Bulgarian National Bank : Publication of Ms. Nina Stoyanova, BNB Deputy Governor, Banking Department, in the Quarterly Bulletin of the Association of Banks in Bulgaria, issue 65, January 2021

Publication of Ms. Nina Stoyanova, BNB Deputy Governor, Banking Department, in the Quarterly Bulletin of the Association of Banks in Bulgaria, issue 65, January 2021

FORTHCOMING NEW DEVELOPMENTS IN THE
AREA OF PAYMENT SERVICES AND DIGITALISATION

Digital technologies have changed the financial services provision business, and the payment sector is the leader in this trend. The speed of development of innovations and the scale of technological changes in it require concrete and targeted effort. The pending strategic projects and directions of development of the European payment infrastructure in the short term, as presented in the digital finance package of the European Commission of November 2020¹, are related to the development of instant payments, digitalisation of financial services and support of secure, profitable and interoperable payment solutions within the single market.

1. Forthcoming review of the Second Payment Services Directive

In 2021, there will be a review of the Second Payment Services Directive² (PSD2) adopted in 2015 and transposed in the national legislation at the beginning of 2018 with the new Law on Payment Services and Payment Systems. An analysis of the results of the directive's implementation is expected to cover the following areas:

- Updating the requirements to technical solutions used by payment services providers for strong customer authentication, which are to ensure high level of security to customers, while being convenient and user-friendly. Emphasis will be placed on the so-called 'non-transmittable' elements, such as biometrics. This presupposes gradual decrease in the use of elements with lower degree of security, such as static passwords, and limiting the use of older technologies and communication channels that are prone to attacks (such as SMS text messages);

- Prevention of new types of fraud, particularly in the context of instant payments, as well as strengthening payer's protection and regulating a chargeback procedure in specific cases (e.g. an error), which would make instant payments come close to card transactions;

- Review of the possible exceptions from applying strong customer authentication, such as contactless card payments, also exploring the possibilities for introduction of an individual limit set by the customer, for which no PIN entry is required;

- Potential measures to reduce the risk of fraud due to 'social engineering' or 'targeted phishing', with a possible requirement for a match between the names of the payee to the payment transaction and the account holder, and the implementation of technological solutions for validation of the e-mail correspondence sender;

- Possibility for additional standardisation in terms of the information provided to users in their account statements, particularly for card payments. The sophisticated business models using multiple intermediaries result in users' confusion, e.g. where the name of a merchant from the account statement does not coincide with the merchant's trademark and thus hinders the identification of unauthorised payment transactions;

- Unifying the regulatory regime applicable to electronic money institutions and payment institutions, by repealing the Electronic Money Directive³, and including issuance of electronic money as a new type of a payment service;

- Standardisation of the application programming interfaces (APIs) used by the industry. Regulation of the concept of the so-called 'open finances'- access to financial and non-financial institutions to a broad range of financial information regarding the customers with the latter's consent with a view the provision of innovative services is expected to be proposed by mid-2022 building on the experience gained in the implementation of 'open banking';

- Review of the services falling within the remit of the Directive. Presently, PSD2 does not cover services provided by 'technical services providers', who support the provision of payment services without coming into possession of the funds. Due to the growing dependence of the provision of payment services on the provision of outsourced ancillary services by subcontractors that are currently non-regulated entities, some of these services and their providers may possibly be included in the scope of the Directive and become subject of supervision;

- In addition to the review of PSD2, a review will also be carried out of the Settlement Finality Directive⁴, and assessment will be made if payment institutions and electronic money institutions should be eligible for direct participation in designated payments systems, subject to certain conditions and risk mitigating measures.

2. General trends in payment digitalisation

Amendments to the legislation are an important prerequisite for the quick take-up of innovations in the market, but no less contribution to it have the standardisation activities pursued by the industry itself. Main developments, trends and technologies in the payment area, as well as the required regulatory activities, will cover:

- Standardisation and achievement of interoperability between end-user applications used for payment transactions, including standardisation of the QR codes used in Europe;

- Expanding the access to the necessary technical infrastructure for payment execution - e.g. to NFC chips in mobile phones and to the kernels for contactless payments in POS terminals, thus facilitating contactless payments with cards issued within national card schemes in the EU Member States;

- Encouraging the use of electronic identity and solutions based on trust services, improvement of electronic identification and trust services with a view to meeting the requirements for strong customer authentication and other regulatory requirements;

- Improved acceptance of digital payments by both the public and private sector, including by legislative amendments in 2022, if needed;

- Standardisation of additional functionalities by establishing special SEPA schemes aimed at greater convenience in initiating instant payments, such as the services 'request-to-pay', payment by mobile phone number (proxy look-up), electronic invoice and electronic receipt, etc.;

- Ensuringthe full potential of the SEPA project and the strict application of the requirements of Regulation (EU) 260/2012⁵, including the requirements against IBAN discrimination (inability to initiate international payment transactions) in the execution of direct debits;

- Assessing the possibility for Western Balkan countries to join SEPA, thus deepening their convergencewith the EU;

- More comprehensive implementation of global international standards, such as ISO 20022, which facilitate the inclusion of richer data in the payment messages by the end of 2022 at the latest.

3. Forthcoming developments in the field of immediate payments

Instant credit transfers are the basis on which pan-European payment solutions are expected to be built. Combined with the development of mobile technologies, instant payments have the potential to create affordable, convenient and secure payment solutions in both physical stores and the Internet, with funds being available to the recipient within seconds. The ambition is to complete the full introduction of instant payments in the European Union by the end of 2021. The following steps are needed to achieve this goal:

- Assess the need for mandatory adherence to theSEPA Instant Credit Transfer scheme in euro (SCT Inst.) by theend of 2021 and determining thecriteria according to which payment service providers will be subject by this obligation;

- Assess whetherto adopt a legislative prohibition on charging instant payments higher than standard credit transfers;

- Ensuring cross-border connectivity and interoperability of payment systems for instant payments in euro through the TIPS service of the ECB-operated TARGET 2 payment system. All payment service providers that have joined the SEPA Instant Credit Transfer scheme (SCT Inst.) and are reachable in TARGET 2, should be reachableeither as a participant or as an reachable party (i.e., through another payment service provider that is a participant) and in the TARGET 2 instant payment service TIPS by the end of 2021;

- Developing cross-currency instant payments in the European Union, which will be ensured by the inclusion of currencies other than the euro in the TARGET 2 service for instant payments - TIPS, as was the case with the Swedish krona in 2020;

- Encouraging the establishment of links between payment systems processing instantpayments in the European Union and those of third countries offering the same service, provided that the standards for fraud prevention, money laundering, etc. are met.

4. Further steps to digitise financial services in the EU

The further development of digitisation will continue to be among the main priorities, and the following measuresare expected to be taken in order to accelerate these processes and reach their full potential at European level:

4.1. Eliminatethe fragmentation of the digital single market by:

- Legislative changes aimed at creating opportunities for interoperable use of digital identity throughout the European Union. This will allow easy 'onboarding' of new customers entirely online, in fullcompliance with the requirements for combatting money laundering and terrorist financing;

- Facilitating cross-border provision of financial services, including by introduction of a harmonised regime for new activities such as crowdfunding, credit intermediation, and cryptocurrency services;

4.2. Adaptation of EU legislation to facilitate digital innovation:

- Regulation of activities with cryptocurrencies and financial instruments based on tokens by introducing a comprehensive regulatory framework by 2024, allowing the implementation in the financial service sector of distributed ledger technology (DLT) and cryptocurrencies, taking into account the related risks;

- Promoting cooperation and use of cloud computing infrastructure, including through the development of a legislative framework for the supervision of information and communication technology (ICT) providers for the financial sector;

- Promoting the use of artificial intelligence tools in the financial services sector;

- Adherence to the principle of technology neutrality of legislation, combined with the issuance of interpretative guidelines on how existing legislation on financial services should be applied to new technologies in order to reduce legal uncertainty.

4.3.Promoting innovation based on financial data by creating a common space for financial data

- Facilitating digital access to legally required financial information disclosed by financial institutionsthrough standardised and machine-readable formats;

- Promoting innovativecomputer technologies to facilitate reporting and supervision (so-called reg-tech and sup-tech);

- Encourage data sharing between companiesin the financial services sector inside and outside the EU ('open finance').

4.4. Meeting the challenges and risks related to the implementation of digital technologies:

- Keeping financial stability, protecting investors and consumers on the principle of 'same business, same risks, same rules', regulating the business of the big tech corporations involved in provision of financial services;

- Protecting consumers and the public interest - adapting the rules of consumer protection and personal data protection to digital financial services, ensuring the effectiveness of and making the legislation on money laundering, financing of terrorism, and tax avoidance fit for the digital age;

- Enhancing the digital operational resilience.

5. Legislativeproposals

As part of the Digital finance package, the European Commission published proposals for the development of three regulations:

5.1. Proposal for a Regulationon digital operational resilience for the financial sector⁶

The Regulation contains the following basic concepts:

- introducing requirements for the management by financial entities of the ICT-related risks and for the reporting to the competent authorities of major ICT-related incidents and digital operational resilience testing;

- sharing information on cyber threats and vulnerabilities;

- prescribing measures for the sound management by financial entities of the risk related to ICT third-party service providers;

- introducing requirements for the contractual arrangements between ICT third-party service providers and financial entities;

- establishing an oversight framework for critical ICT third-party providers when providing services to financial entities.

5.2.Proposal for a Regulation on Markets in Crypto-assets⁷

The Regulation defines the notion 'crypto-asset'⁸ and lists the main types of crypto-assets, distinguishing between three sub-categories of crypto-assets:

- Asset-referenced tokens⁹. Such tokens may be offered to the public only by credit institutions authorised to operate in the EU or by entities which hold the authorisation referred to in the Regulation. However, issuers should always draw up and publish a crypto-asset white paper - a special information document which must comply with mandatory content and form requirements. This Regulation imposes an obligation on issuers of asset-referenced tokens to constitute and maintain a reserve of assets backing those tokens at all times, including rules for the composition of the reserve assets, the management and allocation and investment of assets,

- E-money tokens¹⁰. They may be issued only by authorised credit institutions or electronic money institutions, again after publishing a 'white paper' and in keeping with some business-specific requirements.

- 'standard tokens' do not fall under any of the above categories. The only requirement for these to be offered to the public is that the issuer must be established as a legal entity in the European Union and must have published a crypto-asset white paper.

This Regulation defines a new group of financial institutions, different from issuers of tokens, which are called 'crypto-asset service providers'. This new group of financial entities will be subject to authorisation, and, depending on the scope of their authorisation, these providers will be able to provide the following ancillary services:

- the custody and administration of crypto-assets on behalf of third parties;

- the operation of a trading platform for crypto-assets;

- the exchange of crypto-assets for fiat currency that is legal tender;

- the exchange of crypto-assets for other crypto-assets;

- the execution of orders for crypto-assets on behalf of third parties and placing of crypto-assets;

- the reception and transmission of orders for crypto-assets on behalf of third parties;

- providing advice on crypto-assets.

If a crypto-asset service provider needs the execution of payment transactions, that crypto-asset service provider itself must have authorisation to provide payment services or it must use a third party authorised to provide payment services.

The Regulation introduces stricter supervisory requirements, including direct supervision by the European Banking Authority, for the issuers of so-called 'significant tokens' - tokens the total value of which exceeds a certain threshold.

The Regulation puts in place rules and requirements to prevent market abuse involving crypto-assets, such as the obligation for disclosing inside information and conditions for delaying disclosure of inside information; prohibitions on insider dealing, on unlawful disclosure of inside information and on market manipulation.

5.3. Proposal for a Regulation on a pilot regime for market infrastructures based on distributed ledger technology (DLT)¹¹.

This Regulation puts in place requirements for multilateral trading facilities and securities settlement systems which use the distributed ledger technology (DLT) ('market infrastructures based on DLT') and have received specific permissions granting one or several exemptions from certain provisions of Directive 2014/65/EU¹² and Regulation (EU) No 909/2014¹³. Only an entity authorised under Directive 2014/65/EU or an entity authorised under Regulation (EU) No 909/2014 as a central securities depository may apply for permission to establish a DLT market infrastructure.

The Regulation provides that the new regime may only be applied to shares, the issuer of which has a market capitalisation or a tentative market capitalisation of less than EUR 200 million; or convertible bonds, covered bonds, corporate bonds, other public bonds and other bonds, with an issuance size of less than EUR 500 million. Sovereign bonds are explicitly excluded from the scope of this Regulation.

____________

¹https://ec.europa.eu/info/publications/200924-digital-finance-proposals_en

² Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC

³ Directive 2009/110/ЕC of the European Parliament and of the Council of 16 September 2009 on the taking up, pursuit and prudential supervision of the business of electronic money institutions amending Directives 2005/60/EC and 2006/48/EC and repealing Directive 2000/46/EC

⁴ Directive 98/26/ЕC of the European Parliament and of the Council of 19 May 1998 on settlement finality in payment and securities settlement systems

⁵ Regulation (EU) No 260/2012 of the European Parliament and of the Council of 14 March 2012 laying down technical and business requirements for credit transfers and direct debits in euro and amending Regulation (EC) No 924/2009

⁶https://eur-lex.europa.eu/legal-content/BG/TXT/HTML/?uri=CELEX:52020PC0595

⁷https://eur-lex.europa.eu/legal-content/BG/TXT/HTML/?uri=CELEX:52020PC0593

⁸ 'Crypto-asset' means a digital representation of value or rights which may be transferred and stored electronically, using distributed ledger technology or similar technology;

⁹ 'Asset-referenced token' means a type of crypto-asset that purports to maintain a stable value by referring to the value of several fiat currencies that are legal tender, one or several commodities or one or several crypto-assets, or a combination of such assets. 'Commodity' means any goods of a fungible nature that are capable of being delivered, including metals and their ores and alloys, agricultural products, and energy such as electricity;

¹⁰ 'Electronic money token' or 'e-money token' means a type of crypto-asset the main purpose of which is to be used as a means of exchange and that purports to maintain a stable value by referring to the value of a fiat currency that is legal tender;

¹¹https://eur-lex.europa.eu/legal-content/BG/TXT/HTML/?uri=CELEX:52020PC0594

¹² Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU

¹³ Regulation (EU) No 909/2014 of the European Parliament and of the Council of 23 July 2014 on improving securities settlement in the European Union and on central securities depositories and amending Directives 98/26/EC and 2014/65/EU and Regulation (EU) No 236/2012