Showing posts with label ECB / ESCB. Show all posts

Tuesday, February 04, 2020

Perspectives on (Ca-)Libra #3: Why the Libra is not e-money (on the history of e-money and stablecoins)

Quickly after the announcement of Libra, I stated that Libra could not be viewed as e-money. Now has come the time to explain my earlier analysis (of June 2019) as to the organisational set-up and regulatory qualification of Libra.
Libra is a privately issued and distributed digital and virtual ‘currency’, that is intended to function as a means of payment. It is not a true currency because its actual composition/counter value is a basket of fiat-currencies and financial instruments. It is not e-money as the Libra is not ‘monetary value’. The digital value qualifies as a financial instrument (a mini-participation in an open ended investment fund) and is used in an open source payment instrument, to be used for payment and acquiring. Both payments and securities legislation apply, as well as the relevant competition and consumer protection rules.
The Libra association is a manager of the governance and operational arrangements and activities that come with using the virtual currency Libra and participating in the Libra (payment) scheme. This Libra scheme is a private and commercial arrangement which:
- defines a unit of account for a new virtual currency: the Libra,
- defines the asset mix that backs one currency unit,
- lays out the distribution and management rules of the currency units and reserve funds,
- lays out commercial rules and does a private placement to further promote the use of the Libra by giving them away (for free or at a discount). 
Definitions of e-money and term: monetary value
The reason why Libra, as a basket of different currencies, cannot be considered e-money is that it doesn't qualify as such under the definition as it is not monetary value. And to comprehend the definition we must understand that the e-money directive has had a first version and that the European Central Bank was clear on its analysis. E-money is a fiat currency in a digital shape and must be treated as such in terms of: reporting requirements for monetary aggregates, redeemability (at par), assurance that customer fiat money equivalent was kept safe etcetera.

The definition and use of the term 'monetary value' in the first version reflects that all we could think of was digital tokens that one-on-one reflected the physical or existing scriptural account-money forms. This is particularly clear from the consideration 19 in the Opinion of the central bank on the first draft directives.


What we can see here is a central bank ensuring that redeemability against the fiat currency is obliged, in combination with a definition of e-money which does not allow offering e-money at a discount:
"electronic money" shall mean monetary value as represented by a claim on the issuer which is:
(i) stored on an electronic device;
(ii) issued on receipt of funds of an amount not less in value than the monetary value issued;
(iii) accepted as means of payment by undertakings other than the issuer.
Redeemability
1. A bearer of electronic money may, during the period of validity, ask the issuer to redeem it at par value in coins and bank notes or by a transfer to an account free of charges other than those strictly necessary to carry out that operation.
To me, the full analysis and reasoning behind the e-money rules can only mean that e-money thus covers the 100% forms of convertible fiat currencies. The whole regulatory construct and monetary safeguards in the e-money directive wouldn't work for other constructs. Also, the idea of issuing anything else than a digital equivalent of fiat-currency would have been hypothetical. We are talking the days that each digital player would seek maximum acceptance of the public of any new forms of payments, by piggy-backing on the trust/security mechanisms of the fiat instruments. Introducing a non-fiat-related digital currency was just a step too far and it's not what the E-money directive was meant to support.

When the second e-money directive came in and was aligned with the EU payments directive, it changed some of the structure and definitions. The ECB opinion as to redeemability and monetary matters remained unchanged however, so in essence the rules are still of the same construct. E-money means a one-on-one converted form of existing fiat money and all kinds of monetary statistics, redeemability etc are still in place for the wide variety of mechanisms that now use this regulatory avenue.

We must also understand that at that time we were nowhere near the existence of worldwide consumer platforms with such inherent power to dictate an alternate currency alongside fiat currencies. But now we do have those, including one that tries to issue and launch a Libra. Given the EU e-money directive however, the only reason this Libra would qualify as e-money is when it would be a 100% EU currency backing the Libra. As this is not the case, the Libra will not qualify as e-money.

Should we adapt the EU definition for e-money then?
In theory one could argue that the e-money definition needs adjustment in order to allow the Libra basket of currencies to be regulated. But this doesn't make sense from a financial instruments/securities perspective.

Whenever you dilute a 100% currency basket in the user's own currency towards a different asset base, you reform the token at hand into an investment basket. The user is exposed to an additional form of currency and counterparty risk, which does not exist when using the 100% e-money form. Of course the issuer of the financial instrument can proclaim the new asset base to be stable. Or almost stable, but the rules of the financial instrument game are different. If you issue such combinations of assets, you must warn the user of risks, assess whether he/she may be up to the investment/risks that they are taking and so on.

Not obliging Libra to have to do so would be creating an uneven playing field towards all kinds of other providers of financial instruments that equally seek to provide their financial services to customers via a similar asset package that can be bought in tiny portions. In addition, the monetary concerns involved in overissuance of the e-money product may go beyond the geography of the central banks involved as monetary authorities in the currency basket. Merely allowing a basket of currencies as backing for an e-money product would not be consistent with the ECB analysis on relevant monetary considerations and rules to ensure financial stability.

So, as stable as you may give your product a name or try to sell it to the public or regulators, all regulatory and market experts know that no currency basket will ever be stable. Effectively, suggesting the fact that it would be stable for the end-user would be mis-selling of the product, misleading the consumer and what have you. So name it stablecoin as you like, but it remains a risky participation in an investment fund/currency basket. And all rules under EU securities to such investments do apply. Meaning disclosure rules, but also rules as to who can trade/distribute this instrument. It will not at all be open to trade for everyone, without restrictions.

Does paying with Libra involve a payment instrument then?
Next up is the question what exactly qualifies as a payment instrument in the Libra setup. In my view the financial participation is a digital asset/financial instrument. And of course, if you wish, such an instrument could be used to pay. Rather than sending someone digital fiat currencies, the provision of the tradeable digital financial instrument would constitute the payment. The payment with Libra would thereby be a payment in kind, as if I exchange a bread for a bottle of water.

So is there a payment instrument involved and where is it?

Next up is the question if we can see a payment instrument, a payment order and a payment transaction under the Payment Services Directive, leading to the placing, transferring or withdrawing of funds. I think the main idea in this respect is to take the intentions of Libra to serve as a worldwide payment system as a starting point. This means we will have to take a close look at the question if tools are provided to the user (yes) meaning those tools (wallets) may qualify as payment instruments, if they move funds, which are defined as:
banknotes and coins, scriptural money or electronic money as defined in point (2) of Article 2 of Directive 2009/110/EC;
If the Libra is not banknotes and coins nor electronic money, we can only wonder if it could qualify as scriptural money. But this is indeed where it becomes a bit complicated. As the ECB put it, when advising on the Payment Services Directive:
12.10 The term ‘scriptural money’ is used in the proposed directive without being defined, e.g. in Article 3(b), Article 4(8) of the proposed directive and paragraph 7 of the Annex to the proposed directive. It is suggested that a definition of scriptural money should be established (in the definitions article), bearing in mind that only central banks and credit institutions (which include e-money institutions) may hold such funds.
So we have two options. We could consider the Libra issued by Libra association to the Libra association members (who are all registered security companies, allowed to offer, trade and sell financial products to the public and each other) a form of scriptural money. This is not illogical, given the explicit intentions of the Libra association and it would require the regulatory flexibility to allow for a self issued unit of account / securities product to be viewed as a form of money.

The other option is of course to not view the Libra as scriptural money and not apply the Payment Services Directive to a payment instrument which has a worldwide scope and impact. Although this may sound illogical, it is not illogical at all. The apps and tools that are used to pass on the Libra to other consumers would still have to comply with all securities related regulations. Users would have to sign up, pass suitability tests, issuers, brokers and exchanges of the Libra would need to have their MIFID licenses and such, so the customer would still be protected.

The exercise does show however that the Libra association has had little consideration to the relevant EU requirements and definitions when choosing Switzerland as their jurisdiction. Their guess may have been that they might be able to convince the local regulator to bend the rules a little, but the choice of a currency basket (and financial instrument structure) effectively deters its worldwide inclusive use for cross-border payments. Alternatively, a choice for a single currency basket might work, which would make it regular e-money, to which the PSD and all kinds of KYC/AML rules apply. Yet, this would mean that there needs to be a single issuer in the business model, as the reselling of e-money is prohibited under the EU regulations.

It is this considerable ignorance of relevant EU rules that has made it clear to me that Libra and Facebook will at no point in time be able to make their business model work. A brief visit to any innovation hub at any central bank would have made the above inconsistencies clear, but they apparently chose to ignore this. And the reason may be that the Swiss policy papers on stablecoins may have provided them with the impression that there was some leeway here. But even the relevant local supervisor has explained to them that both securities and payments legislation applies and that their business model will not work.

Then again, this is Facebook, pushing and moving so why could they have been so wrong in their assessment?

My hunch is that Facebook have applied a US centric approach to the whole regulatory debate on issuance of stablecoins and forgot how the regulatory regimes between EU and US differ. But for that I refer to the PS.

The main conclusion for now is: Libra does not qualify as e-money and the transfer of Libra might constitute a payment transfer, depending on the view one has with respect to the application of the word scriptural money under today's context.

February 5, 2020


PS. Regulatory regimes for stablecoins (US) and e-money (EU)
To put this in perspective for US readers, I want to shed a regulatory light onto the difference between stablecoins and e-money and the relevance of 1990s legislative landscapes in the US and Europe with respect to payments. The background against which the e-money directive was being developed here in Europe, was one in which - just as now - all over the world, people were thinking about the best forms of regulation of a new phenomenon: e-cash: electronic cash or Internet cash.

At that point in time I worked for the Dutch central bank and I investigated the difference between the existing regulatory regimes in Europe and in the US payments (see the American Law Review article here). And the big thing to take away here is that:
- the US had both banking supervision laws and money transmission laws,
- Europe did not have money transmission laws and only bank supervision regulation (somewhat harmonized under EU rules).

The consequence of this difference is that the US regulators had a clear money transmission framework that they could use, to apply to new forms of Internet payments and digital coins. In essence they all proclaimed new internet payment stuff to be some sort of money transmission, either by their design or by their nature. And thus: the regulation of those new forms of payment was easily done. No change in laws was required.

In Europe, there was no uniform payment legislation on a European scale. Different member states had different local rules on payments. We had to have a euro in place and many years of deliberation before we even ended up with a harmonised Payment Services Directive in 2007. So we had no payments legislation but we did have some form of e-cash begging to be regulated somehow. As the ECB had clearly outlined its concerns in this respect.

So the fierce debate in Europe was: should e-money be considered the functional equivalent of banking?

The main reasoning was: upon issuance of an e-money token of 1 euro, the issuer receives one euro of the public. This means attracting deposits from the public, which is part of the banking definition. Whereas central banks and Ministries of Finance felt this way, the Ministries of Economic Affairs succeeded in convincing them that an intermediate, light-weight banking regime should be set up. So we got an E-money Directive, creating EU license regimes for organisations that issue electronic money to the public, upon receipt of regular fiat money, which electronic money is then used for all sorts of payments.

The digital e-money had to be issued and redeemed at a 1 on 1 level (at par) and the e-money organisation had to safeguard the full reserve in a separate financial vehicle (or insurance arrangement). No license would be given if the safeguards weren't in place, so this means that the European e-money regime boils down to a regulatory regime which safeguards e-money. Or, what most US people would view as stablecoins (digital tokens, to be issued, traded, sold and transacted on the basis of an at-par rule with the original fiat currency).

Now back to the US. Initially the US payments regulation thus seemed well suited to adapt to new technologies. The birth of the bitcoin and other currencies created an issue. In essence, the US regulators didn't care to define a separate token or form of e-money into their payments regulation. They just stated that virtual currencies were a form of currencies and hence the money transmission regulations should be in place somehow.

Therefore Tether and TrueUSD are registered with the Fincen, but without the legal European safeguards in place to guarantee the peg. Then again the New York bitlicense regime does have those safeguards, but it is clear that no US regime for stablecoins exists. We can see that the US now lags in regulatory terms. It has fragmented state laws on payments, where EU caught up with harmonised payments legislation and harmonised e-money legislation. And the European e-money regime is essentially the unified EU stablecoin regime for tokens that seek a 1-1 peg with a fiat currency.

Thursday, May 09, 2019

FATF and EU need to fundamentally rethink their approach to virtual assets/currencies...

Virtual currencies have been on the radar of regulators for quite some time. Yet it is clear that they still struggle with definitions (which always happens when new technologies arise). The FATF is a key example now that they are seeking to harmonise international guidelines for applying FATF-rules to the crypto-world.

In this post I will look at some of the issues at stake and explain why the FATF-exercise requires a lot more time and thinking before the FATF (or EU) move forward. Do note that this is a longread, more geared to specialists in the field, than the general public.

For the public it boils down to this. The US is pushing all countries in the world to a situation where with each virtual or crypto transaction, your information needs to be distributed (by definition) to other players in the value chain.

But as the crypto definitions in countries diverge (and the FATF-definition is ill defined, potentially covering everything in the world), the only sensible thing to do is to stick with the local definitions of crypto-assets and to demand transaction information to be stored locally at the point of transaction. Any law enforcer wishing access to that information should thus approach the relevant local authority for that information.

Apart from this legal argument, we must acknowledge the recent regime changes in the world. It is by no means clear that countries that used to obey the law and follow the rule of law, will do so in the future. Thus, foreign law enforcers may become tools in the hands of local undemocratic rulers.

That is an additional argument that requires the EU (but also the FATF itself) to avoid the situation that a local law enforcer in an undemocratic country can get EU data by harvesting its home companies' data for the EU-info, without having an appropriate legal warrant under EU-rules.

And now for the longread part of it...

Definitions: always tough
Back in 2012, the ECB had a hard time grasping the concept of cryptocurrencies. They used the fact whether or not virtual currencies were regulated as their guiding principle:
A virtual currency can be defined as a type of unregulated, digital money, which is issued and usually controlled by its developers, and used and accepted among the members of a specific virtual community.

The US regulator (FINCEN) chose the following approach in 2013:
In contrast to real currency, “virtual” currency is a medium of exchange that operates like a currency in some environments, but does not have all the attributes of real currency. In particular, virtual currency does not have legal tender status in any jurisdiction. This guidance addresses “convertible” virtual currency. This type of virtual currency either has an equivalent value in real currency, or acts as a substitute for real currency. 

FINCEN then applied the money transmitter laws in an extensive way to bring exchanges of virtual currencies into their supervisory remit.

Later on, the ECB changed its definition to:
For the purpose of this report, it is defined as a digital representation of value, not issued by a central bank, credit institution or e-money institution, which in some circumstances can be used as an alternative to money. 
The EU stance remained that cryptocurrencies did not conform with definitions of funds and such in the EU legislation, hence their exchange and use was not regulated as such. Of course the integrity and consumer risks were identified and warned for.

In the FATF-context (2015) we read:
Virtual currency is a digital representation of value that can be digitally traded and functions as (1) a medium of exchange; and/or (2) a unit of account; and/or (3) a store of value, but does not have legal tender status (i.e., when tendered to a creditor, is a valid and legal offer of payment) in any jurisdiction. It is not issued nor guaranteed by any jurisdiction, and fulfills the above functions only by agreement within the community of users of the virtual currency.

While these definitions may seem to work at first sight, we still need some creativity to determine the boundaries of these virtual currencies. Essentially it is possible to bring any loyalty point scheme under these definitions, as they do not use a subject based qualification to determine what exactly virtual currencies are.

At that point in time, where the focus was mostly on payments and such, using the experience we had with e-money definitions, I suggested a framework based on objects of the digital values at hand:


| | User cannot buy tokens at all (loyalty-type) | User earns tokens and can buy additional (hybrid of loyalty/payment) | User buys and sells tokens (payment-type) |
| --- | --- | --- | --- |
| Tokens used in digital issuer-domain only | World of Warcraft | World of Warcraft | Linden Dollar |
| Tokens used in digital or physical issuer-domain only | Starbucks | Nintendo Points | Digital payment loyalty schemes for single retailers |
| Tokens used at other entities than the issuer | Frequent Flyer Programmes | Frequent Flyer Programmes | Bitcoin, e-money on mobile phones |


I think it would be fair to say that, while we pretend to have solved the application of crypto-legislation to the payment-type currencies, we actually haven't truly done so. There are still classification issues pending, but they may have appeared to be too irrelevant to matter.

Enter: ICO's and token frameworks
The next stage however was the widening of the blockchain concept, the application of crypto to generic tokens and the use of tokens as a form of share, security or other representation of objects, value, cash flows. This leads to a big confusion all around the world whether or not to view some tokens as security tokens, utility tokens and such. So, while our first definition already had flaws, we chose a new wording to cover this brave new world: crypto-assets or virtual assets.

As ESMA noted in their warning on ICO's at the time:
Where ICOs qualify as financial instruments, it is likely that firms involved in ICOs conduct regulated investment activities, in which case they need to comply with the relevant legislation.
So the essential discussion of application of financial law was left to local supervisors' interpretations and definition of financial instruments.

The definition-side remained quite weak, with crypto-assets being loosely described as:
Crypto-assets are a type of private asset that depends primarily on cryptography and Distributed Ledger Technology (DLT). There are a wide variety of crypto-assets. Examples of crypto-assets range from so-called cryptocurrencies or virtual currencies, like Bitcoin, to so-called digital tokens issued through Initial Coin Offerings (ICOs). Some crypto-assets have attached profit or governance rights while others provide some consumption value. Still others are meant to be used as a means of exchange. Many have hybrid features. 

ESMA noted then that there were many variations and that it was not necessary to regulate all forms of crypto-assets. In 2019 they published an updated analysis with still a very weak definition of crypto-assets:
Crypto-assets are a type of private asset that depend primarily on cryptography and distributed ledger technology as part of their perceived or inherent value. A wide range of crypto-assets exist, including payment/exchange-type tokens (for example, the so-called virtual currencies (VCs)), investment-type tokens, and tokens applied to access a good or service (so-called ‘utility’ tokens).

In their report they distinguish between payment, investment and utility tokens, to immediately outline that this distinction does not cover everything. So the definition issue remains as well as the question: which type of digital token falls under which type of regulation. Hence the EU is in need of more EU clarity on the subject.

On the other side of the ocean, the SEC has further fleshed out how to interpret generic financial sector rules to digital asset issuance/use. In a long awaited guidance note the answer ends up being: it depends on the way you structure the functionality of the token/asset and the use between investors and issuer. So depending on those features, it may well be a regular financial instrument and facilitating trading may constitute a regulated business of operating an exchange.

The FATF-approach: hammering financial services law into hardly defined virtual assets
In essence, the idea of the FATF is now to make sure all crypto-related business is covered in a layer of regulation that at the least ensures proper KYC and AML/CTF rules. As such, this can be appreciated and understood as a recognition of the fact that cryptocurrencies and crypto-assets are here to stay. If we bring the sale of high-value items such as diamonds or gold watches under the FATF-KYC/AML remit, it makes sense to also do so for digital goods/assets/cryptocurrencies (whichever legal status they have).

We do have a problem however, which is that the definition used by FATF, since October 2018, is still shaky:
A virtual asset is a digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes. Virtual assets do not include digital representations of fiat currencies, securities and other financial assets that are already covered elsewhere in the FATF Recommendations. 

This definition is so wide, that the FATF needs to explain:
The FATF emphasises that virtual assets are distinct from fiat currency (a.k.a. “real currency,” “real money,” or “national currency”), which is the money of a country that is designated as its legal tender.

The further definitions of virtual asset service provider clarify the intent of the FATF-definition: they wish to cover both former virtual currencies and the ICO area and use a very broad definition to describe virtual asset service providers. These are companies that for a business conduct:
i. exchange between virtual assets and fiat currencies; 
ii. exchange between one or more forms of virtual assets; 
iii. transfer of virtual assets; 
iv. safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; 
v. participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset

These definitions are very shaky grounds to use. One particularly troublesome issue is that the virtual asset definition has a negative part: it does not cover currencies, securities and other financial assets that are already covered elsewhere in the FATF-recommendations. It is a catch-all phrase that brings all loyalty points in the world under the FATF-remit. Now, the FATF will of course outline that that was not their intent, but as soon as you devise a crypto-based loyalty scheme, who is going to decide?

And taking it one step further: if I convert my multilevel marketing scheme into digitally represented agreements on a blockchain, do these new tokens qualify as a contract (not covered) or as their value and virtual assets? And how does this interpretation play out in the US vs the EU legislative context?

I am certain there is a host of applications/use cases where we will find the FATF definitions being not suitable for use. How about CO2-emission rights. World of Warcraft-tools. Shared ownership of my house or my bicycle. I would urge the FATF to do some more thinking in that respect. The negative catch-all in a definition (it is a virtual asset when all other definitions in our recommendations fail) is just not good enough.

I can only commend the FATF on one point however. The positive thing about the definition is that it speaks of representation of value. This implies a monetary or self-invented value/currency. It does not state that it is about the representation of physical assets or objects (such as real estate). Or that value can also be understood to consist of anything in the real world, to which value can be attributed (ie. everything).

Applying FATF-money transmission rules to crypto-assets: technicalities!
Right now the FATF has closed its public consultation on applying the money transmission rules to crypto-assets. They are hammering a payments-network idea onto cryptocurrencies and crypto-assets alike to not just demand identification and transaction monitoring. The idea is to also apply the addition of originator and beneficiary into crypto-transactions:
(b) R.16 – Countries should ensure that originating VASPs obtain and hold required and accurate originator information and required beneficiary information on virtual asset transfers, submit the above information to beneficiary VASPs and counterparts (if any), and make it available on request to appropriate authorities. It is not necessary for this information to be attached directly to virtual asset transfers. Countries should ensure that beneficiary VASPs obtain and hold required originator information and required and accurate beneficiary information on virtual asset transfers, and make it available on request to appropriate authorities. Other requirements of R.16 (including monitoring of the availability of information, and taking freezing action and prohibiting transactions with designated persons and entities) apply on the same basis as set out in R.16

Where the approach worked in 2001 in a world where a payment was a payment, funds are funds and wire transfers are wire transfers how can it work in a world where fundamentally the core definition of virtual asset or crypto-asset is as vague as it is in EU and the US?

The whole exercise strikes me as a hasty effort, given that the authors have not noticed that also the interpretative note for Recommendation 16 should be changed to include virtual assets (exempting intra-VASP payments and e-commerce virtual currency payments from the scope). And it is clear that the US is driving the FATF to adopt the above change hastily - and without solid analysis - by June 2019.

To me, there is only one logical conclusion: in the decentralised world of virtual assets, with jurisdictions each applying different boundaries to crypto-stuff, there is no sufficiently harmonised basis to enforce the attachment of data to each transaction. Requiring service providers to hold the info and make it available by request is not a problem, but sending it out as we did with the former FATF7-rules is impossible due to the patchwork of diverging definitions.

In my response to the FATF-consultation I have outlined this problem:

In addition I would like to note that the divergent legal status of virtual assets (considering its wide definition) in different countries may have the consequence that under some local laws the transfer is not financial in nature and will not be covered under the financial legislation and AML/TF frameworks. It is possible that a sufficient legal basis is lacking in some jurisdictions to apply the crossborder wire transfer regime to such non-financial transactions and that data protection regulations take prevalence. This could be solved by applying the domestic wire transfer regime to transfers of virtual assets, regardless of their potential cross-border nature. The further application of this regime on the domestic level can then be geared to the specific legal qualifications for virtual assets in that specific jurisdiction.

My proposal is to follow the most efficient way. Strike out the part that says: submit the above information to beneficiary VASPs and counterparts (if any). It is simply not proportional and economically sensible to demand as the FATF to include privacy-sensitive information in crypto-transactions. Officers can have access by asking and demonstrating lawfulness of the request via international channels. But the day and age of using local tricks and harvesting local companies for EU-data should be over.

The area of digital assets, virtual assets is so ill-defined that the FATF cannot claim a full competency, as the legal basis in a number of jurisdictions will not be there. We should also keep in mind that the catch all definition - not elsewhere regulated under these FATF-rules - is still written under from the FATF role of being Financial Action Task Force, focusing on financial industry and financial services as the main objective. So if my home country defines certain digital goods as digital goods and not in scope of crypto legislation, that to me would be the end of the remit for the FATF (and it would remain out of scope of the catch-all clause as well).

So much for the technicalities.

Applying FATF-money transmission rules to crypto-assets: geopolitics
We should recognize that we are in a different moment in time than in 2001, when the FATF-7 rules were introduced. At that point in time the US was a beacon for democracy and rule of law. But it isn't any more.

Its role became fuzzy when it turned out that US law enforcers had used US-based servers of EU companies (Swift) to get hold of EU-data. And this made the EU sensitive to the protection of its citizens against unwarranted, overly ambitious law enforcement in other countries.

We should again be sensitive. The EU, but also the FATF, have an obligation to protect their citizens from undue harassment and intrusion by law enforcement authorities. And creating tons of data outside the consent-scope of the citizen does not sound like good protection at all.

Right now, we can witness around the world, an increase in countries with all kinds of 'strong leaders' that violate human rights agreements, do not obey the rule of law, that are involved in money laundering schemes, do not listen to lawful requests of their constituents and ignore climate agreements.

I think the EU has a duty not to cooperate with the implementation of so-called FATF-requirements when it is clear they are increasingly unable to protect the privacy and guarantee the lawfulness of the data exchange. Requesting other states to go get the data (and ensure that it is proportional) is a better way forward.

In sum: improve definitions and reconsider the worldwide distribution of transaction data for virtual assets/currencies
While I think that FATF should fully reconsider its definitions and redo its homework, this virtual-asset momentum and this train that is being pushed by the US may be rolling too fast to stop it. So as a stop-gap one could propose to eliminate 7b or at least strike out the distribution line:
(b) R.16 – Countries should ensure that originating VASPs obtain and hold required and accurate originator information and required beneficiary information on virtual asset transfers, submit the above information to beneficiary VASPs and counterparts (if any), and make it available on request to appropriate authorities. It is not necessary for this information to be attached directly to virtual asset transfers. Countries should ensure that beneficiary VASPs obtain and hold required originator information and required and accurate beneficiary information on virtual asset transfers, and make it available on request to appropriate authorities. Other requirements of R.16 (including monitoring of the availability of information, and taking freezing action and prohibiting transactions with designated persons and entities) apply on the same basis as set out in R.16
The FATF-proposal is disproportional, technically unsound and uneconomic. We'd better store the citizens' data locally and ensure distribution on a piecemeal basis, based on solid legal grounds, only when there is a true virtual asset under local definitions.

To the EU I ask to protect my reasonable concerns as a private citizen and not implement the proposal that comes out, until it ensures that my data stay local where they are and are not distributed at large to possibly evil states, dubious countries and their law enforcers.

The latter holds particularly true when we can observe that the chair of the FATF, the US Treasury Secretary, is not living up to his national constitutional obligations to comply with the US law himself.


PS. I noted that the interpretative note to recommendation actually also holds an additional new definition, apart from the main text:
1. For the purposes of applying the FATF Recommendations, countries should consider virtual assets as “property,” “proceeds,” “funds”, “funds or other assets,” or other “corresponding value”. Countries should apply the relevant measures under the FATF Recommendations to virtual assets and virtual asset service providers (VASPs).



Tuesday, August 01, 2017

Dutch central bank can further encourage innovation for payment institutions with a quick win

Article 18.2 in PSD2 (Article 15 in PSD1) on the nature of funds in a payment account of a payment institution

It's a logical thing. As the bakery provides bread, banks provide loans and allow savings, e-money institutions offer e-money, payment institutions are allowed to provide payment accounts to their customers. These accounts would neither be redeemable deposits or repayable funds, nor e-money, as the article in the PSD(2) states.

Stricter interpretation by De Nederlandsche Bank 
De Nederlandsche Bank, our local supervisor, however does not appear to allow the above flavour in the Netherlands easily. Companies that have business models in which payment accounts (whether with or without IBAN) are offered, should not be surprised if they are told that the funds would qualify either as redeemable deposits or e-money, with little in between.

As a result, one will not encounter a lot of payment-account issuing by payment institutions in the Netherlands. And this is in spite of the fact that even the Explanatory Memorandum of our Financial Supervision Act explicitly mentioned this possibility.

Other supervisors follow the EU-approach 
Thus we can see issuers from other countries, such as Pocopay from Estonia, offer payment services and payment accounts to students where these can't be offered by local players. On their website, we see this issuer outlining (USING CAPITALS) in the terms and conditions that the funds are not redeemable, to be used for payments and not covered by deposit insurance of any kind.

Other instances can be found in German or French markets, leading to the situation that Dutch payment institutions are restrained in product innovation and less able to compete with PIs from other countries, which may offer a broader solution range to their customers.

Quick win to facilitate innovation in payments in the Netherlands 
There is a clear quick win here in the Netherlands in terms of payment regulation. Instead of claiming that funds are either deposits or e-money, De Nederlandsche Bank should more easily allow payment institutions to also offer the third flavour: non-redeemable funds on payment accounts, used for payment purposes.

Of course, one could raise the question whether it is possible to make such a business model work, but it should be the market that decides rather than the supervisor.

This article is a translation of a contribution to the Financieel Dagblad of July 29, 2017.

Thursday, June 08, 2017

Response to FCA consultation: please clarify what will happen to the payment in 'payment instrument' in article 3k?

This April, the FCA launched its consultation on the Implementation of the revised Payment Services Directive (PSD2): draft Approach Document and draft Handbook changes. When reading this I was in particular paying close attention to the discussion of the limited network exemption in article 3k.

Background: limited network exemption
The limited network exemption has its background in the fact that many retailer-based shopping or payment solutions exist, that have a function similar to that of a payment, albeit on a local scale or for a limited range of goods. In order not to be burdened with a huge supervisory obligation, the regulator has taken this class of activities out of the scope of the Payment Service Directive and rightly so.

There is a relevant difference between providing EU wide, reachable payment instruments and solutions that solve a specific niche retailer problem. But getting this right in all detail is tough and therefore the wording of article 3k is somewhat vague.
(k) services based on instruments that can be used to acquire
goods or services only in the premises used by the issuer or
under a commercial agreement with the issuer either within
a limited network of service providers or for a limited range
of goods or services;
This allows supervisors to apply the article in a sensible way, in line with the spirit of the regulation.

Changes in PSD2: from instruments to payment instruments
The Paysys report of March 2014 describes the following on the evolution of the article:

In its final report on the PSD II (11 March 2014) the ECON Committee accepted the Recital 12 with the statement of the Commission of the existence of “massive payment volumes and values” offering “hundreds or thousands of different products and services” which are wrongfully operating under the exception of the limited networks of the Payment Services Directive (2007/64/EC). In order to improve consumer protection, these huge payment schemes should no longer be waivered.

Therefore, the Commission proposed a narrowed definition of “limited network/limited range” (Article 3 k) and a very restrictive implementation. In general, the ECON Committee followed the proposal of the Commission by taking over uncritically its assumption of the existence of non-regulated “massive payment volumes” in the market.

In phrasing the new article however, something did happen that may have been legally quite relevant. The wording instruments changed into payment instruments. This means that instruments which do not qualify as payment instruments and are not used to deliver payment services under the PSD2, will not qualify.

(k) services based on specific payment instruments that can be used only in a limited
way, that meet one of the following conditions:

  • (i) instruments allowing the holder to acquire goods or services only in the premises of the issuer or within a limited network of service providers under direct commercial agreement with a professional issuer;
  • (ii) instruments which can be used only to acquire a very limited range of goods or services;
  • (iii) instruments valid only in a single Member State provided at the request of an undertaking or a public sector entity and regulated by a national or regional public authority for specific social or tax purposes to acquire specific goods or services from suppliers having a commercial agreement with the issuer; 

Effectively this takes out a lot of retailer instruments, which sometimes can be card-based, as they are not truly payment instruments but tools to add purchases into a shopping basket (which can be paid monthly via direct debit payment for example). It also means that petrol cards or fuel cards that are based on a similar mechanism - and may include a chain sale - will not fall under the exemption but can be considered out of scope.

Now, my personal guess is that while this legal consequence is clear, supervisors may want to ignore the relevant adjective 'payments' in order to keep their hold on near-payment mechanisms, even when they are not in scope of the PSD2 and do not fit under this definition. For that reason I was very interested to see what the FCA did with the difference between instruments and payment instruments.

What does the FCA propose to do with this?
It turns out that in the consultation document the FCA sometimes pays lip service to the original definition, but mostly conveniently forgets the 'payment' part of 'payment instrument' in the definition of 3k. See for example their summary phrasing on page 19:
Limited network exclusion
2.18 Under the PSRs 2009, a business that offers a payment service may be excluded from regulation if its service is based on instruments that can be used only in a limited way to acquire goods or services in certain limited circumstances (often called the “limited network exclusion”) e.g. some gift or store cards.   
2.19 PSD2 aims to standardise the application of the limited network exclusion across the EU, and makes changes to the exclusion which mean it now applies less widely. One limb of the exclusion’s application is narrowed so that it relates to instruments used to acquire a “very” limited range of goods and services (rather than “limited range” set out previously in PSD). A new limb excludes certain instruments provided for social or tax purposes from regulation under the PSRs 2017. Our proposed amendments to Q40 and Q41 in PERG 15 give guidance on the scope of the amended exclusion. 
Then again, the formal notification form does state that the respondent should clarify if the notification ticks all the boxes of the law:
Please explain how the product or service falls within the limited network exclusion specified, including details of the following where relevant:
  • the payment instrument; 
  • where and how the payment instrument can be used; 
  • where the customers or users are based; 
  • etc.....
Well, this proposed approach is pretty confusing, so therefore I sent in a reply to the consultation asking to clarify the FCA interpretation of article 3k. In doing so I also referred to the fuel card situation and the set up with chain sales.

Clarify the confusion: are you reading payment instruments as 'instruments' in 3k or not?
We are wondering why the FCA is properly using the delineation payment instruments in a lot of the texts on limited network exclusions, but when it comes down to the actual formulation of excluded activities in Perimeter Guidance, it chooses to forget the word "payments" and sticks to: payment services based on instruments used within a limited network of service providers or for a very limited range of goods or services (“limited network exclusion”). This would create an inconsistency in which the old understanding of limited network is moved towards the new PSD2-interpretations although the legal wording is substantially different.
Should we understand the changed wording to be merely an omission or a situation of intended regulatory scope creep, to include all kinds of non-payment instruments under the scope of the payments directive?

When the final document comes in, we'll have a look at the response of the FCA, to see if things have become more clear.

Wednesday, May 28, 2014

The Euro Retail Payments Board: first meeting and outlook

On Friday, the 16th of May, the Euro Retail Payments Board (ERPB) held its first meeting (with this agenda) in Frankfurt. The ERPB is the successor to the SEPA Council, which aimed at realising the SEPA-project. Whereas the SEPA Council was co-chaired by the ECB and the European Commission, the chair of the ERPB is Yves Mersch, Member of the Executive Board of the ECB.

First Meeting
The first meeting was dedicated to agreeing on the mandate, functioning and work plan of the ERPB. The ERPB Members decided to set up a working group on post-migration issues relating to the SEPA credit transfer and SEPA direct debit schemes as well as one working group on pan-European electronic mandate solutions for SEPA direct debits. In addition the ERPB acknowledged and asked the Cards Stakeholder Group (CSG) to carry out a stock-taking exercise and devise a work plan with respect to card standardization.

The ERPB further discussed the expansion of the SEPA Direct Debit scheme (SDD) with a non-refundable (one-off) direct debit. It was agreed that the EU legislators would be asked to clarify legal refund-conditions when evaluating the Payment Services Directive and that a possible scheme would be launched only after this review was complete.

In order to further investigate the future use of pan-European electronic mandates for SDD, the ERPB set up a separate working group. Finally, the EPC presented the latest update on the migration to SEPA. Whereas the migration to credit-transfers was very close to completion, work remained to be done for direct debits. The ERPB called upon all stakeholders in the euro area to complete their migration to SEPA payment instruments as early as possible and before the deadline.

Outlook for the ERPB
The launch of the European Retail Payments Board marks a new starting point for discussing the future of European payments with all stakeholders involved. The inclusion of payment institutions and e-money industry can add considerable value given their different approach and background. These providers live and breathe Internet-based technology, seek EU-standardisation and do not have similar legacy-systems as the banks. I expect this to lead to fruitful debates and exchange of insights.

Some observers may cite the lack of legislative powers as a disadvantage of the ERPB. Others may wonder if it is possible to achieve results in a body that only meets twice a year. I would submit however that in ten years' time, the sceptics will look back in surprise to see how the ERPB has positively shaped the outcome of the European debate on retail payments. The Dutch experience with similar standing committees (see this separate blog) demonstrates that there is a lot of unlocked potential that lies in the trust and bonds that will be formed and shaped by this collective effort.



Sunday, March 16, 2014

ECB provides outlook on retail payments in Europe at EPCA-conference

Pierre Petit, deputy director general (payments and market infrastructure) of the European Central Bank, has outlined the ECB’s views on European retail payments. He made his remarks at the EPCA Summit 2014, where he defined the role of the European Retail Payments Board (ERPB) and the follow-up on the SecurePay recommendations on access to payment accounts.

New players to be part of drive towards integrated European payments market
The ERPB is to become a forum for driving the further development towards an integrated European payments market in the post-SEPA situation. Petit confirmed that the first meeting of this group is to take place in May, and new industries such as e-money providers and payment services institutions are to join in these discussions, along with other representatives of both consumers and providers.

The ERPB will aim to further stimulate the development of the European retail payments market by working together on topics such as innovation and integration. The group will identify and address strategic issues and work priorities, including business practices, requirements and standards. Issues could include the development of a single e-mandate solution or the improvement of interoperability between national e-payment schemes.

Security requirements for payment account access services
The ECB announced that it would this month publish the responses and the results of the consultations on security for payment access to the accounts. The publication would be for information only, given that the European Banking Authority will be providing guidelines on security measures under the revised Payment Services Directive.

Although the ECB does not want to impose formal requirements as there is a risk that the EBA could take a different position, it is likely that the two-factor authentication model of the SecurePay forum will remain the norm for retail payments account access services and mobile payments.

Tuesday, January 28, 2014

Towards a more flexible approach of authentication

In July last year, the European Commission published a proposal for a revised Payment Services Directive (PSD). The proposal draws on the work of the SecuRePay forum of supervisors and requires ‘strong customer authentication’ when a payer initiates an electronic payment transaction.

Strong authentication
Strong authentication is defined as a procedure for the validation of the identification of a natural or legal person based on two or more elements categorized as knowledge, possession and inherence. These elements are independent, in that the breach of one does not compromise the reliability of the others, and the procedure is designed in such a way as to protect the confidentiality of the authentication data.

The concept of strong authentication is in itself nothing new. What is new however, is its appearance as a detailed regulatory requirement. So far, both the Payment Services Directive and the Electronic Money Directive contained a more generic requirement for licensed operators to demonstrate that their governance arrangements, control mechanisms and procedures are proportionate, appropriate, sound and adequate. This allows for a system wide supervisory review of risks and security measures.

The current approach in both the envisaged PSD and Recommendations of the supervisors in Europe is however to take out and stress one element of the risk/security puzzle. This approach may turn out to be counterproductive and be an impediment to achieve retail payments that are as secure, efficient and as frictionless as possible.

Different market approaches to customer authentication
Traditionally the banking sector and card schemes have played a major role in the payments industry. For a long time they acted as the main channel through which new technological developments were introduced. In this process, strong authentication in a range of countries became a standard for use in payments. Further security measures for use in transactions over the Internet were then being developed as an add-on to the basic design.

More recently, Electronic Money Institutions (EMIs) and Payment Service Providers (PSPs) have entered the payments value chain using the Internet as their basic transaction processing initiation channel. As a result, their approach to payment security tends to be based on a variety of methods, to be able to counter a range of attacks associated with this inherently unsafe environment. PSPs have had to move very quickly up the e-payment security learning curve and found out that they must remain vigilant with respect to new threats. PSPs are consistently using additional information (geo-location information, IP address matching, IP address pattern detection, industry blacklists, comparison against a customer’s existing “profile” etc.) to validate the interaction with a user.

There is still much to gain by combining the expertise of both the “classic” and more recently-established providers of payment services. Customers will be using all kinds of devices as a service entry point; this requires a flexible approach to authentication. Rather than two-factor authentication we could speak of multi-factor authentication, which would include the specific user-payment service provider interaction context. But that is not all.

Stuck with two-factor customer authentication?
The analytical flaw that underlies the SecurePay recommendations is its strong focus on too detailed a part of the business and security process: customer authentication. Of course this is quite an important element of the transaction process, but the overall security of (mobile) retail payments is always achieved by a proper combination of security measures.

Customers, devices, processes and issuers should all be authenticated properly. And any risk control structure does not just rest on authentication but on a wide array of logical and functional controls. These controls may sometimes be labeled: 'fraud detection' but the quality of the risk prevention that they achieve can be just as good as one of the classic factors, that are not in the definition of strong authentication.

It is evident that new authentication measures and security challenges are being used and developed to achieve a level of security in retail payments which is contingent on the risks that are relevant in the user-transaction-device context. We can witness this in the bank, card, Internet and mobile payment domain. As these developments occur, it is unwise to freeze one detailed building block of security measures into a regulatory requirement. This will skew the market into less efficient and more cumbersome customer experiences, while technically not necessarily safeguarding a strong level of security.

In particular the mobile domain allows for a wide array of additional capabilities to achieve the security levels that supervisors desire. It would therefore be wrong to make the low-value threshold of the PSD the dividing line between strong and alternative customer authentication measures. A better approach is to link the degree of authentication to the degree of risks and the further security measures that are in place. This will allow the market to develop solutions that achieve both ease of use to the consumer and the desired level of security.
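
The contrast drawn above, between a fixed value threshold and authentication tied to the risk in the user-transaction-device context, is sketched below as an added example (not part of the original post). The signal names follow the contextual checks listed earlier (IP blacklists, geo-location, device and profile comparison); every weight, threshold, field name and sample payment is an assumption constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Assumed values for illustration only; none come from the PSD proposal
# or the SecuRePay recommendations.
LOW_VALUE_LIMIT_EUR = 30.0   # stand-in for a regulatory low-value threshold
STEP_UP_SCORE = 50           # score at which a second factor is required
DECLINE_SCORE = 90           # score at which the payment is refused

WEIGHTS = {
    "ip_on_industry_blacklist": 60,
    "unknown_device": 30,
    "country_outside_profile": 25,
    "amount_above_typical": 20,
    "new_payee": 15,
}


@dataclass(frozen=True)
class CustomerProfile:
    home_countries: frozenset
    known_devices: frozenset
    known_payees: frozenset
    typical_max_eur: float


@dataclass(frozen=True)
class PaymentContext:
    amount_eur: float
    ip: str
    geo_country: str
    device_id: str
    payee: str


def value_threshold_policy(ctx):
    """Baseline: authentication strength depends on the amount alone."""
    return "single_factor" if ctx.amount_eur <= LOW_VALUE_LIMIT_EUR else "strong_auth"


def risk_signals(ctx, profile, blacklist):
    """Return the names of the contextual signals that fire for this payment."""
    addr = ipaddress.ip_address(ctx.ip)
    checks = {
        "ip_on_industry_blacklist": any(addr in net for net in blacklist),
        "unknown_device": ctx.device_id not in profile.known_devices,
        "country_outside_profile": ctx.geo_country not in profile.home_countries,
        "amount_above_typical": ctx.amount_eur > profile.typical_max_eur,
        "new_payee": ctx.payee not in profile.known_payees,
    }
    return [name for name, fired in checks.items() if fired]


def risk_based_policy(ctx, profile, blacklist):
    """Pick the authentication level from the summed risk, not from the amount.

    The fired signals are returned with the decision so that a reviewer or
    supervisor can see why a payment was stepped up or refused.
    """
    reasons = risk_signals(ctx, profile, blacklist)
    score = sum(WEIGHTS[name] for name in reasons)
    if score >= DECLINE_SCORE:
        decision = "decline"
    elif score >= STEP_UP_SCORE:
        decision = "strong_auth"
    else:
        decision = "single_factor"
    return decision, score, reasons


# Constructed sample data (documentation IP ranges, made-up identifiers).
BLACKLIST = [ipaddress.ip_network("203.0.113.0/24")]
PROFILE = CustomerProfile(
    home_countries=frozenset({"NL"}),
    known_devices=frozenset({"dev-laptop-1"}),
    known_payees=frozenset({"NL-UTILITY-CO"}),
    typical_max_eur=500.0,
)
# A: small amount, but unfamiliar device, country and payee.
CASE_A = PaymentContext(12.0, "198.51.100.7", "BR", "dev-unknown-9", "NEW-SHOP")
# B: larger amount in a fully familiar context.
CASE_B = PaymentContext(400.0, "192.0.2.10", "NL", "dev-laptop-1", "NL-UTILITY-CO")
# C: small amount from a blacklisted address on an unfamiliar device.
CASE_C = PaymentContext(12.0, "203.0.113.50", "NL", "dev-unknown-9", "NL-UTILITY-CO")


def compare(cases):
    """Return (amount, value-threshold decision, risk-based decision) per case."""
    return [
        (c.amount_eur, value_threshold_policy(c),
         risk_based_policy(c, PROFILE, BLACKLIST)[0])
        for c in cases
    ]


if __name__ == "__main__":
    for row in compare([CASE_A, CASE_B, CASE_C]):
        print(row)
```

The value threshold waves through cases A and C because they are small, while the context-based policy steps up A and refuses C; case B is the reverse, where the amount alone forces strong authentication in an otherwise familiar context.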

A more future-proof approach
It is not unlikely that the envisaged inclusion of a detailed requirement on strong customer authentication may distort the current market developments rather than allow for further innovation and market development. A more future-proof approach is desirable.

In my view such an approach would be to allow for a broader 'multi-factor authentication' which includes authentication based on the user-interaction context. In addition it would be good to recognise that the quality of some of the security measures which are often labeled: 'fraud detection' may have become such that they achieve a similar level of security as the traditional authentication factors.

We should also allow alternative authentication mechanisms to be used, dependent on the risk involved, rather than a certain value threshold. It would then be up to the supervisors to make the context-based and risk-based assessments on the whole array of security measures as a part of their supervisor reviews.

This approach should ideally be complemented by excluding today's specific definitions of strong authentication from the wording of the Payment Services Directive and replacing them with a generic reference to the relevant security recommendations.

The result would then be that we will have a clear and flexible security requirements framework in Europe that sets the boundaries within which the market can further innovate and develop.

Tuesday, November 27, 2012

The ECB-report on virtual currency schemes: some reflections

Last month, the ECB published a report on virtual currency schemes. I have been reading this with great interest as it signals the involvement of the central banks in a new area: virtual currencies. The relevance of this report must therefore not be misunderstood. We should remember that in 1994, the EMI-report on pre-paid cards signalled the start of the regulation of prepaid-cards and electronic money products. And in a similar style, this report may become the starting point for regulation of virtual currencies.

In general, central banks are to be commended for monitoring the developments in the area of money, retail payments and near-money products. If you're a central bank, an institution that is responsible for true money, then it is always good to know what other forms of money are in circulation. And as such the report of the ECB demonstrates that the European central banks are alert.

Analytical basis could improve
I must say however that I was also somewhat disappointed. The analytical framework presented in the report is a bit shaky in my view. It does not rest on the nature of the subject discussed (virtual tokens and currencies), but on how they are 'regulated'. As an approach, I find this unconvincing. Furthermore I noted that 'unregulated' is not defined. Does it mean that central banks or supervisors are not involved or that no regulation applies at all?


As an alternative I would point out the possibility of using frameworks such as this one (taken from the American Law Review):

It is interesting to note that the empty box in this table can now be filled with: Bitcoin as an example of a system where money can circulate freely without returning to a central mint.

Which electronic tokens are currency or money and which are not?
The ECB distinguishes between three virtual currency types, in terms of openness of the systems involved.

Type 1 is a closed link system in which the digital tokens are only usable in the system itself. The example the ECB provides is the World of Warcraft Gold. And although the picture suggests that there is no link to the real economy, the ECB notes: However, there seems to be a black market for buying and selling WoW Gold outside the virtual currency scheme. If Blizzard Entertainment discovers any illegal exchange, it can suspend or ban a player’s account. 

Type 2 contains systems where users pre-pay services of a supplier in the form of private issuer tokens such as Facebook credits. And type 3 systems are open systems of privately issued tokens/currency that can be bought and sold. It is in this category that bitcoin and Linden dollars are placed.

What is lacking in this model is a Type 1b, where there is no formal buying or selling of tokens, but there is a relation to the physical world. It is the world of loyalty points and tokens, which can be earned and redeemed, but never exchanged for money itself. The ECB places these under category II.

It appears to me that in doing so, the ECB doesn't distinguish sufficiently between loyalty tokens and payment tokens, which each have a different role to play in the business model of their issuer. An alternative table might have been:


| | User cannot buy tokens at all (loyalty-type) | User earns tokens and can buy additional (hybrid of loyalty/payment) | User buys and sells tokens (payment-type) |
|---|---|---|---|
| Tokens used in digital issuer-domain only | World of Warcraft | World of Warcraft | Linden Dollar |
| Tokens used in digital or physical issuer-domain only | Starbucks | Nintendo Points | Digital payment loyalty schemes for single retailers |
| Tokens used at other entities than the issuer | Frequent Flyer Programmes | Frequent Flyer Programmes | Bitcoin, e-money on mobile phones |


The missing element: mobile money
What intrigues me is that the digital money on mobile phones is not a part of the discussion. It is by its definition (an exemption in the e-money directive) an unregulated form of digital money. Yet, the ECB has been so long accustomed to the strange sequence of events that made the European Commission decide that money on antennas of MNOs is not electronic money, that they forgot to include it in the analysis.

The reputation argument.....
Finally I noticed that the ECB finds that if these virtual currency schemes (however defined) grow too much, they might give rise to a reputation issue for the central banks. Here again I think the analysis is a bit too strongly worded. Central banks can simply outline their scope of work and responsibility by stating that they are not in any way responsible for money that they didn't issue and supervise. By clearly and repeatedly informing the public of this fact, the public can then choose to take a risk with the virtual currencies or stay out of them.

Yet, I wouldn't be surprised if this reputation argument (or a comparable public policy objective: transparency) becomes the main angle from which future supervision of these schemes will be justified.