E-Finance & Payments Law & Policy, March 2013

THE NEWSLETTER FOR THE E-FINANCE INDUSTRY
MARCH 2013 VOLUME 07 ISSUE 03
WWW.E-COMLAW.COM

Bankinter app
is “another
way” for NFC
Bankinter, the Spanish bank,
unveiled on 4 March a contactless m-payments service which
eliminates the need for a secure
element inside the handset,
marking the first time a service
provider can offer an NFC
service without needing a
manufacturer or telco to
produce the secure element.
“The Bankinter solution is
not necessarily the complete
answer but it proves there’s
another way of doing it,” said
Chris
Jones,
Principal
Consultant at PSE Consulting.
“The fact this is workable as a
proof of concept is interesting.”
Each
time
Bankinter
customers use the service, a
unique virtual version of the
consumer’s card is downloaded
via an app, enabling payment.
Commenting on Bankinter’s
move, Richard Kemp, Senior
Partner at Kemp Little, adds
that banks “are majoring on
avoiding fragmentation” but
“who best answers the question
‘who owns the customer?’ could
well emerge the winners.”
Jones, meanwhile, believes
that “A software solution that
overcomes a technical problem
and presents a simple model for
consumers: will lead to a gamechanging approach to mpayments.”

IN THIS ISSUE

Editorial 03
AML HSBC failures 04
Cramming FTC
settlement 06
M-Commerce Joint
ventures 08
FATCA Regulations 10
Q&A Jason Oxman,
CEO of the ETA 13
Europe The 4th AML
Directive 14
E-Money France 16

FTC issues privacy focussed
mobile payments report
The Federal Trade Commission
issued a staff report on 8 March
as part of its efforts to increase
consumer protection in the
emergent mobile payments
marketplace, highlighting key
consumer protection issues.
“The FTC has determined
that providers can do more to
advance m-payments,” said
Michelle Cohen, Member of
Ifrah Law, “in other words, the
FTC actually thinks mpayments are a solid option for
consumers, but wants to ensure
consumers feel secure and are
protected from fraud and unfair
practices.”
The report ‘Paper, Plastic…or
Mobile? An FTC Workshop on
Mobile Payments,’ compliments
a workshop held by the
Commission in 2012, and
explores three areas of concern:
“Disputes concerning fraudulent payments and unauthorised charges, data security, and
privacy,” explains Cohen. “A

key take away is the FTC’s view
that m-payment providers
should deliver disclosures
clearly and conspicuously,
afford consumers a reasonable
mechanism for disputing
charges, and be mindful of
establishing protocols to protect
consumer privacy,” explains
Ryan H. Rogers, Associate at
Morrison & Foerster.
“When the FTC convened a
workshop on m-payments last
year, more than anything else –
it was to put concerns about
customer privacy, front and
centre of the m-payments
narrative,” said Cherian
Abraham, Mobile Commerce
Lead at Experian Global
Consulting. The FTC recommends that m-payment
providers practise ‘privacy by
design’ when developing
products.
One particular concern
highlighted by the report
involves ‘cramming,’ whereby

third parties place unauthorised charges on mobile phone
bills (an issue that will be
discussed at an additional FTC
roundtable in May). However,
Dax Hansen, Attorney-At-Law
at Perkins Coie LLP, questions
whether cramming is really a
big issue. “Reports from direct
carrier billing aggregators
suggest a low level of
complaints in regards to
wireless cramming,” explains
Hansen.
“While all players in the
ecosystem need to remain
focused on providing good
consumer protections,” continues Hansen, “we should be
cautious not to burden with
regulation a convenient, low
cost, consumer payment
solution.” Rogers agrees:
“Regulatory prescriptions are
unnecessary at this time and
especially so in the absence of
any evidence that mobile
payments are not secure.”

EC drops 18-month investigation
into EPC standardisation process
The European Commission
(EC) closed on 22 February its
18-month investigation into the
European Payments Council’s
(EPC) proposed standardisation process for e-payments.
“The EC was concerned that
the standardisation process
would have excluded non-bank
players from the sector, because
only banks would have been
able to meet the relevant
criteria,” explains Paul Stone,
Partner at Charles Russell.
EU
Competition
Commissioner
Joaquín
Almunia said the investigation

ended as the “EPC decided to
abandon its work in [the
standardisation] area.” The EC
has advised that legislative
proposals due in summer will,
inter alia, address market entry
barriers. “The EC has flagged
that it will keep standardisation
under review as it sees the area
as an important part of creating
and maintaining an effective
open market,” said John
Worthy, Partner at Field Fisher
Waterhouse.
“The introduction of epayment services ties in very
closely with the EC’s aims of

ensuring that the EU single
market is a world leader in ecommerce,” said Nathalie
Moreno, Partner at Speechly
Bircham. Moreno highlights the
EC’s 2012 paper, ‘Towards an
integrated European market for
card, internet and mobile
payments,’ “which discusses
plans to promote and instigate
standardisation in order to
achieve interoperability. A
policy of broad, integrated
standardisation in paperless
payment services might therefore have been a factor behind
the EC dropping the EPC case.”

THE NEWSLETTER FOR THE E-FINANCE INDUSTRY
VOLUME 07 ISSUE 03 MARCH 2013
WWW.E-COMLAW.COM

editorial board
We are delighted to welcome Erin Fonté, shareholder and payments lawyer at Cox Smith, to the E-Finance & Payments Law &
Policy Editorial Board.
John M. Casanova Editor
Sidley Austin LLP
John M. Casanova is a partner in the
London office of Sidley Austin LLP.
Casanova advises clients on a wide
variety of US and English financial
services regulatory and transactional
matters, including payments and
consumer credit. Casanova is a regular
contributor to legal journals including the
Review of Banking and Financial
Services, the Journal of International
Banking Law and the American Bar
Association’s Business Law Journal.
Casanova is a contributing editor on
electronic money and payment systems
to Butterworths Financial Regulation
Service.
jcasanova@sidley.com
William R.M. Long Editor
Sidley Austin LLP
William R.M. Long is a partner in the
London office of Sidley Austin LLP. Long
advises international clients on a wide
variety of regulatory and transactional
matters relating to payments, e-money,
data protection, outsourcing and IT. Long
has been a member of a number of
working groups in London and Europe
looking at the EU regulation of on-line
financial services and spent a year at the
UK’s Financial Law Panel, as assistant to
the Chief Executive. Long is a regular
contributor to legal journals including the
Journal of Electronic Business Law, ECommerce Law and Policy and the
Journal of International Banking and
Finance Law.
wlong@sidley.com
David Birch
Consult Hyperion
David Birch is a Director of Consult
Hyperion, the IT management
consultancy that specialises in electronic
transactions, where he provides specialist
consultancy support to clients around the
world. Birch is a member of the advisory
board for European Business Review, a
columnist for SPEED and UK
correspondent to the Journal of Internet
Banking and Commerce.
He is well-known for his more than 100
Second Sight columns in The Guardian.
He is a media commentator on
electronic business issues and has
appeared on BBC television and radio,
Sky and other channels around the
world. Visiting Tutor at the Visa Business
School since 2001, and lecturer at the
annual Bank Card Business School.
mail@dgwbirch.com
David Butterworth
Skanco Business Systems Ltd
David Butterworth is the Managing
Director of Isle of Man based corporate
IT service providers Skanco Business
Systems. Skanco works with a variety of
offshore concerns, including developing
holistic solutions for major players in the
eGaming and financial services sectors.
David manages the deployment of
innovative software and networking
solutions within these areas. Formerly the
CEO of a significant electronic funds
transfer company, he has expertise
across a wide range of technology
based industries. David is also involved
with public-private partnerships
promoting education on cybercrime

02

prevention and other key areas of
industry concern and policy.
John Chaplin
Ixaris Payments
John Chaplin has been at the forefront of
European card payments in Europe for
25 years. He held a number of senior
executive positions at Visa International
including running their European
processing business. He also was a key
player at First Data for several years and
an adviser to the European Commission
on SEPA. He is currently Chairman of
Ixaris Payments (the open platform
provider), a director of Anthemis Edge
(payments advisory) and a Board
Director of Interswitch Nigeria (payment
networks and card schemes). He is the
organiser of the Global Payments
Innovation Jury that convenes every 2
years.
Michelle Cohen
Ifrah Law PLLC
Michelle is a Member and Chairs the ECommerce practice in the Washington,
D.C. law firm Ifrah Law PLLC. She
advises clients on a broad range of ebusiness, privacy and data security,
consumer protection and
communications-related matters. Cohen
is a Certified Information Privacy
Professional (CIPP-US), as credentialed
by a rigorous examination conducted by
the International Association of Privacy
Professionals. An ALM 2012 Top Rated
Lawyer – Technology Law, Michelle is a
graduate of Brandeis University and
Emory University School of Law, and is
admitted to the District of Columbia and
New York Bars. She frequently speaks
and writes about online commerce,
cybersecurity, and advertising and
marketing.
michelle@ifrahlaw.com
Erin Fonté
Cox Smith
Erin Fonté is a shareholder and
payments lawyer in the Austin, TX office
of Cox Smith. She advises financial
institutions (on both retail and
commercial banking products), stored
value/alternative payments providers,
mobile banking and mobile payments
providers, vendors and retailers regarding
financial services issues, payments
systems laws (including card network
association rules), and all related legal,
regulatory and licensing issues. She has
specific experience with the development
and roll-out of mobile wallet products,
including associated mobile loyalty and
advertising components, as well as ‘xcommerce’ or ‘anywhere commerce’
products that include e-commerce,
mobile commerce, and television/set-top
commerce. Erin chairs the firm's Privacy
and Data Security Practice, is a Certified
Information Privacy Professional (CIPPUS) as certified by the International
Association of Privacy Professionals, and
has experience with a broad range of
matters related to privacy/data protection
laws and cybersecurity issues. Erin is a
graduate of the University of Texas at
Austin and Stanford Law School, and is
admitted to the California and Texas
bars.
efonte@coxsmith.com

Darren Hodder
Fraud Consulting Ltd
Darren is the director of Fraud Consulting
Ltd, which was incorporated in July 2009
to provide vendor neutral fraud
consultancy services to clients covering
financial services, banking,
telecommunications, insurance industries
and public sector bodies, both in the UK
and internationally. A frequent speaker
and contributor to forums such as The
Fraud Advisory Panel, IAFCI and The
Fraud Prevention Forum, Darren has
established himself as a domain expert
and specialist on technical, data, and
software solutions for fraud risk issues
with specific expertise in data sharing,
identity management, originations and
payments fraud, and fraud risk for online
transactions & payments.
darren.hodder@fraudconsulting.co.uk
Chris Jones
PSE Consulting
Chris Jones is a Principal Consultant with
over 11 years experience working for
PSE Consulting and Accenture. He has
worked for many of the major mobile
telecommunication companies, assisting
in developing their business strategies
and implementing change programmes
and the use of mobile technology for
micro, internet and physical world
payments.
Dr Nathalie Moreno
Speechly Bircham
Dr Nathalie Moreno is a highly qualified
international technology partner, with
over twenty years experience in advising
clients operating in the communications,
information technology and e-commerce
sectors across EMEA and globally.
Nathalie advises multinational Information
and Communication Technology (ICT)
Service Providers (including
telecommunications operators) on
transactions, ranging from commercial
agreements to complex outsourcing
deals. She also has in-depth expertise
on telecommunications and satellite
licensing and regulations. She heads a
team of EU dual-qualified lawyers who
have a unique expertise in managing
multi-jurisdictional projects whether on
cross border IT/BPO outsourcing and
managed services, or on IT and
telecommunications implementation and
infrastructure in EMEA or on global data
protection audit and compliance data
protection. She is ranked among the top
lawyers in IT and Telecoms in the Europe
Legal Expert 2012.
nathalie.moreno@speechlys.com
Michael Robertson
HSBC
Michael Robertson is a Managing
Director and global head of Transactional
Foreign Exchange for HSBC. Based in
London, he is responsible for the
strategic direction and management of all
payments-related FX that runs through
the bank's internal business units as well
as that which they manage on behalf of
clients across the bank's 94 country
footprint. With over 20 years of banking,
marketing and technology experience,
Michael is deeply interested in payment
flows and instruments, traditional as well
as emerging.

CECILE PARK PUBLISHING
Managing Editor Lindsey Greig
lindsey.greig@e-comlaw.com
Associate Editor Sophie Cameron
sophie.cameron@e-comlaw.com
Editorial Assistant Simon Fuller
simon.fuller@e-comlaw.com
Subscriptions David Guati
david.guati@e-comlaw.com
telephone +44 (0)20 7012 1387
Design MadeInEarnest
www.madeinearnest.com
E-Finance & Payments Law & Policy
is published monthly by Cecile Park
Publishing Limited, 17 The Timber Yard,
Drysdale Street, London N1 6ND
telephone +44 (0)20 7012 1380
facsimile +44 (0)20 7729 6093
www.e-comlaw.com
© Cecile Park Publishing Limited.
All rights reserved. Publication in whole or in
part in any medium, electronic or otherwise,
without written permission is strictly
prohibited. ISSN 1752-6957. Please note the
opinions of the editors and contributors are
their own and do not necessarily represent
those of any firm or organisation.
CECILE PARK PUBLICATIONS
E-Commerce Law & Policy
Monthly: launched February 1999
E-Commerce Law & Policy is a unique source
of analysis and commentary on global
developments in e-business legislation.
PRICE: £480 (£500 overseas).
E-Commerce Law Reports
Six issues a year: launched May 2001
The reports are authoritative, topical and
relevant, the definitive practitioners’ guide to ecommerce cases. Each case is summarised,
with commentary by practising lawyers from
leading firms specialising in e-commerce.
E-Finance & Payments Law & Policy
Monthly: launched October 2006
E-Finance & Payments Law & Policy provides
all those involved in this fast evolving sector
with practical information on legal, regulatory
and policy developments.
Data Protection Law & Policy
Monthly: launched February 2004
Data Protection Law & Policy is dedicated to
making sure that businesses and public
services alike can find their way through the
regulatory maze to win the rewards of
effective, well-regulated use of data.
PRICE: £450 (£470 overseas / £345 Govt).
World Online Gambling Law Report
Monthly: launched April 2002
World Online Gambling Law Report provides
up-to-date information and opinion on the key
issues confronting the industry.
World Sports Law Report
Monthly: launched September 2003
World Sports Law Report is designed to
address the key legal and business issues
that face those involved in the sports industry.
DataGuidance
Launched December 2007
The global platform for data protection
and privacy compliance.
www.dataguidance.com

EDITORIAL

Editorial
Mobile: The developing regulatory landscape
Over the last decade the capabilities of mobile phones has
increased dramatically particularly with the huge growth in use
of the smartphone and tablet. This has also led to the rapid
increase in mobile payments. An average smartphone user is
now reported to download 37 apps with over 1,600 new apps
added to app stores daily and over 45 billion apps forecasted to
have been downloaded in 2012.
Although this rapid growth in mobile commerce is of
enormous value to the economy it can result in unique
challenges. Mobile phones process increasingly large amounts of
personal data including data on location, contacts, identifiers,
browsing history, email as well as credit card and payment data.
This data also may be shared with third parties, for example, to
send consumers targeted advertisements. There are also many
different parties involved in development, distribution and
operation of apps including app developers, manufacturers of
the Operating System and device, the app stores, third parties
such as analytics providers and commications service providers
and not forgeting the end user.
In the EU, the Article 29 Working Party published last week its
Opinion on apps on smart devices. At the same time, in the US
the Federal Trade Commission recently issued a series of
recommendations aimed at improving privacy protections in
respect of mobile payments following a workshop they held on
30 May 2012.
The Working Party identify that the key data protection risk to
end users is the lack of transparency and awareness of the types
of processing an app may undertake combined with a lack of
meaningful consent from end users before the processing takes
place. The Working Party comments that many apps do not
have a privacy policy and strongly recommends use of icons and
layered notices. The requirements are not just limited to
businesses in the EU with the Working Party commenting that
the consent requirements in the ePrivacy Directive applies to
every entity that places on or reads information from smart
devices where the services are to individuals living in the
European Economic Area. In relation to consent, app developers
are required to ask for consent before the app starts to retrieve
or place information on the device with consent for each type of
data that the app will access, including credit card and payment
data. Users must also be able to revoke their consent and
uninstall the app and delete the data where appropiate.
The Working Party also identifies another data protection risk,
disregard for the principle of purpose limitation which requires
that personal data may only be collected and processed for
specific and legitimate purposes and also excludes sudden
changes in key conditions of the processing. The purpose
limitation goes together with the principle of data minimisation
to only collect data strictly necessary to perform the desired
functionality. Device identifiers are also required not to be used
for advertsing or analytics due to the inability of users to revoke
E-Finance & Payments Law & Policy - March 2013

their consent. Users should also be able to exercise their rights
of access, rectification, erasure and the right to object to data
processing with the Working Party recommending online access
tools where the user can get instant access to the data being
processed about them.
Security is a key issue for mobile and particularly mobile
payments due to the potential loss of financial information. The
Working Party provides that all parties should take the
principles of privacy by design and privacy be default into
account at all stages of the design and implementation of the
app with an ongoing assessment of data protection risks and
use of mitigating measures. One suggestion put forward by the
FTC is the use of end-to-end data encryption throughout the
mobile payment system. It has also been suggested that more
secure methods, such as voice or facial recognition, could be
used to enhance authentication in mobile payment systems.
According to the Working Party the fragmented nature of the
mobile app ecosystem, the wide range of technical access
possibilites to data stored in or generated by mobile devices and
the lack of legal awareness amongst developers creates data
protection risks for app users. At the same time other parties
involved in mobile and mobile payments, such as device
manufacturers, app stores and third parties also have to
collaborate to achieve high privacy standards and encourage
trust among customers to ensure the continued sucess of
mobile and mobile payments.
William Long Partner
Sidley Austin LLP
WLong@Sidley.com

03

AML

Systematic anti-money
laundering failures at HSBC
The scale of the allegations,
concerning failures to implement
anti-money laundering controls,
made by US authorities against the
UK-based bank HSBC, are striking as is the size of the settlement
signed by HSBC in response to the
investigation by the US Senate
Permanent Subcommittee. The
Subcommittee's report catalogued
HSBC's failures to protect the US
financial system from exposure to
vulnerabilities. Steven Philippsohn,
of PCB Litigation, examines the
allegations made against HSBC and
the conclusions that can be drawn
from the Subcommittee's report.
In December 2012 it was widely
reported1 that HSBC, one of the
largest financial institutions in the
world with operations in 80
countries, had entered into a
record settlement agreement with
financial sector regulators in the
United States worth USD 1.9bn
(approximately GBP 1.17bn) in
relation to allegations that the
global banking giant and its US
affiliate exposed the US financial
system to significant risks arising
out of money laundering, terrorist
financing and drug trafficking due
to a systemic failure to implement
strict anti-money laundering
(AML) controls, failures which
stemmed from negligence or, in the
most egregious cases, even
collusion by top management.
The settlement has resulted in
HSBC signing a Deferred
Prosecution Agreement for
breaches of various US financial
legislative and regulatory measures,
including the Bank Secrecy Act, the
Trading with the Enemy Act and
assorted money laundering
offences. This agreement has the
effect of deferring any further

04

action by the US authorities on the
condition that the issues raised are
addressed by the bank and
measures put in place to prevent
such widespread abuse of the
financial system from taking place
again. This is, in effect, "putting the
bank on probation."2
The accusations were set out in a
report published by the US Senate
Permanent Subcommittee on
Investigations (PSI) published in
July 2012 following investigations,
subpoenas and a series of hearings
in which top executives in place at
HSBC both before and after the
events in question took place were
questioned and gave testimony3.
The PSI was tasked with carrying
out a broad examination into the
issue of money laundering and
terrorist financing vulnerabilities
created when a global bank uses its
US affiliate to provide US dollars,
US dollar services, and access to
the US financial system to high risk
affiliates, high risk correspondent
banks, and high risk clients. HSBC
which, through its US affiliate
HSBC Bank USA N.A. (HBUS),
operates more than 470 bank
branches throughout the United
States, manages assets totalling
about USD 200bn and serves
around 3.8 million customers, was
used as a case study for the
purposes of the investigation, and
the report made a number of
findings of fact putting HSBC in
the frame for various breaches of
financial regulations.
The list of allegations levelled
against the UK-based bank reads
like a charge sheet for a major
international crime syndicate. The
report highlights the most flagrant
breaches which can be summarised
as follows:
Providing banking services for
high risk affiliates
HBUS offered various
correspondent banking services to
other financial institutions,

enabling the latter to move funds,
exchange currencies, cash
monetary instruments or carry out
other financial transactions. The
PSI found that these services were
being offered to an affiliated bank
in Mexico in respect of which, as a
result of a HSBC group policy
designating all affiliated
institutions as low risk, only very
limited AML procedures were
carried out. However, due to the
fact that Mexico was 'a country
under siege from drug crime,
violence and money laundering,'4
and due to the fact that the
Mexican bank had high-risk
clients, additional checks and due
diligence should have been carried
out.
Circumventing regulatory
safeguards designed to block
transactions
There are various regulatory
safeguards in place in the US
designed to prevent some of the
most dangerous persons and
jurisdictions in the world from
having access to the US financial
system. These measures include the
maintenance of a black list of
prohibited persons and countries
which banks use to create filters,
flagging potentially prohibited
transactions for review by
compliance personnel. It was
found that HSBC had taken active
steps to circumvent this filter when
processing transactions with
potentially blacklisted
counterparties through its account
by stripping the wire transfers of
any sensitive information, resulting
in transactions worth more than
USD 367 million being carried out
involving Iran, Burma, Cuba,
North Korea, Sudan and other
prohibited countries or persons,
many of which are likely to have
either directly or indirectly
financed terrorism5.
Terrorist financing connections

AML

A large proportion of HSBC's
business has typically been carried
out in Asia, Africa and the Middle
East, in particular Saudi Arabia, a
region in respect of which players
in the financial markets need to be
particularly vigilant as a result of
the increased possibility of parties
having links to terrorist
organisations. The Report
highlights the transactions carried
out with Al Rajhi Bank, one of
Saudi Arabia's largest private
financial institutions, whose key
founder was an early financial
benefactor of Al Quaeda. Due to
concerns over such links with
terrorist organisations, HSBC
attempted to sever ties with the
Saudi bank, only to relent to
pressure from its owners to reestablish the relationship. It was
revealed that HBUS had provided
Al Rajhi Bank with almost USD
1bn in US banknotes up until 2010
when a global decision was taken
by HSBC to shut down its
banknotes programme.
Offering bearer share accounts
Bearer share companies are
corporate entities whose ownership
is proved by the fact of possession
of the share certificate in that
company. Without a share register
and without records being taken of
dealings in the shares, it can be
very difficult to establish beneficial
ownership and, therefore, this type
of corporation is often used as an
instrument of fraud. Use of such
accounts has largely been phased
out globally but HBUS resisted
attempts to shut down this side of
its business and failed to
implement more stringent AML
controls in respect of it. Over the
course of a decade, HBUS opened
over 2,000 accounts in the name of
bearer share corporations, holding
billions of dollars worth of assets6.
Clearing suspicious bulk
travellers cheques

It is clear
from the
above
examples of
the numerous
breaches of
AML
regulations
that took
place at
HSBC and
HBUS that
there was a
systemic
failure of the
banks'
compliance
procedures,
ranging from
oversight and
negligence at
one end of
the spectrum
to collusion
and fraud at
the other.

The Report describes how HBUS
cleared more than USD 290
million in bulk travellers cheques
for a Japanese bank with
inadequate AML controls7. The
travellers cheques had been
purchased by individuals in Russia,
a country at high risk of money
laundering.
Conclusions
It is clear from the above examples
of the numerous breaches of AML
regulations that took place at
HSBC and HBUS that there was a
systemic failure of the banks'
compliance procedures, ranging
from oversight and negligence at
one end of the spectrum to
collusion and fraud at the other.
What is also clear from the Report
and the reaction of the
management to its findings and
recommendations is that this was a
systemic failure of personnel, from
bank staff and compliance officers
on the ground all the way up to the
upper echelons of executive
management8. However, even in a
situation where managers and
executives are intent on
circumventing restrictions in order
to carry out lucrative transactions,
the physical systems that are in
place surely have a significant role
to play in preventing such
transactions being carried out
unimpeded. For example, the
Report highlights how transactions
associated with non-US dollar
transactions raised payment
messages displaying sensitive
information. These messages were
stored electronically on servers in
the US and should have been
processed through the appropriate
black-list filters by bank personnel,
but it was revealed how these filters
were switched off9. The ease with
which this was carried out and the
lack of any kind of feedback or flag
being raised with the regulatory
authorities as a result of this system
being routinely overridden is surely

concerning for regulators
overseeing the financial system and
participants in that system whose
faith in its integrity will inevitably
be shaken by these findings. Whilst
the measures and sanctions taken
by the US regulators in response to
these failures will of course focus
upon the personnel element of the
system (all of the
recommendations set out in the
Report are directed at improving
the monitoring and relationship
management functions crucial to
any effective compliance
function10) it goes without saying
that improvements will also need
to be made to the physical systems
in place within the bank and across
the financial system as a whole. It is
likely that, in response to the
HSBC money laundering scandal,
regulators may demand greater
direct access to a firm's monitoring
systems and the compulsory
implementation of processes which
facilitate anonymous whistleblowing in order to detect any
potential risk at an early stage.
Steven Philippsohn
PCB Litigation LLP
SNP@pcblitigation.com
1. See: http://online.wsj.com/article/
SB10001424127887324478304578171
650887467568.html#printMode;
http://www.telegraph.co.uk/finance/finan
cial-crime/9736167/HSBC-pays-1.92bnto-settle-US-money-laundering-claims.
html
2. http://www.bbc.co.uk/news/business20673466
3. US Vulnerabilities to Money
Laundering, Drugs, and Terrorist
Financing: HSBC Case History, 17 July
2012 (http://www.hsgac.senate.gov
/subcommittees/investigations/hearings/
us-vulnerabilities-to-money-launderingdrugs-and-terrorist-financing-hsbc-casehistory).
4. Report, page 4.
5. Report, page 6.
6. Report, page 8.
7. Report, page 7.
8. See: http://www.guardian.co.uk/
business/2012/dec/14/hsbc-moneylaundering-fine-management
9. Report, page 183.
10. Report, pages 11 and 12.

05

CRAMMING

FTC shuts down pervasive
'cramming' operation
The Federal Trade Commission has
initiated an action to the Nevada
federal court against a selfdescribed 'pioneer in the
automation of financial systems,'
Ideal, and other companies, over
allegations that the Defendants were
engaging in 'cramming,' a practice
whereby a person or company
charges consumer debit or credit
cards or bank accounts, having
acquired that information elsewhere,
for purchases the consumer had
not asked for. Matthew E. Liebson,
a Partner at Thompson Hine LLP,
discusses the FTC's complaint and
explains how 'cramming' works in
practice.
In an action initiated in Nevada
federal court on 28 January 2013,
the Federal Trade Commission
alleges that Ideal Financial
Solutions, Inc., ('Ideal') together
with several officers and executives
of Ideal and a group of allegedly
interconnected companies engaged
in a pervasive 'cramming' scheme.
The FTC alleges that Ideal and its
affiliates purchased consumer
information from third parties,
then charged the consumers' credit
cards or debited their bank
accounts without authorisation for
alleged financial services or
products that were neither ordered
by the consumers nor delivered to
them. The complaint alleged
claims of unfair billing practices,
deceptive billing practices, and
deceptive statements that
consumers authorised payment in
violation of Section 5 of the FTC
Act.
Judge Miranda M. Du granted
the FTC's motion for a temporary
restraining order on 30 January
2013 and the FTC's subsequent ex
parte motion for preliminary

06

injunction on 15 February 2013. A
temporary receiver has been
appointed to take possession of the
defendants' business premises and
websites (alleged to include more
than 230 domain names). The
litigation remains pending, and the
Defendants have not yet responded
to the FTC's allegations. While the
court's grant of a temporary
restraining order and preliminary
injunction indicate the Court's
view that the FTC is likely to
succeed on the merits of its action,
there has been no final
adjudication.
Ideal, publicly traded 'over the
counter' and listed on OTCBB,
described itself as a 'pioneer in the
automation of financial systems
and processes.' Ideal's website
offered a software tool called
'CashFlow Management,' designed
to assist individuals in determining
how to optimise debt payments.
The FTC, on the other hand,
alleges that Ideal, through dozens
of alleged shell companies,
obtained merchant accounts with
payment processors and used those
accounts to bill consumers without
their consent for products or
services they did not order or
receive, using a name of a 'billing
campaign' and a phone number.
Of note, a number of Ideal
executives and officers have
previously been investigated for
other financial or consumer frauds,
have had cease and desist orders
issued against them, or are
involved in consumer fraud
litigation.
According to the FTC, many
consumers did not notice the
charges, but Ideal and its affiliates
nonetheless received thousands of
complaint calls stemming from the
charges and billings. Using its own
call centre in St. George, Utah, as
well as another call centre vendor,
it is alleged that Ideal then
attempted to fend off thousands of
consumer complaints by making

false representations regarding the
source of the charges, and making
refunds if consumers persisted in
their complaints. In some debiting
'campaigns,' the FTC alleges that
up to 57% and 68% of consumers
rejected the charges. The FTC also
alleges that call centre agents were
unable or unwilling to identify to
consumers how their account
numbers were obtained, and that
agents were instructed to 'tell
consumers that the agents do not
[know] the source of consumers'
information' or to actively
misrepresent that the caller had
purchased a product from Ideal.
According to the preliminary
injunction entered on 15 February
2013, consumers were told that the
allegedly purchased products were
'financial consulting services
relating to payday loans, or
insurance policies that protected
against defaults of payday loans, or
similar phony services connected
to payday loans that consumers
had applied for.'
The FTC alleges that the
Defendants obtained over $24
million - in transactions rarely
exceeding $30 at a time - through
their unauthorised billing schemes
and that the schemes continued
even after Ideal affiliate Avanix LLC
learned that it was under
investigation by the Utah Attorney
General's office. The court-ordered
temporary restraining order and
preliminary investigation includes
an asset freeze, expedited discovery
to determine the extent of
Defendants' dealings and assets, as
well as the consumer information
in their possession, and the
appointment of a temporary
receiver to take possession of
defendants' business premises and
web domains.
Ideal's operations, as described by
the FTC, depended on careful
manipulation of electric billing
practices and the merchant
accounts with payment processors

CRAMMING

necessary to obtain funds from
consumers. Ideal is alleged to have
purchased consumer information including bank account numbers from third parties, notably
internet-based payday lenders. The
FTC noted in the memorandum in
support of its motion for a
temporary restraining order that
XM Brands, identified by Ideal in
an SEC Filing as its primary source
of consumer leads, has itself been
sued by the states of Florida and
North Dakota in the wake of
consumer complaints that they
were billed by XM for products
they did not order. Some
consumers whose accounts were
charged by Ideal claim that they
merely typed - but did not submit
- information on payday loan
websites, raising the possibility that
the loan sites may be utilising
keystroke capture techniques.
The FTC alleges that Ideal utilised
a series of shell companies to
acquire merchant accounts to
process credit card and bank
account debit transactions.
Constant reshuffling of entities and
merchants accounts was required,
because the merchant accounts
were frequently shut down due to
what the FTC describes as 'sky
high' return rates for both credit
card and debit card transactions.
The FTC indicated that
Defendant's chargeback rates for
credit cards reached 12%, even
though credit card companies view
even a 1% chargeback rate as
sufficient cause to place a merchant
in a fraud monitoring program,
and that one of the Defendants
had its Visa merchant account
terminated in 2010. With respect to
debit cards, the FTC alleged that
Defendants' 'Unauthorised Return
Rate' (the percentage of
transactions reversed by the
processor as unauthorised, divided
by the total number of debits
initiated by the merchant) was near
3%, more than 90 times the

Ideal's
alleged
'cramming'
operations
are notable
not only for
their sheer
scope and
alleged
audacity, but
also for
making the
transition
from
'cramming' of
phone bills to
'cramming' of
credit cards
and bank
accounts.

industry average Unauthorised
Return Rate of 0.03%, and that the
Average Total Return rate
(transactions reversed by the
processor for any reason, including
closed accounts or insufficient
funds in addition to lack of
authorisation) for Defendants
ranged from 54 to 63 percent, a
high multiple of the industry
average of $1.52%.
Ideal itself apparently offered a
different explanation for the
transition from credit card billing
to direct debiting of bank accounts.
The Wikipedia entry for Ideal
states that in 2010, ‘[t]he company
also became increasingly less
reliant on credit cards for its
payments, a move it declared in
press releases was a necessity due to
perceived instability in the credit
card processing arena and due to
the company's core belief that
consumers should avoid high
interest rate credit cards.’
Nonetheless, according to the FTC,
elevated return rates persisted, even
after Defendants attempted to
manipulate them by utilising
multiple 'penny debits' (that were
then returned in a single
transaction) to inflate total
transaction numbers. It is alleged
that many merchant accounts were
obtained through use of fictitious
business names with a 'virtual
storefront' and distinct phone
numbers, mail drops, billing
descriptors and bank accounts.
Ideal's alleged 'cramming'
operations are notable not only for
their sheer scope and alleged
audacity, but also for making the
transition from 'cramming' of
phone bills to 'cramming' of credit
cards and bank accounts. For
consumers, the Ideal complaint
underscores both the need for
careful line-by-line review of credit
card and bank statements and for
increased sensitivity regarding the
dissemination of financial account
information using the internet. For

processors, the FTC's recent
actions serve as a reminder for
vigilance in flagging merchant
accounts experiencing high
chargeback or unauthorised return
rates, as well as the potential for
the use of 'penny debiting' as a
mechanism for return rate
manipulation.
Matthew E. Liebson Partner
Thompson Hine LLP
Matthew.Liebson@thompsonhine.com

07

M-COMMERCE

The merits of collaboration in
mobile commerce
Mobile commerce has a lot of
promise - but it has for a long time.
For nearly a decade now, various
players have been trying to build
mobile payment services. PayPal
first enabled SMS-based payments
in 2006 and app-based payments in
2010. European telecoms came
together in 2003 to build Simpay,
which was intended to enable panEuropean mobile payment services,
but was called off two years later.
And the major American telecoms
have been working on their Isis
mobile wallet joint venture for over
three years now. Clearly the
challenges to mobile commerce are
real, explains Ben Brown, a
Consultant specialising in mobile
commerce at First Annapolis
Consulting, Amsterdam.
Creating a 'blue ocean' business
requires making many unclear
strategic choices. From product
concept to technology solution to
business model, innovators must
make bold - and risky - decisions
without the luxury of following a
path laid down by others. For
many years, this was all true in
mobile commerce. What works
and what doesn't is becoming
somewhat clearer, but there is still a
high amount of uncertainty.
Building a mobile commerce
business not only involves
uncertainty, it requires huge
investment. First off, mobile
commerce involves a number of
technically complex businesses:
payments, loyalty, couponing, etc.
But more importantly, consumers
don't want a service they can't use
and merchants won't enable a
service that has no consumer.
There is only one proven catalyst to
get over this 'chicken-and-egg'

08

problem: lots of money. Money
for product development, money
for above-the-line marketing,
money for direct subsidies to
merchants, money for consumer
incentives. In mobile commerce,
the cost can reach a hundred
million dollars or more in a major
market.
Any player that wants to get into
mobile commerce has a choice to
make: 'do I go-it-alone, or do I
collaborate with partners?'
(Collaboration can take a few
forms, though the joint venture /
coalition is most common). The
natural choice in a competitive
market is to go-it-alone in order to
build a uniquely valuable business.
But the challenges in mobile
commerce have been so great that
both banks and telecoms have
gravitated towards collaboration.
Collaboration has its merits. The
most obvious is financial: few
companies are eager to spend the
kind of money outlined above, so
coalitions are a way to share the
bill. But collaboration also delivers
a raft of other benefits. Coalitions
can bring together the best-ofbreed experts from telecoms,
banks, and merchants. It also helps
avoid the proliferation of
competing, incompatible technical
solutions. Businesspeople
remember the lessons of Betamax
vs. VHS or HD-DVD vs. Blu-Ray
all too well; anxiety over adopting
the wrong technology has been an
investment roadblock for
merchants, so anything that
reduces uncertainty is a positive.
(Many merchants still question
whether it will be NFC or barcode
or some alternative cloud-based
tech like geo-fencing that
dominates most mobile wallets,
especially as players like Apple and
Square and MCX line up behind
NFC alternatives).
Coalitions are also able to reach a
'critical mass' of consumers.
Network effects in the two-sided

payments market mean new
services need penetration in the
double-digit percentages to reach a
tipping point. This requires massmarket marketing reach. There are
markets where a single telecom can
do this on their own (e.g., Japan,
Switzerland, Turkey) but it's
uncommon. The largest telecom
in the US, for example, is Verizon
Wireless with 35% share - which is
not really large enough to build a
self-sustaining payment scheme
without 100% penetration of its
own base or substantial sales into
the base of other telecoms. By
working together on Isis, Verizon,
AT&T and T-Mobile are able to
offer one solution to 80% of
consumers.
Despite the benefits, coalitions
have a mixed track record. From
Sixpack in Holland to Mobipay in
Spain to enStream in Canada,
recent history is littered with
examples of failed coalitions.
Failures are generally the product
of partner conflict: differing
visions, unequal resources, or
overlapping assets. Problems are
usually foreseeable, though
partners almost always over-look
'small' issues and under-estimate
the cost of realising big ambitions.
Even when partners are in
alignment on the strategic
questions, execution is the Achilles'
heel of the collaborative model.
Most coalitions are complex and
slow-moving. Decision-making
must consider multiple
stakeholders and parent companies
often stay involved in day-to-day
management, all of which slows
progress. Furthermore, early staff
are a mix of sequestered employees
from the parent companies (plus
external consultants and contract
developers), which can result in
organisational confusion and
cultural conflicts.
It's not a surprise, then, that
many early m-commerce offerings
are not actually from coalitions. In

M-COMMERCE

the US, for example, innovative
incumbents and Silicon Valley
start-ups are leading the market.
Google was first-to-market with a
mobile NFC wallet. Launched in
2011, Google Wallet can store
payment cards, loyalty credentials,
and coupons. About 15 large US
retailers have accepted Google
Wallet, though the product has
been challenged in finding
consumer adoption and broader
merchant acceptance.
Shopkick is the most notable
mobile loyalty scheme. Over 4
million consumers now use the
Shopkick app, which works at over
7,500 stores. On the merchant side
of the market, Square has used
mobile technology to disrupt the
acceptance business. The company
claims over 3 million merchants
accept payments via its service and
a quarter-million of those accept
the Square Wallet.
Even individual merchants have
brought compelling solutions to
market. Starbucks has the largest
closed-loop merchant 'wallet'
today; it is used to initiate over 2
million in-store payments a week.
Instead of waiting for complex
open-loop solutions, Starbucks
started working with mFoundry in
2009 to develop the simple
Starbucks Card Mobile App, which
uses barcode technology at the
POS. Today, the mobile Starbucks
Card is enabled on barcode-based
wallets from Square and Apple.
Even though they generally aren't
first movers, important coalitions
do exist around the world today.
ISIS, MCX, Weve, and AFSCM
each represent a distinct model of
mobile commerce coalition.
ISIS is the prototypical telecombacked mobile wallet joint venture.
Backed by three US mobile
networks (Verizon Wireless, AT&T,
and T-Mobile), ISIS provides an
NFC-based mobile wallet app
capable of managing payment
cards, loyalty accounts, and

Even though
they
generally
aren't first
movers,
important
coalitions do
exist around
the world
today. ISIS,
MCX, Weve,
and AFSCM
each
represent a
distinct
model of
mobile
commerce
coalition.

coupons. ISIS' business model is
to be a platform for banks to
provision cards to phones and a
distribution channel for marketing
on behalf of merchants and
brands. ISIS is a relatively
ambitious concept because it has
created a new brand, it is going
after parallel opportunities
(payments, loyalty, coupons), and
the joint venture plays both a
commercial and technical role.
Merchant Customer Exchange, or
MCX, is a coalition of 35 major US
retailers who generate over $1
trillion in sales annually. MCX was
first announced in autumn 2012,
which makes it a relative latecomer to the US market. MCX
came to life for two reasons: to
protect merchants' customer data
and to reduce payment acceptance
costs. MCX will launch as a cloudbased wallet platform that uses
barcodes to communicate with the
merchant POS. (This likely means
MCX will also focus on alternative
payments such as prepaid or PLCC
since Visa and MasterCard don't
support barcodes). It's unclear
whether there will be an MCX
wallet app or whether individual
merchants will offer wallets which
operate on a common platform.
MCX is the largest merchant-led
coalition and it is unique in its
strategic rationale to protect data
and lower acceptance costs.
In the United Kingdom, Weve is
the mobile commerce joint venture
of EE, Telefonica UK (O2), and
Vodafone UK launched in autumn
2012. These operators contributed
'tens of millions of pounds' to
Weve to create a joint mobile
marketing platform. Weve will
develop mobile payment
technology (such as a mobile
wallet) in the future, but is initially
focused on the advertising side of
the mobile commerce equation.
Weve will provide a common
technical platform for mobile
advertising and act as a single

commercial entity to sell those
services into the market. On the
latter point, Weve is relatively
unique among coalitions.
French telecoms and banks took a
different approach in 2008 with the
creation of AFSCM and AEPM.
These bodies focus on setting
technical standards and conducting
marketing to advocate for mobile
NFC payments. They are not
direct service providers, nor do
they seek to play a commercial role
in the marketplace. Service
providers are free to contract
directly with any telco and vice
versa.
Collaboration has clear benefits and challenges. Coalitions must
have the right goals and structure
to succeed. We see a few key
success factors in this area:
G A common vision;
G Strong, independent
leadership;
G Substantial capital and
sustained investment;
G Well-defined and narrow
ambitions;
G Useful, scalable infrastructure
(i.e., must be more than a
commercial cooperation); and
G A clear business case.
All of these points are table stakes
for success of the collaborative
model. Serious deficiency on any
one of these points could be
enough to threaten a coalition.
Figuring out how to play in this
space is still not a straightforward
exercise, even with the lessons of
past initiatives. Some players will
choose the coalition approach,
some will choose to go-it-alone.
Independent players are likely to
move quicker, but coalitions will
bring mass-market reach to their
solutions. Both business models
are likely to exist in the market
going forward.
Ben Brown Consultant
First Annapolis Consulting, Amsterdam
ben.brown@firstannapolis.com

09

FATCA

FATCA: the end of hiding US
accounts in foreign banks?
On 17 January 2013, the US
Department of Treasury and the
Internal Revenue Service issued
comprehensive final regulations
implementing the information
reporting and withholding
requirements that were mandated
by the Foreign Account Tax
Compliance Act (‘FATCA’) - an act
targeting offshore tax shelters.
Michelle W. Cohen and Steven
Eichorn, of Ifrah PLLC, discuss the
legislative history of FACTA, the
causes for concern and the
likelihood of successful
implementation.
Legislative history of FATCA
Congress enacted FATCA in 2010
as a component of the Hiring
Incentives to Restore Employment
(HIRE) Act. FATCA was part of a
congressional response to address
and curb perceived tax abuses by
US persons with offshore bank
accounts and/or investments. The
pervasive belief behind the
legislation was that many offshore
accounts were created to evade or
minimise US tax liability.
Therefore, Congress wanted to
ensure that persons with offshore
accounts also pay their 'fair share'
of taxes. In its efforts to curb the
abuse of offshore accounts by US
persons, Congress passed broadsweeping legislation that was
intended to cast a wide net and
greatly increase the US authorities'
ability to collect data about
offshore accounts and thereby aid
in combating offshore tax evasion.
While there are certain 'de minimis'
rules exempting individual
accounts of less than $50,000 and
other exceptions, the law also
allows for aggregation of accounts
by an account holder.
The FATCA statute only provided

10

general guidance regarding the new
withholding and reporting rules.
The law deferred much of the
administration and
implementation of the new
reporting regime to the US
Department of Treasury
('Treasury') and the Internal
Revenue Service ('IRS'). The final
regulations issued by Treasury and
the IRS clarify the responsibilities
and obligations imposed on
financial institutions and/or
foreign government counterparts.
They also provide a step-by-step
due diligence process for US
account identification, information
reporting, and withholding
requirements for foreign financial
institutions (FFIs), other foreign
entities, and US withholding
agents. FATCA has a nearly
universal application - it applies to
virtually all non-US entities,
receiving most types of US source
income, including gross proceeds
from the sale or disposition of US
property that can produce interest
or dividends. Additionally, US
entities, both financial and nonfinancial, that make payments of
most types of US source income to
non-US persons may potentially be
required to withhold a 30% tax on
that income paid to a non-US
person under FATCA.
Requirements & agreements
As expected, the final regulations
did not materially change the
reporting and withholding
requirements from the proposed
regulations. Generally, FATCA
requires FFIs and non-financial
foreign entities ('NFFEs') to
comply with certain due diligence
and reporting requirements with
respect to their US accountholders
and substantial US owners,
respectively. In order to reduce
administrative burdens for
financial institutions with
operations in multiple
jurisdictions, the final regulations

provide for the coordination of the
obligations for financial
institutions under the regulations
and the intergovernmental
agreements. Notably, the issuance
of the final regulations also marked
a key step in establishing a
common intergovernmental
approach to combating tax
evasion. Because many foreign
jurisdictions have laws that do not
permit direct compliance by FFIs
with FATCA's reporting and
withholding requirements, the
Treasury Department has been
negotiating intergovernmental
agreements to address these
impediments. The Treasury
Department has collaborated with
foreign governments to develop
and sign intergovernmental
agreements that facilitate the
effective and efficient
implementation of FATCA by
eliminating legal barriers to
participation, reducing
administrative burdens, and
ensuring the participation of all
non-exempt financial institutions
in a partner jurisdiction. (To date,
intergovernmental agreements
have been signed by Denmark,
Ireland, Mexico, Norway, Spain,
Switzerland and the United
Kingdom. The Treasury
Department has further indicated
that it is conducting ongoing
negotiations for similar
with at least 50 other countries).
Treasury's collaboration with
foreign governments has yielded
the development of two alternative
model intergovernmental
agreements that facilitate the
effective and efficient
implementation of FATCA - a
reciprocal version and a
nonreciprocal version. The model
agreements contain many of the
same provisions. For example, both
versions establish a framework for
reporting by financial institutions
of certain financial account

FATCA

information to respective tax
authorities, followed by the
exchange of such information
under existing bilateral tax treaties
or tax information exchange
agreements. Both versions of the
model agreement also address the
legal issues that had been raised in
connection with FATCA, and
simplify its implementation for
financial institutions.
More specifically, the two
alternative intergovernmental
agreements that have been
developed are as follows.
In the first model agreement, the
partner jurisdiction agrees to enact
legislation that will require local
financial institutions to report
FATCA information directly to the
foreign partner jurisdiction. The
foreign partner jurisdiction will
then provide this information to
the IRS. While FFIs in such a
country will be deemed to be in
compliance with the requirements
under FATCA by reporting directly
to that country (instead of to the
IRS), they will still be required to
register and confirm their status
through the IRS portal (a secure,
worldwide accessible portal that
will be developed as part of the
implementation of FATCA).
This version of the model also
provides for the United States to
exchange information currently
collected on accounts held in US
financial institutions by residents
of partner countries, and includes
a policy commitment to pursue
regulations and support legislation
that would provide for equivalent
levels of exchange by the United
States. This version will be available
only to jurisdictions with which
the United States has in effect an
income tax treaty or tax
information exchange agreement.
Further, it is only available in
instances where the Treasury
Department and the IRS have
determined that the recipient
government has in place robust

Although the
main goal of
FATCA was
to target
evasion of US
tax liability by
US taxpayers
using foreign
accounts, the
final
regulations
provide for a
very broad
reach by US
authorities to
obtain a
tremendous
amount of
sensitive data
on both
foreign
account
assets and
account
holder
information.

protections and practices to ensure
that the information remains
confidential and that it is used
solely for tax purposes.
In the second model agreement,
the partner jurisdiction agrees to
enact legislation that will enable
and direct local financial
institutions to report directly to the
US IRS, thereby complying with
FATCA's reporting and
withholding requirements. In order
to enter into the second model
agreement, the jurisdiction is
required to have a local law that
would permit the exchange of
information with the United States.
Data collection and privacy
concerns
Although the main goal of FATCA
was to target evasion of US tax
liability by US taxpayers using
foreign accounts, the final
regulations provide for a very
broad reach by US authorities to
obtain a tremendous amount of
sensitive data on both foreign
account assets and account holder
information. There is also little
chance of escaping FATCA's reach
by hiding behind the banking
secrecy laws of other nations
because the FATCA rules require
that FFIs ask any US customer to
waive their rights under the privacy
or secrecy rules so that the FFI can
report their information to the US
Government. If the customer
refuses to provide this waiver, then
the FFI is required to close the
account.
Consequently, in addition to the
obvious ramifications to US
persons with offshore assets that
may have run afoul of US tax laws,
there will also be a significant
quantity and quality of data
collected on perfectly compliant
US persons with offshore accounts
- in many ways, even more
significant than the data collected
on accounts located in the US.
This poses significant data and

privacy concerns as many
countries have stricter privacy laws
concerning data transfer than does
the United States. And some, like
Switzerland, have already expressed
concerns that the model agreement
does not conform to data privacy
regulation. Certain countries may
refuse to enter into
because of these privacy concerns.
Strong likelihood of
successful implementation
Despite the potentially
burdensome requirements, the
cooperation by foreign financial
institutions is virtually assured
because of the severe consequences
to financial institutions (which will
be passed onto their clients) for
non-compliance. Specifically,
FATCA incorporated a new
reporting regime that imposes a
significant withholding tax (up to
30%) on certain foreign entities
that refuse to comply with all of
the reporting requirements. If an
FFI or NFFE fails to comply with
these requirements and is
otherwise not excepted, exempted
or deemed compliant by the
applicable regulations, a 30%
withholding tax will be imposed
on US-source interest, dividends,
rents, and salaries (generally
referred to as US-source FDAP
income) as well as gross proceeds
from the sale of debt and equity
instruments that produce USsource FDAP income.
While placing the primary
burden on the financial
institutions may seem to be a
somewhat circuitous method of
encouraging compliance by US
persons with foreign accounts, this
method has been utilised
successfully by the US government
in other areas. For example, the
Unlawful Internet Gambling
Enforcement Act of 2006 (or
UIGEA) was legislation that
attempted (and was pretty

11

FATCA

successful) at regulating online
gambling by preventing the
financial institutions from
processing gambling proceeds.
UIGEA 'prohibits gambling
businesses from knowingly
accepting payments in connection
with the participation of another
person in a bet or wager that
involves the use of the internet and
that is unlawful under any federal
or state law.' UIGEA also required
Treasury and the Federal Reserve
Board (in consultation with the US
Attorney General) to promulgate
regulations requiring certain
participants in payment systems
that could be used for unlawful
internet gambling to implement
and enforce policies and
procedures designed to identify
and block, or otherwise prevent,
the processing of restricted
transactions. The US government's
success against online poker
gaming operators and other online
payment processors stemmed
largely from these regulations that
were aimed at the underlying
financial system. Likewise, the
Treasury regulations implementing
FATCA are squarely focused on the
financial institutions, and not on
the individual account owners.
This approach is definitely more
efficient (by focusing on
institutions that have numerous
account owners and are already
significantly regulated) rather than
individual audits and/or
monitoring, and promises to be
quite successful, just like the
regulations under UIGEA.
Certifications, verification &
consolidated compliance
As noted earlier, an FFI will be
subject to the FATCA withholding
tax unless it enters into an
agreement with Treasury and
becomes a 'participating FFI' (or
'PFFI') (or it otherwise qualifies for
an exemption). The agreement
with Treasury will mandate the

12

PFFI perform certain due
diligence, reporting and
withholding functions. For
example, a PFFI will be required to
obtain and report certain
information with respect to
financial accounts held by specified
US persons or US-owned foreign
entities. In addition, it will be
required to withhold FATCA tax
from defined categories of
payments that it makes to
recalcitrant account holders (e.g.
those not waiving the protection of
local banking secrecy regulations).
The final regulations also
paralleled the proposed regulations
in regard to periodic certifications
from a PFFI's responsible officer.
Pursuant to the final regulations,
the initial certification will relate to
the more immediate
implementation of policies and
procedures, and, a written
assurance that the due diligence
procedures have been carried out
in the time frame set forth in the
regulations.
In addition, the responsible
officer must certify that there were
no formal or informal practices in
place to assist account holders to
avoid the impact of the new
FATCA rules. In response to
interested party requests, Treasury
and the IRS listed a few examples
of the types of unacceptable
practices to avoid the impact of the
new FATCA rules. A sampling of
the examples was: suggesting the
bifurcation of accounts to avoid
certain account identification
requirements, suggesting an
account holder remove US indicia
from the account, or suggesting
that the account holder close the
account.
Further, as it relates to
compliance, the final regulations
provide that a PFFI must establish
and implement a compliance
program for satisfying its
requirements under its FFI
Agreement. As part of the

compliance program, the PFFI
must appoint a responsible officer
to establish and oversee its
compliance program. The
compliance program must include
policies, procedures, and processes
sufficient for the PFFI to satisfy its
requirements under its FFI
Agreement. In addition, the
responsible officer must
periodically review the sufficiency
of the established compliance
program. The results of these
reviews must be considered when
the responsible officer makes
periodic compliance certifications
to the IRS.
Conclusion
It was always understood that
FATCA would have a huge impact
on the FFIs and the costs of doing
business with US clients. However,
it is now equally clear that FATCA
has enabled the US government to
obtain access to large quantities of
data on the foreign accounts of US
citizens. While the US will need to
conclude many additional
intergovernmental agreements, and
some nations may refuse to enter
into these agreements (like China),
it is nevertheless accurate to state
that Americans seeking to avoid
tax liability by maintaining
offshore accounts will face a
substantial foe under FATCA.
Michelle W. Cohen Member and
Certified Information Privacy Professional
Steven Eichorn Associate
Ifrah PLLC
michelle@ifrahlaw.com
seichorn@ifrahlaw.com


Q&A

Interview: Jason Oxman, Chief
Executive Officer of the ETA
On the FTC’s mobile payments report
Following the release of the FTC’s staff report on mobile payments,
Sophie Cameron spoke to Jason Oxman, CEO of the Electronic
Transactions Association, about the FTC report and industry
efforts to increase shared security standards.
Why has the FTC deemed it necessary to examine mobile
payments? With the rapid growth, innovation and adoption in
mobile payments technology - the market is predicted to hit $1
trillion by 2015 - the industry is focused on issues of data
security. Because electronic handheld devices like cell phones
are not solely used as point-of-sale tools but also carry out other
functions, the FTC is concerned that security risks may need to
be addressed. The industry has developed solutions, and in
many ways paying via phone is more secure than via plastic
card. But as more businesses adopt these devices for payment
acceptance, it is no surprise the FTC is taking a closer look at
this important issue.
What guidance does the FTC’s report provide for mobile payment
service providers? The FTC urged companies to develop clear
policies regarding fraudulent and unauthorised charges and
clearly convey those policies to customers. The report suggests
that mobile payment providers increase data security and
encourage the adoption of strong security measures - for
example, end-to-end data encryption - throughout the system.
The report also encourages stakeholders to help raise awareness
about the security issues involved and the steps consumers can
take to protect themselves. Finally, the report calls on industry
to adopt three basic practices: privacy by design, simplified
choice for businesses and consumers, and greater transparency.
The report highlights a number of consumer concerns - how
important is appeasing these concerns to the success of mobile
payments? Payments professionals are committed to protecting
the confidentiality and security of their customers’ credit, debit,
and other non-public financial account information, whether
there is significant consumer concern or not. This protection
ensures the free flow of information vital to helping consumers
access and use electronic payments, ensures the free flow of
commerce, promotes competition, and maintains public
confidence. Because this is a new, largely unknown area for
consumers, early opinions will drive ongoing innovation.
The report encourages industry-wide adoption of measures to
ensure security thought-out the mobile payments process - are such
shared standards being developed? There is definitely industry
appetite for shared security standards. The ETA has assembled
the Mobile Payments Committee, an industry-wide task force of
100 representatives from top companies in the mobile payments
sector, to address the important issue of consumer protection.
Other self-regulatory efforts for the protection of personal

information are already underway as well. The Payment Card
Industry Data Security Standard (PCI-DSS) is an important
industry effort. ETA believes that a uniform standard for data
security and breach notification with respect to personal
financial information would best address the rights of
consumers to be notified of a breach when the security of their
information is truly at risk, while minimising the compliance
and legal risk to businesses.
The PCI Security Standards Council (PCI SSC) recently issued
mobility guidance, urging merchants to examine the factors and
risks to be addressed in order to protect card data when using
mobile devices to accept payments. The new guidance for
merchants focuses on scenarios and specifically the payment
software that operates on these devices. The PCI Mobile
Payment Acceptance Security Guidelines for Merchants as EndUsers leverages industry best practices to educate merchants on
what is needed to isolate and prevent card data from exposure.
Do you think regulation/mandatory standards are needed in this
area? We should begin with industry-driven efforts like those
proposed by the ETA or the PCI-DSS model. Regulations and
mandatory standards imposed on the industry tend to stymie
innovation and often lead to further government involvement.
ETA supports voluntary security standards and industry best
practices created with stakeholder input.
Do you think widespread adoption will be achieved by 2015 as
predicted by the FTC? Yes, mobile payments are on the rise. In
fact, more than 21% of mobile device owners used some form
of mobile payments in 2012, up more than threefold from just
four years ago. Gartner Inc., predicts that in just four years,
more than 448 million consumers worldwide will be using
mobile payments technology for an estimated $617 billion in
transaction value. (That’s equivalent to trading the entire value
of Manchester United via smartphone every working day and
most Saturdays.) The Yankee Group research firm is even more
aggressive, predicting that by 2015, worldwide transactions via
mobile payments will exceed $1 trillion.
How useful is the FTC’s report on mobile payments? The report
from the FTC is useful but unavoidably failed to recognise the
accomplishments of the industry in the year since the FTC
workshop on which the report was based. This is an incredibly
dynamic industry, and much has changed in a short amount of
time. Today our industry provides merchants and consumers
access to a wide variety of safe and reliable mobile payments
products and services.
Jason Oxman CEO
Electronic Transactions Association
Contact via the editorial team

13

EUROPE

The 4th EU Money Laundering
Directive: key changes
The European Commission
published the Fourth Money
Laundering Directive and the new
Wire Transfer Regulation, which if
enacted will impact online financial
service and payments services
providers. Rachpal Thind and Kai
Zhang, of Sidley Austin LLP, discuss
the key changes proposed and
what they mean for service
providers within the context of
customer due diligence
requirements and cross-border
operations.
On 5 February 2013, the European
Commission adopted two
legislative proposals for a new
Money Laundering Directive1 (the
'Fourth MLD') and a new Wire
Transfer Regulation2 (the 'New
WTR'). Once passed into law, the
Fourth MLD will repeal the
current Money Laundering
Directive3 (the 'Third MLD') and
the New WTR will replace the
existing Wire Transfer Regulation4
(the '2006 WTR').
The framework and requirements
of the Fourth MLD are generally
the same as what currently stands
under the Third MLD, in that it is
a minimum harmonisation
directive5 requiring firms to
maintain internal policies and
procedures covering risk-based
customer due diligence and
transaction monitoring
requirements, reporting of
suspicious transactions, staff
training and record keeping
requirements. However, there are
some areas in which the Fourth
MLD has introduced new
requirements and revised existing
ones in an attempt to strengthen
anti-money laundering ('AML')
co-operation and harmonisation
across the EU Member States.

14

Customer due diligence
A number of changes are being
proposed to the customer due
diligence requirements that will
require firms to revisit their due
diligence procedures. These are
discussed in turn below:
Risk-based approach
The Fourth MLD enshrines the
risk-based approach formed under
the Third MLD, but also
introduces a requirement for firms
to have written assessments of their
money laundering and terrorist
financing risks, as well as processes
for keeping the assessments up to
date. The impact of this
requirement should not be
significant, given that firms will
have generally undertaken this
exercise in connection with their
existing customer due diligence
procedures. However, unlike the
Third MLD, the Fourth MLD
embodies guidance on the various
risk variables that firms will need
to consider. There will also be
supplementary assessments of the
risks affecting the internal market
undertaken by the European
Supervisory Authorities6 and
national risk assessments by
Member States that firms will need
to build into their internal
assessments. Although this process
should provide firms with greater
guidance going forward, it remains
to be seen how firms operating on
a cross-border basis will address
diverging risks across the various
countries they service.
Occasional transactions
There are proposals to reduce the
threshold for occasional
transactions that are exempt from
the customer due diligence
requirements from €15,000 to
€7,500. Firms that have structured
their products around the
exemption will need to consider
the implications of the proposals
not just from a systems perspective

but also how the reduction in the
threshold may impact the
marketability of the relevant
product lines.
Simplified due diligence ('SDD')
The Fourth MLD proposes to
revise the structure of the SDD
regime by replacing the
circumstances in which (i) firms
are exempt from undertaking due
diligence; and (ii) Member States
have the discretion to apply a
derogation in respect of the due
diligence requirements (as is the
case with e-money products
meeting specified value and
redemption thresholds7) with
guidance issued by Member States
and the European Supervisory
Authorities on low risk
relationships that may be eligible
for SDD. Going forward, firms will
need to consider their customer
relationships and transactions
within the context of the guidelines
and determine whether they
qualify for SDD.
The Fourth MLD identifies a
non-exhaustive list of factors that
would point to low risk situations
including transactions with listed
companies and customers in lower
risk geographical locations.
However, the Fourth MLD does
not provide any detail on the level
of due diligence that will be
required in such circumstances.
The devil will be in the detail of
the guidance provided by the
European Supervisory Authorities.
Enhanced due diligence ('EDD')
Like the Third MLD, the Fourth
MLD will specify the
circumstances in which EDD will
be mandatory and the measures
that should be applied in those
circumstances (e.g. transactions
with politically exposed persons).
However, a proposed amendment
that will be of particular interest to
firms providing online services is
the removal of non face-to-face

EUROPE

transactions from the list. Whilst
non face-to-face business
relationships and transactions will
still be identified as potentially
high risk scenarios (and thus, firms
will still need to consider whether a
particular relationship or
transaction requires EDD) they
will not warrant mandatory EDD.
This will provide firms with some
flexibility as regards the level of
due diligence required for their
online customer base.
As will be the case with the SDD,
firms will also be required to
follow guidance issued by the
Member States and the European
Supervisory Authorities on the
types of high risk factors (e.g.
geography, customer type, delivery
channel) that may give rise to
EDD.
Reliance on third parties
As under the Third MLD, the
Fourth MLD will continue to allow
firms to rely on others for
customer due diligence purposes in
order to ease the burden of AML
compliance. However, there will be
a reversal in terms of the parties'
obligations; currently under the
Third MLD, the relying party is
ultimately responsible for
compliance, yet the Third MLD
imposes (conflictingly) the relevant
requirements on the third party.
clarify this by requiring the relying
party to ensure it obtains all the
relevant information from the
third party. The Fourth MLD will
also permit groups to rely on the
due diligence undertaken by other
group companies in circumstances
where the group policy follows
either the Fourth MLD or
equivalent rules.
The new WTR
The 2006 WTR (Wire Transfer
Reports) impose requirements as
to payer information that must
accompany electronic transfers of

There will be
a large
degree of
uncertainty
as to
precisely
what the
Fourth MLD
will and will
not require of
firms until the
European
Supervisory
Authorities
publish their
guidance and
technical
standards.

money. Additional information
requirements are being proposed
under the new WTR that will
require the payer's payment service
provider to provide information in
respect of both the payer and payee
going forward. The scope of the
new WTR will also be extended to
include credit and debit card,
mobile phones and other
electronic devices when used to
transfer funds.
Cross-border provisions
Currently, there are significant
inconsistencies amongst the EU
Member States in their
implementation and application of
the Third MLD with respect to
firms providing services crossborder8.
reduce such inconsistencies by
clarifying that branches or
subsidiaries of firms in the host
Member States will need to comply
with the rules of the host Member
States implementing the Fourth
MLD9. Although it is not expressly
provided for, this seems to suggest
that firms providing services on a
purely cross-border basis will only
need to comply with their home
Member States rules.
Timing
The European Commission is
aiming for the European
Parliament and the Council to
adopt the Fourth MLD and the
new WTR by the end of 2013. The
European Supervisory Authorities
will then need to issue various
guidance and technical standards
as required under the Fourth MLD
within two years of the Directive
coming into force10. This will
consequently mean that there will
be a large degree of uncertainty as
to precisely what the Fourth MLD
will and will not require of firms
until the European Supervisory
Authorities publish their guidance
and technical standards.

A final thought
The Fourth MLD is proposing the
introduction of a three-tier
approach to risk assessment:
G the European Supervisory
Authorities will assess risks faced
by the European Union as a whole;
G each Member State will assess
the risks faced at national level
taking into account the assessment
of European Supervisory
Authorities; and
G individual firms will be
required to assess their own risks
taking into account their Member
State assessments.
It remains to be seen whether
such an approach will actually
foster the convergence and
harmonisation it anticipates across
the EU Member States or whether
it will just add to the current
uncertainties and inconsistencies
between the Member State AML
regimes.
Rachpal Thind Partner
Kai Zhang Associate
Sidley Austin LLP
RThind@Sidley.com
1. http://eurlex.europa.eu/LexUriServ/
LexUriServ.do?uri=CELEX:52013PC004
5:EN:NOT
2. http://eur-lex.europa.eu/LexUriServ/
LexUriServ.do?uri=CELEX:52013PC004
4:EN:NOT
3. Directive 2005/60/EC.
4. (EC) No 1781/2006.
5. This will allow Member State
discretion to impose stricter national
provisions.
6. The European Banking Authority, the
European Securities and Markets
Authority and the European Insurance
and Occupational Pensions Authority.
7. The Third MLD currently permits
Member States to apply a derogation in
respect of e-money products.
8. See the joint report of the European
Supervisory Authorities published on 7
December at: https://eiopa.europa.eu/
fileadmin/tx_dam/files/publications/report
s/JC_2012_086__E-Money_Report___December_2012.pdf
9. Art. 45(4) of the Fourth MLD.
10. The New WTR being a regulation will
be directly applicable in the Member
States and thus will not need national
implementation.

15

E-MONEY

France implements Second
Electronic Money Directive
After a long wait, the Second
Electronic Money Directive was
transposed into French law by Law
No. 2013-100 of 28 January 2013
containing various provisions
adapting legislation to EU Law in
economic and financial matters
(known as the 'DADU Law').
The text entered into force is
immediately applicable, except for
those provisions that require
implementing decrees or Arrêtés
(second level legislation). These
implementing regulations will
include the conditions for EMI
licences, the rules applicable to
foreign institutions 'passporting' in
France, and the conditions for the
distribution of e-money.
New rules on applicable fees
The old regulations allowed the
charging of fees relating to
reimbursement during the period
of validity of e-money. In addition,
it was possible not to reimburse
when outstanding e-money was
less than €10. These rules have
now been amended. The law
stipulates the obligation to
reimburse at any time, even after
the validity period, even if the
balance is less than €10.
When the contract between the
issuer and the e-money holder
does not provide for a limited
period of validity, reimbursement
must always be free of charge.
When it stipulates a limited period
of validity, reimbursement fees are
possible before the term of the
contract, and from one year and
one day after it ends. In all cases,
these fees must be proportionate to
the costs incurred by the issuer.
The client must always be able to
obtain reimbursement in cash, if

desired. In this case, the costs are
paid entirely by the issuer. In
addition, the DADU Law provides
that reimbursement in cash can, by
mutual agreement, be in the form
of a money order. The wording
could also be compatible with
reimbursement by ATM
withdrawal. However, this should
be confirmed by the regulator.
Another new provision is that
distributors of e-money may be
authorised to reimburse. Issuers
who wish to use this option will
have to amend their distribution
contracts. Finally, while
maintaining the principle of
reimbursement, the Law provides
that issuers may stipulate
derogations to the obligations
when e-money is taken out for
'professional' purposes.
Mediation procedure
The DADU Law now requires the
provision of a mediation process
for any disputes which persist
between the issuer and the client.
The client must be informed of
this on the e-money support or
medium.
Payment services contracts
The contract between the issuer
and the client will now be
governed by rules applicable to
payment services framework
contracts. This new rule will
involve taking into account all
clauses required by Decree of 29
July 2009. This will likely result in a
significant increase of the T&Cs.
The reference to the Decree of 29
July 2009 will certainly pose
problems of interpretation - some
of the clauses imposed by the
Decree cannot be applied to e-

money or may conflict with rules
specific to e-money. The reference
to the payment services framework
contract may pose another
practical problem: the Monetary
and Financial Code (Article L. 31413 II) provides for, in certain cases,
the obligation to obtain the client's
written signature. It should be
confirmed with the regulator that
this constraint can be waived for emoney instruments.
Application of the new law to
existing contracts
Article 32 of the DADU Law
considers issues in transitional law
for T&Cs concluded prior to 29
January 2013:
G The provisions of T&Cs
contrary to the law are
immediately null and void;
G The issuer must update its
T&Cs to comply with the new law
within six months;
G Within the same period, the
issuer must inform clients of the
existence of the updated contract,
and its provision.
During this six month period,
any issuer who has not yet brought
its T&Cs into line must provide
clients with written information on
the consequences of the new law,
and its immediate applicability.
Finally, the new law provides for a
period of three months for
compliance in respect of
distribution. Licensed institutions
which use intermediaries to
distribute e-money will have to
comply with applicable rules on
outsourcing of financial services.
Benjamin May Partner
Aramis Law
may@aramis-law.com

:
READ MORE EXCLUSIVE CONTENT ONLINE: www.e-comlaw.com/e-finance-and-payments-law-and-policy
Read an exclusive analysis of the FTC’s settlement with HTC over software security issues by Mark Brennan and
Harriet Pearson of Hogan Lovells; the case represents a significant development for both equipment
manufacturers and service providers in the technology space.

16


E-Finance & Payments Law & Policy, March 2013

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à E-Finance & Payments Law & Policy, March 2013

Similaire à E-Finance & Payments Law & Policy, March 2013 (20)

Dernier

Dernier (20)

E-Finance & Payments Law & Policy, March 2013