The European Commission has exempted corporate payments from draft security
authentication measures that had threatened
to make lodge cards, virtual cards and other forms of business travel payment
unworkable. The exemption to regulatory technical standards for the revised
Payment Services Directive, or PSD2, follows two months of concerted lobbying by
payment and travel industry representatives like the Global Business Travel
Association and European travel agents association ECTAA, as well as major
issuers and card schemes.
However, the story is far from finished. The exemption's wording for
the definition of corporate payments is unusually vague, leaving it vulnerable
to varying interpretations by the national payment regulatory authorities of
each member state of the European Union. The exemption requires those national
authorities to determine whether different corporate payment options will meet
the security standards PSD2 is intended to achieve.
"We have won the battle but not yet the whole war," warned
Sari Viljamaa, managing director of the Finnish Business Travel Association,
which, along with the Swedish Business Travel Association, initiated the lobbying
by GBTA. "This is a very, very important issue for us. More than 90 percent
of our buyer members use business travel accounts. Having them taken away from
us would undermine the whole travel management process, not just make
difficulties with payment."
For corporate travel, the crisis started after the European Banking
Authority created a draft technical standard on behalf of the European
Commission. The draft insisted that, with few exceptions, all cardholder-not-present
transactions must be verified with strong customer authentication (SCA). SCA is
an additional form of payment verification, such as a four-digit PIN sent to a
cardholder by text. The EBA rejected arguments that, while SCA is intended to reduce
fraud for consumer payments, it is impractical to apply to corporate payments,
where fraud rates are much lower in any case. "The whole industry
considered it impossible to perform SCA, where there is no one-to-one
relationship between the cardholder and the payment instrument," said
Francesco Cerlienco, EMEA head of product for commercial cards at Citi.
However, the European Commission proved more receptive; it exempted corporate
payments in one of several amendments to the EBA's draft. The new Article 17,
entitled "Secure corporate payment systems," reads: "Payment
service providers shall be allowed not to apply strong customer authentication
in respect of legal persons initiating electronic payment transactions through
the use of dedicated corporate payment processes or protocols where the
competent authorities are satisfied that those processes or protocols guarantee
at least equivalent levels of security to those aimed for by [PSD2]."
The EBA has until July to pronounce whether it accepts the European Commission's
amendments, but ultimately the commission, European Parliament and European
Council of member states will make the decision. "We believe the
Commission's wishes will prevail," said Thomas Harris, VP for market
product management at MasterCard. "This is one of the first times I've
seen the commission take notice that corporate payments are different, so that's
very heartening."
While the exemption has been greeted with widespread relief, there
is division over how to respond to its loose wording. Citi is among those
campaigning for a redraft, especially to delegate oversight to a single
pan-European authority. It worries in particular about who will oversee the
exemption process. "We welcome that this takes into account that corporate
payments need to be treated separately," said Cerlienco. "However, we
are concerned about the principle of equivalence and the additional parameter
of assessment and judgment by competent authorities. We have seen before that
different regulators take different views, so we might end up with different
interpretations because the wording has been left so vague. You could have a U.K.-issued
card given to a French cardholder making a payment in Germany. Who are the competent
authorities in that case?"
Citi believes any corporate payment transacted through a secure,
regularly contracted third party, such as a travel management company, is potentially
exempted by Article 17, "but we don't know because the wording is vague
and open to interpretation."
AirPlus International has adopted a less interventionist approach.
It is using relationships in the European Parliament to advocate two changes to
Article 17. One would replace "legal persons" with "where
the payment service user is not a consumer"; the other would replace "guarantee"
with "achieve." AirPlus director of regulatory affairs Steven Modler
said, "In the end we agreed that maybe the vague wording offers more
opportunities to cover any new products we create. We might have use cases that
would not fall 100 percent under specific requirements."
MasterCard's Harris also believes that asking for clarification will
achieve nothing at best and perhaps introduce undesired new twists at worst. "All
the indications are this is the language that will be adopted," he said. "We
would be best served by going to the local authorities on controls and access
procedures."
Given that pan-European oversight would likely
fall to the EBA, which obdurately refused to recognize corporate payments as a
special case, some issuers would rather take their chances with persuading
national payment regulators to police Article 17 sensibly.