Monday, December 23, 2024

The PayTech Papers – Regulatory Challenge in Fighting Cybercrime

Spread financial intelligence

The revised Payment Services Directive (PSD2) to regulate payment services throughout the EU and EEA came into force in January 2018 and officially kicked-off the “Open Banking Era” with FinTech unicorns TransferWise, Revolut, Monzo, or N26 leading the pack. The number of licensed PayTechs in the EEA exploded as statistics published in July 2020 shows. Unfortunately, the number of unregulated and therefore unauthorized acting PayTechs specializing in scams and cybercrime also exploded. This is part 1 of our “PayTech Papers” series.


PayTechs and Regulation in a nutshell

PSD2 provides the legal framework for retail payments innovation in the EU and EEA by setting rules for Third-Party Providers (“TPPs”) service providers. It was intended to enhance consumer protection and increases security for payment services. In PSD2 new Access to Account Services (XS2A) services and roles were added to the regulatory playground:

  • Account Information Services (AIS) – online service consisting in providing consolidated information on at least one payment account held by a given payment service user with one or more other payment service providers (‘read-only’ access)
  • Payment Initiation Services (PIS) – the ability to initiate a payment transaction by a third party at the request of the payer from an account maintained by the payment service provider (‘read-write’ access)
  • Card-Based Payment Instruments Issuing (CBPII) – Issuing of card-based payment instruments and/or acquiring of payment transactions online.

These new regulated services pose a challenge to the traditional model of banks’ operation because they allow TTPs, to obtain information, and initiate payments from consumer payment accounts operated by these banks. This new environment is called “open banking.” Additional regulations accompanying PSD2 encompass Regulatory Technical Standards (RTS), including Strong Customer Authentication (SCA).

As a result of PSD2 we have three types of PayTech licenses:

  • Payment Institutions (PI) including PISP and CBPII
  • Electronic Money Institutions (EMI) and
  • Account Information Service Providers (AISP)

In its very essence, all Open Banking-enabled PayTechs are characterized by the fact that their business model as well as their operation is based on digital technologies and the Internet as the term already suggests. The teleological interpretation of PSD2 leaves no doubt that the Directive’s intention was to define ALL payment services in the best possible way and subject them to regulation. Hence, there should be no space left for unauthorized payment services or PayTechs. Still, many PayTechs claim to have a business model that doesn’t demand regulation. It’s just technology, you know?

The dark PayTech universe

The findings in the scientific article The impact of Payment Services Directive 2 on the PayTech sector development in Europe from July 2020 published in the Journal of Economic Behavior & Organization in October 2020 and the statistical data contained therein refers only to the licensed and/or regulated PayTechs in the EEA. Currently, there is no statistical data on the number of unlicensed and mostly unauthorized and/or illegally operating PayTechs.

The fact is that many unlicensed PayTechs take advantage of the legal and regulatory uncertainty surrounding PSD2. Many PayTechs in Cyprus and Estonia but also in Germany and other EU member states offer their payment services as unregulated entities to scammers and cybercrime organizations. They take advantage of the lack of knowledge of regulators when it comes to technology and tech-enabled payment processes. In fact, we know of cybercrime organizations that establish their own unlicensed PayTechs to handle their illegal sales and launder money.

We estimate that the number of unregulated PayTechs in the EEA is at least 10 times the number of licensed PayTechs. Moreover, there are currently payment licenses available in the EU that seems not to fit into the PSD2 in the first place, such as the Crypto licenses in Estonia. The FIU in Estonia alone, as the responsible regulatory authority, has issued more than 3,000 licenses through which payment services are processed in a combination of Crypto and FIAT (read this FinTelegram report here).

What exactly then is the legal and regulatory basis on which PayTechs like Praxis Cashier or BridgerPay operate? We will try to answer this question in the next articles in our PayTech Papers.

Stay tuned