Electronic Banking System

ELECTRONIC PAYMENT SYSTEMS

A CRITIQUE OF THE LEGAL ASPECTS AND REGULATORY FRAMEWORK IN KENYA

BY VAYONDA SIRMA AND HENRY OGUTU

LECTURER: DR. DAVID GACHUKI

ABSTRACT

This paper seeks to investigate the impact and implications of Kenyan legislation on electronic payment services, which are increasingly being adopted by consumers of banking services as the preferred mode of effectuating payment. It discusses the various forms of electronic payments, their legal and regulatory framework, and consumers' privacy and security concerns. The investigation reveals that not only does the legal and regulatory framework fail to provide sufficient safeguards for consumers, but it also does not clear up the ambiguities arising from a combination of rapidly changing technologies and the jurisdictional ambiguities regarding the responsibilities of the different sector players. Moreover, electronic payment services (as they are based on technologies designed to extend the geographical reach of banks and customers) expose both customers and banks to legal risks associated with non-compliance with different national laws and regulations, including consumer protection laws and record-keeping and reporting requirements. Our study reveals that the current and proposed laws do not address the multitude of these issues.

CHAPTER ONE

FORMS OF ELECTRONIC PAYMENT SERVICES

INTRODUCTION

Electronic payment services refer to a cluster of technologies that allow for the electronic execution of financial transactions without reference to the traditional paper-based settlement modes. Since electronic payment services are a new and evolving technology whose full impacts are unknown, they have given rise to a number of concerns about their efficacy, privacy, systems security and consumer protection, which are the main issues that this paper focuses on. The main push for electronic payment services, by consumers and banking institutions alike, is a response to the dynamic interaction of the economic environment, increasing consumer sophistication, increased participation by thrift industries in the financial services sector, and the services' cost efficiency. However, the legal and regulatory framework in respect of these services in Kenya has not faced up to the increasing consumer-protection challenges that these services evoke. These challenges can be summarised as privacy and security within the context of the inadequate protections afforded by the law to consumers of banking services.

Loosely defined, electronic payment services (EPS) consist of a group of technologies that electronically facilitate financial transactions. Messages sent by several forms of electronic communication cause the transfer of funds from one financial account to another, substituting the direct exchange of currency or signed cheques that would bring about the same transfer. The term EPS has also come to include transfer of information critical to such transactions without an immediate transfer of funds; for example, authorization of credit cards, telephone-bill payments or validation of financial transactions by telecommunication. In Kenya, some of these services are decentralized and are provided directly to the consumer at retail. They consist of transactions that may involve an individual and one or more providers of financial services. In some cases, as in the use of automated teller machines, the transfer is immediate. In others (such as cheque verification services), value is conveyed by a paper instrument such as a cheque, while the electronic service provides information to the recipient that funds are being conveyed. Sometimes the consumer operates a machine that is used to provide an EPS service, whilst in other cases the consumer gains access to the service through an intermediary.

1.1 AUTOMATED TELLER MACHINES (ATMS)

The most common form of EPS that has been readily accepted and used by most consumers of financial services is the ATM. Quintessentially, ATMs provide the banking services used most often by consumers (except loans). Most transactions can be accomplished faster and more conveniently than with human tellers, and the ATM's main attraction is its availability twenty-four (24) hours a day. Indicatively, ATMs allow deposits to and withdrawals from customers' accounts, transfers between these accounts, and account balance queries. They also permit the use of credit cards for cash advances as well as overdraft privileges for particular customers. Cash disbursements are usually limited to a predefined amount, and the ATMs facilitate the daily updating of customers' accounts. In most instances, the debit card used to activate the ATM is proprietary to the bank and its usage is effectuated by a personal identification number that is only supposed to be accessible by the customer card-holder. ATM networks may be proprietary to one institution or they may be operated on behalf of multiple institutions by consortia or by third party operators.

1.2 POINT-OF-SALE (POS)

POS is a payment service deployed in supermarkets, department stores and other commercial facilities which offer several kinds of services:

(a) Credit card authorization and validation;

(b) Direct transfer of funds from a customer's account to the merchant's account by means of a debit card; and

(c) Certain banking services, i.e., direct withdrawal of currency from (or deposit in) a depository account using the merchant's cash drawer and sales personnel.

POS services employ a terminal operated by the merchant and a telecommunication link to customer information files within banking and financial institutions.

1.3. TELEPHONE BILL PAYMENT (TBS)

TBS services allow customers to pay bills using a home telephone to instruct their banks to transfer money from their accounts to that of a creditor. It is one of the EPS services that is being phased out by the rapidly evolving technology and was widely used in America and Europe in the 1970s and 1980s. TBS involved the recording of the customer's verbal instructions on a tape or through the intervention of human operators to facilitate the processing of the customer's instructions. One of its major drawbacks was that the customer had no proof that instructions for payment had been given until he/she had received a monthly statement, which provided the customer's only proof of payment.

1.4 WIRE TRANSFER

Wire transfers are the earliest form of EPS and are chiefly responsible for the transfer of large sums of money. Their current forms are embodied in the Electronic Funds Transfer (EFT) and Real Time Gross Settlement (RTGS).

1.5. CREDIT CARDS

Credit card services are offered by banking and financial institutions to their customers on a post-payment basis, for which the customers pay a certain premium on top of the amounts that they spend through that card every month. Credit card authorization services are operated by card providers through electronic terminals to determine whether a card should be honored for a particular transaction or not. There are two kinds of credit card authorization and validation services:

a) Those that have direct access to the customer's account (positive files); and

b) Those that depend on information gathered from a variety of other sources (referred to as negative files as they contain only information that is used to disallow transactions). These sources include records of a customer's transactions with the system and data reported by participating institutions and not on actual records.

1.6. DEBIT CARDS

Debit cards could be considered as the most successful EPS in the Kenyan market to date, particularly when coupled with the proliferation of ATM networks across the entire country. They are considered as a convenient substitute for hard currency or cheques.

1.7. AUTOMATED CLEARINGHOUSES (ACH)

ACH comprise a centralized EPS service that serves institutions rather than individuals. Instead of having cheques sorted and physically dispatched to the debiting bank, an ACH receives, sorts and distributes payment information electronically, which instructs banks to debit and credit accounts at specific times.

1.8. Net Settlement Instructions (NSI)

NSI refers to an account transfer involving multiple debits and credits, initiated by a net settlement system to settle net obligations arising from the conduct of a payment clearing system such as cheque clearing or POS clearing. Usually, NSI is a discretionary operation of the bank without much involvement of its customers, and this portends a gray area when considered in light of the privacy and security concerns.

CHAPTER TWO

PRIVACY, SECURITY AND LAW RELATING TO ELECTRONIC PAYMENTS SERVICES IN KENYA

INTRODUCTION

The principal concerns that have arisen about EPS relate to the extent to which personal data might be disclosed to third parties by banking and financial institutions, the possibility of unwarranted government or private surveillance through EPS systems and data files, and the right of consumers to see, challenge and correct personal data that might be used to their disadvantage. Particular concerns abound that with the increased adoption and use of EPS, consumers' privacy is likely to be violated. This is due to the fact that most of the EPS services use online terminals, making intrusive surveillance a more credible possibility. Moreover, there is a higher risk of dissemination of incorrect or inaccurate data concerning consumers' accounts, even if safeguards to correct these inaccuracies are facilitated. Moreover, the Constitution's clear recognition of the right to privacy, despite a lacuna in the existing laws and regulations, legitimizes these privacy concerns. This necessitates more comprehensive EPS privacy protection, whether through new legislation, modification of existing law, administrative procedures and regulations, or enhanced industry standards.

Security, in respect of EPS, relates to the protection of the integrity of EPS systems and their information from illegal and unauthorized use. The need for stringent security in EPS systems has been propelled by the inherent vulnerabilities in EPS systems such as:

(a) EPS systems have many access and terminal points where transactions can be effectuated in unauthorized ways because of direct customer involvement with the dynamics of the system and the way in which data relating to customers' accounts is aggregated and transmitted between institutions;

(b) EPS crime is usually difficult to detect because funds/data can be removed by instructions hidden in complex computer software beyond the purview of customers; and

(c) Arguably, EPS systems reduce the effectiveness of some of the traditional methods of controlling and auditing access to customers' accounts.

An interview with a senior manager at one of Kenya's commercial banks revealed that EPS systems security violations are difficult to assess because there is underreporting of EPS systems crime, a paucity of information about EPS systems security and a general lack of informed public discussion. Players in the banking industry feel that there is a danger in exacerbating these concerns by giving them a higher visibility through public discussion. Nonetheless, the public is entitled to know what risks they are exposed to in using EPS services, and banking institutions and law enforcement agencies would also benefit by sharing information about vulnerabilities, defense strategies and security-enhancing technologies.

2.1 PRIVACY AND SECURITY

Much as it is difficult to define privacy in a precise and concise fashion, it could be reduced to the ability to keep certain kinds of personal information from other people or restrict its use, except as one freely chooses to permit its disclosure or use. The OECD Guidelines on Personal Privacy state that there may be many reasons why privacy is such a paramount concern to consumers, who may wish to withhold information about themselves for reasons other than their concerns about possible government encroachments on their civil liberties. In particular, such information may expose them to censure or threaten their reputation and social status, more so with regard to information concerning their finances.

2.1.1 Privacy and security relating to Financial Transactions

Undeniably, only transactions in which currency is the medium of payment can be accomplished with some degree of anonymity. In EPS systems, privacy is violated when data is, without the subject's consent, made available to and used by those not a party to the transaction, for purposes other than those necessary to accomplish the transaction. Those other purposes could range from organized market campaigns to intrusive surveillance to blackmail. If a person has neither explicitly nor implicitly consented to disclosure and use of information for a given purpose, personal privacy is considered to have been violated even if the same information was willingly provided by that person or to the same party for a different purpose.

Additionally, there is also the obverse of unauthorized disclosure of information to third parties, namely the ability of the individual to know what personal information has been collected and how it is being used. Consequently, there is greater concern about privacy in EPS systems due to the following reasons:

(a) EPS systems make it easier to collect, organize, store and access large amounts of data;

(b) More data are electronically readable and processable, making them easier to manipulate and aggregate; and

(c) The large number of points at which data is retained makes it susceptible to unwarranted access and use by third parties.

The question of EPS systems security is closely related to the concerns of privacy. Users of banking products want to be assured of the confidentiality of the information relating to their accounts, with the assurance that it will be aggregated and used only for purposes integral to the payment system and necessary to the carrying out of the instructions as intended by the customer. This assurance rests on confidence both in the intent of the financial institution and in its ability to protect the information and limit access to the institution's authorized agents. If security is breached, the institution cannot provide this protection and the user's privacy may be violated. It should also be noted that some means of increasing security, especially through audit trails, increase the possibility that privacy may be infringed because additional copies of data are created at various points in an electronic payment system.

2.2 Legal and Regulatory Environment of Electronic Payments Services

Section 4A 1(d) of the Central Bank of Kenya Act empowers the Central Bank of Kenya to formulate and implement such policies as best promote the establishment, regulation and supervision of efficient and effective payment, clearing and settlement systems. In view of this enabling statute, the Central Bank of Kenya has directed great effort to the modernization of the payment systems in the last two decades. Initially, the objective of the modernization process was to systematically and continuously implement policies that would ultimately enable the country's payment system to attain international standards and ensure that Kenya becomes a financial hub in the region as well as the preferred investment destination. The fundamental policy objective for payments modernization was the achievement of safety, efficiency and effectiveness of the country's payment system.

2.2.1. The Central Bank of Kenya and the key milestones in the modernization process of payment services in Kenya

The first milestone of the modernization process was realized in 1998 with the automation of the Nairobi Clearing House, which saw the reduction of the cheque clearing cycle from fourteen days to four days. This was facilitated by the adoption of the Magnetic Ink Character Recognition (MICR) technology and Electronic Funds Transfer (EFT) system.

The second important milestone was the amendment of the Central Bank of Kenya Act in 2003 that introduced Section 4A 1(d) into the Act, which provided a strong basis upon which the Bank could promote modernization of payment, clearing and settlement systems, including the continuing innovations in the retail payment arena.

The third key milestone was the implementation of the Kenya Electronic Payments and Settlement System (KEPSS), the country's Real Time Gross Settlement (RTGS) System, in July 2005. KEPSS implementation facilitated the mitigation of risks associated with the previous paper-based inter-bank settlement system; transformed the management of liquidity in the banking industry; reduced the systemic importance of the Automated Clearing House (ACH); and enhanced financial stability while providing an efficient mechanism for monetary policy transmission.

The fourth major milestone was the facilitation of mobile based funds transfer payments systems. This notable innovation in Kenya's payments system environment has provided greater access and increased convenience to many low income households and micro-enterprises in Kenya, including those in rural areas who do not have access to conventional banking. The phenomenal growth in the transaction volumes and values since the rollout of the first mobile money transfer system in 2007 underlines the popularity and usage of mobile money transfer platforms, as indicated in the chart below. In view of their depth and outreach, mobile payment platforms have become an integral part of the national payments system as their scope in terms of number of transactions is wider than that of the large value payment systems.

Fifthly, in October 2009, the Central Bank of Kenya, in conjunction with the Kenya Bankers Association and in liaison with the Ministry of Finance, implemented the value capping policy. The policy stopped the processing of high value payments using cheques and Electronic Funds Transfers of Kenya Shillings one (1) million and above through the Nairobi Automated Clearing House. Such high value transactions are now processed through KEPSS.

Sixthly, an important ongoing initiative is the Cheque Truncation Project, which seeks to reduce cheque handling costs, provide superior customer service levels, improve risk management, reduce liquidity risk and improve efficiency of our payment systems by streamlining the processing of cheques. Notably, this will remove the need to physically send bank representatives to the Clearing House, while at the same time settlement certificates will be distributed electronically and all cheques deposited will be stored at the point of deposit.

At a regional level, the Central Bank of Kenya is working in collaboration with the other East African Central Banks to implement the East Africa Payments System (EAPS), which is intended to facilitate real time settlement of financial transactions among commercial banks in East Africa using the five East African currencies. EAPS, which is an integration of the RTGS systems in East Africa, is expected to be operational in the course of the year.

The payment systems modernization achievements include:

i). Promotion of greater efficiency and effectiveness of the payment, clearing and settlement systems;

ii). Provision of an enabling environment for the development of various instruments and mechanisms for an integrated, modern and technologically sound payment system for transfer of funds between transacting parties;

iii). Facilitation of irrevocability of payment and finality of settlement arrangements;

iv). Reduction in the length of payment cycles for high value payments to Same-Day settlement.

2.2.2. Existing and proposed laws and regulations

The Central Bank of Kenya (CBK), under its mandate under Section 4A 1(d) of the Central Bank of Kenya Act, has drafted the National Payments System Bill, whose objective is to enhance the Bank's oversight role over Payment Systems in Kenya. With regard to EPS, the CBK recently launched the draft Regulations for the Provision of Electronic Retail Transfers and Electronic Money. The regulations are aimed at giving certainty in the operation and regulation of the retail payment industry. Additionally, for EPS systems, the national ICT policy, vide its Kenya Gazette Notice, 2006, recognizes that the current body of laws relating to banking and financial institutions is inadequate in dealing with the privacy and security concerns identified in the issues pertaining to electronic commerce. It also recognises the need for a comprehensive policy, legal and regulatory framework in order to:

(a) support ICT development, investment and application;

(b) promote competition in the industry where appropriate;

(c) address issues of privacy, e-security, ICT legislation, cyber crimes, ethical and moral conduct; and

(d) copyrights, intellectual property rights and piracy.

The Kenya Communications (Amendment) Bill, 2008, which was to amend the Kenya Communications Act, 1998 and address some of the challenges cited by the National ICT policy as indicated above, came into operation in January 2009. One of the key sections is Part VII, on electronic transactions (e-transactions). Though it outlines what electronic transactions involve, it insufficiently caters for the privacy and security concerns for such type of transactions.

Electronic payment services can be clustered into decentralized or customer-oriented services and centralized or institutional-oriented services. Decentralized services are further categorized into services that facilitate the transfer of information (such as cheque and credit authorization, account status inquiry, cheque verification) and electronic services that involve direct money transfer. Centralized services include direct deposit payroll, pre-authorized debit services, corporate cash management (including automated clearing houses, interbank and intrabank transfers) and interbank settlements and clearings.

Although customers who rely on this feature are, on occasion, seriously inconvenienced by finding the machines inoperative at critical moments.

In Kenya, these operation platforms are offered by PesaPoint and Kenswitch.

Thus the customer often found it very difficult to substantiate his claims in case of a dispute in respect of his instructions to the bank.

In Kenya, RTGS is effectuated through the Kenya Electronic Payment and Settlement System (KEPSS). It was launched on July 29, 2005 in line with the Government of Kenya and Central Bank of Kenya's modernization initiatives for the country's National Payment System. KEPSS has enjoyed tremendous growth in its value and volume throughout, attributable to the ever increasing awareness by the public that KEPSS is a safer and more efficient system for settling high value and time critical payments, and to the Government's decision to stop using cheques and process all its payments electronically through KEPSS with effect from November 2009.

This type of validation, usually through credit reference bureaus, is more prevalent in Europe and the USA.

OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980)

Some of the players in the mobile money transfers arena include M-Pesa, Airtel Money, yuCash, Orange Money, and Tangaza, among others.

The value capping policy also affected other currency transactions such as the dollar, euro and sterling pound.

This will become operational by 1st June 2011.
