Electronic Payments — The Smart Card: Smart Cards, e-Payments, & Law — Part II

Computer Law & Security Report Vol. 18 no. 5 2002, ISSN 0267 3649/02/$22.00, © 2002 Elsevier Science Ltd. All rights reserved. Page 307.

Electronic Payments - The Smart Card

This article, in three parts, examines the legal issues raised by the development of the smart card. It explores contractual, liability and intellectual property rights issues and assesses whether a suitable legal framework exists in which smart card use can flourish and grow.

ELECTRONIC PAYMENTS - THE SMART CARD
SMART CARDS, E-PAYMENTS, & LAW - PART II
Dr Simon Newman and Gavin Sutter, Queen Mary College, University of London

B. WHAT KIND OF LEGAL ISSUES DOES THE USE OF ELECTRONIC PAYMENT SYSTEMS RAISE?

1. Data Protection

The internet in general has raised many data protection issues in recent years. For example, many websites, e.g. <Wired.com>, offer mailing list facilities, keeping the user up to date on the latest developments in a specific area. A variety of personal information may be sought for these purposes, such as, for example, name, address, email address, information about hobbies and interests, and so on. The websites concerned are globally accessible and may originate in states without the same level of protection as exists in the UK – for example (although this may change in the near future), the US. Or a website may use a ‘cookie’ to store information about a particular user on his or her own computer – is this information, clearly stored in the UK, also collected and processed there? Is it subject to the requirements of the UK legislation, even though the company responsible for the cookie has no location there? In the case of a database held by a company on its own servers, there is a question as to whether the appropriate law is that of the jurisdiction in which the company responsible for collecting and holding the information is based, its headquarters, or the particular wing of the company which is directly responsible (in the case of a large multi-national), or where the actual servers on which the information is processed and stored are located.

Such issues seem of little interest to the average internet user. However, while consumers are often prepared to give out some personal information, many are extremely reluctant to give out information such as credit card number and expiry date for fear that it will be intercepted by a third party and fraudulently used or will be otherwise susceptible to misuse while in the possession of a retailer. Others prefer not to use credit cards, wishing to preserve their privacy and anonymity online.

The relevant legislation across the EU is the Data Protection Directive 1995 (OJ 1995 L281/31). The Directive sets out, inter alia, basic principles and rules for the collation and keeping of computerized personal data about individuals, placing clear obligations upon those who wish to do so in respect of how that data may be gathered, for what purposes it may be used (i.e. those for which it was collected) and confidential and secure processing.

Under the Directive, personal data may be collected and processed, inter alia, where ‘processing is necessary for the performance of a contract to which the data subject is party…’ (Article 7 (b)). Data collected must be held ‘for no longer than is necessary for the purposes for which the data were collected or for which they are further processed.’ (Article 6 (e)). The definitions given ‘personal data’ and ‘processing of personal data’ in the Directive (Article 2 (a) & Article 2 (b) respectively) are sufficiently broad as to encompass collection and processing of credit card details by a merchant in order to accept payment in an online transaction.

The Directive’s provisions impose certain requirements upon the data processor: for instance, it must guarantee that the data remains confidential (Article 16), and that ‘appropriate technical and organizational measures’ be taken ‘to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing…’ (Article 17). Use of secure channels such as the SSL protocol can help to ensure that such guarantees are met. SSL and encryption are designed to prevent unauthorized third party access to the data in transmission. The SET standard ensures a further measure of security, as the merchant has no access to the encoded credit card data. In all cases, of course, the Directive’s provisions apply not only to the merchant seeking payment but also to the bank or credit card company with which the consumer’s account lies.

In general there is no need for a merchant to retain personal data acquired for the purposes of completing a transaction once payment has been received. There are, however, some systems such as Amazon’s accounts and its 1-Click ordering service, or CyberCash’s InstaBuy, which rely for their operation upon the maintenance of a database of personal information on customers, including payment details. This
information is collected automatically upon the consumer’s first purchase from Amazon or a site using the InstaBuy system. The consumer is informed that this information will be retained on first purchase at a point where, if (s)he does not wish this to be done, the transaction may be cancelled. This is in compliance with Article 7 (a) of the Directive, which provides that personal data may be processed if ‘the data subject has unambiguously given his consent.’ The same confidentiality and security requirements are imposed here, although in the context of a database which will be maintained long term as opposed to information which is to be retained for only so long as is necessary to receive payment, such requirements are of much greater importance. These requirements place a clear liability upon the data controller to protect against fraudulent access by another to an individual’s account. In the event of that happening, the Directive entitles the wronged party to a judicial remedy (Article 22). Further, ‘any person who has suffered damage as a result of an unlawful processing operation…is entitled to receive compensation from the controller for the damage suffered’ (Article 23 (1)), unless the controller can prove ‘that he is not responsible for the event giving rise to the damage’, in which case (s)he will have a valid defence (Article 23 (2)). Again data is communicated between consumer and merchant by means of a secure channel, using the SSL protocol. Data is typically held on more secure firewalled servers, designed to be inaccessible to hackers.

Digital cheques raise similar issues of security to credit card transactions insofar as an account holder’s digital signature must be kept secure in order to avoid fraudulent usage by others. The data contained in a digital cheque must be treated the same as that in a credit card transaction for all data processing purposes. Again SSL is typically used in order to offer further security to the transaction.

The chief attraction for the consumer of digital cash systems is that they are in theory anonymous – just as with real cash, a particular transaction cannot be traced to a particular consumer. However, in practice this is not the case. With the notable exceptions of Mondex, and of DigiCash’s eCash system (the DigiCash company may have gone into voluntary bankruptcy, but the technology is still used) and its ‘blind signatures’, transactions made using all of the digital cash solutions currently available are ultimately traceable back to an individual consumer. Often – as is the case with, for example, Millicent – while the payee cannot directly know the identity of the consumer, this is traceable by the issuer of the electronic cash system used. Beenz, and other such token-based systems, require no credit card nor other banking details – indeed, it may prove to be the case that such systems, which bear no financial risk to the consumer, encourage them to take up use of internet payment systems gradually by building trust in the technology. For now, however, the chief issue surrounds the personal details – name, town of residence, age, gender, as well as monitoring of websites visited (for purposes of consumer research) – that these systems hold. Any such data identifying the consumer and consisting of personal information is protected by the Directive and so the issuer is subject to the same conditions and protections. Mondex cards, for example, are issued with a PIN, which the issuing bank can match to a customer’s personal details. The payee cannot access these and thus the cardholder’s privacy is protected as against the payee, but the bank collects the personal data used in the transaction and is thus bound by the data protection rules. By the same logic, credit card information encoded into a Twin/Tone Records watermark is inaccessible to all but those who can decipher the watermark, upon whom the same data protection duties are laid. (There should be no jurisdictional question here, as the data, being stored in music downloaded from the Twin/Tone website on the purchaser’s PC or a CD which (s)he has burned it onto, is clearly processed where the purchaser resides – in the case of an EU citizen the Directive is applicable.) Biometric identification systems, such as Iriscan, also require a database of personal information in order to match an individual’s appropriate bodily characteristic(s) to the correct account information. Again the same considerations should apply as to the applicability of the Directive.

Perhaps the most significant aspect of the Directive from the perspective of online payment systems is Chapter IV, which deals with the transfer of personal data to third countries. Under Article 25 (1):

‘The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if…the third country in question ensures an adequate level of protection.’

Such a provision has important implications for processing of personal data in the context of online payment systems: typically processing is done where cheapest – all processing by the CyberCash network, for example, is done in the United States.

What qualifies as ‘adequate’ is of great importance, as third countries deemed by the Commission not to offer such protection are, under the Directive, to be prevented from having qualifying data transferred to them.13 As initially proposed, the Directive did not clarify what was meant by ‘adequate’ – if interpreted so as to mean an equal level of data protection, the US for example would be excluded. The US is currently considered to offer an inadequate level of protection, as it lacks any comprehensive national legislation on data protection. What does exist varies from state to state, as well as between sectors; in addition, regulation is often by means of industry self-regulation rather than legislation. However, the US Department of Commerce has been in ongoing negotiations with the EC, and it is expected that at some point in the near future an agreement will be brokered which will bring about a solution to this impasse. The Directive as passed, however, provides broader criteria as to what should be considered here: this includes, in particular, ‘the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.’14 Given that an online payment system may so easily be set up so as to do all its processing potentially anywhere in the world that its issuers decide, with the exact location not necessarily being known by the user, it does seem that there could be some difficulty encountered in enforcing this particular protection. Perhaps such problems could be circumnavigated by a licensing system which required that such systems wishing to trade with EU customers should provide all relevant information about where processing takes place, and
whether that location is subject to the protections offered under European Union law.

In the UK, the Data Protection Directive has been enacted as the 1998 Data Protection Act,15 however, it is not yet in force. The UK has taken full advantage of the transition provisions, and it will be 2007 before the Directive as passed by the European Parliament is given full effect in British law. However, the 1998 Act does create a significantly stronger data protection regime.

2. The Payments Recommendation

The 1997 Payments Recommendation16 sets out various requirements relating to the minimum information which should be given to consumers using electronic payment instruments within the scope of the Directive, and the minimum information contained in the terms and conditions governing the issuing and use of an electronic payment instrument; the obligations and liabilities of the parties to a contract; notification of the loss or theft of an electronic payment instrument, and settlement of disputes.

The Recommendation includes some positive steps in the regulation of new methods of payment; however, it does not apply to all types of electronic payment instrument discussed above. It is explicitly stated that the Recommendation’s provisions do not apply to ‘payments by cheques’,17 and presumably this includes electronic cheques. The definition given to ‘electronic money instrument’ refers specifically to a ‘reloadable’ device18 while the preamble makes it clear that the Recommendation ‘is…limited to instruments of the reloadable type.’19 Disposable cards, such as those offered by VisaCash, for example, are thus not covered. This may well be a common sense measure designed to exclude from the Recommendation’s ambit payment cards such as disposable phonecards. It would of course be impractical to offer in respect of a fixed value non-reloadable card the same rights as granted where a reloadable smart card or electronic wallet is used. In fact, such a disposable card is treated in the same manner as ‘real’ cash – if lost it is lost, with no specific legal comeback. Other limitations are placed upon the use of reloadable electronic money instruments under certain conditions.20 It would seem prima facie undesirable to place limitations upon the legitimate interests of consumers in making online transactions on the web in relation to, for example, minimum legal standards as to rights under the contract governing the issue and use of a payment instrument on the ground that it is disposable; however, it should be borne in mind that other, general provisions of EU and national consumer law will apply irrespective of the payment method used. For instance, the Distance Selling Directive21 provides that the consumer must be given certain information, such as ‘the price of the goods or services including all taxes’, ‘delivery costs, where appropriate’, duration of an offer’s validity, etc.22 confirmed in ‘writing’, at the appropriate time.23 A ‘right of withdrawal’ from the contract is also granted to the consumer who may, within ‘a period of at least seven working days…withdraw from the contract without penalty and without giving any reason. The only charge that may be made to the consumer because of the exercise of his right of withdrawal is the direct cost of returning the goods.’24

3. Systemic Risk

Electronic cash systems place a liability upon the issuer to redeem the electronic units for value, whether from a payee or an account holder to whom the units were initially issued. There are certain risks associated with a digital system, for example, loss occasioned by the redemption of counterfeit tokens. Various electronic means may be adopted in order to prevent forgery. In the DigiCash eCash system, for example, only the issuing bank is enabled to create the electronic coins - thus the only way of creating a forgery is to duplicate coins which are already in circulation. As a preventative measure, the eCash system maintains a database of spent coins’ serial numbers. User anonymity is protected due to the ‘blind signature’ method; however, a ‘coin’ cannot be spent twice. Illicit access to a consumer’s account by another can be prevented by use of various password and encryption devices.25 There is also the risk that, owing to poor investment decisions, the money held against the digital units issued is diminished. Such risks, and the potential domino effect on other business interests, have led some to call for a restriction of the power to issue digital cash to banks, who are subjected to a variety of requirements for the purposes of capital protection etc. Such concerns are to be addressed by the Electronic Money Directive.26
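The two controls the paragraph above attributes to eCash (only the issuer can create coins, and a spent-serial database stops a coin being redeemed twice) are easier to see in code. The following is an added illustration written for this page; it is not DigiCash’s code nor the article’s. It uses a textbook RSA blind signature (Chaum’s construction) as the stand-in for the ‘blind signature’ method, with tiny constructed key parameters, and the `IssuingBank`, `Coin`, `withdraw` and `demo` names are my own.

```python
"""Toy model of issuer-only minting plus a spent-serial database.

Added illustration, not DigiCash's or the article's code. Uses a
textbook RSA blind signature with constructed, tiny key parameters;
a real issuer would use large keys and a proper padding scheme.
"""
import secrets
from dataclasses import dataclass
from math import gcd

# Constructed toy RSA key for the issuing bank (assumption for illustration only).
P, Q = 1000003, 1000033                 # two small primes
N = P * Q                               # public modulus
E = 65537                               # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent: the bank's minting key


@dataclass(frozen=True)
class Coin:
    serial: int      # random serial number chosen by the customer
    signature: int   # bank's RSA signature over that serial


class IssuingBank:
    """Holds the private key and the database of spent serial numbers."""

    def __init__(self):
        self.spent_serials = set()

    def sign_blinded(self, blinded):
        # The bank signs a value it cannot read (serial * r^E mod N), so it
        # never learns which serial it issued: this is the anonymity property.
        return pow(blinded, D, N)

    @staticmethod
    def is_genuine(coin):
        # Verification needs only the public key; producing a signature needs D.
        return pow(coin.signature, E, N) == coin.serial

    def deposit(self, coin):
        """Payee presents a coin for redemption; returns the bank's decision."""
        if not self.is_genuine(coin):
            return "forged"
        if coin.serial in self.spent_serials:
            return "double-spend"
        self.spent_serials.add(coin.serial)
        return "accepted"


def withdraw(bank):
    """Customer side: choose a serial, blind it, have it signed, unblind."""
    serial = secrets.randbelow(N - 2) + 2
    while True:
        r = secrets.randbelow(N - 2) + 2     # blinding factor, invertible mod N
        if gcd(r, N) == 1:
            break
    blinded = (serial * pow(r, E, N)) % N
    blind_sig = bank.sign_blinded(blinded)
    # (serial * r^E)^D = serial^D * r mod N, so multiplying by r^-1 leaves serial^D.
    signature = (blind_sig * pow(r, -1, N)) % N
    return Coin(serial, signature)


def demo():
    """Run one withdrawal and three redemption attempts; returns the outcomes."""
    bank = IssuingBank()
    coin = withdraw(bank)
    tampered = Coin(coin.serial + 1, coin.signature)   # serial altered after signing
    return [bank.deposit(coin), bank.deposit(coin), bank.deposit(tampered)]


if __name__ == "__main__":
    print(demo())   # ['accepted', 'double-spend', 'forged']
```

The bank never sees the serial at signing time, which is what keeps the later deposit unlinkable to the withdrawal; the spent-serial set is the only thing that makes a duplicated coin unredeemable, so in a real system that database (and its availability) is itself a liquidity-critical asset. A coin whose serial was altered after issue fails the public-key check before the database is even consulted.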

4. Liability and other issues relating to Multi-Functional Devices

The use of multi-functional smartcard technology in particular raises liability issues which have yet to receive full legal consideration. Liability for loss, damage, fraudulent usage, etc of a standard magnetic strip payment card (credit, debit, etc) is subject to a clear contract between the issuer and the user. However, when a multi-functional smart card is involved, the issues become much more complex. For example, in the case of loss or theft, who bears the responsibility if not the user? Is there a single application which will be responsible for ensuring adequate security for the card’s general functions, for example, prevention of fraudulent use of the card in payment, or of a digital signature encoded into it in order to identify the rightful user? Security, fraud prevention, and so on will also arise as issues of consumer protection provisions. The application of data protection requirements will be of great significance in ensuring adequate consumer protection strategies are in place. This is likely to entail the use of some method of encryption, raising further issues as to availability of decryption information, etc.

Another important question is that of ownership. Standard, single use magnetic strip cards are commonly understood to be issued by, for instance, a bank, to be used by the customer but remaining the property of the issuer. Multi-functional cards may have several different applications from several different sources loaded on them – banking details, credit card, health records – so who owns the card? Is there a single card owner, or will each interested party be said to own only their own application stored on the card?

A related question asks who is permitted to issue a smart card. Will this be limited to banks? Will such cards be issued instead by governments? (In countries such as, for instance, Germany or France, where a government-issued ID card is a necessity, could the government in such a state issue its own smart cards for ID purposes which the user would then add
other applications such as payment facilities to?) Government owned cards would raise the further issue of citizens’ rights to access government information as relating to themselves. Alternatively, will it be legally (as it is technically) possible for a company simply to produce and sell ‘empty’ smartcards which the user can then add his own details to? Or must the issuer be a licensed person (real or legal)? A further important issue requiring analysis is whether the user of a card will be permitted to add and remove applications from the smartcard at will, or whether it will carry fixed applications as installed by the relevant companies with which the user may not tamper.

The contractual issues involved will require consideration. For instance, the contractual relationship between issuer and user will remain substantially similar as for the issue of a standard magnetic strip single use card. However, a multi-functional card raises a number of other relationships such as that between card issuer and application provider, or between one application and another.

At present, there would appear to be no clearly defined answer to these questions in European law: it is, however, anticipated that current consumer protections will be expanded to encompass the complex issues raised by multi-functionality as such payment technologies become more common. However, the following chapters will investigate these issues as they relate to smartcard use in more depth.

5. The Regulatory Framework Applicable to Issuers of Electronic Money

The regulations applicable to electronic money issuers will depend on the type of activities carried out. In most countries institutions carrying out banking activities are subject to various banking specific regulations. In general the central bank of the country will carry out a supervisory function in relation to institutions which accept deposits. The question therefore is whether issuing electronic value will bring the institution within the scope of the banking regulations. In Europe the First and Second Banking Directives27 provide for a supervisory regime applicable to credit institutions in the Member States. A credit institution is defined as ‘an undertaking whose business is to receive deposits or other repayable funds from the public and to grant credit from its own account’. (Article 1 of the First Banking Directive as amended by the Second Banking Directive.)

According to the UK Banking Act 1987, if a person or institution accepts deposits in the course of carrying on a deposit-taking business then they will require authorization from the Financial Services Authority. In the UK a deposit is defined as a sum of money which is paid to an institution on the understanding that:

• it will be repaid (with or without interest at an agreed time or on demand), and
• it was not paid in return for the provision of property or services or as security28

A deposit-taking business is one which lends the deposits received to others, or finances other business (wholly or to a large extent) out of the capital or interest received by deposits.

It would appear therefore that whether or not an electronic money issuer’s activities fall within the banking regulations depends on how the system actually works. Systems which facilitate the use of credit cards online such as Cybercash29 provide a service and accept money from their customers as consideration for the service. They are not therefore under any obligation to repay the money unless they fail to provide the service and so are not accepting deposits. Likewise, systems which involve an intermediary holding funds which are to be delivered to the seller on receipt of a notice from the buyer do not amount to deposit taking because they are not repaying the money to the original lodger of the funds. Rather they act as a payment intermediary by issuing the funds to someone else.30 Furthermore if a system is created without any provision for repayment then this may be an effective way for it to avoid coming within the scope of the banking regulations.

It is therefore only likely that a system which requires the users to lodge repayable funds in an account will bring the issuer within the scope of the banking regulations. It is the requirement for customers to set up a repayable account which would constitute deposit taking activity.

Accepting deposits is not by itself sufficient to bring the activities of an institution within the scope of banking regulations; there must exist a deposit taking business. Under UK law if businesses lend the funds received or finance any activity out of the capital or interest on the deposit, for example by using the interest earned from placing the deposit in a bank or building society account, then this would fall within the scope of the definition.

If issuers of electronic value fall under the deposit taking rules they will require authorization under banking legislation.31 The main purpose of requiring banking supervision is to ensure that the institution maintains adequate capital to support its business activities. This supervisory role of the central bank ensures the banks’ obligation to maintain solvency and liquidity and to possess adequate funds to cover normal banking risks and liabilities.32 Adequate levels of security will be demanded by the bank to prevent the circulation of forged coins or cards which would pose a risk to the liquidity of a bank.

It is clear that many electronic payment systems will not fall within the scope of the banking regulations. Does this have a great impact on the user? If an issuer encounters financial difficulties then more remedies may be available from bank issuers of digital money than from non-bank issuers. In the case of the institution becoming insolvent, deposit protection schemes33 protect funds deposited with authorised institutions. Banks contribute to the scheme which pays out a percentage of the deposit, up to a fixed amount, if the bank becomes insolvent. The question therefore is whether digital money would constitute a deposit and so be covered by the insurance. The UK Banking Code, a voluntary code produced by the British Bankers’ Association, The Building Societies Association and the Association for Payment Clearing Services, followed by banks and building societies in the UK in relation to their dealings with personal customers, states that an electronic purse should be treated in the same way as cash in a wallet. Therefore if it is lost or stolen the value would be lost just as the cash in a wallet would be forfeited. If however a scheme did involve depositing money in an account to be withdrawn when needed, the value in the account may constitute a deposit and therefore be covered by the scheme.
However, money in an e-purse or wallet would not be covered, at least at the present time.

It is clear from the UK perspective that only systems which involve ‘accepting deposits as part of a deposit taking business’ would be subject to the banking regulations and therefore other systems which did not require the depositing of repayable funds would not be governed by the supervisory regime applicable to credit institutions. Five other Member States also follow this approach.34 In some of the Member States however (Denmark, Spain, France,35 Germany, Italy, Portugal, Netherlands and Austria) the issuer of electronic money on a multi-purpose smartcard must be a credit institution, and in the following countries (Austria, Denmark, France, Italy and the Netherlands) the issuance of software-based electronic money products is also confined to credit institutions. Denmark has special provisions in relation to multipurpose smartcards allowing non-banks to issue them so long as they adhere to certain requirements.

Although most of the currently available systems issue digital money through banks, digital money could be issued by other commercial organisations in some of the Member States if the system used did not involve accepting deposits. If consumers are dealing with very small amounts then they may be quite happy to obtain their digital money from a commercial organisation other than a bank. Owing to the lack of a clear regulatory framework for issuers of electronic money in Europe various reports[36] have been produced reviewing the position and calling for the establishment of a supervisory regime.

6. Directives on Electronic Money

In response to concerns that commercial bodies issuing electronic money may not be regulated by current regulations the European Commission drafted proposals for two directives on the issuing of electronic money: the Council Common Position on a European Parliament and Council Directive on the taking up, the pursuit and the prudential supervision of the business of electronic money institutions, and the Council Common Position on a European Parliament and Council Directive amending Directive 77/780/EEC on the co-ordination of laws, regulations and administrative provisions relating to the taking up and pursuit of the business of credit institutions. In late 1999 the Proposals were amended and the Council reached a Common Position. The Directives were adopted by the Council on 16 June 2000.[37] Their final form was adopted by the Parliament on 18th September 2000.[38]

The Directives seek to establish a level playing field for electronic money issuers and credit institutions by imposing a supervisory regime on all electronic money issuers. This supervisory regime, although similar in framework to that applicable to credit institutions (through the creation of a prudential regime ensuring the stability and soundness of electronic money institutions), takes into account the differing natures of such institutions by stipulating different requirements for certain features of the regime such as capital requirements and restrictions on investments. The Directives also aim to improve the single market in financial services by introducing the concept of mutual recognition of home supervision (i.e. a single passport) to electronic money institutions within a framework of harmonized prudential rules.

The first of the Directives[39] brings electronic money institutions within the scope of the First and Second Banking Directives by including them in the definition of credit institutions.

The second Directive[40] introduces the term ‘electronic money institution’ to apply to all establishments issuing electronic money. These institutions are subject to various provisions which include prior authorization, minimum capital requirement, fit and proper management, sound and prudent operation, and initial and on-going owner control.

The Directive defines ‘electronic money’ as monetary value which is:
• ‘stored electronically on an electronic device;
• issued on receipt of funds of an amount not less in value than the monetary value issued;
• accepted as a means of payment by undertakings other than the issuer.’

This definition was amended from the original proposal which came under some criticism[41] for focusing too much on the technical features of electronic money. A previous reference to ‘…limited value payments’ in the definition has also been omitted, presumably as this may have implied that large value payments were not covered by the Directive. The Directive restricts the business activities of electronic money institutions other than the issuing of electronic money to:
• ‘the provision of closely related financial and non-financial services….’ and
• ‘the storage of data on the electronic device on behalf of other undertakings.’

The Directive also makes it clear that the funds received in exchange for electronic money shall not be considered to be a deposit if the funds received are immediately exchanged for electronic money and are not advanced with a view to receiving electronic money at a later stage. This clarifies the position in relation to the applicable regulatory framework and therefore prevents Member States from applying banking regulations to such issuers rather than the provisions in the Directives.

The Directive provides that electronic money shall be redeemable. This is also an amendment from the earlier proposal and is perhaps in response to concerns that without redeemability, differences might emerge in the value of electronic money issued by different issuers. The European Central Bank stated that ‘from the monetary policy point of view, the redeemability requirement is necessary in order to preserve the unit-of-account function of money, to maintain price stability by avoiding the unconstrained issuance of electronic money, and to safeguard both the controllability of liquidity conditions and the short-term interest rates’.[42] They also state that redemption should be allowed until a certain date after the expiry date of such electronic money and that disposable and reloadable cards should be treated equally in respect of this redeemability requirement.

A further reason for requiring redeemability is consumer acceptance. At least in the near future consumers may be unwilling to use electronic money which is not redeemable because most electronic money products are accepted only by a small number of retailers. If a consumer was unable to spend all of the electronic money purchased, perhaps because he/she could not find all of the desired goods or services from the specific retailers who accept it, and was unable to redeem it with the issuer, it would become worthless.

The Directive lays down clear capital and on-going funds requirements. These require an electronic money institution to have both an initial capital of 1 million euros and own funds of at least 2% of the current amount, or of the average of the six preceding months’ total amount, of its financial liabilities. The purpose of such an ‘own-funds’ requirement is to ensure that the issuer maintains a certain proportion of the amount invested. This ensures that if the money invested makes a loss, there will be sufficient funds from the issuer to act as a cushion so that retailers who have accepted electronic money can redeem the value.

There are also requirements to ensure the liquidity of the issuer by placing limitations on the types of investments in which money can be placed. As with bank deposits, the issuers of electronic money invest the value received. However, if the investment policy pursued by the issuer is not adequately sound the value may decrease. Furthermore, if an issuer has invested all of the money in long term investments and the electronic money is being spent within the space of a few weeks the issuer will have difficulty in making the requisite payments to the retailers and in an attempt to do so may liquidate assets quickly, resulting in heavy losses. The Directive therefore requires the issuer to maintain a certain proportion of its assets in easily accessible, liquid form. The issuer must place an amount at least equal to its financial liabilities in one or both of the following:
• assets which attract a zero credit risk and which are sufficiently liquid according to Article 6(1)(a)(1), (2), (3) and (4) and Article 7(1) of Directive 89/647/EEC;
• sight deposits held with Zone A credit institutions and debt instruments which are sufficiently liquid. These must not exceed 20 times the own funds of the issuer.

Although the purpose of such restrictions is to ensure stability and soundness by imposing a relatively low-risk investment policy, unfortunately assets kept in such easily accessible form are likely to yield a low rate of return. This requirement is particularly restrictive to the profit-making capacity of the issuer and has been heavily criticized. Although the capital adequacy requirements are lower than for banks (one million euros as opposed to five million euros) and there are lower on-going funds requirements, these do not seem to adequately balance the strict limitations on investments.

The Directive also requires competent authorities to verify periodically compliance with the capital and investment requirements. The issuer should have sound and prudent management, sound administrative and accounting procedures and adequate internal control mechanisms which should respond to the financial and non-financial risks to which the institution is exposed, including technical risks.

There is also provision for the waiver of certain regulations for small issuers. This applies to issuers whose unredeemed electronic money does not exceed 6 million euro, which issue electronic money with a maximum storage capacity of 150 euro, and which operate only within a defined group or area. These issuers will not however benefit from the single passport provisions. This has been criticized by the ECB, who have suggested that there should be a minimum level of regulation for all issuers irrespective of their size.

In August 1998 the ECB issued a report on the issuance of electronic money[43] which outlined some of the requirements it thought necessary to maintain stability in the financial markets, to maintain effective monetary policy and to avoid systemic risk. Two objectives which it deemed desirable to pursue were:
• ‘the interoperability of electronic money schemes; and
• the adoption of adequate guarantee, insurance or loss sharing schemes aimed at protecting customers against losses and at preserving confidence in electronic money.’

Neither of these objectives has been included in the Directive. Considering the barriers to payment systems which the lack of interoperability has posed, this first omission may prove short-sighted. In addition to allowing smaller systems to develop and compete, and decreasing costs for retailers as they would not have to install the hardware or software for a vast array of systems, it would help to create universally accepted payments. The second would help to enhance harmonized protection for the consumer using electronic money which is issued by electronic money issuers and banks. It would be fair to argue that some customers will not be aware of the differences in levels of protection afforded by banks issuing electronic money and commercial electronic money issuers. In a few countries[44] some of the electronic money schemes would be covered by the national deposit-guarantee or insurance schemes whereas in other countries the funds are not covered unless they are deemed to be deposits taken by a bank. Even then it is only the money which is held in the account which is covered by the scheme and not the value held on the smartcard or software. However in Belgium, an agreement with the Finance Ministry has extended the protection to the value stored on the chip of a smart card. Surprisingly such protection has not also been extended to the money stored on the merchant card reader before it is transferred through the network. In the UK it is made clear in section 14.9[45] of the current Banking Code that any money left in an electronic purse when lost or stolen will be lost in the same way as real cash in a wallet:

“If you lose your electronic purse or it is stolen, you will lose any money in it, in just the same way as if you lost your wallet.”

By s. 14.10, liability for unauthorized withdrawals from one’s account into a lost electronic purse, prior to notification, will normally be limited to £50:

“If your electronic purse is credited by unauthorized withdrawals from your account before you tell us it has been lost, stolen or misused, the most you will lose is £50.”

This parallels the law on misuse of credit cards (Consumer Credit Act 1974). Directive 2000/46/EC allows an electronic money instrument to be used for storing electronic data:

“5. The business activities of electronic money institutions other than the issuing of electronic money shall be restricted to:

(a) the provision of closely related financial and non-financial services such as the administering of electronic money by the performance of operational and other ancillary functions related to its issuance, and the issuing and administering of other means of payment but excluding the granting of any form of credit; and

(b) the storing of data on the electronic device on behalf of other undertakings or public institutions.

Electronic money institutions shall not have any holdings in other undertakings except where these undertakings perform operational or other ancillary functions related to electronic money issued or distributed by the institution concerned.”

Creating financial stability and ensuring that the failure of one issuer does not have a knock-on effect on the others will be beneficial to all parties as it helps to avoid systemic risk and to ensure the stability of the financial markets. However, although intended to maintain financial stability and consumer confidence and provide a clear regulatory framework, the measures may in fact adversely affect competition and innovation in a field which is still in the early stages of development. Although a low initial capital requirement and a lower own funds requirement have been introduced for electronic money issuers in order not to discourage new entrants and enhance profitability, the very tight restrictions on investments may stunt the development of such systems in Europe by making them less likely to be profitable. As other countries outwith Europe do not as yet seem to be taking a regulatory approach to issuers at this early stage, European consumers may find that there are greater payment options available outside of Europe which, although less financially stable, may provide more immediate benefits in terms of cost and universal acceptance.

The differences between banking activities and issuing electronic money should not be ignored. Deposit-taking activity is regulated because it involves customers being exposed to the credit risks of the bank. If the bank collapses then the deposits may not be repaid and therefore the regulations seek to limit the risks to which customers are exposed. However the issuers of electronic money are not in the same position as banks as they provide a different service. Banks accept customer deposits of unlimited value and retain these until the customer wishes to withdraw the money, whereas electronic money issuers provide electronic value of a limited value to customers to spend in the near future. The risk to the customer is far lower with electronic money as there is generally only a very small amount at stake and only for a short period of time. The risk which the customer takes with electronic money is a short term, low value risk whereas for bank customers the risk is often for a higher value over a longer period of time. It would not be beneficial for the ordinary consumer to maintain large sums of money in electronic money as this would prevent him or her obtaining interest on the money as he/she could in a bank.

Dr Simon Newman and Gavin Sutter, Centre for Commercial Law Studies, Queen Mary College, University of London.

FOOTNOTES

[13] Article 25 (4).
[14] Article 25 (2).
[15] Halsbury’s Statutes 1998 Ch 29.
[16] 97/489/EC OJ No. L 208, 02/08/1997, pp. 0052–0058.
[17] Article 1 (3) (a).
[18] Article 2 (c).
[19] Paragraph (3).
[20] See Article 1 (2).
[21] 97/7/EC.
[22] Article 4.
[23] Article 5.
[24] Article 6.
[25] See further Schoenmakers B, ‘Basic Security of the eCash Payment System’, available at: <http://www.digicash.com/index_e.html>.
[26] (98/C 317/06) COM (1998) 461 final – 98/0252 (COD).
[27] First Banking Directive (77/780/EEC) L322/30 17/12/77 and Second Banking Directive (89/646/EEC) 1989 OJ L 386/1.
[28] Section 5(1).
[29] <www.cybercash.com>.
[30] See Nicholson Graham & Jones, Report to the European Commission (DG XV) on the Legal and Regulatory Aspects of the Issue and Use of Pre-Paid Cards.
[31] Second Banking Directive 89/646/EEC, 1989 OJ L 386/1.
[32] This is covered by various directives including the Own Funds Directive 89/299/EEC, 1989 OJ L124/16, Solvency Ratio Directive 89/647/EEC, OJ L386/14 and the Council Directive on the supervision of credit institutions on a consolidated basis OJ L110/52 28/4/92. It is also covered by The Bank of England Act 1998. For further information see ‘Legal Regulation of Internet Banking – A European Perspective’ 1996 Chris Reed, QM, University of London.
[33] <http://www.fsa.gov.uk/bank/deprosch.htm>.
[34] Belgium, Ireland, Finland, Luxembourg and Sweden, though in Belgium the issuance of electronic money is de facto restricted to credit institutions.
[35] In France there is an exception for single purpose cards.
[36] For example the Report by the European Central Bank, August 1998 at <www.ecb.int>.
[37] The Council’s Common Position to the two Proposals was published in OJ C026 of 28 January 2000, pp. 1–14.
[38] Directive 2000/46/EC of the European Parliament and of the Council of 18 September 2000 on the taking up, pursuit of and prudential supervision of the business of electronic money institutions. Directive 2000/28/EC of the European Parliament and of the Council of 18 September 2000 amending Directive 2000/12/EC relating to the taking up and pursuit of the business of credit institutions. For text see: <europa.eu.int/eur-lex/en/lif/dat/2000/en_300L0028.html> and <europa.eu.int/eur-lex/en/lif/dat/2000/en_300L0046.html>.
[39] Council Common Position on a European Parliament and Council Directive amending Directive 77/780/EEC on the co-ordination of laws, regulations and administrative provisions relating to the taking up and pursuit of the business of credit institutions.
[40] Council Common Position on a European Parliament and Council Directive on the taking up, the pursuit and the prudential supervision of the business of electronic money institutions.
[41] Opinion of the European Central Bank of 18/1/99 at <www.ecb.int/pub/legal/op9856en.htm>.
[42] <http://www.ecb.int/pub/legal/op9856en.htm>.
[43] Report by the European Central Bank, August 1998 at <www.ecb.int>.
[44] Austria, Denmark, Spain, France, Italy and Sweden.
[45] The Banking Code, January 2001.