Presentation given at the event organised by ACTE and BATM on 31 January 2019 addressing a few questions on the payments legislation that are relevant for travel and expense manager.

1. EU legislation’s impact on
the payment landscape
Brussels Education Forum – 31 January 2019
Tommy Vandepitte
Data Protection Officer (ext)
Note: personal views, no legal advice

2. Legislation with an impact
Anti-Money Laundering
• 4th AML Directive
2015/849
• Reg. 2015/847
(payment info)
• 5th AML Directive
2018/843 (2020)
• Act 18 september 2017
• RD 14 augustus 2018
Payment Services
• IFR 2015/751
• PSD2 2015/2366
• Book VII, T 3 ELC
Data Protection
• GDPR 2016/679
• Dir. 2016/680
• Act 30 July 2018
• Act 3 December 2017
(DPA)
• Act 5 September 2018
(info committee)

3. Approach
Which questions might
users of (card) payment systems
have in relation to
recent or (near) future regulation?

4. Will 2019 regulation impact
pricing of card payments?
IFR

5. Short answer
Likely.

6. Pricing
• Non-client facing revenue
• Interchange fee
• Non-commercial cards (art. 3-5 IFR)
• Commercial card (review in 2019)
9/12/2015
2018
max. 0.2%
(credit: 0.3%)
97-99 100
Scheme
Processor
• Client facing “revenue”
• Card fee (= generic)
• Transaction based fees
• Foreign exchange
• Cash withdrawal (/ ATM cost)
• Administration related
• Manual handling
• Collection cost
• Late payment / insolvency
• Subsidies by cross-sold services

7. What is it: are surcharges
allowed or not?
IFR and PSD2

8. Short answer
No.

9. Surcharges
• Prohibition to surcharge (art. 62 §4-5 PSD2)
• Never allowed
• for cards that are that have a limited interchange fee (art. 3-4 IFR) [this a.o. still allows surcharges for
commercial cards]
• For credit transfer and direct debit transactions in euro between two PSPs established in the EU
• Member states can decide to broaden the prohibition (“goldplating”)
• Belgium decided to goldplate and to prohibit all surcharging (art. VII.30§3 ELC, in force since 9 August
2018)
• Beyond that: steering per se allowed (art. 11§1 IFR and 62 §3 PSD2))
• by offering a discount
• by charging a surcharge in cases the prohibition does not apply (so for Belgium this never
applies), but not exceeding “the direct costs borne by the payee for the use of the specific
payment instrument”
• by Informing payer of the cost / interchange fee (art. 11 §2 IFR), by friendly asking, etc.

10. What is it I hear about a
UBO-register?
AML4

11. Short answer
Belgium has implemented it.
First notification required
by end of March 2019.

12. UBO register
• Duty for the Board of Directors of each corporation
• First registration UBOs: 31 March 2019
• Thereafter: within one month of a change
• Via MyMinFin(Pro) [https://eservices.minfin.fgov.be/mym-portal/public/citizen/external_services]
• Implementation of AML4
• Act of 18 September 2017
• Royal Decree of 14 August 2018, entry into force 31 oktober 2018
• Good source: https://financiën.belgium.be/nl/ubo-register

14. Do I need a “data processing
agreement” with my payment
service provider?
GDPR

15. Short answer
No.

16. Data protection – Parties (small circle)
• Individual card • Corporate card
controller Controller
(payment)
Controller
(employer)
(exp.man.)
data subject
data subject
data subjects
program
manager
(legal)
representative UBO
staff
processors
controllers
staff
processors
controllers

17. Data protection – Parties (bigger circle)
Scheme
Processor
Issuer
acquirer
Insurance company
Loyalty program
expense
management
platform
(for employer)
hosting
specific applications
Authentic sources
Commercial DBs
website
communication support
- email campaigns
- print campaigns (e.g.
statements)
physical card creation
merchant

18. Data Protection – employer / PSP
Corporation - employer
• purpose: expense management, accounting
• legitimacy: execution of the agreement? legal
requirement? legitimate interest?
• transparency: staff privacy statement,
corporate card policy, internal card allocation
process,…
• responsibility: information asset owner, tasks
of program manager, expense manager,
accounting team, HR, …
• security: upload via platform, local storage,
internal transfer, …
• rights of data subjets: staff rights process
Issuer
• purpose: AML, underwriting, fraud and risk
management
• legitimacy: entering into an agreement, legal
requirement, legitimate interest
• transparency: customer privacy statement,
application (and other) forms,…
• responsibility: information asset owner, tasks
of onboarding team, relationship manager,
underwriting team, …
• security: download from platform, local
storage, internal transfer, …
• rights of data subjets: customer / cardholder
rights process
controller-to-controller: no agreement required

19. Do I need a “data processing
agreement” with the provider of
my expense management tool?
GDPR

20. Short answer
Yes.

21. Data flows
Issuer
expense
management
platform
(for employer)
website
communication support
- email campaigns
- print campaigns (e.g.
statements)

22. Data Protection – employer / expense man.
Corporation - employer
• purpose: expense management, accounting
• legitimacy: depending on the data set received
• execution of the agreement? legal requirement? legitimate
interest?
• consent
• transparency: staff privacy statement, corporate card policy,
internal card allocation process,…
• responsibility: information asset owner, tasks of program
manager, expense manager, accounting team, HR, …
• security: access and download via platform, local storage,
internal transfer, agreement with processor, …
• rights of data subjets: staff rights process
Expense management tool
• Selection: should provide “sufficient guarantees”
• Agreement:
• purpose: must respect it
• legitimacy: n/a (controller’s responsibility)
• transparency: n/a (controller’s responsibility)
• responsibility: information asset owner, tasks of maintenance
team, developpers, …
• security: generic clause or minimum level
• support the controller: DPIA, security, data breach notification,
data breach communication, rights of data subjets
• Own obligations
• data processing records (art. 30 §2 GPDR)
• security: access rights for staff, do not use production data for
test, network security, etc. … [note: art. 32 GDPR],
• data breach: notification of controller (art. 33 §2 GDPR)
• Follow up to be done by controller on a risk-basis (e.g.
ISO27000 cerficiation)
controller-to-processor: agreement required (art. 28 §3 GDPR)

23. Is virtual currency the next
big thing for global payment?
eMoney + AML

24. Short answer
Perhaps,
but it is unlikely it will be that in the
front end in the near future.

25. The card payment scheme
Source: MasterCard Annual Report
Scheme
• Centralized
• Based on “trust”,
supported by
• Rules of the scheme
and supervision
(private)
• Prudential legislation
and supervision (public)
• Conduct of business
legislation and
supervision (public)
Processor
art. 7 IFR

26. Virtual currencies
• Decentralized
• Internet based and thus
international since
• Not based on trust, but
on the process
• Distributed ledger
• Mining: hashing
transactions and adding
to the next block
• Consensus

27. Acceptance of means of payment
• Currency
• Function 1: measure value (<> barter)
• Function 2: store value (<> perishable
goods)
• Function 3: exchange of value
(payment)
• Fiat currency (must be accepted by
the payee)
• cash [Note: limited for reasons
of fraud and tracibility (AML)]
• eMoney (Dir. 2009/110, amended)
• wire transfer
• Cards
• Acquiring agreement (with acquirer)
• Steering per se allowed (art. 11§1
IFR)
• No distinction based on issuer of the
card (art. 10§1 IFR)
• Virtual currency
• Merchant can accept at own risk
• Latency of confirmation of a
transaction (block length)
• Change virtual currency to fiat
currency is not always easy
(reluctance of banks)
• Virtual currency often considered
“financial instrument”)

28. Questions