Electronic Payments — The Smart Card


CLSR SepOct.qxd 9/3/02 2:18 PM Page 307

Electronic Payments - The Smart Card

ELECTRONIC PAYMENTS - THE SMART CARD

SMART CARDS, E-PAYMENTS, & LAW - PART II

Dr Simon Newman and Gavin Sutter, Queen Mary College, University of London

This article, in three parts, examines the legal issues raised by the development of the smart card. It explores contractual, liability and intellectual property rights issues and assesses whether a suitable legal framework exists in which smart card use can flourish and grow.

B. WHAT KIND OF LEGAL ISSUES DOES THE USE OF ELECTRONIC PAYMENT SYSTEMS RAISE?

1. Data Protection

The internet in general has raised many data protection issues in recent years. For example, many websites, e.g. , offer mailing list facilities, keeping the user up to date on the latest developments in a specific area. A variety of personal information may be sought for these purposes, such as, for example, name, address, email address, information about hobbies and interests, and so on. The websites concerned are globally accessible and may originate in states without the same level of protection as exists in the UK – for example (although this may change in the near future), the US. Or a website may use a ‘cookie’ to store information about a particular user on his or her own computer – is this information, clearly stored in the UK, also collected and processed there? Is it subject to the requirements of the UK legislation, even though the company responsible for the cookie has no location there? In the case of a database held by a company on its own servers, there is a question as to whether the appropriate law is that of the jurisdiction in which the company responsible for collecting and holding the information is based, its headquarters, or the particular wing of the company which is directly responsible (in the case of a large multi-national), or where the actual servers on which the information is processed and stored are located. Such issues seem of little interest to the average internet user. However, while consumers are often prepared to give out some personal information, many are extremely reluctant to give out information such as credit card number and expiry date for fear that it will be intercepted by a third party and fraudulently used or will be otherwise susceptible to misuse while in the possession of a retailer. Others prefer not to use credit cards, wishing to preserve their privacy and anonymity online.
The relevant legislation across the EU is the Data Protection Directive 1995 (OJ 1995 L281/31). The Directive sets out, inter alia, basic principles and rules for the collation and keeping of computerized personal data about individuals, placing clear obligations upon those who wish to do so in respect of how that data may be gathered, for what purposes it may be used (i.e. those for which it was collected) and confidential and secure processing. Under the Directive, personal data may be collected and processed, inter alia, where ‘processing is necessary for the performance of a contract to which the data subject is party…’ (Article 7 (b)). Data collected must be held ‘for no longer than is necessary for the purposes for which the data were collected or for which they are further processed.’ (Article 6 (e)). The definitions given to ‘personal data’ and ‘processing of personal data’ in the Directive (Article 2 (a) and Article 2 (b) respectively) are sufficiently broad as to encompass collection and processing of credit card details by a merchant in order to accept payment in an online transaction. The Directive’s provisions impose certain requirements upon the data processor; for instance, it must guarantee that the data remains confidential (Article 16), and that ‘appropriate technical and organizational measures’ be taken ‘to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing…’ (Article 17). Use of secure channels such as the SSL protocol can help to ensure that such guarantees are met. SSL and encryption are designed to prevent unauthorized third party access to the data in transmission. The SET standard ensures a further measure of security, as the merchant has no access to the encoded credit card data. In all cases, of course, the Directive’s provisions apply not only to the merchant seeking payment but also to the bank or credit card company with which the consumer’s account lies.
Computer Law & Security Report Vol. 18 no. 5 2002 ISSN 0267 3649/02/$22.00 © 2002 Elsevier Science Ltd. All rights reserved

In general there is no need for a merchant to retain personal data acquired for the purposes of completing a transaction once payment has been received. There are, however, some systems such as Amazon’s accounts and its 1-Click ordering service, or CyberCash’s InstaBuy, which rely for their operation upon the maintenance of a database of personal information on customers, including payment details. This information is collected automatically upon the consumer’s first purchase from Amazon or a site using the InstaBuy system. The consumer is informed that this information will be retained on first purchase at a point where, if (s)he does not wish this to be done, the transaction may be cancelled. This is in compliance with Article 7 (a) of the Directive, which provides that personal data may be processed if ‘the data subject has unambiguously given his consent.’ The same confidentiality and security requirements are imposed here, although in the context of a database which will be maintained long term, as opposed to information which is to be retained for only so long as is necessary to receive payment, such requirements are of much greater importance. These requirements place a clear liability upon the data controller to protect against fraudulent access by another to an individual’s account. In the event of that happening, the Directive entitles the wronged party to a judicial remedy (Article 22). Further, ‘any person who has suffered damage as a result of an unlawful processing operation…is entitled to receive compensation from the controller for the damage suffered’ (Article 23 (1)), unless the controller can prove ‘that he is not responsible for the event giving rise to the damage’, in which case (s)he will have a valid defence (Article 23 (2)). Again data is communicated between consumer and merchant by means of a secure channel, using the SSL protocol. Data is typically held on more secure firewalled servers, designed to be inaccessible to hackers. Digital cheques raise similar issues of security to credit card transactions insofar as an account holder’s digital signature must be kept secure in order to avoid fraudulent usage by others. The data contained in a digital cheque must be treated the same as that in a credit card transaction for all data processing purposes. Again SSL is typically used in order to offer further security to the transaction.
The chief attraction for the consumer of digital cash systems is that they are in theory anonymous – just as with real cash, a particular transaction cannot be traced to a particular consumer. However, in practice this is not the case. With the notable exceptions of Mondex, and of DigiCash’s eCash system (the DigiCash company may have gone into voluntary bankruptcy, but the technology is still used) and its ‘blind signatures’, transactions made using all of the digital cash solutions currently available are ultimately traceable back to an individual consumer. Often – as is the case with, for example, Millicent – while the payee cannot directly know the identity of the consumer, this is traceable by the issuer of the electronic cash system used. Beenz, and other such token-based systems, require no credit card nor other banking details – indeed, it may prove to be the case that such systems, which bear no financial risk to the consumer, encourage them to take up use of internet payment systems gradually by building trust in the technology. For now, however, the chief issue surrounds the personal details – name, town of residence, age, gender, as well as monitoring of websites visited (for purposes of consumer research) – that these systems hold. Any such data identifying the consumer and consisting of personal information is protected by the Directive and so the issuer is subject to the same conditions and protections. Mondex cards, for example, are issued with a PIN, which the issuing bank can match to a customer’s personal details. The payee cannot access these and thus the cardholder’s privacy is protected as against the payee, but the bank collects the personal data used in the transaction and is thus bound by the data protection rules. By the same logic, credit card information encoded into a Twin/Tone Records watermark is inaccessible to all but those who can decipher the watermark, upon whom the same data protection duties are laid. (There should be no jurisdictional question here, as the data, being stored in music downloaded from the Twin/Tone website on the purchaser’s PC or a CD which (s)he has burned it onto, is clearly processed where the purchaser resides – in the case of an EU citizen the Directive is applicable.) Biometric identification systems, such as Iriscan, also require a database of personal information in order to match an individual’s appropriate bodily characteristic(s) to the correct account information. Again the same considerations should apply as to the applicability of the Directive. Perhaps the most significant aspect of the Directive from the perspective of online payment systems is Chapter IV, which deals with the transfer of personal data to third countries. Under Article 25 (1): ‘The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if…the third country in question ensures an adequate level of protection.’

Such a provision has important implications for processing of personal data in the context of online payment systems: typically processing is done where cheapest – all processing by the CyberCash network, for example, is done in the United States. What qualifies as ‘adequate’ is of great importance, as third countries deemed by the Commission not to offer such protection are, under the Directive, to be prevented from having qualifying data transferred to them.[13] As initially proposed, the Directive did not clarify what was meant by ‘adequate’ – if interpreted so as to mean an equal level of data protection, the US for example would be excluded. The US is currently considered to offer an inadequate level of protection, as it lacks any comprehensive national legislation on data protection. What does exist varies from state to state, as well as between sectors; in addition, regulation is often by means of industry self-regulation rather than legislation. However, the US Department of Commerce has been in ongoing negotiations with the EC, and it is expected that at some point in the near future an agreement will be brokered which will bring about a solution to this impasse. The Directive as passed, however, provides broader criteria as to what should be considered here: this includes, in particular, ‘the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.’[14] Given that an online payment system may so easily be set up so as to do all its processing potentially anywhere in the world that its issuers decide, with the exact location not necessarily being known by the user, it does seem that there could be some difficulty encountered in enforcing this particular protection.
Perhaps such problems could be circumvented by a licensing system which required that such systems wishing to trade with EU customers should provide all relevant information about where processing takes place, and whether that location is subject to the protections offered under European Union law. In the UK, the Data Protection Directive has been enacted as the 1998 Data Protection Act;[15] however, it is not yet in force. The UK has taken full advantage of the transition provisions, and it will be 2007 before the Directive as passed by the European Parliament is given full effect in British law. However, the 1998 Act does create a significantly stronger data protection regime.

2. The Payments Recommendation

The 1997 Payments Recommendation[16] sets out various requirements relating to the minimum information which should be given to consumers using electronic payment instruments within the scope of the Directive, and the minimum information contained in the terms and conditions governing the issuing and use of an electronic payment instrument; the obligations and liabilities of the parties to a contract; notification of the loss or theft of an electronic payment instrument; and settlement of disputes. The Recommendation includes some positive steps in the regulation of new methods of payment; however, it does not apply to all types of electronic payment instrument discussed above. It is explicitly stated that the Recommendation’s provisions do not apply to ‘payments by cheques’,[17] and presumably this includes electronic cheques. The definition given to ‘electronic money instrument’ refers specifically to a ‘reloadable’ device[18] while the preamble makes it clear that the Recommendation ‘is…limited to instruments of the reloadable type.’[19] Disposable cards, such as those offered by VisaCash, for example, are thus not covered. This may well be a common sense measure designed to exclude from the Recommendation’s ambit payment cards such as disposable phonecards. It would of course be impractical to offer in respect of a fixed value non-reloadable card the same rights as granted where a reloadable smart card or electronic wallet is used. In fact, such a disposable card is treated in the same manner as ‘real’ cash – if lost it is lost, with no specific legal comeback.
Other limitations are placed upon the use of reloadable electronic money instruments under certain conditions.[20] It would seem prima facie undesirable to place limitations upon the legitimate interests of consumers in making online transactions on the web in relation to, for example, minimum legal standards as to rights under the contract governing the issue and use of a payment instrument on the ground that it is disposable; however, it should be borne in mind that other, general provisions of EU and national consumer law will apply irrespective of the payment method used. For instance, the Distance Selling Directive[21] provides that the consumer must be given certain information, such as ‘the price of the goods or services including all taxes’, ‘delivery costs, where appropriate’, duration of an offer’s validity, etc.,[22] confirmed in ‘writing’, at the appropriate time.[23] A ‘right of withdrawal’ from the contract is also granted to the consumer who may, within ‘a period of at least seven working days…withdraw from the contract without penalty and without giving any reason. The only charge that may be made to the consumer because of the exercise of his right of withdrawal is the direct cost of returning the goods.’[24]

3. Systemic Risk

Electronic cash systems place a liability upon the issuer to redeem the electronic units for value, whether from a payee or an account holder to whom the units were initially issued. There are certain risks associated with a digital system, for example, loss occasioned by the redemption of counterfeit tokens. Various electronic means may be adopted in order to prevent forgery. In the DigiCash eCash system, for example, only the issuing bank is enabled to create the electronic coins – thus the only way of creating a forgery is to duplicate coins which are already in circulation. As a preventative measure, the eCash system maintains a database of spent coins’ serial numbers. User anonymity is protected by the ‘blind signature’ method; however, a ‘coin’ cannot be spent twice. Illicit access to a consumer’s account by another can be prevented by use of various password and encryption devices.[25] A further risk is that, due to poor investment decisions by the issuer, the money held against the digital units issued is diminished. Such risks, and the potential domino effect on other business interests, have led some to call for a restriction of the power to issue digital cash to banks, who are subjected to a variety of requirements for the purposes of capital protection etc. Such concerns are to be addressed by the Electronic Money Directive.[26]
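The two eCash mechanisms described above, a bank that signs a coin it cannot read (the blind signature) and a spent-serial database that refuses a coin presented a second time, as an added teaching example that is not DigiCash's or the article's own code. It uses textbook RSA with toy Mersenne-prime parameters and no padding; the `Bank`, `withdraw_coin` and `run_demo` names are this example's own.

```python
"""Toy eCash-style blind-signature coin with a spent-serial database.

Constructed teaching example, not DigiCash's implementation. The bank signs
a blinded digest, so it never sees the serial it signs (withdrawal and spend
are unlinkable), yet its spent-serial set still catches a double spend.
"""
import hashlib
import secrets
from math import gcd

# Toy RSA key built from two Mersenne primes; real systems use ~2048-bit keys.
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python >= 3.8)


def coin_digest(serial: bytes) -> int:
    """Hash the coin serial into the RSA group (toy full-domain hash)."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


class Bank:
    """Issuer: signs blinded coins on withdrawal, redeems coins on deposit."""

    def __init__(self) -> None:
        self.withdrawals: list[int] = []  # blinded values the bank actually saw
        self.spent: set[bytes] = set()    # serial numbers already redeemed

    def sign_blinded(self, blinded: int) -> int:
        """Withdrawal: sign whatever the customer presents (a blinded digest)."""
        self.withdrawals.append(blinded)
        return pow(blinded, D, N)

    def deposit(self, serial: bytes, signature: int) -> str:
        """Payee redeems a coin: verify the bank signature, then check the
        spent list. Returns 'accepted', 'invalid' or 'double_spend'."""
        if pow(signature, E, N) != coin_digest(serial):
            return "invalid"          # forged or tampered coin
        if serial in self.spent:
            return "double_spend"     # genuine coin, but already redeemed
        self.spent.add(serial)
        return "accepted"


def withdraw_coin(bank: Bank) -> tuple[bytes, int]:
    """Customer side: pick a fresh serial, blind its digest with a random
    factor r, have the bank sign it, then strip r to get a plain signature."""
    serial = secrets.token_bytes(16)
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    blinded = (coin_digest(serial) * pow(r, E, N)) % N
    signed_blinded = bank.sign_blinded(blinded)           # = digest^D * r mod N
    signature = (signed_blinded * pow(r, -1, N)) % N      # = digest^D mod N
    return serial, signature


def run_demo() -> dict:
    """Withdraw one coin, spend it twice, present a tampered copy, and check
    that nothing the bank recorded at withdrawal identifies the coin."""
    bank = Bank()
    serial, sig = withdraw_coin(bank)
    first = bank.deposit(serial, sig)
    second = bank.deposit(serial, sig)              # same coin again
    forged = bank.deposit(serial, (sig + 1) % N)    # tampered signature
    unlinkable = (coin_digest(serial) not in bank.withdrawals
                  and sig not in bank.withdrawals)
    return {"first": first, "second": second,
            "forged": forged, "unlinkable": unlinkable}


if __name__ == "__main__":
    print(run_demo())
```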

4. Liability and other issues relating to Multi-Functional Devices

The use of multi-functional smartcard technology in particular raises liability issues which have yet to receive full legal consideration. Liability for loss, damage, fraudulent usage, etc. of a standard magnetic strip payment card (credit, debit, etc.) is subject to a clear contract between the issuer and the user. However, when a multi-functional smart card is involved, the issues become much more complex. For example, in the case of loss or theft, who bears the responsibility if not the user? Is there a single application which will be responsible for ensuring adequate security for the card’s general functions, for example, prevention of fraudulent use of the card in payment, or of a digital signature encoded into it in order to identify the rightful user? Security, fraud prevention, and so on will also arise as issues of consumer protection provisions. The application of data protection requirements will be of great significance in ensuring adequate consumer protection strategies are in place. This is likely to entail the use of some method of encryption, raising further issues as to availability of decryption information, etc. Another important question is that of ownership. Standard, single use magnetic strip cards are commonly understood to be issued by, for instance, a bank, to be used by the customer but remaining the property of the issuer. Multifunctional cards may have several different applications from several different sources loaded on them – banking details, credit card, health records – so who owns the card? Is there a single card owner, or will each interested party be said to own only their own application stored on the card? A related question asks who is permitted to issue a smart card. Will this be limited to banks? Will such cards be issued instead by governments?
(In countries such as, for instance, Germany or France, where a government-issued ID card is a necessity, could the government in such a state issue its own smart cards for ID purposes which the user would then add other applications such as payment facilities to?) Government owned cards would raise the further issue of citizens’ rights to access government information as relating to themselves. Alternatively, will it be legally (as it is technically) possible for a company simply to produce and sell ‘empty’ smartcards which the user can then add his own details to? Or must the issuer be a licensed person (real or legal)? A further important issue requiring analysis is whether the user of a card will be permitted to add and remove applications from the smartcard at will, or whether it will carry fixed applications as installed by the relevant companies with which the user may not tamper. The contractual issues involved will require consideration. For instance, the contractual relationship between issuer and user will remain substantially similar as for the issue of a standard magnetic strip single use card. However, a multifunctional card raises a number of other relationships such as that between card issuer and application provider, or between one application and another. At present, there would appear to be no clearly defined answer to these questions in European law: it is, however, anticipated that current consumer protections will be expanded to encompass the complex issues raised by multifunctionality as such payment technologies become more common. The following chapters will investigate these issues as they relate to smartcard use in more depth.

5. The Regulatory Framework Applicable to Issuers of Electronic Money

The regulations applicable to electronic money issuers will depend on the type of activities carried out. In most countries institutions carrying out banking activities are subject to various banking specific regulations. In general the central bank of the country will carry out a supervisory function in relation to institutions which accept deposits. The question therefore is whether issuing electronic value will bring the institution within the scope of the banking regulations. In Europe the First and Second Banking Directives[27] provide for a supervisory regime applicable to credit institutions in the Member States. A credit institution is defined as ‘an undertaking whose business is to receive deposits or other repayable funds from the public and to grant credit from its own account’ (Article 1 of the First Banking Directive as amended by the Second Banking Directive). According to the UK Banking Act 1987, if a person or institution accepts deposits in the course of carrying on a deposit-taking business then they will require authorization from the Financial Services Authority. In the UK a deposit is defined as a sum of money which is paid to an institution on the understanding that:

• it will be repaid (with or without interest at an agreed time or on demand), and
• it was not paid in return for the provision of property or services or as security.[28]

A deposit-taking business is one which lends the deposits received to others, or finances other business (wholly or to a large extent) out of the capital or interest received by deposits. It would appear therefore that whether or not an electronic money issuer’s activities fall within the banking regulations depends on how the system actually works. Systems which facilitate the use of credit cards online such as Cybercash[29] provide a service and accept money from their customers as consideration for the service. They are not therefore under any obligation to repay the money unless they fail to provide the service and so are not accepting deposits. Likewise, systems which involve an intermediary holding funds which are to be delivered to the seller on receipt of a notice from the buyer do not amount to deposit taking because they are not repaying the money to the original lodger of the funds. Rather they act as a payment intermediary by issuing the funds to someone else.[30] Furthermore if a system is created without any provision for repayment then this may be an effective way for it to avoid coming within the scope of the banking regulations. It is therefore only likely that a system which requires the users to lodge repayable funds in an account will bring the issuer within the scope of the banking regulations. It is the requirement for customers to set up a repayable account which would constitute deposit taking activity. Accepting deposits is not by itself sufficient to bring the activities of an institution within the scope of banking regulations; there must exist a deposit taking business. Under UK law if businesses lend the funds received or finance any activity out of the capital or interest on the deposit, for example by using the interest earned from placing the deposit in a bank or building society account, then this would fall within the scope of the definition.
If issuers of electronic value fall under the deposit taking rules they will require authorization under banking legislation.[31] The main purpose of requiring banking supervision is to ensure that the institution maintains adequate capital to support its business activities. This supervisory role of the central bank ensures the banks’ obligation to maintain solvency and liquidity and to possess adequate funds to cover normal banking risks and liabilities.[32] Adequate levels of security will be demanded by the bank to prevent the circulation of forged coins or cards which would pose a risk to the liquidity of a bank. It is clear that many electronic payment systems will not fall within the scope of the banking regulations. Does this have a great impact on the user? If an issuer encounters financial difficulties then more remedies may be available from bank issuers of digital money than from non-bank issuers. In the case of the institution becoming insolvent, deposit protection schemes[33] protect funds deposited with authorised institutions. Banks contribute to the scheme which pays out a percentage of the deposit, up to a fixed amount, if the bank becomes insolvent. The question therefore is whether digital money would constitute a deposit and so be covered by the insurance. The UK Banking Code, a voluntary code produced by the British Bankers’ Association, The Building Societies Association and the Association for Payment Clearing Services, followed by banks and building societies in the UK in relation to their dealings with personal customers, states that an electronic purse should be treated in the same way as cash in a wallet. Therefore if it is lost or stolen the value would be lost just as the cash in a wallet would be forfeited. If however a scheme did involve depositing money in an account to be withdrawn when needed, the value in the account may constitute a deposit and therefore be covered by the scheme.


However, money in an e-purse or wallet would not be covered, at least at the present time. It is clear from the UK perspective that only systems which involve ‘accepting deposits as part of a deposit taking business’ would be subject to the banking regulations and therefore other systems which did not require the depositing of repayable funds would not be governed by the supervisory regime applicable to credit institutions. Five other Member States also follow this approach.[34] In some of the Member States however (Denmark, Spain, France,[35] Germany, Italy, Portugal, Netherlands and Austria) the issuer of electronic money on a multi-purpose smartcard must be a credit institution, and in the following countries (Austria, Denmark, France, Italy and the Netherlands) the issuance of software-based electronic money products is also confined to credit institutions. Denmark has special provisions in relation to multipurpose smartcards allowing non-banks to issue them so long as they adhere to certain requirements. Although most of the currently available systems issue digital money through banks, digital money could be issued by other commercial organisations in some of the Member States if the system used did not involve accepting deposits. If consumers are dealing with very small amounts then they may be quite happy to obtain their digital money from a commercial organisation other than a bank. Owing to the lack of a clear regulatory framework for issuers of electronic money in Europe various reports[36] have been produced reviewing the position and calling for the establishment of a supervisory regime.

6. Directives on Electronic Money

In response to concerns that commercial bodies issuing electronic money may not be regulated by current regulations the European Commission drafted proposals for two directives on the issuing of electronic money: the Council Common Position on a European Parliament and Council Directive on the taking up, the pursuit and the prudential supervision of the business of electronic money institutions, and the Council Common Position on a European Parliament and Council Directive amending Directive 77/780/EEC on the co-ordination of laws, regulations and administrative provisions relating to the taking up and pursuit of the business of credit institutions. In late 1999 the Proposals were amended and the Council reached a Common Position. The Directives were adopted by the Council on 16 June 2000.[37] Their final form was adopted by the Parliament on 18 September 2000.[38] The Directives seek to establish a level playing field for electronic money issuers and credit institutions by imposing a supervisory regime on all electronic money issuers. This supervisory regime, although similar in framework to that applicable to credit institutions (through the creation of a prudential regime ensuring the stability and soundness of electronic money institutions), takes into account the differing natures of such institutions by stipulating different requirements for certain features of the regime such as capital requirements and restrictions on investments. The Directives also aim to improve the single market in financial services by introducing the concept of mutual recognition of home supervision (i.e. a single passport) to electronic money institutions within a framework of harmonized prudential rules.

The first of the Directives[39] brings electronic money institutions within the scope of the First and Second Banking Directives by including them in the definition of credit institutions. The second Directive[40] introduces the term ‘electronic money institution’ to apply to all establishments issuing electronic money. These institutions are subject to various provisions which include prior authorization, minimum capital requirement, fit and proper management, sound and prudent operation, and initial and on-going owner control. The Directive defines ‘electronic money’ as monetary value which is:

• ‘stored electronically on an electronic device;
• issued on receipt of funds of an amount not less in value than the monetary value issued;
• accepted as a means of payment by undertakings other than the issuer.’

This definition was amended from the original proposal, which came under some criticism[41] for focusing too much on the technical features of electronic money. A previous reference to ‘…limited value payments’ in the definition has also been omitted, presumably as this may have implied that large value payments were not covered by the Directive. The Directive restricts the business activities of electronic money institutions other than the issuing of electronic money to:

• ‘the provision of closely related financial and non-financial services….’ and
• ‘the storage of data on the electronic device on behalf of other undertakings.’

The Directive also makes it clear that the funds received in exchange for electronic money shall not be considered to be a deposit if the funds received are immediately exchanged for electronic money and are not advanced with a view to receiving electronic money at a later stage. This clarifies the position in relation to the applicable regulatory framework and therefore prevents Member States from applying banking regulations to such issuers rather than the provisions in the Directives.
The Directive provides that electronic money shall be redeemable. This is also an amendment from the earlier proposal and is perhaps in response to concerns that without redeemability, differences might emerge in the value of electronic money issued by different issuers. The European Central Bank stated that ‘from the monetary policy point of view, the redeemability requirement is necessary in order to preserve the unit-of-account function of money, to maintain price stability by avoiding the unconstrained issuance of electronic money, and to safeguard both the controllability of liquidity conditions and the short-term interest rates’.42 They also state that redemption should be allowed until a certain date after the expiry date of such electronic money and that disposable and reloadable cards should be treated equally in respect of this redeemability requirement. A further reason for requiring redeemability is consumer acceptance. At least in the near future consumers may be unwilling to use electronic money which is not redeemable because most electronic money products are accepted only by a small number of retailers. If a consumer was unable to spend all of the electronic money purchased, perhaps because he/she could not find all of the desired goods or services from the specific retailers who accept it, and was unable to redeem it with the issuer, it would become worthless.

The Directive lays down clear capital and on-going funds requirements. These require an electronic money institution to have both an initial capital of 1 million euros and own funds of at least 2% of the current amount, or of the average of the six preceding months’ total amount, of their financial liabilities. The purpose of such an ‘own-funds’ requirement is to ensure that the issuer maintains a certain proportion of the amount invested. This ensures that if the money invested makes a loss, there will be sufficient funds from the issuer to act as a cushion so that retailers who have accepted electronic money can redeem the value.

There are also requirements to ensure the liquidity of the issuer by placing limitations on the types of investments in which money can be placed. As with bank deposits, the issuers of electronic money invest the value received. However, if the investment policy pursued by the issuer is not adequately sound the value may decrease. Furthermore, if an issuer has invested all of the money in long term investments and the electronic money is being spent within the space of a few weeks, the issuer will have difficulty in making the requisite payments to the retailers and, in an attempt to do so, may liquidate assets quickly, resulting in heavy losses. The Directive therefore requires the issuer to maintain a certain proportion of its assets in easily accessible, liquid form. The issuer must place an amount at least equal to its financial liabilities in one or both of the following:

• assets which attract a zero credit risk and which are sufficiently liquid according to Article 6(1)(a)(1), (2), (3) and (4) and Article 7(1) of Directive 89/647/EEC;
• sight deposits held with Zone A credit institutions and debt instruments which are sufficiently liquid. These must not exceed 20 times the own funds of the issuer.
Although the purpose of such restrictions is to ensure stability and soundness by imposing a relatively low-risk investment policy, unfortunately assets kept in such easily accessible form are likely to yield a low rate of return. This requirement is particularly restrictive to the profit making capacity of the issuer and has been heavily criticized. Although the capital adequacy requirements are lower than for banks (one million euros as opposed to five million euros) and there are lower on-going funds requirements, these do not seem to adequately balance the strict limitations on investments. The Directive also requires competent authorities to verify periodically compliance with the capital and investment requirements. The issuer should have sound and prudent management, sound administrative and accounting procedures and adequate internal control mechanisms which should respond to the financial and non-financial risks to which the institution is exposed, including technical risks. There is also provision for the waiver of certain regulations for small issuers. This applies to issuers whose unredeemed electronic money does not exceed 6 million euro, which issue electronic money with a maximum storage capacity of 150 euro, and which operate only within a defined group or area. These issuers will not however benefit from the single passport provisions. This has been criticized by the ECB, which has suggested that there should be a minimum level of regulation for all issuers irrespective of their size.

In August 1998 the ECB issued a report on the issuance of electronic money43 which outlined some of the requirements it thought necessary to maintain stability in the financial markets, to maintain effective monetary policy and to avoid systemic risk. Two objectives which it deemed desirable to pursue were:

• ‘the interoperability of electronic money schemes; and
• the adoption of adequate guarantee, insurance or loss sharing schemes aimed at protecting customers against losses and at preserving confidence in electronic money.’

Neither of these objectives has been included in the Directive. Considering the barriers to payment systems which the lack of interoperability has posed, this first omission may prove short-sighted. In addition to allowing smaller systems to develop and compete, and decreasing costs for retailers as they would not have to install the hardware or software for a vast array of systems, it would help to create universally accepted payments. The second would help to enhance harmonized protection for the consumer using electronic money which is issued by electronic money issuers and banks. It would be fair to argue that some customers will not be aware of the differences in levels of protection afforded by banks issuing electronic money and commercial electronic money issuers. In a few countries44 some of the electronic money schemes would be covered by the national deposit-guarantee or insurance schemes, whereas in other countries the funds are not covered unless they are deemed to be deposits taken by a bank. Even then it is only the money which is held in the account which is covered by the scheme, and not the value held on the smartcard or software. However in Belgium, an agreement with the Finance Ministry has extended the protection to the value stored on the chip of a smart card. Surprisingly such protection has not also been extended to the money stored on the merchant card reader before it is transferred through the network.
In the UK it is made clear in section 14.9[45] of the current Banking Code that any money left in an electronic purse when lost or stolen will be lost in the same way as real cash in a wallet: “If you lose your electronic purse or it is stolen, you will lose any money in it, in just the same way as if you lost your wallet.”

By s. 14.10, liability for unauthorized withdrawals from one’s account into a lost electronic purse, prior to notification, will normally be limited to £50: “If your electronic purse is credited by unauthorized withdrawals from your account before you tell us it has been lost, stolen or misused, the most you will lose is £50.”

This parallels the law on misuse of credit cards (Consumer Credit Act 1974). Directive 2000/46/EC allows an electronic money instrument to be used for storing electronic data: “5. The business activities of electronic money institutions other than the issuing of electronic money shall be restricted to: (a) the provision of closely related financial and non-financial services such as the administering of electronic money by the performance of operational and other ancillary functions related to its issuance, and the issuing and administering of other means of payment but excluding the granting of any form of credit; and (b) the storing of data on the electronic device on behalf of other undertakings or public institutions. Electronic money institutions shall not have any holdings in other undertakings except where these undertakings perform operational or other ancillary functions related to electronic money issued or distributed by the institution concerned.”

Creating financial stability and ensuring that the failure of one issuer does not have a knock-on effect on the others will be beneficial to all parties, as it helps to avoid systemic risk and to ensure the stability of the financial markets. However, although intended to maintain financial stability and consumer confidence and to provide a clear regulatory framework, the measures may in fact adversely affect competition and innovation in a field which is still in the early stages of development. Although a low initial capital requirement and a lower own funds requirement have been introduced for electronic money issuers in order not to discourage new entrants and to enhance profitability, the very tight restrictions on investments may stunt the development of such systems in Europe by making them less likely to be profitable. As other countries outwith Europe do not as yet seem to be taking a regulatory approach to issuers at this early stage, European consumers may find that there are greater payment options available outside of Europe which, although less financially stable, may provide more immediate benefits in terms of cost and universal acceptance.

The differences between banking activities and issuing electronic money should not be ignored. Deposit-taking activity is regulated because it involves customers being exposed to the credit risks of the bank. If the bank collapses then the deposits may not be repaid, and therefore the regulations seek to limit the risks to which customers are exposed. However the issuers of electronic money are not in the same position as banks, as they provide a different service. Banks accept customer deposits of unlimited value and retain these until the customer wishes to withdraw the money, whereas electronic money issuers provide electronic value of a limited value to customers to spend in the near future. The risk to the customer is far lower with electronic money as there is generally only a very small amount at stake and only for a short period of time. The risk which the customer takes with electronic money is a short term, low value risk, whereas for bank customers the risk is often for a higher value over a longer period of time. It would not be beneficial for the ordinary consumer to maintain large sums of money in electronic money as this would prevent him or her obtaining interest on the money as he/she could in a bank.

Dr Simon Newman and Gavin Sutter, Centre for Commercial Law Studies, Queen Mary College, University of London.

FOOTNOTES
13 Article 25 (4).
14 Article 25 (2).
15 Halsbury’s Statutes 1998 Ch 29.
16 97/489/EC OJ No. L 208, 02/08/1997 P. 0052–0058.
17 Article 1 (3) (a).
18 Article 2 (c).
19 Paragraph (3).
20 See Article 1 (2).
21 97/7/EC.
22 Article 4.
23 Article 5.
24 Article 6.
25 See further Schoenmakers B ‘Basic Security of the eCash Payment System’, available at: .
26 (98/C 317/06) COM (1998) 461 final – 98/0252 (COD).
27 First Banking Directive (77/780/EEC) L322/30 17/12/77 and Second Banking Directive (89/646/EEC) 1989 OJ L 386/1.
28 Section 5(1).
29 .
30 See Nicholson Graham & Jones Report to the European Commission (DG XV) on the Legal and Regulatory Aspects of the Issue and Use of Pre-Paid Cards.
31 Second Banking Directive 89/646/EEC, 1989 OJ L 386/1.
32 This is covered by various directives including the Own Funds Directive 89/299/EEC, 1989 OJ L124/16, Solvency Ratio Directive 89/647/EEC, OJ L386/14 and the Council Directive on the supervision of credit institutions on a consolidated basis OJ L110/53 28/4/92. It is also covered by the Bank of England Act 1998. For further information see ‘Legal Regulation of Internet Banking – A European Perspective’ 1996 Chris Reed, QM, University of London.
33 .
34 Belgium, Ireland, Finland, Luxembourg and Sweden, though in Belgium the issuance of electronic money is de facto restricted to credit institutions.
35 In France there is an exception for single purpose cards.
36 For example the Report by the European Central Bank, August 1998 at .
37 The Council’s Common Position to the two Proposals was published in OJ C026 of 28 January 2000, pp. 1–14.
38 Directive 2000/46/EC of the European Parliament and of the Council of 18 September 2000 on the taking up, pursuit of and prudential supervision of the business of electronic money institutions. Directive 2000/28/EC of the European Parliament and of the Council of 18 September 2000 amending Directive 2000/12/EC relating to the taking up and pursuit of the business of credit institutions. For text see: .
39 Council Common Position on a European Parliament and Council Directive amending Directive 77/780/EEC on the co-ordination of laws, regulations and administrative provisions relating to the taking up and pursuit of the business of credit institutions.
40 Council Common Position on a European Parliament and Council Directive on the taking up, the pursuit and the prudential supervision of the business of electronic money institutions.
41 Opinion of the European Central Bank of 18/1/99 at .
42 .
43 Report by the European Central Bank, August 1998 at .
44 Austria, Denmark, Spain, France, Italy and Sweden.
45 The Banking Code, January 2001.