We explore seven payments areas where we will see regulatory change, or renewed focus on enforcement, from global regulators over the next 12 months.
International efforts to address challenges and frictions in cross-border payments are ongoing. In February 2023, the Financial Stability Board (FSB) published a report detailing actions to be taken on payment system interoperability, legal, regulatory and supervisory frameworks and cross-border data exchange for the next phase of work under the G20 Roadmap for Enhancing Cross-Border Payments. The FSB makes clear that much remains to be done to enhance the cost, speed, access and transparency of cross-border payments ahead of the G20 Roadmap's 2027 target date.
We will see regulators forcing change, for example around instant euro payments in the EU. Given the slow uptake in the market of technology to process euro payments instantly, the Commission is proposing to introduce the so-called Instant Payments Regulation. This would require payment service providers that provide credit transfers in euro to offer instant payments in euro, with an equivalent, or a lower, charge than that applicable to non-instant euro credit transfers.
Global regulators and market players will work to drive payment system interoperability in line with the G20 Roadmap's priorities, including interlinking arrangements for payment systems that reduce reliance on intermediaries by allowing banks and other payment service providers to transact directly.
Currently, more than 114 countries, representing over 95 percent of global GDP, are exploring the opportunities that central bank digital currencies (CBDCs) – a digital representation of fiat money issued by a central bank – might bring. A few countries, including the Bahamas and Jamaica, have already launched CBDCs, while the majority are still in pilot or research stages. While some CBDCs are based on blockchain or distributed ledger technology (DLT), many jurisdictions are exploring multiple technology possibilities.
Many CBDC projects have a domestic, retail focus. However, international standardsetting bodies such as the Bank for International Settlements (BIS) are pushing for the use of CBDCs to facilitate cross-border payments. Solving the issue of interoperability between initiatives is key.
We will see the next big updates coming from key jurisdictions. China's pilot is set to expand in 2023, while the ECB is over halfway through its two-year investigation into a digital euro, with a decision expected later this year. In the UK, a Bank of England consultation on the possible introduction of a digital pound is open until 7 June 2023, following which the Bank and Government will make a decision whether to proceed.
Other jurisdictions will take a more cautious approach. The US remains nominally supportive of a US digital dollar, but two significant hurdles remain: the US Congress has yet to act on authorising legislation for a US CBDC; and there remains widespread scepticism among policymakers as to whether a US CBDC is necessary, with concern around purported risks (for example, drain on commercial bank liquidity during stress, privacy concerns), and a view that improvements to existing payment systems will deliver similar benefits.
In contrast to publicly issued CBDCs, stablecoins are a privately issued type of cryptoasset based on DLT which include a mechanism to minimise price fluctuations and 'stabilise' their value. Their aim is to provide an alternative form of low-risk digital unit which could be used directly by businesses and consumers. The most common potential stabilisation option is the collateralised stablecoin model, where stability is achieved by linking the currency to a reserve of stable real assets such as fiat currencies or commodities.
Alternatives include crypto-collateralised stablecoins (where a reserve is made of other cryptocurrencies) or uncollateralised stablecoins (which do not have any reserve but instead use central bank-like monetary policy to maintain a fixed price by controlling supply with algorithms which respond to market conditions).
Global regulators have been closely watching stablecoin market developments since the failed Libra/Diem coin, and last year's collapse of USD Terra raised further concerns. This has led several jurisdictions, including the UK, in its draft Financial Services and Markets Bill, to prioritise crafting a regulatory framework for stablecoins ahead of other cryptoassets. Japan is currently in the process of introducing regulatory framework for issuing and distributing stablecoins in addition to the regulatory framework for cryptoassets and security tokens implemented in 2020.
In contrast, the EU's new Markets in Crypto-Assets Regulation (MiCA) will introduce a comprehensive new regulatory framework for issuing and offering all cryptoassets, while layering on significant additional requirements for the offering of stablecoins.
In the US, several bills have been proposed to regulate stablecoin issuers, each imposing variations of bank-like requirements (such as FDIC insurance, chartering framework, liquidity requirements), though none have made it to a vote on the floor of the US Congress.
"Stablecoins form the backbone of the crypto economy, particularly in DeFi. And there's a concern that if you see a large failure with a stablecoin issuer similar to what we saw with the collapse of last year's Terra USD it could be devastating to the crypto economy as a whole."
Growing digitisation of customer experiences, greater automation of internal processes and increased use of third-party providers all make firms increasingly susceptible to technology disruption events. The financial, reputational and societal impact of high-profile IT failures means that operational resilience (or ensuring the continuity of key business services) remains a high priority for boards, regulators and consumers alike.
In October 2022, following a G20 request, the FSB published a consultation on Achieving Greater Convergence in Cyber Incident Reporting. The FSB proposals include recommendations to address the challenges to achieving greater international convergence in cyber incident reporting, work on establishing common terminologies related to cyber incidents and a proposal to develop a common format for incident reporting exchange.
The EU's new Digital Operational Resilience Act (DORA) is intended to establish uniform requirements for the security of network and information systems of companies operating in the financial sector, including cryptoasset service providers, as well as any critical third parties which provide information communication technologies services to them.
Following its departure from the EU, the UK has introduced a Financial Services and Markets Bill which includes proposals to regulate cloud service providers and other critical third parties supplying services to UK regulated firms and financial market infrastructures. Under the Bill, HM Treasury would have powers to designate service suppliers as 'critical' and the UK regulators would have new powers to oversee designated suppliers directly, which would be subject to new minimum resilience standards. Absent an intervening general election, the Bill should be passed and become law by the end of the current Parliamentary session (expected to be in May 2023). While the UK proposals have the same ambitions as the requirements under DORA, there are a number of differences between them including in relation to the 'critical' designation criteria and the enforcement regime.
Various jurisdictions have introduced open banking regimes, allowing third-party payment service providers (TPPs) to initiate payments or access account information on behalf of customers. Regulators expect that firms will meet their regulatory responsibilities while competing on quality and value.
Some jurisdictions have taken this further, applying the same approach to other types of accounts and financial products under a broader "open finance" initiative.
Developing comprehensive legislative frameworks for such initiatives takes time but is critical to ensure that TPPs are regulated to provide clarity around i security, consent, data use, privacy and ethics and to build customer trust. In the EU, the rules on TPP access, strong customer authentication and secure communication standards under the recast EU Payment Services Directive address some of these concerns in the context of Open Banking and may provide a blueprint for expansion.
In the US, the Consumer Financial Protection Bureau (CFPB) is in the process of developing an Open Banking rule proposal, which would give consumers more control over their financial data by allowing them to access and share it with other providers. The rule is designed to encourage competition by making it easier for consumers to "walk away" from existing providers and port their financial data to other providers via application programming interfaces (APIs).
Embedded finance allows retailers and other (traditionally) non-financial companies to improve the customer experience by incorporating payments and financing options into their products and services. This is typically achieved by using technology solutions such as banking as a service (BaaS) and API-driven platforms.
Embedded lending, including the "buy now, pay later" (BNPL) model popularised by firms such as Klarna, has seen significant growth. With regulators concerned by the possible impact on consumer finances, scrutiny is growing.
What's next?
We will begin to see BNPL specifically brought into regulatory frameworks. In the UK, in February 2023 HM Treasury published a consultation on draft legislation to bring BNPL products within the scope of the UK regulatory regime. And in the EU, a revised version of the consumer credit directive that would bring BNPL within its scope is going through the final stages of the legislative process.
Data flows related to the provision of embedded financial services will be impacted by the evolving legal landscape for cross-border data transfer. New privacy laws and changes to data governance regimes are on the horizon in 2023 – including in the USA, the UK, the EU, India and Saudi Arabia. The year ahead will also see international cooperation efforts, such as the EU-US Data Privacy Framework, seeking to ease some of the current challenges in international data transfer.
Clifford Chance’s Marian Scheele and Wouter van den Bosch are joined by Constant van der Merwe, Senior Counsel at Tencent to explore the payments market.
In 2022, antitrust authorities around the world closely scrutinised payments firms, looking at both "Big Tech" entrants and more traditional forms of payment. In the EU, the European Commission issued Apple with a Statement of Objections regarding Apple Pay, in particular looking at Apple limiting access for third-party developers to technology used for contactless payments.
As cash usage has declined, competition authorities have assessed mergers, co-operation agreements and fee arrangements relating to cash and ATMs in the Netherlands, Spain, Italy, Australia and other jurisdictions.
What's next?
In 2023, we will see the impact on the payments sector of new antitrust legislation in several jurisdictions. The EU's Digital Markets Act came into force towards the end of 2022, including rules on in-app payment mechanisms and access to near-field communication technology used for payments. In the UK, new legislation is expected to be passed and in force by the end of 2023, giving new powers to the Competition and Markets Authority's Digital Markets Unit. In the US, new antitrust legislation has also been proposed, but the future of this is less certain.
Fintech mergers and acquisitions will continue to be closely scrutinised by competition authorities. This follows high-profile deals being abandoned due to concerns raised by competition authorities, such as Visa's acquisition of Plaid and the proposed merger of Crowdcube and Seedrs.
"For 2023 when we talk about tech and antitrust, we will see even more regulation across the globe. This regulation will need to be interpreted and implemented."
Clifford Chance
