Fintech and the payment ecosystem: Cyprus and the world
Xenia Kalogirou and Ioannis Sidiropoulos of Elias Neocleous & Co consider how Cyprus is faring amid the accelerated pace of e-commerce development across the globe
Fintech is not just a term referring to revolutionary but abstract developments anymore. It is not a remote prospect of practice, but, on the contrary, it is already here claiming an increasingly broad share of the financial transactions. The evolution of innovative technological solutions has not only expedited the digital transformation, but it has also rapidly redefined the payment marketplace.
Covid-19 has been a catalyst for digital payments and the acceleration of e-commerce. Online spending during lockdowns and the use of cards as a payment form instead of cash or performing contactless payments have been widely observed and experienced. Furthermore, the revolution of cryptocurrency, being integrated by payment service providers into the available payment methods, and its increasing acceptance and support by merchants and payment networks has been another factor reshaping the payment ecosystem.
Latest trends across the globe
The significant technological developments in payment services include the convergence of software company (Software-as-a-Service or SaaS) or a non-financial service provider (such as a retailer) with payment processing and the evolution of alternative payment infrastructure through application programming interfaces (APIs), mobile applications, QR codes, blockchain, cloud technology, artificial intelligence (AI) and the internet of things (IoT). The inevitable rise of the following alternative payment methods, is strongly evident in the payment marketplace:
Account-to-account (A2A) payments;
Buy now, pay later (BNPL) schemes which offer instalments and deferred payment options without interest fees on the consumer side; and
Subscription models (Zoom, Netflix, and Spotify are notable examples of platforms offering subscription service).
An institutional aspect of the developments is the revised Payment Services Directive ((EU) 2015/2366) (commonly referred to as PSD2). It encouraged innovation and creativity within the payment ecosystem in many European Union member states, mandated opening banks’ APIs to third parties, and introduced new forms of payment institutions. Cyprus has transposed the PSD2 into national legislation through the Provision and Use of Payment Services and Access to Payment Systems Law of 2018 (Ν. 31(I)/2018) as amended (the PI Law).
In this context, the European Banking Authority (EBA) has identified in its ‘EBA report on the use of digital platforms in the EU’s banking and payments sector’ (EBA/REP/2021/26) published in September 2021, a rapid growth and acceleration in the digitalisation of both front and back-office processes in the EU’s banking and payment sector. It also notes the respective use of digital platforms to ‘bridge’ customers and financial institutions by developing or engaging third-party technologies to facilitate customers in identifying and accessing products and services through digital means.
The insolvency aspect: the UK paradigm
Of course, a prudent approach to the above-mentioned innovative trend must also consider the aspect of corporate/debtor failure and the impact that this may have on individual business relationships and the broader market in general. Various jurisdictions have already been considering regulations and legal frameworks to accommodate the need for greater clarity.
On July 8 2021, the Payment and Electronic Money Institution Insolvency Regulations 2021 (the Regulations) came into force in the UK. The Regulations introduced a new special administration regime for insolvent payment institutions (PIs) and electronic money institutions (EMIs). Insolvent PIs and EMIs will be able to enter into special administration under the Regulations via a court order.
The grounds for applying for an order will depend on the kind and the nature of the activities of the organisation making the application. In any case, the organisation must show that either the PI or EMI is (or is likely to become) unable to pay its debts within the meaning of the Insolvency Act 1986, or that it is fair or in the public interest for the PI or EMI to enter into the special administration. The new special administration procedures under the Regulations are designed to ensure returns to consumer creditors, minimise shortfalls in the amounts available and improve the speed of the process, compared with an administration process under Schedule B1 to the Insolvency Act 1986.
Agreements between PIs and EMIs may include arrangements on safeguarding customer funds, access to identity and financial information and data processing, cloud hosting (or other outsourcing services), and purchasing hardware and software to ensure secure electronic communication infrastructure and networks.
In the case of a special administrator being appointed, the supplier is required to continue to provide the services or goods to the PI or EMI, as applicable, under the terms of the agreement unless the special administrator consents to the termination of the agreement or the supplier remains unpaid for more than 28 days, or the courts have granted permission to the supplier to terminate the agreement.
Developments in Cyprus
Based on a recent study by KPMG International, there has been a substantial increase in the use of digital payments as opposed to the use of cash. More precisely, following March 2020, a significant number of consumers in Cyprus, reaching 81%, chose digital payment methods such as direct debits and electronic transfers, compared to 62% in the period prior to the pandemic.
Payments by card-based payment instrument
On June 16 2021, the Council of Ministers, exercising its powers under the Assessment and Collection of Taxes Laws of 1978 to 2021, issued a decree (the Decree) imposing the obligation on certain categories of businesses (covering mostly wholesale, retail, services and health) in Cyprus to accept card-based payment instruments upon completion of payment transactions by consumers (as published in the Government Gazette on June 18 2021 (ΚΔΠ 259/2021)).
Specifically, ‘card-based payment instruments’ are defined as any payment instruments, including a card, mobile phone, computer or any other technological device containing the appropriate payment application that enables the payer to initiate a card-based payment transaction which is not a credit transfer or a direct debit as defined by Article 2 of Regulation (EU) No 260/2012.
The Decree determines that the obliged entities (i.e. payment beneficiaries) can be considered as conforming with its provisions if the payment is made through a wired or wireless point of sales (POS), a mobile POS, and methods and applications such as virtual POS terminals. It is explained that a cardless credit transfer, cardless direct debit, or alternative means of service such as e-banking cannot be considered a card terminal.
The Decree provides further that the obliged entities must accept payment cards issued through a four-party scheme such as Visa, Mastercard, Maestro, Union Pay, and similar. It is not mandatory to accept payment cards issued through a three-party scheme (i.e. a payment card scheme in which the scheme itself provides acquiring and issuing services and card-based payment transactions are made from the payment account of a payer to the payment account of a payee within the scheme). Furthermore, the Decree obligates the entities to contract with payment system providers licensed under the PI Law to comply with the Decree.
On August 4 2021, the Cyprus’s tax department issued an Enforcement Directive 20/2021, which clarified that the obliged entities shall accept card-based payment instruments regardless of the amount of the payment, the turnover of the business, and irrespective of whether the obliged entity is registered or obliged to register in the VAT register. It was further clarified that the obliged entities shall maintain POS terminal devices at all cash desks and have relevant signs prominently displayed in the entrance and at the cash desks of the business for the information of consumers.
Crypto-asset service providers (the CASPs)
Crypto-assets regulation is still considered terra incognita, with many jurisdictions only now making their first steps on this foggy landscape. Against this background, Cyprus is taking some considerable initiatives to bring clarity to the sector and thus become a more attractive investment venue for this kind of business.
In the context of the implementation of pan-EU requirements, including crypto-asset service providers (CASPs) under the Fifth Anti-Money Laundering Directive (5AMLD), Cyprus recently updated its definition of obliged entities under the Prevention and Suppression of Money Laundering and Terrorist Financing Law 2007 (AML/CFT Law), as amended, to bring CASPs into its scope. Moreover, Cyprus authorities have also decided that Cyprus CASPs should become approved and registered with the Cyprus Securities and Exchange Commission (CySEC).
In particular, on June 25 2021, CySEC, exercising its powers under the section 61E of the AML/CFT Law, issued Directive 269/2021 for the prevention and suppression of money laundering and terrorist financing (Register of Crypto Asset Service Providers) as amended by the Directive 384/2021
(the CASP Directive). CASPs are obliged entities under the AML/CFT Law. Therefore, they shall comply with their obligations arising from the AML/CFT Law, the CASP Directive, and the CySEC Directive for the Prevention and Suppression of Money Laundering and Terrorist Financing (collectively hereinafter the CASP Regulations).
Under the AML/CFT Law, the following entities shall be registered with CySEC:
CASPs which provide or exercise services or activities on a professional basis from Cyprus, regardless of their registration in another EEA member state;
CASPs which provide or exercise services or activities on a professional basis in Cyprus, except persons who provide or exercise services or activities regarding crypto-assets and have been registered in another EEA member state; and
CASPs registered in a third country which provide or exercise services or activities on a professional basis in or from Cyprus.
Pursuant to the provisions of the AML/CFT Law, ‘crypto-asset’ is defined as a digital representation of value that is neither issued nor guaranteed by a central bank or a public authority, it is not necessarily attached to a legally established currency and does not possess a legal status of currency or money, but natural or legal persons accept it as a means of exchange and which can be transferred, stored, and traded electronically, and it is not:
Electronic money, as defined under the Electronic Money Law (L. 81(I)/2012) as amended (the EMI Law) as electronically, including magnetically, stored monetary value as represented by a claim on the issuer, which is issued on receipt of funds for the purpose of making payment transactions and which is accepted by a natural or legal person other than the issuer of electronic money, but with certain exceptions of the EMI Law; or
Financial instruments, as these are specified in Part III of the First Appendix to the Investment Services and Activities and Regulated Markets Law (L.87(I)/2017) as amended (the IF Law).
Further, according to the AML/CFT Law, ‘CASP’ means a person who provides or exercises one or more of the following services or activities to another person or on behalf of another person, which do not fall under the services or activities of the obliged entities mentioned in paragraphs (a) to (h) of Article 2A of the AML/CFT Law (including banking institutions, auditors, tax advisors, legal professionals, real estate agents):
Exchange between crypto-assets and fiat currencies;
Exchange between crypto-assets;
Management, transfer, holding and/or safekeeping, including custody, of crypto-assets or cryptographic keys or means which allow the exercise of control over crypto-assets;
Offering and/or sale of crypto-assets, including the initial offering; and
Participation and/or provision of financial services regarding the distribution, offer and/or sale of crypto assets, including the initial offering.
On September 13 2021, CySEC issued a policy statement on the registration and operations of crypto-asset services providers through the PS-01-2021 (the Policy Statement), which outlines and clarifies the rules under the CASPs Regulations. In anticipation of further elaboration via AML/CFT Directive, the Policy Statement in paragraph 2.2.3 also includes guidance on the travel rule regarding transactions with a value equal to or in excess of one thousand Euros and refers to the obligations of the obliged entities (in their capacity either as originators or beneficiaries) in this respect.
The CASP Regulations are expected to reduce some of the risks involved in crypto-asset activities which are anticipated to be further addressed at the EU level under the proposed Regulation on Markets in Crypto Assets.
Draft Bill on ‘The Distributed Ledger Technology Law of 2021’
In June 2019, the Council of Ministers of Cyprus approved the National Strategy for Decentralized Technologies-Blockchain. The strategy came as a result of the efforts made within the framework of the European Cooperation in Blockchain, which was entered into on June 4 2018 between Cyprus, Greece, Malta, Italy, France, Spain, and Portugal, subject to the relevant Declaration of the Southern Mediterranean Countries on Distributed Ledger Technologies (DLT) of December 4 2018.
This initiative encouraged the use of these technologies in both the public and private sectors (particularly relevant for the financial services sector, where banking and investment transactions will be transformed in the coming years). One of the most interesting points in this strategy was that the Ministry of Finance, in cooperation with the Tax Department and the Registrar of Companies, would coordinate the drafting of a regulatory framework based on certain principles set out in the strategy, to be implemented in Cyprus.
Based on the provisions of the above, a Draft Bill on ‘The Distributed Ledger Technology Law of 2021’ (the DLT Bill) has been prepared under the coordination of the Ministry of Finance.
The DLT Bill seeks to cover inter alia the following topics:
Provision of definitions for distributed ledger technology and crypto-assets;
Creation of legal certainty regarding smart contracts and crypto-assets as an asset; and
Granting powers to CySEC as the competent authority for the issuance of secondary legislation, within the framework of its responsibilities for the supervision of CASPs.
According to the authorities, the DLT Bill aims to facilitate the application of DLT, including blockchain technology, in a technologically neutral way. It seeks to strike a balance between the need for promotion and proper use of new technologies, on the one hand, and the need to avoid money laundering and to safeguard consumer rights, on the other. Additionally, other important matters are included in this legislative initiative, such as the proof and the transfer of ownership of digital assets and the issue of digital signatures. It is considered a pioneering legislative effort, expected to yield solid results earlier than many other jurisdictions.
For the purposes of the potential application of DLT in the Cypriot financial sector, including in the area of payment, clearing, and settlement, it is important to take into account inter alia the guidelines issued under the National Strategy and the work conducted by other European and international organisations as further underlined in the National Strategy such as the report on ‘Distributed ledger technology in payment clearing and settlement’ of the Committee on Payments and Market Infrastructures of the Bank for International Settlements issued in February 2017 (the BIS DLT Report) which sets out an analytical framework for central banks and other authorities to review and analyse the use of this technology for payment, clearing, and settlement.
According to the BIS DLT Report, the framework focuses on the potential implications for:
Efficiency, covering speed of end-to-end processing, cost of processing, speed and transparency in reconciliation, cost of credit and liquidity management, and efficiency gains from automated contract tools;
Safety, covering operational and security risk, settlement issue, legal risk, governance and data management, and protection; and
Broader financial markets, covering connectivity issues and standards development, financial market architecture, and broader financial market risks.
As the size of e-commerce is growing at an accelerated pace across the globe, there is an unprecedented opportunity to create new payment instruments and products, provide more financial choices to customers tailored to their specific needs, use innovative and interoperable technologies and embrace alternative business models under the PSD2 and other regulatory frameworks which stimulate innovation.
Senior associate, Elias Neocleous & Co
Associate, Elias Neocleous & Co