Three key regulations you should know about when launching your payments business in Europe
Every founder needs to understand their market. That means navigating the often complex regulatory environment.
Launching a payments business in Europe requires every founder to understand their market. That means doing customer research, scoping out competitors, and – perhaps the trickiest of them all – navigating the regulatory environment.
Whilst certain regulations will differ country-to-country, the EU’s 27 member states are bound by overarching European regulation. Even the UK, which left the EU on 31 January 2020, still enforces a host of EU laws it adopted whilst it was a member state.
There are three main regulations every fintech needs to comply with before pressing the go-live button in Europe:
The first is the Anti-Money Laundering Directive (AMLD). It sets out rules for entities operating in the EU to combat money laundering and terrorist financing.
The second key legislation, the Payment Services Directive (PSD2), was created to encourage competition and establish payment security in Europe.
The third, which stretches across far more industries than just the financial services sector, is the General Data Protection Regulation (GDPR). It addresses the issues surrounding companies’ storage and protection of personal data.
Why we’re talking about this
Europe’s financial sector has long been governed by stringent regulation. But in the last ten years, the advent of fintech as a disruptor to traditional banking models has driven regulation to adapt, evolve, and ultimately become more inclusive.
“The arrival of fintech has ushered in new ways of handling and making money, and thus has created a grey area for regulations,” Mayank Pratap, co-founder of supersourcing.com, explained back in 2019. “This has been drawing the attention of lawmakers.” Most recently, the French central bank issued a warning to firms which refer to themselves as “neobanks” but are not credit institutions.
Compound this with Europe’s particularly strict attitude towards consumer protection compared to the likes of the US and China, and the barriers to entry throughout the continent can suddenly seem dauntingly complex. In actual fact, they are completely manageable. You just need to take a moment to break down the three core laws: AMLD, PSD2, and GDPR.
“I’d encourage anyone looking to start a new payments business to first dig deep into these three regulations,” says Moorwand’s head of compliance, Gareth Mahoney.
“That way, you’re going to be far better prepared for what will be expected of you – not just by the regulators, but also by the different tech partners you choose to integrate with. At the end of the day, the fintech industry relies on compliance at the ecosystem level. If there’s just one weak link in the chain, it can cause a serious ripple effect.”
Anti-Money Laundering Directive (AMLD)
The first AMLD, issued in 1991, arrived at a time when international cooperation was high on the agenda, particularly in an era when political worries around the drug trade were rife. Until the 1990s, countries had taken AML tactics into their own hands, leaving authorities unable to join the dots across borders.
The legislation is now on its sixth iteration, which must be adopted by EU member states by 3 June 2021. The UK opted out of the last revision, which seeks to harmonise the definition of ‘money laundering’ across borders, extend criminal liability to individuals, introduce tougher punishments, and implement new information sharing requirements.
But let’s take a step back for a moment and look at what sits at AMLD’s core. It’s designed to prevent the EU’s financial system from facilitating money laundering and terrorist financing. ‘Money laundering’ is currently defined as the transfer of assets derived from criminal activity, whilst ‘terrorist financing’ means the provision or collection of funds on behalf of a terrorist-related account.
The directive lays out key processes firms must put in place to steer clear of these two illegalities. They centre around the concept of ‘Know Your Customer’, or KYC, which requires every firm operating under AMLD to verify the identity of each account holder. This means firms are required, by law, to hold certain details on every customer. As the European Commission explains, “traceability of financial information has an important deterrent effect”.
AMLD also extends to monitoring customers’ transactions, and suspicious financial activity must be reported. To fulfil these requirements, companies need to partner with providers offering suitable solutions, purpose-built to meet KYC verification and AML reporting standards.
Payment Services Directive (PSD2)
PSD2 has long been hailed as a watershed moment for the fintech industry. It gave start-ups the entry point they needed into a traditional financial market to provide consumers with a host of new services. Regulators hoped the legislation would open up the sector and spur more competition, particularly amongst the big high street banks.
The first Payment Services Directive (PSD), which was enacted in 2007, created a new payment market in the Eurozone. Then in 2013, the directive was revised with a fresh focus on competition. Specifically, it wanted to achieve “a better integrated internal market for electronic payments within the EU”. PSD2 officially came into force across Europe on 13 January 2018, though not every country on the continent was ready to implement it by then.
At the very centre of PSD2 is the phenomenon of open banking. With customer consent, banks have to facilitate customer account access for what the law calls ‘third-party payment service providers’ (TPPs) – i.e. fintechs.
Through the use of APIs, or application programming interfaces, banks and fintechs can feed data and initiate payments between each other. APIs essentially act as the plumbing upon which fintechs can layer additional services, such as personal financial management (PFM) tools or bank account payment initiation.
But firms must loop in licensed entities to complete these actions. PISPs, or ‘Payment Initiation Service Providers’, allow firms to facilitate direct payments to a company from a customer’s bank account. AISPs, or ‘Account Information Service Providers’, allow firms to access bank customer information which they can then turn into new products.
General Data Protection Regulation (GDPR)
Leading up to the eve of GDPR on 25 May 2018, swathes of firms – particularly those headquartered outside of Europe with international offices on the continent – were in a state of panic. With proposed fines reaching 4% of annual global turnover or €20 million (whichever is greater), stakes felt uncomfortably high. Some firms went as far as to discontinue EU operations, or prevent EU citizens from accessing certain services.
But three years on, the majority of firms have a much better grasp of GDPR and its implications for their business. One of the most important components of the law is asking consumers for consent before obtaining their data. This also means consumers have the “right to be forgotten”. In other words, companies have to dispose of data which is no longer relevant to the services they provide. And any third-party partner contracts have to be reviewed so data is not shared or sold without a user’s permission.
Those businesses just starting are in prime position to adopt what the EU calls a “privacy by design” approach to customer data. This means building your infrastructure from the ground up with GDPR in mind. This will make it a lot easier to comply with day-to-day requirements and to deal with far more infrequent incidents – such as data breaches, which should be reported to the relevant authorities within 72 hours.
But as Milica Vojnic, Wisetek’s marketing head, points out in Finance Magnates: “Fintech companies are proving to be better positioned for GDPR compliance than the more established financial institutions like banks.” One point Vojnic makes is that “a more vigilant customer base is more likely to trust brands that are perceived as being tech-savvy”.
Despite Brexit, the European Commission (EC) will continue letting personal data flow freely between the EU and the UK. In a statement published in February 2021, the EC said the UK’s data protection standards are “essentially equivalent” to the EU’s, and can therefore be considered “adequate”.
A starting point
To fully prepare for these three key regulations, and any other regulations which might apply to your new payments business, it’s best practice to set some time aside to read the fine print.
Whilst summaries like ours will save you time, they are ultimately just high-level overviews. In reality, every firm and its requirements are different, which means the way you apply each law throughout your organisation could differ markedly from another firm’s.