Overview of the New Central Bank Measures for E-Wallets
Pursuant to of Communiques "A" 7462 and 7463, the Central Bank issued a set of measures to mitigate fraud and reinforce security in e-wallet transactions.
On February 24, 2022, the Argentine Central Bank (the “BCRA”, after its acronym in Spanish) issued Communiques "A" 7462 and 7463 (the "Communiques"). While Communique "A" 7462 introduces many regulatory changes, mainly by significantly amending the rules on "Payment Service Providers" (the "PSP Rules") through the introduction of new definitions and the creation of new registries, Communique "A" 7463 is more technical by requiring fraud prevention and management measures for transfer schemes.
The most significant changes and novelties introduced by the Communiques are summarized below.
• Communique “A” 7462
o New definitions
First, Communique "A" 7462 provides a definition of the "e-wallet" service, a concept that the BCRA had already introduced (and regulated) in previous regulations such as Communiques "A" 7328 and 7363, but had not defined. Thus, the digital wallet service is defined as "the service offered by a financial institution or payment service provider ("PSP") through an application in a mobile device or in a web browser that must allow -among other transactions- payments by transfer and/or other payment instruments -such as debit, credit, purchase or prepaid cards-".
Likewise, the BCRA clarifies that the accounts (bank or payment accounts) to be debited for payments by transfers and the other payment instruments may be provided:
- by the same financial institution or payment service provider offering payment accounts ("PSPOCP", after its acronym in Spanish) that provides the e-wallet service; and/or
- by other financial institutions and/or PSPOCPs, where the digital wallet service provider only performs the initiation function (as explained below).
Secondly, the concept of PSP is broadened by incorporating new functions that PSPs can fulfill within a payment scheme.
Thus, the new functions explicitly incorporated into the PSP Rules are:
- Initiation: sending a valid payment instruction at the request of an ordering client to the provider of a payment or bank account or issuer of a payment instrument.
- ATM networks: administering transactions ordered through ATMs.
- Electronic transfer networks (processing or operation): transmit electronic instructions of funds movements between financial institutions and, if applicable, notify the PSPOCP of the credits to its own demand account, so that the latter may proceed with the effective fulfillment of its transfer function as defined in point 1.3.11. of the rules on the "National Payment System - Transfers - Complementary Rules".
In this way, companies or enterprises that previously could not be considered PSPs (such as ATM network companies), now undoubtedly belong within the scope of this generic regulatory figure.
o PSP initiator that does not offer payment accounts
One of the features of Communique "A" 7462 is that it introduces a figure that was not previously explicitly regulated by the PSP Rules: the PSP that performs the initiation function (hereinafter, "PSPI", after its acronym in Spanish).
In most cases the PSP initiating a payment (PSPI) also offers its clients a payment account (PSPOCP), from which funds are debited in case of a payment with transfer. When offering payment accounts, these PSPOCPs were already regulated and had to comply with all the requirements of section 2 of the PSP Rules and even with the security and fraud mitigation provisions introduced by Communique "A" 7328.
However, it may happen that a PSP fulfills only the initiation function (PSPI) and does not offer payment accounts (it is not a PSPOCP). With the publication of this new rule, the provisions introduced by Communique "A" 7328 are extended to PSPIs. Thus, PSPIs offering the e-wallet service must:
- Comply with the KYC standards and requirements that the BCRA establishes for the opening of savings accounts.
- Link to e-wallets only those payment instruments or accounts whose holder (or one of the co-holders) is the same as the holder of the “e-wallet.”.
- Use strong authentication mechanisms (2FA) for accessing the wallet.
Therefore, any financial institution, PSPOCP or PSPI offering the e-wallet service must comply with these requirements.
o Modifications to the PSP Registry
Prior to this regulation, only PSPOCPs were required to register with the BCRA, by virtue of Communique "A" 6885. Therefore, the registry was called "Registry of payment service providers offering payment accounts".
As from the issuance of this new regulation, and based on the new functions introduced, the BCRA changes the name of the registry to "Registry of Payment Service Providers" and establishes that, in addition to the PSPOCPs, those PSPs that perform the functions of "initiation", "ATM networks" and "electronic transfer networks" must be registered in such registry (hereinafter, the "PSP Registry").
The BCRA clarified that PSPs performing more than one function subject to registration must identify each function separately in the PSP Registry and complete the sections corresponding to the "Operational and commercial description" of each function, except in the case of PSPs that simultaneously perform the functions of initiation and provision of payment accounts, in which case only the registration of the latter function will be required.
In addition, the BCRA made adjustments to the information that must be provided to apply for registration, indicating that the articles of incorporation or bylaws must now be submitted with proof of registration in the public registry of the jurisdiction involved and that the corporate purpose must explicitly contemplate the development of the activities related to the provision of payment services that motivate the registration in the PSP Registry. In turn, according to the type of PSP involved, the following additional information is required in the operational and commercial description:
- for PSPOCPs and PSPIs offering e-wallet service, to indicate whether such service will allow initiating payments by reading QR codes and to detail with which instruments -such as payment by transfer and credit card- such payments may be made.
- for ATM networks and electronic funds transfer networks, the presentation of (i) an operating regulation or manual containing the specifications of the service and the responsibilities assumed by the participants, and (ii) a list of their participants, grouped by type or function assumed.
o Information Regime
As a result of the extension of the scope of the Register, the BCRA established that PSPs registered in the "Register of Payment Service Providers" must comply with the information regime (reports to the BCRA) to be established.
Likewise, financial institutions that provide e-wallet services must also comply with this information regime.
o New Register of interoperable e-wallets
Another major novelty introduced by Communique "A" 7462 is a series of points regarding payments with interoperable QR codes. Since the launching of the Transfers 3.0 program, the BCRA has been promoting this widely used credential for payments in Argentina in order to achieve interoperability among the different e-wallets.
Thus, in the first place, the BCRA creates the "Register of interoperable digital wallets", to which all PSPs and financial institutions that provide an e-wallet service and allow making payments with transfers initiated by reading QR codes must register.
Registration requires the following:
- A certification issued by the legal representative of each immediate transfer scheme administrator authorized by the BCRA stating -as a sworn statement- that the wallet successfully completed the integration with each of the acceptors who adhered to its scheme and that it is in conditions to be used by the general public to make payments with transfer by reading the QR codes generated by each and every one of those acceptors.
- Information on (i) the person responsible for information technology and systems tasks, (ii) the person responsible for tasks related to information security and asset protection, (iii) the location of the main and alternative processing center(s), and (iv) a list of the suppliers providing IT, computer systems and IT security services.
- In case of PSP, to be previously registered as PSPOCP or PSPI.
• Communique “A” 7463
Communique "A" 7463 sets forth measures related to the mitigation, prevention and management of fraud in transfer transactions.
Firstly, the BCRA established that the e-wallet service provider must enable the technical means for the client to give simple and immediate consent at the financial institution or the PSPCP, as the case may be, at the time of enrollment of his bank or payment account. This measure follows the measure adopted by the BCRA last year through Communique "A" 7363, which allowed wallet holders to associate their demand and payment accounts with the wallets.
Likewise, with respect to financial institutions and PSPOCP, the BCRA established the analogous measure that clients may give their consent in a simple and immediate manner, and in turn (i) confirm in the authorization of any payment instruction ordered by the client through the e-wallet service, that the consent given is in force, and (ii) provide the ordering client the possibility of establishing, viewing and modifying parameters of use of the digital wallet services (e.g., limits of amounts per periods and number of transactions), as well as unlinking that account from the e-wallet.
Finally, the BCRA reinforced, through different technical requirements, the fraud mitigation guidelines established so far in point 2.6 of the rules on "National Payment System - Transfers - Complementary Rules.
This insight is a brief comment on legal news in Argentina; it does not purport to be an exhaustive analysis or to provide legal advice.