The access to technical infrastructure shall be opened.
As part of the implementation of the fifth Anti-Money Laundering Directive (AMLD5), the German Parliament has decided to require providers of technical infrastructures, such as Apple in relation to the Near Field Communication (NFC) antenna contained in iPhones, to grant access to those technical infrastructures to payment service providers (PSPs). This new legal requirement has been applicable since 1 January 2020.
This German initiative comes while the European Commission (EC) is already investigating Apple to determine whether Apple has breached EU competition law rules by refusing to grant access to the NFC antenna to cards stored in e-wallets on iPhones other than the Apple Pay e-wallet (e.g. a bank e-wallet).
We address below in turn the background to this German initiative, as well as its provisions and possible outcomes.
What's the problem that the law seeks to address?
Payments with a mobile phone are becoming increasingly popular in Europe. Most of those mobile payments rely on:
- a token, i.e. a dematerialised version of a plastic card, stored either on the phone (e.g. in the Secure Element (SE)) or in the cloud, and
- an exchange of data between the phone and the merchant's contactless terminal, through the phone's NFC antenna (or chip).
- all large phone manufacturers have left the NFC antenna in the phone "open", meaning that a card stored in any e-wallet on the phone will be able to access that NFC antenna in order to perform mobile contactless payments;
- Except Apple, which has "closed" the NFC antenna in the iPhone so that only a card/token stored in the Apple wallet will be able to access the NFC antenna and communicate with a contactless terminal. A card/token stored in another e-wallet on the phone (e.g. in a bank wallet) cannot have access to the NFC antenna and therefore cannot be used to make a mobile contactless payment. In order for a mobile contactless payment to take place with an iPhone, the card issuer needs to first enter into an agreement with Apple that will allow the cards it issues to be loaded into the Apple Pay wallet, and then used to make mobile contactless payments. It is our understanding that such an agreement comes with a fee that the issuer needs to pay to Apple; in economic terms this means that the issuer has to share its interchange fee revenue (which is regulated for consumer cards in the EEA) with Apple. It is also our understanding that the Apple Pay standard agreement is pretty much imposed by Apple upon issuers on a "take it or leave it" basis.
- Handset manufacturers or mobile OS providers other than Apple that also offer an e-wallet (e.g. Samsung Pay, Google Pay) have not placed a lock on the NFC antenna, and as a result are providing access to their own e-wallet free of charge. This makes it attractive for issuers to get connected to those e-wallets, and therefore offer their customers the possibility to make mobile contactless payments with their phone. This can put the issuer in a situation where its customers who hold an iPhone sometimes feel "discriminated against", since customers with e.g. a Samsung phone or other Android-operated phone are able to make Samsung Pay/Android Pay contactless mobile payments, whereas customers with a (typically more expensive) iPhone are not able to make mobile contactless payments.
- There are precedents of large issuers in some EU countries deciding not to connect to Apple Pay (perhaps because they do not want to share their regulated interchange fee revenue with Apple?), but Apple managed to convince smaller issuers in those EU countries to get connected to Apple Pay (perhaps by giving them a discount on the standard Apple Pay fee?). This in turn has put pressure on the larger card issuers to get connected to Apple Pay as well, for fear of perhaps losing customers to the smaller issuer(s) – i.e. a "domino effect". As has become clear by now, consumers are more likely to switch their card issuer than to switch the brand of their mobile phone…
This requirement is imposed on so-called "system enterprises", but a PSP may also qualify as a system enterprise if it owns a technical infrastructure to which other PSPs would need access in order to provide payment services or e-money services.
As an exception to the above access requirement, infrastructures that are only used by 10 or fewer PSPs are not subject to the access requirement. Furthermore, a system enterprise is not subject to the obligation if it has fewer than 2 million registered users. Those thresholds are to be assessed at the level of the entire corporate group to which the system enterprise belongs (rather than on an individual company level). In terms of timing, those thresholds are assessed on the day that the PSP makes the request for access.
System enterprises can legally refuse to grant access to an infrastructure if there are objective reasons to deny that access, such as a concrete threat to the safety and integrity of its technical infrastructure services. The system enterprise bears the burden of proof of the existence of a "concrete threat". In addition, the system enterprise should be able to demonstrate that it has made reasonable efforts to minimise the security risk of that concrete threat materialising.
- Perhaps other EU countries to adopt similar legislation?