Regulatory Aspects of Intermediaries in Electronic Payment Acceptance ELECTRONIC PAYMENT ACCEPTANCE PACKAGE ACKNOWLEDGMENTS This report is a result of a collaborative effort across the World Bank Group’s Finance, Competitiveness, and Innovation Department and the Financial Inclusion Global Initiative’s Electronic Payment Accep- tance (EPA) Working Group, which is funded by Bill and Melinda Gates Foundation. This report was prepared by a team from the World Bank led by Ahmed Faragallah (EPA Innovations Workstream Chair, Senior Financial Sector Specialist) and including Daniel Salazar (Financial Sector Consultant) and Jeffrey Stephen Allen (Financial Sector Consultant). Additional contributions were provided by Jose Antonio Garcia, Maria Chiara Malaguti, and Bernardo Barradas (World Bank consultants), who kindly reviewed this report, as well as by Charles Hagner, who edited the report. Naylor Design, Inc. provided design and graphics of the report. The core team thanks Harish Natarajan (Lead Financial Sector Specialist) for his technical guidance and comments during development of the report and Mahesh Uttamchandani (Practice Manager) for providing the overall guidance to the working group. Comprehensive EPA Innovations and Intermediaries Workstreams consultations were undertaken while preparing and reviewing the report. The workstream comprised Amina Tirana, Wameek Noor (Visa), Heba Shams (Mastercard), Ashley Olson Onyango (GSMA), Sohail Javaad (State Bank of Paki- stan), Ma Haoyu (People’s Bank of China), Mohamed Helmy and Mohamed Abdel-Rahman (Central Bank of Egypt), Elmuez Saber (Central Bank of United Arab Emirates), Jahongir Aminjanov (National Bank of Tajikistan), Gabriela Jaramillo Gabino (CNBV Mexico), and Vijay Chugh and Oya Pinar Ardic (World Bank Group). FINANCE, COMPETITIVENESS & INNOVATION GLOBAL PRACTICE Payment Systems Development Group ©2022 International Bank for Reconstruction and Development / The World Bank 1818 H Street NW, Washington, DC 20433 Telephone: 202-473-1000; Internet: www.worldbank.org DISCLAIMER The Financial Inclusion Global Initiative led in partnership by the World Bank Group (WBG), Interna- tional Telecommunication Union (ITU), and the Committee on Payments and Market Infrastructures (CPMI), with the support of Bill & Melinda Gates Foundation (BMGF). The FIGI program funds national implementations in three countries (China, Egypt, and Mexico), supporting topical working groups to tackle 3 sets of outstanding challenges in closing the global financial inclusion gap, and hosting 3 annual symposia to gather the engaged public on topics relevant to the grant and share intermediary learnings from its efforts. This work has been prepared for the Financial Inclusion Global Initiative by the FIGI Electronic Payments Acceptance (EPA) Working Group. The work is a product of the staff of the World Bank with external contributions prepared for the Financial Inclusion Global Initiative. The findings, interpretations, and conclusions expressed in this work do not necessarily reflect the views of the Financial Inclusion Global Initiative partners including The World Bank, its Board of Executive Directors, or the governments they represent, or the views of the Committee for Payments and Market Infrastructure, International Telecom- munications Union, or the Bill & Melinda Gates Foundation. The World Bank does not guarantee the accuracy of the data included in this work. The boundaries, colors, denominations, and other information shown on any map in this work do not imply any judg- ment on the part of The World Bank concerning the legal status of any territory or the endorsement or acceptance of such boundaries. RIGHTS AND PERMISSIONS The material in this work is subject to copyright. Because the World Bank encourages dissemination of its knowledge, this work may be reproduced, in whole or in part, for noncommercial purposes as long as full attribution to this work is given. Any queries on rights and licenses, including subsidiary rights, should be addressed to the Office of the Publisher, The World Bank, 1818 H Street NW, Washington, DC 20433, USA; fax: 202-522-2422; e-mail: pubrights@worldbank.org. Table of Contents Acknowledgments  inside cover Acronyms  iv 1 Introduction  1 1.1 The Financial Inclusion Global Initiative and Electronic Payments Acceptance  1 1.2 Scope of the report  2 1.3 Relation of the report to other reports and working groups  2 1.4 Target Audience  3 1.5 Overview of Content  3 2 Electronic Payment Acceptance Ecosystem  4 2.1. Key Elements of a Payment Ecosystem  4 Instruments enabling electronic payments by payors  5 Devices enabling electronic payment acceptance by payees  5 Card Schemes  6 Mobile Money Schemes  7 Merchant Acquirers  7 Mobile Money Interoperability  8 2.2. Acceptance Intermediaries  8 Payment (merchant) facilitator  9 Payment (merchant) aggregator  9 Third-party processor (TPP)  10 Payment gateway (for online transactions)  10 Bill payment aggregator  12 2.3. The Basis for Regulating Acceptance Intermediaries  13 Approaches for Regulating and Licensing Acceptance Intermediaries  14 2.4. Considerations in addressing regulatory and licensing approach  15 2.5. 3 Direct Regulation of EPA Intermediaries  16 3.1 Elements of Direct Regulation  16 A. Access to Merchant Funds  16 B. Access to Customer’s Financial Information  17 C. Consumer and Merchant Protection  18 D. Management of Risks  19 E. Compliance  20 F. Managing Outsourcing Risks  20 3.2 Authorization of Intermediaries  21 3.3 Examples of Regulatory Measures  21 Access to Customer Funds  23 Access to Customer Data  23 Customer Protections  23 REGULATORY ASPECTS OF INTERMEDIARIES IN ELECTRONIC PAYMENT ACCEPTANCE • i Outsourcing  24 Authorization of Provider Licenses  24 4 Regulating Acquirers and Their Outsourced Services  26 4.1 Regulating Merchant Acquirers  26 4.2 Managing the Risks of Acquirer Outsourcing  29 4.3 Authorization of Acquirer Outsourcing  35 5 Regulating Payment Schemes  36 5.1 Overview of Payment Schemes  36 Two Types of Retail Payment Schemes  37 5.2 Regulating Card Payment Schemes  38 Payment card fee regulation  38 Card Scheme Components  38 5.3 Elements of card scheme management and regulation  40 Card Scheme Governance  41 Card Scheme Rules and Party Liability  41 Competition and Market Structure  41 Operational and Information Technology Security Risks  42 Financial Risks  42 Consumer and Data Protection  42 5.4 Authorization and Licensing Considerations for EPAIs  42 6 Conclusion  44 General notes about the application of the regulatory approaches  45 References  47 Figures Figure 1: EPA Reform Development Stages  2 Figure 2: EPA Package Component Relationships  3 Figure 3: Typical Payment Gateway Functions  12 Tables Table 1: Common Definitions of Merchant Acquirers  8 Table 2: Payment Facilitator Functions  9 Table 3: Definitions of Payment Aggregator  10 Table 4: US Financial Regulators’ Definitions and Descriptions of Third-Party Payment Processors  11 Table 5: Third-Party Processor Functions  11 Table 6: Definitions of Payment Gateway  12 Table 7: Payment Card Fee Regulations in Selected Economies  70 Boxes Box 1: Cases of Direct Regulation of EPAIs  22 Box 2: Regulating Merchant Acquirers  27 Box 3: Regulation of Outsourcing to EPAIs  31 Box 4: Indirect Regulation of General Acquirer Outsourcing  33 Box 5: Regulatory Frameworks for Card Payment Schemes  39 ii • FINANCIAL INCLUSION GLOBAL INITIATIVE Acronyms BNM Bank Negara Malaysia CBE Central Bank of Egypt CPMI Committee on Payments and Market Infrastructures EPA electronic payment acceptance EPAI electronic payment acceptance intermediary FDIC Federal Deposit Insurance Corporation FFIEC Federal Financial Institutions Examination Council FSB Financial Stability Board MSM micro and small merchant OCC Office of the Comptroller of the Currency POS point of sale PSD2 Revised Payment Services Directive PSP payment service provider QR quick response RBI Reserve Bank of India SME small and medium-sized enterprise TPP third-party processor REGULATORY ASPECTS OF INTERMEDIARIES IN ELECTRONIC PAYMENT ACCEPTANCE • iii I. Introduction 1.1  THE FINANCIAL INCLUSION GLOBAL implementing solutions and incentives to increase EPA. INITIATIVE AND ELECTRONIC PAYMENT The EPA package comprises seven components: (1) EPA ACCEPTANCE Package Reference Guide (“Reference Guide”), (2) Guid- ance for the Implementation of EPA Reforms (“EPA Reform The Financial Inclusion Global Initiative is a three-year Guidance”), (3) Self-Assessment Guide, (4) Incentives for program funded by the Bill and Melinda Gates Founda- Electronic Payment Acceptance (“Incentives Report”), (5) tion in partnership with the World Bank, the Committee Innovations in Electronic Payment Acceptance (“Innova- on Payments and Market Infrastructures (CPMI), and tions Report”), (6) Regulatory Aspects of Intermediaries in the International Telecommunications Union.1 The Finan- Electronic Payment Acceptance (“Intermediaries Report”), cial Inclusion Global Initiative established the Electronic and (7) Country Assessments. This note constitutes the Payment Acceptance (EPA) Working Group to foster sixth package component, the Regulatory Aspects of effective practices for enabling and encouraging the Intermediaries in Electronic Payment Acceptance. acceptance and use of electronic payments, particularly Advancing the acceptance and usage of electronic among unserved and underserved segments. The EPA payments globally is a critical economic-development Working Group comprises national authorities, inter- imperative. As argued in the EPA package, electronic national financial institutions, donors, standard-setting payments have important benefits for key economic bodies, and a wide range of private-sector stakeholders. stakeholders, including merchants, consumers, suppliers, It is premised on the concept that wide acceptance of payment service providers (PSPs), and governments. noncash payments is a precondition for the uptake and They also have clear benefits for the broader macroeco- effective usage of transaction accounts to perform most, nomy. Moreover, electronic payments have been cru- if not all, payment needs, to store some value safely, and cial in facilitating economic activity during the ongoing to serve as a gateway to other financial services. COVID-19 pandemic. Despite the benefits of electronic The Financial Inclusion Global Initiative EPA Working payments, acceptance and usage have historically been Group, led by the World Bank, has developed a package of sluggish in certain economies and economic sectors. The guides and technical notes (hereafter, “EPA package”) that EPA package will assist national authorities and stake- are intended to guide national authorities and stakeholders holders in payment systems to advance the acceptance in the electronic-payment ecosystem while designing and and usage of electronic payments. REGULATORY ASPECTS OF INTERMEDIARIES IN ELECTRONIC PAYMENT ACCEPTANCE • 1 The EPA Working Group is premised on the concept itators or aggregators, third-party processors (TPPs), bill that giving individuals access to transaction accounts is payment aggregators, and payment gateways. The report a necessary, though not a sufficient, condition. Beyond also provides an overview of the EPA ecosystem, the risks achieving universal access—whereby all adults worldwide associated with EPAI services, and a deep dive into the will be able to have access to a transaction account or an approaches taken by different authorities to mitigate electronic instrument to store value and send and receive such risks. payments—there is also the key issue of whether a transac- tion account actually provides benefits to its users, which A number of important dimensions to consider in regu- is very often reflected in how frequently that account is lating EPA activities are highlighted in the report. These used, including to access other financial services. Wide include (i) the different types of risks associated with EPA acceptance of noncash payments is a precondition to the activities; (ii) legal and regulatory policies to overcome uptake and effective usage of transaction accounts to (i) such risks; (iii) samples of regulations in some countries/ perform most, if not all, payment needs, (ii) to store some regions; and (iv) recommendations aiming to guide regu- value safely, and (iii) to serve as a gateway to other finan- lators, policy makers, and stakeholders in electronic-pay- cial services. ment ecosystems when designing and implementing rules to discipline EPA while considering country context Yet acceptance of electronic payments remains lim- and national circumstances. ited among merchants. It has been estimated that per- son-to-merchant payments to micro, small, and medium The report has been developed with an eye toward fos- retailers (MSMRs) worldwide amount to $18.8 trillion, tering the proportional and consistent application of only 37 percent of which are made electronically (WBG regulation that is commensurate with the risks that are 2016). Moreover, there is significant regional variation in posed by underlying activities. Several important issues EPA. Only 16 percent and 14 percent of MSMR payments are addressed, including data protection, consumer pro- are made electronically in Sub-Saharan Africa and South tection, and funds protection. Finally, the report adopts Asia, respectively. MSMRs tend to reuse cash received for a “technology-neutral” approach to regulation, which the purchase of goods and services for supply-chain pay- accommodates innovation and efficiency while preserv- ments. Although 53 percent of MSMR business-to-busi- ing financial stability. ness (B2B) payments globally are made electronically, the figure is propped up by high-income economies. The share of MSMR electronic business-to-business payments RELATION OF THE REPORT TO OTHER 1.3  sits well below 53 percent in most regions. Thus, there is REPORTS AND WORKING GROUPS considerable scope for progress in expanding the accep- tance and usage of electronic payments among MSMRs. The Financial Inclusion Global Initiative EPA package has been designed to assist EPA stakeholders with the first two phases identified in figure 1—self-assessment and the 1.2 SCOPE OF THE REPORT development of an EPA reform road map. While the EPA package can help inform implementation, it does not pro- This report aims to foster effective legal and regulatory vide guidance on specific design and cost considerations, practices for enabling and encouraging EPA, one of the as these will depend heavily on local circumstances. The outstanding challenges for reaching universal financial EPA package comprises the following seven components: access. It envisages a legal and regulatory framework that includes the regulation and licensing of EPA inter- 1. Electronic Payment Acceptance Reference Guide mediaries (EPAIs)—that is, PSPs that support the accep- 2. Guidance for the Implementation of Electronic Payment tance of electronic payments in most cases by working Acceptance Reforms (“EPA Reform Guidance”) with merchant acquirers. The report covers the following types of acceptance intermediaries: the merchants’ facil- 3. Self-Assessment Guide FIGURE 1: EPA Reform Development Stages Self-Assessment Roadmap Implementation 2 • FINANCIAL INCLUSION GLOBAL INITIATIVE 4. Incentives for Electronic Payment Acceptance (“Incen- through EPAIs. These stakeholders include, but are not tives Report”) limited to, banks and other financial institutions, and non- bank PSPs, including mobile-money operators and TPPs. 5. Innovations in Electronic Payment Acceptance (“Inno- Also included are fintech entrepreneurs who would like to vations Report”) deploy innovative services to improve solutions and value 6. Regulatory Aspects of Intermediaries in Electronic propositions supporting payment acceptance. Payment Acceptance (“Intermediaries Report”) 7. Country Assessments 1.5 OVERVIEW OF CONTENT Figure 2 captures the general relationships between the six package components beyond the Reference Guide. Ide- This report focuses on regulating EPAIs. It is broken into ally, EPA stakeholders should first consult the EPA Reform five chapters. Following this introduction, chapter 2 sets Guidance for a discussion of the wide range of programs the stage by introducing critical elements of payment and policies that can be pursued to enhance EPA, as well systems, providing an overview of EPAIs, explaining the as a detailed overview of the Self-Assessment Guide and risks introduced by intermediaries, and establishing jus- Incentives, Innovations, and Intermediaries reports. Sec- tifications provided by regulatory authorities for their ond, stakeholders should leverage the Self-Assessment regulation. The positioning of EPAIs within the payment- Guide to diagnose barriers to EPA in their local economy. acceptance value chain is then highlighted. The chapter The EPA Reform Guidance and Self-Assessment Guide are concludes by laying out—at a high level—three approaches similar in that they are both guidance documents. Next, for regulating EPAIs. stakeholders can consult the Incentives, Innovations, and The next three chapters address these regulatory Intermediaries technical notes for more in-depth analysis approaches in detail. Chapter 3 focuses on the direct reg- of EPA-centric programs, policies, and innovations. Finally, ulation of intermediaries by authorities. Chapter 4 focuses the Country Assessments demonstrate how the EPA on intermediaries as outsourcing providers to acquirers, package components can be employed. The assessments describing necessary requirements for banks and non- combine elements of both self-assessment and road-map bank acquirers. Chapter 5 describes an approach focus- development. Wherever relevant, learnings from these ing on the payment scheme or payment system in which assessments have been factored into the refinement of the a scheme or system addresses intermediaries through its EPA package components. own rules. In addressing these three models, the paper focuses on several cross-cutting themes, including ele- ments of regulation, licensing approaches, and relevant 1.4 TARGET AUDIENCE examples. Different regulators possess unique resource endow- The intended audience for this report is primarily finan- ments. Furthermore, each market has its own unique char- cial-sector regulators concerned with payment systems. acteristics—institutions, resources, and level of market The report also targets various stakeholders with an inter- development. Given the unique characteristics and cor- est in expanding payment acceptance—namely, in under- responding market structure of each market, it is import- standing the approaches available to regulators to balance ant for regulators to understand the available options for risks posed by the expansion and support for acceptance addressing EPAIs within these different contexts. of micro and small enterprises to electronic payments FIGURE 2: EPA Package Component Relationships Reform Self- Country Assessment Incentives Innovations Intermediaries guidance assessments Guide REGULATORY ASPECTS OF INTERMEDIARIES IN ELECTRONIC PAYMENT ACCEPTANCE • 3 Electronic Payment Acceptance 2.  Ecosystem A successful payment system is characterized by a num- have emerged in the last decade—using definitions based ber of key components. Payment systems enable the on the functions they perform, to provide additional clar- exchange of value between payers and payees. Success- ity. Section 3 focuses on the basis for the regulation of ful payment systems—characterized by high adoption and intermediaries. The chapter concludes with a discussion usage—possess several characteristics. They consist of of three approaches to regulating intermediaries: direct, many payers, who are in possession of a payment instru- indirect through outsourcing arrangements, and through ment, and a large number of beneficiaries, who are able a payments scheme. Subsequent chapters will detail the to accept a payment instrument to conclude a transac- three regulatory approaches. tion. This report focuses on the specific type of payments where payers are individuals acting as buyers and bene- ficiaries are businesses and, in specific, merchants, acting KEY ELEMENTS OF A PAYMENT 2.1.  as sellers. A number of elements enable the transfer of ECOSYSTEM value from the buyer to the seller. These elements include relevant products and services, corresponding business This section provides an overview of some of the critical models, ecosystem participants, enabling infrastructure, features of a payment system and its supporting ecosys- and foundational rules and regulations. tems. A payment system supports the transfer of value by defining how transfers are executed, providing a rules- Payment intermediaries have emerged to support and based framework for users of the system, and often pro- extend acceptance by micro and small merchants (MSMs), viding the technical infrastructure. who, in turn, support the expansion of financial inclusion. Several questions arise regarding how best to balance the Payment acceptance is underpinned by an acceptance growth of inclusion with the mitigation of risks presented footprint. The ability to receive value for an electronic by intermediaries, and how these can best be managed. purchase is called payment acceptance. In payments—a This chapter addresses questions stemming from the two-sided market—payment acceptance is critical to the emergence of EPAIs. The first section provides detail on development and deepening of the system. Payment some of the key elements of payment systems. Section acceptance, however, has not generally received the same 2 focuses on acceptance intermediaries—many of which attention as payment issuance or the provision of pay- 4 • FINANCIAL INCLUSION GLOBAL INITIATIVE ment instruments. Acceptance growth, to achieve a rea- used in certain countries in certain use cases to purchase sonable density and corresponding footprint, is necessary goods and services and pay bills. for a payment system to expand beyond providing access and the ability to make and receive transfers to enable the Devices Enabling EPA by Payees deepening of usage and improve the economics of the Technological innovation has driven improvements in system. Payment acceptance occurs when businesses are acceptance devices. The traditional payment-acceptance willing to accept payment instruments for the purchase device is a POS terminal. The terminal has evolved over the of goods and services and are provisioned to do so. Hav- years, including changes to adjust to new types of commu- ing highlighted the two sides of the market—issuance and nication and card types. For example, advances in commu- acceptance—we now discuss and highlight developments nications have led to more connectivity options. Similarly, on each side. advances in chip technology have led to a migration in cardstock from magnetic stripe to chip cards. Further Instruments Enabling Electronic Payments by developments led to near field communications technol- Payers ogy, where a transaction may be started by tapping a POS Electronic payments have advantages over cash pay- with the card. At present, after a dip or swipe of a card, POS ments. Electronic payments gained a lot of traction with devices can leverage an internet connection or dedicated the introduction of the plastic payment card. Payment phone lines to communicate with networks to transfer cards have become ubiquitous in many parts of the necessary payment information. Recently, the tokeniza- world and synonymous with electronic payments. Like tion technology led to safer transactions over the internet cash, they are tangible, enabling customers to make pur- by completely hiding the sensitive card information from chases. Unlike cash, they enable purchases to be made transfer outside the well-fenced payment networks. The in non-face-to-face environments (for example, online), communication process facilitates the transfer of informa- transcending distance. In some cases, they can be linked tion, which results in the authorization of the transaction to additional accounts. Furthermore, electronic payment and enables its clearing and ultimate settlement. instruments provide consumers with protections against loss as well as some purchase protections through Innovation has introduced lower-cost devices and means charge-back rights. What is unique is not the card, but of acceptance. The mobile POS—also referred to as a don- the number on the card. The card is a form factor that gle—is a lower-cost alternative to a traditional POS device. enables the use of one’s account number to facilitate the Its introduction was enabled by the emergence of smart- exchange of value. phones, which provide for communication—in this case, network connectivity. The ability to leverage the commu- New payment form factors have been introduced in the nications capabilities of the smartphone has enabled the last three decades. Innovation has led to the introduction manufacture of lower-cost acceptance devices. Low-cost of new payment instruments, or form factors, to facili- mobile POS have helped to fuel the emergence of a new tate the electronic exchange of value. One is electronic payment-acceptance distribution model—enabled by money or e-money. Upon receipt of deposited funds or payment facilitators—to expand acceptance footprints. funds from a cash-in transaction, the e-money issuer will USSD had enabled the transfer of funds among per- electronically credit monetary value to the instrument. sons and from persons to merchants using basic feature E-money can be held on prepaid cards, devices such as phones. The technology made a huge shift in the use of mobile-money applications, or a server. e-money in emerging economies, since it represented Another product is the electronic wallet, e-wallet, or a low-cost option and was accessible by most of the digital wallet. An e-wallet is merely an application that mobiles, including non-smartphones. However, in some acts as a container of other payment instruments, such as countries, USSD is monopolized by mobile-network oper- payment cards, bank accounts, or e-money accounts, and ators or provided under discriminatory conditions and is can be used online or at a merchant point of sale (POS). unavailable as a service for financial institutions. The e-wallet application provides access to the actual Another mode of acceptance enabled by smartphone value stored at a card, bank account, or e-money account technology is the quick response (QR) code. A QR code in the backend. The e-wallet is used because the mobile- is a two-dimensional barcode comprised of black and phone applications can provide wide use cases to con- white squares. The patterns formed by these squares sumers and merchants and can be integrated seamlessly can be read by smartphone cameras, POS terminals, or with different user or business applications. other devices to transmit the information necessary for Further forms of electronic payments exist, such as a payment transaction. In the merchant-presented mode credit transfers and direct debits, where they are widely of QR code payments, merchants typically print a static REGULATORY ASPECTS OF INTERMEDIARIES IN ELECTRONIC PAYMENT ACCEPTANCE • 5 QR code that can be read by a phone to enable a trans- operation and management of a payments switch. These action between the buyer and seller. This method requires roles and responsibilities can be collectively described negligible investment in acceptance infrastructure. Some as a payment scheme or, in the case of card-based pay- merchants can present dynamic QR code generated from ments through debit and credit cards, a card scheme. The a mobile phone or any electronic device, where the trans- standardization achieved by a scheme facilitates the pro- action value and invoice number can be demonstrated cessing of payments between participating parties in the within the code on each transaction. The merchant-pre- payment ecosystem. sented mode enables push, as opposed to pull, pay- ments. In the push model, which costs less and therefore Switching enables the many-to-many relationships in is more relevant for our focus on MSMs, a buyer scans a electronic payments. A card switch—enabled in this case merchant’s QR code and initiates the payment from the by scheme’s network, rules, and technology—links mem- buyer’s end, often inputting the payment amount. The bers to provide three key services: authorization, which merchant then receives notification of the value credited validates a transaction and funds availability; clearing, in to the merchant’s account on the seller’s phone, at which which transaction details are transferred between relevant time the buyer can leave with the purchase. An alternative parties—issuers, acquirers, and, in some cases, the des- is the customer-presented mode, which generally requires ignated TPPs of acquirers—and settlement, in which the more expensive acceptance infrastructure. In some cases, account associated with a transaction is credited to the the customer-presented mode could be used to initiate acquirer, and the issuer is debited. A switch, in this case a request-to-pay transaction. In this transaction, a mer- a card switch, is a routing center that transfers authori- chant sends a payment-request message to the customer zation requests, authorization approvals or denials, and or payer. The payer is able to approve the request, ini- transaction information to appropriate participants in the tiating a credit-push transaction. The transaction is con- payment system. As a hub, it sits between numerous par- venient for the customer, as all payment information is ities, facilitating one-to-one interactions between scheme preentered by the merchant. It also provides benefits to members. A card scheme may possess its own card switch, the merchant in terms of speed of payments and visibility which is the case of the international card schemes and into the audit trail. most domestic schemes. In those cases where interna- As will be further discussed in section 4, QR code pro- tional schemes process payment information, they serve viders often establish standards that govern payment as the switch. There are numerous cases where domestic transactions within their merchant networks.2 These stan- networks provide card switching for domestic schemes dards typically cover supported payment methods (for and sometimes for international schemes. This is the case example, merchant-presented mode and customer-pre- in countries such as Mexico, where switching services are sented mode), authentication approaches, whether tech- provided by two entities, Prosa and E-Global, each of nical specifications are proprietary or harmonized, QR which is owned by a consortium of banks. In other cases, code types (for example, static or dynamic), and other the switch may be owned by a public authority key considerations (Nautiyal, Pors, and Martins 2020). A scheme has more control in a three-party model. In a Card Schemes three-party model, a single entity maintains the relation- ship with both the cardholder and the merchant. Stated Card payment is organized and managed by a card differently, the three-party model does not operate scheme. There are two types of card schemes for man- with intermediaries, such as issuers or acquirers. Under aging payments: a three-party and four-party model. The this structure, no fees or charges flow from an acquirer capabilities of a scheme are supported by a switch, which or issuer to the scheme operator. This model possesses may or may not be part of the scheme. In addition to the a closed-loop structure, allowing the operator to cap- elements already discussed, additional enabling elements ture more information about the payers than would be include business models, corresponding infrastructure, the case in a four-party model. This model is simpler and ecosystem participants, and rules. The organization of a easier to coordinate, since the operator sets the rules payment scheme and its key characteristics are described and no intermediaries need to incorporate rule updates in chapter 5, which emphasizes those features relevant to or changes into their operations. Because of the greater payment acceptance. control it exercises over the value chain, the operator can act more quickly to make necessary changes than would Schemes manage the activities supporting electronic be the case in a four-party model. payments. A number of activities must be coordinated Examples of payment brands using this scheme struc- to enable electronic payments. These include branding, ture are Discover Card, American Express, and, before it rules, licensing, and franchising, as well as, often, the was bought, Diners Card. More recently, schemes operat- 6 • FINANCIAL INCLUSION GLOBAL INITIATIVE ing under a three-party model have partnered with issu- payment card market, some observers, especially GSMA, ers to increase the number of their cards in circulation, have documented common practices among these mer- but this has not changed the underlying model. The issuer chant-centric services. Mobile-money schemes depend owns the customer relationship, but a branded scheme heavily on agent networks to reach out to their customers. will accept transactions through its acceptance footprint and process the transactions. Mobile-money schemes Four functions define emerging mobile-money schemes. tend to apply the three-party model; they acquire the With the introduction of mobile payment, we have seen e-money account holders and merchants directly. Some the emergence of mobile-money schemes to organize mobile-network operators acquire merchants through the activities associated with this new type of payment. intermediaries, while others prefer direct contracts with A potential working definition of mobile-money scheme the merchants. is the following: A mobile-money scheme, which is gov- erned by a mobile-money service provider, sets out oper- It is easier to build a larger acceptance footprint through ational arrangements for payments among its different a four-party model. A transaction processed over a net- segments of customers, including merchants. The scheme work using a four-party model—beyond the payment rules lay out the obligations of the provider, merchants, scheme operating the model—involves four parties: a and consumers. Mobile-money scheme rules often cover cardholder, a merchant, an issuer or the cardholder bank, the settlement process, dispute resolution, customer sup- and the acquirer, also called the merchant’s bank. The port, training, and, occasionally, other relevant issues, four-party model is distinct from the three-party model such as reversals. in separating the role of issuer and acquirer. The scheme operator establishes the rules for operating the system. Merchant Acquirers In many cases, the scheme also acts as a switch, routing Merchant acquirers are an essential part of the payment transactions between issuers and acquirers. life cycle, as they provide payment services to merchants. One advantage of the four-party model is that it scales Definitions of acquirers are extensive. Table 1 captures more easily than the three-party model. Schemes enlist a group of relevant definitions. Acquirers are integral to others to develop their payment-acceptance footprint. Visa’s and Mastercard’s scheme rules. They provide high- This makes it easier for a four-party scheme to drive the level definitions of acquirers that are better understood network effects that are critical, especially in emerging within the context of the rules as a whole. The World economies, as well as extend their reach to excluded pop- Bank Group and the Committee on Payment and Settle- ulation segments. As entities or service providers join a ment Systems (CPSS), the precursor to the CPMI, provide four-party scheme, their end customers are accessible more conventional definitions of acquirers. The European to other entities participating in the system or model. Union, meanwhile, takes a functional approach to defin- Schemes are open to any bank and, under certain condi- ing the “acquiring of payment transactions” (EU 2015a, tions, to non-bank financial institutions that wish to partic- article 4[44]).3 This approach is meant to avoid exclud- ipate as long as they comply with the rules of the scheme. ing certain types of untraditional entities that engage in For this reason, the model is often referred to as an open- acquiring services. loop system. As opposed to the closed-loop nature of the What is clear from these definitions is that a mer- three-party model, it is more difficult to capture customer chant’s ability to accept electronic payments runs directly data, because of the model’s more distributed nature. The or indirectly through an acquirer.4 A merchant can deal four-party model is deployed by well-known payment directly with an acquirer or indirectly through an interme- brands, including Visa, Mastercard, China Union Pay, JCB diary acting on behalf of an acquirer, when permissible. International, and a large number of domestic schemes. Importantly, merchant acquirers can be bank or non-bank entities. Additionally, merchant acquiring is not unique to Mobile-Money Schemes card-based transactions. Payment acceptance via other Common practices are emerging in mobile money. The form factors, such as mobile money and QR code–based use of mobile money for EPA has become common, espe- payments, also involves merchant acquirers. cially in Sub-Saharan Africa. Many mobile-money ser- Clearing and settlement are central functions of mer- vice providers offer merchant-specific services and are chant acquirers, but they often engage in an extensive working to build merchant networks (Katakam 2014). A range of other functions. To foreshadow a bit, section GSMA survey of a central African economy found that 2.2.1 lays out in detail the functions that can be performed merchants use mobile money extensively for customer by acquirers and payment facilitators, an important type payment acceptance and paying bills (Pasti and Nautiyal of acceptance intermediary. Later, table 2 (see section 2019). Though there are no industry standards akin to the 2.2.1) groups these functions into four broad categories. REGULATORY ASPECTS OF INTERMEDIARIES IN ELECTRONIC PAYMENT ACCEPTANCE • 7 TABLE 1: Common Definitions of Merchant Acquirers Entity Definition Visa A Member that signs a Merchant or Payment Facilitator agreement, provides a Cash Disbursement to a “ Cardholder, or loads funds to a Prepaid Card, and directly or indirectly enters a Transaction into Interchange” (Visa 2020, 798). Mastercard A Customer in its capacity as an acquirer of a Transaction” (Mastercard 2020, 367). “ World Bank Group The entity or entities that provide services to the card acceptors (merchants) related to clearing and settle- “ ment of the accepted transactions. In general, the services include receiving and processing the data relating to the transaction for authorization, clearing and settlement, though some only provide services for clearing and settlement. Some acquirers also hold deposit accounts for card acceptors (merchants)” (WBG 2012, 86). CPMI (formerly The entity or entities that hold(s) deposit accounts for card acceptors (merchants) and to which the card “ CPSS) acceptor transmits the data relating to the transaction. The acquirer is responsible for the collection of trans- action information and settlement with the acceptors” (CPSS 2003, 7). European Union Acquiring of payment transactions’ means a payment service provided by a payment service provider con- “‘ tracting with a payee to accept and process payment transactions, which results in a transfer of funds to the payee” (EU 2015a, article 4[44]). In the absence of an acceptance intermediary, such as a money is broader because a mobile-money account could payment facilitator, acquirers typically engage in all such be interoperable with another mobile-money account functions, in addition to maintaining the relationship with or bank account, regardless of scheme as in the case of the underlying scheme. Indeed, an acquirer always main- cards or bank. Furthermore, interoperability with a bank tains the relationship with the scheme. If an acceptance account assures fund access across a number of chan- intermediary plays a role, the acquirer bears responsibility nels and their associated touchpoints. On the other side, for the activities of the intermediary. mobile-money interoperability is not fulfilled among dif- ferent service providers in many jurisdictions, and trials Mobile-Money Interoperability for global interoperability among mobile-money service providers are very shy, contrary to cards interoperability. Interoperability drives network effects and improved sys- tem economics. Interoperability is critical for maximizing There are additional dimensions to mobile interopera- the utility of payments for consumers and merchants, bility. While not addressed by GSMA, there is a question especially small merchants. More specifically, interopera- of interoperability at the agent level, or agent sharing. bility enables the development of network effects. Net- Agents sharing is the case where an agent is not exclu- 100% 90% 80% 75% 69% 60% 40% 44% 35% 32% 20% 22% 0% Government Any form Proof of Proof of Proof of Proof of Other issued ID of ID nationality or address income employment documentation legal status in requirements country must be met to open an account Note: Percentages based on 124 jurisdictions. ID = identity document. work effects derive from the large-scale use of a payment sively bound to one mobile scheme, but is instead able system, characterized by robust issuance and acceptance to support the services of a number of schemes—mainly, of payment products. This, in turn, drives greater utility cash in and cash out, while keeping different liquidity and value for system participants. Furthermore, the usage pools. For example, the Regulatory Framework for Mobile stemming from interoperability and the network effects Payment Systems in Nigeria of 2009 provides that agents it drives improves system economics for operators and are not restricted to any one scheme operator and can participating intermediaries. serve as agents to multiple operators. This is slightly different than POS terminal interoperability in card pay- In the mobile paradigm, the focus of interoperability is ments, where the same acquirer supports the ability of a across schemes and channels. GSMA defines mobile- POS terminal to accept multiple payment marks through money account-to-account interoperability in two ways: a single device in a classic four-party model but using a (1) the ability of customers to make transfers between single pool of liquidity. accounts held with different mobile-money schemes, and (2) transfers between a mobile-money account and an account at a bank. The concept of interoperability in 2.2. ACCEPTANCE INTERMEDIARIES mobile money is constructed differently than in the case of card interoperability—in which network effects stem The following sections outline definitions and functions of from additional branded cards and the expansion of the the following acceptance intermediaries: payment (mer- associated branded acceptance footprint. While defined chant) facilitator, payment (merchant) aggregator, third- differently between cards and mobile money, interopera- party payment processor, payment gateway (for online bility in both cases is concerned with associated network transactions), and bill payment aggregator. effects. GSMA’s definition of interoperability in mobile 8 • FINANCIAL INCLUSION GLOBAL INITIATIVE Payment (Merchant) Facilitator TABLE 2: Payment Facilitator Functions9 Explicit discussions of payment facil- Functional Area Function itators are found in Visa’s and Master- Merchant onboarding Take applications and sign up merchants card’s rulebooks. Visa defines a payment Set up technical mechanism for accepting transactions facilitator as a “Third Party Agent or Customer due diligence non-Member VisaNet Processor that Market development deposits Transactions, receives settle- Payment processing Route authorization requests ment from or contracts with an Acquirer Clearing-file preparation on behalf of a Sponsored Merchant.”5 Settlement Mastercard defines a payment facilita- Pay submerchants tor as a “Service Provider registered by Ongoing security Ensure PCI-DSS compliance an Acquirer to facilitate the acquiring Monitor merchant activity of Transactions by the Acquirer from Deter fraud Submerchants.”6 In general, the Visa and Mastercard definitions appear to be Administrative Transaction reporting to merchants and acquirers and relationship Customer service very similar.7 management Card scheme rules typically stipu- Risk management late that payment facilitators are the Education and training only acceptance intermediaries that Value-added services are allowed to access funds for the purpose of paying submerchants for card-based trans- itator from other intermediaries involved in payment actions. (See, for example, Mastercard 2019, section processing is that it is directly involved in settlement and 7.3, page 146.)8 Additionally, scheme rules often require it often frees a merchant from having to open a merchant submerchants to open a merchant account directly with account with a traditional acquirer. As such, a merchant an acquirer when they eclipse specified revenue thresh- that has an account with a payment facilitator, rather than olds—$100,000 for Visa (Visa 2020, 328) and $1,000,000 an acquirer, is classified as a submerchant of the payment for Mastercard (Mastercard 2019, section 7.6.5, 149; Mas- facilitator. The payment facilitator, in turn, processes pay- tercard 2020, section 7.8, 160). Thus, payment facilitators ments on behalf of many submerchants through a single are generally geared toward MSMs. Indeed, they play a bank account. pivotal role in extending EPA capabilities to MSMs globally (Miller and Salazar 2013; Govil 2016; WBG and WEF 2016). Payment (Merchant) Aggregator Select central banks define payment facilitators similar to Visa and Mastercard. For example, the Reserve Bank of Visa and Mastercard do not discuss aggregators in their Australia defines a payment facilitator as “an entity which rulebooks. The most explicit definitions of payment arranges or procures acquiring services from an acquirer aggregators come from the Reserve Bank of India (RBI), for one or more merchants” (RBA 2016, section 2.3, 4). the CPMI, the US Chamber of Commerce, and an e-com- The Central Bank of Egypt (CBE) defines a payment facil- merce note from the World Bank Group. Table 3 cata- itator as an entity that “provides financial and technical logs definitions from these entities. The CBE also defines services through alternative delivery channels of its sub- “Technical Payment Aggregators,” which are discussed merchants with which contracts have been concluded on further below. behalf of the bank for the provision of e-Payment ser- The clear emphasis in these definitions is that pay- vices” (CBE 2019, 6). ment aggregators absolve small merchants of the need to The key functions of a payment facilitator are summa- open a merchant account with an acquirer. As the name rized in table 2 and organized into four broad functional implies, they aggregate merchant payments for process- areas, which include (i) merchant onboarding, (ii) pay- ing through their own account. From the definitions con- ment processing, (iii) ongoing security, and (iv) admin- tained in table 3, it is not clear that there is any difference istrative and relationship management. Clearly, payment between aggregators and facilitators. facilitators perform a broad range of functions across the The CBE takes a different approach. It draws a fairly acceptance value chain. clear distinction between payment facilitators and “Tech- To summarize, a payment facilitator is an intermediary nical Payment Aggregators” in Egypt (CBE 2019). The CBE that onboards and processes payments for merchants defines the latter as an entity “that provides technical ser- through its own banking relationship and merchant iden- vices to its sub-merchants on behalf of the bank through tification number. What distinguishes a payment facil- alternative delivery channels of the technical payment REGULATORY ASPECTS OF INTERMEDIARIES IN ELECTRONIC PAYMENT ACCEPTANCE • 9 TABLE 3: Definitions of Payment Aggregator Entity Definition Reserve Bank Service providers who process the payment transactions of e-commerce merchants. Aggregators allow “ of India merchants to accept card and bank transfers without having to set up a merchant account with a bank or card association” (RBI 2019a, 18). Entities that facilitate e-commerce sites and merchants to accept various payment instruments from the “ customers for completion of their payment obligations without the need for merchants to create a separate payment integration system of their own. PAs facilitate merchants to connect with acquirers. In the process, they receive payments (at escrow accounts) from customers, pool and transfer them on to the merchants after a time period” (RBI 2020, section 1.1.1, 2). CPMI A payment service provider through which e-commerce merchants can process their payment transactions. “ An aggregator allows merchants to accept different payment instruments such as credit card, bank transfers, e-money without having to setup a merchant account with a bank, card association etc. The aggregator provides the means for facilitating payment from the consumer to the merchant” (CPMI 2016). US Chamber of Service provider that allows merchants to process mobile or e-commerce payments. They let businesses accept “ Commerce credit and debit card payments without setting up a merchant account through a bank” (Johnson 2019). World Bank A service provider that signs up merchants directly under its own merchant identification number (MID) to “ Group10 process transactions through a single master account. One merchant account is used to represent many mer- chants opposed to the traditional model which disburses a merchant account to each merchant. It is important to note that aggregators exist also for physical merchants in addition to e-commerce” (WBG 2020, 11). aggregator, which includes providing e-payment services chant, the payer’s bank (issuing bank), and the merchant’s for paying bills/services” (CBE 2019, 6). In clear contrast bank (acquiring bank)” (WBG 2020, 11). with the definitions outlined in table 3, the CBE indicates Visa’s treatment of processors is more complex. It that a submerchant of a technical payment aggregator identifies various types of processors, including acquirer “enters into a contract with the technical payment aggre- processors (Visa 2020, 798), clearing processors (Visa gator and the bank”11 (CBE 2019, 7). Meanwhile, submer- 2020, 810), authorizing processors (Visa 2020, 804), and chants of a payment facilitator need to have a contract Visa service-specific processors, such as VisaNet proces- only with the facilitator (CBE 2019, 7).12 sors (Visa 2020, 885). Its discussion of these processors is We can conclude that most regulators and card high-level and not central to the rules. schemes do not differentiate between merchant facilita- US banking regulators use the term third-party pay- tors and aggregators. Hence, we will refer to merchant ment processor in reference to entities that are similar facilitators as the intermediaries that settle transactions to the definitions of payment facilitator discussed ear- on behalf of merchants (submerchants or sponsored mer- lier. Table 4 catalogs relevant definitions from the Federal chants). Any reference to merchant aggregator will mean Financial Institutions Examination Council (FFIEC), Fed- facilitator. eral Deposit Insurance Corporation (FDIC), Office of the Comptroller of the Currency (OCC), and Conference of Third-Party Processor State Bank Supervisors (CSBS). The FFIEC is the examina- tion-coordinating body for the federal banking regulators The general term third-party processor is used to refer to (Federal Reserve, FDIC, OCC). The Conference of State the entity that processes transactions on behalf of a prime Bank Supervisors is the coordinating body for American entity within an outsourcing relationship. Mastercard state bank regulators and many nonbank regulators. describes a TPP as a service provider that is permitted to These definitions are similar to schemes’ and regula- provide authorization services, clearing-file preparation tors’ definitions of payment facilitators, particularly in and submission, and settlement processing, among other stressing that the intermediary often uses its own account services (Mastercard 2020, section 7.1, 292). Crucially, to process transactions on behalf of merchants. Within though, in this definition, a TPP is not permitted to pos- this report, we will use the definition of international card sess, own, and control settlement funds (Mastercard 2020, schemes for TPPs as entities that provide technical ser- section 7.1, 292). This is distinct from a payment facilitator. vices to merchants but not settlement. Mastercard’s definition of a TPP is similar to the way the Table 5 catalogs typical functions. A TPP engages World Bank Group has discussed payment processors. In in many of the same functions as a payment facilitator. a forthcoming report, the World Bank Group describes a Regarding payment processing, it can be involved in payment processor as an entity that “executes the trans- authorization, clearing-file preparation and submission, action by transmitting data between the payer, the mer- 10 • FINANCIAL INCLUSION GLOBAL INITIATIVE TABLE 4: US Financial Regulators’ Definitions and Descriptions of Third-Party Payment Processors Entity Definition FFIEC Bank customers that provide payment-processing services to merchants and other business entities. “ Third-party payment processors often use their commercial bank accounts to conduct payment processing for their merchant clients” (FFIEC 2014). FDIC A deposit customer of the financial institution and uses its customer relationship to process payments for “ merchant clients. The payment processor may use its own deposit account to process such transactions, or it may establish deposit accounts for its merchant clients to process transactions” (FDIC 2014). OCC The processor uses its bank relationship to process payments for merchant clients. Often the processor “ uses a bank account as the vehicle to conduct such payment processing… the bank often has no direct customer relationship with the merchant” (OCC 2008). CSBS Third Party Payment Processors (TPPPs or processor[s]) originate transactions for consumers or “ businesses that are not direct customers of the originating financial institution. They provide payment processing services to merchant or business clients and group these payments together to take advantage of economies of scale” (CSBS 2014, 2). TABLE 5: Third-Party Processor Functions Functional Area Function Merchant Take applications and sign up merchants onboarding Set up technical mechanism for accepting transactions Customer due diligence Market development Payment Authorization services processing Clearing-file preparation and submission Settlement processing (without taking control of funds) Charge-back processing Security Fraud control and monitoring Administrative Statement preparation and relationship Customer service management Education and awareness and aspects of the settlement process (Mastercard 2020, of data. As with TPPs, gateways do not handle funds. section 7.1, 292). Importantly, contrary to a payment facili- Rather, they play a role only in the beginning and end of tator, a TPP never controls settlement funds and does not the e-commerce payment life cycle. process transactions on behalf of merchants through its Figure 3 depicts typical payment gateway functions. own account. TPPs also play roles in merchant onboard- Gateways provide merchants with the technology infra- ing, security, and administration. structure necessary for secure web-based payment acceptance. Perhaps the most important payment gate- Payment Gateway (for Online Transactions) way function involves securely capturing and transmitting payment data. Specifically, they receive online transaction Visa and Mastercard do not include substantive discus- data via Secure Socket Layer encryption (Peek 2020), sions of payment gateways in their rules. The most direct either through a bridge established with the merchant’s definitions of payment gateways come from the RBI, Bank website or through a gateway’s own capturing mecha- of Ghana, Central Bank of Nigeria, World Bank Group, and nism, to which customers can be redirected when making Government of Australia. Similarly, although the CPMI online purchases. does not establish an independent definition of gateways, Then they securely transmit the data to the next link in it lists gateways as a prominent example of a “front-end the payment-processing chain. In addition, gateways play payment provider,” which it defines. Table 6 catalogs an important role in formatting data by translating the these relevant definitions. message format used by the system of capture (for exam- These definitions distinguish gateways quite clearly ple, internet) to the format used by the relevant network from payment facilitators in the sense that gateways are switch (for example, Banknet for Mastercard, Visanet for dedicated to the secure capture, transmission, and receipt Visa) whose payments instruments they support. Pay- REGULATORY ASPECTS OF INTERMEDIARIES IN ELECTRONIC PAYMENT ACCEPTANCE • 11 TABLE 6: Definitions of Payment Gateway Entity Definition Reserve Bank of India Entities that provide technology infrastructure to route and facilitate processing of an online payment “ transaction, without any involvement in the handling of funds” (RBI 2020, section 1.1.2, 2). Bank of Ghana An e-commerce application service provider that authorizes card payment for e-businesses and online “ retailers” (BOG 2019, 31). World Bank Group Helps initiate e-commerce transactions or in-app payments. It helps merchants securely transmit the “ online payment data to the payment processor to continue the lifecycle of the transaction. The gate- way is not directly involved in the money flow, but it is a web server to which a platform’s website is connected” (WBG 2020b, 11). Government of A service that captures payment information for certain payment methods (usually credit card details) “ Australia from customers, donors or supporters when they complete a transaction. It creates a message about a transaction in a format that a bank or financial institution can process” (Government of Australia 2012). CPMI The CPMI identifies “internet payment gateway providers” as a type of non-bank front-end payment provider, which it defines as “non-banks which typically provide an interface between end users of payment services (payers and/or payees) and the traditional clearing and settlement process. They are mostly present in the pre-transaction, initiation, and post-transaction stages of payment, but usually not in clearing and settlement” (CPMI 2014, 9). FIGURE 3: Typical Payment Gateway Functions Provide technology Securely capture and Authorization, Response code infrastructure transmit data clearing, settlement transmission ment gateways are not often involved in authorization, a payment solution that allows Cardholders to pay quali- clearing, and settlement. On the back end, gateways fying billers. A biller may or may not be a Merchant” (Visa often play a role in sending response codes to relevant 2020, section 5.13.1, 476). In the United States region, spe- parties upon transaction completion (Peek 2020). They cifically, Visa further identifies a “bill payment provider” also often provide online dashboards that allow mer- as an “entity that provides a payment solution to facilitate chants to view transactions and take other actions, such individual or business bill payments on behalf of the Obli- as reversals. Within this report, we focus on the front-end gee or their financial institution using a Card to pay a biller functions of the gateways, where gateways have direct when the payment is initiated as a bank transfer or cash business relationship with merchants, similar to TPPs, but payment” (Visa 2020, section 4.1.21.1, 228). focusing on e-commerce platforms. When the activities The US FFIEC also discusses bill “consolidation-ag- of gateways focus only on back-end functions through a gregation” as a model of electronic bill payment and relationship with the acquirer, such activities would be out presentment.13 In this model, “the consumer’s bills are of the scope of this report. consolidated by a consolidator acting on behalf of mer- chants and utilities (or aggregated on behalf of the con- Bill Payment Aggregator sumer), combining data from multiple bills and presenting a single source for the consumer to initiate payment.”14 Official definitions of bill payment aggregators are not The consolidation-aggregation model stands in contrast common, but Visa, the FFIEC, and the South Africa tothe “direct model” of electronic billing.15 Finally, the Reserve Bank include discussions of these entities in key South Africa Reserve Bank’s definition of a “beneficiary documents. Visa, for instance, defines a “consumer bill service provider” is similar to the notion of a bill payment payment service provider” as a “Merchant that provides aggregator and carves out a more direct role for retail 12 • FINANCIAL INCLUSION GLOBAL INITIATIVE agents collecting payments from payers on behalf of pay- lects funds on behalf of billers, while the back-end bank ees. The South Africa Reserve Bank further explains that acts as a fiduciary for funds collection. The fiduciary bank a “typical example” of this service is “the acceptance of is not responsible for the bill aggregator’s service quality. money or proceeds of payment instructions by a retailer Moreover, often no umbrella agreement, such as scheme or other outlets for payment of utility bills” (SARB 2007, rules, governs the bill aggregation process. section 1.3.4[a]). Despite the dearth of official definitions, bill payment Regulators tend to consider the size of the biller or the aggregators play an important role in facilitating EPA for merchant. While regulators are keen to protect MSMs recurrent payment streams, especially when the billers’ under financial consumer protection powers, the large own web acceptance platforms are lacking. The types of merchants or billers might not need to be covered by reg- payments that bill payment aggregators collect include ulatory measures to protect their rights within their rela- utilities (for example, electric, gas, and water), telecom- tionship with financial institutions and intermediaries in the munication services, financial institution payments (for same way MSMs need protection. Large merchants and example, debt repayment), real estate payments, insur- billers generally have their own lawyers and can negotiate ance premiums, taxes, and other government fees, among and change terms of service with financial institutions and others. Collectively, these constitute a significant share of intermediaries. For example, one common model of bill payments worldwide. aggregation is for the bill payment aggregator to deposit Bill payment aggregators collect payments through a an initial fund or a guarantee (including a bank letter of variety of mechanisms, including online portals, mobile credit) with the biller and limit the collection of bills up applications, and retail establishments, often offering to the value of the guarantee. By contrast, the terms of multiple options to customers. Egypt’s Fawry, for exam- acceptance aggregation or facilitation to MSMs may not ple, offers “omni-channel” collection through retail estab- be fair and may have conditions that discourage EPA by lishments, ATMs, mobile applications, and mobile wallets.16 MSMs. These circumstances may require regulatory inter- An added benefit of bill payment aggregators for mer- vention to protect MSMs. chants, to the extent that they offer bill payment collec- tion, is that these services can drive incremental revenue gains and enhance customer loyalty. The key functions of THE BASIS FOR REGULATING 2.3.  bill payment aggregators include the following: ACCEPTANCE INTERMEDIARIES • Combining data from multiple bills Regulators could have justification to regulate the activ- • Presenting a consolidated payment-initiation platform ities of intermediaries. While there is neither global con- for payers sensus that requires intervention by regulators nor a single model for such intervention, we nevertheless dis- • Distributing payments to appropriate payees cuss some of the arguments that underpin the issuance of • Protecting the security of payment data regulations to govern the operations of EPAIs. • Furnishing payers with receipts Intermediaries such as payment facilitators and bill • Performing customer verification in cases where the aggregators could have access to merchants’ and billers’ payee is not a member of relevant acceptance schemes funds. Because facilitators collect payments for goods and services and settle with an acquirer on behalf of the There are few differences between payments to mer- merchants, funds reside in the facilitator account on a chants and billers. Payments to merchants are linked to temporary basis, creating a settlement risk. The failure by receiving goods or services on an ad hoc basis, while the the facilitator to transfer funds to merchants could impair relationship between the customer and a biller is typically the trust of small merchants and that of society in digi- managed through an agreement. The agreement condi- tal payment services, harming the efforts of regulators to tions receipt of a service to payment. Thus, when pay- increase the acceptance of electronic payments. ment obligations are not fulfilled, delivery of contracted services to the customer could be affected. Another All intermediaries would have access to customers and major difference could be the contractual relationship merchants’ financial information, such as account or card between the facilitator/aggregator and the back-end numbers, card expiration dates, full names, addresses, financial institution. Merchant facilitators typically work and so on. Hence, it might be important for some reg- through an acquirer, and the acquirer is generally liable ulators to control access to and the storage and trans- for the quality of service provided by the merchant facil- fer of such information. Typically, laws and regulations itator. A bill aggregator, on the other hand, typically col- protecting data should apply to all PSPs having access REGULATORY ASPECTS OF INTERMEDIARIES IN ELECTRONIC PAYMENT ACCEPTANCE • 13 to financial data, including EPAIs. The rationale for this is APPROACHES FOR REGULATING 2.4.  that the exposure of data could damage the reputation of AND LICENSING ACCEPTANCE the financial sector. INTERMEDIARIES The regulator needs to ensure its ability to apply its The report will discuss three different approaches for reg- measures to all entities engaged in a payment transac- ulating EPAIs. By regulation, we refer to legislative powers tion, given that the payment instruments, services, and delegated to a certain agency (the regulator). Regulators systems are normally under the oversight of the central in a jurisdiction have a narrow authority to apply conduct, bank. Central banks as the payment system regulators within their areas of responsibility, that allow them to cre- can certainly address financial institutions for any lack of ate and apply the “regulations,” rules, or directives. Three conformity with its laws or regulations and will seek the approaches for regulating EPAIs are discussed with detail same powers over other entities such as intermediaries, in this report. either directly or indirectly. The regulator would need to ensure compliance of all parties to issued regulations and Direct regulation: The regulator issues regulations to set uniformity in practice across all entities. controls and limits on EPAIs directly. Regulations will typ- ically be directed at specific types of intermediaries, or Intermediaries such as facilitators and gateways actively they can target certain functions, regardless of the type of engage with customers and merchants and, hence, intermediary. Upon issuing direct regulations, the author- would affect the customer experience. Intermediaries ities will expect any entity providing or anticipating pro- introduce their own technologies and business models to viding such services to apply for a license, authorization, serve the customers and merchants directly. The technol- or to be registered. This approach addresses intermedi- ogies or business models introduced might be immature aries directly by specifying the necessary conditions for and could impair the customer experience or lead to dis- providing a specific service. trust in the service and affect customer confidence in the national payment system. Therefore, regulators may need Regulating acquirers and their outsourced services: to intervene to keep the trust in national payment system. Where the activity of an intermediary is seen as the respon- sibility of the acquirer, this activity is considered to be out- It is in the core mandate of the oversight function to take sourced by the acquirer to a third party. The regulator may necessary measures to mitigate risks associated with issue regulations to the acquiring business. The regulator the national payment system. Risks presented by EPAIs could issue regulations that address the requirements for could mainly be operational and financial or general busi- outsourcing services in general. Alternatively, the regula- ness risks. Such risks could take the form of operational tor could decide to address specific types of intermedi- failures due to bad system design, lack of business-con- aries as a special type of outsourcing, specifying certain tinuity arrangements, cybersecurity attacks, and other requirements for those intermediaries. The approach of threats, or financial failures due to business losses, bad licensing or authorizing intermediaries may differ from investments, or other financial reasons prohibiting inter- one authority to the other. Nevertheless, the acquirer is mediaries from providing their services. Because of the ultimately liable for the deeds of its intermediaries. positioning of intermediaries in the middle of the process- ing of financial transactions, it may be important to estab- Regulating the payment scheme and system: Regulators lish required measures by regulators to mitigate the risks may choose to ensure that the scheme governing body mentioned earlier. Risk mitigation is a core objective of or system operator manages all risks within the scheme, payment system regulators. including the risks presented by EPAIs. Part of the ratio- nale is that EPAIs are part of a payment scheme or sys- Regulators are always concerned with aspects of finan- tem, such as a card scheme or mobile-payment scheme. As cial integrity and compliance with customer due dili- such, scheme or system rules will include the conditions for gence requirements. Most intermediaries perform due intermediary service delivery. Within this approach, regula- diligence on their customers. For example, merchant facil- tors could apply certain conditions—either general or spe- itators and aggregators need to perform due diligence on cific—to intermediaries based on their type. Nevertheless, it the merchants they acquire. The need for due diligence would be the responsibility of the scheme governing body processes would extend to merchants selling goods or or system operator to ensure intermediary compliance services on the internet, sales that are not executed in a with the regulations. Under this approach, intermediaries physical location. Merchant due diligence is not limited to would not necessarily need to be licensed or authorized by the initial enrollment process but is a continuous process the authorities but would need to be licensed or authorized of monitoring the merchants’ activities. by the scheme governing body or system operator. 14 • FINANCIAL INCLUSION GLOBAL INITIATIVE  ONSIDERATIONS IN ADDRESSING 2.5. C be under the supervision of a different authority. Such REGULATORY AND LICENSING distinction may be relevant within the central bank itself. APPROACH Within some central banks, the oversight and supervision functions for the PSPs, including intermediaries, are per- Authorities may elect to use one or several of these formed by the payment system oversight unit. In others, three approaches, aligning the approach to the type of the supervision of non-bank financial institutions is per- the intermediary, types of risks presented, and the over- formed through the supervision unit. all regulatory environment. For example, a regulator may prefer to consider payment gateways and TPPs as out- Financial consumer protection and data protection could sourced services that could be supervised by financial be the objectives of some central banks. However, in institutions. The same regulator, however, may prefer to some jurisdictions, the responsibility for these issues may license and regulate the facilitators directly, preferring a be assigned to institutions other than the central bank. direct approach for the risk of managing customer funds. The oversight unit within some central banks may have a specific mandate for protecting the customers within Regulators are recommended to use a functional the payment transaction. To ensure legal certainty, con- approach, not an institutional approach. In chapter 2 of sideration needs to be given to encouraging innovation. this report, we clarified the list of functions provided by Regulators need to issue new laws/regulations, adjust each entity, and we use the institution type mostly for existing legal and regulatory framework, or adapt the simplicity. On the one hand, the most distinctive func- existing framework to new products and business models. tion of a payment facilitator could be collecting funds on For example, authorities might need to update existing behalf of merchants. Hence, we refer to this specific func- regulations to address new types of institutions. This is tion mostly when referring to the payment facilitators. On the case of the European Union’s update of the Payment the other hand, a certain payment gateway might provide Services Directive, as noted in the preamble (EU 2015a, both gateway and fund-collection services through its para. 27 and 28). In updating the directive, the European own account. In such a case, the regulator would treat this Union was able to put a fence around new PSPs that had entity as performing the functions of both payment gate- emerged, thereby assuring legal certainty. Authorities ways and merchant facilitators. It should be noted that, might issue a general framework that can accommo- in our report, reference to a specific intermediary means date technological development. This is the approach the functions performed by this intermediary as listed in taken, for example, in Mexico’s fintech regulation, which chapter 2. is crafted in a manner to provide flexibility for a number of areas of emerging innovation in financial technology As the overseer of the national payment system, cen- (Chamber of Deputies 2018). tral banks can achieve their objectives in different ways. Furthermore, regulations should be technology neu- The oversight function means that the central bank will tral. However, some new technologies introduce changes monitor the different components of the NPS, assess the in business models that invite the need for new regula- risks on participants, systems, and policy objectives, and tions. Regulations should be oriented to the risks of the induce changes on different components of the NPS when business, regardless of the service provider. New types of required. One oversight instrument of the central bank is service providers enhance market competitiveness and issuing regulations. Direct or indirect licensing of service should not be disregarded or segregated by regulations. providers could be another oversight instrument. Regard- The principle that should be adopted by regulators is less of the selected approach, the central bank needs to “same business, same risks, same rules.”17 monitor NPS participants closely and clearly understand the risks that those participants present to the NPS. The Finally, the level of market sophistication and structure oversight of EPAIs is out of the scope of this report. How- could be an important factor in the selection of the reg- ever, the report’s scope covers regulatory approaches as ulatory approach. A market with few dominant providers well as licensing approaches. might require a direct regulatory approach by the cen- tral bank. A market characterized by many nondominant The scope of regulations, oversight, and supervision providers might be better suited to an indirect regulatory could vary from one country jurisdiction to the other approach. Having strong and mature payment schemes based on legislative structure. For example, some author- or system operators with detailed rules and clear opera- ities may designate intermediaries as service providers tional requirements would allow the central bank to apply under the supervision and oversight of the central bank. the existing scheme rules while appending the rules with In other jurisdictions, non-bank financial institutions could country-specific conditions. REGULATORY ASPECTS OF INTERMEDIARIES IN ELECTRONIC PAYMENT ACCEPTANCE • 15 Direct Regulation of EPA 3.  Intermediaries This chapter focuses on the direct regulation of EPAIs, tory actions to mitigate these risks. The second section one of three regulatory approaches addressed in this examines the licensing and supervision of intermediaries, paper. The justification for regulating EPAIs centers on a process important to ensuring the health of regulated their role supporting financial institutions in the accep- organizations, the protection of investors, and the pro- tance value chain through processing. Some of the risks motion of market confidence in the ability of an EPAI to associated with their activities include settlement, access conduct business safely and professionally. The chapter to customer funds, operational risks, and those related to concludes with an overview of regulations actually used customers. in practice by some jurisdictions to address some of the identified issues and risks, providing examples of regula- In the direct approach to regulation, the regulation and tions that have been instituted. licensing of EPAIs typically resides with the payment sys- tem authority, which could be the central bank or any other conduct authority in charge of non-bank finan- 3.1 ELEMENTS OF DIRECT REGULATION cial institutions and PSPs. In the two other approaches considered in this paper, responsibilities reside with the Regulators have several reasons to address the risks acquirer in the outsourcing approach examined in chap- posed by EPAIs, including to ensure the integrity of a ter 4, while chapter 5 examines the role of the payment nation’s payment system, its reputation, and trust in the scheme and its interactions with EPAIs. In direct regu- system and, in turn, to facilitate the system’s continued lation, a broader set of responsibilities resides with the growth and its underlying economics. This section high- regulator. This chapter focuses on the broader role for lights key risks posed by EPAIs, details the nature of these the regulator—under direct regulation—in addressing the risks, and highlights potential regulatory avenues to miti- risks presented by EPAIs and corresponding actions that gate these risks. can be taken to mitigate these risks. A. Access to Merchant Funds This chapter is organized into three sections. The first section details the key elements that must be addressed Some acceptance intermediaries have access to their in the direct regulation of EPAIs. It does so by describing customer’s funds—whether directly through the holding the risks presented by EPAIs, then highlighting regula- and settlement of funds or indirectly through payments 16 • FINANCIAL INCLUSION GLOBAL INITIATIVE instructions. There is risk inherent in electronically holding Another area of concern with respect to merchant funds and moving customer funds. These risks compel regula- is advance payment, in which customers make payment tors to establish requirements for the funds’ safekeeping. to a merchant before the receipt of goods or services. Ensuring the protection of customer funds is critical for Risk stems from a merchant not fulfilling its obligation maintaining trust in a payment system and, in turn, its effi- in a transaction. Examples include travel-related pay- cient operation. ments, the online purchase of goods, and some services. To address the risks of these asynchronous flows, inter- Risk in accessing customer funds can be addressed by mediaries may hold funds associated with a purchase in setting obligations and controls based on the type of escrow, providing settlement once orders are fulfilled. intermediary seeking fund access. Some regulators allow Another mechanism is for the EPAI to hold reserves—a intermediaries only indirect access. In general, an inter- percentage of a merchant’s electronic payment proceeds. mediary establishes a merchant account with its partner Reserves can be adjusted based on the nature of the risk bank, with the bank treating it as an internal account. The environment. During the COVID 19 pandemic, reserve bank shall ensure that settlement to the account is limited requirements trended higher because of increased risks, to the intermediaries’ submerchants and, furthermore, putting pressure on merchants with low liquidity. that the intermediary is incapable of disposing the funds for purposes other than settlement with submerchants. In B. Access to Customer’s Financial Information turn, the intermediary needs to establish an account on Several trends are making customer information more its platform for each of its submerchants and is responsi- accessible. The types of customer data available have pro- ble for providing settlement to its submerchants through liferated, and the ability to capture, transmit, and access these accounts. The intermediary will typically provide to such data through new channels has increased. This its partner bank a daily file of transactions to be settled, information includes customers’ personal data, mer- which the bank will use for releasing funds as the trans- chants’ business data, and transactional and financial actions settle. Merchant funds are collected principally by data, including card numbers and account numbers, intermediaries, such as payment facilitators, bill aggre- among others. In addition, new applications of customer gators, and gateways having a facilitation role. The con- data are being developed along with associated business cerned intermediaries collect the funds on a temporary models, such as customer-centric payment services, such basis for distribution to merchants. as account information service providers, which are able to aggregate data from consumer payment accounts Regulators either request intermediaries to deposit using interfaces, enabling them to have an overall view funds directly to an account that’s under the control of of a consumer’s financial situation at any moment (EU the acquirer or fiduciary bank or allow intermediaries to 2015a, para. 28). Other applications include credit scor- collect the funds directly in their accounts. Additionally, ing, know-your-customer solutions, and efforts to mini- risks to these customer funds may be further mitigated by mize fraud. In fact, data has become a critical component requiring merchant funds to be held in an account distinct of new capabilities and business models and has the and segregated from the intermediary’s funds, ensuring potential to change the economics of payments—further their separation from business funds and thus protecting enhancing the ability of providers to reach the marginal- them from misappropriation. ized and excluded. The timely receipt of funds is critical to merchants, Data trends, for example, are helping to spur payment even more so for liquidity-constrained MSMs. Visibility innovation, in turn enabling the inclusion of more MSMs. on timing increases the predictability of fund receipt, Nevertheless, these trends raise issues that reinforce the facilitating financial planning by merchants. Providing need for measures to protect the financial information time limits for settlement to submerchant accounts mit- of EPAI customers. For example, how do we address the igates these risks. processing, transmission, and storage of data used to Some intermediaries require the merchants to keep a derive value in new solutions and business models? What portion of the collected funds to protect the intermediar- are the implications of regulating data for the entrance ies from credit risks associated to reversal or charge-back of new players into the market, both local start-ups and transactions. Despite the fact that a request could be established global entities? These are just a few of the justifiable, the amount of requested credit or the length questions raised by current data trends. of keeping the credit could be unfair to the merchant. Hence, requirements for mitigating credit risks should be Data Protection based on quantifiable risk measures, with consideration to transaction size, the nature of a merchant’s business, Customer financial data captured by EPAI must be pro- and reversal or charge-back rates. tected. For example, data that is retained and stored REGULATORY ASPECTS OF INTERMEDIARIES IN ELECTRONIC PAYMENT ACCEPTANCE • 17 must be protected from those who seek to compromise toral approaches, such as agriculture. These innovations the integrity of the intermediary’s systems. This requires can improve the value of payment solutions to merchants the data—which, in some cases, is becoming more con- and small businesses, support more use cases, and drive centrated with outsourced providers—to be stored safely. system efficiency through greater usage. Data must be safely captured and transmitted to partic- ipants across the acceptance value chain, with risk mit- EPAIs must ensure that they use data in a permissible igated through security measures and standards for its manner. This requires abiding by use rights that may be capture and transmission. Furthermore, permissible uses explicitly addressed by regulators. These rights might of customer information must be established—discussed include the use of customer data to validate funds avail- in more detail below—to ensure that the rights of data ability for the authorization of payment transactions and ownership are recognized, and that protocols associated for fraud mitigation.19 More broadly, fundamental issues with ownership rights are clearly understood, ensuring the of data ownership have been raised in recent efforts to legitimate and sanctioned use of customer financial infor- regulate payments. While these issues may not directly mation. Data breaches have become a greater concern affect EPAIs at this moment, they may be relevant going as more data becomes electronically available. In general, forward, as intermediaries and the services they provide privacy risks have increased as the number of customers continue to evolve. Some of these issues include owner- served by a provider increases. These risks can be com- ship rights around data and the implications for how data pounded if the provider possesses other types of data can be used. These rights need to lay out the permissi- that has been linked to customer financial information. ble uses of this data to ensure its proper use, so as to These risks may emanate from services provided directly protect consumers, merchants, business partners, and to merchants or services provided to an intermediary by intermediaries—for example, open banking models where an outsourced provider (WBG 2019). the ownership of customer data has shifted from finan- cial institutions to customers. Hence, it is the customer Security Measures and Standards who possesses the right to share data. Some regulators are requiring institutions in possession of customer data Service providers need to ensure that data captured in to obtain the consent of customers before the institutions customer interactions is done so in a secure manner. may use this customer data.20 Industry standards provide a mechanism for enhanc- ing data security. PCI-DSS (Payment Card Industry Data C. Consumer and Merchant Protection Security Standard) is a body of standards established by major card schemes to secure card transactions against EPAIs are well positioned to focus on MSMs, in turn help- data breaches, theft, and fraud. Meant to safeguard this ing to advance financial inclusion. Their customers and sensitive information, it sets standards and associated the customers of their customers tend to be relatively security measures for the capture and transmission of new to digital payments, not completely familiar with data by organizations that process payment transactions. these services and the details surrounding them. The sit- This includes, for example, standards to encrypt the trans- uation reinforces the importance of protections for EPAI mission of cardholder data.18 A separate industry standard, customers that are necessary to instill and reinforce trust PA-DSS (Payment Application Data Security Standard), in the payment system. is meant to ensure that payment applications are secure. The protection of data can be assured only when all play- Transparency about charges is essential to the predict- ers within the payment ecosystem maintain best-in-class ability of cash flows and informing business decisions. security standards (Mastercard 2017). These standards Not only do many EPAIs’ merchants serve poorer pop- address the increased complexity of the acceptance value ulations, but they, too, are often poor, struggling to man- chain, extending data security standards to mobile pay- age their cash flows, reinforcing the need for information ment-acceptance applications associated with schemes. about pricing and charges to be transparent and predict- able—minimizing the risk of surprises. Permissible Use of Customer Information Consumer protection is needed in the form of approaches Easier access to customer data is creating new oppor- for managing the resulting complaints in a manner that is tunities for innovation, but its misuse by intermediaries fair and equitable. Mistakes, both human and system gen- is also a source of risk. Data has been critical in support- erated, are inevitable, as are misunderstandings over the ing innovation and the development of new business execution of transactions. Minimizing the impact of these models, including credit scoring, fraud applications, and inevitable errors will provide a better payment experi- expanded customer-centric solutions that incorporate ence, enhancing the utility of electronic payments. payments, such as those increasingly being used in sec- 18 • FINANCIAL INCLUSION GLOBAL INITIATIVE Regulations addressing complaints can include the fol- ent in an information-based business moving people’s lowing elements: approaches and procedures for the money. effective handling of customer grievances, complaints, and disputes; protections for unauthorized and incor- Operational Risks rectly executed transactions; designation by EPAIs of an Risks stemming from the operation of an intermediary individual responsible for the complaints process; and and its underlying technology need to be mitigated. Inter- efforts to raise awareness about customer protections mediaries need to execute transactions accurately and in a and the corresponding process for recourse. timely manner. This requirement leads to operational risks stemming from the potential interruption in the continuity General consumer precautions are another avenue of of an intermediary’s operation as well as the intermediary’s regulation to protect consumers and merchants. Broad inability to recover from a disaster. EPAIs should undertake protections can be delineated and made more explicit. business-continuity planning, ensure proper systems are One example is the delineation of consumer liability under in place, and demonstrate the ability to address potential various scenarios. Another is the application of technical threats. The need to address failures in business continu- neutrality, ensuring merchant protection regardless of ity though disaster-recovery planning requires a demon- payment instrument or business model used.21 strated set of policies, tools, and procedures to be put in place to enable the recovery or continuation of vital tech- D. Management of Risks nology infrastructure and systems. As information- and technology-centric businesses, EPAIs present a number of broad overall risks. These risks require Another dimension of operational risk is the need for a risk-management framework as well as regulations for intermediaries to meet the criteria laid out in their ser- mitigating business, operational, and IT security risks. vice-level agreements. The increased complexity of coordination efforts across the payment value chain is General Governance and Risk-Management Framework just one element complicating these efforts. For exam- ple, EPAI service-level agreements may stipulate the The licensing and registration process under direct regu- elapsed time to onboard and provision an MSM for pay- lation generally has mechanisms in place for EPAI appli- ment acceptance.22 cants to demonstrate the competent governance of their firms. Competent governance helps to ensure the entities’ Other operational risks, such as IT, expose an organiza- efficient management and operations. In addition, good tion’s critical technical assets (for example, computers, risk management requires a framework to guide this activ- networks, and data) to unauthorized access. These risks ity within the management of risks to the firm. This too typically stem from the lack of robust technical infra- can be a requirement in the licensing process, with appli- structure and associated standards necessary to support cants demonstrating, for example, competence through efficient business execution. Robust infrastructure and the possession of a robust risk-management framework. standards can minimize risks of technical failure and unex- pected acts (for example, attacks, piracy, and fraud). EPAIs face general business risks stemming from their To remediate these risks, EPAIs must understand their business strategy and marketplace activities. These IT assets and the nature of risks posed to their assets, include decisions about market positioning—namely, the enabling the identification of gaps and their remediation. customer segments they have chosen to serve and the Such actions can help to protect information assets by solutions they offer, which might include a movement helping EPAIs understand and address their vulnerabili- beyond their core focus and their chosen business model. ties. Furthermore, organizations must be aware that these Some intermediaries, for example, may focus on riskier risks are not static and, instead, are continually evolving— merchant categories. In addition, there may be financial necessitating a process to make appropriate upgrades in risks stemming from losses in investments made to sup- response to developments, as necessary. One remedy is port these activities or the inability of the intermediary to require organizations to become certified ISO 27001 to continue its business or smoothly shut down due to providers. Organizations that meet the standard’s require- financial problems. Finally, negative impacts on an inter- ments can choose to be certified following successful mediary’s reputation can create business risk. Threats or completion of an audit by an accredited entity. dangers to the name and standing—to the reputation—of The storage of increased amounts of data and its poten- an intermediary stem from the inability to provide reliable tial access by outside parties present a unique cybersecu- service or address issues in a timely manner, the disclo- rity risk to EPAIs. This risk stems from potential attackers sure of confidential information, and incidents stemming seeking unauthorized access to data that may be located from the failure to address adequately the risks inher- REGULATORY ASPECTS OF INTERMEDIARIES IN ELECTRONIC PAYMENT ACCEPTANCE • 19 on an EPAI’s infrastructure, computer networks, and infor- A level playing field is required that does not favor one mation systems. The expansion of channels available for particular type of entity—new or established—to ensure data capture and transmission raise additional cyberse- a contestable and competitive marketplace.24 When the curity considerations—including navigating its increased playing field is not level, there is a risk that new entrants— complexity. not only small providers but also large players—can arbitrage regulation, because, as new entrants, they are E. Compliance not subject to the same level of regulatory scrutiny as established players (WBG 2019). Given these risks, efforts Compliance requires EPAIs to fulfill rules or standards should ensure that the playing field remains level for both to address risks external to their operating environment. current and potential entrants. A level playing field helps Compliance with regulations and laws may be addressed to guide actors by providing proper signals, ensuring that through policies or procedures. Merchant onboarding incentives are not distorted to support balanced innova- encompasses several activities across the acceptance value tion and a competitive market environment (Mastercard chain, including the solicitation of merchant applications, 2017). Market competitiveness is a market-wide objective, due diligence and enrollment, and, finally, merchant setup, and its implementation is generally addressed through training, and acceptance provisioning. During the onboard- general competition laws. However, there are cases in ing process, it is critical for EPAIs to validate the identify which a regulator has sought to address competition spe- of their potential merchant customers as well as address cifically through narrowly focused provisions. For exam- other critical decision points. They must validate business ple, this was done by including limits on funds that EPAIs ownership through know-your-customer efforts and col- may keep on behalf of their clients.25 lect information necessary to ensure proper setup of the merchant’s account. Proportionate risk-based approaches F. Managing Outsourcing Risks can be deployed to address the risks of onboarding, which could be designed so that they place less onerous informa- Firms outsource activities for several reasons. These tion requirements on low-risk merchants.23 include the ability to offer innovative services, reduce costs, or address new market segments. Outsourcing As part of the onboarding process, EPAIs must address certain activities—especially those that cannot be pro- and mitigate risks stemming from the potential for money vided competitively—can reduce fixed costs, effectively laundering and the financing of terrorism. Yet a balance lowering market entry costs and, in turn, supporting new must be achieved between the risks of money laundering entrants and increased competitiveness. Outsourcing by and the financing of terrorism and the need to financially EPAIs creates risks that regulators need to be aware of, include the MSMs. A risk-based approach, including sim- understand, and establish measures to mitigate. In direct plified requirements for low-risk merchant categories and regulatory regimes, regulatory efforts focus on address- through applying transaction limits and usage restrictions ing outsourcing by EPAIs. EPAIs may need to outsource (WB 2005; FATF 2013), can minimize risks of money laun- some of their functions. Activities outsourced by EPAIs dering and the financing of terrorism while propelling the can include merchant enrollment, IT, and data storage, growth of MSM acceptance. among others. Market Competitiveness Regulation pertaining to the auditing and supervision of EPAI outsourcing may include requirements for auditing Competitive markets are important because they pro- EPAIs as well as entities to which they, in turn, may have vide consumers with greater choice. Regulators can outsourced activities. One such area is data storage and ban exclusivity agreements between intermediaries the risks presented by outsourcing this function, such as and service providers as well as between intermediar- the security of data. This issue was raised in the section ies and merchants to support competition and increase on cybersecurity. One potential challenge is the amassing options for participants. Furthermore, regulators can put of market power by outsourcing partners. This can occur forth reasonable prudential requirements, such as capi- from specialization and consolidation among providers tal requirements, that reflect risk, ensuring easier market serving EPAIs—cloud-storage services being one exam- entry. These actions support an expanded choice set that ple (Khiaonarong and Goh 2020; FSB 2020). Increased stems from the innovation and competitive prices that market power by service providers may also make it more characterize such competitive markets and could, in turn, difficult for an EPAI to switch service providers and raise facilitate greater financial inclusion by enabling the viable issues regarding the provision of back-up services. Con- extension of financial services to difficult-to-reach under- centration may raise the potential for systemic risk, where banked and unbanked populations. a failure of a service provider may lead to a failure of the service provided by multiple banks through this service 20 • FINANCIAL INCLUSION GLOBAL INITIATIVE provider. Finally, increased specialization by providers Many authorities set the capital requirements based on associated with concentration requires regulators to pos- the nature of the business and the size of operations. sess the necessary technical skills to address service pro- vider processes fully. Regulatory purview and access are Supervisory elements associated with licensing can critical to ensure that regulators are able to exercise their include controls and contractual requirements. In the authorities. An outsourcing provider may fall outside of a licensing process, the regulator can stipulate controls in regulator’s purview because the provider is not subject the granting of the license. These controls, for example, to its regulation. The lack of purview prevents regulator might carve out areas of permissible operation for the access necessary to assess risks of their service providers intermediary, such as permitted merchant categories properly. Risk arises when, for example, a regulator has or limits on the size of merchants that can be served. In no physical access to stored data or its processing (WBG addition, mechanisms to facilitate monitoring of the delin- 2019). Hence, care must be taken in crafting regulations eated controls can be established as terms in the EPAIs to ensure that these providers do not fall outside the reg- licensing. Another vehicle is for the regulator to stipulate ulator’s purview. Alternatively, the regulator can require elements to include in contracts with participants across clauses in contracts between EPAIs and their outsourced the acceptance value chain. Contracts with acquirers providers that stipulate the right of the regulator or any might stipulate terms regarding permissible merchant delegate to audit the outsourced entity. turnover. In addition, service-level requirements can be established, including those related to client onboarding as well as other aspects of the onboarding process related 3.2 AUTHORIZATION OF INTERMEDIARIES26 to customer satisfaction and retention. Moving along the acceptance value chain, regulators may require contract- Under a direct regulation regime, authorization can be ing provisions be included in outsourcing agreements, to provided by licensing, registration, or even notification. address concerns about supervision and audit, thereby This authorization is typically granted to EPAIs by the ensuring that risks are addressed. For example, a right-to- financial-sector authority. In managing the authorization audit clause can ensure access and effective monitoring, process, the authority establishes guidelines and oversees to enable the regulator to conduct security audits on the and supervises the PSP. outsourcing provider (RBI 2020). Terms can also be included by EPAIs in their contracts In the authorization process, intermediaries must typically with merchants. Agreements may explicitly require mer- meet several macro prudential requirements intended to chants to undertake activities to comply with standards, mitigate risks. These requirements protect consumers and such as PCI-DSS and PA-DSS. In addition, agreements ensure the financial health of firms, promote market confi- may address data access in general by requiring mer- dence in the soundness of acceptance intermediaries, and chant agreements to include provisions for the security ensure the ability of EPAIs to conduct business safely and and privacy of customer data (RBI 2020, article 7.5). professionally. Requirements can potentially encompass Finally, agreements can seek to limit risks associated with several important dimensions of the applicant seeking exposure as well as to ensure compliance. The latter may authorization—for example, demonstrating that the appli- include graduated requirements of anti-money-launder- cant is a viable business entity with adequate capitaliza- ing/combating the financing of terrorism guidelines, plac- tion or showing that the firm is properly governed. Often ing limits on acceptance through the imposition of caps addressed through fit-and-proper requirements, these on daily transactions and volumes. ensure the sound, capable, and prudent management of the business. Furthermore, the regulator may require a risk-management framework from the applicant, in which 3.3 EXAMPLES OF REGULATORY MEASURES the risks faced by the firm are identified and approaches to their remediation are spelled out. Requirements for This section highlights some of the ways in which regu- authorization by regulators should be proportional to lation can be crafted to address the risks presented by the risks presented by the EPAI. Capital requirements, for EPAIs. It does so by identifying the objective of regulations example, should be proportional to the financial and oper- that have been instituted and provides some examples ational risks; intermediaries processing larger volumes of regulations from research on a number of countries. should be required to meet larger capital requirements. The focus in the last two sections is on selective risks pre- Singapore pursues a risk-based approach, requiring dif- sented by EPAIs, including customer protection, access to ferent licenses with corresponding obligations based on customer funds, access to customer financial information, processed amounts. Ghana established capital require- outsourcing, and the authorization of provider licenses. ments based on the type of intermediary seeking license. Finally, the merits of these regulations are discussed. REGULATORY ASPECTS OF INTERMEDIARIES IN ELECTRONIC PAYMENT ACCEPTANCE • 21 BOX 1 CASES OF DIRECT REGULATION OF EPAIs The box highlights several examples of the direct Singapore regulation of EPAIs, including Ghana, Thailand, Sin- Singapore’s Payment Services Act of 2019 sets gapore and the American state of Georgia. out an activities-based, risk-based, and right-sized licensing regime for certain payment services, Ghana including merchant acquisition services (Repub- The Bank of Ghana (2019), in addition to covering lic of Singapore 2019). The act sets out two types merchant acquirers, explicitly addresses payment of licenses—a standard payment institution (SPI) gateways. The bank’s definition of a gateway is con- license and a major payment institution (MPI) sistent with the definition established in chapter 2 license. SPI licensees cannot process more than $3 of this report; in addition, some standard security million in payments per month and are subject to requirements for gateway operation are stipulated capital requirements. MPI licensees have no pay- (BOG 2019). ment-processing limits and are subject to higher Ghana has separate licensing standards for accep- capital requirements than SPIs. The act also sets out tance intermediaries. Thus, the Bank of Ghana takes risk-mitigation standards for merchant-acquisition a direct approach to intermediary regulation. In its services in the areas of user protection, interoper- “License Categories and Permissible Activities,” the ability, and technology and cybersecurity (Republic Bank of Ghana outlines permissible functions of var- of Singapore 2019). Interestingly, licensees providing ious classes of “Payment Service Providers,” which merchant-acquisition services are not regulated for perform intermediary activities, including “merchant compliance with anti-money-laundering/combating aggregation,” “payment processing,” “biller/merchant the financing of terrorism requirements (Republic of aggregation,” and “third-party payment gateway ser- Singapore 2019). vices,” among other activities (BOG 2020). In Ghana, Banking institutions, including merchant banks, PSP licensing is mandated by the Payment Systems are not subject to the Payment Services Act because and Services Act of 2019 (Republic of Ghana 2019). they are already subject to a regulatory regime under the Banking Act. The Monetary Authority of Thailand Singapore indicates that banks and payment insti- Acquirers, payment facilitators, and other payment tutions are generally subject to similar requirements service businesses that provide “a service of receiv- (MAS 2019b). ing payment on behalf” must be licensed with the Ministry of Finance (Kingdom of Thailand 2018; BOT American State of Georgia 2018e). Acquirers and acceptance intermediaries are Some states in the United States have direct regu- subject to a similar regulatory regime in Thailand. latory or at least licensing jurisdiction over EPAIs. Thus, Thailand takes a direct approach to the regu- This is the case for the state of Georgia, which lation of intermediaries. The Bank of Thailand’s pay- has developed a specialized charter for merchant ment services regulations (BOT 2018e) and licensing acquirer limited purpose banks (MALPBs). The instructions (2018b) set out a variety of standards charter allows MALBPs to access payment card net- for acquirers and acceptance intermediaries. No works directly, without the sponsorship of another distinction is made between bank and non-bank regulated financial entity. In addition, it sets out a acquirers in Thailand’s standards; presumably, they number of requirements for MALPBs. PayPal and apply to both. Thus, in addition to regulating acquir- Square are licensed by the Georgia Department of ers, Thailand takes a direct approach to regulating Banking and Finance as MALPBs.27 acceptance intermediaries. 22 • FINANCIAL INCLUSION GLOBAL INITIATIVE Access to Customer Funds ownership rights associated with customer data. These changes are arising, in part, in response to innovation that Setting obligations and controls is a means to ensure provides new ways and business models for the use of the proper access by intermediaries to customer funds. payments data, including open-banking application pro- Intermediaries typically need to open accounts with a gramming interfaces.30 The questions raised by the use of bank—which are treated as internal accounts of banks—to customer data will become increasingly relevant to EPAIs facilitate their collection of payments from customers and as they continue to evolve their service offerings. merchants. One control is for regulators to require banks The key questions concerning customer data currently to ensure that such accounts are not maintained and addressed by regulators with respect to EPAIs focus on operated by intermediaries.29 Regulators often require access and legitimate use—namely, how is access pro- payment facilitators to have an escrow account with a vided, and when is access granted? More specifically, commercial bank in which they hold collected funds. A what are the sanctioned uses of customer data? Regu- regulator may treat the intermediary as a designated pay- lators have addressed access in several ways. One is to ment system (service provider).29 address the technology used in providing payment ser- Two approaches to the treatment of funds settlement vices, even highlighting technologies that could be used were observed. One treatment focused on process. This for customer authentication (Chamber of Deputies 2018). explicitly grants some intermediaries the right to per- Another approach focuses on merchant agreements, form settlement and requires controls in the form of pro- requiring the inclusion of provisions for the security and cesses and procedures (Indonesia). A second approach is privacy of customer data (RBI 2020). Two explicitly per- outcome based and provides guidance on the timing of mitted uses of EPAI customer data were observed in the settlement. An obligation on settlement timing implicitly reviewed regulations: access to customer data to validate recognizes that intermediaries conduct settlement through funds availability for the authorization of payment trans- accounts they manage directly or indirectly. The net effect actions (PSD2, article 65) and its use in fraud mitigation of an approach focused on timing is to provide greater (PSD2, article 94) (EU 2015a). predictability of funds flow. Such predictability is critical Going forward, some regulators may continue to rec- for financial planning by customers, especially micro and ognize individuals’ enhanced ownership rights over their small businesses that may face liquidity constraints. personal data. Some changes are arising in response to innovation brought by fintech and developments in open The risks associated with access to customer funds com- banking, both of which leverage payment system data pels regulators to establish requirements for the treat- and new types of intermediaries. ment and safekeeping of funds by EPAIs. Intermediaries The developments in data use highlight a trade- are generally obligated to segregate customer funds into off between enabling innovation—with its potential of separate accounts for safekeeping. A regulator may extend increasing inclusion through improved economics—and these obligations by stipulating requirements for access providing individuals with greater control over their data to customer funds, should an intermediary become insol- through the rights of ownership. It is important to struc- vent. A number of regulators have addressed the treat- ture rights and permissible uses in a manner that com- ment of payments made before the delivery of goods or plements continued innovation; the challenge lies in services. One approach to minimize the risks stemming achieving the optimal balance. from asynchronous activities is to require intermediaries to maintain reserves in an escrow account with a com- Customer Protections mercial bank (India). Though an EPAI is not the owner of funds in the escrow account, the intermediary can influ- Several approaches by regulators for protecting custom- ence the movement of funds to and from the account. ers were observed; they differ primarily in breadth and Finally, while not observed in our review, a regulator could area of focus. For example, regulations addressing com- require an intermediary to hold other types of guarantees plaints might include some of the following elements: with its bank partner. approaches and procedures for the effective handling of customer grievances, complaints, and disputes (RBI Access to Customer Data 2020; BI 2016; Chamber of Deputies 2018); extending protections to both unauthorized and incorrectly exe- Regulators have established requirements for access to cuted transactions (EU 2015a); requiring EPAIs to desig- customer data to ensure the protection of EPAIs and their nate a responsible individual for the complaints process customers. The focus of these requirements is to ensure (RBI 2020); and efforts to raise awareness through edu- the safety of customer data as well as its legitimate and cation. The RBI in 2020 established the need for EPAIs to sanctioned use. While beyond the scope of this paper, develop a policy to address complaints by payment ser- changes are emerging with respect to the underlying REGULATORY ASPECTS OF INTERMEDIARIES IN ELECTRONIC PAYMENT ACCEPTANCE • 23 vice users. Bank Indonesia in 2016 focused more broadly regulator requires that an EPAI to indicate in such a doc- on the need to provide customer protections (BI 2016). ument “how they ensure a high level of technical security Regulation issued by the RBI in 2020 focuses on aware- and data protection, including for the software and IT sys- ness and education, seeking to ensure customer access tems used by the applicant or the undertakings to which to provider policies through several channels, including it outsources the whole or part of its operations” (EU websites and mobile applications. 2015a, article 5.1). More commonly, EPAIs may enter into A broader approach to customer protections might outsourcing arrangements after they have been licensed. require the development of a dispute-management frame- Most regulators require financial institutions and EPAIs to work. This could include customer redress, to ensure the abide by existing outsourcing regulations. These typically resolution of disputes, as well as the appointment of an require an EPAI to report about their outsourcing arrange- officer to be responsible for handling customer griev- ments to the regulator. Several regulatory provisions were ances (RBI 2020). A clear delineation of roles and respon- observed with the goal of addressing concerns about sibilities around actions necessary to protect customers supervision and audit. These provisions focused primarily could be detailed in contracts between stakeholders (RBI on the inclusion of clauses into contractual agreements 2020). between EPAIs and their outsourcing partners as a mech- A more specific regulatory approach spells out afford- anism for mitigating risk concerns. For example, in this ed customer protections. For example, the European regard, the RBI states that “there shall be an outsourc- Union clarifies liability in a several scenarios. This includes ing agreement providing ‘right to audit’ clause to enable unauthorized and incorrectly executed transactions—with the entities/their appointed agencies and regulators to liability for unauthorized transactions, their correct exe- conduct security audits. Alternatively, third parties shall cution, and the burden of proof for fraud and negligence submit annual independent security audit reports to the assigned to the service provider (EU 2015a, article 71). entities” (RBI 2020, annex 2, 1.17). Other afforded protections can include providing cus- tomers with clear information, transparent pricing, and, Motivations for including clauses in EPA outsourcing finally, spelling out protections afforded to accepting contracts may differ. A right-to-audit clause can ensure merchants.31 In addition, there are stipulations for incident access and effective monitoring to enable the regulator to reporting when personal data is compromised (India). conduct security audits on the outsourcing provider (RBI Other regulators may refer to separate legislation that 2020). Other regulators may be particularly concerned comprehensively spells out rights of financial services with recourse and legal purview. Regulators need legal users. This is the case in Mexico, where consumer rights recourse to oversee relevant activities of outsourced pro- are detailed in the Law for the Protection and Defense of viders. Recourse can be addressed by contractual clauses the User of Financial Services. between EPAIs and outsourcing providers. For example, a regulator may require bank contracts with intermediar- Outsourcing ies to specify the need for bank approval of intermediary efforts to outsource activities authorized in their contract. In direct regulatory regimes, regulatory efforts address outsourcing by focusing on the activities and contractual Yet another nuance in the motivation to include contrac- arrangements of EPAIs. Regulators recognize the need tual clauses is ensuring effective monitoring. In this case, for EPAIs to outsource some functions to support their the regulator may stipulate a clause requiring that the operations. An option for mitigating these risks is for the outsourcing of important operational functions does not regulator to make an EPA fully liable for the actions of impair internal controls or the ability of authorities to mon- their outsourcing partners. This stipulation would provide itor compliance. For example, this has been the case for the incentive for additional vigilance on the part of EPAIs the outsourcing of data-storage capabilities, which raises and, in turn, provide additional protection to their bank a number of concerns for regulators. These various treat- partners. ments of outsourcing—in a direct regulatory regime—put the responsibility squarely on the intermediary. As such, Outsourcing arrangements may already exist at the time they are distinct in focus from indirect regimes, where the authorization is sought by an EPAI. Alternatively, they can burden is put directly on the acquirer. be entered into after their licensing. If outsourcing is being pursued at the time of provider authorization, the regula- Authorization of Provider Licenses tor may require the applicant to provide additional details on the nature of the proposed agreements. This could The decision to authorize an EPAI depends on the appli- include the provision of an outsourcing policy document cant demonstrating that its business is sound, well run, that addresses, among other things, security aspects. One and able to address the risks presented by the services 24 • FINANCIAL INCLUSION GLOBAL INITIATIVE it intends to provide. When risks presented by the PSPs’ the competence of the parties (BI 2016, article 13). Still activities are minimal and have not warranted licensing, others (for example, in the European Union) require a registration may prove sufficient, thus providing the reg- description of governance arrangements (EU 2015a, ulator with a means for monitoring development (EU article 5e). Regulators can also seek additional input by 2015a, para. 47). This view is echoed by the Bank for Inter- reaching out to external parities to get their views on the national Settlements, which notes that non-banks may be capability of the applicant’s management (RBI 2020, arti- licensed, but that they can also be registered with appro- cle 5.1). Regulators may also require applicants to submit priated authorities if the risk associated with the interme- a business plan and a feasibility analysis regarding their diaries’ activities do not warrant licensing (CPMI 2014). intended activities. Regulators, however, must be careful not to put forward too many licensing categories, as this could result in a loss Management of Risks of regulatory clarity. This section touches on some of the In addition to the two common requirements for suffi- authorization requirements being used by selected regu- cient as well as effective governance and management, lators in the licensing of EPAIs. regulators may require intermediaries to satisfy addi- tional requirements related to their ability to manage A key requirement for authorization is an applicant’s risk. A regulator may require applicants to submit an over- demonstration of its financial stability. Capital require- all risk-management framework, or they may stipulate the ments are a common approach for ensuring stability. They need for a technology framework. These requirements should not reflect a one-size-fits-all approach but, ideally, should not be viewed as static. Given market innovation, should be tailored to the activities of intermediaries and some regulators have put forward updates, for example, their risks. Regulators may want to consider the use of a to the authorization process to address new risks that guarantee, such as indemnity insurance, in lieu of capital. have emerged. For example, the European Union’s revised Payment Services Directive (PSD2) included updates that Authorization commonly requires a demonstration by sought to enhance the level of payment security—namely, the applicant of effective governance together with fit- requiring a security policy document as well as a descrip- and-proper management of the firm. Several approaches tion of procedures for managing security incidents, con- with varying levels of rigor have has been observed for tingency procedures, and so on.32 Another example is instituting this requirement. One requirement is to pos- requiring PSPs, as a general rule, to apply strong cus- sess a board of directors (Chamber of Deputies 2018). tomer authentication (EU 2015a, article 97). Other regulators (for example, Bank Indonesia) consider REGULATORY ASPECTS OF INTERMEDIARIES IN ELECTRONIC PAYMENT ACCEPTANCE • 25 Regulating Acquirers and 4.  Their Outsourced Services This chapter focuses on a regulatory approach to EPAIs Acquirers are required to manage different types of that treats them as outsourcing providers to merchant risks. The Bank of Thailand mandates a board-approved acquirers. The focus in this approach is on regulating an risk-management policy for acquirers. The RBI requests acquirer’s outsourcing actvities—in effect, an indirect, that acquirers seek board approval for a policy statement rather than direct, approach to regulating an interme- regarding their approach to merchant acquiring. Several diary.33 Addressing acquirer outsourcing takes up the regulators, such as the Bank Negara Malaysia (BNM), RBI, activities of intermediaries. Acquirer regulation is first FDIC, and OCC, stress the need for acquirers to perform addressed to provide context and a point of departure to adequate merchant due diligence, training, and trans- examine the regulation of acquirer outsourcing. action monitoring. US regulators focus on the merchant The chapter is organized into three sections. Section underwriting process, including review and approval 1 lays the groundwork by highlighting relevant themes in of merchants, identification of prohibited or restricted acquirer regulation. Section 2 reviews the motivation for merchants, and charge-back monitoring. The US state acquirer outsourcing, associated risks, and their mitiga- of Georgia requests acquirers to have a chief risk officer tion. Section 3 focuses on authorization of acquirer out- responsible for measuring, monitoring, reporting on, and sourcing. controlling risks inherent in payment processing, includ- ing operational and technological risk, credit risk, liquidity risk, legal and compliance risk, reputation risk, market risk, 4.1 REGULATING MERCHANT ACQUIRERS and strategic risk, among others. In many jurisdictions, regulators generally exercise direct Many regulators, such as the RBI, give specific attention authority over acquirers by enforcing acquirer regula- to IT risks, including setting standards such as PCI-DSS tions. Acquirer regulations tend to address the types of for acquirers. Some regulators may require the adoption permitted acquirers, their responsibilities and obligations, only of robust IT and data security standards. The BNM minimum macroprudential and functional requirements, requires an acquirer to manage the risks presented by its governance, and their obligations for outsourced services. technology and technology operations (for example, data In some cases, that latter includes specific obligations center infrastructure and operations, network resilience, regarding EPAIs.34 third-party service providers, cloud services, access con- 26 • FINANCIAL INCLUSION GLOBAL INITIATIVE trol, and the security of digital services) and to manage not credit institutions, the risk of greatest concern regard- its cybersecurity risks. Furthermore, regulators generally ing non-bank acquirers is their ability to manage credit stress the need to manage fraud risks and also to enforce risks associated with merchants and adequate settlement dispute-resolution measures. of merchants’ accounts. Hence, regulations for non-bank acquirers put emphasis on prudential requirements and Regulators may allow non-banks to act as acquirers. Non- credit risk mitigation. bank acquirers are direct participants in card schemes; hence, they may have access to the card scheme’s clear- The regulation of outsourcing by merchant acquirers can ing and settlement functions as well as full liability for vary for EPAIs. In addressing outsourcing to intermedi- merchants’ funds. Due to the lack of access to the domes- aries, some regulators may take a general approach by tic or international settlement systems, many non-bank establishing general rules for outsourcing financial ser- acquirers use the services of a commercial bank to act vices. Furthermore, they may treat intermediaries as TPPs as their settlement bank. A non-bank acquirer will need of acquirers. As a result, no specific regulations are devel- to be an authorized member of the card schemes they oped for intermediaries. Therefore, only general outsourc- support, but some jurisdictions may also require them to ing rules apply to them. Other regulators may choose to be registered or licensed by the domestic regulator. Regu- issue regulations specifically addressing the outsourcing lators may issue regulations for non-bank acquirers, while of activities to EPAIs. no similar regulations exist for bank acquirers. As they are BOX 2 REGULATING MERCHANT ACQUIRERS This box highlights key aspects of merchant acquirer Furthermore, the policy document’s proposed regula- regulations, proposed regulations, and supervisory tions outline specific capital requirements for non-bank standards in several jurisdictions. Where relevant, inter- acquirers (BNM 2021, article 9). actions with intermediary standards are highlighted, as The BNM makes clear that the proposed policy doc- well as observations on their implications for the regula- ument regulations do not apply directly to payment tion of outsourcing activities. The markets examined are facilitators, as the BNM has specified the criteria of mer- Nigeria, Malaysia, the United States, India, Indonesia, the chant acquirers that would be required to comply with American state of Georgia, and the European Union. the regulation. These include acquirers that are direct participants in a payment network providing merchant Nigeria acquiring services (BNM 2021, 2.1), namely: “The criteria The Central Bank of Nigeria has issued the “Regulatory would cause third party acquirers/payment facilitators Framework for Non-bank Acquiring in Nigeria,” which to be scoped out from the requirements in this policy spell out roles, responsibilities, and other requirements document. Therefore, current third-party acquirers/pay- for merchant non-bank acquirers (CBN 2021). The central bank’s framework regulates aspects such ment facilitators will not be within the purview of FSA, as requirements for merchant agreements, merchant although still allowed to conduct their business” (BNM underwriting, merchant risk monitoring, third-party 2020, 2). Importantly, though, the proposed regula- agent risk, settlement arrangements, and risk manage- tions outline a variety of requirements for acquirers with ment, among other factors. respect to EPAIs. Malaysia’s proposed regulations repre- In a number of cases, the regulatory framework of the sent an example where service providers are considered Central Bank of Nigeria directs non-bank acquirers to an outsourced business. adhere to card scheme rules. United States Malaysia Two of the three US federal banking regulators—the The Bank Negara Malaysia (BNM) has issued a policy Federal Deposit Insurance Corporation and Office of document detailing the regulatory requirements for pro- the Comptroller of the Currency (OCC)—have specific posed detailed regulation of registered merchant acquir- sections in their examination manuals dedicated to mer- ers, covering governance, operational requirements, and chant processing (FDIC 2007; OCC 2014). These manuals IT security controls (BNM 2021). Malaysia’s proposed set out expectations for bank acquirers and bank exam- regulations apply to both bank and non-bank acquirers. iners reviewing merchant processing activities. Though REGULATORY ASPECTS OF INTERMEDIARIES IN ELECTRONIC PAYMENT ACCEPTANCE • 27 BOX 2, continued the manuals are fairly similar, the OCC’s is more recent The RBI merchant acquiring standards maintain that and addresses a wider variety of issues. Both manuals “wherever the activities are outsourced, the respective identify similar risks associated with merchant process- acquiring banks would still be responsible for ensuring ing, including strategic risk, credit risk, operational or adherence to the standards” (RBI 2011a, 38). This rep- transaction risk, compliance risk, and reputational risk. resents an outsourcing relationship. However, in 2020, The manuals also lay out key risk-management and con- the RBI issued specific regulations related to payment trol imperatives for acquirers. The referenced manuals aggregators and payment gateways (RBI 2020b), rep- do not include non-bank acquirers. Non-bank acquirers resenting a new direct approach to EPAI regulation. are addressed at the state level; an example, the Amer- Indonesia ican state of Georgia, is provided below.35 The regula- Merchant acquirers are required to be licensed in Indo- tion of non-bank acquirers currently falls to the state nesia through Bank Indonesia’s card-based payment financial regulators. However, the OCC has recently sig- instrument regulations (BI 2009a). Acquirers must naled that it would like to pursue a national “payments demonstrate business feasibility and operational read- charter” that would likely cover non-bank acquirers. As iness. They must have a risk-management plan that with its proposed fintech charter, the move faces legal outlines measures for mitigating liquidity risk, credit challenges from state regulators (Beyoud 2020). risk, operational risk, and reputation risk (BI 2009b). At the federal level, two of the three banking reg- Additionally, acquirers need to have adequate security ulators currently consider intermediaries under out- procedures in place for protecting data and authenti- sourcing regulation. If approved, the OCC’s proposed cating the identity of customers. Further, Bank Indo- payments charter would represent a more direct nesia’s card regulations stipulate that the bank will approach to intermediary regulation. Currently, some supervise acquirers, focusing on risk management, reg- intermediaries, such as payment facilitators, are consid- ulatory compliance, and customer protection. The bank ered money services businesses by the state financial (2009a) defines an acquirer as a “Bank or Non-Bank regulators and have to obtain licenses to operate in the Institution cooperating with merchant in the process- states. PayPal and Square, for example, are licensed by ing of data for card-based payment instruments issued most American state financial regulators. by other parties” (BI 2009a, article 1.10, 5). Article 7 of India the regulations (BI 2009a) makes clear that banks or The Reserve Bank of India (RBI) adopted standards non-banks can serve as acquirers, and both require a on merchant sourcing and monitoring for commercial license. banks in 2011 that include merchant acquiring risk-man- American State of Georgia agement elements (RBI 2011a, 2011b). The standards In 2012, the American state of Georgia developed a spe- were to be implemented by September 2012. In 2016, cialized charter for merchant acquirer limited purpose in an effort to “encourage banks to expand card accep- banks (MALPBs) (Georgia General Assembly 2012). tance infrastructure to a wider segment of merchants,” MALPBs “perform merchant acquiring activities or set- the RBI emphasized that banks “may put in place their tlement activities” (Georgia General Assembly 2012, own Board approved policy on merchant acquisition” 7-9-2[4]). MALPBs must be chartered by the Geor- (RBI 2016, 1). In 2017 and 2020, the RBI began permit- gia Department of Banking and Finance. The charter ting cooperative banks (RBI 2017a) and regional rural allows them to access payment card networks directly, banks (RBI 2020a) to serve as merchant acquirers. without the sponsorship of another regulated financial However, equivalent regulation is unavailable for non- institution, effectively enabling non-bank acquiring. bank acquirers. These measures were taken to further The MALPB Act and the department’s policy statement expand EPA to unserved merchant segments. The on MALPBs (GDBF 2014) set out of a variety of require- notices establishing these standards include risk-man- ments for these entities. The MALPB charter discussed agement requirements similar to those outlined by the above applies to entities that would otherwise be con- RBI (2011a) for commercial banks. They also stipulate sidered non-banks. As with the other state banking reg- standards for financial soundness, including minimum ulators in the United States, the Georgia Department of capital and maximum nonperforming asset ratios for Banking and Finance has regulatory jurisdiction, along cooperative and regional reserve banks seeking to with either the Federal Deposit Insurance Corporation serve as acquirers. continued 28 • FINANCIAL INCLUSION GLOBAL INITIATIVE BOX 2, continued or the Federal Reserve, over commercial banks that are transactions,” which “means a payment service pro- chartered in Georgia. Therefore, it would likely regulate vided by a payment service provider contracting with commercial bank acquirers through its general-purpose a payee to accept and process payment transactions, bank regulatory standards. States generally have more which results in a transfer of funds to the payee” (EU direct regulatory jurisdiction over non-bank payment 2015a, article 4[44]). The European Union indicates that companies than federal regulators. the directive “introduces a neutral definition of acquir- At the American state level, states may have some ing of payment transactions in order to capture not direct regulatory, or at least licensing jurisdiction, over only the traditional acquiring models structured around certain EPAIs. This is applicable for the state of Geor- the use of payment cards, but also different business gia. For example, PayPal and Square are licensed by the models, including those where more than one acquirer Georgia Department of Banking and Finance. is involved” (EU 2015a, para. 10). It does not, however, address non-bank acquirers. PSD2 stipulates that “pay- European Union ment institutions” must be authorized and subject to The European Union’s revised Payment Services Direc- capital requirements and safeguarding requirements, tive (PSD2) authorizes acquirers as payment institu- among other standards (EU 2015a, articles 7–10). tions, and the rules are applied equally. Among other functions, the definition includes “acquiring of payment MANAGING THE RISKS OF ACQUIRER 4.2  In indirect regulation, there are two approaches to the OUTSOURCING regulation of acquirer outsourcing. A regulator can gen- erally address outsourcing to EPAIs through general Acquirers face barriers that can prevent them from outsourcing regulations. Alternatively, a regulator can achieving commercially viable economics and scale in address acquirer outsourcing to EPAIs explicitly. This efforts focused on financial inclusion. Outsourcing some may include the stipulation of acquirer requirements spe- functions can help them to address some of the follow- cifically addressing the activities of EPAIs. Under both ing barriers: organizational inertia, which prevents align- approaches, the responsibility for outsourced activities ment with segment needs; high costs, which prevent the ultimately rests with acquirers.36 achievement of viable business economics; and a lack of innovation focused on segment needs. In many markets, The scope of regulations addressing acquirers and their especially those with poorly developed acceptance foot- outsourced services to intermediaries varies across juris- prints, the focus has been on business models and products dictions. Regulation in the United States, by focusing on that do not address the needs of small and medium-sized the management of processor relationships, addresses a enterprises (SMEs), ill equipping many acquirers to serve broad cross section of EPAIs, as does Malaysia, by address- this segment. Outsourcing provides an opportunity for ing all outsourced parties. Egypt, on the other hand, specif- merchant acquirers to quickly refocus on the growing ically focus on payment facilitators, payment aggregators, SME opportunity—for example, through quick and agile and gateways. An explicit focus on EPAIs addresses sev- deployment of necessary capabilities. Outsourcing pro- eral of the same issues tackled in direct regulation but vides an approach to deploy lower-cost business models with oversight responsibilities placed on the sponsoring and delivery approaches to reach SMEs quickly. Improved bank or acquirer. Furthermore, the risks presented to bank economics help to reach smaller merchants. Appropri- and non-bank acquirers by outsourcing, and specifically ate outsourcing arrangements are focused better on by intermediaries, are similar. The difference between the segment needs, equipping acquirers to reach SMEs with two, however, is that non-bank acquirers cannot rely on propositions that resonate. This may include, for example, a legacy bank regulation as a vehicle in mitigating these products and associated processes, staffing models, agile risks. In general treatments of outsourcing, it is common systems, and distribution channels better aligned to the for regulators to point out the need for regulatory compli- needs of the SME segment. Outsourcing partners may be ance by their partners with local laws and regulation (RBI younger, nimble firms, generally not burdened by legacy 2006; CBK 2014; FSB 2020). For example, similar to PSD2, technology and processes. Kenya’s national payment system regulations make clear REGULATORY ASPECTS OF INTERMEDIARIES IN ELECTRONIC PAYMENT ACCEPTANCE • 29 that PSPs cannot outsource core functions if the outsourc- Regulation through outsourcing may also misread reality, ing arrangement would impair PSPs’ internal controls or as outsourcers vary, and since the dimension of players the Central Bank of Kenya’s ability to supervise the PSP; might vary, or these operators may combine activities furthermore, several authorities note the regulation of out- that might increase risk, reinforcing the need for due sourcing should not be a hurdle for supervision. diligence, monitoring, and the ability to audit. The FDIC provides guidance that banks adopt board-approved Acquirers face strategic, legal, and compliance risks in payment processor approval programs that establish a outsourcing to EPAIs. Merchant acquisition encompasses bank acquirer’s risk tolerance with respect to payment several activities to identify, recruit, and contract with processors, verification approaches, and ongoing moni- approved merchant prospects. An acquirer may not pos- toring mechanisms. (See box 3.) These efforts may signal sess the appropriate staffing models, expertise, and asso- the need to implement an exit strategy. This is addressed ciated processes to address the economic needs of MSMs. in a later section on outsourcing contracts. By outsourcing this function, some acquirers may be able to open up the MSM segment. One risk that may emerge Regulators can seek to protect consumer data by high- is aligning the merchant mix onboarded by the interme- lighting existing requirements and the need for acquirers diary with the portfolio and targeted market goals of the to comply with measures. One avenue for protecting con- acquirer, identified as the strategic risk (FDIC 2014; OCC sumer data is to require outsourcing providers to abide by 2008). This also includes reputational risks that stem from bank standards regarding risk-management practices and the failure of an intermediary to perform its obligations information security policies regarding such information properly. Another risk is ensuring that partners adhere to (CBE 2019, article 6-1-4, 14). This is a gap that may need to required processes, as the acquirer bares ultimate risk. The be addressed for non-bank acquirers. Another avenue is to Bank for International Settlements’ Joint Forum points out provide outsourcers with guidance on the permissible use the need to address these risks in its guidelines on bank of customer data, given the importance of data in innova- outsourcing (BCBS 2005). A regulator can mitigate such tive new products and business models.37 Finally, there is risks by developing clear policies for working with accep- potential for outsourcing partners to outsource to fourth tance intermediaries and outsourcing in general (FSB parties such data-sensitive activities as data storage.38,39 2020; RBI 2006). Furthermore, an acquirer can address This practice activity raises new risks around regulatory many of these risks by incorporating provisions and obli- purview, regulator access, and the need for a regulator to gations into its provider agreements. possess the technical skills needed to assess such special- ized fourth parties. One mechanism for addressing such Regulators may require due diligence by acquirers before risks is to require approval by the acquirer bank for inter- they can enter into a contract with an intermediary. Risks mediaries’ outsourcing activities. identified during due diligence can be addressed through appropriate measures to control and manage risks, as well The protection of consumer funds can be addressed as on-going acquirer monitoring. These measures should by requirements on both acquirers and EPAIs. Require- ensure the adequacy of systems, staff capabilities, appro- ments can be tailored to the nature of acquirer control priateness of procedures, and roles of management and over settlement—namely, by the acquirer or through an the board. At a high level, requirements can address due intermediary settlement to the accounts of its submer- diligence and assessment reporting, such as risk assess- chants. Regulators generally stipulate that acquirers ments highlighted earlier in this section (BCBS 2005; RBI are ultimately responsible for payment and settlement 2006; CBE 2019, article 6-1-5, 14). Another area of miti- risk (BNM 2021), while specific requirements may differ gation is intermediary monitoring reports. And yet, while depending on the services an intermediary provides (that “regulation through outsourcing” may rationalize monitor- is, provision of merchant acceptance or enablement of ing, focusing the regulator on key players—the acquirer, in different payment types). Intermediaries, for example, this case—it can concentrate risk and responsibility over might be required to settle funds within a specific time such key players. Among other things, monitoring can frame to submerchants’ accounts, ensuring the predict- include transaction monitoring of financial institutions to ability of cash flows. Regulators may also stipulate that an ensure compliance with agreed upon service-level agree- acquirer establishes a mechanism to ensure the complete ments, charge-backs, consumer complaints, and sub- control of settlement to submerchants based on the value merchant monitoring, as well as suspicious activities, and of a predefined guarantee (CBE 2019, article 6-2-5, 15). incidents (CBE 2019, article 4-3, 12; FDIC 2014; OCC 2008; Submerchant funds may be required to be segregated in BNM 2020). Such reporting requires access to acquirer a separate account, with the sponsoring acquirer (CBE information and the ability to audit service providers (FDIC 2019, article 6-2-16-4, 17). 2014; OCC 2008; BNM 2021). 30 • FINANCIAL INCLUSION GLOBAL INITIATIVE Customer protection requires clear rules, a system for payment system, based on the delivery channel used. recourse, and an awareness of rights. In an indirect reg- Malaysian regulators, on the other hand, require acquir- ulatory regime, the emphasis is on acquirer efforts to ers to ensure that their outsourcing partners have dis- establish a risk policy addressing consumer protections pute-resolution mechanisms for merchants (BNM 2020). (for example, refunds, fraud, and disputes). Clear rules are Regulators may also require that acquirers ensure that needed for settling disputes between the system users. their intermediaries undertake activities to raise aware- The Egyptian regulator, for example, requires the spon- ness among submerchants on how to exercise these soring acquirer to establish clear rules for the resolution rights, including how to use the system, extract required of disputes that may arise between the parties using the reports, and access data on specific transactions, and the BOX 3 REGULATION OF OUTSOURCING TO EPAIs This box illustrates several examples of regulating out- related to strategic risks, operational and transaction sourcing to EPAIs. The examples focus on regulations risks, compliance and legal risks, and reputational risks tailored to EPAIs and address the cases of Egypt, the (CBE 2019, article 3). Further, they stipulate standards United States, and Malaysia.40 for anti-money-laundering/combating the financing of terrorism, suspicious activity reporting, and expecta- Egypt tions for information-security policy (CBE 2019, arti- The Central Bank of Egypt’s (CBE) 2019 standard “Tech- cles 4 and 5). More broadly, the standards set a wide nical Payment Aggregators & Payment Facilitators Reg- variety of “general rules for banks” using these inter- ulations” represents perhaps the clearest example of mediaries (CBE 2019, article 6). an indirect approach to EPAI regulation. The CBE stip- ulates several requirements for banks41 vis-à-vis their United States acquirer relationships with intermediaries that are tai- The United States represents another example of reg- lored to intermediary activities. The regulations apply ulating acquirers’ outsourced activities, with a focus to banks’ relationships with payment facilitators and on acceptance intermediaries. Specifically, the FDIC technical payment aggregators.42 and OCC have issued guidance on managing payment The minimum standards lay out a wide range of processor relationships (FDIC 2014; OCC 2008). It is requirements for banks. Above all, banks seeking to important to note that these agencies discuss payment use technical payment aggregators or payment facil- processors in a broad sense, encompassing payment itators must obtain a license from the CBE to do so facilitators/aggregators and third-party payment pro- (CBE 2019, article 10). Further, banks must set out cessors. These guidance publications are complemen- board-approved policies and strategies (CBE 2019, arti- tary to the FDIC’s and OCC’s merchant processing cle 2) with respect to intermediary relationships that examination manuals. address, among other things, risk-analysis approaches, The FDIC guidance stresses that banks should estab- risk monitoring, control and mitigation, on-site inspec- lish contracts with payment processors that ensure tion, due diligence, and risks related to refunds, fraud, their timely access to relevant information and their disputes, and bankruptcy. The standards go on to lay ability to close accounts or terminate contracts when out more specific considerations and expectations necessary. The contracts should also stipulate ade- Responsibility Specific Imperatives Due diligence and underwriting Perform background checks of payment processors and merchants Verify that merchants are legitimate businesses Ensure that payment processors verify and review merchants Ongoing monitoring Ensure that payment processor provides information on merchants Monitor levels of unauthorized returns, charge-backs, and other suspicious activity Actively monitor consumer complaints against processors Conduct periodic audits of payment processors File suspicious activities reports and terminate relationships when necessary continued REGULATORY ASPECTS OF INTERMEDIARIES IN ELECTRONIC PAYMENT ACCEPTANCE • 31 BOX 3, continued quate reserve requirements for charge-backs. The FDIC and gateways. In addition, the proposed regulations guidance further requests that banks adopt board-ap- specifically mention merchant recruitment agents and proved payment processor approval programs that IT service providers. Key outsourcing imperatives for establish banks’ risk tolerance with respect to payment acquirers include the following: processors, verification approaches, and ongoing mon- • Maintaining responsibility for outsourced activities itoring mechanisms. The FDIC and OCC guidance publications are similar, • Ensuring that outsourcing partners verify that mer- focusing on due diligence, underwriting, and ongoing chants are legitimate and not involved in fraudulent monitoring of payment processors and their merchant or illegal activities clients. The guidance publications argue that these • Ensuring that payment facilitator partners can han- relationships often present heightened risks of various dle payment and settlement risk and settle transac- forms, due to the fact that banks—as acquirers oper- tions for merchants in a timely manner ating with intermediaries—often will not have a direct • Assuming responsibility for settlement when pay- relationship with merchants. Such risks include strategic ment facilitators fail risk, credit risk, operational or transaction risk, compli- • Conducting ongoing monitoring and periodic audits ance risk, and reputational risk. The FDIC guidance also of outsourcing partners, including the periodic mon- discusses the potential for heightened fraud risk, mon- itoring of submerchant transactions ey-laundering risk, consumer protection risk, and legal risk. The table below catalogs selected risk-manage- • Ensuring that outsourcing partners have dispute-res- ment and control responsibilities assigned to banks in olution mechanisms for merchants their relationships with payment processors as outlined • Conducting due diligence of outsourcing partners, in the OCC’s and FDIC’s guidance including the assessment of their financial viability and risk-management capacity. In addition, assessing Malaysia the extent of the concentration of risk with respect to One of the pillars of Malaysia’s proposed acquirer regu- a single provider and mitigations measures. lations (BNM 2021) is promoting the use of outsourcing arrangements. The proposed regulations address spe- • Establishing detailed outsourcing agreements with cific issues related to acquirer relationships with accep- service provide. Furthermore, subcontracting by the tance intermediaries, including payment facilitators service provider will not dilute its accountability. ability to raise and research objections as well as docu- payments, including monitoring policies, measures, and ment such transactions (CBE 2019, articles 6-2-12 and controls, individual responsibility, and execution mech- 6-2-13, 16). In sum, a regulator can strengthen consumer anisms and measures (CBE 2019, article 5-1, 13). In protections by mandating the establishment of customer addressing outsourcing in general, the guidelines of the protection policies, rules, and associated processes. Some Basel Committee on Banking Supervision point to the regulators mandate the acquirers and service providers to need for contingency plans (BCBS 2005), while others send reports to keep them abreast of complaints as well note the need to address continuity (FSB 2020). Finally, as incidents. the Basel committee’s guidelines also point out the need to address issues around IT, such as data and cybersecu- Outsourcing of operations and IT can expose an acquirer rity (BCBS 2005). to financial loss. These risks stem from fraud, refunds, and disputes; defects in the work-system; and service Financial risk is inherent in outsourcing. A critical finan- unavailability, cyberattacks, and so on. In an indirect reg- cial risk is the potential need for a sponsoring acquirer ulatory approach, regulators can compel acquirers to to shut down an outsourcer. This need could arise due take several actions to mitigate these risks. As noted at to insolvency or investment losses, among other causes. the beginning of the section, some of these may explic- This risk can be mitigated by monitoring an outsourcing itly address EPAIs but with responsibility placed on provider’s financial status, annual reports, and cash-flow the sponsoring acquirer. Acquirers can be required to reports; implementing reserve requirements, if applica- ensure that their information security policy is updated ble; and adopting an exit strategy, such as transferring regularly and that it appropriately addresses electronic the business to another third-party provider. The Malay- 32 • FINANCIAL INCLUSION GLOBAL INITIATIVE sian regulator, for example, requires a registered spon- concentrated with a single provider, or several activities soring acquirer to assume responsibility for settlement might be outsourced to a single provider, creating con- to a merchant should a payment facilitator fail (BNM centration risk and potentially leading to systemic risk in 2021). US regulators put forth the need for enhanced due the case of the operational or financial failure of an out- diligence and monitoring to address outsourcing risks as sourcing provider with significant market power (BCBS well as the need for reserve requirements, if applicable, 2005). A regulator or acquirer might lack the purview, to address charge-backs (FDIC 2014; OCC 2008). physical access, or capability to address outsourced activities (BCBS 2005; CBK 2014).43 This is particularly Other outsourcing risks include concentration and cross- problematic when the outsourcing provider is located border risks. Outsourcing activities can potentially be outside the bank’s jurisdiction.44 BOX 4 INDIRECT REGULATION OF GENERAL ACQUIRER OUTSOURCING This box focuses on the more general treatment of out- outsourcing firm, negotiate appropriate outsourcing sourcing. The review encompasses guidelines for out- contracts, and analyze the financial and infrastructure sourcing from the Bank for International Settlement and resources of the service provider” (BCBS 2005, 2). a consultative document from the Financial Stability Financial Stability Board Board (FSB). Two cases are presented, addressing gen- The FSB issued a more recent consultative document eral acquirer outsourcing in India and Kenya. in 2020 that discusses the regulatory and supervisory Basel Committee on Banking Supervision landscape with respect to outsourcing and third-party The Basel Committee on Banking Supervision’s Joint risk management (FSB 2020). The document is based Forum issued outsourcing guidelines for financial ser- on the results of a survey of supervisors in member vices firms and regulators in 2005.45 The Joint Forum countries. As a discussion paper that contains a request defines outsourcing as a “regulated entity’s use of a for comment, this document could serve as a baseline third party (either an affiliated entity within a corpo- for future standards in this area. rate group or an entity that is external to the corporate The FSB explains that outsourcing has become more group) to perform activities on a continuing basis that common and more complex. Similar to the findings of would normally be undertaken by the regulated entity, the Basel Committee on Banking Supervision (2005), now or in the future” (BCBS 2005, 4). At the time the outsourcing in the area of information and communica- guidelines were issued, IT and administrative functions tions technology (ICT) is still the most prevalent type, were the most frequently outsourced areas, but finan- especially as financial institutions increase their reliance cial activities and others were increasingly being out- of cloud-based services. Importantly, the FSB specu- sourced. lates that the COVID-19 pandemic has likely deepened The Joint Forum’s primary concern revolved around reliance on outsourcing. All respondents to the FSB the outsourcing of core functions and the potential to survey have outsourcing standards in place. The survey transfer risk, management, and compliance to unregu- further reveals a universal regulatory theme: that out- lated entities. According to the Joint Forum, a wide vari- sourcing does not absolve management from liability ety of potential risks are associated with outsourcing, for third parties’ activities. Other key areas in outsourc- including strategic, reputation, compliance, operational, ing standards involve risk management, business conti- exit-strategy, counterparty, country, contractual, access, nuity and exit strategies, cybersecurity, data protection, concentration, and systemic risks (BCBS 2005, 11–12). and operational resilience, among other areas. Some The Joint Forum lays out nine guiding principles related standards give regulators direct supervisory access to to outsourcing, which deal with outsourcing policies, risk third parties. Despite some cases of direct access to management, core functions, due diligence, contracts, third parties, all responding authorities generally rely contingency plans, confidentiality, regulators’ assess- on the regulated entity to manage the outsourcing ment of outsourcing, and regulators’ risk awareness. The risks themselves. In general, the FSB emphasizes that Joint Forum summarizes key actions financial institu- outsourcing contracts should not interfere with regu- tions can take as follows: “draw up comprehensive and lated entities’ compliance obligations. clear outsourcing policies, establish effective risk-man- The FSB also flags several areas of emerging concern. agement programs, require contingency planning by the First, supervisors face practical challenges to oversee- continued REGULATORY ASPECTS OF INTERMEDIARIES IN ELECTRONIC PAYMENT ACCEPTANCE • 33 BOX 4, continued ing outsourcing arrangements, including resource con- • Business continuity straints, access limitations, and increasingly complex • Monitoring outsourced activities supply chains. On this final point, though some supervi- • Handling complaints with respect to outsourced sors spell out standards related to third parties’ subcon- activities tractors, authority is often on shaky ground in this area. Further, supply chains are becoming increasingly deep, • Reporting suspicious activity with fifth- and sixth-level outsourcing arrangements. The RBI has released a number of follow-up standards Second, cross-border arrangements are common and since the 2006 guidelines. First, in 2015, the RBI was pose regulatory challenges. Finally, concentration and compelled to issue a circular emphasizing that the systemic risk in the outsourcing space is an increasing 2006 standards apply to the area of subcontracting, concern. after observing increased noncompliance with the guidelines in the area of subcontracting (RBI 2015). Fur- Country Cases ther, in 2017, the RBI released outsourcing standards for India non-bank financial companies (RBI 2017b). The content The RBI (Reserve Bank of India) has been active in regu- of the 2017 standards is very similar to that of the 2006 lating outsourcing. In 2006, it released its “Guidelines on guidelines. Recently, the RBI released “Framework for Managing Risks and Code of Conduct in Outsourcing of Outsourcing of Payment and Settlement-related activ- Financial Services by Banks” (RBI 2006). The guidelines ities by PSOs” (RBI 2021) and guidelines on the regula- incorporate the outsourcing guidelines of the Bank for tion of both payment aggregators and gateways (RBI International Settlements’ Joint Forum (BCBS 2005). 2020b). The release of these guidelines has moved the Recently, in August 2021, the RBI issued “Framework RBI to a direct regulatory approach of EPAIs detailed for Outsourcing of Payment and Settlement-Related in chapter 3. Activities by PSOs” (RBI 2021). The RBI guidelines make Kenya clear that outsourcing does not absolve management In addition to specific standards for the retail agents of of liability for outsourcing functions. Further, they insist payment service providers (PSPs), the Central Bank of that outsourcing cannot interfere with regulatory com- Kenya’s National Payment System Regulations (NPSR) pliance. In general, the RBI maintains that the “underly- spell out requirements for PSPs seeking to outsource ing principles for these guidelines are that the regulated operational functions (CBK 2014). The central bank entity should ensure that outsourcing arrangements strongly emphasizes that outsourcing arrangements neither diminish its ability to fulfill its obligations to should not impair PSPs’ compliance with the NPSR. In customers and RBI nor impede effective supervision by particular, the NPSR make clear that PSPs cannot out- RBI” (RBI 2021). source core functions if the outsourcing arrangement More specifically, the guidelines address a wide vari- would impair PSPs’ internal controls or the bank’s abil- ety of outsourcing expectations related to the following: ity to supervise the PSP. Further, the Central Bank of • Risk management, including the needs to establish Kenya requires outsourcing contracts to grant it super- an outsourcing policy and to evaluate, monitor, and visory access to the third party (CBK 2014, 23: 5a). control the myriad risks posed by outsourcing, such The central bank clarifies that it considers an out- as strategic, reputation, compliance, operational, sourced function to be “material” if it interferes with legal, exit-strategy, counterparty, country, contrac- regulatory compliance, impairs financial performance, tual, and concentration and system risks or harms the “soundness or the continuity” of payment • Due diligence services (CBK 2014, 23: 4). Further, the NPSR make clear that management is liable for the activities of the • Outsourcing contracts third party. • Confidentiality and security 34 • FINANCIAL INCLUSION GLOBAL INITIATIVE AUTHORIZATION OF ACQUIRER 4.3  specific sections in their examination manuals dedicated OUTSOURCING to merchant processing (FDIC 2007; OCC 2014).49 Both manuals acknowledge that regulatory capital rules do In the indirect approach, regulators authorize acquirers not specifically address merchant processing, but banks to work with outsourcing partners, which can include should nevertheless hold appropriate capital for mer- EPAIs. The regulator will typically have no role in assess- chant processing, including higher levels of capital for ing or performing due diligence on intermediaries. riskier merchant processing activities. The manuals stress Instead, acquirers will be required to perform these activ- that regulators have flexible authority to require banks to ities before their partners can provide their services on hold more capital associated with these activities. Both the market. These requirements, while similar to some of manuals point out that card scheme rules generally stip- those outlined in the chapter on direct regulation, differ ulate limits related to processing volumes relative to cap- in focus, putting the onus on the acquirer, rather than the ital, but regulators may set stricter limits for higher-risk intermediary. It is the acquirer that makes the decision to activities, including for high-risk merchant categories and work with an outsourcing partner such as an EPAI, and excessive charge-backs, among other reasons. it is this entity that bears ultimate responsibility for their partners.46.47 Regulators can establish additional controls on outsourc- ing providers. One control directed at EPAIs is to place Some regulators might require acquirers seeking to limits on the size of submerchants’ annual electronic turn- outsource services to EPAIs to obtain an approval or over. While scheme rules impose limits, regulators can authorization from the supervisory authority, while other impose stricter limits—indirectly on EPAIs through their regulators may just request a notification by the acquirer sponsoring bank—better suited for market conditions, if or stipulate the need for other actions by acquirers that they feel these to be warranted. Another area is to pro- outsource activities. To obtain consent, an acquirer could hibit intermediaries from contracting with risky merchant detail its plans for engaging an EPAI, addressing, for categories (for example, pyramid marketing, jewelry sales, example, its market-development objectives, provision lottery shops, crypto currency, and crowd funding) (CBE of compliance reporting, and proposal for system inspec- 2019, article 6-2-14, 17). Some regulators may allow facil- tions by the regulator. In addition, an acquirer’s board of itators and gateways to acquire unregistered merchants, directors may be responsible for ratifying a work strategy while other regulators may require intermediaries to ver- developed by its senior management. ify the legal standing of submerchants.50 This may have To address financial and operational concerns, an the effect of preventing many MSMs from being able to acquirer might be required to conduct due diligence on the offer electronic acceptance services. financial and operational capabilities of an intermediary prior to entering into an agreement. The CBE, BNM, FDIC, Regulators may stipulate that outsourcing contracts and OCC underscore the responsibility of the acquirer to address specific concerns. Insertion of explicit clauses conduct due diligence on intermediaries, while the Basel and terms into contracts can explicitly address several of Committee on Banking Supervision notes the need for an the risks that regulators seek to mitigate. Malaysia requires acquirer to perform due diligence on potential outsourc- the establishment of detailed outsourcing agreements. ing partners.48 Furthermore, acquirers may need to ensure The Kenyan regulator requires outsourcing contracts to that their plan to use the intermediary’s services aligns grant the Central Bank of Kenya supervisory access to with their strategic direction (CBE 2019, article 2-1, 9; FDIC the third party (CBK 2014, 23, 5a). In the United States, 2014; OCC 2008; BNM 2021). In governance, a bank can the FDIC guidance stresses that banks should establish detail the responsibilities of its provider’s board and senior contracts with payment processors that ensure their management. Regulators tend to request the acquirer to timely access to relevant information and their ability to perform continuous auditing and risk monitoring of the close accounts or terminate contracts when necessary, intermediary’s activities. effectively using a contract to define an exit strategy. Exit strategies might include measures to ensure the conti- Prudential requirements are generally applicable to non- nuity of the service by addressing its transferability to bank acquirers. Regulators may require minimum capital another third party and continuation-of-security clauses requirements to ensure financial soundness. The FDIC even after the contract termination.51 and OCC, two of the three US financial regulators, have REGULATORY ASPECTS OF INTERMEDIARIES IN ELECTRONIC PAYMENT ACCEPTANCE • 35 Regulating Payment Schemes 5.  This chapter focuses on the regulation of payment 5.1 OVERVIEW OF PAYMENT SCHEMES schemes by examining their characteristics, rules, and interaction with EPAIs. A scheme establishes the rules, Payment schemes, with their associated rules and stan- standards, and requirements and provides the coordina- dards, govern how PSPs may become scheme members tion that enables the electronic transfer of value through as well as use scheme products and their networks to a payment instrument between its members. Businesses execute payments. This section examines two types of such as EPAIs become scheme members by meeting payment schemes: card schemes and mobile-money scheme-imposed obligations and standards. Through schemes. A payment scheme is a set of rules and associ- membership and associated scheme rules, EPAIs and ated arrangements, functions, and procedures that enable other entities play a well-defined role across the payment the holder of a payment instrument to effect a payment value chain to support the electronic transfer of value or cash-withdrawal transaction with a party other than the through a scheme payment instrument. To understand issuer of the payment instrument. This enables schemes the legal environment in which schemes operate and set to organize and manage the activities supporting elec- their rules, the paper takes a step back to examine cases tronic payments. A payment system is the set of instru- of scheme regulation that set the context for the role of ments, procedures, and rules for the transfer of funds schemes and their interaction with EPAIs. This context is between or among participants. The system includes the useful in understanding the role of a scheme in rule mak- participants and the entity operating the arrangement, ing, licensing EPAIs, and schemes’ interactions with EPAIs. according to the CPMI (CPMI 2016). The payment sys- The chapter is organized as follows: The first section tem includes the infrastructure that processes payment describes card schemes and their key elements and transactions executed through a payment instrument in touches on mobile-money schemes. It highlights efforts line with the rules defined by the system operator. There to regulate card payment schemes in general, as well as are several types of payment systems, including elec- efforts to regulate card pricing. The second section char- tronic as well as paper-based systems, such as checks. acterizes scheme management, addressing issues of rele- Schemes rules enable the exchange of value between vance to EPAIs. The third section focuses on authorization members. Scheme rules govern critical dimensions of and oversight considerations for EPAIs working within electronic payments that enable the exchange of value payment schemes. between members. An EPAI, for example, by becom- 36 • FINANCIAL INCLUSION GLOBAL INITIATIVE ing a scheme member, can facilitate the acceptance of These rules and associated standards govern member- transactions through a scheme-branded payment instru- ship, assure equal and predictable treatment, and, finally, ment (for example, card or direct debit) issued by that enable integration into the scheme network, to ensure the scheme’s members. The EPAI’s acceptance activities are efficient execution of payment transactions. governed by the scheme’s rules, agreed to by the EPAI when it became a scheme member. Furthermore, the Mobile-money schemes are different from card schemes. EPAI will have agreed to specific terms by entering into A rich landscape has emerged in mobile payments since a contractual agreement with a scheme-registered mer- mobile-money operators entered the fray around 2008, chant acquirer, including scheme-mandated provisions when they realized customers could save their money such as submerchant obligations, the need to comply and transact through them without the need for a bank with scheme rules, and entering into an agreement with account. Mobile-money schemes could either follow a each submerchant (McCarty 2012). The combination of three-party model—where the customer and merchant are these elements enables payment services to be offered in clients of the same mobile-money service provider, such as a predictable manner to achieve the benefits afforded by Alipay, PayTM, and OrangeMoney—or be organized under a payment network. a four-party model, where the customer and merchant are Regulators have typically focused their efforts on pay- clients of two different mobile-money service providers ment system operators, the system rules, and the actors that are connected through an interoperability platform, that participate in these systems. Authorities in some such as Mowali. The GSMA identified several characteris- cases regulate the payment scheme as a payment sys- tics for mobile-money scheme: (1) the ability of custom- tem, taking into consideration the system operations. This ers to participate in the scheme without having a bank chapter focuses on payment schemes that provide the account (unless required by the regulator); (2) the ability general framework where specific rules for intermediar- of customers to access and withdraw funds easily using ies exist. However, any reference to a scheme could be an extensive agent network; and (3) the ability of custom- applicable to the payment system as long as the system ers to use the service through simple devices, which do maintains similar rules of coverage. not necessarily need to be smart devices.52 Mobile-money schemes for the most part have remained in their own Two Types of Retail Payment Schemes closed ecosystems. Nevertheless, under such three-party arrangements, the scheme operator may outsource mer- Schemes support standardization and predictability. chant acceptance to other entities. Mobile-money scheme Card schemes that are managed by the international and rules often cover the settlement process, dispute resolu- domestic card schemes have been dominated by four- tion, customer support, and training. party models and focused on person-to-merchant pay- ments. Mobile-money schemes have been dominated by As mobile-money schemes develop, there are several three-party models and person-to-person payments, and paths to expanded interoperability. The GSMA has many of them enable merchant acceptance. What these detailed several technical options that mobile-money pro- schemes have in common are their efforts to create an viders may consider to achieve interoperability between enabling environment that is standardized, including themselves. Examples include both domestic and global standards for messages, application programming inter- hubs as technical models for enabling interoperability faces, security, complaint management, and so on, to pro- between participants. One example of such a deployment mote efficient payments. The mechanisms for achieving is provided by the announcement by Orange Group and this differ and are related in some ways to the scheme’s MTN Group of Mowali (Mobile Wallet Interoperability) in history, level of development, and the nature of interoper- November 2018 of a joint venture hosting interoperabil- ability that is enabled between scheme members. ity services for domestic and international mobile-money transactions. Mowali is built on the open-source platform A card scheme has established rules that address pay- Mojaloop (GSMA 2020a), which, in turn, provides a scheme ment instruments, each with its own rules, under the model to support real-time transactions between mobile- same brand. Card schemes use either a three- or four- money providers. It offers flexibility to customize a number party model to manage their payments business. Scheme of scheme dimensions regarding ownership, participation, capabilities are supported by an interbank switch that the scope of rules, and applicable use cases, among others.53 may or may not be operated by the scheme. A scheme In addition to Mowali’s hub-based model, other examples has more control in a three-party model, while it is eas- of interoperable schemes exist in Ghana, also a hub-based ier to build a larger acceptance footprint through a four- model; Uganda, an aggregator model; and Tanzania and party model because of the greater ease of building a Madagascar, which are based on bilateral arrangements network effect. Scheme rules specific to a PSP enable the (GSMA 2020b). Mobile-money interoperability is able to provider to execute transactions through a payment card. REGULATORY ASPECTS OF INTERMEDIARIES IN ELECTRONIC PAYMENT ACCEPTANCE • 37 support a large number of use cases, including person to ulators have focused on discrete aspects, such as pro- person, person to business, person to application, person moting competition (EU 2015a), promoting access rules to government, application to person, business to person, (RBA 2004a, 2004b), efforts to encourage self-regula- and government to person, among others. The responsi- tion (HKMA 2016), scheme registration (BSP 2019), and bility for managing agents or merchant aggregators is typ- scheme licensing (BOT 2018a, 2018c), as well as the reg- ically assigned to mobile-money service providers ulation of interchange fees, which is addressed in detail in box 5. Direct regulation of payment systems and pay- Many mobile-money service providers offer a merchant- ment system operators, on the other hand, has been specific platform that allows merchants to receive pay- more systematic. In many jurisdictions, the payment ments from customers and pay bills, suppliers, and system regulations are implicitly applicable to payment employees. Typically, providers equip merchants with a schemes. In such cases, the regulators focus both on special SIM card for this purpose. In many cases, this plat- the operations of the payment system and on all issues form is provided by a third party with which the mobile- related to system rules. money provider contracts. Mobile-to-mobile payments are the most common manner of payments, but providers Payment Card Fee Regulation are working on more seamless solutions (McCarty 2012). While schemes have not been regulated systematically, Traditional mobile-to-mobile payments are cumbersome, it sometimes happens that authorities regulate rates of because payers need to enter payment amounts and the interchange fees or merchant discounts. National author- merchant’s account number. Recent developments, such ities have begun to shift their focus from litigation to reg- as merchant-initiated QR payment and request to pay, ulation in recent years (Hayashi and Maniff 2014). Table embed merchant payment information in the QR code, 7 catalogs practices for regulating payment card fees in facilitating the payment process. Mobile-money schemes may rely on TABLE 7: Payment Card Fee Regulations in Selected Economies bilateral contractual agreements and other commercial agreements. Some of these Jurisdiction Standard schemes have emerging merchant accep- Australia The weighted average interchange fee benchmark for credit tance (for example, the case of M-Pesa card transactions is 0.5 percent, and the ceiling for any individual in part as a result of its relationship with transaction is of 0.8 percent (RBA 2016a). The weighted aver- age interchange fee benchmark for debit cards is $A 0.08, with Kopo Kopo). A short terms-and-conditions a ceiling of $A 0.15, or 0.2 percent, for any individual transaction document, which accompanies merchant (RBA 2016b). agreements, is the closest structure akin Brazil Debit card interchange fees are capped at 0.8 percent for any to payment card scheme rules (Safaricom given transaction, and the weighted average fee is 0.5 percent 2014, d). Some notable clauses make clear (Ayres and Mandl 2018; Hayashi and Maniff 2020). that Safaricom bears no liability for errors, China Interchange fees are capped at 0.35 percent for debit cards and such as underpayment and incorrect entry 0.45 percent for credit cards (Hayashi and Maniff 2020). of merchant numbers (Safaricom 2014, India For small merchants, merchant discount rates for debit card 8.5.2). The terms and conditions do state transactions are capped at 0.4 percent for physical point-of-sale that the merchant shall conduct reversals infrastructure, including online transactions, and at 0.3 percent when there is clearly a payment error (Safa- for QR code–based acceptance. For all other merchants, debit ricom 2014, 5.1). The terms and conditions card merchant discount rates are capped at 0.9 percent and 0.8 percent for the separate infrastructure categories, respectively also spell out some of Safaricom’s obliga- (RBI 2017).{-2017a -OR- 2017b?-} tions, including settlement, providing cus- European Interchange fees are capped at 0.3 percent and 0.2 percent for tomer service, and secure website access. Union card-present credit and debit card transactions, respectively Safaricom establishes detailed know- (EU 2015b). They are generally capped at 1.5 percent and 1.15 your-customer requirements for mer- percent for card-not-present credit and debit card transactions, chants (Safaricom 2019). respectively (EU 2019). South Africa Interchange fees vary between 0.36 percent and 0.53 percent for debit cards and between 1.41 percent and 1.89 percent for 5.2 REGULATING CARD credit cards, based on whether transactions are card-present or PAYMENT SCHEMES card-not-present and whether issuers and acquirers are EMV or 3D Secure compliant (SARB 2014). Payment schemes, unlike payment sys- United States The Federal Reserve sets an interchange fee cap for debit card tem operators, have not been regulated issuers at $0.21 plus 5 basis points of the transaction’s value in a systematic manner. In those cases (Federal Reserve 2011, 43420). Issuers with less than $10 billion in assets are exempt from the rule. where schemes have been regulated, reg- 38 • FINANCIAL INCLUSION GLOBAL INITIATIVE BOX 5 REGULATORY FRAMEWORKS FOR CARD PAYMENT SCHEMES This box provides an overview of several frameworks diligence for outsourcing arrangements, and data secu- used by regulators to address card payment schemes. rity, among many other standards. Most of the stan- The frameworks highlight a range of experiences. dards related to four-party schemes are framed within the context of “encouraging” their acquirers and issuers Australia to adhere to the code. The Reserve Bank of Australia has designated Master- card (credit, debit, and prepaid), Visa (credit, debit, and Philippines prepaid), American Express companion cards, and EFT- Payment card schemes are considered operators POS (narrow definition) as “payment systems.” Desig- of payment systems and must be registered by the nated payment systems may be subject to rules, such Bangko Sentral ng Pilipinas (BSP 2019). The registra- as access regimes and interchange-fee regulations. The tion requirements are not significant. Visa and Master- reserve bank has established access regimes only for card are registered as operators of payment systems by Mastercard and Visa credit card schemes (RBA 2004a, the central bank (BSP 2021). 2004b). The access regimes entail some basic criteria Pakistan related to applying to participate in the schemes, such The State Bank of Pakistan’s Rules for Payment System as eligibility, assessment of applications, transparency, Operators and Payment Service Providers (SBP 2014) and certification and reporting. Scheme administrators describe payment system operators and PSPs as enti- must certify that participants meet risk-related eligibil- ties “engaged in operating and/or providing Payment ity and assessment criteria annually, but the standards Systems related services like electronic payment gate- are not prescriptive about the types of risk-manage- way, payment scheme, clearing house, ATM Switch, ment criteria that should be evaluated. POS Gateway, E-Commerce Gateway etc. acting as European Union an intermediary for multilateral routing, switching and In addition to setting interchange fees for credit and processing of payment transactions” (SBP 2014, 3). To debit cards at 0.3 percent and 0.2 percent, respectively, the extent that card schemes are considered payment the European Union’s Interchange Fee Regulation (EU system operators in Pakistan, they would be subject 2015b) sets various fee-related transparency standards to a variety of standards, including minimum capital, that schemes must follow. Importantly, it also requires operational, risk-management, security, confidentiality, independence between card schemes and processing dispute-resolution, and reporting requirements, among entities (EU 2015b, A7.1a) and prohibits bundling scheme others. and processing fees (EU 2015b, A7.1b). These separation Thailand standards are intended to increase competition in the Payment card networks are considered “designated processing market by allowing independent processors payment systems” in Thailand, according to the Pay- to compete for schemes’ customers (EU 2015b, [33]). ment System Act (Kingdom of Thailand 2017). Payment Hong Kong card networks must be licensed, according to the Bank Hong Kong’s “Code of Practice for Payment Card of Thailand (2018a). Many networks are licensed as Scheme Operators” (HKMA 2016) is a code of conduct “payment card network services” in Thailand, includ- designed by and applicable to the scheme operators ing American Express, JCB International, Mastercard, and is endorsed by the Honk Kong Monetary Authority. UnionPay, Visa, Thai Payment Network, and National Thus, it is a “self-regulation” approach for the schemes. ITMX. Further, the bank (2018b) lays out financial, gov- It is not a legally binding regulation; rather, the mone- ernance, risk-management, security, system-user-pro- tary authority works with scheme operators to ensure tection, efficiency, and competitiveness standards for compliance with the code. designated payment systems. It is important to note The code outlines a range of safety, efficiency, transpar- that these regulations exist in addition to Thailand’s ency, and monitoring expectations for schemes. These separate regulations governing both merchant acquir- include establishing clear scheme rules and procedures, ers and EPAIs. Indeed, Thailand takes a direct approach ensuring operational reliability and business continuity, to regulating intermediaries, acquirers, and schemes. risk management, fraud monitoring and awareness, due REGULATORY ASPECTS OF INTERMEDIARIES IN ELECTRONIC PAYMENT ACCEPTANCE • 39 selected large markets across the globe. While most of example, to address the evolution of acceptance and the regulators addressed the rates of interchange fees among emergence in the acceptance value chain of new interme- issuer and acquirer banks, the RBI focused on the mer- diaries, such as payment facilitators. These rules address chant discount rate. the responsibilities and obligations of actors across the acceptance value chain and establish pricing through Card Scheme Components interchange. Six principal components underpin a payment card The rules laid out by a scheme detail the execution of scheme. These are governance arrangements, contracts, payment transactions through a specific payment instru- payment instruments, scheme rules, clearing and settle- ment. A scheme may support several payment instru- ment rules, and complaints and dispute management. ments, and its rules may be unique to that particular These components govern members and ensure the instrument (for example, debit card, credit card, or mobile standardization necessary to execute electronic pay- wallet). ments through a payment instrument. The standardiza- tion, predictability, and coordination provided by these Schemes have established rules for clearing and set- components allow new members to join the scheme and tlement. These rules are extended to EPAIs in defining enable transactions between the customers of other their obligations and rights for settlement. Mastercard, scheme members. for example, notes that acquirers may permit payment facilitators to access settlement funds for the purpose Governance by the scheme of its members is executed of paying submerchants in accordance with the terms of through rules and requirements established by the their submerchant agreements (Mastercard 2020, section scheme. These rules govern most aspects of card issu- 7.6.5, 109, 156). The schemes provide additional require- ing, authorization, clearing, and acquiring. They can be ments regarding settlement, such as the timing obliga- general, regulating such criteria as network membership, tions for crediting a merchant account.55 brand standards, technical and acceptance standards, settlement procedures, and standards for arbitrating Finally, scheme rules put forth standards for addressing disputes. They can also be more specific, governing the complaints and resolving disputes. Schemes establish relationship between the scheme and its members as standards and guidelines to address complaints and dis- well as their agents—for example, the admission of new putes arising for a number of reasons, including address- members into the scheme. Scheme rules have been aug- ing charge-backs or disputed transactions. Such rules mented in recent years to address the membership of establish clear, transparent, and predictable arbitration EPAIs, such as payment facilitators and their obligations. processes. In addition to managing rules, schemes enforce the rules and may impose assessments on members that fail to comply. ELEMENTS OF CARD SCHEME 5.3.  MANAGEMENT AND REGULATION In establishing contractual relationships with members, schemes impose obligations to promote the smooth and This section touches on key elements of scheme rules that predictable functioning of the scheme. Contracts are interact with EPAIs along critical regulatory dimensions established under the auspices of the rules and set con- and, more specifically, areas that help promote the effi- ditions for PSPs, including requirements on the use of the cient functioning of schemes and minimize risk, akin to scheme’s marks, processes, and operational infrastructure, the mandate of regulators. Given this similarity in objec- among others. Other details stipulated within an EPAI con- tives, there is a parallel focus between regulators and the tract might include obligations for scheme participation card schemes with their well-developed rules. as well as rights for contract termination. The obligations included in contracts will depend on the functional role of Card Scheme Governance an organization in the scheme. For example, contractual obligations will differ between acquirers, payment facili- Rules, standards, and other requirements are the mech- tators, payment gateways, and merchants. Furthermore, anisms by which a scheme governs its relationships with there are required terms that must be included in mer- its members. At the member level, scheme rules gov- chant agreements (Mastercard 2020, section 5.1.2, 95). ern the relationship between a scheme and its mem- bers, as well as between the scheme and the members’ Schemes have established rules and develop new rules agents. The responsibility for developing, implementing, in response to the evolving nature of payments—for and enforcing these rules and associated requirements 40 • FINANCIAL INCLUSION GLOBAL INITIATIVE resides with the payment scheme. The establishment of a ing merchants and the need to include required language scheme-governing body and representation of customers in merchant agreements. The rules issued by international and merchants on the scheme-governing body depends major schemes furthermore specify that an acquirer bears on the nature of scheme ownership. All participants in a the ultimate liability for acceptance. Schemes reserve sev- scheme are subject to and bound by the scheme’s charter eral rights for themselves, to ensure the integrity of the documents and its rules. payment system they manage, including the ability to apply fees for noncompliance61 and the right to terminate Schemes undertake direct monitoring to identify and merchant agreements, among others.62 The latter enables gauge risks and mandate members to undertake certain them to intervene directly and address risks stemming activities. Scheme rules, for example, stipulate that they from EPAIs. may audit and review a member to ensure compliance with scheme rules and standards56 These rules encompass Merchant onboarding illustrates an EPAI’s scheme obli- EPAIs and their outsourced providers. While schemes gations. Scheme rules stipulate that, before contracting members are required to comply with applicable laws on with a prospective merchant, a payment facilitator must anti-money-laundering and combating the financing of perform a due diligence review of the prospective mer- terrorism, they also maintain anti-money-laundering pro- chant candidate considered adequate by the scheme. This grams.57 Visa states that its program is designed within includes a site visit, if applicable, to the business prem- the context of regulations applicable to schemes to pre- ises or a suitable alternative. Upon successful completion vent the schemes’ systems from being used to facilitate of onboarding requirements and before doing business money laundering and the financing of terrorist activi- with a merchant, a payment facilitator needs to execute a ties (Visa 2020, section 10.1.3, 554). Scheme rules also merchant agreement that contains clauses requiring mer- stipulate the need for members to monitor their agents. chants to comply with scheme rules and obligations.63 Acquirers, for example, are required to monitor payment This may require merchants to comply with applicable facilitators with whom they have contracted for accep- laws and regulations and comply with scheme rules, and tance services.58 Other examples include acquirer-moni- include the right of the scheme to terminate the payment toring programs and merchant fraud monitoring.59 facilitator’s agreement with a sponsored merchant.64 Card Scheme Rules and Party Liability Card schemes have actively addressed clearing and settlement. Schemes have stipulated rules to address Card scheme rules define the parameters for participa- settlement by payment facilitators. Namely, a payment tion by PSPs and their associated liabilities. Rules lay out facilitator must pay its submerchants for all transactions the roles and obligations for organizations, such as EPAIs, it has submitted on their behalf. This obligation is not that become scheme members. Scheme rules touch on fulfilled until a submerchant has received payment, not- a broad range of themes, including branding, risk man- withstanding any payment arrangements. Furthermore, agement, clearing, and settlement. For example, clearing submerchant agreements provide a vehicle for addressing and settlement is of concern, because it may give rise to charge-back reserves to be held back by the facilitator. default or insolvency of the service provider. In particular, a PSP acting as acquirer might face liquidity or credit risk Competition and Market Structure if an issuer is unable to settle an obligation (ECB 2019, 8). Schemes publish rules and additional guidelines as neces- Card schemes have established clear guidelines for the sary.60 Furthermore, scheme rules lay out the unique roles participation of payment service intermediaries. These of members, such as issuers and acquirers. Both major guidelines delineate requirements, obligations, and stan- international schemes address payment facilitators. dards to which PSPs must adhere. Yet it should be noted that schemes generally rely on the acquirer members The obligations and liabilities of different types of mem- to monitor payment facilitators. While in the case of bers are detailed by card scheme rules. Rules addressing acceptance, scheme rules apply to members and include acquirers, for example, require them to monitor their pay- specific provisions on monitoring payment facilitators, ment facilitators for compliance with scheme rules. Put acquirers remain responsible for the acts of payment differently, acquirers possess and are required to exercise facilitators, as payment facilitators sign merchant accep- “supervisory powers” over EPAIs. Furthermore, acquir- tance agreements on behalf of acquirers. Furthermore, ers are responsible for the acts of payment facilitators, additional requirements are placed on acquirers that as payment facilitators sign merchant acceptance agree- enroll payment facilitators. In the case of EPAIs, they ments on behalf of acquirers. Obligations placed directly are required first to become registered with a scheme; upon EPAIs include necessary due diligence in onboard- then they may enter into a contract with a scheme mem- REGULATORY ASPECTS OF INTERMEDIARIES IN ELECTRONIC PAYMENT ACCEPTANCE • 41 ber, such as an acquirer, to start enrolling merchants. To A third area of financial risk addressed is intermediary become a registered payment facilitator, an applicant payments to those accepting cards. Scheme rules pro- needs to be financially sound. In the case of Visa, this vide for payment to the payment facilitator on behalf of requires a minimum equity of $100 million. Visa’s rules a sponsored merchant, noting that the payment facili- state that this amount may be waived in exchange for tator needs to credit the sponsored merchants account assurances and evidence of risk controls and other promptly after the deposit of funds.72 Scheme rules, unlike requirements.65 Among other things, such requirements rules issued by regulators, don’t go as far as to require may include the sponsoring acquirer attesting to a due segregated accounts to prevent the comingling of mer- diligence review of the payment facilitator with which it chant funds with those of an acceptance intermediary. wants to contract.66 A payment facilitator must enter into a merchant Time limits for crediting a beneficiary account are agreement with each of its sponsored merchants to for- addressed by scheme rules. Scheme rules provide guid- malize their arrangements. At this point, there are obliga- ance on acquirer funding of payment facilitator accounts tions and requirements that must be met regarding the and, in turn, by payment facilitators to submerchants. Visa merchants with which the payment facilitator seeks to do rules, for example, extend this to provide explicit timing business.67 Schemes can impose fees and noncompliance guidelines for Brazil.73 assessments on payment facilitators that do not meet its rules and standards.68 Other rules include the need for Consumer and Data Protection payment facilitators to meet several operational and pro- Schemes seek to protect consumers and data. This pro- cessing requirements, such as the assignment and use of tection is important for the integrity of payment systems merchant identifiers and other critical information. and for the consumer confidence and trust necessary to support their active use. Schemes have put limitations on Operational and IT Security Risks the disclosure of transaction information.74 Both interna- Card scheme rules address operational and IT secu- tional schemes, for example, do not allow their members rity risks that can affect their payment networks. These to convey or disclose personal or proprietary data with- efforts focus on operational risks, the continuity of opera- out express permission.75 Furthermore, rules have been tions, and the security of data, both stored data and data developed to address data sharing to support open bank- in motion, as addressed through cybersecurity standards ing. The requirements include the need for intermediaries and programs, such as PCI. These cybersecurity standards to ensure compliance with local laws, provide appropriate and programs are relevant to all customers, merchants, notice to customers of their intended processing of per- and service providers, such as EPAIs, that store, process, sonal information, and adopt appropriate security mea- or transmit account, card, cardholder, or transaction data sures around the storage and processing of personal data, (Mastercard 2021, chapter 2). among others.76 Financial Risks AUTHORIZATION AND LICENSING 5.4  Schemes address several types of financial risks, through CONSIDERATIONS FOR EPAIS both their rules and the requirements they impose on intermediaries to become members. One critical finan- There are similarities in the objectives of both scheme cial risk presented by merchants to EPAIs is their sol- and regulator efforts to register members and autho- vency and the associated risk that they may be unable rize EPAIs. To reiterate a point made earlier, both are to meet their obligations. Such obligations may arise motivated to promote efficient networks and minimize from customer charge-back or prepaid customer goods risk. The major differences between them is the profit or services, among others. Schemes require mecha- motivation of schemes and the broader focus of the nisms in merchant agreements by EPAIs to address such regulator. risks—namely, by allowing merchant agreements to give payment facilitators the ability to withhold amounts for Regulators have not licensed or authorized international charge-back reserves or similar purposes in accordance schemes systematically. Nevertheless, there are cases with scheme standards.69, 70 Another potential area of risk where domestic schemes have received authorization that schemes could address is general business risk. In from the local regulator. This is the case in the Philippines, Mexico, for example, the Mexican regulators put require- with the requirement for scheme registrations (BSP 2019), ments on PSPs when moving into adjacent businesses.71 and the requirement for scheme licensing in Thailand 42 • FINANCIAL INCLUSION GLOBAL INITIATIVE (BOT 2018a, 2018b). Some regulators designate domes- transaction volume of a submerchant working through a tic or international schemes as systemically77 or promi- payment facilitator,79 some regulators may apply amend- nently78 important payment systems and, hence, require a ments to increase or decrease this limit. Finally, regulators sort of authorization and regular monitoring. may request transparency in the application of fees and may intervene to address applied fees for interchange or Card schemes typically authorize intermediaries to oper- merchant discount rates. Schemes may adjust their rules ate as members through their registration, while acquir- at a regional or country level to be consistent with local ers are responsible of monitoring the contracted EPAIs, laws or regulations. For example, Mastercard adjusted its and specifically facilitators. International schemes gen- rules on data protection as they apply to its European erally require registration, while domestic schemes are region to align with developments in the regulation of sometimes reluctant to authorize domestic intermediar- open banking and the introduction of new PSPs in that ies. Registration requirements include criteria for network region.80 membership, such as financial strength, competent man- agement, and the need to comply with scheme require- Schemes use contracts to expand definitions of the obli- ments and obligations. Once registered as a scheme gations of EPAI members. These obligations are imposed member, an intermediary is subject to scheme require- through their acquirer agreements and their submerchant ments. These include the need for EPAIs to enter into agreements. In addition to the obligations associated with provider agreements with merchants for activities to facil- becoming members of a scheme, EPAIs sign an agree- itate electronic payments through payment cards. ment with a merchant acquirer to provide acceptance services on behalf of that acquirer. Under this relationship, In regulating domestic or international schemes, regula- the scheme is clear that the acquirer is ultimately respon- tors, after reviewing scheme rules, may apply changes. sible and, hence, must take actions to ensure the proper Scheme or system rules function as the governing body, behavior by the EPAI. Under this agreement, however, the addressing most aspects of acquiring, card issuing, autho- payment facilitator agrees to comply with scheme rules rization, and clearing. Regulators may impose changes and is responsible for cardholder disputes and customer that affect some of the applicable rules. This is espe- service issues that may arise among others. In addition cially true of submerchant volume limits established by to acquirer agreements, EPAIs must enter into merchant international schemes on payment facilitators. For exam- agreements with each of their submerchants. ple, while Visa applies a limit of $100,000 on the annual REGULATORY ASPECTS OF INTERMEDIARIES IN ELECTRONIC PAYMENT ACCEPTANCE • 43 6. Conclusion An approach to financial inclusion grounded in payments they are quick to deploy new and lower-cost business holds tremendous promise. Among other things, digi- models to reach SMEs. Yet the introduction of EPAIs into tal payments reduce direct costs for banks and service the acceptance value chain extends a number of existing providers and reduce transaction costs, such as time, for risks and introduces new considerations. A key rationale users. EPA has huge potential to harness networks effects for regulating EPAIs is to achieve balance between the and economies of scope in the provision of an expanded benefits of greater inclusion and the risks introduced by array of valuable services, improving access to different EPAIs—or to put it differently, to achieve policy objectives, sectors of the economy. Crucial to the success of a pay- such as facilitating the extension of financial services to ments-centered financial-inclusion program is the need excluded populations in a manner that balances the risks for a robust acceptance footprint that is aligned with the of doing so. payment behaviors of the target population for inclusion. More than 180 million MSMs are estimated to be in the This paper has highlighted and elaborated on these risks, developing countries, most of which don’t accept elec- which include, among others, financial risks, such as the tronic payments. EPA would not only extend to this huge liquidity of intermediaries; risk to consumers, in the form merchant sector but also cover the 4.5 billion customers of unauthorized transactions and disputes; risks to con- who regularly transact with them daily. sumer—merchants—funds and data through unauthorized access; and the risks to IT and operations, with impacts to Merchant acquirers, the traditional vehicle for develop- their safety and the continuity of operations. Addressing ing payment acceptance, lag in their efforts to build out and mitigating these risks can maintain and build trust acceptance for underserved and unbanked populations. in electronic payments—a foundational requirement for EPAIs, on the other hand, address several barriers pre- end-user engagement and usage—promoting the viability venting the expansion of payment acceptance by acquir- of systems serving the underserved and unbanked. ers to those merchants and businesses frequented by the underbanked and the unbanked. First, they are nimble and The paper encourages regulators to take a proactive quick to align to segment needs, overcoming inertia by leadership role in understanding the risks of EPAIs to acquirers. Second, intermediaries incorporate innovative develop the appropriate balance of regulations. Some technology into their products and solutions. And finally, regulators may choose not to intervene in the affairs 44 • FINANCIAL INCLUSION GLOBAL INITIATIVE of intermediaries. Still others may choose to regulate Part of the rationale is that EPAIs are part of a payment them directly, while others may address intermediaries scheme or system, such as a card scheme or mobile-pay- through regulations focused on acquirer outsourcing— ment scheme. As such, scheme or system rules will focused generally on outsourcing or explicitly focused include the conditions for intermediary service delivery. on EPAIs. Some regulators may choose to focus on the With this approach, regulators could apply certain condi- regulation of schemes. Finally, regulators may choose tions—either general or specific—to intermediaries based to employ elements of several approaches at the same on their type. Nevertheless, it would be the responsibility time. For a number of reasons, regulators may pursue of the scheme governing body or the direct participant different approaches to the regulation of EPAIs. These of the scheme (acquirers) to ensure EPAIs’ compliance reasons may include their regulatory capabilities, cur- with the regulations. Under this approach, intermediaries rent regulatory approach, and development, as well as would not necessarily need to be licensed by the authori- market characteristics, such as the level of development, ties but would need to be authorized by the scheme gov- among others. erning body or system operator. Various approaches being undertaken by regulators have been highlighted in this paper. It has not sought to opine on the efficacy or appropriateness of the GENERAL NOTES ABOUT THE APPLICATION approaches discussed, but to lay out the topography of OF THE REGULATORY APPROACHES the landscape, so that others may benefit from an under- standing of efforts that have been undertaken. In so doing, While applying one or more of the previous approaches, it provides those facing the same issues both insights and the authorities may consider the legal, regulatory, and some direction for moving forward. supervisory environment and the scope of authorities. We reiterate several issues that have been raised earlier about The direct regulation approach applies when the regulator the implementation of these approaches within different issues regulations that address EPAIs directly. Regulations jurisdictions. will typically be directed at specific types of intermedi- aries or can target certain functions, regardless of the The scope of regulations, oversight, and supervision type of intermediary. Upon issuing direct regulations, the could vary from one jurisdiction to the other based on authorities will expect any entity providing or anticipating legislative structure. For example, some authorities may providing such services to apply for a license or authori- designate intermediaries as service providers under the zation from the regulator. This approach addresses inter- supervision and oversight of the central bank. In other mediaries directly by specifying the necessary conditions jurisdictions, non-bank financial institutions could be for providing a specific service. under the supervision of a different authority. Such dis- tinctions may be relevant within the central bank itself. When the regulation of intermediaries occurs indirectly, Within some central banks, the oversight and supervision through acquirers and their outsourced services, the functions for the PSPs, including intermediaries, are per- activities of EPAIs are seen as the responsibility of the formed by the payment system oversight unit. In others, acquirer, and these activities are considered to be out- the supervision of non-bank financial institutions is per- sourced by the acquirer to a third party. The regulator formed through the supervision unit. may issue regulations that are specific to the acquiring business. The regulator could decide to address specific Besides payment systems safety and efficiency, finan- types of intermediaries as special types of outsourcing, cial consumer protection and data protection could be specifying certain requirements for those intermediar- the objectives of some central banks. However, in some ies. Alternatively, the regulator could issue regulations jurisdictions, the responsibility for these objectives may that address the requirements for outsourcing services in be assigned to institutions other than the central bank. general. The approach chosen for licensing or authoriz- The oversight unit within some central banks may have ing intermediaries may differ from one authority to the a specific mandate for protecting the customers of the other. Nevertheless, the acquirer is ultimately liable for the payment systems or users of payment instruments. Alter- deeds of its intermediaries. natively, the mandate could be assigned to different authorities in other jurisdictions. The same might be true The third approach addresses the whole payment for a financial data-protection mandate. Central banks scheme with all its participants, including intermediar- should be vigilant about issuing regulations out of their ies. Regulators may choose to ensure that the scheme legal mandate and ensure that the scope and objectives governing body or system operator manages all risks of their regulations are within the central bank mandate. within the scheme, including the risks presented by EPAIs. REGULATORY ASPECTS OF INTERMEDIARIES IN ELECTRONIC PAYMENT ACCEPTANCE • 45 The burden of each approach on regulatory resources vices might be subject to the regulations associated with should be considered. In some cases, regulatory resources each of those services. The same applies for an entity that may be constrained. In such circumstances, consideration could provide switching services and third-party process- should be given to the resource requirements of a partic- ing of card management or ATM terminal processing. In ular regulatory approach. For example, some authorities doing so, the overseer or supervisor should be sensitive might prefer the direct regulation approach, as it allows to the supervisory burden on the supervised entities and the authorities to monitor the risks of EPAIs closely. How- ensure harmonization of activities. ever, this approach might increase the burden on the cen- tral bank. Other approaches may put more responsibility The regulator should encourage innovation and the on the regulated financial institutions acting as acquirers, introduction of new business models. Innovative models as opposed to the regulator, in overseeing or monitoring typically address gaps in the market structure. The emer- the activities of intermediaries. The regulator may be able gence of EPAIs in many jurisdictions can fill the gap where to rely on the skills and capabilities of the regulated finan- typical acquirers can’t reach to MSMs due to the business cial institutions to oversee the intermediary effectively. In models applied by these acquirers. EPAIs cooperate with addition to freeing up the regulator’s scarce resources, acquirers to extend the reach of acceptance services. The there are other potential advantages to the regulator, financial authorities should realize the market’s need for such as the ability to leverage the business acumen of such players and issue regulations that encourage entre- their commercial banks. However, this approach might preneurs to innovate such models. The regulator should increase risks, as some financial institutions are not well avoid restrictive requirements that might discourage new equipped to monitor and oversee the activities of the players, such as high capital or operational requirements. intermediaries. Having one intermediary outsourced by The regulator should enhance the market competitive- multiple financial institutions could increase the oversight ness through having a level playing field for all players. burden on this intermediary. In this specific case, concen- tration risk might be seen by neither the monitoring enti- Finally, the level of market sophistication and structure ties nor the central bank. could be an important factor in the selection of the reg- ulatory approach. A market with few dominant providers The regulator should consider a functional approach, might require the central bank to take a direct regulatory instead of an institutional approach, where the require- approach. A market characterized by many nondominant ments are associated with risks of a specific function or providers might be better suited to an indirect regulatory business. In a functional approach, requirements would be approach. Having strong and mature payment schemes consistent for banks and non-banks to avoid regulatory or system operators with detailed rules and clear opera- arbitrage. In applying this approach, regulators should tional requirements would allow the central bank to apply be very clear about the separation of different products the existing scheme rules while appending the rules with provided by the same service provider. For example, an country-specific conditions. entity that provides payment gateway and facilitation ser- 46 • FINANCIAL INCLUSION GLOBAL INITIATIVE References AFI (Alliance for Financial Inclusion). 2018. Fintech for Financial BI (Bank Indonesia). 2009b. “Management of Card-Based Pay- Inclusion: A Framework for Digital Financial Transformation. ment Instrument Activities.” Circular Letter No. 11/10/DASP. AFI, September 2018. https://www.bi.go.id/en/publikasi/peraturan/Documents/ Arkwright. 2020. Managing Merchant Credit Risk: Post Covid 19 SE%20Nomor%2011.10.DASP%20tentang%20APMK.pdf. Acquiring and Acceptance. May 20, 2020. BI (Bank Indonesia). 2016. Regulation No. 18/40/PBI/2016 Con- Ayres, Marcela, and Carolina Mandl. 2018. “Brazil Caps Debit cerning Payment Transaction Processes. https://www.bi.go. Card Fees, May Limit Them Further.” Reuters, March 26, 2018. id/id/publikasi/peraturan/Pages/pbi_184016.aspx#. https://www.reuters.com/article/us-brazil-cenbank-regula- BIS (Bank for International Settlements). 2019. The Design of tion/brazil-caps-debit-card-fees-may-limit-them-further- Digital Financial Infrastructure: Lessons from India. BIS Paper idUSKBN1H22XL. No. 106. BIS, December 2019. BCBS (Basel Committee on Banking Supervision). 2005. The BNM (Bank Negara Malaysia). 2020. Merchant Acquiring Joint Forum: Outsourcing in Financial Services. BIS, February Services. Exposure Draft BNM/RH/ED 032-5. July 17, 2020. 2005. https://www.bis.org/publ/joint12.pdf. https://www.bnm.gov.my/documents/20124/943361/Mer- BCBS (Basel Committee on Banking Supervision). 2018. Sound chant+Acquiring+Services+-+Exposure+Draft.pdf/4aed917a- Practices: Implications of Fintech Developments for Banks 4ad1-5cab-400b-a1e0e3996341?t=1600348844368. and Bank Supervisors. BIS, February 2018. BNM (Bank Negara Malaysia). 2021. Merchant Acquiring Ser- BCBS (Basel Committee on Banking Supervision). 2019. Report vices. BNM/RH/PD 028-119, September 15, 2021. on Open Banking and Application Programming Interfaces. BOG (Bank of Ghana). 2019. Guideline on Operations of Elec- BIS, November 2019. tronic Payment Channels in Ghana. https://www.bog.gov. Beyoud, Lydia. 2020. “Payments Shaping Up as Next Turf Battle gh/wp-content/uploads/2019/08/Guidelines-on-Opera- between OCC, States.” Bloomberg Law, July 17, 2020. https:// tions-of-Electronic-Payment-Channels-in-Ghana.pdf. news.bloomberglaw.com/banking-law/payments-shaping- BOG (Bank of Ghana). 2020. “License Categories & Permis- up-as-next-turf-battle-between-occ-states. sible Activities.” https://www.bog.gov.gh/wp-content/ BI (Bank Indonesia). 2009a. Bank Indonesia Regulation Num- uploads/2020/07/License-Categories-with-Secretarys-com- ber: 11/11/PBI/2009 Concerning Management of Card-Based ments_2.pdf. Payment Instrument Activities. https://www.bi.go.id/en/ Bossone, Biagio, and Massimo Cirasino. 2001. The Oversight of publikasi/peraturan/Documents/PBI%20Nomor%2011.11. the Payments Systems: A Framework for the Development PBI.2009%20tentang%20APMK%2031%20Maret%202009. and Governance of Payment Systems in Emerging Econ- pdf. omies. Payment and Securities Clearance and Settlement Systems Research Series No. 1. CEMLA and World Bank, July 2001. REGULATORY ASPECTS OF INTERMEDIARIES IN ELECTRONIC PAYMENT ACCEPTANCE • 47 BOT (Bank of Thailand). 2018a. Regulations on General Super- Chamber of Deputies of the Congress of the Union (Cámara de vision of Undertaking Designated Payment Service Business. Diputados del H. Congreso de la Unión). 2018. Mexican Fin- April 2018. https://www.bot.or.th/Thai/FIPCS/Documents/ tech Law (Ley para Regular las Instituciones de Tecnología FPG/2561/EngPDF/25610082.pdf. Financeria), March 9, 2018. BOT (Bank of Thailand). 2018b. Regulations on Supervision of Chang, Howard, David S. Evans, and Daniel D. Garcia Swartz. the Designated Payment Systems Business. April. https:// 2005. “The Effect of Regulatory Intervention in Two-Sided www.bot.or.th/Thai/FIPCS/Documents/FPG/2561/Eng- Markets: An Assessment of Interchange-Fee Capping in Aus- PDF/25610087.pdf. tralia.” Review of Network Economics 4, No. 4 (December): BOT (Bank of Thailand). 2018c. Regulations, Procedures and 328–58. Conditions on Application for License and Registration to CPMI (Committee on Payments and Market Infrastructures). Undertake Designated Payment Services Business. April 2014. Non-Banks in Retail Payments. September 2014. 2018. https://www.bot.or.th/Thai/FIPCS/Documents/ https://www.bis.org/cpmi/publ/d118.pdf. FPG/2561/EngPDF/25610088.pdf. CPMI (Committee on Payments and Market Infrastructures). BOT (Bank of Thailand). 2018d. Regulations, Procedures, and 2016. “Glossary” (web page). https://www.bis.org/cpmi/publ/ Conditions on Application for License to Undertake Desig- d00b.htm. nated Payment Systems Business. April. https://www.bot. CPSS (Committee on Payment and Settlement Systems). 2003. or.th/Thai/FIPCS/Documents/FPG/2561/EngPDF/25610086. A Glossary of Terms Used in Payments and Settlement pdf. Systems. BIS, March 2003. https://www.bis.org/cpmi/glos- BOT (Bank of Thailand). 2018e. Stipulation on Designated Pay- sary_030301.pdf. ment Services. https://www.bot.or.th/Thai/FIPCS/ CPSS (Committee on Payment and Settlement Systems). 2012. Documents/FPG/2561/EngPDF/25610195.pdf Innovations in Retail Payments. BIS, May 2012. https://www. BSP (Bangko Sentral ng Pilipinas). 2019. “Rules and Regula- bis.org/cpmi/publ/d102.pdf. tions on the Registration of Operators of Payment Systems.” CSBS (Conference of State Bank Supervisors). 2014. Third Office of the Governor Circular No. 1049. September 2019. Party Payment Processors Job Aid. February 2004, rev. https://www.bsp.gov.ph/Regulations/Issuances/2019/c1049. August 2014. https://www.csbs.org/system/files/2017-11/ pdf. Third_Party_Payment_Processor_Job_Aid%20revised%20 BSP (Bangko Sentral ng Pilipinas). 2021. “List of OPS with Certif- Aug14.pdf. icate of Registration (COR).” March. https://www.bsp.gov.ph/ Daly, Jim. 2020. “Merchants Bracing for Higher Reserve PaymentAndSettlement/COR.pdf. Requirements from Acquirers.” Digital Transactions, June 8, CBE (Central Bank of Egypt). 2019. Technical Payment Aggrega- 2020. https://www.digitaltransactions.net/merchants-brac- tors & Payment Facilitators Regulations. https://www.cbe.org. ing-for-higher-reserve-requirements-from-acquirers/. eg/_layouts/download.aspx?SourceUrl=%2Fen%2FPayment- Dodd-Frank Wall Street Reform and Consumer Protection Systems%2FRegulationsDL%2FTechnical%20Payment%20 Act. Pub. L. No. 111-203, 124 Stat. 1376 (2010). https://www. Aggregators%20%26%20Payment%20Facilitators%20Regu- govinfo.gov/content/pkg/PLAW-111publ203/pdf/PLAW- lations.pdf. 111publ203.pdf. CBK (Central Bank of Kenya). 2014. The National Payment D’Silva, Derryl, Zuzana Filková, Frank Packer, and Siddharth System Regulations, 2014. https://www.centralbank.go.ke/ Tiwari. 2019. The Design of Digital Financial Infrastructure: wp-content/uploads/2018/12/NPSRegulationsNew2014-1.pdf. Lessons from India. BIS Paper No. 106. BIS, December 2019. CBN (Central Bank of Nigeria). 2018a. Regulatory Requirements Durbin, Dick. 2010. “Durbin Statement on His Debit Card Swipe for Non-Bank Merchant Acquiring in Nigeria. Exposure Draft Fee Amendment.” Press release, May 13, 2010. https://www. PSM/DIR/GEN/CIR/01/003. September 7, 2018. https:// durbin.senate.gov/newsroom/press-releases/durbin-state- www.cbn.gov.ng/Out/2018/BPSD/Exposure%20Draft%20 ment-on-his-debit-card-swipe-fee-amendment. of%20Regulatory%20Requirementsfor%20NonBank%20Mer- EBA (European Banking Authority). 2017. Final Report on the chant%20Acquiring%20in%20Nigeria.pdf. EBA Guidelines under Directive (EU) 2015/2366 (PSD2) CBN (Central Bank of Nigeria). 2018b. “Circular on the Expo- on the Information to Be Provided for the Authorisation of sure Draft of New CBN Licensing Regime (License Tiering) Payment Institutions and E-Money Institutions and for the for Payment System Providers.” BPS/DIR/GEN/CIR/05/012. Registration of Account Information Service Providers. EBA/ October 15, 2018. https://www.cbn.gov.ng/Out/2018/PSMD/ GL/2017/09, November 7, 2017. https://eba.europa.eu/regu- Circular%20on%20the%20exposure%20draft%20of%20 lation-and-policy/payment-services-and-electronic-money/ new%20CBN%20licensing%20regime%20(Licence%20tier- guidelines-on-authorisation-and-registration-under-psd2. ing)%20for%20payment%20system%20providers%20.pdf. EBA (European Banking Authority). 2019. Final Report on EBA CBN (Central Bank of Nigeria). 2020a. Guidelines on Opera- Guidelines on Outsourcing Arrangements. EBA/GL/2019/02. tions of Electronic Payment Channels in Nigeria. June 2020. February 25, 2019. https://www.eba.europa.eu/sites/default/ https://www.cbn.gov.ng/Out/2020/CCD/Reviewed%20 documents/files/documents/10180/2551996/38c80601- and%20Approved%20Guidelines%20on%20Operations%20 f5d7-4855-8ba3-702423665479/EBA%20revised%20Guide- of%20Electronic%20Payment%20Channels%20in%20Nige- lines%20on%20outsourcing%20arrangements.pdf?retry=1. ria%202020.pdf. EC (European Commission). 2016. “Antitrust: Regulation on CBN (Central Bank of Nigeria). 2020b. “New License Categori- Interchange Fees.” Memo, June 9, 2016. https://ec.europa.eu/ sations for the Nigerian Payment System.” Circular PSM/CIR/ commission/presscorner/detail/en/MEMO_16_2162. GEN/CIR/01/22. December 9, 2020. EC (European Commission). 2019. “Antitrust: Commission CBN (Central Bank of Nigeria). 2021. Regulatory Framework for Accepts Commitments by Mastercard and Visa to Cut Non-Bank Acquiring in Nigeria. May 2021. Inter-Regional Interchange Fees.” Press release, April 29, 48 • FINANCIAL INCLUSION GLOBAL INITIATIVE 2019. https://ec.europa.eu/commission/presscorner/detail/ Manual for Credit Card Activities. https://www.fdic.gov/regu- en/IP_19_2311. lations/examinations/credit_card/pdf_version/ch19.pdf. ECB (European Central Bank). 2019. Card Payments in Europe— Federal Reserve System. 2011. Debit Card Interchange Fees and Current Landscape and Future Prospects: A Eurosystem Routing, Final Rule. Federal Register 76, No. 139 (July 20, Perspective. ECB, April 2019. https://www.ecb.europa.eu/ 2011). https://www.govinfo.gov/content/pkg/FR-2011-07-20/ pub/pdf/other/ecb.cardpaymentsineu_currentlandscapeand- pdf/2011-16861.pdf. futureprospects201904~30d4de2fc4.en.pdf. FDIC (Federal Deposit Insurance Corporation). 2014. “Guidance EcoCash. 2020a. “Merchants” (web page). https://www.ecocash. on Payment Processor Relationships.” Financial Institution co.zw/about/merchants. Letters. https://www.fdic.gov/news/financial-institution-let- Edgar, Dunn & Company. 2020. Interchange Fee Regulation ters/2008/fil08127a.html. Impact Assessment Study. January 2020. FFIEC (Federal Financial Institutions Examination Council). EU (European Union). 2007. Directive 2007/64/EC of the Euro- 2014. “Third-Party Payment Processors—Overview.” BSA/ pean Parliament and of the Council of 13 November 2007 on AML Manual. https://bsaaml.ffiec.gov/manual/RisksAssociat- Payment Services in the Internal Market Amending Direc- edWithMoneyLaunderingAndTerroristFinancing/11. tives 97/7/EC, 2002/65/EC, 2005/60/EC and 2006/48/EC FSB (Financial Stability Board). 2020. Regulatory and Supervi- and Repealing Directive 97/5/EC. https://eur-lex.europa.eu/ sory Issues Relating to Outsourcing and Third-Party Relation- legal-content/EN/ALL/?uri=CELEX:32007L0064. ships. Discussion Paper, November 9, 2020. https://www.fsb. EU (European Union). 2015a. Directive 2015/2366/EU of the org/wp-content/uploads/P091120.pdf. European Parliament and of the Council of 25 November GDBF (Georgia Department of Banking and Finance). 2014. Mer- 2015 on Payment Services in the Internal Market, Amending chant Acquirer Limited Purpose Banks. https://dbf.georgia. Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and gov/sites/dbf.georgia.gov/files/related_files/document/ Regulation (EU) No 1093/2010, and Repealing Directive MALPB-PolicyStatement.pdf. 2007/64/EC. https://eur-lex.europa.eu/legal-content/EN/ Georgia General Assembly. 2012. Georgia Merchant Acquirer TXT/?uri=CELEX:32015L2366. Limited Purpose Bank Act. https://www.legis.ga.gov/legisla- EU (European Union). 2015b. Regulation (EU) 2015/751 of the tion/35642. European Parliament and of the Council of 29 April 2015 Government of Australia. 2012. “E-Commerce: Payment Gate- on Interchange Fees for Card-Based Payment Transactions. ways.” https://web.archive.org/web/20121118194457/http:// https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex- www.digitalbusiness.gov.au/online-payments-and-dona- %3A32015R0751. tions-benefits-of-e-commerce/e-commerce-payment-gate- EU (European Union). 2019. Summary of Commission Decision ways/. of 29 April 2019 Relating to a Proceeding under Article 101 Govil, Sameer. 2016. Perspectives on Accelerating Global of the Treaty on the Functioning of the European Union and Payment Acceptance. Visa. https://usa.visa.com/dam/ Article 53 of the EEA Agreement. VCOM/download/visa-everywhere/global-impact/perspec- EY and CE (Copenhagen Economics). 2020. Study on the Appli- tives-on-accelerating-global-payment-acceptance.pdf. cation of the Interchange Fee Regulation. European Commis- GSMA. 2020a. The Many Paths to Mobile Money Interoperability: sion, 2020. Selecting the Right Technical Model for Your Market. GSMA, FATF (Financial Action Task Force). 2013. Guidance for a Risk June 2020. https://www.gsma.com/mobilefordevelopment/ Based-Approach: Prepaid Cards, Mobile Payments and Inter- wp-content/uploads/2020/06/GSMA_Many-paths-to-mo- net-Based Payment Services. FATF and OECD, June 2013. bile-money-interoperability-2.pdf. {-DELETE COMMENT?- Not sure what is it – You may keep it for GSMA. 2020b. Tracking the Journey towards Mobile Money further internal processing }See FIGI Innovation Paper and Interoperability: Emerging Evidence from Six Markets: Tan- check FATF references in Mexico Section zania, Pakistan, Madagascar, Ghana, Jordan and Uganda. FCA (Financial Conduct Authority). 2019a. Payment Services GSMA, June 2020. https://www.gsma.com/mobileforde- Regulations and Electronic Money—Our Approach. June velopment/wp-content/uploads/2020/06/GSMA_Track- 2019. https://www.fca.org.uk/publication/finalised-guidance/ ing-the-journey-towards-mobile-money-interoperability-1.pdf. fca-approach-payment-services-electronic-money-2017.pdf. Hayashi, Fumiko, and Jesse Leigh Maniff. 2014. “Interchange FCA (Financial Conduct Authority). 2019b. “Payment Services Fees and Network Rules: A Shift from Antitrust Litigation to Regulations 2017 and Electronic Money Regulations 2011.” Regulatory Measures in Various Countries.” Payment System September 2019. https://www.fca.org.uk/firms/payment-ser- Research Briefing, October 2014. Federal Reserve Bank of vices-regulations-e-money-regulations. Kansas City. FCA (Financial Conduct Authority). 2021a. Payment Services Hayashi, Fumiko, and Jesse Leigh Maniff. 2020. “Public Author- and Electronic Money—Our Approach: The FCS’s Role under ity Involvement in Payment Card Markets: Various Coun- the Payment Services Regulations 2017 and the Electronic tries—August 2020 Update.” Federal Reserve Bank of Kansas Money Regulations 2011. November 2021 (version 5). https:// City. https://www.kansascityfed.org/~/media/files/publicat/ www.fca.org.uk/publication/finalised-guidance/fca-ap- psr/dataset/pub-auth_payments_var_countries_august2020. proach-payment-services-electronic-money-2017.pdf. pdf. FCA (Financial Conduct Authority). 2021b. “Payment Services HKMA (Hong Kong Monetary Authority). 2016. Code of Practice Regulations 2017 and Electronic Money Regulations 2011,” for Payment Card Scheme Operators. September. https:// (web page). https://www.fca.org.uk/firms/payment-ser- www.hkma.gov.hk/media/eng/doc/key-functions/finan- vices-regulations-e-money-regulations. cial-infrastructure/Payment_card.pdf. FDIC (Federal Deposit Insurance Corporation). 2007. “Merchant Processing,” chapter 19 in Risk Management Examination REGULATORY ASPECTS OF INTERMEDIARIES IN ELECTRONIC PAYMENT ACCEPTANCE • 49 Johnson, Jamie. 2019. “What Is a Payment Aggregator?” CO by Miller, Phillip M., and Daniel G. Salazar. 2013. Expanding Card US Chamber of Commerce. https://www.uschamber.com/co/ Acceptance to Small Merchants Globally through Mobile run/finance/payment-aggregator-explained. Point of Sale (MPOS). MasterCard Advisors, May 2013. Katakam, Arunjay. 2014. Setting Up Shop: Strategies for Building https://mpos.mastercard.com/corporate/_assets/img/fea- Effective Merchant Payment Networks. GSMA, October 2014. tures/mpos_white_paper_final_0507.pdf. https://www.gsma.com/mobilefordevelopment/wp-con- Mukharlyamov, Vladimir, and Natasha Sarin. 2019. The Impact of tent/uploads/2014/10/2014_DI_Setting-up-shop_Strate- the Durbin Amendment on Banks, Merchants, and Consum- gies-for-building-effective-merchant-payment-networks.pdf. ers. Faculty Scholarship at Penn Law. Khiaonarong, Tanai, and Terry Goh. 2020. Fintech and Payments Nautiyal, Anant, Bart-Jan Pors, and Bruno Martins. 2020. Regulation: Analytical Framework. IMF Working Paper QR Code Merchant Payments: A Growth Opportunity for WP/20/75, May 2020. Mobile Money Providers. GSMA. https://www.gsma.com/ Kingdom of Thailand. 2017. Payment System Act. October 16, mobilefordevelopment/wp-content/uploads/2020/08/ 2017. https://www.bot.or.th/English/AboutBOT/LawsAnd- QR-Code-Merchant-Payments-A-growth-opportuni- Regulations/SiteAssets/Law_E40_Payment.pdf. ty-for-mobile-money-providers-incl-full-appendices.pdf. Kingdom of Thailand. 2018. Stipulation on Designated Payment OCC (Office of the Comptroller of the Currency). 2008. “Pay- Services. Ministry of Finance. April 17, 2018. https://www.bot. ment Processors: Risk Management Guidance.” OCC Bulletin or.th/Thai/FIPCS/Documents/FPG/2561/EngPDF/25610195. 2008-12, April 24, 2008. https://www.occ.treas.gov/news-is- pdf. suances/bulletins/2008/bulletin-2008-12.html. Lopez, Mariana. 2020. Mobile Money: Driving Formalisation OCC (Office of the Comptroller of the Currency). 2014. Mer- and Building the Resilience of MSMEs. GSMA, June 2020. chant Processing. Version 1.0, August 2014. Booklet in https://www.gsma.com/mobilefordevelopment/wp-con- Comptroller’s Handbook. https://www.occ.gov/publica- tent/uploads/2020/06/Mobile-Money-Driving-formalisa- tions-and-resources/publications/comptrollers-handbook/ tion-and-building-the-resilience-of-MSMEs.pdf. files/merchant-processing/pub-ch-merchant-processing.pdf. MAS (Monetary Authority of Singapore). 2020a. A Guide to Pasti, Francesco, and Anant Nautiyal. 2019. Mobile Money for the Essential Aspects of the Payment Services Act 2019. Enterprise Customers: Addressing the Financial Services https://www.mas.gov.sg/-/media/MAS/Regulations-and-Fi- Needs of MSMEs in Sub-Saharan Africa. GSMA, Febru- nancial-Stability/Regulations-Guidance-and-Licensing/ ary 2019. https://www.gsma.com/mobilefordevelopment/ Payment-Service-Providers/Guide-to-the-Payment-Services- wp-content/uploads/2019/02/GSMA-Mobile-Money-for-En- Act-2019.pdf?la=en&hash=B03712F4EEEE907C39BA2C- terprise-Customers.pdf. 12DE63A545495EE1C2. Peek, Sean. 2020. “A Complete Guide to Payment Gateways.” MAS (Monetary Authority of Singapore). 2020b. Frequently CO by US Chamber of Commerce. https://www.uschamber. Asked Questions (FAQs) on the Payment Services Act (PS com/co/run/finance/payment-gateways-for-business. Act). April 13, 2020. https://www.mas.gov.sg/-/media/MAS/ RBA (Reserve Bank of Australia). 2002. Reform of Credit Card Fintech/Payment-Services-Act/Payment-Services-Act-FAQ- Schemes in Australia IV: Final Reforms and Regulations 13-April-2020.pdf. Impact Statement. August 2002. https://www.rba.gov.au/ Mastercard. 2001. Submission to Reserve Bank of Australia, payments-and-infrastructure/credit-cards/final-reforms/ June 8, 2001 (as revised July 20, 2001). https://www.rba. complete-stmt.pdf. gov.au/payments-and-infrastructure/credit-cards/iii-submis- RBA (Reserve Bank of Australia). 2003. Payments System Board sions-vol2/o1-mastercard-final.pdf. Annual Report 2003. https://www.rba.gov.au/publications/ Mastercard. 2016. “Submission to the RBA Review of Card Pay- annual-reports/psb/2003/pdf/2003-psb-ann-report.pdf. ments Regulation.” February 3, 2016. https://www.rba.gov. RBA (Reserve Bank of Australia). 2004a. Access Regime for au/payments-and-infrastructure/submissions/standards-for- the MasterCard Credit Card System. https://www.rba.gov.au/ card-payments-systems/pdf/mastercard.pdf. media-releases/2014/pdf/mr-14-22-gazette-notice-master- Mastercard. 2017. Building Electronic Payment Acceptance at card.pdf. the Base of the Pyramid to Advance Financial Inclusion. Mas- RBA (Reserve Bank of Australia). 2004b. Access Regime for the tercard, October 2017. Visa Credit Card System. https://www.rba.gov.au/media-re- Mastercard. 2019. Mastercard Rules. December 19. https://www. leases/2014/pdf/mr-14-22-gazette-notice-visa.pdf. mastercard.us/content/dam/mccom/global/documents/mas- RBA (Reserve Bank of Australia). 2016a. The Setting of Inter- tercard-rules.pdf. change Fees in the Designated Credit Card Schemes and Net Mastercard. 2020. Mastercard Switch Rules. December 8, 2020. Payments to Issuers. Standard No. 1 of 2016. https://www. https://www.mastercard.us/content/dam/mccom/global/ rba.gov.au/payments-and-infrastructure/review-of-card-pay- documents/mastercard-switch-rules-manual.pdf. ments-regulation/pdf/standard-no-1-of-2016-credit-card-in- terchange-2017-11-20.pdf. Mastercard. 2021. Mastercard Rules. September 28, 2021. https:// www.mastercard.us/content/dam/mccom/global/docu- RBA (Reserve Bank of Australia). 2016b. The Setting of Inter- ments/mastercard-rules.pdf. change Fees in the Designated Debit and Prepaid Card Schemes and Net Payments to Issuers. Standard No. 2 of McCarty, M. Yasmina. 2012. eWallet Merchant Payments: 2016. https://www.rba.gov.au/payments-and-infrastructure/ GSMA Discussion Paper. GSMA, October 2012. https:// review-of-card-payments-regulation/pdf/standard-no-2-of- www.gsma.com/mobilefordevelopment/wp-content/ 2016-debit-and-prepaid-card-interchange-2017-11-20.pdf. uploads/2012/10/2012_MMU_eWallet-Merchant-Payments. pdf. RBA (Reserve Bank of Australia). 2016c. Scheme Rules Relating to Merchant Pricing for Credit, Debit and Prepaid Card Trans- actions. Standard No. 3 of 2016. https://www.rba.gov.au/ 50 • FINANCIAL INCLUSION GLOBAL INITIATIVE payments-and-infrastructure/review-of-card-payments-reg- RBI (Reserve Bank of India). 2020a. Guidelines on Merchant ulation/pdf/standard-no-3-of-2016-scheme-rules-relating-to- Acquiring Business—Regional Rural Banks. RBI/2019-20/156. merchant-pricing-2016-05-26.pdf. February 6, 2020. https://rbidocs.rbi.org.in/rdocs/notifica- RBA (Reserve Bank of Australia). 2016d. Review of Card Pay- tion/PDFs/NT15652ECFBEA7EA34CD4BA0B069A59DEB- ments Regulation. Conclusions Paper. May 2016. https://www. CFC.PDF. rba.gov.au/payments-and-infrastructure/review-of-card-pay- RBI (Reserve Bank of India). 2020b. Guidelines on Regulation ments-regulation/pdf/review-of-card-payments-regula- of Payment Aggregators and Payment Gateways. RBI/ tion-conclusions-paper-2016-05.pdf. DPSS/2019-20/174, March 17, 2020. https://rbidocs.rbi.org. RBA (Reserve Bank of Australia) and ACCC (Australian Com- in/rdocs/notification/PDFs/NT17460E0944781414C47951B- petition and Consumer Commission). 2000. Debit and 6D79AE4B211C.PDF. Credit Card Schemes in Australia: A Study of Interchange RBI (Reserve Bank of India). 2021a. Framework for Outsourcing Fees and Access. October 2000. https://www.rba.gov.au/ of Payment and Settlement-related Activities by Payment payments-and-infrastructure/resources/publications/pay- System Operators. RBI/2021-22/76, August 3, 2021. https:// ments-au/interchg-fees-study.pdf. rbidocs.rbi.org.in/rdocs/notification/PDFs/NOT765729DDE- RBI (Reserve Bank of India). 2006. Guidelines on Managing 076804962B2A6A35CA343D2F2.PDF. Risks and Code of Conduct in Outsourcing of Financial Ser- RBI (Reserve Bank of India). 2021b. “Statement on Devel- vices by Banks. RBI/2006/167. November 3, 2006. https:// opmental and Regulatory Policies.” February 5, 2021. rbidocs.rbi.org.in/rdocs/notification/PDFs/73713.PDF. https://rbidocs.rbi.org.in/rdocs/PressRelease/PDFs/ RBI (Reserve Bank of India). 2009. Directions for Opening and PR105160464FA5D1484207801CF6B4402501C1.PDF. Operation of Accounts and Settlement of Payments for Republic of Ghana. 2019. Payment Systems and Services Electronic Payment Transactions Involving Intermediaries. Act, 2019. Act 987. https://www.bog.gov.gh/wp-content/ RBI/2009-10231, November 24, 2009. uploads/2019/08/Payment-Systems-and-Services-Act-2019- RBI (Reserve Bank of India). 2011a. Working Group on Securing Act-987-.pdf. Card Present Transactions: Report and Recommendations. Republic of Kenya. 2011. The National Payment System Act, 2011. May 31, 2011. https://rbidocs.rbi.org.in/rdocs/PublicationRe- No. 39 of 2011. https://www.centralbank.go.ke/wp-content/ port/Pdfs/SCP020611FS.pdf. uploads/2016/08/NATIONAL-PAYMENT-SYSTEM-ACT-No- RBI (Reserve Bank of India). 2011b. Security Issues and Risk Mit- 39-of-2011-21.pdf. igation Measures Related to Card Present (CP) Transactions. Republic of Singapore. 2019. Payment Services Act 2019. https:// RBI/2011-12/194. September 22, 2011. https://rbidocs.rbi.org. sso.agc.gov.sg/Acts-Supp/2-2019/Published/20190220?Doc- in/rdocs/notification/PDFs/CPS22092011.PDF. Date=20190220. RBI (Reserve Bank of India). 2015. Guidelines on Managing Risks Safaricom. 2014. Lipa Na M-Pesa Terms and Conditions (2014). and Code of Conduct in Outsourcing of Financial Services https://www.safaricom.co.ke/images/Downloads/Terms_ by Banks. RBI/2014-15/497. March 11, 2015. https://rbidocs.rbi. and_Conditions/lipa_na_m-pesa_terms_and_conditions.pdf. org.in/rdocs/notification/PDFs/497OGCC0315.pdf. Safaricom. 2019. Lipa Na M-Pesa Requirements (2019). https:// RBI (Reserve Bank of India). 2016. Merchant Acquisition for www.safaricom.co.ke/images/LIPA_NA_M-PESA_KYC_ Card Transactions. RBI/2015-2016/410. May 26, 2016. https:// Requirements_2019.pdf. rbidocs.rbi.org.in/rdocs/notification/PDFs/NT410EDB19F- Safaricom. 2020. Do More with the M-Pesa Business Till. https:// 37B07A46D9A6192AA99D7B9732.PDF. www.safaricom.co.ke/images/Downloads/Resources_Down- RBI (Reserve Bank of India). 2017a. Guidelines on Mer- loads/M-PESA_BUSINESS_TILL_Booklet.pdf. chant Acquisition for Card Transactions. RBI/2016- SARB (South African Reserve Bank). 2007. Directive for 17/296. April 28, 2017. https://www.gujfed.com/uploads/ Conduct within the National Payment System in Respect career/0951797001526714599.PDF. of Payments to Third Persons. Directive No. 1 of 2007. RBI (Reserve Bank of India). 2017b. Directions on Manag- https://www.gov.za/sites/default/files/gcis_docu- ing Risks and Code of Conduct in Outsourcing of Finan- ment/201409/3026111100.pdf. cial Services by NBFCs. RBI/2017-18/87. November 9, SARB (South African Reserve Bank). 2014. “Card Results of 2017. https://rbidocs.rbi.org.in/rdocs/Notification/PDFs/ the Interchange Determination Project—Phase 2.” March 20, NT87_091117658624E4F2D041A699F73068D55BF6C5.PDF. 2014. https://www.gov.za/card-results-interchange-determi- RBI (Reserve Bank of India). 2017c. Rationalisation of Merchant nation-project-phase-2. Discount Rate (MDR) for Debit Card Transactions. RBI/2017- SARB (South African Reserve Bank). 2016. Oversight of the 18/105. December 6, 2017. https://www.rbi.org.in/Scripts/ South African National Payment System. https://www. NotificationUser.aspx?Id=11183&Mode=0. resbank.co.za/content/dam/sarb/what-we-do/pay- RBI (Reserve Bank of India). 2019a. Benchmarking India’s ments-and-settlements/regulation-oversight/Oversight.pdf. Payment Systems. Department of Payment and Settlement SBP (State Bank of Pakistan) 2014. Rules for Payment System Systems, June 4, 2019. https://www.rbi.org.in/Scripts/Publi- Operators and Payment Service Providers. PSD Circular No. cationReportDetails.aspx?UrlPage=&ID=923#ANQ. 03 of 2014. https://www.sbp.org.pk/psd/2014/C3.htm. RBI (Reserve Bank of India). 2019b. Discussion Paper on Uzialko, Adam C. 2019. Payment Gateway vs. Payment Proces- Guidelines for Payment Gateways and Payment Aggregators. sor. Business.com, October 29, 2019. https://www.business. Department of Payment and Settlement Systems, September com/articles/payment-gateway-vs-payment-processor/. 17, 2019. https://www.rbi.org.in/Scripts/PublicationReportDe- Visa. 2011. Credit Card Schemes in Australia: A Response to the tails.aspx?UrlPage=&ID=943. Reserve Bank of Australia and Australian Competition and Consumer Commission Joint Study. January 2001. https:// REGULATORY ASPECTS OF INTERMEDIARIES IN ELECTRONIC PAYMENT ACCEPTANCE • 51 www.rba.gov.au/payments-and-infrastructure/credit-cards/ curated/en/839121469729131991/pdf/84076-REPLACE- iii-submissions-vol2/t1-visa-0101.pdf. MENT-FILE-PUBLIC-Developing-comprehensive-national-re- Visa. 2020. Visa Core Rules and Visa Product and Service Rules. tail-payments-strategy.pdf. Public Version 1.2 (1 June). https://usa.visa.com/dam/VCOM/ WBG (World Bank Group). 2016. Cash vs. Electronic Payments in download/about-visa/visa-rules-public.pdf. Small Retailing: Estimating the Global Size. Wadsworth, Jim. 2020. “Why Collaboration and Partnerships WBG (World Bank Group). 2019. Prudential Regulatory and Will Beat the Fraudsters in Open Banking.” Fintech Futures, Supervisory Practices for Fintech: Payments, Credit and June 9, 2020. Deposits. WBG, 2019. Wang, Zhu, Scarlett Schwartz, and Neil Mitchell. 2014. “The WBG (World Bank Group). 2020a. Payment Systems World- Impact of the Durbin Amendment on Merchants: A Survey wide: A Snapshot—Summary Outcomes of the Fifth Global Study.” Economic Quarterly 100, No. 3: 183-208. Payment Systems Survey. June 2020. http://documents1. WB (World Bank). 2005. AML/CFT Regulation: Implications for worldbank.org/curated/en/115211594375402373/pdf/A-Snap- Financial Service Providers That Serve Low-Income People. shot.pdf. Focus Note No. 29, July 2005. World Bank, 2005. https:// WBG (World Bank Group). 2020b. Embedding Digital Finance openknowledge.worldbank.org/handle/10986/12495 License: in e-Commerce Platforms during the COVID-19 Pandemic. CC BY 3.0 IGO. Discussion Note. https://doi.org/10.1596/35001. WBG (World Bank Group). 2012. Developing a Comprehen- WBG (World Bank Group) and WEF (World Economic Forum). sive National Retail Payments Strategy. Financial Infra- 2016. Innovation in Electronic Payment Adoption: The Case of structure Series: Payment Systems Policy and Research, Small Retailers. WBG, June 2016. October 2012. http://documents1.worldbank.org/ 52 • FINANCIAL INCLUSION GLOBAL INITIATIVE