The new payment services, payment initiation and account aggregation, have sparked a revolution, not only for traditional financial institutions but also for new operators. Garrigues explains all the implications of these new services from corporate law, tax and data protection standpoints.
The new Spanish regulations on payment services are one more step toward the harmonization and modernization of payment systems at European level (the main objective of Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, also known as the Payment Services Directive or PSD2), as well as an effective answer to the need to provide greater security for e-commerce transactions. The new statutory regime on payment services came hand in hand with Royal Decree-Law 19/2018, of November 23, 2018, on payment services and other urgent financial measures, which partially transposed the aforesaid Second Payment Services Directive into Spanish law. Equally important in this connection was Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing the Second Payment Directive with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication.
Aimed at attaining these objectives, one of the main aspects of the new payment service regulations in Spain is, without a doubt, the regulation of two new payment services: the payment initiation service and the account information service (also known as account or payment aggregation).
The most novel feature of these new services is that they grant third parties access to user accounts held at other payment service providers (account managers). Their provision is not conditional on the prior existence of a contractual relationship between the providers of these new payment services and the account manager payment service providers, and they are provided at all times on the basis of the explicit consent of the payment service user.
The payment initiation service is a “bridge” service through which the user is offered the possibility of initiating a payment order without the direct use of a bank card or bank account, with respect to a payment account opened at the payment service provider.
Thus, when the user wishes to make a payment, it sends a payment order to the payment initiation service provider which, in turn, forwards the order to the manager of the user’s account. After receiving the payment initiation order, the user’s account manager will furnish or make available to the payment initiation service provider all information related to the initiation of the transaction and its subsequent performance.
The payment initiation service therefore enables the user to pay for any transaction more quickly, more economically and more securely, without having to access their online banking system or use a traditional method of payment. It is important to note that the provider of this payment initiation service will at no time take possession of the user’s funds, nor can it modify the amount, use or other essential elements of the transaction, but merely acts as transmitter of the payment initiation order through secure and efficient channels, by using the related authentication systems and guaranteeing the security of the user’s data at all times.
On the other hand, the account information or account/payment aggregation service consists of the online aggregation of all information related to one or more accounts held by the user of the service, open and kept at other payment service providers, thus offering the user global and immediate access to aggregated information regarding their financial position. Access by the aggregation service provider is limited to information on the payment accounts designated by the user and the related payment transactions.
The provision of these new payment services also requires prior authorization from the Bank of Spain, which means complying with obligations regarding solvency and user protection, meeting requirements on the commercial and professional good repute of the service provider’s directors, having professional civil liability insurance or an equivalent guarantee, and other requirements and demands specific to payment entities. With a view to preventing entities that provide such services from being used to carry out criminal activities related to money laundering and terrorism financing, such entities are also treated as subject to the anti-money laundering and counter-terrorism financing obligations imposed by Law 10/2010, of April 28, 2010 and its implementing provisions, with which they must comply.
According to the Bank of Spain Administrative Register, at present at least six entities have been authorized in Spain (or passported from their States of origin) for the provision of the payment initiation service. In turn, at least four entities have been authorized to provide the account aggregation service.
The foregoing notwithstanding, most Spanish banks began to provide payment initiation and account aggregation services after the new Law entered into force, either directly or under cooperation agreements or through joint ventures with the main market operators.
Tax treatment of ‘Fintech’ services
The increase in the use of payment gateways, virtual POS terminals or instant transfers via mobile phone will intensify the need for greater clarity regarding the tax treatment of these ‘Fintech’ services, since their provision gives rise to numerous requests for tax rulings, most of which relate to the value added tax (VAT) treatment of these services.
In general, these VAT requests can be broken down into two large groups. On one hand, those regarding the place where the service is supplied (place-of-supply rules), which will depend on the type of service and whether it is a B2B or B2C relationship. On the other, those regarding whether the service supplied could be exempt from VAT.
Accordingly, the first thing to determine is whether the service comprises only technical/administrative aspects of management (“Tech”) which would mean that the service is not exempt from VAT, or whether, on the contrary, it extends to the specific and essential elements of the payment orders (“Fin”) and would therefore be exempt.
Having regard to the foregoing, if the task performed by the payment entity is treated as payment intermediation, because the requesting taxpayer supplies a financial service (payment at a virtual POS or similar tool) and acts at all times as the liable party in the payment chain (in other words, if there were non-payments or returns, losses could be incurred on its activity), then the services supplied would be exempt from value added tax.
Nonetheless, if the entity is in charge of managing the payment through an electronic system and therefore simply receives payments in its bank account from its customers’ customers and then, after applying a commission, makes a transfer to its customers, the activity should be treated as collection management (within the meaning of the judgment handed down by the Court of Justice of the European Union on AXA, Case 175-09, 25 October 2010) and would therefore be subject to and not exempt from VAT. In such case, the Directorate-General of Taxes took the view that a payment gateway service, consisting of connecting the servers of the main credit cards, was an administrative (not a financial) service and, accordingly, its supply, alone, should be treated as subject to and not exempt from VAT.
Data protection regulations
Through the use of applications for mobile or fixed devices, which permit easy payment management and easy access to aggregated banking information, the user can ask the service provider not only to manage a payment but also to aggregate their banking information. For all of this to work, the payment service provider, at the request of the final user, must connect with the financial institution’s systems and access the related user information.
Obviously, all these processes entail the intensive processing of the user’s data and information through the use of technology and applications, which means that regard must also be had to the legislation regulating information society services, such as the regulations protecting the privacy of users and their personal data. In Spain, they are found in Law 34/2002, on Information Society Services and Electronic Commerce and in the European Union General Data Protection Regulation (GDPR), in conjunction with Organic Law 3/2018, on personal data protection and guarantee of digital rights.
Accordingly, in order for these services to be provided risk free, it is essential that the applications, from the start of their development and throughout their functioning, take into account the demands of both regulations, so as to avoid risks that could turn out to be extremely significant in terms of possible penalties or indemnities.