As part of the implementation of the fifth Anti-Money Laundering Directive (AMLD5), the German Parliament has decided to require providers of technical infrastructures, such as Apple in relation to the Near Field Communication (NFC) antenna contained in iPhones, to grant access to those technical infrastructures to payment service providers (PSPs). This new legal requirement is applicable since 1 January 2020.
This German initiative comes while the European Commission (EC) is already investigating Apple to determine if Apple has breached the EU competition law rules by refusing to grant access to the NFC antenna to card stored in other e-wallets on iPhones than the Apple Pay e-wallet (e.g. a bank e-wallet).
We address below in turn the background to this German initiative, as well as its provisions and possible outcomes.
What’s the problem that the law seeks to address?
Payments with a mobile phone are becoming increasingly popular in Europe. Most of those mobile payments rely on:
– a token, i.e. a dematerialised version of a plastic card, stored either on the phone (e.g. in the Secure Element (SE)) or in the cloud, and
– an exchange of data between that the phone and the merchant’s contactless terminal, through the phone’s NFC antenna (or chip).
To our knowledge:
– all large phone manufacturers have left the NFC antenna in the phone “open”, meaning that a card stored in any e-wallet on the phone will be able to access that NFC antenna in order to perform mobile contactless payments;
– Except Apple, which has “closed” the NFC antenna in the iPhone so that only a card/token stored in the Apple wallet will be able to access the NFC antenna and communicate with a contactless terminal. A card/token stored in another e-wallet on the phone (e.g. in a bank wallet) cannot have access to the NFC antenna and therefore cannot be used to make a mobile contactless payment. In order for a mobile contactless payment to take place with an iPhone, the card issuer needs to first enter into an agreement with Apple that will allow the cards it issues to be loaded into the Apple Pay wallet, and then used to make mobile contactless payments. It is our understanding that such agreement comes with a fee that the issuer needs to pay to Apple; in economic terms this means that the issuer has to share its interchange fee revenue (which is regulated for consumer cards in the EEA) with Apple. It is also our understanding that the Apple Pay standard agreement is pretty much imposed by Apple upon issuers on a “take it or leave it” basis.
For quite some time, issuers have been complaining that the “lock” applied by Apple on the NFC antenna was a measure adopted by Apple in order to monetise payments. Indeed, without the lock on the NFC antenna, it is to be expected that issuers would generally encourage their customers to provision their card/token into another wallet on the iPhone than the Apple Pay wallet (perhaps a bank wallet), so that transactions taking place through that other wallet would not require the issuer to have to pay a fee to Apple. Faced with such behaviour, it could be expected that Apple would stop charging a fee for payments made via the Apple Wallet in order to get issuers and cardholders to send more transactions via the Apple Pay wallet, rather than a competing wallet on the iPhone. This would potentially prevent Apple from monetising payments.
In response to the above issuer criticism about the Apple “lock” on the NFC antenna, one could argue that no issuer is required to allow its customers (i.e. cardholders) to make mobile payments with iPhone – i.e. iPhone holders can continue paying with their (contactless) plastic card; no card issuer is expected to allow its cardholders to pay with their iPhone. However:- Other handset manufacturers or other mobile OS providers than Apple who also offer an e-wallet (e.g. Samsung Pay, Google Pay) have not placed a lock on the NFC antenna, and as a result are providing access to their own e-wallet free of charge. This makes it attractive for issuers to get connected to those e-wallets, and therefore offer their customers the possibility to make mobile contactless payments with their phone. This can put the issuer in a situation where its customers that hold an iPhone sometimes feel “discriminated against” since customers with e.g. a Samsung phone or other Android operated phone are able to make Samsung Pay/Android Pay contactless mobile payments, whereas customers with a (typically more expensive) iPhone are not able to make mobile contactless payments.
– There are precedents of large issuers in some EU countries deciding not to connect to Apple Pay (perhaps because they do not want to share their regulated interchange fee revenue with Apple?), but Apple managed to convince smaller issuers in those EU countries to get connected to Apple Pay (perhaps by giving them a discount on the standard Apple Pay fee?). This in turn has put pressure on the larger card issuers to, in turn, get connected to Apple Pay for fear of perhaps losing customers to the smaller issuer(s) – i.e. a “domino effect”. As has become clear by now, consumers are more likely to switch their card issuer than to switch the brand of their mobile phone…
The recently adopted German legislation
It is also against the above background that, as part of the implementation of AMLD5 into German law, the German legislator has decided to impose a requirement, effective 1 January 2020, that providers of technical infrastructures that may contribute to the provision of payment services or the operation of e-money activities should give access to those infrastructures (see Section 58a of the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz – ZAG)). The preparatory documents refer specifically to the example of the iPhone NFC antenna as being one of the primary focuses of this legislation. According to the new law, PSPs should be entitled to have access to those technical infrastructures that are necessary and reasonable for them to be able to provide payment and e-money services.
This requirement is imposed on so-called “system enterprises”, but a PSP may also qualify as a system enterprise if it owns a technical infrastructure to which other PSPs would need access in order to provide payment services or e-money services.
As an exception to the above access requirement, infrastructures that are only used by 10 or less PSPs are not subject to the access requirement. Furthermore, a system enterprise is not subject to the obligation if it has less than 2 million registered users. Those thresholds are to be assessed at the level of the entire corporate group to which the system enterprise belongs (rather than on an individual company level). In terms of timing, those thresholds are assessed on the day that the PSP makes the request for access.
System enterprises can legally refuse to grant access to an infrastructure if there are objective reasons to deny that access, such as for example a concrete threat to the safety and integrity of its technical infrastructure services. The system enterprise bears the burden of proof of the existence of a “concrete threat”. In addition, the system enterprise should be able to demonstrate that it has made reasonable efforts in order to minimise the security risk of that concrete threat materialising.
The system enterprise is entitled to charge “an appropriate fee” for granting access to the PSP. Obviously what constitutes an appropriate fee will be up for discussion.
If an infrastructure provider were found to have illegally denied access to a PSP, the PSP could introduce civil law litigation before the ordinary courts seeking damages from the system enterprise.
The new regulation has no effect on obligations based on other legal grounds, such German competition law (GWB) and/or a contract.
As mentioned above, the new legal requirement only became applicable on 1 January 2020. It is therefore too early to draw any conclusions in terms of its potential impact on the market.
In principle, this new requirement should allow PSPs operating in Germany to equip iPhone holders with wallets other than the Apple Pay wallet, in which they could store their card credentials/tokens and allow them to make mobile contactless payments with an iPhone through those wallets other than the Apple Pay wallet. It should therefore allow for competition between the Apple Pay wallet and other wallets for mobile contactless payments with iPhones which does not exist today.
– Perhaps other EU countries to adopt similar legislation?