HOW TO REGULATE ISSUERS OF E-MONEY?
Draft Report*
This report is part of a broader study
seeking to answer questions formulated by the European Parliament concerning
the outlook for electronic money and electronic commerce. It deals more specifically with the issue of
the rules and regulations for the issuers of electronic money. [rappeler
la question]Its objective is to answer the following question:
"How to regulate issuers of electronic money?"
The scope of the study
is to definereport reviews the which
rules are to beunder which imposed upon issuers
of electronic money should operate. It analyses the proposals and determine if of the European Commission's Commission on
the subject matter. Proposals are a sufficient
answer to the need to regulate issuers of e-money.
The report is structured in three parts: Its Objectives areThe first part ly to give alooks at possible initial
definitions of the e-money and provides an
overview of the American and of the Japanese approaches to e-money.
The second
part Secondly to highlight the key
points of the European Commission's Directive Proposal [title]. The third part
seeks to And finally to formulate some preliminary
observations
and conclusions.
The study report is
based on existing data documentation and
on interviews with selected
experts
(see Annex). Details on those data and interviews
are available in the annex at the end of the document.
The traditional approach to money is to divide it into two categories: When observing the monetary mass of a country, two kinds of
money can be marked out: cash and scriptural money. The first one
is issued by the Central Banks, while
the second one is created by private banks. The rapid
development of electronic payment systems, such as interbank payment systems,
and instruments such as debit cards and stored value
cards,
raises a question: is a new category of money, electronic
money or e-money, emerging ? Experts appear deeply divided over the question. Some features of
e-money make it appear like cash, while others allow it to be
assimilated to scriptural money. At the same
time, some
forms of e-money are issued by non-financial institutions and can be transacted
outside the traditional banking systems. Hence the interest of regulators ofand monetary policy managers. A "new kind" of money appeared 6 years ago:
electronic money. But is e-money really a new money kind? Some features of
e-money are close to cash, while others are clearly belonging to scriptural
money. Some experts pretend e-money is not even money.
The term electronic money is
often used to refers to a wide variety of proposed
retail payment mechanisms. E-money products can be defined as
"stored-value" or "prepaid" products in which a record of
the funds or "value" available to a consumer is
stored on an electronic device (hardware and/or software)e] in the consumer's possession. [Utiliser les définitions standards et citer leurs sources ! Ne pas
prétendre de tout inventer]
The electronic value is purchased by the
consumer and is reduced whenever the consumer uses the device to make
purchases. Many
stored-value devices, in all probability, their great majority, isare used for In contrast
to the many existing single-purpose purchases prepaid card schemes (such as those offered by telephone callcompanies). Such single-use devices are not considered, e-money, which should be used as products are intended to be used as a
general, even
universal, multipurpose means of payment.
Two other important distinctions are:
-
Account-based e-money, when transaction involves a
double entry into accounts on various electronic supports (card,
readers and servers) vs. token-based e-money, wheren. value is embodied in a software,
which can circulate freely, without firm linkage to a bank account. The circulation
is carried out by transfer from one electronic device to
another one. Complex networks of exchange and clearing can be
established outside the traditional financial system. Token e-money is
often referred as "digital cash". However, e-cash does not
present all the features of cash. For one thing, there is potentially an infinite number of
issuers of e-coinsash. Another
distinction is the need for specific infrastructure of readers and application software, which clearly limits the. These two characteristics limit the potential acceptance of
e-cash. [Mentionner au moins brevement l’échec du Digicash].. Another key
difference is that e-cash allow the traceeability of the owner. The degree of anonymity
in e-cash is a hotly debated issue.
-- Stored-value products and access products,
which are fundamentally security devices. The chip on the French debit card
does not store value only the security device allowing the user to access the payment systems which
then effects the transaction. Many Internet banking products are in fact the
security devices allowing to make a credit card payment or to transmit
instructions to make funds transfers between bank accounts overt the Internet. Moreover, the definition covers both prepaid cards, called
"electronic purses", and prepaid software products that use computer
networks such as the Internet, sometimes called "digital cash" or
"virtual purses". Access products may use similar
mathematical methods and electronic support as stored value products and are of interest. However, they do not
raise the same concerns as e-money schemes.
-
E-money
as just defined, differs from so-called "access products", which are
products that
allow
consumers to use electronic means of communication to access otherwise
conventional payment services. For example, use of a standard personal computer
and a computer network such as the Internet to make a credit card payment or to
transmit instructions to make funds transfers between bank accounts. These
access schemes major feature is the communication method (e.g. the use of a
computer network rather than a visit to a bank branch) and so, although they
are of interest, they do not raise the same concerns as e-money schemes.
While
"access products" appear clearly as simple transaction means for
scriptural money, e-money sounds more like cash. E-coins exist on their own and
do not need any bank account to be deposed on. E-money is just stored in the
memory of an electronic device and, during the transaction, transferred from
one device to another one. However, e-money does not present all the features
of cash. On one hand, digital money can not be used for all purposes: an
adapted device is necessary to collect the money and many systems do not allow
peer-to-peer transactions. In addition, unlike cash, in most schemes currently
available, electronic money received by the beneficiary can not be used again.
On the other hand, e-money do not fully preserve anonymity. A transaction realised with e-money can hence be considered
as an "exchange" of a good or a service against a credit issued by a
given organisation (mainly by private banks).
Various e-money
schemes are being developed and they differ considerably in their
features, many
aspects of which are still to be finalised. Firstly, e-money products differ in
their technical implementation. To store the prepaid value, card-based schemes
involve a specialised and portable computer hardware device, typically a
microprocessor chip embedded in a plastic card, while software-based schemes
use specialised software installed on a standard personal computer.
Secondly,
products differ in the way in which value is transferred. Some e-money schemes
allow transfers of
electronic balances directly from one consumer to another without any
involvement of a third party such as the issuer of the electronic value. More
usually, the only payments allowed are those from consumers to merchants, and
the merchants in turn have to redeem the value recorded (for example, at the
end of the day they transfer the total value to their bank, which then credits
their bank account with the funds).
Thirdly, in most
e-money schemes currently being developed or pilot-tested, the
"value"
stored on the
devices is denominated only in the national currency. It is possible, however,
for balances to be held and payments to be made in several different national
currencies.
In the
traditional theoretical frameworkFrom a
theoretical point of view, there is no room for e-money
as a
distinct category. can not be considered as cash
or as scriptural money and not even as money in general. Generally
accepted academic
definition of money actually describe money it as an universal instrument accepted for the
settlement of all transactions. That is clearly not ,
what is clearly not the case for e-money. On the other
hand, the development of electronic payment systems and instruments raises
serious concerns among regulators and central bankers [citation] to the extent that it modifies the
traditional architecture and relationships within the banking system.
In practice, many
central banks try to consider e-money as a new kind of scriptural money.
According to Banque de France, e-money is very closed
to traveller checks, except that checks are not divisible. No new status or regulation has have been required for traveller checks, and therefore no
new status should be created for e-money. E-money is just scriptural money stocked stored on an electronic device and does not require
separate treatment. should be integrated in
scriptural money aggregates.
Various
e-money schemes are being developed and they differ considerably in their
features,
many aspects of which are still to be finalised. Firstly, e-money products
differ in their technical implementation. To store the prepaid value,
card-based schemes involve a specialised and portable computer hardware device,
typically a microprocessor chip embedded in a plastic card, while
software-based schemes use specialised software installed on a standard
personal computer.
Secondly,
products differ in the way in which value is transferred. Some e-money schemes
allow
transfers of electronic balances directly from one consumer to another without
any involvement of a third party such as the issuer of the electronic value.
More usually, the only payments allowed are those from consumers to merchants,
and the merchants in turn have to redeem the value recorded (for example, at
the end of the day they transfer the total value to their bank, which then
credits their bank account with the funds).
Thirdly,
in most e-money schemes currently being developed or pilot-tested, the
"value"
stored
on the devices is denominated only in the national currency. It is possible,
however, for balances to be held and payments to be made in several different
national currencies.
On
the international level, sSeveral e-money projects are being developed
outside Europe. Foreign cRegulators in countries, where such
projects are being implementing those new systems are monitoring them
with interest. thinking about approaches approach
to follow, regarding e-money regulation. Those approaches are different but
have a common feature: currently e-money issuance is not forbidden to
non-banks.Let’s us consider the situation in two countries:
United States and Japan
In the United Sstates, a growing number of limited
area electronic
stored-value schemes(using the Belgian Proton and/or Mondex technology)
are being developed in controlled environment, such as on college campuses, sports stadiastadiums or, military bases (using
the Belgian Proton technology) etc. While the
various agencies of the government monitors closely those experiences, the
official position is that According
to the American government there are is no
immediate need to regulate electronic money issuance and there is, at present,
no restriction on who can issue it. This approach is partly based on the judgement that
these development are unlikely to affect the overall structure of the payment
system [quote (Weininger study)].continuing high
usage of cheques as a preferred means of non-cash payment. In May of this year [which year]1998, an
interagency Task Force on Electronic Payments, chaired by the Office of the
Comptroller of the Currency, was of the opinion that government regulation at
this time could adversely affect competition and innovation in an industry that
is still in the early stages of development and could increase the costs of electronic
money products unnecessarily (source: European Commission) [reference].
Japan has
probably the most ambitious and far-reaching electronic money scheme in the
world today, The issue is currently being
examined in Japan where a number of large pilot schemes are
already
in operation or will come on line in the near future. One of the main proposals
being
considered is the introduction of a regulatory structure for non-bank issuance
of
electronic
money. The most interesting and ambitious
project scheme is managed by NTT, the largest telephone
operator in the world, with the participation of 34 companies
[caractéristiques].. The overall
concept is to create a highly secure electronic money system. The Electronic
Money will be both anonymous and traceable. It will be issued by an Issuing
Institute, a wholesale institution, to which only the commercial banks will
have access. Settlement will take place between the Issuing Institution and
banks. These will distribute the Electronic Money and deal with customers, who
will charge electronic Money on smart cards and use it for purchases digital
content in virtual shopping malls.
|
|
The overall scheme of
the Electronic Money experiment is shown abovebelow.
JAPANESE SYSTEMJapanese Electronic Money System Architecture
From the
technological standpoint, the project is based on a proprietary NTT technology
which allows speedy encryption, considerably quicker than the existing methods.
The project raises substantial institutional issues such as: Who will the
Issuing Institution ? Will the virtual money be fungible ? What is the likely
impact of the project on monetary policy and bank intermediation ? At present,
NTT is widely seen as the Issuing Institution. The project is
closely followed by the Bank of Japan, which supports its implementation. However, BOJ has not fully
determined what are implications of NTT becoming the Issuing Institution. In
all probability, it would entail setting up a separate subsidiary, which could
then be supervised by the BOJ.
[START WITH DETAILS: WHAT ARE YOU TALKING ABOUT ] In [] In September 1998, The European Commission has issued a [directive/proposal [title]proposal for
European Parliament and Council Directives on the taking up, the pursuit and
the prudential supervision of the business of electronic money institutions.. This proposal is a result of several years of
discussion between official bodies and between the public and private sector. Through this document, European
Commission
tends to
propose
a legal framework
concerning regulation of e-money issuance by potential
non-bank
actors.
Payment sector has
always been considered as very sensitive economical sector in which, customers
confidence plays a very important role. If the payment instrument does not suit
customers needs, they will not use it. This refusal can have negative effects
on the global economy by slowing exchanges speed.
The financial
integrity and the operations of electronic money issuers must hence be secured.
On the one hand, the stability and soundness of issuers of electronic money
must be ensured. Systemic failure should be prevented in order to
avoid On the other hand, it must be ensured that
the failure of any one individual issuer does not result ina loss of
confidence in this the new and developing means of payment.
Currently, the
supervisory and regulatory approaches to the issuance of e-money have developed
on an ad hoc, national basis throughout the Union. There is no clear legal
framework for electronic money issuance and if the regulatory issues are not
addressed,
innovative payment schemes cannot be implemented. this business can be
carried out on an unregulated basis [NOT TRUE !!! NOBODY V+CAN ISSUE MONEY WITHOUT
GOVERNMENT PERMISSION. It is neither in the interests of
consumers nor markets generally that this situation be allowed to continue.
The European
Commission also insists on the importance of e-money regarding the introduction
of Euro. Electronic money represents an opportunity for consumers to
familiarise themselves with the concept of the single currency during the
transition period. This will also contribute to the growth and development of
electronic money as a simple means of cross-border payment.
In order to ensure
the soundness of e-money issuers, a prudential supervision is needed. That is
why the Commission draft proposals for directives on the issuance of electronic
money are very much calibrated modelled upon the existing banking
directives.
However, in its most
recent proposal, Commission departs from an earlier view that only banks should
be allowed to issue e-money. oes not sustain the
proposition of European Central Banks to impose banking status to all e-money
issuers. The supervisory regime applied to banks is too huge heavy and complicated and can discourage
initiatives from non-banking sector and thus hamper the development of new payment
instruments. MoreoverThus,
European Commission considers that only a restricted limited prudential control should be sufficient to
ensure the soundness of e-money issuing activities. The main thrust is to
provide for the application of those elements of banking legislation, and only
those, which are pertinent to the provision of e-money and to the risks
associated with it while at the same time ensuring, from a monetary policy
perspective, that both stability and a level playing field as
between issuers are realised.
For those reasons,
European Commission has decidedproposes to "create"
a new status for electronic money issuers.
The principal
differences between the application of the First and Second Banking
Co-ordination Directives to banks and electronic money institutions lies in the
initial capital
and on-going own
funds requirements and the investment limitations imposed on them.
The initial capital
requirement for banks is 5 million ECU while that proposed for
electronic money
institutions is set at 500,000 ECU. On an on-going basis banks are
required to maintain
a minimum own-funds requirement of 8% while the figure proposed
for electronic money
institutions is set at 2%.
For the taking-up and
the pursuit of business, e-money institutions are subject to same conditions as
credit institutions: prior authorisation - minimum capital requirement
(adapted) - fit and proper management - sound and prudent operation - initial
and ongoing owner control.
An option is left to Member States allowing for a waiver of the provisions of the proposals commensurate with the risks inherent is small e-money schemes. The waiver may only be applied to e-money institutions underpinning relatively small schemes.
In the directive
proposal, European Commission adopts a definition of e-money completely somewhat opposed different from
the academic one (see p. above) to the widely accepted one. Generally, money is
considered as an universal instrument, helping to settle any kind of transactions.
European Commission define e-money as a multi-purpose instrument. With In other words, commission define e-money as
a payment instrument helping to settle more than one kind of
transaction, while the widely accepted definition of money imposes an universal
dimension to money.
The point is to actually define which of
those definitions should be the more accurate to separate issuing institutions, needing to be
regulated, from others that should
not. The chosen definition should not be too broad, and
include systems like public phone cards, but not too narrow too, and let e-money
institutions escape regulation.
Definition from
European Commission can maybe be considered as too broad. For example, according to that definition, Club Méditéranée cards allowing to pay
various kind of products within holiday villages should be considered as electronic
money
and Club Méditéranée should be considered as an electronic money
issuer, respecting legal requirements imposed by the directive. And this, even if it remains
possible for owners of such a system to ask for a waiver on certain
provisions of the Directive to their National State (if the overall unredeemed
e-money does not exceed ECU 10 million). Another example is, what should be the status of a
telecom operator issuing cards to be used both with public phones and GSM?
On the other hand,
using the widely accepted definition of money should prove to be inaccurate too. As a matter of
fact, that
definition imposes an universal dimension to money, while none of current electronic money
system is de
facto accepted
for all kinds of transactions. Although, some of them are
universal in scope.
Using multipurpose criteria to
determine which
payment instrument must be considered as electronic money or not causes problems. Added other systems features to the definition should
help to settle their status in a more accurate
way. A suggestion,
should be to determine the acceptance level of the payment instrument, by
considering the wideness of the underlying clearing system. [Good paragraph
but need to be more diplomatic].
As its title
mentions it, the Directive Proposal clearly focuses on
the regulation of e-money issuers. It does not mention
any recommendation
concerningdiscuss the regulation of settlement
and clearing process
and institutions, the way money transactions
are settled
between those who issue the money and those who accept it.Those
institutions are extremely important in the payment area, as they determine the
acceptance level of a payment. And yet, in the money circulation and acceptance,
clearing and settlement arrangements are as essential in the determination of the scope of acceptability and universality as the
issuance approaches. An analysis of electronic money is incomplete without the consideration of its settlement and
clearing aspects. It would be interesting to study their implications in the
e-money schemes and the possible advantages of including them in the Directive
Proposal.Furthermore, it is in this area that the widespread use of
Information Technology has had the strongest impact.
Ifn an unregulated not taking into account monopoly situation,
multiple issuers and acquirers of electronic money are
coexisting on the same market, using similar the
same technologyies for issuing their
“currencies”. With some electronic products however, a consumer would
have the option of receiving a refund for an unused electronic money balance
and having the proceeds deposited in aa traditional bank account
account, typically on already linked to the device by the issuer.
. If the bank account
were not located at the issuing institution, a clearing and settlement process
would be required to redeem the issuer's stored value obligation.
As in any other As
in other retail payment systems, electronic money products
typically involve a collection process whereby a merchant's account at an
acquiring institution
is credited with funds received for payments from consumers. In some systems,
in which most or all transaction information is truncated at the point of sale,
merchants may simply deposit a single accumulated balance on their terminal through a connection
between the terminal and the acquiring institution. For other
systems, transaction details are transmitted from the merchant terminal to the
acquiring bank, where they are routed to a clearing centre.
It is the clearing and
settlement system that determine the acceptance level of a given payment
instrument.In the absence of a
clearing system between issuing
institution and acquiring one, no
transaction can take place between customers from both institutions. Those
institutions are extremely important in the payment area, as they determine the acceptance level of a payment.
Customers
Users
of such instruments from a given financial
institution can only realise transactions with customersmerchants from another one if thoseboth issuing and acquiring institutions are
part, directly or
indirectly, of a common clearing scheme.
Current electronic payment systems are
all based on banking
clearing centressystems, directly or indirectly. Even
E-money
companies likesuch as Cybercash are working with banks to settle transactions
realised via their system. It would be extremely hard, if not impossible, for
a proprietary
system to grow up to a certain pointgain a wide acceptance without a direct
or an indirect access to wide
banking clearing centres. The system is complex and hierarchical, with
various systems for various payment categories (check/card, retail/wholesale).
At the same time, those systems are interconnected by common membership and
interoperability agreements. Clearing and settlement activity is closely
supervised by Central banks, which are often directly involved in operating
such systems. This is particularly the case for large-value interbank systems
such as TARGET, which is used to settle large cross-border in euros and which
is operated by the European Central Bank. Indeed it can be argued that for central banks,
maintaining the integrity of clearing and settlement system has become a
mission-critical function, on the par with its “lender of last resort” responsability.
The European
Directive Proposal deals with one of hindranceobstacles for non-financial
institutions to issue electronic money: the status,
but does
not tackle the majorkey question problem of acceptance of the issued
electronic money.
It does not address the issue of ,
by regulatingon of alternative transactions
settlement and clearing operationssystems, which could be
created outside the traditional systems. . By doing so, it leaves to
institutions recorded by clearing
centres, namely financial institutions,
the right to decide the level of acceptance of each systems.
Of
course, it remains to non financial e-money
issuers the possibility of building up their own clearing
centres. An example of such a system This
have already been observedcan be found in mobile telecommunications in the GSM world with companies such as MACH, a Luxembourg-based
organisation. MACH core business is the clearing of call data
generated by the international and national roaming
activities of GSM mobile
phone users. Each roaming call creates a liability of a network
of a GSM terminal holder toward the
network used by this holder. MACH facilitates settling of these liabilities on
bilateral and multilateral basis. Clearing services include comprehensive data checks
and all related management reports. MACH processes, converts and reconciles between Transferred
Account Procedure (TAP) and Cellular Intercarrier Billing Exchange Roamer
(CIBER) Record formats to facilitate transactions between roaming partners
using different technical standards.
If suchmore such clearing centressystems were created by
non-financial money issuers, it would be interesting for European
Commission and the
monetary authorities to evaluate the implication of the development of such systemsstudy
the opportunity of including them in the Directive Proposal and to
define their status.
. Do they create significant
new risks ? Who would guarantee their performance and integrity ? It
would actually exist
a major difference between those kind of proprietary
clearing systems and current
ones from banking sector. Banking clearing systems have a link
to Central Banks,
which
play a role of lender of the last resort. In proprietarynon-bank clearing and
settlement
systems, Central Bank would normally not
appearnot
get involved. It
would thus be
interesting to determine who would
guaranty
the whole system and the importance of systemic risk
in such a system.Is there a need for new
regulation in this area ? If yes, what would be its principles.
According to manypractically all experts from the banking
sector,
electronic commerce will not be achieved without creation of universal payment
means for transactions realised on electronic networks. Letting non-banks issue money can
lead to the creation of a multiplicity of proprietary incompatible
systems which will slow the development of e-commerce. Consulted French
experts are convinced that in the end, only universal systems promoted by banks
will remain, evincing or absorbing proprietary systems developed
by non-banks. According to the
French central bank, restricting issuing field to financial institutions,
should not hamper the development of technological initiative. Customers and
merchants are primary looking after universal payment means and not
incompatible private initiatives.
Given the degree of
uncertainty about future technological and market developments in electronic
banking and electronic money, it is important that supervisory authorities
avoid policies that hamper useful innovation and experimentation. At the same
time, it is crucial that along with the benefits, electronic money activities
carry risks for banking organisations and these risks must be balanced against
the benefits.
Among all risks
that a bank must face when implementing a new payment system, reputational risk
is one of the most hazardous. Reputational risk is the risk of significant negative
public opinion that results in a critical loss of funding or customers.
Reputational risk may arise when systems or products do not work as expected
and cause widespread negative public reaction. A significant
breach of security, whether as a result of external or internal attacks on a
bank's system, can undermine public confidence in a bank. Reputational risk may also arise in cases where customers
experience problems with a service but have not been given adequate
information about product use and problem resolution procedure. Mistakes,
malfeasance, and fraud by third parties may also expose a bank to reputational
risk.
Reputational risk may not only be significant for a single bank but also for
the banking system as a whole. If, for instance, a globally active bank
experienced important reputational damage concerning its electronic banking or
electronic money business, the security of other banks' systems may also be
called into question. Under extreme circumstances, such a situation might lead
to systemic disruptions in the banking system as a whole. For that reason,
banks are very concerned each
time they need to share their activities with non-banking institutions because, which are not obliged to
respect all the security constraints imposed to banks.
Moreover, according to French
experts, instead of slowing the development of effective e-money systems, restricting e-money
issuance activity to the banking sector can speed-up customer acceptance regarding the new payment
instrument. In principle, in a market economy, it is the task
of the creditor to assess the creditworthiness of his debtor. As regards issuing
institutions, most customers cannot assess the quality of these institutions,
due to the asymmetric availability of information and a lack of understanding
of the technical security features of the payments systems. That is why they
will logically turn themselves towards institutions they know perfectly and
that seem to be the most reliable: banks. Moreover, the
development of an universal (or at least European) system bearing
logos from the banking sector (well known and trusted sector) should increase customers
confidence and should ease his acceptation of the product. When observing the
market, it can be noticed that e-money issuers are currently (before any
regulation) principally actors from the banking sector or are working together with that sector. For example, Discount Investment
Corporation (DIC), a non-financial institution which has bought a Mondex
franchise for Israel, is deploying its system together with Israeli banking
sector.
The position of ECB
is firm. With a view to the transition to Economic and Monetary Union, the
issuance of electronic money should be limited to credit institutions as
defined in Article 1 of the First Banking Co-ordination Directive. The ECB
would see great merit in pursuing an amendment to the First Banking
Co-ordination Directive so as to include all issuers of electronic money in the
definition of credit institution along with institutions which receive deposit
or other repayable funds from the public and grant credit for their own
account.
By non-redeemability, we consider the
situation in which the issuer is only obliged to reimburse the retailer
presenting electronic value, but refrains from redeeming the customer. European Commission
Directive Proposal does not deal with redeemability aspects. According to
European Central Bank (ECB) these aspects are very important and must be regulated.
A legal
requirement must be imposed that electronic money is redeemable at par in order
to forbid systems refraining
from redeeming the customer.
The main argument
of European Central Bank is that without a close link to central money, there could potentially
be an unlimited creation of electronic money, which could, in turn, lead to an
inflationary pressure.
Another perverse
effect of
non-redeemability would be a situation in which the retailer only accepts
electronic value below par (if the soundness of the issuer is
at stake). In such circumstances the private
provision of the medium-of-exchange and store-of value functions of money would
no longer be consistent with the simultaneous public provision of the
unit-of-account function of money.
Electronic banking
and electronic money activities are based on technology that by its very nature
is designed to extend the geographic reach of banks and customers. Such market
expansion can extend beyond national borders, highlighting certain risks.
Although banks currently face similar types of risks in international banking,
it is important to note that these risks are also relevant to the cross-border
conduct of electronic banking and electronic Banks may face different legal and regulatory
requirements when they deal with customers across national borders. For new forms of
retail electronic banking, such as Internet banking, and for electronic money, there may be
uncertainties about legal requirements in some countries. In
addition, there may be jurisdictional ambiguities with respect to the responsibilities of
different national authorities. Such considerations may expose banks to legal risk
associated with non-compliance with different national laws and regulations, including consumer
protection laws, record-keeping and reporting requirements, privacy rules, and money
laundering laws.
Even if the Directive Proposal
puts the stress on security,
insisting on the fact that financial integrity and the operations of
electronic money issuers must be secured, it does not directly tackle with
specific dimensions of security. It is true that security features constantly evolve and hence that it
would be difficult to focus on that subject. In its proposal, European Commission
currently
leaves
the control of soundness of electronic issuers to supervision authorities.
Another action
taken by the Commission regarding security is a Communication on a
Framework for Action on Combating Fraud and Counterfeiting of non-cash means of
payment (July
1, 1998).
The aim of the Joint Action plan contained in that Communication is to ensure
that fraud and counterfeit of non-cash means of payment is recognised as
criminal offence in all Member States and set out a range of measures to be
taken at National level. There is a commitment for an assessment of the implementation of the
framework by the Council based on a report from the commission by the
end of 2000.
A list of fraud
risks can be found in the Group of Ten report on security of electronic money
(August 1996). Here is a summary of that
listThey
include:
-
Duplication of devices: In
card based systems, the method of attack could be the creation of new device
that is accepted by other devices as genuine. The objective would
be to duplicate a genuine card, including its existing cryptographic keys, card
balances and other data. Alternatively, an attacker could attempt to create a
card that would function as a genuine card but would fraudulently contain
balances without a corresponding load transaction and payment to the issuer.
-
Alteration or duplication of data or software: The objective of
fraud could be to modify data stored on a genuine electronic money device in an
unauthorised manner. For example, if the balance recorded on a device were
fraudulently increased without other evidence of tampering or
damage to the card, the holder could perform transactions with
the device that would appear genuine to the merchant terminal. Another method
of attack would be to
modify the internal functions of a chip card, such as its accounting
procedures, so that calculations would not be executed as
intended.
-
Alteration of messages: Attackers could
attempt to change the data or processes of a device by deleting messages,
replaying messages, substituting an altered message for a valid one or
observing messages for the purpose of attempting a cryptographic attack.
Communications between devices could be intercepted by outside attackers when
sent across telecommunications lines, through computer networks or through direct
contact between devices.
-
Theft: An
unsophisticated method of attack would be to steal consumer or merchant devices
and fraudulently
utilise the balances recorded on them. Data stored on devices could also be
stolen via
unauthorised
copying.
Such a theft would only be detected after the issuer received the fraudulent as well as the
genuine copy of the same note for payment, by which time the attacker would probably already
have obtained a financial benefit.
-
Repudiation of transactions: Fraud could also be
attempted through repudiation of transactions made with an electronic money
payment. For example, in remote transactions, such as those conducted over the
telephone or via computer networks, a user could fraudulently claim that he or
she had not, in fact, a particular transaction. This could cause losses to the
merchant as well as to the institution issuing the particular electronic money
product.
Multiple techniques
are currently employed to prevent fraud.
The first one is, the cryptography,
is based
on software. Cryptography is
one of the most important components of fraud prevention in electronic money
systems. Cryptographic techniques provide the logical protection of electronic
money systems by ensuring the confidentiality, authenticity and
integrity of devices, data communications used in transactions. Two types of
cryptographic techniques are currently in use: DES (and triple DES) and RSA. RSA, the most secure, is based on asymmetric cryptography and can be
expensive to implement in card transactions. That is why triple DES is often
used to secure electronic-purse products. Keys needed for
cryptography are recorded on the computer hard disk (software based
solution) or on a smart card (hardware based solution). The second method
proves to be more secure than the first one.
The second one
deals with hardware protection. It only concerns smart cards. Hardware protection is
created during the manufacturing process and includes physical barriers that prevent optical or
electrical reading or physical alteration of the chip's contents. Size, in terms of the width
of the chip's wiring, is an important physical barrier for microchip cards. The smaller the wiring,
the more difficult it is to probe physically the contents of a chip without highly specialised and
expensive equipment.
Other protection
measures are detection measures. Among them, we can noticemention transaction traceability and monitoring. Other
techniques are limits on transferability and statistical analysis. Limits placed on
the transferability of stored-value balances or notes may reduce the opportunities for
fraudulent balances to be used without detection. Electronic money
systems can also implement procedures to analyse system-level data on payment
flows in order to detect unusual volumes of payments that could be indicative
of fraud. Issuers or a central system may utilise the automated procedures for
pattern recognition that have become common in the credit card industry to
detect abnormal activity.
More information on
fraud prevention and detection can be found in the G-10 report, "Security
of Electronic Money".
European Commission's
Directive Proposal does not deal with two important dimensions of electronic
money systems: traceability of electronic money and users privacy.
Individual
electronic money transactions are subject to a variety of different
security-related monitoring and verification procedures. In most of the
card-based systems analysed, each transaction can be identified by a unique number,
based on the card's serial number and its transaction counter, which increases by one
increment for each attempted transaction. In the case of note-based systems,
each note has a unique serial number.
The frequency,
location and extent of monitoring of transaction-specific information by a
central operator varies across systems and may be conducted at the option of
the operator according to the particular environment. In some systems,
transaction information, including the identity of both devices in the
transaction, is transmitted to the central point some time after the
transaction has taken place. This record could be read at a later time by a
central system. Some
systems truncate information at the level of the merchant or acquirer. Some systems verify every
transaction that is executed; this is clearly quite costly to perform. Other systems check transactions on an
ad hoc basis or in response to evidence of suspicious behaviour. Transactions can be
subject to financial verification as well as security verification. Financial
verification may involve accumulating transaction amounts for each device and
calculating "shadow balances" for devices, which are
stored in a central database. This type of active transaction monitoring
provides a very high degree of certainty that any fraudulent transactions or
alteration of balances on a card will be detected at some point. Monitoring of
transaction is considered by banks as a key point in systems security. Some systems as
Proton, allowing a very cute monitoring, are often preferred to systems,
like Mondex, with which users can transfer money from a card to another without
any record of the transaction.
This monitoring
operations by the system operator can raise some concerns about users privacy.
That privacy must be protected and systems allowing to create lists of expenses
of the consumer prohibited.
Electronic -money
is a new concept which is far from being well understood. Whether it is called
electronic money, electronic finance or electronic payments, a continuing convergence
and interpenetration between the world of finance and that of Information
Technology is a strong and irreversible trend, which is far from having run its
course. It will
continue to profoundly transform the banking business, banking and financial service activities as well as the underlying infrastructure and systems. We see electronic finance as
fundamentally positive phenomenon that will significantly contribute to the
growth of electronic commerce. At the same time, the need for an appropriate
regulatory framework should be acknowledged. Such framework would preserve the integrity of
the system and the customer trust while at the same time recognising the new configuration of
actors and issues. This
may imply changes from the current system. In order to
facilitate both development of electronic finance and the emergence of an
appropriate regulatory framework, public authorities should focus on three key
areasneeds
to be better understood and discussed before
being
regulated in an accurate way. This
can be done by improving three key aspects: Research, cCo-ordination and information
disseminationDissemination.
A fundamental The
real breakthrough of e-money occurred
three to four years ago
with the deployment of electronic purses. This
concept is still new and is not well understood
yet. prerequisite for public
policy action is a better understanding of electronic money dynamics. As we
have seen above, the
definition of e-money varies between considerably between various actors, leading to a basic
disagreement whether the e-money even exists. Furthermore, the functioning and impact of electronic instruments and
payment systems,
the way they create and transform value, are not well understood.
There is a need for a
sustained effort to enhance the understanding of various aspects of electronic
money and electronic finance:
-
Basic definitions
-
Various categories of electronic payment
instruments
-
Value chain (from issuance to clearing and
settlements)
-
Impact of technology on financial systems
-
Risk typology and evolution
-
Social impact (customer and merchant attitudes)
-
Economic impact of money dematerialisation
Many of these aspects have
already been analysed and discussed but bringing them together in a co-ordinated and integrated
programme will provide
a new perspective and contribute to build a solid background for policy work.
On
one hand, the definition of e-money
varies between actors. As
every new payment instrument, e-money evolves progressively,
its acceptance by merchants
and customers growths slowly. Its status is not clear. E-money can not be
compared with one-purpose
instruments,
as public phone cards. But can not be compared with cash
too, due to the limitation of
its acceptance points. On
the other hand, while
the issuing side of the process begins to be better understood, no
real study
has tried to highlight
mechanisms of the settlement and
clearing side of e-money.
Research
efforts must be done to improve understanding of the e-money concept,
in particularly
concerning
settlement
and clearing aspects. Many questions are still
needing an answer:
-Do private clearing houses being regulated?
-Who will be responsible for the
clearing?
-To which extend?
-…
Both Rresearch and initiatives policy discussions regarding e-money
are extremely fragmented. More than 20 non-interoperable
systems of electronic
purses are coexisting in Europe. . Working groups on various policy aspects proliferate but they
tend to follow existing institutional or sectoral arrangements. Thus central banks tend to discuss serious issues among themselves,
commercial banks are
reluctant to invite
technology
suppliers and so
on. Policy work tend to follow traditional boundaries, many of whom have been
rendered obsolete by the emergence of electronic finance and electronic
money. As a result, many bankers continue to ignore the
technology and vice versa.
Researches led by banking sector, universities
and governments draw different conclusions which need to be put together and
compared.
It is therefore important to encourage the creation
of cross-sectoral, cross-institutional working groups, bringing together public
and private sectors, technologists and financiers, suppliers and users, so that various perspectives can be brought to bear on key
issues of customer protection and privacy, risk management and prudential
supervision of the
new financial landscape. New situation requires innovative solutions,
which can be found within traditional arrangements.
Creation of working groups
gathering all the actors implied in the development of e-money must be created,
in order to help to reach aggregate solutions. Those working groups must be
international and gather experts from banks, governments
and academies, but also from retailing
sector, consumers care
associations,
etc…
Although many issues of electronic money are fairly
technical, ultimately, money touches all aspects of economic but also social and
psychological environment. General public needs to understand the implications
of the emergence of electronic money. Researches results should be widely
disseminated, with Internet and its resources providing the necessary variety
of channels. But there is a need to go further. In the United States, both the
Congress and the public authorities have held a number of public hearings of
electronic money issues. We recommend that both the Parliament and the
Commission consider holding such hearings as part of their policy-making
process. results have to be made
public, in order to stimulate exchanges on the topic. Forums can be created, to
get a feedback
on expressed propositions and solutions.
Such initiatives are
currently developed
in the United States and
can be an inspiration
source for Europeans.
BASLE COMMITTEE ON BANKING SUPERVISION (1998), Risk
Management for Electronic Banking and Electronic Money Activities.
COMMITEE ON PAYMENT AND SETTLEMENT SYSTEMS AND
GROUP OF COMPUTER EXPERTS OF THE CENTRAL BANKS OF THE GROUP OF TEN COUNTRIES
(1996), Security on Electronic Money.
GOLDFINGER CHARLES
(1997), Electronic Money in Japan.E
EUROPEAN
CENTRAL BANK (1998), Report on electronic money.
EUROPEAN COMMISSION (1998), Commission
proposal for European Parliament and Council Directives on the taking up, the
pursuit and the prudential supervision of the business of electronic money
institutions.
GOLDFINGER CHARLES (1997), Electronic Money in
Japan.
GROUP OF TEN (1997), Electronic Money: Consumer
protection, law enforcement, supervisory and cross border issues.
SOLOMON ELINOR (1997), Virtual Money.
SWISS NATIONAL BANK (1998), Electronic Money - A central
banker's perspective.
UNIVERSITY OF LONDON (1997), Digital Cash and Internet.
DE BOISSIEU CHRISTIAN, Université de Paris I, Professor.
MORAU MARC, Banque
de France, Manager, Banking Payment Services.