E-Finance & Payments Law & Policy, March 2013

FTC issues privacy focussed mobile payments report

The Federal Trade Commission issued a staff report on 8 March as part of its efforts to increase consumer protection in the emergent mobile payments marketplace, highlighting key consumer protection issues.

“The FTC has determined that providers can do more to advance m-payments,” said Michelle Cohen, Member of Ifrah Law, “in other words, the FTC actually thinks m-payments are a solid option for consumers, but wants to ensure consumers feel secure and are protected from fraud and unfair practices.”

The report ‘Paper, Plastic…or Mobile? An FTC Workshop on Mobile Payments,’ complements a workshop held by the Commission in 2012, and explores three areas of concern: “Disputes concerning fraudulent payments and unauthorised charges, data security, and privacy,” explains Cohen. “A key take away is the FTC’s view that m-payment providers should deliver disclosures clearly and conspicuously, afford consumers a reasonable mechanism for disputing charges, and be mindful of establishing protocols to protect consumer privacy,” explains Ryan H. Rogers, Associate at Morrison & Foerster.

“When the FTC convened a workshop on m-payments last year, more than anything else – it was to put concerns about customer privacy, front and centre of the m-payments narrative,” said Cherian Abraham, Mobile Commerce Lead at Experian Global Consulting. The FTC recommends that m-payment providers practise ‘privacy by design’ when developing products.

One particular concern highlighted by the report involves ‘cramming,’ whereby third parties place unauthorised charges on mobile phone bills (an issue that will be discussed at an additional FTC roundtable in May). However, Dax Hansen, Attorney-At-Law at Perkins Coie LLP, questions whether cramming is really a big issue. “Reports from direct carrier billing aggregators suggest a low level of complaints in regards to wireless cramming,” explains Hansen.

“While all players in the ecosystem need to remain focused on providing good consumer protections,” continues Hansen, “we should be cautious not to burden with regulation a convenient, low cost, consumer payment solution.” Rogers agrees: “Regulatory prescriptions are unnecessary at this time and especially so in the absence of any evidence that mobile payments are not secure.”

EC drops 18-month investigation into EPC standardisation process

The European Commission (EC) closed on 22 February its 18-month investigation into the European Payments Council’s (EPC) proposed standardisation process for e-payments. “The EC was concerned that the standardisation process would have excluded non-bank players from the sector, because only banks would have been able to meet the relevant criteria,” explains Paul Stone, Partner at Charles Russell.

EU Competition Commissioner Joaquín Almunia said the investigation ended as the “EPC decided to abandon its work in [the standardisation] area.” The EC has advised that legislative proposals due in summer will, inter alia, address market entry barriers. “The EC has flagged that it will keep standardisation under review as it sees the area as an important part of creating and maintaining an effective open market,” said John Worthy, Partner at Field Fisher Waterhouse.

“The introduction of e-payment services ties in very closely with the EC’s aims of ensuring that the EU single market is a world leader in e-commerce,” said Nathalie Moreno, Partner at Speechly Bircham. Moreno highlights the EC’s 2012 paper, ‘Towards an integrated European market for card, internet and mobile payments,’ “which discusses plans to promote and instigate standardisation in order to achieve interoperability. A policy of broad, integrated standardisation in paperless payment services might therefore have been a factor behind the EC dropping the EPC case.”

Bankinter app is “another way” for NFC

Bankinter, the Spanish bank, unveiled on 4 March a contactless m-payments service which eliminates the need for a secure element inside the handset, marking the first time a service provider can offer an NFC service without needing a manufacturer or telco to produce the secure element.

“The Bankinter solution is not necessarily the complete answer but it proves there’s another way of doing it,” said Chris Jones, Principal Consultant at PSE Consulting. “The fact this is workable as a proof of concept is interesting.”

Each time Bankinter customers use the service, a unique virtual version of the consumer’s card is downloaded via an app, enabling payment. Commenting on Bankinter’s move, Richard Kemp, Senior Partner at Kemp Little, adds that banks “are majoring on avoiding fragmentation” but “who best answers the question ‘who owns the customer?’ could well emerge the winners.”

Jones, meanwhile, believes that “A software solution that overcomes a technical problem and presents a simple model for consumers: will lead to a game-changing approach to m-payments.”

IN THIS ISSUE
Editorial 03
AML HSBC failures 04
Cramming FTC settlement 06
M-Commerce Joint ventures 08
FATCA Regulations 10
Q&A Jason Oxman, CEO of the ETA 13
Europe The 4th AML Directive 14
E-Money France 16

THE NEWSLETTER FOR THE E-FINANCE INDUSTRY
MARCH 2013 VOLUME 07 ISSUE 03
WWW.E-COMLAW.COM

description

Ben Brown, a Consultant at First Annapolis, writes about the risks and benefits of collaboration in mobile commerce.

Transcript of E-Finance & Payments Law & Policy, March 2013


Page 2: E-Finance & Payments Law & Policy, March 2013


CECILE PARK PUBLISHING
Managing Editor Lindsey [email protected] Editor Sophie [email protected] Assistant Simon [email protected] David [email protected] +44 (0)20 7012 1387
Design MadeInEarnest www.madeinearnest.com

E-Finance & Payments Law & Policy is published monthly by Cecile Park Publishing Limited, 17 The Timber Yard, Drysdale Street, London N1 6ND, telephone +44 (0)20 7012 1380, facsimile +44 (0)20 7729 6093, www.e-comlaw.com
© Cecile Park Publishing Limited. All rights reserved. Publication in whole or in part in any medium, electronic or otherwise, without written permission is strictly prohibited. ISSN 1752-6957. Please note the opinions of the editors and contributors are their own and do not necessarily represent those of any firm or organisation.


John M. Casanova, Editor
Sidley Austin LLP
John M. Casanova is a partner in the London office of Sidley Austin LLP. Casanova advises clients on a wide variety of US and English financial services regulatory and transactional matters, including payments and consumer credit. Casanova is a regular contributor to legal journals including the Review of Banking and Financial Services, the Journal of International Banking Law and the American Bar Association’s Business Law Journal. Casanova is a contributing editor on electronic money and payment systems to Butterworths Financial [email protected]

William R.M. Long, Editor
Sidley Austin LLP
William R.M. Long is a partner in the London office of Sidley Austin LLP. Long advises international clients on a wide variety of regulatory and transactional matters relating to payments, e-money, data protection, outsourcing and IT. Long has been a member of a number of working groups in London and Europe looking at the EU regulation of on-line financial services and spent a year at the UK’s Financial Law Panel, as assistant to the Chief Executive. Long is a regular contributor to legal journals including the Journal of Electronic Business Law, E-Commerce Law and Policy and the Journal of International Banking and Finance [email protected]

David Birch
Consult Hyperion
David Birch is a Director of Consult Hyperion, the IT management consultancy that specialises in electronic transactions, where he provides specialist consultancy support to clients around the world. Birch is a member of the advisory board for European Business Review, a columnist for SPEED and UK correspondent to the Journal of Internet Banking and Commerce. He is well-known for his more than 100 Second Sight columns in The Guardian. He is a media commentator on electronic business issues and has appeared on BBC television and radio, Sky and other channels around the world. Visiting Tutor at the Visa Business School since 2001, and lecturer at the annual Bank Card Business [email protected]

David Butterworth
Skanco Business Systems Ltd
David Butterworth is the Managing Director of Isle of Man based corporate IT service providers Skanco Business Systems. Skanco works with a variety of offshore concerns, including developing holistic solutions for major players in the eGaming and financial services sectors. David manages the deployment of innovative software and networking solutions within these areas. Formerly the CEO of a significant electronic funds transfer company, he has expertise across a wide range of technology based industries. David is also involved with public-private partnerships promoting education on cybercrime prevention and other key areas of industry concern and policy.

John Chaplin
Ixaris Payments
John Chaplin has been at the forefront of European card payments in Europe for 25 years. He held a number of senior executive positions at Visa International including running their European processing business. He also was a key player at First Data for several years and an adviser to the European Commission on SEPA. He is currently Chairman of Ixaris Payments (the open platform provider), a director of Anthemis Edge (payments advisory) and a Board Director of Interswitch Nigeria (payment networks and card schemes). He is the organiser of the Global Payments Innovation Jury that convenes every 2 years.

Michelle Cohen
Ifrah Law PLLC
Michelle is a Member and Chairs the E-Commerce practice in the Washington, D.C. law firm Ifrah Law PLLC. She advises clients on a broad range of e-business, privacy and data security, consumer protection and communications-related matters. Cohen is a Certified Information Privacy Professional (CIPP-US), as credentialed by a rigorous examination conducted by the International Association of Privacy Professionals. An ALM 2012 Top Rated Lawyer – Technology Law, Michelle is a graduate of Brandeis University and Emory University School of Law, and is admitted to the District of Columbia and New York Bars. She frequently speaks and writes about online commerce, cybersecurity, and advertising [email protected]

Erin Fonté
Cox Smith
Erin Fonté is a shareholder and payments lawyer in the Austin, TX office of Cox Smith. She advises financial institutions (on both retail and commercial banking products), stored value/alternative payments providers, mobile banking and mobile payments providers, vendors and retailers regarding financial services issues, payments systems laws (including card network association rules), and all related legal, regulatory and licensing issues. She has specific experience with the development and roll-out of mobile wallet products, including associated mobile loyalty and advertising components, as well as ‘x-commerce’ or ‘anywhere commerce’ products that include e-commerce, mobile commerce, and television/set-top commerce. Erin chairs the firm's Privacy and Data Security Practice, is a Certified Information Privacy Professional (CIPP-US) as certified by the International Association of Privacy Professionals, and has experience with a broad range of matters related to privacy/data protection laws and cybersecurity issues. Erin is a graduate of the University of Texas at Austin and Stanford Law School, and is admitted to the California and [email protected]

Darren Hodder
Fraud Consulting Ltd
Darren is the director of Fraud Consulting Ltd, which was incorporated in July 2009 to provide vendor neutral fraud consultancy services to clients covering financial services, banking, telecommunications, insurance industries and public sector bodies, both in the UK and internationally. A frequent speaker and contributor to forums such as The Fraud Advisory Panel, IAFCI and The Fraud Prevention Forum, Darren has established himself as a domain expert and specialist on technical, data, and software solutions for fraud risk issues with specific expertise in data sharing, identity management, originations and payments fraud, and fraud risk for online transactions & [email protected]

Chris Jones
PSE Consulting
Chris Jones is a Principal Consultant with over 11 years' experience working for PSE Consulting and Accenture. He has worked for many of the major mobile telecommunication companies, assisting in developing their business strategies and implementing change programmes and the use of mobile technology for micro, internet and physical world payments.

Dr Nathalie Moreno
Speechly Bircham
Dr Nathalie Moreno is a highly qualified international technology partner, with over twenty years' experience in advising clients operating in the communications, information technology and e-commerce sectors across EMEA and globally. Nathalie advises multinational Information and Communication Technology (ICT) Service Providers (including telecommunications operators) on transactions, ranging from commercial agreements to complex outsourcing deals. She also has in-depth expertise on telecommunications and satellite licensing and regulations. She heads a team of EU dual-qualified lawyers who have a unique expertise in managing multi-jurisdictional projects whether on cross border IT/BPO outsourcing and managed services, or on IT and telecommunications implementation and infrastructure in EMEA or on global data protection audit and compliance data protection. She is ranked among the top lawyers in IT and Telecoms in the Europe Legal Expert [email protected]

Michael Robertson
HSBC
Michael Robertson is a Managing Director and global head of Transactional Foreign Exchange for HSBC. Based in London, he is responsible for the strategic direction and management of all payments-related FX that runs through the bank's internal business units as well as that which they manage on behalf of clients across the bank's 94 country footprint. With over 20 years of banking, marketing and technology experience, Michael is deeply interested in payment flows and instruments, traditional as well as emerging.


editorial board


We are delighted to welcome Erin Fonté, shareholder and payments lawyer at Cox Smith, to the E-Finance & Payments Law & Policy Editorial Board.

Page 3: E-Finance & Payments Law & Policy, March 2013


Mobile: The developing regulatory landscape

EDITORIAL


Over the last decade the capabilities of mobile phones have increased dramatically, particularly with the huge growth in use of the smartphone and tablet. This has also led to the rapid increase in mobile payments. An average smartphone user is now reported to download 37 apps with over 1,600 new apps added to app stores daily and over 45 billion apps forecasted to have been downloaded in 2012.

Although this rapid growth in mobile commerce is of enormous value to the economy it can result in unique challenges. Mobile phones process increasingly large amounts of personal data including data on location, contacts, identifiers, browsing history, email as well as credit card and payment data. This data also may be shared with third parties, for example, to send consumers targeted advertisements. There are also many different parties involved in development, distribution and operation of apps including app developers, manufacturers of the Operating System and device, the app stores, third parties such as analytics providers and communications service providers and not forgetting the end user.

In the EU, the Article 29 Working Party published last week its Opinion on apps on smart devices. At the same time, in the US the Federal Trade Commission recently issued a series of recommendations aimed at improving privacy protections in respect of mobile payments following a workshop they held on 30 May 2012.

The Working Party identifies that the key data protection risk to end users is the lack of transparency and awareness of the types of processing an app may undertake combined with a lack of meaningful consent from end users before the processing takes place. The Working Party comments that many apps do not have a privacy policy and strongly recommends use of icons and layered notices. The requirements are not just limited to businesses in the EU, with the Working Party commenting that the consent requirements in the ePrivacy Directive apply to every entity that places on or reads information from smart devices where the services are to individuals living in the European Economic Area. In relation to consent, app developers are required to ask for consent before the app starts to retrieve or place information on the device with consent for each type of data that the app will access, including credit card and payment data. Users must also be able to revoke their consent and uninstall the app and delete the data where appropriate.

The Working Party also identifies another data protection risk, disregard for the principle of purpose limitation, which requires that personal data may only be collected and processed for specific and legitimate purposes and also excludes sudden changes in key conditions of the processing. The purpose limitation goes together with the principle of data minimisation to only collect data strictly necessary to perform the desired functionality. Device identifiers are also required not to be used for advertising or analytics due to the inability of users to revoke their consent. Users should also be able to exercise their rights of access, rectification, erasure and the right to object to data processing, with the Working Party recommending online access tools where the user can get instant access to the data being processed about them.

Security is a key issue for mobile and particularly mobile payments due to the potential loss of financial information. The Working Party provides that all parties should take the principles of privacy by design and privacy by default into account at all stages of the design and implementation of the app with an ongoing assessment of data protection risks and use of mitigating measures. One suggestion put forward by the FTC is the use of end-to-end data encryption throughout the mobile payment system. It has also been suggested that more secure methods, such as voice or facial recognition, could be used to enhance authentication in mobile payment systems.

According to the Working Party the fragmented nature of the mobile app ecosystem, the wide range of technical access possibilities to data stored in or generated by mobile devices and the lack of legal awareness amongst developers creates data protection risks for app users. At the same time other parties involved in mobile and mobile payments, such as device manufacturers, app stores and third parties also have to collaborate to achieve high privacy standards and encourage trust among customers to ensure the continued success of mobile and mobile payments.

William Long, Partner
Sidley Austin [email protected]

Page 4: E-Finance & Payments Law & Policy, March 2013


AML

Systematic anti-money laundering failures at HSBC

The scale of the allegations, concerning failures to implement anti-money laundering controls, made by US authorities against the UK-based bank HSBC, is striking - as is the size of the settlement signed by HSBC in response to the investigation by the US Senate Permanent Subcommittee. The Subcommittee's report catalogued HSBC's failures to protect the US financial system from exposure to vulnerabilities. Steven Philippsohn, of PCB Litigation, examines the allegations made against HSBC and the conclusions that can be drawn from the Subcommittee's report.

In December 2012 it was widely reported[1] that HSBC, one of the largest financial institutions in the world with operations in 80 countries, had entered into a record settlement agreement with financial sector regulators in the United States worth USD 1.9bn (approximately GBP 1.17bn) in relation to allegations that the global banking giant and its US affiliate exposed the US financial system to significant risks arising out of money laundering, terrorist financing and drug trafficking due to a systemic failure to implement strict anti-money laundering (AML) controls, failures which stemmed from negligence or, in the most egregious cases, even collusion by top management.

The settlement has resulted in HSBC signing a Deferred Prosecution Agreement for breaches of various US financial legislative and regulatory measures, including the Bank Secrecy Act, the Trading with the Enemy Act and assorted money laundering offences. This agreement has the effect of deferring any further action by the US authorities on the condition that the issues raised are addressed by the bank and measures put in place to prevent such widespread abuse of the financial system from taking place again. This is, in effect, "putting the bank on probation."[2]

The accusations were set out in a report published in July 2012 by the US Senate Permanent Subcommittee on Investigations (PSI) following investigations, subpoenas and a series of hearings in which top executives in place at HSBC both before and after the events in question took place were questioned and gave testimony[3]. The PSI was tasked with carrying out a broad examination into the issue of money laundering and terrorist financing vulnerabilities created when a global bank uses its US affiliate to provide US dollars, US dollar services, and access to the US financial system to high risk affiliates, high risk correspondent banks, and high risk clients. HSBC which, through its US affiliate HSBC Bank USA N.A. (HBUS), operates more than 470 bank branches throughout the United States, manages assets totalling about USD 200bn and serves around 3.8 million customers, was used as a case study for the purposes of the investigation, and the report made a number of findings of fact putting HSBC in the frame for various breaches of financial regulations.

The list of allegations levelled against the UK-based bank reads like a charge sheet for a major international crime syndicate. The report highlights the most flagrant breaches which can be summarised as follows:

Providing banking services for high risk affiliates

HBUS offered various correspondent banking services to other financial institutions, enabling the latter to move funds, exchange currencies, cash monetary instruments or carry out other financial transactions. The PSI found that these services were being offered to an affiliated bank in Mexico in respect of which, as a result of a HSBC group policy designating all affiliated institutions as low risk, only very limited AML procedures were carried out. However, due to the fact that Mexico was 'a country under siege from drug crime, violence and money laundering,'[4] and due to the fact that the Mexican bank had high-risk clients, additional checks and due diligence should have been carried out.

Circumventing regulatory safeguards designed to block transactions

There are various regulatory safeguards in place in the US designed to prevent some of the most dangerous persons and jurisdictions in the world from having access to the US financial system. These measures include the maintenance of a black list of prohibited persons and countries which banks use to create filters, flagging potentially prohibited transactions for review by compliance personnel. It was found that HSBC had taken active steps to circumvent this filter when processing transactions with potentially blacklisted counterparties through its account by stripping the wire transfers of any sensitive information, resulting in transactions worth more than USD 367 million being carried out involving Iran, Burma, Cuba, North Korea, Sudan and other prohibited countries or persons, many of which are likely to have either directly or indirectly financed terrorism[5].

Page 5: E-Finance & Payments Law & Policy, March 2013

Terrorist financing connections

A large proportion of HSBC's business has typically been carried out in Asia, Africa and the Middle East, in particular Saudi Arabia, a region in respect of which players in the financial markets need to be particularly vigilant as a result of the increased possibility of parties having links to terrorist organisations. The Report highlights the transactions carried out with Al Rajhi Bank, one of Saudi Arabia's largest private financial institutions, whose key founder was an early financial benefactor of Al Qaeda. Due to concerns over such links with terrorist organisations, HSBC attempted to sever ties with the Saudi bank, only to relent to pressure from its owners to re-establish the relationship. It was revealed that HBUS had provided Al Rajhi Bank with almost USD 1bn in US banknotes up until 2010 when a global decision was taken by HSBC to shut down its banknotes programme.

Offering bearer share accounts

Bearer share companies are corporate entities whose ownership is proved by the fact of possession of the share certificate in that company. Without a share register and without records being taken of dealings in the shares, it can be very difficult to establish beneficial ownership and, therefore, this type of corporation is often used as an instrument of fraud. Use of such accounts has largely been phased out globally but HBUS resisted attempts to shut down this side of its business and failed to implement more stringent AML controls in respect of it. Over the course of a decade, HBUS opened over 2,000 accounts in the name of bearer share corporations, holding billions of dollars worth of assets[6].

Clearing suspicious bulk travellers cheques

The Report describes how HBUS cleared more than USD 290 million in bulk travellers cheques for a Japanese bank with inadequate AML controls[7]. The travellers cheques had been purchased by individuals in Russia, a country at high risk of money laundering.

Conclusions

It is clear from the above examples of the numerous breaches of AML regulations that took place at HSBC and HBUS that there was a systemic failure of the banks' compliance procedures, ranging from oversight and negligence at one end of the spectrum to collusion and fraud at the other. What is also clear from the Report and the reaction of the management to its findings and recommendations is that this was a systemic failure of personnel, from bank staff and compliance officers on the ground all the way up to the upper echelons of executive management[8].

However, even in a situation where managers and executives are intent on circumventing restrictions in order to carry out lucrative transactions, the physical systems that are in place surely have a significant role to play in preventing such transactions being carried out unimpeded. For example, the Report highlights how transactions associated with non-US dollar transactions raised payment messages displaying sensitive information. These messages were stored electronically on servers in the US and should have been processed through the appropriate black-list filters by bank personnel, but it was revealed how these filters were switched off[9]. The ease with which this was carried out and the lack of any kind of feedback or flag being raised with the regulatory authorities as a result of this system being routinely overridden is surely concerning for regulators overseeing the financial system and participants in that system whose faith in its integrity will inevitably be shaken by these findings.

Whilst the measures and sanctions taken by the US regulators in response to these failures will of course focus upon the personnel element of the system (all of the recommendations set out in the Report are directed at improving the monitoring and relationship management functions crucial to any effective compliance function[10]) it goes without saying that improvements will also need to be made to the physical systems in place within the bank and across the financial system as a whole. It is likely that, in response to the HSBC money laundering scandal, regulators may demand greater direct access to a firm's monitoring systems and the compulsory implementation of processes which facilitate anonymous whistle-blowing in order to detect any potential risk at an early stage.

Steven Philippsohn
PCB Litigation

1. See: http://online.wsj.com/article/SB10001424127887324478304578171650887467568.html#printMode; http://www.telegraph.co.uk/finance/financial-crime/9736167/HSBC-pays-1.92bn-to-settle-US-money-laundering-claims.html
2. http://www.bbc.co.uk/news/business-20673466
3. US Vulnerabilities to Money Laundering, Drugs, and Terrorist Financing: HSBC Case History, 17 July 2012 (http://www.hsgac.senate.gov/subcommittees/investigations/hearings/us-vulnerabilities-to-money-laundering-drugs-and-terrorist-financing-hsbc-case-history).
4. Report, page 4.
5. Report, page 6.
6. Report, page 8.
7. Report, page 7.
8. See: http://www.guardian.co.uk/business/2012/dec/14/hsbc-money-laundering-fine-management
9. Report, page 183.
10. Report, pages 11 and 12.


FTC shuts down pervasive 'cramming' operation

The Federal Trade Commission has initiated an action in the Nevada federal court against a self-described 'pioneer in the automation of financial systems,' Ideal, and other companies, over allegations that the Defendants were engaging in 'cramming,' a practice whereby a person or company charges consumer debit or credit cards or bank accounts, having acquired that information elsewhere, for purchases the consumer had not asked for. Matthew E. Liebson, a Partner at Thompson Hine LLP, discusses the FTC's complaint and explains how 'cramming' works in practice.

In an action initiated in Nevada federal court on 28 January 2013, the Federal Trade Commission alleges that Ideal Financial Solutions, Inc., ('Ideal') together with several officers and executives of Ideal and a group of allegedly interconnected companies engaged in a pervasive 'cramming' scheme. The FTC alleges that Ideal and its affiliates purchased consumer information from third parties, then charged the consumers' credit cards or debited their bank accounts without authorisation for alleged financial services or products that were neither ordered by the consumers nor delivered to them. The complaint alleged claims of unfair billing practices, deceptive billing practices, and deceptive statements that consumers authorised payment in violation of Section 5 of the FTC Act. Judge Miranda M. Du granted the FTC's motion for a temporary restraining order on 30 January 2013 and the FTC's subsequent ex parte motion for preliminary injunction on 15 February 2013. A temporary receiver has been appointed to take possession of the defendants' business premises and websites (alleged to include more than 230 domain names). The litigation remains pending, and the Defendants have not yet responded to the FTC's allegations. While the court's grant of a temporary restraining order and preliminary injunction indicate the Court's view that the FTC is likely to succeed on the merits of its action, there has been no final adjudication.

Ideal, publicly traded 'over the counter' and listed on OTCBB, described itself as a 'pioneer in the automation of financial systems and processes.' Ideal's website offered a software tool called 'CashFlow Management,' designed to assist individuals in determining how to optimise debt payments. The FTC, on the other hand, alleges that Ideal, through dozens of alleged shell companies, obtained merchant accounts with payment processors and used those accounts to bill consumers without their consent for products or services they did not order or receive, using a name of a 'billing campaign' and a phone number. Of note, a number of Ideal executives and officers have previously been investigated for other financial or consumer frauds, have had cease and desist orders issued against them, or are involved in consumer fraud litigation.

According to the FTC, many consumers did not notice the charges, but Ideal and its affiliates nonetheless received thousands of complaint calls stemming from the charges and billings. Using its own call centre in St. George, Utah, as well as another call centre vendor, it is alleged that Ideal then attempted to fend off thousands of consumer complaints by making false representations regarding the source of the charges, and making refunds if consumers persisted in their complaints. In some debiting 'campaigns,' the FTC alleges that up to 57% and 68% of consumers rejected the charges. The FTC also alleges that call centre agents were unable or unwilling to identify to consumers how their account numbers were obtained, and that agents were instructed to 'tell consumers that the agents do not [know] the source of consumers' information' or to actively misrepresent that the caller had purchased a product from Ideal. According to the preliminary injunction entered on 15 February 2013, consumers were told that the allegedly purchased products were 'financial consulting services relating to payday loans, or insurance policies that protected against defaults of payday loans, or similar phony services connected to payday loans that consumers had applied for.'

The FTC alleges that the Defendants obtained over $24 million - in transactions rarely exceeding $30 at a time - through their unauthorised billing schemes and that the schemes continued even after Ideal affiliate Avanix LLC learned that it was under investigation by the Utah Attorney General's office. The court-ordered temporary restraining order and preliminary investigation includes an asset freeze, expedited discovery to determine the extent of Defendants' dealings and assets, as well as the consumer information in their possession, and the appointment of a temporary receiver to take possession of defendants' business premises and web domains.

Ideal's operations, as described by the FTC, depended on careful manipulation of electric billing practices and the merchant accounts with payment processors necessary to obtain funds from consumers. Ideal is alleged to have purchased consumer information - including bank account numbers - from third parties, notably internet-based payday lenders. The FTC noted in the memorandum in support of its motion for a temporary restraining order that XM Brands, identified by Ideal in an SEC Filing as its primary source of consumer leads, has itself been sued by the states of Florida and North Dakota in the wake of consumer complaints that they were billed by XM for products they did not order. Some consumers whose accounts were charged by Ideal claim that they merely typed - but did not submit - information on payday loan websites, raising the possibility that the loan sites may be utilising keystroke capture techniques.

The FTC alleges that Ideal utilised a series of shell companies to acquire merchant accounts to process credit card and bank account debit transactions. Constant reshuffling of entities and merchant accounts was required, because the merchant accounts were frequently shut down due to what the FTC describes as 'sky high' return rates for both credit card and debit card transactions. The FTC indicated that Defendants' chargeback rates for credit cards reached 12%, even though credit card companies view even a 1% chargeback rate as sufficient cause to place a merchant in a fraud monitoring program, and that one of the Defendants had its Visa merchant account terminated in 2010. With respect to debit cards, the FTC alleged that Defendants' 'Unauthorised Return Rate' (the percentage of transactions reversed by the processor as unauthorised, divided by the total number of debits initiated by the merchant) was near 3%, more than 90 times the industry average Unauthorised Return Rate of 0.03%, and that the Average Total Return rate (transactions reversed by the processor for any reason, including closed accounts or insufficient funds in addition to lack of authorisation) for Defendants ranged from 54 to 63 percent, a high multiple of the industry average of 1.52%.

Ideal itself apparently offered a different explanation for the transition from credit card billing to direct debiting of bank accounts. The Wikipedia entry for Ideal states that in 2010, '[t]he company also became increasingly less reliant on credit cards for its payments, a move it declared in press releases was a necessity due to perceived instability in the credit card processing arena and due to the company's core belief that consumers should avoid high interest rate credit cards.' Nonetheless, according to the FTC, elevated return rates persisted, even after Defendants attempted to manipulate them by utilising multiple 'penny debits' (that were then returned in a single transaction) to inflate total transaction numbers. It is alleged that many merchant accounts were obtained through use of fictitious business names with a 'virtual storefront' and distinct phone numbers, mail drops, billing descriptors and bank accounts.

Ideal's alleged 'cramming' operations are notable not only for their sheer scope and alleged audacity, but also for making the transition from 'cramming' of phone bills to 'cramming' of credit cards and bank accounts. For consumers, the Ideal complaint underscores both the need for careful line-by-line review of credit card and bank statements and for increased sensitivity regarding the dissemination of financial account information using the internet. For processors, the FTC's recent actions serve as a reminder for vigilance in flagging merchant accounts experiencing high chargeback or unauthorised return rates, as well as the potential for the use of 'penny debiting' as a mechanism for return rate manipulation.

Matthew E. Liebson, Partner
Thompson Hine
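The return-rate monitoring that the article urges on processors, as an added example (it is not taken from the article or from the FTC's filings): it computes the Unauthorised Return Rate and total return rate as defined above, then recomputes them with 'penny debits' excluded so that an inflated denominator cannot hide the real rates. The industry averages are the figures quoted in the article; the micro-debit ceiling, the alert multiple and the sample ledgers are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, Iterable, List, Optional, Tuple

# Industry averages quoted in the article.
INDUSTRY_UNAUTH_RETURN_RATE = 0.0003  # 0.03%
INDUSTRY_TOTAL_RETURN_RATE = 0.0152   # 1.52%

# Assumptions made for this example (not values from the article).
MICRO_DEBIT_CEILING = Decimal("1.00")  # smaller debits are treated as "penny debits"
ALERT_MULTIPLE = 10                    # alert at 10x the industry average
MICRO_SHARE_ALERT = 0.20               # alert when >20% of debits are penny debits


@dataclass(frozen=True)
class Debit:
    amount: Decimal
    return_reason: Optional[str] = None  # None, "unauthorised", "nsf" or "closed"


def return_rates(debits: Iterable[Debit]) -> Tuple[float, float]:
    """Return (unauthorised return rate, total return rate).

    Both are counts of returned debits divided by debits initiated,
    matching the definitions given in the article.
    """
    items = list(debits)
    if not items:
        return 0.0, 0.0
    unauthorised = sum(1 for d in items if d.return_reason == "unauthorised")
    returned = sum(1 for d in items if d.return_reason is not None)
    return unauthorised / len(items), returned / len(items)


def _alerts(unauth_rate: float, total_rate: float) -> List[str]:
    alerts = []
    if unauth_rate > ALERT_MULTIPLE * INDUSTRY_UNAUTH_RETURN_RATE:
        alerts.append("unauthorised_return_rate")
    if total_rate > ALERT_MULTIPLE * INDUSTRY_TOTAL_RETURN_RATE:
        alerts.append("total_return_rate")
    return alerts


def assess_merchant(debits: Iterable[Debit]) -> Dict[str, object]:
    """Score one merchant account on raw and penny-debit-adjusted return rates."""
    items = list(debits)
    real = [d for d in items if d.amount >= MICRO_DEBIT_CEILING]
    raw = return_rates(items)
    adjusted = return_rates(real)
    micro_share = (len(items) - len(real)) / len(items) if items else 0.0

    alerts = _alerts(*adjusted)
    # Many tiny debits that push the raw rate below the adjusted one are
    # the dilution pattern the article calls "penny debiting".
    if micro_share > MICRO_SHARE_ALERT and adjusted[0] > raw[0]:
        alerts.append("penny_debit_dilution")
    return {
        "raw": raw,
        "adjusted": adjusted,
        "micro_share": micro_share,
        "raw_alerts": _alerts(*raw),  # what naive monitoring would raise
        "alerts": alerts,
    }


def constructed_ledger(n: int, unauthorised: int, other_returns: int,
                       pennies: int = 0) -> List[Debit]:
    """Build a constructed sample ledger of n ordinary debits plus penny debits.

    Penny debits are modelled as never returned individually, since the
    article says they were returned in a single transaction.
    """
    charge = Decimal("29.95")
    ledger = [Debit(charge, "unauthorised")] * unauthorised
    ledger += [Debit(charge, "nsf")] * other_returns
    ledger += [Debit(charge)] * (n - unauthorised - other_returns)
    ledger += [Debit(Decimal("0.01"))] * pennies
    return ledger


if __name__ == "__main__":
    samples = {
        "high-return merchant": constructed_ledger(1000, 30, 500),
        "same merchant, diluted": constructed_ledger(1000, 30, 500, pennies=12000),
        "typical merchant": constructed_ledger(10000, 3, 149),
    }
    for name, ledger in samples.items():
        result = assess_merchant(ledger)
        print(name, result["raw_alerts"], result["alerts"])
```

In the diluted ledger the raw rates fall below both alert lines, so only the adjusted calculation still flags the account.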


The merits of collaboration in mobile commerce

Mobile commerce has a lot of promise - but it has for a long time. For nearly a decade now, various players have been trying to build mobile payment services. PayPal first enabled SMS-based payments in 2006 and app-based payments in 2010. European telecoms came together in 2003 to build Simpay, which was intended to enable pan-European mobile payment services, but was called off two years later. And the major American telecoms have been working on their Isis mobile wallet joint venture for over three years now. Clearly the challenges to mobile commerce are real, explains Ben Brown, a Consultant specialising in mobile commerce at First Annapolis Consulting, Amsterdam.

Creating a 'blue ocean' business requires making many unclear strategic choices. From product concept to technology solution to business model, innovators must make bold - and risky - decisions without the luxury of following a path laid down by others. For many years, this was all true in mobile commerce. What works and what doesn't is becoming somewhat clearer, but there is still a high amount of uncertainty.

Building a mobile commerce business not only involves uncertainty, it requires huge investment. First off, mobile commerce involves a number of technically complex businesses: payments, loyalty, couponing, etc. But more importantly, consumers don't want a service they can't use and merchants won't enable a service that has no consumer. There is only one proven catalyst to get over this 'chicken-and-egg' problem: lots of money. Money for product development, money for above-the-line marketing, money for direct subsidies to merchants, money for consumer incentives. In mobile commerce, the cost can reach a hundred million dollars or more in a major market.

Any player that wants to get into mobile commerce has a choice to make: 'do I go-it-alone, or do I collaborate with partners?' (Collaboration can take a few forms, though the joint venture / coalition is most common). The natural choice in a competitive market is to go-it-alone in order to build a uniquely valuable business. But the challenges in mobile commerce have been so great that both banks and telecoms have gravitated towards collaboration.

Collaboration has its merits. The most obvious is financial: few companies are eager to spend the kind of money outlined above, so coalitions are a way to share the bill. But collaboration also delivers a raft of other benefits. Coalitions can bring together the best-of-breed experts from telecoms, banks, and merchants. It also helps avoid the proliferation of competing, incompatible technical solutions. Businesspeople remember the lessons of Betamax vs. VHS or HD-DVD vs. Blu-Ray all too well; anxiety over adopting the wrong technology has been an investment roadblock for merchants, so anything that reduces uncertainty is a positive. (Many merchants still question whether it will be NFC or barcode or some alternative cloud-based tech like geo-fencing that dominates most mobile wallets, especially as players like Apple and Square and MCX line up behind NFC alternatives).

Coalitions are also able to reach a 'critical mass' of consumers. Network effects in the two-sided payments market mean new services need penetration in the double-digit percentages to reach a tipping point. This requires mass-market marketing reach. There are markets where a single telecom can do this on their own (e.g., Japan, Switzerland, Turkey) but it's uncommon. The largest telecom in the US, for example, is Verizon Wireless with 35% share - which is not really large enough to build a self-sustaining payment scheme without 100% penetration of its own base or substantial sales into the base of other telecoms. By working together on Isis, Verizon, AT&T and T-Mobile are able to offer one solution to 80% of consumers.

Despite the benefits, coalitions have a mixed track record. From Sixpack in Holland to Mobipay in Spain to enStream in Canada, recent history is littered with examples of failed coalitions. Failures are generally the product of partner conflict: differing visions, unequal resources, or overlapping assets. Problems are usually foreseeable, though partners almost always overlook 'small' issues and underestimate the cost of realising big ambitions.

Even when partners are in alignment on the strategic questions, execution is the Achilles' heel of the collaborative model. Most coalitions are complex and slow-moving. Decision-making must consider multiple stakeholders and parent companies often stay involved in day-to-day management, all of which slows progress. Furthermore, early staff are a mix of sequestered employees from the parent companies (plus external consultants and contract developers), which can result in organisational confusion and cultural conflicts.

It's not a surprise, then, that many early m-commerce offerings are not actually from coalitions. In the US, for example, innovative incumbents and Silicon Valley start-ups are leading the market. Google was first-to-market with a mobile NFC wallet. Launched in 2011, Google Wallet can store payment cards, loyalty credentials, and coupons. About 15 large US retailers have accepted Google Wallet, though the product has been challenged in finding consumer adoption and broader merchant acceptance.

Shopkick is the most notable mobile loyalty scheme. Over 4 million consumers now use the Shopkick app, which works at over 7,500 stores. On the merchant side of the market, Square has used mobile technology to disrupt the acceptance business. The company claims over 3 million merchants accept payments via its service and a quarter-million of those accept the Square Wallet.

Even individual merchants have brought compelling solutions to market. Starbucks has the largest closed-loop merchant 'wallet' today; it is used to initiate over 2 million in-store payments a week. Instead of waiting for complex open-loop solutions, Starbucks started working with mFoundry in 2009 to develop the simple Starbucks Card Mobile App, which uses barcode technology at the POS. Today, the mobile Starbucks Card is enabled on barcode-based wallets from Square and Apple.

Even though they generally aren't first movers, important coalitions do exist around the world today. ISIS, MCX, Weve, and AFSCM each represent a distinct model of mobile commerce coalition.

ISIS is the prototypical telecom-backed mobile wallet joint venture. Backed by three US mobile networks (Verizon Wireless, AT&T, and T-Mobile), ISIS provides an NFC-based mobile wallet app capable of managing payment cards, loyalty accounts, and coupons. ISIS' business model is to be a platform for banks to provision cards to phones and a distribution channel for marketing on behalf of merchants and brands. ISIS is a relatively ambitious concept because it has created a new brand, it is going after parallel opportunities (payments, loyalty, coupons), and the joint venture plays both a commercial and technical role.

Merchant Customer Exchange, or MCX, is a coalition of 35 major US retailers who generate over $1 trillion in sales annually. MCX was first announced in autumn 2012, which makes it a relative late-comer to the US market. MCX came to life for two reasons: to protect merchants' customer data and to reduce payment acceptance costs. MCX will launch as a cloud-based wallet platform that uses barcodes to communicate with the merchant POS. (This likely means MCX will also focus on alternative payments such as prepaid or PLCC since Visa and MasterCard don't support barcodes). It's unclear whether there will be an MCX wallet app or whether individual merchants will offer wallets which operate on a common platform. MCX is the largest merchant-led coalition and it is unique in its strategic rationale to protect data and lower acceptance costs.

In the United Kingdom, Weve is the mobile commerce joint venture of EE, Telefonica UK (O2), and Vodafone UK launched in autumn 2012. These operators contributed 'tens of millions of pounds' to Weve to create a joint mobile marketing platform. Weve will develop mobile payment technology (such as a mobile wallet) in the future, but is initially focused on the advertising side of the mobile commerce equation. Weve will provide a common technical platform for mobile advertising and act as a single commercial entity to sell those services into the market. On the latter point, Weve is relatively unique among coalitions.

French telecoms and banks took a different approach in 2008 with the creation of AFSCM and AEPM. These bodies focus on setting technical standards and conducting marketing to advocate for mobile NFC payments. They are not direct service providers, nor do they seek to play a commercial role in the marketplace. Service providers are free to contract directly with any telco and vice versa.

Collaboration has clear benefits - and challenges. Coalitions must have the right goals and structure to succeed. We see a few key success factors in this area:

• A common vision;
• Strong, independent leadership;
• Substantial capital and sustained investment;
• Well-defined and narrow ambitions;
• Useful, scalable infrastructure (i.e., must be more than a commercial cooperation); and
• A clear business case.

All of these points are table stakes for success of the collaborative model. Serious deficiency on any one of these points could be enough to threaten a coalition.

Figuring out how to play in this space is still not a straightforward exercise, even with the lessons of past initiatives. Some players will choose the coalition approach, some will choose to go-it-alone. Independent players are likely to move quicker, but coalitions will bring mass-market reach to their solutions. Both business models are likely to exist in the market going forward.

Ben Brown, Consultant
First Annapolis Consulting


FATCA: the end of hiding US accounts in foreign banks?

On 17 January 2013, the US Department of Treasury and the Internal Revenue Service issued comprehensive final regulations implementing the information reporting and withholding requirements that were mandated by the Foreign Account Tax Compliance Act ('FATCA') - an act targeting offshore tax shelters. Michelle W. Cohen and Steven Eichorn, of Ifrah PLLC, discuss the legislative history of FATCA, the causes for concern and the likelihood of successful implementation.

Legislative history of FATCA

Congress enacted FATCA in 2010 as a component of the Hiring Incentives to Restore Employment (HIRE) Act. FATCA was part of a congressional response to address and curb perceived tax abuses by US persons with offshore bank accounts and/or investments. The pervasive belief behind the legislation was that many offshore accounts were created to evade or minimise US tax liability. Therefore, Congress wanted to ensure that persons with offshore accounts also pay their 'fair share' of taxes. In its efforts to curb the abuse of offshore accounts by US persons, Congress passed broad-sweeping legislation that was intended to cast a wide net and greatly increase the US authorities' ability to collect data about offshore accounts and thereby aid in combating offshore tax evasion. While there are certain 'de minimis' rules exempting individual accounts of less than $50,000 and other exceptions, the law also allows for aggregation of accounts by an account holder.

The FATCA statute only provided general guidance regarding the new withholding and reporting rules. The law deferred much of the administration and implementation of the new reporting regime to the US Department of Treasury ('Treasury') and the Internal Revenue Service ('IRS'). The final regulations issued by Treasury and the IRS clarify the responsibilities and obligations imposed on financial institutions and/or foreign government counterparts. They also provide a step-by-step due diligence process for US account identification, information reporting, and withholding requirements for foreign financial institutions (FFIs), other foreign entities, and US withholding agents. FATCA has a nearly universal application - it applies to virtually all non-US entities, receiving most types of US source income, including gross proceeds from the sale or disposition of US property that can produce interest or dividends. Additionally, US entities, both financial and non-financial, that make payments of most types of US source income to non-US persons may potentially be required to withhold a 30% tax on that income paid to a non-US person under FATCA.

Requirements & agreements

As expected, the final regulations did not materially change the reporting and withholding requirements from the proposed regulations. Generally, FATCA requires FFIs and non-financial foreign entities ('NFFEs') to comply with certain due diligence and reporting requirements with respect to their US accountholders and substantial US owners, respectively. In order to reduce administrative burdens for financial institutions with operations in multiple jurisdictions, the final regulations provide for the coordination of the obligations for financial institutions under the regulations and the intergovernmental agreements.

Notably, the issuance of the final regulations also marked a key step in establishing a common intergovernmental approach to combating tax evasion. Because many foreign jurisdictions have laws that do not permit direct compliance by FFIs with FATCA's reporting and withholding requirements, the Treasury Department has been negotiating intergovernmental agreements to address these impediments. The Treasury Department has collaborated with foreign governments to develop and sign intergovernmental agreements that facilitate the effective and efficient implementation of FATCA by eliminating legal barriers to participation, reducing administrative burdens, and ensuring the participation of all non-exempt financial institutions in a partner jurisdiction. (To date, intergovernmental agreements have been signed by Denmark, Ireland, Mexico, Norway, Spain, Switzerland and the United Kingdom. The Treasury Department has further indicated that it is conducting ongoing negotiations for similar intergovernmental agreements with at least 50 other countries).

Treasury's collaboration with foreign governments has yielded the development of two alternative model intergovernmental agreements that facilitate the effective and efficient implementation of FATCA - a reciprocal version and a nonreciprocal version. The model agreements contain many of the same provisions. For example, both versions establish a framework for reporting by financial institutions of certain financial account information to respective tax authorities, followed by the exchange of such information under existing bilateral tax treaties or tax information exchange agreements. Both versions of the model agreement also address the legal issues that had been raised in connection with FATCA, and simplify its implementation for financial institutions.

More specifically, the two alternative intergovernmental agreements that have been developed are as follows.

In the first model agreement, the partner jurisdiction agrees to enact legislation that will require local financial institutions to report FATCA information directly to the foreign partner jurisdiction. The foreign partner jurisdiction will then provide this information to the IRS. While FFIs in such a country will be deemed to be in compliance with the requirements under FATCA by reporting directly to that country (instead of to the IRS), they will still be required to register and confirm their status through the IRS portal (a secure, worldwide accessible portal that will be developed as part of the implementation of FATCA).

This version of the model also provides for the United States to exchange information currently collected on accounts held in US financial institutions by residents of partner countries, and includes a policy commitment to pursue regulations and support legislation that would provide for equivalent levels of exchange by the United States. This version will be available only to jurisdictions with which the United States has in effect an income tax treaty or tax information exchange agreement. Further, it is only available in instances where the Treasury Department and the IRS have determined that the recipient government has in place robust protections and practices to ensure that the information remains confidential and that it is used solely for tax purposes.

In the second model agreement, the partner jurisdiction agrees to enact legislation that will enable and direct local financial institutions to report directly to the US IRS, thereby complying with FATCA's reporting and withholding requirements. In order to enter into the second model agreement, the jurisdiction is required to have a local law that would permit the exchange of information with the United States.

Data collection and privacy concerns

Although the main goal of FATCA was to target evasion of US tax liability by US taxpayers using foreign accounts, the final regulations provide for a very broad reach by US authorities to obtain a tremendous amount of sensitive data on both foreign account assets and account holder information. There is also little chance of escaping FATCA's reach by hiding behind the banking secrecy laws of other nations because the FATCA rules require that FFIs ask any US customer to waive their rights under the privacy or secrecy rules so that the FFI can report their information to the US Government. If the customer refuses to provide this waiver, then the FFI is required to close the account.

Consequently, in addition to the obvious ramifications to US persons with offshore assets that may have run afoul of US tax laws, there will also be a significant quantity and quality of data collected on perfectly compliant US persons with offshore accounts - in many ways, even more significant than the data collected on accounts located in the US.

This poses significant data and privacy concerns as many countries have stricter privacy laws concerning data transfer than does the United States. And some, like Switzerland, have already expressed concerns that the model agreement does not conform to data privacy regulation. Certain countries may refuse to enter into intergovernmental agreements because of these privacy concerns.

Strong likelihood of successful implementation

Despite the potentially burdensome requirements, the cooperation by foreign financial institutions is virtually assured because of the severe consequences to financial institutions (which will be passed onto their clients) for non-compliance. Specifically, FATCA incorporated a new reporting regime that imposes a significant withholding tax (up to 30%) on certain foreign entities that refuse to comply with all of the reporting requirements. If an FFI or NFFE fails to comply with these requirements and is otherwise not excepted, exempted or deemed compliant by the applicable regulations, a 30% withholding tax will be imposed on US-source interest, dividends, rents, and salaries (generally referred to as US-source FDAP income) as well as gross proceeds from the sale of debt and equity instruments that produce US-source FDAP income.

While placing the primary burden on the financial institutions may seem to be a somewhat circuitous method of encouraging compliance by US persons with foreign accounts, this method has been utilised successfully by the US government in other areas. For example, the Unlawful Internet Gambling Enforcement Act of 2006 (or UIGEA) was legislation that attempted (and was pretty


PFFI perform certain due diligence, reporting and withholding functions. For example, a PFFI will be required to obtain and report certain information with respect to financial accounts held by specified US persons or US-owned foreign entities. In addition, it will be required to withhold FATCA tax from defined categories of payments that it makes to recalcitrant account holders (e.g. those not waiving the protection of local banking secrecy regulations).

The final regulations also paralleled the proposed regulations in regard to periodic certifications from a PFFI's responsible officer. Pursuant to the final regulations, the initial certification will relate to the more immediate implementation of policies and procedures, and a written assurance that the due diligence procedures have been carried out in the time frame set forth in the regulations.

In addition, the responsible officer must certify that there were no formal or informal practices in place to assist account holders to avoid the impact of the new FATCA rules. In response to interested party requests, Treasury and the IRS listed a few examples of the types of unacceptable practices to avoid the impact of the new FATCA rules. A sampling of the examples was: suggesting the bifurcation of accounts to avoid certain account identification requirements, suggesting an account holder remove US indicia from the account, or suggesting that the account holder close the account.

Further, as it relates to compliance, the final regulations provide that a PFFI must establish and implement a compliance program for satisfying its requirements under its FFI Agreement. As part of the compliance program, the PFFI must appoint a responsible officer to establish and oversee its compliance program. The compliance program must include policies, procedures, and processes sufficient for the PFFI to satisfy its requirements under its FFI Agreement. In addition, the responsible officer must periodically review the sufficiency of the established compliance program. The results of these reviews must be considered when the responsible officer makes periodic compliance certifications to the IRS.

Conclusion

It was always understood that FATCA would have a huge impact on the FFIs and the costs of doing business with US clients. However, it is now equally clear that FATCA has enabled the US government to obtain access to large quantities of data on the foreign accounts of US citizens. While the US will need to conclude many additional intergovernmental agreements, and some nations may refuse to enter into these agreements (like China), it is nevertheless accurate to state that Americans seeking to avoid tax liability by maintaining offshore accounts will face a substantial foe under FATCA.

Michelle W. Cohen, Member and Certified Information Privacy Professional
Steven Eichorn, Associate
Ifrah PLLC


successful) at regulating online gambling by preventing the financial institutions from processing gambling proceeds. UIGEA 'prohibits gambling businesses from knowingly accepting payments in connection with the participation of another person in a bet or wager that involves the use of the internet and that is unlawful under any federal or state law.' UIGEA also required Treasury and the Federal Reserve Board (in consultation with the US Attorney General) to promulgate regulations requiring certain participants in payment systems that could be used for unlawful internet gambling to implement and enforce policies and procedures designed to identify and block, or otherwise prevent, the processing of restricted transactions. The US government's success against online poker gaming operators and other online payment processors stemmed largely from these regulations that were aimed at the underlying financial system. Likewise, the Treasury regulations implementing FATCA are squarely focused on the financial institutions, and not on the individual account owners. This approach is definitely more efficient (by focusing on institutions that have numerous account owners and are already significantly regulated) rather than individual audits and/or monitoring, and promises to be quite successful, just like the regulations under UIGEA.

Certifications, verification & consolidated compliance

As noted earlier, an FFI will be subject to the FATCA withholding tax unless it enters into an agreement with Treasury and becomes a 'participating FFI' (or 'PFFI') (or it otherwise qualifies for an exemption). The agreement with Treasury will mandate the


Q&A

Interview: Jason Oxman, Chief Executive Officer of the ETA

Following the release of the FTC’s staff report on mobile payments, Sophie Cameron spoke to Jason Oxman, CEO of the Electronic Transactions Association, about the FTC report and industry efforts to increase shared security standards.

Why has the FTC deemed it necessary to examine mobile payments?
With the rapid growth, innovation and adoption in mobile payments technology - the market is predicted to hit $1 trillion by 2015 - the industry is focused on issues of data security. Because electronic handheld devices like cell phones are not solely used as point-of-sale tools but also carry out other functions, the FTC is concerned that security risks may need to be addressed. The industry has developed solutions, and in many ways paying via phone is more secure than via plastic card. But as more businesses adopt these devices for payment acceptance, it is no surprise the FTC is taking a closer look at this important issue.

What guidance does the FTC’s report provide for mobile payment service providers?
The FTC urged companies to develop clear policies regarding fraudulent and unauthorised charges and clearly convey those policies to customers. The report suggests that mobile payment providers increase data security and encourage the adoption of strong security measures - for example, end-to-end data encryption - throughout the system. The report also encourages stakeholders to help raise awareness about the security issues involved and the steps consumers can take to protect themselves. Finally, the report calls on industry to adopt three basic practices: privacy by design, simplified choice for businesses and consumers, and greater transparency.

The report highlights a number of consumer concerns - how important is appeasing these concerns to the success of mobile payments?
Payments professionals are committed to protecting the confidentiality and security of their customers’ credit, debit, and other non-public financial account information, whether there is significant consumer concern or not. This protection ensures the free flow of information vital to helping consumers access and use electronic payments, ensures the free flow of commerce, promotes competition, and maintains public confidence. Because this is a new, largely unknown area for consumers, early opinions will drive ongoing innovation.

The report encourages industry-wide adoption of measures to ensure security throughout the mobile payments process - are such shared standards being developed?
There is definitely industry appetite for shared security standards. The ETA has assembled the Mobile Payments Committee, an industry-wide task force of 100 representatives from top companies in the mobile payments sector, to address the important issue of consumer protection. Other self-regulatory efforts for the protection of personal information are already underway as well. The Payment Card Industry Data Security Standard (PCI-DSS) is an important industry effort. ETA believes that a uniform standard for data security and breach notification with respect to personal financial information would best address the rights of consumers to be notified of a breach when the security of their information is truly at risk, while minimising the compliance and legal risk to businesses.

The PCI Security Standards Council (PCI SSC) recently issued mobility guidance, urging merchants to examine the factors and risks to be addressed in order to protect card data when using mobile devices to accept payments. The new guidance for merchants focuses on scenarios and specifically the payment software that operates on these devices. The PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users leverages industry best practices to educate merchants on what is needed to isolate and prevent card data from exposure.

Do you think regulation/mandatory standards are needed in this area?
We should begin with industry-driven efforts like those proposed by the ETA or the PCI-DSS model. Regulations and mandatory standards imposed on the industry tend to stymie innovation and often lead to further government involvement. ETA supports voluntary security standards and industry best practices created with stakeholder input.

Do you think widespread adoption will be achieved by 2015 as predicted by the FTC?
Yes, mobile payments are on the rise. In fact, more than 21% of mobile device owners used some form of mobile payments in 2012, up more than threefold from just four years ago. Gartner Inc. predicts that in just four years, more than 448 million consumers worldwide will be using mobile payments technology for an estimated $617 billion in transaction value. (That’s equivalent to trading the entire value of Manchester United via smartphone every working day and most Saturdays.) The Yankee Group research firm is even more aggressive, predicting that by 2015, worldwide transactions via mobile payments will exceed $1 trillion.

How useful is the FTC’s report on mobile payments?
The report from the FTC is useful but unavoidably failed to recognise the accomplishments of the industry in the year since the FTC workshop on which the report was based. This is an incredibly dynamic industry, and much has changed in a short amount of time. Today our industry provides merchants and consumers access to a wide variety of safe and reliable mobile payments products and services.

Jason Oxman, CEO
Electronic Transactions Association
Contact via the editorial team


Customer due diligence

A number of changes are being proposed to the customer due diligence requirements that will require firms to revisit their due diligence procedures. These are discussed in turn below:

Risk-based approach

The Fourth MLD enshrines the risk-based approach formed under the Third MLD, but also introduces a requirement for firms to have written assessments of their money laundering and terrorist financing risks, as well as processes for keeping the assessments up to date. The impact of this requirement should not be significant, given that firms will have generally undertaken this exercise in connection with their existing customer due diligence procedures. However, unlike the Third MLD, the Fourth MLD embodies guidance on the various risk variables that firms will need to consider. There will also be supplementary assessments of the risks affecting the internal market undertaken by the European Supervisory Authorities [6] and national risk assessments by Member States that firms will need to build into their internal assessments. Although this process should provide firms with greater guidance going forward, it remains to be seen how firms operating on a cross-border basis will address diverging risks across the various countries they service.

Occasional transactions

There are proposals to reduce the threshold for occasional transactions that are exempt from the customer due diligence requirements from €15,000 to €7,500. Firms that have structured their products around the exemption will need to consider the implications of the proposals not just from a systems perspective but also how the reduction in the threshold may impact the marketability of the relevant product lines.

Simplified due diligence ('SDD')

The Fourth MLD proposes to revise the structure of the SDD regime by replacing the circumstances in which (i) firms are exempt from undertaking due diligence; and (ii) Member States have the discretion to apply a derogation in respect of the due diligence requirements (as is the case with e-money products meeting specified value and redemption thresholds [7]) with guidance issued by Member States and the European Supervisory Authorities on low risk relationships that may be eligible for SDD. Going forward, firms will need to consider their customer relationships and transactions within the context of the guidelines and determine whether they qualify for SDD.

The Fourth MLD identifies a non-exhaustive list of factors that would point to low risk situations including transactions with listed companies and customers in lower risk geographical locations. However, the Fourth MLD does not provide any detail on the level of due diligence that will be required in such circumstances. The devil will be in the detail of the guidance provided by the European Supervisory Authorities.

Enhanced due diligence ('EDD')

Like the Third MLD, the Fourth MLD will specify the circumstances in which EDD will be mandatory and the measures that should be applied in those circumstances (e.g. transactions with politically exposed persons). However, a proposed amendment that will be of particular interest to firms providing online services is the removal of non face-to-face

EUROPE


On 5 February 2013, the European Commission adopted two legislative proposals for a new Money Laundering Directive [1] (the 'Fourth MLD') and a new Wire Transfer Regulation [2] (the 'New WTR'). Once passed into law, the Fourth MLD will repeal the current Money Laundering Directive [3] (the 'Third MLD') and the New WTR will replace the existing Wire Transfer Regulation [4] (the '2006 WTR').

The framework and requirements of the Fourth MLD are generally the same as what currently stands under the Third MLD, in that it is a minimum harmonisation directive [5] requiring firms to maintain internal policies and procedures covering risk-based customer due diligence and transaction monitoring requirements, reporting of suspicious transactions, staff training and record keeping requirements. However, there are some areas in which the Fourth MLD has introduced new requirements and revised existing ones in an attempt to strengthen anti-money laundering ('AML') co-operation and harmonisation across the EU Member States.

The 4th EU Money Laundering Directive: key changes

The European Commission published the Fourth Money Laundering Directive and the new Wire Transfer Regulation, which if enacted will impact online financial service and payments services providers. Rachpal Thind and Kai Zhang, of Sidley Austin LLP, discuss the key changes proposed and what they mean for service providers within the context of customer due diligence requirements and cross-border operations.


transactions from the list. Whilst non face-to-face business relationships and transactions will still be identified as potentially high risk scenarios (and thus, firms will still need to consider whether a particular relationship or transaction requires EDD) they will not warrant mandatory EDD. This will provide firms with some flexibility as regards the level of due diligence required for their online customer base.

As will be the case with the SDD, firms will also be required to follow guidance issued by the Member States and the European Supervisory Authorities on the types of high risk factors (e.g. geography, customer type, delivery channel) that may give rise to EDD.

Reliance on third parties

As under the Third MLD, the Fourth MLD will continue to allow firms to rely on others for customer due diligence purposes in order to ease the burden of AML compliance. However, there will be a reversal in terms of the parties' obligations; currently under the Third MLD, the relying party is ultimately responsible for compliance, yet the Third MLD imposes (conflictingly) the relevant requirements on the third party. The Fourth MLD proposes to clarify this by requiring the relying party to ensure it obtains all the relevant information from the third party. The Fourth MLD will also permit groups to rely on the due diligence undertaken by other group companies in circumstances where the group policy follows either the Fourth MLD or equivalent rules.

The new WTR

The 2006 WTR (Wire Transfer Reports) impose requirements as to payer information that must accompany electronic transfers of money. Additional information requirements are being proposed under the new WTR that will require the payer's payment service provider to provide information in respect of both the payer and payee going forward. The scope of the new WTR will also be extended to include credit and debit card, mobile phones and other electronic devices when used to transfer funds.

Cross-border provisions

Currently, there are significant inconsistencies amongst the EU Member States in their implementation and application of the Third MLD with respect to firms providing services cross-border [8]. The Fourth MLD proposes to reduce such inconsistencies by clarifying that branches or subsidiaries of firms in the host Member States will need to comply with the rules of the host Member States implementing the Fourth MLD [9]. Although it is not expressly provided for, this seems to suggest that firms providing services on a purely cross-border basis will only need to comply with their home Member States' rules.

Timing

The European Commission is aiming for the European Parliament and the Council to adopt the Fourth MLD and the new WTR by the end of 2013. The European Supervisory Authorities will then need to issue various guidance and technical standards as required under the Fourth MLD within two years of the Directive coming into force [10]. This will consequently mean that there will be a large degree of uncertainty as to precisely what the Fourth MLD will and will not require of firms until the European Supervisory Authorities publish their guidance and technical standards.

A final thought

The Fourth MLD is proposing the introduction of a three-tier approach to risk assessment:

• the European Supervisory Authorities will assess risks faced by the European Union as a whole;
• each Member State will assess the risks faced at national level taking into account the assessment of European Supervisory Authorities; and
• individual firms will be required to assess their own risks taking into account their Member State assessments.

It remains to be seen whether such an approach will actually foster the convergence and harmonisation it anticipates across the EU Member States or whether it will just add to the current uncertainties and inconsistencies between the Member State AML regimes.

Rachpal Thind, Partner
Kai Zhang, Associate
Sidley Austin

1. http://eurlex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:52013PC0045:EN:NOT
2. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:52013PC0044:EN:NOT
3. Directive 2005/60/EC.
4. (EC) No 1781/2006.
5. This will allow Member State discretion to impose stricter national provisions.
6. The European Banking Authority, the European Securities and Markets Authority and the European Insurance and Occupational Pensions Authority.
7. The Third MLD currently permits Member States to apply a derogation in respect of e-money products.
8. See the joint report of the European Supervisory Authorities published on 7 December at: https://eiopa.europa.eu/fileadmin/tx_dam/files/publications/reports/JC_2012_086__E-Money_Report__-_December_2012.pdf
9. Art. 45(4) of the Fourth MLD.
10. The New WTR being a regulation will be directly applicable in the Member States and thus will not need national implementation.


E-MONEY


France implements Second Electronic Money Directive

desired. In this case, the costs are paid entirely by the issuer. In addition, the DADU Law provides that reimbursement in cash can, by mutual agreement, be in the form of a money order. The wording could also be compatible with reimbursement by ATM withdrawal. However, this should be confirmed by the regulator.

Another new provision is that distributors of e-money may be authorised to reimburse. Issuers who wish to use this option will have to amend their distribution contracts. Finally, while maintaining the principle of reimbursement, the Law provides that issuers may stipulate derogations to the obligations when e-money is taken out for 'professional' purposes.

Mediation procedure

The DADU Law now requires the provision of a mediation process for any disputes which persist between the issuer and the client. The client must be informed of this on the e-money support or medium.

Payment services contracts

The contract between the issuer and the client will now be governed by rules applicable to payment services framework contracts. This new rule will involve taking into account all clauses required by Decree of 29 July 2009. This will likely result in a significant increase of the T&Cs. The reference to the Decree of 29 July 2009 will certainly pose problems of interpretation - some of the clauses imposed by the Decree cannot be applied to e-money or may conflict with rules specific to e-money. The reference to the payment services framework contract may pose another practical problem: the Monetary and Financial Code (Article L. 314-13 II) provides for, in certain cases, the obligation to obtain the client's written signature. It should be confirmed with the regulator that this constraint can be waived for e-money instruments.

Application of the new law to existing contracts

Article 32 of the DADU Law considers issues in transitional law for T&Cs concluded prior to 29 January 2013:

• The provisions of T&Cs contrary to the law are immediately null and void;
• The issuer must update its T&Cs to comply with the new law within six months;
• Within the same period, the issuer must inform clients of the existence of the updated contract, and its provision.

During this six month period, any issuer who has not yet brought its T&Cs into line must provide clients with written information on the consequences of the new law, and its immediate applicability. Finally, the new law provides for a period of three months for compliance in respect of distribution. Licensed institutions which use intermediaries to distribute e-money will have to comply with applicable rules on outsourcing of financial services.

Benjamin May, Partner
Aramis

After a long wait, the Second Electronic Money Directive was transposed into French law by Law No. 2013-100 of 28 January 2013 containing various provisions adapting legislation to EU Law in economic and financial matters (known as the 'DADU Law'). The text has entered into force and is immediately applicable, except for those provisions that require implementing decrees or Arrêtés (second level legislation). These implementing regulations will include the conditions for EMI licences, the rules applicable to foreign institutions 'passporting' in France, and the conditions for the distribution of e-money.

New rules on applicable fees

The old regulations allowed the charging of fees relating to reimbursement during the period of validity of e-money. In addition, it was possible not to reimburse when outstanding e-money was less than €10. These rules have now been amended. The law stipulates the obligation to reimburse at any time, even after the validity period, even if the balance is less than €10.

When the contract between the issuer and the e-money holder does not provide for a limited period of validity, reimbursement must always be free of charge. When it stipulates a limited period of validity, reimbursement fees are possible before the term of the contract, and from one year and one day after it ends. In all cases, these fees must be proportionate to the costs incurred by the issuer.

The client must always be able to obtain reimbursement in cash, if

READ MORE EXCLUSIVE CONTENT ONLINE: www.e-comlaw.com/e-finance-and-payments-law-and-policy

Read an exclusive analysis of the FTC’s settlement with HTC over software security issues by Mark Brennan and Harriet Pearson of Hogan Lovells; the case represents a significant development for both equipment manufacturers and service providers in the technology space.