What are the sources of payments law in your jurisdiction?
The Bermuda Monetary Authority provides risk-based regulation and supervision of all banks and deposit companies in Bermuda. The regulatory and supervisory framework is underpinned by principal legislation, the Banks and Deposit Companies Act 1999, as amended, which is regularly supplemented with updated statements of principles, policy and guidance.
The Digital Asset Business Act 2018 (DABA) regulates digital-asset businesses including payment service providers, electronic exchanges, custodial wallet services and market makers or traders of digital assets. See Question 14 for further information on DABA.
See Question 2 with respect to money service business.
(a) the Money Services Law (2010 Revision) (MSL) which regulates money services business, which is defined as the business of providing (as a principal business) any or all of the following services:
(i) money transmission;
(ii) cheque cashing;
(iii) currency exchange;
(iv) the issuance, sale or redemption of money orders or traveller’s cheques; and
(v) such other services as the Governor in Cabinet may specify by notice published in the Gazette.
(b) the Bank and Trust Companies Law (2018 Revision) (Bank and Trust Companies Law) which regulates banking business which is defined as “the business of receiving (other than from a bank or trust company) and holding on current, savings, deposit or other similar account money which is repayable by cheque or order and may be invested by way of advances to customers or otherwise.”;
(c) the Proceeds of Crime Law (2018 Revision) (PCL) which has general application to all Cayman domiciled entities and the Anti-Money Laundering Regulations (2018 Revision) which regulates certain businesses conducting ‘relevant financial business’, as defined under the PCL which includes money or value transfer services and issuing and managing means of payment (e.g. credit and debit cards, cheques, traveller’s cheques, money orders and bankers’ drafts, electronic money);
(d) the Cayman Islands automatic exchange of information regime, which implements the international tax information disclosure regimes of the Foreign Account Tax Compliance Act and the Common Reporting Standards;
(e) the Electronic Transactions Law (2003 Revision), which provides that information, documents and contracts (or any provision thereof) shall not be denied legal effect or validity solely because they are in electronic form. Similarly, evidence of a contract (or provision thereof) shall not be denied admissibility solely because it is in electronic form. Electronic signatures are also expressly permitted; however, the law provides certain restrictions on the acceptance of signatures.
The principal pieces of legislation governing sources of payments in Cyprus are:
- the Central Bank of Cyprus Law 2002 (CBCL), which establishes and regulates the relevant competent authority, the Central Bank of Cyprus (CBC) in its interaction with pan-EU payment systems such as TARGET2-CY;
- the Business of Credit Institutions Law 1997 (BCI Law), which regulates authorised credit institutions in Cyprus as well as those passporting into Cyprus from elsewhere in the European Economic Area (EEA). The BCI Law transposes the Capital Requirements Directive 2013/36/EU (CRD IV);
- the Payment Services Law 2018 (PSL), which transposes the Payment Services Directive (EU) 2015/2366 (PSD2);
- the Electronic Money Law 2012 (EML), which transposes Electronic Money Directive 2009/110/EC (EMD); and
- the Settlement Finality in Payment Systems and Securities Settlement Systems Law 2003 (SFL) which transposes the Settlement Finality Directive 98/26/EC (SFD).
The offering and performance of payment services in Denmark are governed by the Danish Payments Act (hereinafter, the "Payments Act"), which implements the newest European payment service directive (PSD 2) into Danish law. Denmark has fully implemented PSD 2 into national legislation.
The provision of payment services is mainly regulated by two Finnish acts, the Payment Institutions Act (297/2010, as amended) and the Payment Services Act (290/2010, as amended), which implemented the EU's Payment Services Directives 1 and 2 ("PSD1" and "PSD2") in Finland.
Finnish legislation related to payments is generally based on EU law. For example, the Act on Detecting and Preventing Money Laundering and Terrorist Financing (444/2017, as amended) is also based on the EU directives regulating anti-money laundering obligations.
The Consumer Protection Act (38/1978, as amended) is relevant in terms of offering of consumer credits and other relevant products and services to consumers in Finland.
Overall, the main source of law in France is in the French Monetary and Financial Code.
In Germany, payment services are regulated in the Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz – “ZAG”), wherein the European Payment Services Directive II was transposed into national law. In addition to the ZAG, anti-money laundering and data protection regulation must also be complied with.
The Payment Services Directive (2007/64/EC), which became law in Gibraltar via the Financial Services (EEA) (Payments Services) Regulations 2010 (“the Payment Services Regulations”) – and the amendments brought by the second iteration of the Payment Services Directive, EU (2015/2366), which were transposed through the domestic Financial Services (Payment Services) Regulations 2018 (LN. 2018/010).
One of the main laws regulating payments in Malta is the Financial Institutions Act (Chapter 376) (‘FIA’), which is the key act transposing the EU Payment Services Directive (Directive 2007/64/EC) (‘PSD’). This Act is complemented with subsidiary legislation, particularly the Credit Institutions and Financial Institutions (Payment Accounts) Regulations, as well as a suite of Financial Institutions Rules issued by the Maltese financial services regulator, the Malta Financial Services Authority (the ‘MFSA’). The enactment of the FIA resulted in the introduction of payment institutions being regulated under Maltese Law under the supervision of the MFSA. The revised EU Payment Services Directive 2015/2366 (‘PSD2’) has been partially transposed into Maltese law through Directive No. 1, issued under the Central Bank Act (Chapter 204). The Banking Act (Chapter 371), which provides the legislative framework for credit institutions, cross-refers to the provisions of the FIA as the applicable law of the payment services provided by banks. Furthermore, the Civil Code of Malta (Chapter 16) regulates the private and civil law aspects relating to payments.
The main laws regulating payment solutions and payments in Israel are: the Debit Cards Law, 5746-1986, the Notes Ordinance (New Version); and the Supervision of Financial Services Law (Regulated Financial Services), 5776-2016 (the “Supervision Law”).
In addition, several reports have been published over the past few years by various committees, such as the committee headed by the Bank of Israel (“BOI”) on the subject of the Transaction Chain in Debit Card Transactions (July 2016) and the report of the Inter-Ministerial Committee to Promote the Use of Advanced Payment Solutions in Israel (June 2017), which serve as a basis for regulators' positions, interpretation of current law as well as for future legislation.
There is also new proposed legislation – namely, the Payment Services Law, 5778-2018 (which is partially based on the principles of the European Payment Services Directive II, as well as the current Debit Cards Law, which it is intended to replace) (the “Draft Payment Services Law”) that is to regulate a variety of existing and future payment services, mainly with respect to customer protections related thereto, which recently received the initial approval of Israeli parliament, and a draft of the Supervision of Financial Services Law (Regulated Financial Services) (Providing Payment Services) (the “Supervision Law Amendment”), which deals with licensing and registration aspects. This proposed legislation, if and when adopted, will expand the current definitions of payment providers and payment methods which will subject additional entities and services to the new legislation, while they are not currently regulated by payment solution and payment legislation.
There are many payment methods and instruments in Japan, but no comprehensive payment law. The general payment rule applicable to rights and obligations is governed by the Civil Code (Act No. 89 of 1896). The rules for the issuance and control of cash are subject to the Act on Unit of Currency and Issuance of Cash (Act No. 42 of 1987). In addition to these general rules, certain payment methods/instruments are regulated as follows:
1.1. Prepaid Payment Instrument ("PPI")
A PPI is an instrument that records a certain value charged in advance of use and is then debited as payment of consideration for goods and/or services. PPIs are regulated under the Payment Services Act (Act No. 59 of 2009).
1.2. Installed Payment
Installed Payments, in connection with the payment of consideration for goods or services to be divided over 2 months or more, are regulated under the Instalment Sales Act (Act No. 159 of 1961). The Act substantially covers all credit card payments.
Traditionally, remittance was regulated by the Banking Act (Act No. 59 of 1981) and other specific laws applicable to financial institutions. Only banks and such financial institutions were allowed to conduct remittance businesses. However, since the introduction of the Payment Services Act in 2009, certain registered companies, other than banks or financial institutions, are permitted to handle the remittance of up to JPY 1 million.
There are some other traditional payment methods, each subject to specific legislation. For example, promissory notes are subject to the Negotiable Instrument Act (Act No. 20 of 1932) and checks are subject to the Check Act (Act No. 57 of 1933), though the issuers of such payment methods are not required to be licensed or registered; the Electronically Recorded Monetary Claims Act (Act No. 102 of 2007) provides a legal framework for the electronic recording of monetary claims.
As a civil law country, legislation is the primary source of payments law in Mexico. Following the bill discussion and approval by both Chambers of Congress, legislation is enacted by the Executive Branch and published in the Federal Official Gazette.
Payments systems and services are regulated in Mexico as follows:
(i) The Bank of Mexico Law (Ley del Banco de México) establishes that such institution should be in charge of:
(a) regulating payment systems; and
(b) fostering the optimal functioning of such payment systems.
(ii) The Payment Systems Law (Ley del Sistema de Pagos) provides the characteristics, conditions and operation of payments systems in Mexico under the supervision of the Bank of Mexico.
(i) The Transparency and Ordering for Financial Services Law (Ley para la Transparencia y Ordenamiento de los Servicios Financieros) authorises the Bank of Mexico to regulate the means of payment and the payment services banks provide to their customers including, among others: (a) commissions and exchange fees; (b) services enabling cash to be placed on a payment accounts; (c) cash withdrawals; (d) transfers of funds on a payment account; and (e) the execution of payment transactions through digital or IT devices.
(ii) The Monetary Law (Ley Monetaria) establishes the provisions for the regulation of banknotes and metallic coins as means of payment and acknowledges the Mexican peso (MXN) as the currency of legal tender in Mexico.
(iii) The Fintech Law (Ley para Regular las Instituciones de Tecnología Financiera), regulates the activities of issuing, administering, redemption and transmission of electronic payments, which are carried out through computer applications, interfaces, webpages and other platforms.
British Virgin Islands
The principal pieces of legislation governing sources of payments in the BVI are the Banks and Trust Companies Act, 1990 (BTCA) and the Money Services Act, 2009 (FMSA). The BTCA regulates banking business in the BVI and the FMSA regulates financing and money services business in the BVI.
SSEK: Depending on the payment service provided, the relevant regulations are as follows:
a. Payment Transaction Processing
- Bank Indonesia (“BI”) Regulation No. 18/40/PBI/2016 regarding Provision of Payment Transaction Processing (“PTP Regulation”);
- BI Circular Letter No. 18/41/DKSP regarding Provision of Payment Transaction Processing.
b. Card-Based Payment Instrument
- BI Regulation No. 11/11/PBI/2009 regarding Provision of Card-Based Payment Instruments, and its amendment;
- BI Circular No. 11/10/DASP regarding Provision of Card-Based Payment Instruments, and its amendment.
c. Electronic Money
- BI Regulation No. 20/6/PBI/2018 regarding Electronic Money;
- BI Circular No. 16/11/DKSP regarding Provision of Electronic Money, and its amendment.
d. Fund Transfer
- Law No. 3 of 2011 regarding Fund Transfer;
- BI Regulation No. 14/23/PBI/2009 regarding Fund Transfer;
- BI Circular Letter No. 15/23/DASP regarding Provisions of Fund Transfer.
e. National Payment Gateway
- BI Regulation No. 19/8/PBI/2017 regarding National Payment Gateway;
- BI Board of Governors Regulation No. 19/10/PADG/2017 regarding National Payment Gateway.
f. Financial Technology
- BI Regulation No. 19/12/PBI/2017 regarding the Provision of Financial Technology (“BI Fintech Reg”);
- BI Board of Governors Regulation No. 19/14/PDAG/2017 regarding Regulatory Sandbox;
- BI Board of Governors Regulation No. 19/15/PDAG/2017 regarding Procedures for the Registration, Submission of Information, and Monitoring of Financial Technology Providers;
- Financial Services Authority (“OJK”) Regulation No. 13/POJK.02/2018 regarding Digital Financial Innovation in the Financial Services Sector (“OJK Fintech Reg”).
Currently, Portuguese payments law is regulated under Decree-Law no. 317/2009, of 30 October (the Payment Services and E-Money Legal Framework, “PSELF”), the current version of which transposed both Directive 2007/64/EC of the European Parliament and of the Council of 13 November 2007 (“PSD1”) and Directive 2009/110/EC of the European Parliament and of the Council of 16 September 2009 (the e-Money Directive, “EMD”).
The transposition procedure of Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 (PSD2) is currently underway, and the national parliament has already granted the government due authorisation for the enactment of the new Decree-Law transposing the PSD2 and repealing the current PSELF.
The Federal Reserve Act established the Federal Reserve, the body that issues notes, provides for payment services, acts as fiscal agent and depository of the United States, supervises and regulates banking institutions and sets monetary policy. The Federal Reserve issues payment system regulations, including Regulation E implementing the Electronic Funds Transfer Act (electronic transfers and credit cards), Regulation J (check processing) and Regulation CC implementing the Expedited Funds Availability Act (deposit holding periods).
The Bank Holding Company Act reserves certain activities to regulated banks. The National Bank Act established the Office of the Comptroller of the Currency (OCC), which has issued regulatory guidance to banks in connection with their payment system activities. The Consumer Financial Protection Bureau (CFPB), created under the Dodd-Frank Act, issues guidance to protect consumers in payment transactions. The Federal Deposit Insurance Act created the Federal Deposit Insurance Corporation (FDIC), which insures bank deposits and issues guidance on deposit activities.
The Uniform Commercial Code, adopted in all 50 states, governs transactions in negotiable instruments, bank deposits, ACH transfers, and investment securities. In addition, many states have enacted laws requiring the licensing of businesses engaged in money transmission activities, that require establishment of anti-money laundering procedures.
The sources of payments law in the UAE depend on whether the payment service is governed by the laws of the United Arab Emirates (the “UAE”), or by the laws of distinct jurisdictions such as the Dubai International Financial Centre (the “DIFC”) or the Abu Dhabi Global Market (the “ADGM”) (the “Financial Free Zones”), all of which have their own payment laws.
The Regulatory Framework for Stored Values and Electronic Payment Systems 2017 (the “2017 Regulations”) governs the provision of payment services subject to the jurisdiction of the UAE.
The 2017 Regulations were issued by the UAE central bank pursuant to the authority granted to it under Union Law No. 10 of 1980 concerning the central bank, the monetary system and organization of banking.
These regulations set out the requirements imposed upon four main types of payment services providers:
- Retail payment services provider: Authorized commercial banks and other licensed payment services providers offering retail, government, and peer-to-peer digital payment services as well as money remittances;
- Micropayment payment services provider: Payment services providers offering micropayment solutions facilitating digital payments targeting the unbanked and under-banked segments in the UAE;
- Government payment services provider: Federal and local government statutory bodies offering government digital payment services; and
- Non-issuing payment services provider: Non-deposit taking and non-issuing institutions that offer retail, government, and peer-to-peer digital payment services.
These regulations exclude from their scope technical service providers, defined as entities facilitating the provision of payment services to payment services providers, whilst excluded at all times from possession of funds (or transference thereof) (“Technical Service Providers”). A payment gateway operator could fall under this category.
The Dubai Financial Services Authority (the “DFSA”) rulebook (the “DFSA Rulebook”) governs the provision of payment services subject to the jurisdiction of the DIFC. The DFSA is the financial regulatory authority of the DIFC.
Section 2.6 of the DFSA Rulebook (General Module) defines the provision of money services as “providing currency exchange or money transmission”. Money transmission is defined as “selling or issuing payment instruments, selling or issuing stored value, or receiving money or monetary value for transmission, including electronic transmission, to a location within or outside the DIFC”.
Despite inclusion as a financial service, at the date of writing, no DFSA regulations exist specifically addressing requirements to establish a money transmission business. We are aware that the DFSA is currently working on such regulation which should be published in the near future.
The Financial Services and Markets Regulations 2015, as amended (the “FSMR 2015”), governs the provision of payment services subject to the jurisdiction of the ADGM. Further information regarding requirements for payment services providers in the ADGM can also be found under the Financial Services Regulatory Authority (the “FSRA”) rulebook (the “FSRA Rulebook”). The FSRA is the financial regulatory authority of the ADGM.
The FSMR 2015 and FSRA Rulebook set out requirements for the provision of financial activities in the ADGM including dealing in investments, insurance, accepting deposits, credit, operating trading facilities, managing assets, and providing money services.
The main legal act for regulation of payments in Ukraine is the Law of Ukraine "On payment systems and transfer of money in Ukraine." This area is also regulated by other Ukrainian laws, in particular: the Law of Ukraine "On financial services and governmental regulation of financial services markets", the Law of Ukraine "On electronic trustworthy services" and the Decree of the Cabinet of Ministers of Ukraine "On currency regulations and currency control system" that will be replaced by the Law of Ukraine "On currency and currency transactions" as of 07/02/2019.
The payments are subject to regulation by the National Bank of Ukraine and, therefore, this area is regulated by the various regulations of the NBU.
It should be noted that draft law No. 7270, which is currently under consideration by the Ukrainian Parliament, provides for significant amendments to the Law of Ukraine "On payment systems and transfer of money in Ukraine" and, among other things, allows non-banking financial institutions to open current accounts and issue e-money.
Payment systems are defined in and governed by the Swiss Financial Infrastructure Act (FinfraG) and by rules in the National Bank Act, the Banking Act (BA) and the Anti-Money Laundering Act (AMLA). Payment systems require a license only if certain conditions are fulfilled; hence, the regulatory framework for payment systems is complex.
The sources of law regulating payments in India include the Payment and Settlement Systems Act, 2007 (PSS Act) and the Payment and Settlement Systems Regulations, 2008 issued thereunder. The PSS Act and the Regulations provide the necessary statutory basis for India’s central bank, the Reserve Bank of India (RBI) to undertake the function of regulating payment and settlement systems in India. Under the PSS Act, the RBI has wide discretion to issue directions and guidelines to payment systems. While there is also a proposal to make changes to the PSS Act and introduce a new regulator called the Payments Regulatory Board (PRB), the necessary amendments to the PSS Act have not been passed yet.
The most significant piece of law governing payments in the UK is the Payment Services Regulations 2017 (referred to in this chapter as the “PSRs”). These are the UK implementation of the Second Payment Services Directive (commonly known as PSD2), which is a piece of European Union legislation that came into force on 13 January 2018, having been finalised in late 2015. PSD2 was created by the European Commission as a result of learnings from and in response to market developments since the introduction of the first Payment Services Directive in 2007, which was itself introduced in order to open up the payments market and govern various payment-related activities that had previously been unregulated. These included money remittance (i.e. sending money from one place to another), operating a payment account, the execution of payment transactions and the issuing or acquiring of payment instruments. Under PSD2 and the PSRs, this scope has been increased to include third party providers (“TPPs”), the so-called “open banking” account information service providers (or “AISPs” – who are enabled to pull digitised transaction data out of a payment account that is operated by another payment service provider), and payment initiation service providers (or “PISPs” – who are enabled to initiate a push payment such as a bank transfer, from an account operated by another payment service provider). Further detail is given on open banking in answer to questions 4 and 5 below.
PSD2 and the PSRs are supplemented by a range of Guidelines and Regulatory Technical Standards that are produced by the European Banking Authority pursuant to its mandate in Article 98 of PSD2. The most well-known of these is the Regulatory Technical Standard for strong customer authentication and common and secure open standards of communication (commonly known as the “SCA RTS”, official title the Commission Delegated Regulation (EU) 2018/389), which governs the methods by which payment service providers will have to carry out authentication in relation to payment transactions and online access to account information as well as the communication between the TPPs and other payment service providers. Broadly speaking this mandates two-factor authentication, under which authentication must be carried out using any two of three factors of something you know (such as a password), something you possess (such as a mobile phone or a credit card) or something you are (such as a biometric marker like a thumbprint). There are exemptions from the need to carry out strong customer authentication – for instance for certain low value transactions, contactless card payment transactions or recurring transactions – but these are tightly controlled. The SCA RTS will come into effect in September 2019, meaning that payment service providers have until then to implement strong customer authentication technologies and processes.
The other main piece of payments-related legislation in the UK is the Electronic Money Regulations 2011. These govern the particular payment service of issuing and distributing “e-money”, which is an electronic representation of cash. The typical example of e-money is a prepaid card, but these days e-money structures underlie anything from gift cards to mobile banks.
Lastly, whilst it is not strictly speaking legislation, the document “Payment Services and Electronic Money – Our Approach” published by the Financial Conduct Authority is an excellent guide on how the FCA views the application of the various pieces of legislation.
The legal framework in the Netherlands regarding payments is predominantly based on European legislation. Obviously, the Payments Services Directive (“PSD”) is the most important piece of legislation in this respect. In the Netherlands, the PSD has been implemented in the Dutch Civil Code and the Financial Supervision Act. The Netherlands did not make use of the Member State option to treat micro-enterprises the same way as consumers. Other examples of relevant sources of European legislation are the Regulation on cross-border payments, the E-money Directive, the SEPA Regulation, the Payment Accounts Directive and the Interchange Fee Regulation.
Implementation of the revised PSD, better known as the PSD2, has been seriously delayed and is expected to take place by the end of 2018. In anticipation of the implementation, institutions can already submit a draft application for a PSD2 license.
China's legal system is based primarily on the model of Civil Law, and therefore the sources of payments law are in the form of code law. Currently, they are in the form of various laws, administrative regulations, rules, policies and circulars issued by the People’s Bank of China (“PBOC”), the central bank of the People’s Republic of China, among which the most important laws and regulations include:
(i) PRC Law of the People's Bank of China (《中华人民共和国中国人民银行法》) adopted by the National People’s Congress;
(ii) Measures for Payment and Settlement (《支付结算办法》) issued by the PBOC; and
(iii) Administration Measures on Payment Services by Non-financial Institutions (《非金融机构支付服务管理办法》) issued by the PBOC.
While banking businesses are highly regulated in Taiwan, laws and regulations enable non-banks to provide a variety of payment services. Among others, the Act Governing the Management of Electronic Payment Institutions and its enforcement rules (collectively, "E-Payment Act"), which took effect in May 2015, allows non-banks to offer the electronic payment services (as further described in 2(1) below; collectively, "E-Payment Services") approved by the Financial Supervisory Commission (FSC), the government agency in charge of securities and futures products. The enactment of the E-Payment Act contributes to the growth of E-Payment Services in Taiwan. Currently, the FSC has granted approvals for six non-banks to provide E-Payment Services. In addition, the Financial Technology Development and Innovative Experimentation Act also offers a regulatory sandbox for applicants to test Fintech in a safe environment.