Loading...

Payment Institutions (PIs) and Electronic Money Institutions (EMIs) in the EEA

topic

As with all sectors of the financial system, the payments and banking sector is also undergoing an important transformation with new technology-based innovative products and services.

Since 2007 when the first Payment Services Directive was adopted, the expansion of financial technology which reshaped the industry resulted in the emergence of new services and alternative payment and banking solutions by new players. In turn, these gave rise to legal uncertainty and regulatory challenges.

Against this context, the EU regulatory bodies have achieved an important regulatory milestone in this area with Directive (EU) 2015/2366 on payment services in the internal market (the “Directive”), also known as “PSD2”) which entered into force in 2016 and went into full effect by 2019. The said Directive regulates electronic money institutions (EMIs). The Directive aims to increase consumer protection, strengthen the safety of payments and foster innovation and competition in the payments market. Significantly, the Directive promotes the entrance of new players that had previously operated outside the regulatory perimeter, in the payments and e-money sector now as either payments institutions (PIs) or EMIs. Notably, Brexit was also an important driver behind some of the new licences, as some institutions were seeking to maintain passporting benefits.

On the 11th January 2023, the European Banking Authority (the “EBA”) published its Peer Review report (the “Report”) on the authorisation of PIs and EMIs under the revised PSD2. The Report is insightful in terms of matters concerning applicants around issues of the authorisation process under the PSD2, timelines and country-specific compliance with the EBA Guidelines under Directive (EU) 2015/2366 (PSD2) on the information to be provided for the authorisation of payment institutions and e-money institutions and for the registration of account information service providers (the “Guidelines”).

  1. The report's assessment

The Report identifies an implementation of the Guidelines by National Competent Authorities (“NCAs”) to a large extent, and where implemented, this has achieved the desired consistency and transparency in the authorisation information.

However, the Report also identifies divergent approaches in how NCAs assess and the extent to which they scrutinize applications. More specifically, divergent practices are identified in relation to the assessment of, amongst others:

  • Business plans (scope and intensity of assessment varies);
  • Applicants’ governance arrangements and internal control mechanisms (supervisory expectations vary);
  • Shareholders with qualifying holdings (scope and intensity of scrutiny varies);
  • ‘Local substance’ requirement i.e. the need for a payment institution to have its head office in the Member State in which it is seeking authorisation and to conduct part of their activities there (the requirement is interpreted differently by each NCA thereby leading to divergence in supervisory expectations and practices).

Taking as an example the local substance requirement, and specifically the head office requirement, while Cyprus requires a significant senior management presence in Cyprus, Netherlands requires a minimum of 2 executive directors to be present locally, while Estonia requires at least 1 board member/director to be present locally. Significantly, Sweden does not require local presence at all, but instead requires half of the board members and the CEO to be domiciled within the EEA. The Peer Review Committee recommended to the European Commission to assess Sweden’s transposition of PSD2.

The divergence identified in the supervisory expectations of competent authorities as regards the requirements for authorisation as a PI or EMI in the EU exposes this sector to forum shopping which would undermine the objectives of the Directive and the Guidelines of establishing a single EU Payments Market. Consequently, the Peer Review Committee identified the NCAs which fall short in the above, suggests follow up measures to be taken by the specific NCAs and identifies best practices developed by other NCAs that should be taken as an example to be followed.

  1. The position in Cyprus

In Cyprus, the requirements for authorisation of PIs and EMIs are regulated by the Payment Services Law 2018 (L. 31(I)/2018), as amended, which aims to harmonise Cypriot legislation with the European Directive 2015/2366, as amended, on payment services in the internal market and the Electronic Money Laws of 2012 (L. 81(I)/2012), as amended, respectively.

The length of the authorisation process of EMIs and PIs in Cyprus is reported to be approximately 13 to 15 months. The extended authorisation period in Cyprus appears to be predominantly due to the reported lack of resources by the competent authority of Cyprus, the Central Bank of Cyprus (the “CBA”). The CBA explained that the number of new applications received in 2020-2021 increased significantly compared to previous years as a result of PIs and EMIs that were authorised in the UK seeking authorisation in CY following Brexit, as well as a wider boom of other fintech companies in seeking authorisation. The CBA is taking measures to address this resource gap.

Most significantly, despite the resource constraints which are being addressed, the above ‘authorisation boom’ demonstrates an important vote of confidence in Cyprus as a jurisdiction to obtain a PI/EMI authorisation by interested parties.

Cyprus offers a business-friendly eco-system with low establishment and operational costs, English is the main business language and it constitutes a hub of a highly qualified and experienced workforce. Finally, its legal system based on English common law is also often favoured by businesses and investors.

  1. Recommendations

Besides NCA-specific recommendations made by the Peer Review Committee throughout the Report, the Report concludes with an overview of the three main follow-up measures recommended for all NCAs:

  • review their authorisation resources and processes to ensure that they remain adequate to scrutinise applications within a reasonable timeframe;
  • ensure that applicants have a ‘three lines of defence’ model that includes the functions of risk management, compliance and internal audit, where the nature, scale and complexity of their activities makes this appropriate; and
  • ensure that applicants are effectively managed and controlled from the jurisdiction in which they seek authorisation.

The Peer Review Committee further pinpointed the specific guidelines which have not been fully implemented by specific NCAs and that would constitute a problematic divergence in the authorisation requirements. As a result, it suggested those NCAs take measures to address this.

In addition, the Report expands on the recommendations of EBA to the European Commission as regards the PSD2, and recommends to the EC, amongst others, to clarify:

  • the delineation criteria between the different categories of payment services and e-money issuance,
  • the applicable governance arrangements for PIs and EMIs,
  • the criteria that national competent authorities should use in assessing the suitability of directors and management, and
  • the requirements that applicants must meet in order to comply with the local criteria.
  1. Concluding Remarks

Besides the problematic divergences identified, PSD2 is a maximum harmonisation Directive, therefore the flexibility given to Member States in how they transpose the provisions into national law is minimal.

Given the above, with the follow-up measures and recommendations made in the Report to the NCAs, to EBA and the European Commission, the supervisory playing field is expected to be levelled, mitigating against forum shopping. Equally, the legal framework for establishing PIs and EMIs in the EU is expected to become clearer, more consistent and transparent.

This is essential for a market with safe electronic payments which will ensure that consumers, merchants and companies enjoy choice and transparency of payment services to benefit to the full extent from this area. The result of implementing the follow-up measures will be subject to review in two years and the results remain to be seen.

The content of this article is valid as at the date of its first publication. It is intended to provide a general guide to the subject matter and does not constitute legal advice. We recommend that you seek professional advice on your specific matter before acting on any information provided. For further information or advice, please contact Stephanos Ayiomamitis , Senior Associate and Christina Tifa, Associate at our Limassol office by telephone at +357 25363685 or email at stephanos.ayiomamitis@kyprianou.com or christina.tifa@kyprianou.com