Introduction

The payments industry, once dominated by traditional financial services institutions such as banks, payment institutions and card schemes, increasingly opened its doors to new entrants. Recent developments such as the second Payment Services Directive (PSD2) and Brexit caused a further wave of new entrants in the European payments landscape.

PSD2 has introduced two new payment services for which authorization from the regulator is required. The new services are account information services, enabling financial institutions to retrieve bank account data from consumers, and payment initiation services, enabling financial institutions to initiate payments on behalf of consumer. PSD2 also resulted in the obligation for many platform business models, such as online marketplaces, to obtain authorization from the regulator for the provision of payment services. As a third driver of market entry, Brexit has urged financial institutions based in the UK to reposition and obtain payments and banking licenses from regulators at the European mainland. Thirdly, although not new, are those businesses entering the payments market for strategic purposes, for example as a logical next step to further enhance their business model through the provision of payment services or to set up a new payments business from scratch.

This is merely the tip of the iceberg. This article provides insight into the key drivers of entry into payments and wider financial services industry including recent examples of new entrants in the market. This article aims to answer the following questions;

• Why would new entrants enter the crowded European payments ecosystem?
• Which type of companies are entering into or expanding within the ecosystem?
• How do you approach a market entry and the associated license application effectively?
• Who is entering the European payments landscape?

Three prominent drivers of entry into the European payments landscape

Over the last few years there has been a rapid increase in the number of businesses entering the European payments market. Three main factors have been propelling this trend:

• PSD2
• Brexit
• Business strategic ambitions

1a. The Second Payment Services Directive (PSD2) introduced two new (regulated) payment services

Due to the risky nature of payments, regulation of the payments market is inevitable to make payments safer and more secure for the roughly 238 million daily transactions using an electronic payments instrument (cards, credit transfers, direct debits and e-money) ([ECB19]). In 2015, the European Commission replaced the Payment Services Directive stemming from 2007 with the Revised Payment Services Directive (PSD2) with the objective to harmonize European consumer protection requirements and the rights and obligations for payments providers. Another objective was to increase competition and participation, also enabling non-traditional financial service providers to enter the market.

The launch of the revised Payment Services Directive (EU) 2015/2366 (PSD2) in 2018 ([EU15]) has been instrumental to the expansion of the financial service sector. This directive with the primary goal to harmonize the regulation of payments across the European Union also provided the opportunity to increase innovation in the payments sector. The addition of two new payment services, “payment initiation” and “account information” services being a primary driver.

Figure 1 shows the payment services under PSD2, for which obtaining a license from the regulator is required; notably services 7 (PISP) and 8 (AISP) are new. Service 7 concerns payment initiation services and is defined as “initiating payment services at the request of payment service users with respect to payment accounts held with other payment service providers” ([DNB-1]). Simply put, this means that the payment service provider can start the payment process on behalf of the user. Service 8, account information services, allows for the provision of “consolidated information on one or more payment accounts held by a payment service user with one or more other payment service providers” ([DNB-1]). This essentially gives the consumer ownership of their financial banking data which enables them to provide any AISP, that they give explicit consent, access to data and information about payment account(s), breaking with the monopoly traditional banks had on people’s transaction data.

Both new services present the opportunity for innovative new business models and hence trigger the market entry of a diverse range of businesses outside the traditional financial sector. Likewise, incumbents such as Payment Institutions and Banks are also developing propositions based on these new payment services, thereby expanding service offering.

Figure 1. Payment services under PSD2. [Click on the image for a larger image]

1b. PSD2 further clarified the “commercial agent exemption”, prompting marketplaces to obtain a license

In addition to the introduction of two new payments services, PSD2 requires platform business models, such as marketplaces and other types of multi-sided platforms, to obtain a license to be able to facilitate payments between consumers (or users) and merchants (or sellers) making transactions on the platform. Before the introduction of PSD2, these types of businesses, so-called “commercial agents”, were exempt, but as PSD2 further clarified and narrowed down the applicability of this exemption, a license is now usually required, even though handling payments is not their primary business.

This has led to platform businesses exploring options and for instance obtaining a license for one or multiple payment services under PSD2, entering the payments market primarily to continue to facilitate payments in support of their platform business model in a compliant fashion. In the Netherlands, there are currently 54 licensed entities¹, authorized by the central bank of the Netherlands, De Nederlandsche Bank (DNB), to carry out the business of a payment service provider ([DNB-2]).

2. Brexit urged payment service providers to obtain authorization on the European mainland

The second key driver for regulatory led market entry is Brexit. A payment institution with registered office in one of the European Economic Area (EEA) member states and holding an authorization issued by the national (home) supervisor, may operate in any other Member State of the European Economic Area (EEA) without having to apply for authorization by local authorities. This is known as the single license or European passporting arrangement. The EEA is a trade region that unites EU Member States and three additional states – Iceland, Liechtenstein and Norway – enabling open movement of goods and services. Since the United Kingdom (UK) has left the European Union as of 31 January 2020, companies licensed in the UK wanting to continue providing payment services within the EEA are (depending on definitive Brexit arrangements between EU and UK) obliged to obtain a license in a Member State on the European mainland.

3. Strategic ambitions driving market entry

The third key driver for market entry into payments and broader financial services concerns strategic business development, for both new parties (startups/FinTechs) and incumbents. This third driver is not necessarily new and has been driving market entry for decades, however in combination with the other market entry drivers it is apparent that strategic ambitions are changing rapidly.

One such strategic reason is expanding geographic reach into Europe. This is similar to the reasons behind market entry stemming from Brexit, i.e. expanding existing activities, products and services to a new (regulatory) geography, such as the EU, requires authorization before financial services can be provided to the market. A second strategic reason driving market entry are businesses extending their business model with financial services to strengthen the business model. Even so, product/service portfolio choices can lead to the strategic decision to provide regulated services that require a license and entry into this market.

Who is entering the European payments market?

Following the introduction of why businesses are entering the European payments market, this section explores who has entered and paints a picture of how the drivers of market entry affect the actions of businesses in reality.

New PSD2 payment services PISP and AISP trigger new entry by FinTechs as well as new product development by incumbents

The new payment services under PSD2, numerous businesses have entered the arena. In Europe (excluding the United Kingdom) there are currently 399 registered payment institutions offering payment services ([EBA]).

One example of a new AISP entering the flexible credit market is Netherlands-based FinTech startup Floryn. Floryn received a license from DNB in 2019 for account information services under PSD2 ([Betl20]). Using smart algorithms and artificial intelligence, Floryn can access payment data of clients’ accounts, with prior explicit consent, to be used to give the client insight on their financial health and potentially assess their credit applications. Other examples are Amsterdam-based Peaks (investing your change) and players such as Amsterdam-based Yolt that help people manage financial goals, money and bank accounts in one app.

UK Payment Institutions are obtaining a license on the European mainland

As mentioned, Brexit is a key driver leading to companies applying for a new license in a European member state and/or (fully) relocating business to the EU. Furthermore, Brexit has even provoked some companies to exit the UK market entirely, such as N26, a FinTech based in Berlin that has decided to close all UK accounts. As another example, Alipay maintains a payments license in both the UK and Luxembourg, hence ensuring continuity of business post-Brexit. Likewise, Azimo, facilitating the transfer of money, obtained a license from DNB and is now regulated by both De Nederlandsche Bank (DNB) and the FCA in the UK ([Azim19]).

The UK was the first country to transpose the PSD2 regulation into national law and is leading in having the largest number of licensed Payment Institutions. Many license applications in EU countries are to be expected to secure European business post Brexit.

Payments as a dedicated business model

Companies such as Bunq and Adyen are prime examples of FinTechs entering into and expanding within the financial sector (both having European banking licenses). Bunq, founded in 2012 and received a banking license in 2014, is a mobile bank that focuses on user centricity and personalization and is able to compete with established banks on this front. Adyen, having obtained a banking license in 2017, focuses less on competing directly with established banks, but obtained a banking license contributing to further strengthening its end-to-end onmi-channel payment solutions.

Payments as a strategic pillar of the business model

Besides players with dedicated payments business models, for example platform organizations increasingly consider a strong payments capability as an important strategic pillar to facilitate transactions between buyers and sellers on their platform. They further build on this capability and increasingly obtain licenses from regulators. This trend is driven by both compliance and strategic reasons.

Whereas before platforms were generally exempted from having a (payments) license under the PSD1 “commercial agent exclusion”, provided PSD2 further clarification on this exemption, narrowing down its applicability. Under PSD2, the exemption only applies if the “commercial agent acts on behalf of only the payer or only the payee, if there is an agreement proving that the commercial agent is authorized by the payer or payee and that they are acting on behalf of only the payer or only the payee, and if the commercial agent negotiates or concludes the sale or purchase of goods or services between the payer and the payee” ([DNB19a]).

This has led to a variety of platforms that no longer fall under the definition of a commercial agent exclusion, requiring a payments license. Figure 2 presents nine of the biggest global platform business such as BigTech and e-commerce platforms that obtained a license in the EU, either as an E-money, Payments or Banking Institution.

Figure 2. Example of platforms with financial service licenses in Europe. [Click on the image for a larger image]

Besides the compliance angle, many global platforms are entering financial services for strategic reasons. For many platforms, if not all, a seamless payments experience is – and always has been – pivotal for the success of a platform, enabling third parties to sell products through the platform or by selling products on the platforms themselves. When taking a ride with Uber, ordering clothes at Zalando or ordering a meal through the Takeaway platform, seamless payments directly add to a frictionless customer journey and higher conversion rates for the platform and its partners (suppliers). A logical next step is to enhance and extend payments and financial services strategies, and obtain the relevant licenses.

Platforms are continuously looking to make payments more efficient and accessible. The importance of payments and the customer relationship provides an incentive to become active on the payments market and develop own payment services and eventually even broader financial services (such as e-money products, lending, bank accounts). In doing so, platforms can leverage technological capabilities and expertise, global reach, financial strength and high customer interaction, not only to improve own payments capabilities but also to develop financial services in such a way that they become competitors to banks. The role of BigTechs in payments is further elaborated in the article “Will BigTechs change the European payments market forever?” on page 12 of this edition of Compact.

Despite the huge innovation and competition potential, the disruptions by platforms and BigTechs may also result in potential concentration of market power and privacy concerns. It will also pose challenges to supervisory authorities. This triggers debate on the adequacy of current regulatory frameworks for various reasons, but first and foremost because platform and BigTech business models are by design fundamentally different compared to traditional financial institutions for which regulatory frameworks were originally built.

Payments as a sovereign need (and the presence of card schemes in the payments landscape)

Global card schemes such as MasterCard and Visa remain prominent players in the payments landscape. Last November, Benoit Cœuré of the ECB addressed the initiatives that achieved much in the back-end side of European retail systems with initiatives such as SEPA and Target Instant Payments Settlement ([ECB19]). However, the Frenchman emphasized that the front-end remains fragmented as there is no pan-European card scheme, but countries such as Germany and France respectively have Girocard and Cartes Bancaire as their local card scheme. Benoit Cœuré addressed the risks that are involved due to the dependence on non-European companies and therefore welcomes the Pan European Payment System Initiative (hereinafter “PEPS-I”) of twenty European banks to develop a harmonized standard which can handle all forms of cashless transactions.

Up until now, initiatives to set up a pan-European card scheme such as the Monnet project in 2010 and the European Alliance of Payment Schemes (EAPS), which launched in 2009, all failed. Europe’s reliance to Visa and Mastercard is evident while China has UnionPay and Russia has MIR (which was driven by sanctions as Visa and Mastercard had to deny services to several Russian banks). PEPS-I is aimed to account for at least 60% of electronic payments in Europe, when completed. As of now, Visa and Mastercard hold two thirds of the market. It will therefore be costly to replace around half a billion credit cards and billions of euros to launch the technological basis for this pan-European card scheme. For now, no official statement from any of the participants of PEPS-I has been given yet. Therefore, a potential disruptive effect of this initiative to the European payments and card scheme landscape is yet to be awaited.

How to approach market entry and an associated license application?

Regulatory framework for payment service providers

Payment service providers need authorization from national regulators (i.e. obtain a license), such as the Dutch Central Bank (DNB) in order to provide payment services. Three types of organizations are allowed to provide payment services:

1. Payment Institutions (PI): enterprises holding authorization specifically for providing payment services, issued by DNB.
2. Exempt payment service providers: enterprises exempt from the authorization requirement under the Exemption Regulation under the Dutch Financial Services Act (Wet op het financieel toezicht – Wft). An exempt payment service provider may start its operations only after DNB has entered it as such in the public register.
3. Banks and electronic money institutions (EMI): these are already authorized to act as a payment service provider under their authorizations to the extent, of course, as permitted under those authorizations. They are exempt from the authorization requirement for payment service providers.

The regulatory framework for the payments sector is highly harmonized since the introduction of PSD2, although differences prevail across European member states due to transposition of PSD2 in national law and differences in interpretation. Nevertheless, most legislation stems from Europe and takes the form of Regulations that are directly applicable to all countries or Directives that need to be transposed into national legislation (e.g. PSD2). The European Banking Authority (EBA) has the mandate to develop additional guidelines, regulatory technical standards and implement technical standards. In addition, Opinions, Q&as and Supervisory Practices on specific topics are published by the EBA. The most relevant European legislation regulating payments activity consists of:

• Payment Services Directive 2 (PSD2)
• Electronic Money Directive (EMD), for Electronic Money Institutions
• Anti-Money Laundering Directive (4AMLD)
• Diverse EBA guidelines
• Regulatory Technical Standards, e.g. on Strong Customer Authentication and Common and Secure Communication (see further the articles on payments authentication on page 26 and PSD2 risks on page 48)

Figure 3. European legislation building blocks in a nutshell. [Click on the image for a larger image]

As organizations seek authorization in a European member state, additional (national) legislation becomes applicable. For the Netherlands, for example, EU directives are transposed consisting of amongst others:

• Act on Financial Supervision (Wft)
• Decree on Prudential Rules (BPR)
• Decree on Conduct of Business Supervision of Financial Undertakings (BGFO)
• Anti-Money Laundering and Anti-Terrorist Financing Act (Wwft)
• Sanctions Act 1977
• Dutch Corporate Governance Code (for listed companies)
• Civil Code

Focus areas for the regulator

Regulators will perform in-depth assessments of all licensing applications and licensed entities, it is therefore paramount to understand their expectations and focus areas. Regulators require licensed entities to be in full control of their processes. Therefore, outsourcing is an area of increased attention. Certain activities, such as day-to-day policy making, policy adoption and accountability for policies, cannot be outsourced. Outsourcing of certain other activities is allowed but should not hamper compliance with rules and regulations. Practically, this means that your company must have adequate policies, procedures and measures in place to adequately control outsourced activities. In addition, it requires your company to perform outsourcing risk assessments, to have adequate outsourcing agreements in place and to assess the performance of outsourced activities over time ([DNB-1]). Outsourcing is further elaborated in the article “Outsourcing” on page 41.

Secondly, ensuring ethical business operations and especially anti-money laundering and counter-terrorist financing (AML/CTF) are under increased scrutiny by regulators in Europe, illustrated by multiple investigations that have taken place at financial institutions over the past period. Based on an analysis of integrity risks relevant to your company and (payment) services, adequate policy, procedures and measures need to be implemented as to the prevention of such risks. The entity should seek a sufficient level of depth when addressing these topics. Transaction monitoring is further elaborated in the article “Transaction monitoring model validation” on page 34.

The regulatory approach to a successful license application, and building a payment institution

The regulatory approach towards a successful license application can be taken in multiple different angles. For license applications in the Netherlands, DNB has published a 10-step approach, detailing ten phases of a license application from a regulator’s perspective. If an entity is interested in becoming a payment entity, each of the ten steps are to be taken prior to operations ([DNB16]).

1. Preparations
   Applicant prepares the extensive requirements of license application documentation
2. Application for authorization
   Applicant submits the license application
3. Verification of the application file
   DNB verifies the completeness of the application
4. Start of the assessment
   When the application is marked as complete, the assessment commences (three-month period)
5. Screening of policy makers and co-policy makers
   Assessment includes integrity and suitability screening of policy makers
6. On-site visit or interview at DNB’s offices (optional)
   DNB may decide to visit the office of the applicant
7. Request for information
   Throughout assessment DNB will request additional information and further explanation on topics
8. Intention to reject (optional)
   If DNB intends to reject the application, the applicant has the opportunity to explain their view
9. Results
   DNB sends an official decision letter
10. Objection and appeal
    The applicant can object to and appeal the decision of DNB

Experience has shown that the key to a successful license application – and becoming a regulated payment institution – is establishing a steady foundation. This can be interpreted as the building blocks of a house. The house being the payments entity held up by its foundation. Although building a payment institution starts with a clear strategy and a solid strategy and business plan (top of the house), its pillars are built on sound and controlled operations, underpinned by procedures and controls. Various risk assessments (right side of the house) feed the other pillars of the house, such as policies and frameworks (in the middle of the house). On top of the pillars, a transparent and well-balanced governance manual is pivotal to secure a solid payment institution.

Figure 4. Core fundament of a payments entity. [Click on the image for a larger image]

Five practical tips for successful license application

Based on our market entry and licensing experience, we have listed five practical tips for successful license application:

1. Start with a solid, concrete and viable business plan
   A concrete strategic plan that has been translated into a viable and convincing business plan is a prerequisite to enter the market and obtain authorization from the regulator.
2. Build a European entity that is sufficiently independent from its parent and has the necessary substance
   European authorities want to ensure that licensed entities do not become “letter box entities” or “empty shells”. The licensed entity should have sufficient power and control over its European payment services and should be able to manage the associated risks independently.
3. Propose Management and Supervisory Board members that have a proven track record
   The Board members’ skills and capabilities should be complementary. Among others, they should understand payments, governance, compliance, risk management and the relevant regulatory framework. They need to have the mandate and skillset to enforce actions in the wider organization. Regulators have to approve the proposed Board members as part of fit and proper testing procedures.
4. Address Outsourcing and AML/CTF capabilities in sufficient detail
   Both PSD2 as well as regulators require the licensed entity to be in full control of its processes. Outsourcing is therefore an area of attention. Furthermore, anti-money laundering and counter-terrorist financing (AML/CTF) is under increased scrutiny by regulators throughout Europe. Applicants should seek a sufficient level of depth when addressing these topics.
5. Well-structured project management is critical
   Market entry and license applications are not done overnight and entails more than the preparation. For example, entrants should design and implement the required organization, governance, processes, policies and procedures covering all relevant regulatory requirements. A well-managed process with the right prioritization is pivotal to an efficient, first-time-right license application.

Conclusion

This article offers a bird’s-eye view of the continuously evolving payments landscape. Three main drivers of market entry, PSD2, Brexit and strategic ambitions attract a large variety of new entrants, from start-ups and FinTech, conventional financial services players expanding their payment services and BigTech seeking to offer a data-driven, seamless payment experience. Although this is merely the tip of the iceberg, it is evident that relatively new players such as FinTech and BigTech will take their share of the future payment industry. A seamless (payments) experience is essential for any successful digital business model, while legislators and regulators will keep trying to keep up with the velocity of financial innovation.

What once was an industry dominated by traditional financial sector players such as banks and card issuers is continuously evolving into an innovative, technology driven landscape, with a mixture of traditional players and unconventional new entrants shaking up the payments landscape. A highly competitive market where volume (scale) and data are drivers of success may lead to a “happy big few” or “winner takes it all” scenario. The future will tell who the “winner” will be.