What are the sources of payments law in your jurisdiction?
Fintech (2nd edition)
The main source of payments law in Belgium is the European Union legislator. The European Union strongly harmonised both the prudential rules (which concern the eligibility, the licensing process and the conditions to be met in order to offer payment services) and the rules of conduct (which concern the mandatory pre-contractual and contractual rules in relation to payment service users).
These rules are laid down in the EU Directive n°2015/2366 of 25 November 2015 on payment services in the internal market (the “PSD2”). This directive has been transposed into Belgian national law in two distinct acts:
- the law of 11 March 2018 on the status and control of payment institutions and electronic money institutions. This law concerns the prudential rules applicable to payment and electronic money institutions.
- Book VII of the Belgian Economic Law Code.
While the law of 11 March 2018 is only applicable to payment institutions and electronic money institutions, Book VII of the Belgian Economic Law Code is also applicable to all other payment service providers, i.e. the credit institutions and certain (semi-)public entities such as Bpost, the National Bank of Belgium and local authorities.
Besides these laws, special attention must also be paid to the soft law rules enacted by the regulators at both the European level (the European Central Bank Guidelines) and the Belgian level (the National Bank of Belgium).
The Bermuda Monetary Authority provides risk-based regulation and supervision of all banks and deposit companies in Bermuda. The regulatory and supervisory framework is underpinned by principal legislation, the Banks and Deposit Companies Act 1999, as amended, which is regularly supplemented with updated statements of principles, policy and guidance.
The Digital Asset Business Act 2018 (DABA) regulates digital-asset businesses including payment service providers, electronic exchanges, custodial wallet services and market makers or traders of digital assets. See Question 14 for further information on DABA. Further, the Banks and Deposit Companies Amendment Act 2018, which came into force on 17 August 2018, permits financial institutions to apply to the Bermuda Monetary Authority for a restricted license enabling them to provide banking services to companies (and agents or affiliates of the same) who are licensed under the DABA or wish to conduct an initial coin offering. As of the date of writing, no such license has been granted by the Bermuda Monetary Authority.
See Question 2 with respect to money service business.
Law No. 12,865 published on October 9, 2013 (“Law 12,865/13”) was the first rule to regulate the industry of electronic payments in Brazil, more specifically, the rendering of payment services in the context of card networks that are part of the Brazilian Payment System (Sistema de Pagamentos Brasileiro or “SPB”). This law created the concepts of card network, card network owners and payment institutions.
In addition to establishing the general principles and rules for card networks and payment institutions, Law 12,865/13 conferred to the National Monetary Council (Conselho Monetário Nacional or “CMN”) and the Brazilian Central Bank (“Banco Central”) powers to, through Resolutions, Circulars and Letter Circulars, regulate the industry of electronic payments, including their incorporation and operation, risk management and the opening of payment accounts, along with the transfer of funds from and to them.
As Chile is a civil law country, the primary sources of payments law in Chile are legislative enactments of the National Congress. In Chile the legal framework for payment services is based on the following laws:
A) Constitutional Organic Law of the Central Bank of Chile (Ley Orgánica Constitucional del Banco Central de Chile or “LBC”), which empowers the Central Bank of Chile (Banco Central de Chile or “BCCH”) to establish all necessary and applicable regulations to allow the use of new payment methods, in order to ensure the stability of the Chilean payments system. BCCH is expressly empowered to enact rules that regulate companies engaged in the issuance or operation of credit cards, or any other similar payment method or system.
B) General Bank Law (Ley General de Bancos or “LGB”), which establishes that the Financial Market Commission (Comisión para el Mercado Financiero or “CMF”) is the administrative body responsible for the supervision of banks and financial institutions in Chile. Likewise, CMF is empowered with the authority to inspect companies whose business model consists of: the issuance or operation of credit cards, payment cards with provisional funds, or any other system similar to the aforementioned means of payment; provided that the companies routinely contract with consumers regarding the consumer’s financial obligations, such as issuance of credit cards to consumers, or are within a sector that is regularly involved with the general public.
C) Compendium of Financial Standards (Compendio de Normas Financieras or “CNF”) of the Central Bank of Chile: In exercising its powers, BCCH issued the following financial standards and rules regarding the means of payment:
a) Chapter III.J.1: Issuance of payment cards,
b) Chapter III.J.1.1: Issuance of credit cards,
c) Chapter III.J.1.2: Issuance of debit cards,
d) Chapter III.J.1.3: Issuance of payment cards with provision of funds,
e) Chapter III.J.2: Payment card operation.
D) Law N° 20,950: By enacting Law N° 20,950 in October 2016, the National Congress authorized the issuance and operation of payment cards with provisional funds by non-bank entities.
United States payments law consists of many regulatory regimes, statutes, government-issued guidance, and industry-established rules. The responsibility for supervision and enforcement of these different regimes falls to several federal government agencies and state-level financial services regulators. While differing in purpose and scope, these various laws generally operate to protect consumers, ensure safety and soundness of the covered entities, and prevent money laundering and the funding of terrorism.
Some of the more prominent sources of payments law include the Dodd-Frank Act, Consumer Credit Protection Act, Bank Secrecy Act, Gramm-Leach-Bliley Act, Electronic Funds Transfer Act and Reg. E, Expedited Funds Availability Act and Reg. CC, Reg. J, Reg. II, the Uniform Commercial Code, and state-level money transmission, autorenewal, surcharge, and prepaid access laws. Additionally, each government agency periodically issues guidance on developing industries and several topics to help companies interpret their regulatory obligations. Lastly, certain industries develop rules that all participants must abide by. These include, among others, payment card industry data security standards (PCI-DSS) and NACHA Operating Rules. The applicability of these laws and guidance depends on the method of payment, the type of transaction, and the status of the party involved in the payment transaction and includes differing legal requirements for banks and nonbanks or those entities engaged in legacy or emerging payment systems and methods.
Payments are also being integrated into many services and products, which raises new and evolving issues and risks for payments services providers. These new applications include payments integration into internet-of-things (IoT) products, mobile technology, and wearables. The integration of payments services into these products and services will add overlapping privacy and other data security and retention issues to the already complex payments legal landscape.
The most significant piece of law governing payments in the UK is the Payment Services Regulations 2017 (referred to in this chapter as the “PSRs”). These are the UK implementation of the Second Payment Services Directive (commonly known as PSD2), which is a piece of European Union legislation that came into force on 13 January 2018, having been finalised in late 2015. PSD2 was created by the European Commission as a result of learnings from and in response to market developments since the introduction of the first Payment Services Directive in 2007, which was itself introduced in order to open up the payments market and govern various payment-related activities that had previously been unregulated. These included money remittance (i.e. sending money from one place to another), operating a payment account, the execution of payment transactions and the issuing or acquiring of payment instruments. Under PSD2 and the PSRs, this scope was increased to include third party providers (“TPPs”), the so-called “open banking” account information service providers (or “AISPs” – who are enabled to pull digitised transaction data out of a payment account that is operated by another payment service provider), and payment initiation service providers (or “PISPs” – who are enabled to initiate a push payment such as a bank transfer, from an account operated by another payment service provider). Further detail is given on open banking in answer to questions 4 and 5 below.
PSD2 and the PSRs are supplemented by a range of Guidelines and Regulatory Technical Standards that are produced by the European Banking Authority pursuant to its mandate in Article 98 of PSD2. The most well-known of these is the Regulatory Technical Standard for strong customer authentication and common and secure open standards of communication (commonly known as the “SCA RTS”, official title the Commission Delegated Regulation (EU) 2018/389), which governs the methods by which payment service providers will have to carry out authentication in relation to payment transactions and online access to account information as well as the communication between the TPPs and other payment service providers. Broadly speaking this mandates two-factor authentication, under which authentication must be carried out using any two of three factors of something you know (such as a password), something you possess (such as a mobile phone or a credit card) or something you are (such as a biometric marker like a thumbprint). There are exemptions from the need to carry out strong customer authentication – for instance for certain low value transactions, contactless card payment transactions or recurring transactions – but these are tightly controlled. The SCA RTS was due to come into full effect in September 2019, but in response to calls from the payments and retail industries, who largely did not have strong customer authentication technologies and processes fully implemented, the FCA agreed (with some conditions) to delay enforcement of the SCA until March 14 2021.
The other main piece of payments-related legislation in the UK is the Electronic Money Regulations 2011. These govern the particular payment service of issuing and distributing “e-money”, which is an electronic representation of cash. The typical example of e-money is a prepaid card, but these days e-money structures underlie anything from gift cards to mobile banks.
Lastly, whilst it is not strictly speaking legislation, the document “Payment Services and Electronic Money – Our Approach” published by the Financial Conduct Authority is an excellent guide on how the FCA views the application of the various pieces of legislation.
The Law of the People's Republic of China on the People's Bank of China, adopted by the National People’s Congress in 1995 and most recently revised in 2015, provides that the People’s Bank of China (PBOC) serves as the key regulatory body of payment activities in China. The PBOC has promulgated China’s main payment regulations, including the Measures for Payment and Settlement, in 1997, and the Administration Measures on Payment Services by Non-Financial Institutions, in 2010.
However, payments-related matters are not subject solely to the oversight of the PBOC and its regulations. For example, the Law of the People’s Republic of China on Anti–Money Laundering may be implicated by payments-related matters and, although the PBOC undertakes anti–money laundering activities, the Ministry of Finance and Commerce and Public Security Bureaus may also get involved. There are even inter-agency mechanisms through which information is exchanged, major issues and situations are analysed and suggestions are put forth for appropriate measures.
The United Arab Emirates (“UAE”) consists of “onshore” (“UAE Onshore”) and financial free zone jurisdictions, to which different sources of payments law apply. There are currently two financial free zones in the UAE: the Dubai International Financial Centre (the “DIFC”) and the Abu Dhabi Global Market (the “ADGM”) (together, the “Financial Free Zones”).
The sources of payments law in the UAE depend on the applicable jurisdiction and financial regulatory regime:
- UAE Onshore. Where the payment service provider (“PSP”) is providing its services in or from UAE Onshore, it is governed by the federal laws of the UAE. Financial services conducted in or from UAE Onshore are regulated by the UAE Central Bank (“UAECB”), Securities and Commodities Authority (“SCA”) and Insurance Authority (“IA”) (as applicable).
- DIFC. Where the PSP is providing its services in or from the DIFC, it is governed by the laws of the DIFC. The Dubai Financial Services Authority (“DFSA”) regulates financial services conducted in or from the DIFC.
- ADGM. Where the PSP is providing its services in or from the ADGM, it is governed by the laws of ADGM. The Financial Services Regulatory Authority (“FSRA”) regulates financial services conducted in or from the ADGM.
The sources of payments law on UAE Onshore principally consist of the Regulatory Framework for Stored Values and Electronic Payment Systems 2017 (“2017 Payment Regulations”) and Federal Law No. 14 of 2018 regarding the Central Bank & Organization of Financial Institutions and Activities (“2018 FIA Law”).
2018 FIA Law
Article 65 of the 2018 FIA Law sets out the relevant financial activities subject thereto, which include “Providing currency exchange and money transfer services” and “Providing stored values services, electronic retail payments and digital money services” (among others).
The 2018 FIA Law sets out the requirements for conducting the above financial activities and prohibits, under Article 64, any entity from conducting such financial activities without a license from the UAECB.
The 2018 FIA Law further sets out certain information with respect to the application procedure for a UAECB license, reporting obligations to the UAECB and other obligations, delegating a sizeable amount of regulations to the UAECB.
2017 Payment Regulations
The 2017 Payment Regulations set out the requirements imposed upon four main types of PSPs:
1) Retail PSP: Authorized commercial banks and other licensed PSPs offering retail, government, and peer-to-peer digital payment services as well as money remittances;
2) Micropayment PSP: PSPs offering micropayment solutions facilitating digital payments targeting the unbanked and under-banked segments in the UAE;
3) Government PSP: Federal and local government statutory bodies offering government digital payment services; and
4) Non-issuing PSP: Non-deposit taking and non-issuing institutions that offer retail, government, and peer-to-peer digital payment services.
The 2017 Payment Regulations cover the following digital payment services:
- Cash-in services: enabling cash to be placed in a payment account;
- Cash-out services: enabling cash withdrawals from a payment account;
- Retail credit/debit digital payment transactions;
- Government credit/debit digital payment transactions;
- Peer-to-peer digital payment transactions; and
- Money remittances.
The 2017 Payment Regulations do not apply to the following PSPs, which may be subject to other UAECB laws and Regulations:
- Payment transactions in cash without any involvement from an intermediary;
- Payment transactions using a credit/debit card;
- Payment transactions using paper cheques;
- Payment instruments accepted as a means of payment only to make purchases of goods/services provided from the issuer/any of its subsidiaries (i.e. closed loop payment instruments);
- Payment transactions within a payment/settlement system between settlement institutions, clearing houses, central banks and PSPs;
- Payment transactions related to transfer of securities/assets (including dividends, income, and investment services);
- Payment transactions carried out between PSPs (including their agents/branches) for their own accounts; and
- Technical service providers: Defined as entities facilitating the provision of payment services to PSPs, whilst excluded at all times from possession of funds (or transference thereof). A payment gateway operator could fall under this category.
DIFC and ADGM
The sources of payments law in the DIFC and ADGM are similar:
- DIFC: The sources of payments law in DIFC principally consist of DIFC Law No.1 of 2004 (“Regulatory Law”) and DFSA rulebook (“DFSA Rulebook”).
- ADGM: The sources of payments law on UAE Onshore principally consist of the Financial Services and Markets Regulations 2015, as amended (“FSMR”) and the FSRA rulebook (“FSRA Rulebook”).
The FSMR and Section 2.6 of the DFSA Rulebook (General Module) both define the provision of money services as “providing currency exchange or money transmission”. Money transmission is defined as “(a) selling or issuing payment instruments, (b) selling or issuing stored value, or (c) receiving money or monetary value for transmission, including electronic transmission, to a location within or outside the [DIFC/ADGM (as applicable)]”.
Section 7.2 of the DFSA Rulebook (General Module) and Section 16 of the FSMR both require that PSPs in the DIFC/ADGM (as applicable) have a license from the DFSA/FSRA (as applicable), authorizing the PSP to provide payment services. However, section 16 of the FSMR provides for an exception to this obligation where the corporate entity is considered “exempt”.
The above regulations set out certain information with respect to the application procedure for a license, reporting obligations to the competent authority and other obligations, with the laws delegating a sizeable amount of regulations to the DFSA/FSRA (as applicable).
Payment systems are defined and governed by Decree 2555 of 2010, External Resolution 5 of 2009 by the Central Bank and by rules in the Basic Legal Letter (CBJ) of the Colombian Financial Superintendence (SFC). Payment systems are separated into low-value (client oriented) and high-value (financial institution oriented) systems depending on the average transactions processed during a 6-month period and require a license depending on whether participants are financial institutions and other conditions are fulfilled.
The provision of payment services within or into Denmark is regulated by the Danish Payments Act (In Danish: Lov nr. 652 af 8. juni 2017 med senere ændringer, om betalinger) (the Danish Payments Act).
The Danish Payments Act implements the Original and Revised European Union (EU) Payment Service Directive (PSD1 and PSD2), the EU Directive on Electronic Money, and the EU Directive on Interchange Fees for Card-Based Payments Transaction, which all are fully implemented into Danish law.
Payment systems are defined in and governed by the Swiss Financial Infrastructure Act (FinfraG) and by rules in the National Bank Act, the Banking Act (BA) and the Anti-Money Laundering Act (AMLA). Payment systems require a license only if this is necessary for the protection of the participants or for securing the functioning of the financial markets; hence, the regulatory framework for payment systems may be complex.
While banking businesses are highly regulated in Taiwan, laws and regulations enable non-banks to provide a variety of payment services. Among others, the Act Governing the Management of Electronic Payment Institutions and its enforcement rules (collectively, "E-Payment Act"), which took effect in May 2015, allows non-banks to offer the electronic payment services (as further described in 2(1) below; collectively, "E-Payment Services") approved by the Financial Supervisory Commissions (FSC), the government agency in charge of securities and futures products. The enactment of the E-Payment Act contributes to the growth of E-Payment Services in Taiwan. Currently, there are five non-banks exclusively operating E-Payment Services. In addition, the Financial Technology Development and Innovative Experimentation Act also offers a regulatory sandbox for applicants to test Fintech in a safe environment.
The Royal Decree-Law 19/2018, of 23 November, on payment services and other urgent measures on financial matters ("Royal-Decree Law"), is the main piece of legislation regulating payment services in Spain.
The Royal Decree-Law partially transposed the Directive (EU) 2015/2366, of 25 November, on payment services in the internal market ("PSD2"), in Spain and its main objectives are to facilitate and improve the security in the use of payment systems through the Internet, to reinforce the level of protection of users against fraud and potential abuse, as well as promoting innovation and competition in payment services through mobile and internet channels.
Nevertheless, because the Royal Decree-Law only transposes PSD2 in part, the Royal Decree 712/2010, of 28 May, and the Order EHA/1608/2010, of 14 June, are still in force as long as they do not contravene the dispositions contained in the Royal-Decree Law and the new legal regime is not approved.
In April 2019 the draft Royal Decree on the legal regime of payment services and payment entities that will complete the transposition of PSD2 into the Spanish legal system was released. Likewise, the draft Order on transparency and information requirements for payment services was published in May 2019. Neither draft is yet in force; both await final approval.
Payment services are mainly regulated by the Act on the Prudential Supervision of Payment Services - Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz – ‘ZAG’) and by the Civil Law Code (Bürgerliches Gesetzbuch – ‘BGB’), which implemented the European Payment Services Directives 1 and 2 (‘PSD1’ and ‘PSD2’), in Germany. Other important sources of law directly applicable to (regulated) payment service providers in Germany are i.a. the various delegated regulations adopted under the PSD2, the Capital Requirements Regulation (CRR), the EU Funds Transfer Regulation, the SEPA-related EU Regulation 260/2012 and the EU Interchange regulation. Additionally, the German Anti-Money Laundering Act (Geldwäschegesetz – ‘GwG’), transposing the European Anti-Money Laundering Directives in Germany, the German Federal Data Protection Act (‘BDSG’) and the European General Data Protection Regulation (‘GDPR’) need to be complied with.
In the Republic of Korea (“Korea”), there are various payment methods available to which various laws apply. With regard to payments made using credit cards, debit cards and pre-paid cards, the Specialized Credit Finance Business Act (“CFBA”) would apply. Payment methods using electronic means such as electronic fund transfer, electronic debit payment means, electronic prepayment means, electronic currency and electronic receivables would be subject to regulation under the Electronic Financial Transactions Act (“EFTA”); most of the business operators who engage in payment settlement service such as payment gateway business operators are also subject to the regulation under the EFTA. In addition, payment using foreign currency or payment transactions between Korea and foreign countries and activities relating thereto are subject to the Foreign Exchange Transactions Act (“FETA”), including licensing requirements thereunder in addition to the requirements under the EFTA.
The key legislation, in this regard, includes the Act on Financial Undertakings no. 161/2002, the Securities Act no. 108/2007 and the Payment Services Act no. 120/2011, all as later amended. The Payment Services Act awaits the implementation of Directive (EU) 2015/2366, PSD II. Further, companies wishing to provide financial services are subject to the supervision of the Financial Supervisory Authority (FSA) and generally must obtain operating licenses/authorizations from the FSA to provide their services.
Iceland implements most of its financial regulatory framework from the EU, through its participation in the European Economic Area (EEA). With regard to PSD II, the EEA Joint Committee adopted the directive within the EEA on 14 June 2019. A legislative bill is expected to be introduced before the Icelandic Parliament in the fall of 2019. It is also worth mentioning that on 8 March 2018, the European Commission adopted a specific action plan in the field of fintech which might cause amendments that might take effect in Iceland, due to its membership of the EEA.
The regulatory landscape for payments law in India is largely fragmented. There is no single set of regulations or guidelines that uniformly apply to FinTech payment products in India. The absence of a uniform set of regulations and guidelines makes it challenging to navigate the regulatory landscape. The sources of payments law in India primarily include the following:
(a) Law passed by the Indian Parliament: Legislation enacted by the Indian Parliament constitutes the primary source of payments law in India. The Payment and Settlement Systems Act, 2007 (PSS Act) is the principal legislation governing payment services in India. Under the PSS Act, no person can commence or operate a payment system in India without obtaining prior approval from the RBI. The PSS Act defines a “payment system” as “a system that enables payment to be effected between a payer and a beneficiary, involving clearing, payment or settlement service of all of them, but does not include a stock exchange.” By way of illustration, payment systems under the PSS Act include the systems enabling credit card operations, debit card operations, smart card operations, money transfer operations and pre-paid payment instruments (PPIs) (such as prepaid cards and mobile wallets).
(b) Directions, notifications and circulars issued by the Reserve Bank of India (RBI): The RBI is the central bank of India responsible for regulating payments and financial products. The key payment products that the RBI regulates via master directions and regulations are:
(i) PPIs: The Master Direction on Issuance and Operation of Prepaid Payment Instruments issued by the RBI on October 11, 2017 as amended from time to time (PPI Master Directions) prescribes the eligibility criteria for PPI issuers, permissible debits and credits from PPIs and other operational guidelines to be followed by PPI issuers while issuing PPIs to customers in India. PPIs are regulated as payment systems under the PSS Act and specified PPI issuers are required to obtain prior approval of the RBI to be able to issue PPIs to subscribers.
(ii) Issuance of Cards: The issuance of credit cards and debit cards is primarily governed by the RBI’s Master Circular on Credit Card, Debit Card and Rupee Denominated Pre-paid Card Operations of Banks and Credit Card Issuing NBFCs dated July 1, 2015 (as amended from time to time) (Cards Master Circular). The Cards Master Circular inter alia prescribes the conditions, eligibility criteria and approval requirements for the issue of credit cards, debit cards and pre-paid cards in India.
(iii) Operations of payment gateways and payment aggregators: The operations of payment gateways and payment aggregators which act as intermediaries in digital payment transactions are primarily governed by the RBI’s directions for Opening and Operation of Accounts and Settlement of Payments for Electronic Payment Transactions involving Intermediaries, 2009 (Payment Intermediary Directions). The Payment Intermediary Directions set out the legal framework applicable to payment intermediaries operating in India. Under the current regulatory framework, there is no licensing requirement for payment intermediaries; however, the RBI has recently indicated that it is considering enhanced regulation and supervision of payment intermediaries such as payment gateways and payment aggregators.
(iv) Payments Banks: The RBI issues a separate category of licenses to ‘payments banks’. Payments banks are primarily governed by the Operating Guidelines for Payments Banks dated October 6, 2016 read with the Guidelines for Licensing of Payments Banks dated November 27, 2014, each issued by the RBI. Payments banks are permitted to maintain small value deposit accounts (up to a maximum amount of INR 100,000 (Indian Rupees one hundred thousand)) for their customers, but are not permitted to undertake any lending operations.
(v) Directions and guidelines issued by the National Payments Corporation of India (NPCI): The NPCI is the implementing entity behind the Unified Payments Interface (UPI), and is registered with the RBI to operate a payments system under the PSS Act. UPI payments in India are primarily regulated by the UPI Procedural Guidelines and the UPI Operating and Settlement Guidelines issued by the NPCI. Under the current framework, only banks can integrate with the UPI platform to provide money transfer services to their customers. Banks are however permitted to engage technology providers for the design and operation of mobile applications for the purpose of UPI payments, subject to compliance with certain eligibility and prudential norms prescribed by the NPCI. PPI issuers have also been permitted to act as payment system providers within the UPI framework.
Currently, Portuguese payments law is regulated under Decree-Law no. 91/2018, of 12 November (the Payment Services and E-Money Legal Framework, “PSELF”), which transposed Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 (PSD2) into the Portuguese legal order.
The authority that supervises payment services is the BCRP (Banco Central de Reserva). Additionally, Law N° 28194 regulates the means of payment used in Peru, which mainly refers to bank transfers. The means of payments regulated by the law are the following: (i) Deposits, (ii) bank draft, (iii) transfers of funds, (iv) payment orders, (v) debit cards issued in Peru, (vi) credit cards issued in Peru, (vii) cheques with the clause of "non-negotiable", "non-transferable", "not to order" or other equivalent, issued under Article 190 of the Securities Law. The law establishes that the mentioned means of payment must always be used when the amount of the transaction is equal to or above US$ 1,000.
In addition to the traditional means of payment mentioned above, Law N° 29985 regulates electronic money (e-money) as a payment method. In fact, the only totally digital method of payment recognized in Peru is e-money (monetary value represented by a claim on its issuer). The activity of issuing electronic money is reserved for those companies that operate under the supervision of the Superintendence of Banking, Insurance and Private Administrators of Pension Funds (SBS); these companies are named Electronic Money Issuers.
In Peru there is no payments law like the PSD2, the European Second Payment Services Directive, which is a specific regulation for the payments market that regulates digital payments. Nevertheless, the government has recently published the National Competitiveness and Productivity Plan, which addresses the need to regulate the FinTech industry in order to have clear rules for the development and expansion of this industry. As the FinTech industry matures, additional regulatory proposals will be presented to regulate other services related to payment platforms, factoring and foreign exchange, among others.
Additionally, an updated version of the National Policy of Financial Inclusion was published in August 2019, which refers to INDECOPI's initiative to carry out a market study aimed at analysing the conditions of competition existing in payment card systems. Although this constitutes progress, it would be advisable to have a study of the existing legal barriers in the means of payment in general, in order to be able to prepare proposals that contribute to a financial inclusion environment.
Until recently, there was no specific legislation regulating all the aspects of payments in Israel, although there were several laws and regulations which handled certain fragments or types of payment services.
In January 2019, the Knesset (the Israeli Parliament) enacted the Payment Services Law, 5779-2019, which was supposed to become effective in January 2020 but its validity is likely to be postponed until July 2020.
Until the Payment Services Law is effective, the regulation of payments is based on the existing laws:
a. The Charge Cards Law, 5746-1986, which deals with the relationships between holders of charge cards (credit cards, debit cards, payment cards and bank (ATM) cards) and the issuers thereof. It grants several consumer protections and imposes several duties on the issuers including, among other things, a requirement for a written agreement, disclosure requirements, protection against fraud and unauthorized use and rights regarding card-not-present transactions. The said law also regulates the termination of charge card agreements.
b. Banking regulations: since many payment services are provided by banks, the regulations applicable to banks are relevant to payments. The Banking (Services to Customers) Law, 5741-1981 and the regulations promulgated thereunder define general disclosure and contractual requirements relating, among other things, to payment services. In addition, the Banking Ordinance, 1941, and the “Proper Conduct of Banking business” (“PCB”) directives which the Bank of Israel issued pursuant to the said ordinance relate to certain payment services: (i) standing orders [PCB no. 439]; (ii) use of ATMs [PCB no. 442]; and (iii) charge cards [PCBs no. 470, 471 and 472].
c. The Payments Systems Law, 5768-2008: this law is not a “payments law” but rather regulates the authorization of controlled payment services. Nonetheless, the said law determines the finality and irrevocability of payments made in a controlled payment system. The “Zahav” payment system, which provides RTGS services in Israel, was authorized as a Designated Controlled Payment System pursuant to the said law. The rules relating to the operation thereof are set forth in the agreement between the Bank of Israel and the operator of the Zahav system (which was appointed by the of the Bank of Israel) – the Tel Aviv Stock Exchange Settlement System. In order to support the finality of the Zahav system and the stability thereof, the members of the Zahav system are required to keep at all times sufficient liquidated funds (cash or governmental bonds) securing their gross liabilities.
d. Masav’s internal regulations: non-RTGS domestic electronic funds transfers are performed using the services of “Masav” – the Interbanking Settlement System. Masav is a corporation owned by the various banks in Israel and provides services to the entire banking system and to private parties. The internal regulations of Masav were examined by the Bank of Israel and by the Antitrust Commissioner.
e. SWIFT and CLS internal regulations: international funds transfers are mainly performed using the SWIFT system and CLS and are therefore subject to their internal regulations. CLS was declared as a Controlled Payment System pursuant to the Payments Systems Law detailed above. It is also worth mentioning that the infrastructure for communication among issuers and acquirers of charge cards and merchants in Israel is managed by a public company called “Shva”, which is partially owned by banks. This company is also partially regulated, in accordance with the “Shtrum Reform”, as set forth in the Law for the Increase of Competition and Decrease of the Centralization in the Banking Market in Israel (Legislation Amendment), 5777-2017. Shva was defined as an Interface System pursuant to the said law.
f. The Bills Ordinance [New Version], which is not a “payments law” but rather deals with three main types of bills: bills of exchange, cheques and promissory notes. It regulates the transferability of bills, their validity and more. There are some regulations and directives relating to the clearing and settlement of cheques.
g. The Supervision of Financial Services (Regulated Financial Services) Law, 5766-2016 (the "RFS Supervision Law") is mainly designated to regulate the licensing of payment services providers but also includes certain provisions relating to disclosure, fair treatment and consumer protection.
h. AML/CFT regulations: the Prevention of Money Laundering Law, 5760-2000 (the “AML Law”) and the orders issued thereunder by the various regulators, including the Bank of Israel and the Supervisor of Regulated Financial Services, affect the provision of payment services, including the initial registration of clients and the monitoring and supervision of the performance of payments.
As noted above, the Payment Services Law, 5779-2019, is expected to become effective in 202. The said law is the Israeli equivalent of the European PSD 2 and sets forth similar (although not identical) requirements regarding , disclosure obligations and other obligations on the payment service providers (vis-à-vis either the payer or the beneficiary of the payments). It also includes provisions regarding means of identification of users, and provisions regarding cancelation of payments due to fraud, unauthorized use, card-not-present transactions and other types of transactions. The Payment Services Law also regulates standing orders. The definitions in the Payment Services Law relate to any type of means of payment and are not limited to charge cards.
The payments sector in the Netherlands is mainly regulated on the basis of European legislation, such as the second Payment Services Directive (PSD2), the second E-Money Directive (EMD2), the Single Euro Payments Area (SEPA) Regulation, the Interchange Fee Regulation and the Payment Accounts Directive. European Regulations have direct effect in the Netherlands. The European Directives have been implemented in – mainly – the Dutch Financial Supervision Act (Wet op het financieel toezicht) and Title 7b of Book 7 of the Dutch Civil Code (Burgerlijk Wetboek). The first act deals with the financial regulatory requirements applicable to financial undertakings involved in the payment chain, whilst the latter focuses on the private law requirements that need to be taken into account by the different parties involved in such payments chain.
One national piece of legislation worth mentioning is a regulatory framework applicable to payment processing service providers (afwikkelondernemingen). The Dutch Financial Supervision Act distinguishes three types of payment processing services: (i) the forwarding of an electronic authorisation request of a payer to its payment service provider (PSP) for an initiated payment order, (ii) consenting to such authorisation requests on behalf of the paying PSP, or (iii) netting. This piece of Dutch legislation is not based on a European example. It results in – for example – card schemes like MasterCard falling under this type of oversight by the Dutch Central Bank (DNB).
There are many payment methods and instruments in Japan, but no comprehensive payment law. The general payment rule applicable to rights and obligations is governed by the Civil Code (Act No. 89 of 1896). The rules for the issuance and control of cash are subject to the Act on Unit of Currency and Issuance of Cash (Act No. 42 of 1987). In addition to these general rules, certain payment methods/instruments are regulated as follows:
1.1. Prepaid Payment Instrument ("PPI")
A PPI is an instrument that records a certain value charged in advance of use and is then debited as payment of consideration for goods and/or services. PPIs are regulated under the Payment Services Act (Act No. 59 of 2009).
1.2. Instalment Payment
Instalment payments, in connection with the payment of consideration for goods or services to be divided over 2 months or more, are regulated under the Instalment Sales Act (Act No. 159 of 1961). The Act substantially covers all credit card payments.
Traditionally, remittance was regulated by the Banking Act (Act No. 59 of 1981) and other specific laws applicable to financial institutions. Only banks and such financial institutions were allowed to conduct remittance businesses. However, since the introduction of the Payment Services Act in 2009, certain registered companies, other than banks or financial institutions, are permitted to handle the remittance of up to JPY 1 million.
There are some other traditional payment methods, each subject to specific legislation. For example, promissory notes are subject to the Negotiable Instrument Act (Act No. 20 of 1932) and checks are subject to the Check Act (Act No. 57 of 1933), though the issuers of such payment methods are not required to be licensed or registered; the Electronically Recorded Monetary Claims Act (Act No. 102 of 2007) provides a legal framework for the electronic recording of monetary claims.
The principal sources of payments law in Jersey include:
- Financial Services (Jersey) Law 1998 (the "FSJL");
- Financial Services (Money Service Business (Exemptions)) (Jersey) Order 2007 (the "MSB Order");
- EU Legislation (Payment Services – SEPA) (Jersey) Regulations 2015 (the "SEPA Regulations") (as amended); and
- Community Provisions (Wire Transfers) (Jersey) Regulations 2007 (as amended).
The European Payment Services Directive ("PSD") and European Payment Services Directive II ("PSD2") do not apply directly in Jersey as Jersey is not a member of the EU. However, banking institutions in Jersey are generally part of wider banking groups to which PSD and PSD2 do apply and therefore in practice voluntarily operate at a higher standard.
Jersey has, however, adopted the SEPA Regulations to ensure its laws regarding Euro payments and payment services in Euros closely align with those of the EU, in particular with elements of the PSD/PSD2.
 - Directive 2007/64/EC of the European Parliament and of the Council of 13 November 2007 on payment services in the internal market amending Directives 97/7/EC, 2002/65/EC, 2005/60/EC and 2006/48/EC and repealing Directive 97/5/EC
 - Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EC and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC
The main sources for payment law in Liechtenstein are the newly amended Payment Services Act (PSA) and the Payment Services Ordinance (PSO), which entered into force on 1 October 2019 implementing the Payment Service Directive 2 (Directive [EU] 2015/2366; PSD 2). Provisions concerning payment services and payment service providers also can be found in the Banking Act, the Electronic Money Act, the Due Diligence Act, the Postal Act and their respective ordinances.
While there is no single legislative framework which governs payments law in Mexico, its primary sources are: (i) the “Ley Monetaria de los Estados Unidos Mexicanos” ‘Mexican Monetary Law’ —which, inter alia, awards the status as legal tender to the Mexican “Peso” (MXN) and, therefore, requires paper money (or banknotes) and coins to be accepted as payment for all types of transaction (subject to limits, as regards coins),— (ii) the “Ley del Banco de México” ‘Mexican Central Bank Law’, (iii) the “Ley del Sistema de Pagos” ‘Payment Systems Law’ —which deals with both national currency and foreign exchange transactions clearing and settlement and which, along with the “Mexican Central Bank Law”, establishes the Banco de México ‘Mexican Central Bank’ as the statutory regulator of payment and settlement systems, while charging the central bank with the supervision and oversight of such systems, as well as with enforcement powers,— (iv) the “Ley del Mercado de Valores” ‘Securities Law’, (v) the “Ley Para La Transparencia Y Ordenamiento De Los Servicios Financieros” ‘Financial Services Ordering and Transparency Law’ and (vi) the related implementing regulations and directives.
The sources of payments law in Luxembourg include, amongst others, the following:
- Law of 10 November 2009 on payment services, on the activity of electronic money institution and settlement finality in payment and securities settlement systems, as amended (the "2009 Law");
- CSSF Circular 19/714 update of CSSF Circular 17/654 on IT outsourcing relying on a cloud computing infrastructure;
- CSSF Circular 19/713 regarding the guidelines of EBA on the security measures for operational and security risks of payment service providers;
- CSSF Circular 17/656 regarding administrative and accounting organisation; IT outsourcing, repealing Circular 05/178;
- Circular CSSF 11/520, which lists the CSSF Circulars specifically applicable to payment and e-money institutions:
  - Circular IML 95/120 regarding the central administration;
  - Circular IML 96/126 relating to the administrative and accounting organisation;
  - Circular IML 98/143 on internal control (as amended by Circular CSSF 04/155 on the compliance function);
  - Circular CSSF 04/155 on the compliance function;
  - Circular CSSF 05/178 regarding the administrative and accounting organisation and outsourcing of IT services (abrogation of point 4.5.2. of Circular IML 96/126 and replacement by point 4.5.2. of Circular CSSF 05/178);
  - Circular CSSF 06/240 on the administrative and accounting organisation; IT outsourcing and details regarding services provided under the status of support PFS, Articles 29-1, 29-2 and 29-3 of the law of 5 April 1993 on the financial sector, as amended; amendment of IT outsourcing conditions for branches located abroad.
- The law of 12 November 2004 on the fight against money laundering and terrorist financing, as amended (hereafter the "AML Law") and other Luxembourg and EU AML related laws.
One of the main laws regulating payments in Malta is the Financial Institutions Act (Chapter 376) (‘FIA’) which is the key act transposing the EU Payment Services Directive 2015/2366 (‘PSD2’). This Act is complemented with subsidiary legislation, particularly the Credit Institutions and Financial Institutions (Payment Accounts) Regulations, as well as a suite of Financial Institutions Rules issued by the Maltese financial services regulator, the Malta Financial Services Authority (the ‘MFSA’). The enactment of the FIA resulted in the introduction of payment institutions being regulated under Maltese Law under the supervision of the MFSA. PSD2 has been fully transposed into Maltese law, partially through Directive No.1, issued under the Central Bank Act (Chapter 204) and partially through the FIA. The Banking Act (Chapter 371), which provides the legislative framework for credit institutions, cross-references the provisions of the Financial Institutions Act as the applicable law of the payment services provided by banks. Furthermore, the Civil Code of Malta (Chapter 16) regulates the private and civil law aspects relating to payments.
In Malaysia, payments are regulated by our Central Bank also known as Bank Negara Malaysia which translates into ‘The National Bank of Malaysia’. To enable the Bank to meet the objectives of a central bank, it is vested with comprehensive legal powers under the following legislation to regulate and supervise the financial system. These pieces of legislation act as the source of what we identify as law governing payments and finances in the country. Listed below are the acts that govern the said law:
A. Central Bank of Malaysia Act 2009 (Act 701)
An Act to provide for the continued existence of the Central Bank of Malaysia and for the administration, objects, functions and powers of the Bank, for consequential or incidental matters.
B. Central Bank of Malaysia Act 1958 (Revised-1994) [Repealed, except for Part III]
An Act to provide for the establishment, administration, powers and duties of a Central Bank of Malaysia.
*Note: This Act has been repealed by the Central Bank of Malaysia Act 2009 [Act 701] except for Part III on Currency (containing section 18 to section 27A) which continues to be in force notwithstanding the repeal of the Act.
C. Financial Services Act 2013 (Act 758)
An Act to provide for the regulation and supervision of financial institutions, payment systems and other relevant entities and the oversight of the money market and foreign exchange market to promote financial stability and for related, consequential or incidental matters.
D. Islamic Financial Services Act 2013
An Act to provide for the regulation and supervision of Islamic financial institutions, payment systems and other relevant entities and the oversight of the Islamic money market and Islamic foreign exchange market to promote financial stability and compliance with Shariah and for related, consequential or incidental matters.
E. Insurance Act 1996
An Act to provide new laws for the licensing and regulation of insurance business, insurance broking business, adjusting business and financial advisory business and for other related purposes. Incorporating Latest Amendments up to Act A1247/2005 - cif : 1 Jan. 1997
*Note: This Act has been repealed, except that sections 147(4), 147(5), 150, 151, 144 and 224 shall continue to remain in full force and effect; see section 275 of FSA 2013 (Act 758).
F. Development Financial Institutions Act 2002 (Act 618)
The DFIA, which came into force on 15 February 2002, focuses on promoting the development of effective and efficient development financial institutions (DFIs) to ensure that the roles, objectives and activities of the DFIs are consistent with Government policies and that the mandated roles are effectively and efficiently implemented. The DFIA also emphasises efficient management and effective corporate governance, and provides a comprehensive supervision mechanism and a mechanism to strengthen the financial position of DFIs through the specification of prudential requirements.
G. Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (Act 613)
The AMLATFPUAA provides for the offence of money laundering, the measures to be taken for the prevention of money laundering and terrorism financing offences, investigation powers and the forfeiture of property involved in or derived from money laundering and terrorism financing offences, as well as terrorist property, proceeds of an unlawful activity and instrumentalities of an offence. The First Schedule of the AMLATFPUAA contains a list of the reporting institutions under the AMLATFPUAA i.e. financial institutions and designated non-financial businesses and professions which are required to perform certain obligations which are designed to prevent money laundering and terrorism financing offences. The Second Schedule of the AMLATFPUAA lists serious offences from various legislations, which if committed, are likely to result in a person benefitting or deriving proceeds from the offence.
The AMLATFPUAA promotes a collaborative and multi-agency approach by setting out the powers and functions of:
a. the competent authority which is responsible to oversee the performance of obligations by the reporting institutions, facilitate the enforcement of the AMLATFPUAA and co-operate with the foreign financial intelligence units;
b. enforcement agencies which are responsible to investigate the offences under the AMLATFPUAA; and
c. supervisory and regulatory authorities which are responsible to facilitate in the implementation of the AMLATFPUAA.
The Minister of Finance has appointed BNM as the competent authority under the AMLATFPUAA. The Financial Intelligence and Enforcement Department of BNM is responsible for performing BNM's functions as the competent authority under the AMLATFPUAA.
H. Money Services Business Act 2011
The Money Services Business Act 2011 (MSBA) provides for the licensing, regulation and supervision of the money services business comprising money changing, remittance and wholesale currency businesses. The MSBA was enacted with the aim of supporting the development of a more dynamic, competitive and professional money services business industry (comprising the money changing, remittance and wholesale currency businesses), while strengthening safeguards against money laundering, terrorist financing and illegal activities.
I. Anti-Money Laundering and Counter Financing of Terrorism Policy for Digital Currencies
The policy aims to ensure that effective measures are in place against money laundering and terrorism financing risks associated with the use of digital currencies and to increase the transparency of digital currency activities in Malaysia.
At present, certain payment services are governed by the Payment Systems (Oversight) Act (Cap 222A) (“PSOA”) and the Money-Changing and Remittance Businesses Act (Cap 187) (“MCRBA”). Holders of Stored Value Facilities (“SVFs”), which are a form of pre-paid electronic cash or card that can be used for payments, are regulated under the PSOA. The PSOA empowers the Monetary Authority of Singapore (“MAS”) to monitor the development of the payment system industry in Singapore and make informed policy decisions. Money-Changers and Remittance Businesses are licensed and regulated under the MCRBA, and must obtain a licence from MAS in order to carry on business.
The Payment Services Act 2019 (No. 2 of 2019) (“PSA”) was passed on 14 January 2019, and is tentatively expected to come into force in early 2020, upon which the PSOA and the MCRBA will be repealed. The PSA is a single, activity-based and risk-specific legislation for payment-related services, which consolidates existing payments regulatory frameworks and introduces new types of licensable payment services.