the payment instrument with 2FA, which should include a dynamic element or biometrics
Beginning in Jan 2020, as part of the implementation of the fifth Anti-Money Laundering Directive (AMLD5), the German Parliament required providers of technical infrastructures, such as Apple regarding the Near Field Communication (NFC) antenna contained in iPhones, to grant access to those technical infrastructures to payment service providers (PSPs).
In Apr 2019, the European Commission launched the European Forum for Innovation Facilitators (EFIF) to foster collaboration and experience-sharing among European financial supervisors about their engagement with FinTech firms through sandboxes and innovation hubs. Also, the European Supervisory Authorities (ESAs) and EU Member States’ National Competent Authorities (NCAs) will be joined by third-country authorities to exchange best practices, identify regulatory obstacles and share FinTech growth information.
The European Commission issued a public consultation in preparation for a digital finance strategy/FinTech action plan that was to be proposed in Q3 2020. The strategy defines priorities for the next five years and policy measures to be implemented.
The EC supports a regulatory sandbox, a controlled and structured environment in which a regulatory framework is set by the financial sector regulator, to allow enough space for innovation development. It aligns compliance and regulation with the rapid growth in FinTech companies without compromising customer security.
Twenty-one EU Member States and three European Economic Area (EEA) countries currently have innovation hubs, while only five Member States have fully operational regulatory sandboxes. The EC is working with market players on risk assessment related to innovations and determine whether EU-level regulatory action is required.
Spain plans to launch a regulatory sandbox under the supervision of three authorities: Banco de España (the country’s central bank); the Comisión Nacional del Mercado de Valores (the National Securities Market Commission, the agency responsible for financial regulation of securities markets); and the Dirección General de Seguros y Fondos de Pensiones (the Directorate-General for insurance and pension funds).
AI: In Feb 2020, the European Commission (EC) presented its long-awaited proposal for comprehensive AI regulation at the European Union level. The draft legislation, which is part of a more significant effort to increase public and private investment in AI to more than €20 billion per year over the next decade, is expected to be available by the end of 2020.
Contactless: Contactless payment adoption in Europe is well ahead of the rest of the world and is becoming a new normal with the pandemic scenario. 89% of people agree that contactless payments have been easy to adopt, and nearly half (42%) of people across Europe admit their use of cash has decreased during COVID-19. It is expected that all point-of-sale terminals in Europe will be contactless-enabled by the end of 2020.[1]
[1] Mastercard,”Contactless Continent,”May 28, 2020
The EU’s Electronic Identification and Trust Services Regulation (eIDAS) has been in effect throughout the European Union since Sep 2018.
The European Parliament passed a regulation to secure ID cards to strengthen identity card security and residence documents throughout the European Union. Moreover, the security features of ID cards will align with those of passports. Both types of travel documents will contain a highly secure contactless chip with the holder’s photo and fingerprints.
5AMLD, together with eIDAS regulation, supports the EU’s Digital Single Market concept that allows immediate homogenous electronic identification in Europe and remotely as 5AMLD emphasizes the transparency of an entity’s real owner.
Electronic ID (eID) provisions and related trust services created by the regulation will dramatically increase the level of security for cross-border transactions for businesses and offer many other benefits.
The eID scheme is active in several member states, while the same is in development in Bulgaria, Cyprus, France, Greece, the Netherlands, Poland, and Romania. Denmark, Ireland, and the UK are exceptions because of a lack of political and social support
After PSD2 implementation, European retail organizations asked authorities to expand the scope of interchange fee controls to tackle stupendous charges imposed by card schemes after rules that banned merchants from recovering costs from consumers were implemented.
Card issuers, acquirers, and merchants are preparing for a Dec 7, 2020 public hearing organized by the European Commission to take stock of the EEA Interchange Fee Regulation. This follows the recent publication of a Commission report on the impact of the IFR (Interchange Fee Regulation) that notably stated that a revision of the IFR would not be proposed at this stage.
The Commission's report was submitted to the European Parliament and EU Council on Jun29, 2020, more than a year past its deadline. IFR does not apply to credit transfers, only to card-based payments, and therefore does not impose caps on a possible interchange fee on credit transfers.
Overall, 85% of TARGET2-Securities (T2S) markets comply with T2S harmonization standards. This figure has not changed since the publication of the harmonization progress report in Jan 2018. However, advancement was made in some T2S markets in compliance with T2S corporate actions, although this is still the area with the most non-compliance cases. The pre-migration assessment of ID2S (the new French CSD), joined T2S in October 2018 and indicated strong compliance with T2S harmonization standards. The AMI-SeCo continues to pay close attention to existing non-compliance cases and resolution plans. Significant updates are underway to define T2S standards in withholding tax, conflicts of laws, and settlement discipline.
Italy’s SIA will build Canada’s new core clearing and settlement system. SIA will work jointly with Payments Canada and industry stakeholders on the next version of their Real-Time Gross Settlement (RTGS) application solution.
The Euro system is consolidating TARGET2 and T2S, in terms of both technical and functional aspects. SWIFT has managed to win the contract. The objective is to meet changing market demands by replacing TARGET2 with a new real-time gross settlement (RTGS) system and optimizing liquidity management across all TARGET Services. The new RTGS system will offer the market enhanced and modernized services. The new consolidated platform will launch in Nov 2021.
Eurozone banks are beginning to implement the European Payments Initiative (EPI). In Jul 2020, 16 major European banks from Belgium, France, Germany, the Netherlands, and Spain paved the way to EPI to offer a digital payment solution that can be used anywhere in Europe and supersede the current fragmented landscape.
In 2020, The Swiss Federal Council published a draft on the amendment of the Anti-Money Laundering Act (AMLA) that is expected to go into force in early 2021. The AMLA amendment was proposed as a result of the fourth FATF (Financial Action Task Force / Groupe d’action financière) country report of Switzerland. The FATF has, among other things, criticized the Swiss money laundering reporting system, which has so far been based on a dualistic approach (right to report / duty to report). The consultation draft is supposed to address this criticism and suggests abolishing the right to report.
UK’s AML and CTF took effect in Jan 2020 and impose additional requirements to obtain information on the customer and its beneficial ownership and the customer’s source of funds. AML and CTF enhance the monitoring of ongoing relationships while also examining the purpose of business relationships and transactions.
The Bank of England (BoE) and the Financial Conduct Authority (FCA) will collaborate with The Monetary Authority of Singapore (MAS) to strengthen cybersecurity
Bank of England to consider adopting cryptocurrency by weighing potential benefits amid the decline of cash and the emergence of Facebook’s Libra. Bank officials will meet with the Bank of Japan, the European Central Bank (ECB), the Sveriges Riksbank, the Bank of Canada, the Swiss National Bank, and the Bank for International Settlements (BIS) to pool research and experiences of the potential for a central bank digital currency (CBDC).
In Mar 2019, The Payment Accounts (Amendment) (EU Exit) Regulations 2019 (SI 2019/661) were published on legislation.gov.uk. The purpose of the regulations is to ensure that UK legislation implementing the Payment Accounts Directive (2014/92/EU) (PAD) operates effectively after Brexit. The regulations apply to every Payment Service Provider (PSP), except credit unions, National Savings and Investments (NS&I), and the Bank of England. This instrument makes amendments to PAR to remove deficiencies arising from the UK’s exit from the EU.
New Zealand implemented the second phase of its AML and Countering Financing of Terrorism (AML/CFT) Amendment Act 2017. The law has been implemented in different phases for different sectors. Since Jan 2019, real estate agents, businesses trading in high-value goods, and sports and race betting industries have had to comply with the new rules.
A cybersecurity strategy was published in Jul 2019 to prioritize (2019 – 2023): cybersecurity aware and active citizens, a strong and capable cybersecurity workforce and ecosystem, an internationally active, resilient and responsive New Zealand, and a proactive approach to tackling cybercrime.
Singapore introduced the Payment Services Act (PSA) in January 2020 to provide licensing and regulation for payment service providers and oversight of payment systems. PSA encourages better digital payment capabilities across the country, fosters greater trust in e-payment systems, and safeguards financial activities in the digital landscape.
Japan’s Financial Service Agency released guidelines in Apr 2019 for AML and combating financial terrorism. The guidelines require actions and expected actions for each financial institution and explain how the FSA will conduct future monitoring.
In Jun 2020, Japan’s three biggest banks - Mizuho Bank, MUFG Bank, and Sumitomo Mitsui Banking Corporation are investigating the creation of a digital currency settlement infrastructure. Other countries studying the possibility of a national digital currency are Australia, Canada, Israel, Russia, Sweden, and Ukraine.
Regulatory guidelines from the Reserve Bank of India (RBI) went into effect in Apr 2020 for payment aggregators and payment gateways on directions for opening and operation of accounts and settlement of payments for electronic payment transactions involving intermediaries.
Reserve Bank of India (RBI) introduced operational guidelines on the interoperability of prepaid payment instruments (PPIs).
India rolled out One-Nation-One-Card in March 2019 to enable passengers in India to commute anywhere through any mode of transport. All new credit and debit cards issued by most banks have the National Common Mobility Card feature to make payments for their travel. Delhi Metro will begin to implement an automatic fare collection counters (AFCs) pilot in Dec 2020 to read these cards for a seamless exit at stations.
RBI announced steps in late 2019 to encourage digital payments, including removing charges related to the National Electronic Funds Transfer (NEFT) and introducing an interoperable system so drivers can rely on FASTags to pay parking fees, fuel, and other activity. And beginning in Jan 2020, banks no longer charged savings account holders for online NEFT transactions.
In Dec 2019, RBI introduced a new type of prepaid payment instrument (PPI) with a limit of up to Rs10,000 to be used only to purchase goods and services. The loading /reloading of such PPI will be only from a bank account and used for making only digital payments such as bill payments, merchant payments, etc.
The 2019 Personal Data Protection (PDP) bill protects Indian users from global breaches and prioritizes the storage and processing of critical information related to individuals in India.
The draft National Cyber Security Strategy 2020 (for2020-25), seeks to secure India cyberspace and is on track for finalization in late 2020.
Government data reveals that India experienced 394,00 instances of cybersecurity incidents in 2019. CERT-In data shows that 336 websites belonging to central ministries, departments, and state governments were hacked from 2017 and 2019.
RBI limits customer liability in fraudulent PPI transactions. Under new customer liability norms, the regulator announced that fraud caused by a third-party breach is not the fault of the customer or the PPI issuer, and the customer is not liable if the incident is reported within three days. If the fraud is reported between three and seven days, customer liability will amount to the transaction value or ₹10,000 (about USD136), whichever is lower.
Reserve Bank of India plans to launch a cryptocurrency. The governor of RBI said issuing cryptocurrency is a governmental issue and should not be handled privately. RBI is considering the development of a sovereign digital currency.
In March 2020, India’s Supreme Court overruled RBI’s move to ban business activities that local banks can do with crypto-related companies citing the right of Indian citizens to practice the profession of their choice. As a result, Indian crypto enterprises were encouraged to reopen as the government works to figure out how to curb anti-money laundering and combat terrorism financing. Within a month after the ban was reversed, WazirX (Indian cryptocurrency exchange) grew 470% in daily trading volume, according to its CEO.
Cambodian and Thai regulators launched an interoperable payment QR code in Mar 2020. Cambodian tourists who visit Thailand may now use their mobile banking app to pay in Cambodian riel when shopping at stores that display a Thai QR Payment sign. The same functionality will be extended to Thai tourists in Cambodia by the end of 2020.
In Nov 2019, Siam Commercial bank announced its partnership with Liquid Group to enable cross-border QR payments between Singapore and Thailand. In Dec 2019, Asia United Bank (AUB) announced a partnership with Liquid Group to enable cross-border QR payments between Singapore and the Philippines. And in Jun 2019, CIMB Niaga partnered with Liquid Group to support Bank Indonesia’s QR-code standardization trial (QRIS) for cross-border transactions.
Over the past year, 17% of cybersecurity-related issues were the result of third-party system breaches, according to an Apr 2020 survey by the UK’s Financial Conduct Authority, which underscores the need for fool-proof counterparty risk mitigation policies.
Thailand’s cybersecurity act, published in May 2019 stipulated that any import, dissemination, or forwarding of data through a computer that may cause damage to the public shall be considered an offense.
In May 2019, Bank Indonesia (BI) launched its Quick Response Indonesia Standard (QRIS) code system to universalize cashless payment in the country. QRIS, which physically manifests as a more complex QR pattern, allows users from one payment service to transfer funds to any rival service within BI’s ecosystem.
Mexico’s Federal Law on Protection of Personal Data was introduced in Feb 2020 to amend the Federal Law on Protection of Personal Data held by Private Parties. The bill seeks to oblige data controllers to immediately notify the government (INAI institute) of any security or privacy breaches involving personal data.
In May 2020, the Central Bank of Brazil announced a new open banking regulation and a partnership with TecBan and Ozone. Brazil is planning to make open banking APIs fully operational by Oct 2021. The newly issued regulation on open banking enables secure sharing of registration and transactional data from individuals or legal entities at the customers’ discretion when data and services identify the customer.
Following a new AML law in late 2018, the UAE issued a resolution in early 2019 with provisions to implement the AML Law. The AML Resolution introduced several significant provisions, including the introduction of a risk-based approach to AML regulation. International wire transfers higher than AED3,500 (USD 953) require the provision of certain information to trace such transfers.
In Jun 2020, Zimbabwe announced the immediate suspension of all mobile payments over suspected malpractice as an AML initiative, a flipside to mobile payments despite its convenience. Malpractice, criminality, and economic sabotage perpetrated by individuals fueling parallel market rates spurred the action.
In 2017, the New York State Department of Financial Services (NYDFS) launched GDPR-like cybersecurity regulations for its massive financial industry. Unusual at the state level, the regulations include strict requirements for breach reporting and limiting data retention. Like the GDPR, the New York regulation has rules for basic principles of data security, risk assessments, documentation of security policies, and designating a chief information security officer (CISO) to be responsible for the program.
The state of California’s SB-327 IoT bill was enacted into law in Jan 2020. It requires IoT product manufacturers to enforce security standards for internet-connected devices, including making them come with unique passwords or requiring users to create them during the setup process.
In late Mar 2020, Washington state became the first state to pass legislation allowing facial recognition to be used by state and local government agencies, with certain limitations. The law is designed to strike a balance between the civil rights issues associated with the use of facial recognition software and the perceived advancements in public safety that the technology could provide. The bill aims to regulate state and municipal government agencies’ use of facial recognition services by Jul 2021.
The California Consumer Privacy Act (CCPA) was approved in Jun 2019 and was enacted in Jan 2020. In Jul 2020, CCPA became enforceable by the California Attorney General. Under the statute, businesses have 30 days after being notified of non-compliance to address alleged violations. Businesses that fails to remedy the violation may be subject to an injunction and liable for a civil penalty of up to USD2,500 for each non-compliance error or USD7,500 for each intentional violation.
Saudi Arabia’s NCA (National Cybersecurity Authority) issued guidelines to help organizations in the Kingdom improve their information security practices based on ISO 27001 guidelines.
The Telecommunications Regulatory Authority (TRA) launched the UAE National Cybersecurity Strategy in Jun 2019. The strategy aims to create safety within UAE community members’ cyberinfrastructure so citizens and residents can fulfill their aspirations and businesses can thrive.
A TRA director said a data protection law would be drafted for the UAE to support the TRA’s new national cybersecurity strategy for 2020-25.
The Saudi Arabian Monetary Authority and the UAE Central Bank announced a pilot project for a shared digital currency, Aber. In Nov 2019, Saudi and UAE leaders confirmed the joint digital currency effort. Aber remains in the experimental phase. Its main objective is to enable Saudi and UAE to deal directly with each other digitally and to conduct financial remittances through the use of blockchains and DLT.
In Dec 2019, the Nigeria Information Technology Development Agency (NITDA) issued non-compliance notices to nearly 100 companies and organizations that had failed to comply with the Nigeria Data Protection Regulation (NDPR), which had extended its deadline until Oct 2019.
In Dec 2019, The Nigeria Information Technology Development Agency (NITDA) issued non-compliance notices to nearly 100 companies and organizations that failed to comply with the Nigeria Data Protection Regulation (NDPR), 2019.
China’s national standard Information Security Technology – Personal Information Security Specification is in the process of revision, and its formal revision is likely to be issued by 2020.
Several regulations were drafted in accordance with the Cybersecurity Law and published for public comment. The legislature is likely to issue final versions by the end of 2020 that may include data security management measures, security assessment of cross-border transfer of personal information, regulations on security protection of critical information infrastructure, and cybersecurity grade protection regulations. Various industry authorities may also formulate and issue regulations or drafts for comments on cybersecurity, data security protection, and personal information protection applicable to their industries in accordance with the Cybersecurity Law.
People’s Bank of China is piloting a CBDC. China’s four largest state-owned commercial banks have been developing and testing a wallet application to store, send, and receive Digital Currency Electronic Payment (DCEP).
Under data protection law, Russian Federal Assembly penalties for violation of data localization rules have dramatically increased. The original penalty for handling Russian personal data was blocking a data operator’s website. However, since Dec 2019, administrative penalties for non-compliance by a data operator were boosted to fines from USD31,500 to USD94,200 for an initial violation, to about USD280,000 for repeat violations.
Also, sanctions for executives who violate companies’ data rules were introduced with penalties of USD1,560 to USD3,125 for an initial violation and between USD7,800 to USD12,500 for repeat violations.
In Aug 2020, Russia approved a bill to regulate cryptocurrencies. The bill gives legal status to cryptocurrency but prohibits its use as a means of payment.
Kenya is stepping up digital security for citizens. A new law outlines restrictions on data handling and sharing by the government and corporations. An independent office will investigate infringements of the new law with violators facing two-year prison sentences or fines of up to USD29,000
Adopted in Nov 2018, Serbia’s Personal Data Protection Law went into effect in Aug 2019 and was formulated to sync with GDPR as part of a wider process to harmonize Serbia with EU law.
Indonesia National Standard QR code payment: Bank Indonesia (BI) launched its Quick Response Indonesia Standard (QRIS) code system in May 2019 to universalize cashless payments nationwide. QRIS, which physically manifests as a more complex QR pattern, allows users from one payment service to transfer funds to any rival service within BI’s ecosystem.
Thailand Cross border QR code payment: In Mar 2020, Cambodian and Thai regulators announced an interoperable payment QR code for use between Cambodia and Thailand. Cambodian tourists who visit Thailand may now use their mobile banking app to pay in Cambodian riel when shopping at stores that display a Thai QR Payment sign. The same functionality was expected to be extended to Thai tourists in Cambodia by Q3 2020.
In Nov 2019, Siam Commercial bank announced its partnership with Liquid Group to enable cross-border QR payments between Singapore and Thailand.
QR code initiatives by firms such as PayPal and Paytm: In Jan 2020, Paytm launched its latest all-in-one QR payment method, allowing merchants to make and accept payments through its wallet, UPI-based payment apps, and RuPay cards.
Similar to Paytm, PhonePe, Mobikwik, Razorpay, and Freecharge, others are encouraging QR-code based payments to capture transactions made by small and informal merchants, such as Kirana stores.
In May 2020, PayPal rolled out QR code payments in the UK, which brought the global total to nearly 30 markets that offered a touch-free way for businesses to receive payments and for consumers to make purchases during COVID-19.
In Mar 2020, HPS by Saudi Payments introduces a unified QR code platform to enable banks, wallet providers, and FinTechs to interact seamlessly within an interoperable platform.
In Feb 2020, RaPay launched its QR code-based merchant payment system, a new platform designed to reduce merchant settlement times associated with taking debit card payments
In Jun 2020, Italian Banks Association (ABI) announced that its banks are willing to pilot a digital euro. ABI prioritized the need for a digital currency framework to be fully compliant with EU regulations to win the public’s trust and said banks would play a critical role in upholding that trust
Sweden is testing e-krona, bringing it that much closer to the proper release of a central bank digital currency (CBDC). The pilot program will be in operation for one year, until Feb 2021.
In Mar 2020, the Central Bank of France announced an experimental program to test the integration of a CBDC for interbank settlements, inviting participant applications