A handful of new and updated regulations have been introduced in the European Union (EU) in the past few years that are changing the way international companies do business — and the changes are far from over. To protect your business, it is important to understand the nuances of each regulation, what is still uncertain, and the implications of non-compliance.
General Data Protection Regulation (GDPR)
The GDPR took effect on May 25, 2018. Designed to set a uniform standard for how organizations collect, use and share the personal data of EU citizens, it impacts any company that transacts with an EU citizen — regardless of where the company or citizen is located. The GDPR replaced the Data Protection Directive of 1995 and the national data protection laws of the EU.
There has been a significant amount of coverage around the GDPR due to its hefty potential fines for non-compliance. The maximum penalty of 4% of global annual turnover or €20 million (whichever is higher) for a data breach resulting in the loss of personal data is enough to put some companies out of business completely. So, if you are not already GDPR compliant, or if you are planning to expand your business into the EU, here are the basics:
- Transparency: Let EU consumers know what data is being collected, explain why you’re collecting it, how long you plan to keep it, and who else you may share it with. This is often done via cookies on a website, along with a page that provides all the details and ways a consumer can opt out. If a data breach does occur, provide full disclosure and information on how the issue is being addressed.
- Opt-In: Obtain opt-in consent (not opt-out!) before collecting any personal data. If you have older information in a marketing database, don’t assume that it’s OK to keep using it if those customers did not expressly opt in.
- Data Ownership: Provide methods for EU consumers to access their data and request their data be deleted (and if they request, make sure you follow through).
The Revised Payment Service Directive (PSD2)
The revised Payment Service Directive (PSD2) came into force on January 13, 2018. It aims to support an integrated EU payments market, create a level playing field for payment service providers, improve the safety and security of payments, and protect consumers from fraud. PSD2 addresses all players in the space, including banks and payment services providers.
Key components of PSD2 include:
- Licensing: Any business providing electronic payments must be registered, licensed and regulated in order to operate in the EU market. This includes platforms that receive payments on behalf of buyers to credit sellers, such as online marketplaces.
- Open Banking: Banks and other financial institutions must make account information available to AISPs (Account Information Service Providers) with the account holder’s consent. This allows AISPs to provide data aggregation insights and offerings from different financial institutions to one account holder. PISPs (Payment Initiation Service Providers) enable payments from the payment account directly to a beneficiary account. Financial institutions are required to grant access to PISPs, typically through APIs. Both AISPs and PISPs require regulatory approval to operate.
- Strong Customer Authentication (SCA): A form of two-factor authentication that is required for payment transactions in Europe. It aims to increase security and reduce fraud while increasing authorization rates. The most common SCA-compliant method for card payments is called 3DS 2.0.
Fifth and Sixth EU Anti-Money Laundering Directives (AMLD5 and AMLD6)
Money laundering is the process by which criminals attempt to make it look like their ill-gotten gains were obtained by legal means. On June 19, 2018, the fifth EU Anti-Money Laundering Directive (AMLD5) was published, amending AMLD4, which went into effect in 2015. EU Member States must transpose the directive into local laws by January 10, 2020. Just a few months later, the EU Directive on combating money laundering by criminal law (known as AMLD6) was introduced. EU Member States must transpose it into local legislation by December 3, 2020. The European Parliament and the European Commission created this directive to complement the application of the 4th and 5th AML Directives.
The goal of AMLD5 is to:
- Substantially reduce the use of anonymous prepaid cards.
- Require each Member State and any international organization accredited to it to keep an up-to-date list of the exact functions that qualify as prominent public functions (the basis for identifying politically exposed persons, PEPs).
- Highlight that the identification and verification of customers (customer due diligence, CDD) must be based on documents, data or information from a reliable and independent source.
- Allow any member of the public to have access to beneficial ownership information held in the register for corporate and other legal entities.
- Add a new article which aims to harmonize the enhanced due diligence (EDD) measures that obligated entities across Member States should apply to business relationships with high risk third countries.
Additionally, AMLD5 requires Member States to create a better environment for information sharing by creating centralized automated mechanisms, such as central registries or central electronic data retrieval systems. This will allow financial intelligence units (FIUs) and competent authorities to identify account holders in a timely manner. FIUs will now be able to acquire any information they need from any obliged entity, even without a previous suspicious transaction report being made.
AMLD6 lists 22 specific predicate offenses (an offense that is part of a larger criminal offense or scheme) for money laundering, which all EU Member States must criminalize and sign into law by December 3, 2020. Regulated entities will have until June 3, 2021 to implement relevant regulations.
AMLD6 will expand the list of money laundering offenses, including “aiding and abetting,” and will crack down harder on offenders. All EU states will be required to set a minimum imprisonment of at least four years for money laundering offenses (up from one year). Any sentence may be supplemented with ‘effective, proportionate and dissuasive sanctions’ which can be combined with fines. This includes the full shut-down of a business. And the penalties are not limited just to businesses. With AMLD6, criminal liability may be extended to individuals who commit offenses for the benefit of their organization.
Due to the continuing evolution of anti-money laundering directives and definitions, it can be challenging for organizations to keep up with the requirements surrounding payments. This is therefore another area that many companies outsource to experts in the field.
Brexit, or the British exit from the European Union, was originally scheduled for March 29, 2019. But that date has been delayed twice as the EU and UK have failed to come to an agreement over the terms of their future relationship. The current date set for Brexit is January 31, 2020.
What does that mean for the application of EU regulations to and for the UK? Under the withdrawal agreement as it currently stands, not much — but nothing is certain at this time. When it comes down to it, it appears that:
- GDPR will continue to apply.
- PSD2 will continue to apply, even with the rollout of SCA.
- AMLD5 / AMLD6 — the Brexit transitional period will likely extend past the implementation date, binding the UK to implement the directive’s requirements.
Payoneer in the Wake of Changing Regulations
Payoneer operates under a robust, risk-based compliance program that addresses and adapts to the evolving regulatory requirements of each country in which we operate.
We are actively monitoring Brexit. If the UK does exit the European Union, we have measures in place to ensure we will seamlessly continue to conduct business in all regions with no impact to our customers.