The Central Bank of Ireland (Central Bank) issued a statement to consumers emphasising the importance of continued access to payments and normal payment processing during the COVID-19 pandemic. Irish regulated firms operating in the payments space will be well aware of their BAU regulatory obligations. This article focuses on the COVID-19 related points that payment services providers (PSPs) should consider.
Ireland's Minister for Finance requested that contactless payments be increased from €30 to €50 in order to minimise cash handling by consumers and retail staff. The European Banking Authority (EBA) in a statement on 25 March called on PSPs to facilitate consumers' ability to make contactless payments at the point of sale. The EBA also encouraged PSPs to increase the limits up to the maximum EUR 50. Banks and other PSPs reacted quickly to roll out this increase in record time.
Strong Customer Authentication
Strong customer authentication (SCA) under PSD2 required the rollout of an additional security step for certain payments. National competent authorities were required to report by 31 March 2020 on their readiness to meet the SCA requirements. The EBA removed this deadline so as to support PSPs' efforts to focus on their customers at this time. The EBA indicates that it will continue to monitor events and will continue to assess any additional measures that may need to be taken.
The Irish Government indicated that banking and financial services were essential services during the COVID-19 pandemic under guidance published by the Department of the Taoiseach on 28 March 2020. The Central Bank issued a statement on 31 March 2020 outlining the expectations of financial services firms at this time. In its COVID-19 Hub the Central Bank also specifically mentions PSPs, indicating that they are responsible for continuity of payment processes and access to payments systems for their customers during the pandemic. Given the significance of the payments sector at this time it is clear that staff in PSPs are essential and boards of PSPs should be especially vigilant to ensure business continuity plans are keeping pace with the evolving situation. Staff capacity, welfare and the potential for staff illness should be kept under review. We are seeing increasing use of e-signatures as firms seek to continue business and recruit staff while observing social distancing.
The Central Bank indicated in early March that firms are expected to have appropriate contingency plans in place to deal with major operational events. For PSPs, the Central Bank has indicated that it is monitoring their continuity arrangements daily. Continuity management will involve careful scrutiny of IT risk to address disaster recovery. Contingency plans must be tested and should ensure the recovery, resumption and maintenance of all business aspects. Documented analysis and complete reviews of business critical processes and interdependencies are required. Firms must consider a range of plausible event and disaster scenarios. PSPs should report to the Central Bank as soon as possible, where circumstances present a risk to the maintenance of services to consumers, industry or markets.
There are obvious AML/CTF implications as more transactions migrate online. There have also been an increasing number of scams and frauds. The Central Bank has reminded all relevant regulated firms that effective systems and controls should continue to be implemented. The regulator's current guidance is that firms should remain alert to changing techniques and should update their risk assessments accordingly. Firms should continue to monitor transactions and monitor suspicious or unusual patterns in customer behaviour and financial flows. Suspicious Transaction Reports should be made to the Financial Intelligence Unit of An Garda Síochána using the GoAML electronic process. The usual requirement to report to the Revenue Commissioners may not be possible with working from home arrangements. The Revenue Commissioners have indicated that MLROs can provide a paper filing when they return to the office.
Where critical business areas are outsourced, PSPs should ensure that they have adequate governance and risk management processes in place to address outsourcing risks. Outsourcing arrangements should be reviewed with the current risk environment in mind to ensure that effective risk management and continuity planning is in place.
The Competition and Consumer Protection Commission and the Central Bank have indicated that normal protections for consumers continue to apply. The Central Bank has added that consumers must be provided with whatever reasonable arrangement and/or assistance they need in dealings with regulated entities. All regulated firms have been told by the regulator that they should take a consumer-focused approach and act in customers' best interests. Consumers will be carefully managing their personal liquidity and PSPs will be experiencing a higher than usual number of requests for chargebacks given that consumers will have paid for products and services that cannot now be provided as a result of the pandemic. This will have consequences for capital and liquidity for PSPs in addition to being a key area for resourcing.