With the digitalisation of working methods and consumption, the payments sector is becoming increasingly innovative and attractive. Numerous players have entered this rapidly changing field in the past few years. Here is some information to help you better understand their activities and your rights as a user.
The past few years have seen the emergence of so-called alternative payment methods, which allow transactions to be carried out in units other than legal tender. These include crypto-assets, which do not constitute payment instruments in the legal sense.
A crypto-asset is a digital asset created using cryptographic technologies. They are so named because they resemble financial assets and are created and used by means of encryption technologies. Crypto-assets are sometimes incorrectly referred to as cryptocurrencies, but they should not be regarded as a currency.
There are several types of crypto-asset. First-generation crypto-assets, such as Bitcoin and Ethereum, are not legal tender and have no intrinsic value. They are therefore speculative and highly risky assets. More recently, "stablecoin" projects (such as DIEM) have been trying to overcome these limitations by aiming to have a more stable value. To achieve this, their price is supposedly linked to that of a benchmark asset (gold, the euro, the dollar, a group of currencies, etc.), which anchors their movement to the real economy and reduces the amount the fluctuate – hence their name. Stablecoins can be regarded as the second generation of crypto-assets.
In the absence of international regulation of crypto-asset services, a number of initiatives have been launched in recent years in various countries. France is at the forefront of jurisdictions that have very quickly provided responses to players in this segment. The PACTE Law (Law No. 2019-486 of 22 May 2019 on the growth and transformation of companies) introduced the status of digital asset service provider (DASP), which covers the following activities: custody of digital assets on behalf of third parties, purchase/sale of digital assets in exchange for legal tender (or other digital assets), operation of a digital asset trading platform, reception and transmission of orders on behalf of third parties, portfolio management on behalf of third parties – as well as other complementary services (consultancy, underwriting, guaranteed and non-guaranteed investment). The custody of digital assets on behalf of third parties and the purchase/sale of digital assets in exchange for legal tender must be registered with the Autorité des marchés financiers (AMF – Financial Markets Authority). DASPs wishing to do so may also apply for an optional licence from this institution.
To provide a European solution to these issues, in 2020 the European Commission published a draft regulation on markets in crypto-assets (MiCA), which introduces a pilot scheme for market infrastructures wishing to trade and settle transactions in financial instruments in the form of crypto-assets.
The term "Big Tech" refers to the companies that dominate the information and communication technology sector. These include the US GAFAM corporations (Google, Apple, Facebook, Amazon and Microsoft), but also the Chinese companies known by the acronym BATX (Baidu, Alibaba, Tencent and Xiaomi).
Although present across a wide range of activities, from e-commerce to electronic equipment, these companies are increasingly investing in financial services. They are capitalising on the data collected in the course of their activities, and taking advantage of their position as an interface to offer payment services to their customers. At present, their main segment of activity in the payment sphere is digital wallets.
Digital or electronic wallets allow you to entrust your payment card or bank details to a trusted third party.
These days, most major e-commerce retailers allow customers to register their payment card details to make it easier to make payments, which amounts to creating a number of so-called merchant wallets (not linked to the card issuer). In addition, the digital giants have taken advantage of the growing use of smartphones to provide the same digital wallet model for so-called "proximity" payments, i.e. in physical shops on an electronic payment terminal. These apps allow customers to digitise their payment card so that it can be stored on a phone, thereby turning the smartphone into a payment card. The cards are "tokenised": the card number is turned into a token, with the list of payment card numbers and corresponding tokens held by a service provider. The token is stored in a secure environment on the smartphone, either physically (in a secure element) or in software (host card emulation). These security features make it more difficult to use the payment card without the user's knowledge. In addition to tokenisation, mobile digital wallets are based on the development of contactless technology for card payments and the equipping of smartphones with NFC (near field communication) technology.
Other mobile payment apps have been developed by new players or commercial banks. These apps generally provide a digital wallet and a person-to-person payment solution. The latter utilises users' telephone numbers to replace bank details for credit transfers (proxies). While several solutions of this type have met with moderate success in France (Paylib, Lydia, etc.), they have the potential to be very widely adopted by users. In Sweden, Swish is used by 70% of the country's citizens. In the Netherlands, the iDEAL solution is used by 10 million people. Blik (in Poland) and Bizum (in Spain) are also highly successful.
Request-to-pay (RTP) is a messaging service used to transmit a claim accompanied by a request for payment, and to obtain the debtor's agreement (or otherwise), on the basis of which payment can then be initiated where appropriate. It is part of the changes that have taken place in the payments landscape in recent years, with the growth in the use of SEPA payments, the digital economy and the digitalisation of the invoicing-payment process.
As RTP is not a payment service, its provision is not restricted to payment services providers licensed by the supervisory authorities. To providers are reliable, however, they must be approved and comply with the rules laid down by the European Payments Council (EPC).
The second European Payment Services Directive (PSD2), which has been in force in the European Union since 13 January 2018, comprises a set of regulatory provisions designed to provide a framework for the provision of payment services and strengthen the security of payments across Europe.
Account aggregators provide customers with an interface that offers a consolidated view of their payment account(s) held at one or more institutions. Account aggregators have been covered by a legal framework since the second Payment Services Directive. In particular, they receive authorisation from the Autorité de contrôle prudentiel et de résolution (ACPR – Prudential Supervision and Resolution Authority) to carry out their activities, which are also subject to the ACPR's oversight.
Yes. PSD2 requires these institutions to implement security measures to guarantee the protection of users' personal data. The ACPR only issues authorisations when the aggregators have provided all the necessary security guarantees. It is assisted in this task by the Banque de France departments responsible for overseeing cashless payment instruments, which assess the security of the institutions' technical infrastructures.
PSD2 and the delegated regulation on strong authentication stipulate that users must carry out strong authentication every 180 days for the aggregator to be able to access their payment account data. Therefore, if after 180 days you have not renewed your authentication, the service provider can no longer access your account data.
In addition, you can cancel the service with the service provider at any time. The service provider is then required by law to cease accessing your account details.
Finally, if unauthorised access is suspected, the user may ask their account-holding institution to revoke the service provider's rights.
Payment initiators enable users to make payments without going through their online banking portal and without having to fill in the beneficiary's details, thanks to an interface provided by the initiator. In particular, they make it possible to make a payment to a merchant on the internet. PSD2 has provided a legal framework for payment initiators, who receive authorisation from the ACPR.
A card payment does not involve exactly the same players and the same technical processes. When a user makes a card payment, a payment authorisation request is sent by the merchant's bank (acquirer) to the customer's bank (issuer) on what are known as authorisation servers. The banks are linked by payment schemes (in France, these notably include Cartes Bancaires, Visa, Mastercard and American Express). When the customer's bank authorises the transaction, it guarantees payment to the merchant's bank. The goods can then be dispatched.
A payment via an initiator involves only the initiator and the customer's bank. The initiator invites the user to select their bank. The user is then redirected to an authentication page. Once authentication has been completed, the payment is made. The initiator receives confirmation from the customer's bank, informs the merchant and the goods can be dispatched.
The regulations prohibit payment initiators from storing sensitive payment details concerning the user. Moreover, authentication is required each time a payment is made. If a payment initiator were to retain such data, it would face sanctions from the ACPR.