Executive Summary

The EU Court of Justice’s (CJEU)  July 2020 Schrems II decision generated significant uncertainty, as well as enforcement actions in various EU countries, as it questioned the lawfulness of transferring data to the United States under the General Data Protection Regulation (GDPR)[1] while relying on “standard contractual clauses.”

President Joe Biden signed an executive order in October 2022 establishing a new data-protection framework to address this uncertainty. The European Commission responded in July 2023 by adopting an “Adequacy Decision” under Article 45(3) of the GDPR, formally deeming U.S. data-protection commitments to be adequate.

A member of the French Parliament has already filed the first legal challenge to the Adequacy Decision and another from Austrian privacy activist Max Schrems is expected soon.

This paper discusses key legal issues likely to be litigated:

1. The legal standard of an “adequate level of protection” for personal data. Although we know that the “adequate level” and “essential equivalence” of protection do not necessarily mean identical protection, the precise degree of flexibility remains an open question that the EU Court may need to clarify to a much greater extent.
2. The issue of proportionality of “bulk” data collection by the U.S. government. It examines whether the objectives pursued can be considered legitimate under EU law and, if so, whether the existing CJEU precedents preclude such collection from being considered proportionate under the GDPR.
3. The problem of effective redress—a cornerstone of the Schrems II decision. This paper explores debates around Article 47 of the EU Charter of Fundamental Rights, whether the new U.S. framework offers redress through an impartial tribunal, and whether EU persons can effectively access the redress procedure.
4. The issue of access to information about U.S. intelligence agencies’ data-processing activities.

I.        Introduction

Since the EU Court of Justice’s (CJEU) Schrems II decision,[2] it has been precarious whether transfers of personal data from the EU to the United States are lawful. It’s true that U.S. intelligence-collection rules and practices have changed since 2016, when the European Commission issued its assessment in the “Privacy Shield Decision” and to which facts the CJEU limited its reasoning. There has, however, also been a vocal movement among NGOs, European politicians, and—recently—national data-protection authorities to treat Schrems II as if it conclusively decided that exports of personal data to the United States could not be justified through standard contractual clauses (“SCC”) in most contexts (i.e., when data can be accessed in the United States). This interpretation has now led to a series of enforcement actions by national authorities in Austria, France, and likely in several other member states (notably in the “Google Analytics” cases, as well as the French “Doctolib/Amazon Web Services” case).[3]

Aiming to address this precarious situation, the White House adopted a new data-protection framework for intelligence-collection activities. On Oct. 7, 2022, President Joe Biden signed an executive order codifying that framework,[4] which had been awaited since U.S. and EU officials reached an agreement in principle on a new data-privacy framework in March 2022.[5] The European Commission responded by preparing a draft “Adequacy Decision” for the United States under Article 45(3) of the General Data Protection Regulation (GDPR), which was released in December 2022.[6] In July 2023, the European Commission formally adopted the Adequacy Decision.[7]

The first legal challenge to the decision has already been filed by Philippe Latombe, a member of the French Parliament and a commissioner of the French Data Protection Authority (CNIL).[8] Latombe is acting in his personal capacity, not as a French MP or a member of CNIL. He chose a direct action for annulment under Article 263 of the Treaty on the Functioning of the European Union (TFEU), which means that his case faces strict admissibility conditions. Based on precedent, it would not be surprising if the EU courts refuse to consider its merits.[9] Regarding the substance of Latombe’s action, he described it in very general terms in his press release (working translation from French):

The text resulting from these negotiations violates the Charter of Fundamental Rights of the Union, due to the insufficient guarantees of respect for private and family life with regard to the bulk collection of personal data, and the General Data Protection Regulation (GDPR), due to the absence of guarantees of a right to an effective remedy and access to an impartial tribunal, the absence of a framework for automated decisions or lack of guarantees relating to the security of the data processed: all violations of our law which I develop in the 33-page brief (+ 283 pages of annexes) filed with the TJUE yesterday.[10]

Latombe also complained about the Adequacy Decision being published only in English.[11] Irrespective of the legal merits of that complaint, however, it is already moot because the Adequacy Decision was subsequently published in the Official Journal of the European Union in all official EU languages.[12]

Reportedly, Max Schrems also plans to bring a legal challenge against the Adequacy Decision,[13] as he has successfully done with the two predecessors of the current EU-US framework.[14] This time, however, Schrems plans to begin the suit in the Austrian courts, hoping for a speedy preliminary reference to the EU Court of Justice (“CJEU”).[15]

This paper aims to present and discuss the key legal issues surrounding the European Commission’s Adequacy Decision, which are likely to be the subject of litigation. In Section II, I begin by problematizing the applicable legal standard of an “adequate level of protection” of personal data in a third country, noting that this issue remains open for the CJEU to address. This makes it more challenging to assess the Adequacy Decision’s chances before the Court and suggests that the conclusive tone adopted by some commentators is premature.

I then turn, in Section III, to the question of proportionality of bulk data collection by the U.S. government. I consider whether the objectives for which U.S. intelligence agencies collect personal data may constitute “legitimate objectives” under EU law. Secondly, I discuss whether bulk collection of personal data may be done in a way that does not jeopardize adequacy under the GDPR.

The second part of Section III is devoted to the problem of effective redress, which was the critical issue on which the CJEU relied in making its Schrems II decision. I note some confusion among the commentators about the precise role of Article 47 of the EU Charter of Fundamental Rights for a third-country adequacy assessment under the GDPR. I then outline the disagreement between the Commission and some commentators on whether the new U.S. data-protection framework provides redress through an independent and impartial tribunal with binding powers.

Finally, I discuss the issue of access to information about U.S. intelligence agencies’ data-processing activities.

II.      The Applicable Legal Standard: What Does ‘Adequacy’ Mean?

The overarching legal question that the CJEU will likely need to answer is whether the United States “ensures an adequate level of protection for personal data essentially equivalent to that guaranteed in the European Union by the GDPR, read in the light of Articles 7 and 8 of the [EU Charter of Fundamental Rights].”[16]

The words “essentially equivalent” are not to be found in the GDPR’s provision on adequacy decisions—i.e., in its Article 45, which merely refers to an “adequate level of protection” of personal data in a third country. Instead, we find them in the GDPR’s recital 104: “[t]he third country should offer guarantees ensuring an adequate level of protection essentially equivalent to that ensured within the Union (…).” This phrasing goes back to the CJEU’s Schrems I decision,[17] where the Court interpreted the old Data Protection Directive (Directive 95/46).[18] In Schrems I, the Court stated:

The word ‘adequate’ in Article 25(6) of Directive 95/46 admittedly signifies that a third country cannot be required to ensure a level of protection identical to that guaranteed in the EU legal order. However, as the Advocate General has observed in point 141 of his Opinion, the term ‘adequate level of protection’ must be understood as requiring the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of Directive 95/46 read in the light of the Charter.[19]

As Christakis, Propp, & have Swire noted,[20] the critical point that “a third country cannot be required to ensure a level of protection identical to that guaranteed in the EU legal order” was also accepted by the Advocate General Øe in Schrems II.[21]

In 2020, the European Data Protection Board (EDPB) issued recommendations “on the European Essential Guarantees for surveillance measures.”[22] The recommendations aim to “form part of the assessment to conduct in order to determine whether a third country provides a level of protection essentially equivalent to that guaranteed within the EU.”[23] The EDPB’s document is, of course, not a source of law binding the Court of Justice, but it attempts to interpret the law in light of the CJEU’s jurisprudence. The Court is free not to follow the EDPB’s legal interpretation, and thus the importance of the recommendations should not be overstated, either in favor or against the Adequacy Decision.

While we know that the “adequate level” and “essential equivalence” of protection do not necessarily mean identical protection, the precise degree of flexibility remains an open question—and one that the EU Court may need to clarify to a much greater extent.

III.    Arguments Likely to Be Made Against the Adequacy Decision

A.     Proportionality and Bulk Data Collection

Under Article 52(1) of the EU Charter of Fundamental Rights, restrictions on the right to privacy and the protection of personal data must meet several conditions. They must be “provided for by law” and “respect the essence” of the right. Moreover, “subject to the principle of proportionality, limitations may be made only if they are necessary” and meet one of the objectives recognized by EU law or “the need to protect the rights and freedoms of others.”

The October 2022 executive order supplemented the phrasing “as tailored as possible” present in 2014’s Presidential Policy Directive on Signals Intelligence Activities (PPD-28) with language explicitly drawn from EU law: mentions of the “necessity” and “proportionality” of signals-intelligence activities related to “validated intelligence priorities.”[24]

Doubts have been raised, however, as to whether this is sufficient. I consider two potential issues. First, whether the objectives for which U.S. intelligence agencies collect personal data may constitute “legitimate objectives” under EU law. Second, whether the bulk collection of personal data may be done in a way that does not jeopardize adequacy under the GDPR.

1.        Legitimate objectives

In his analysis of the adequacy under EU law of the new U.S. data-protection framework, Douwe Korff argues that:

The purposes for which the Presidential Executive Order allows the use of signal intelligence and bulk data collection capabilities are clearly not limited to what the EU Court of Justice regards as legitimate national security purposes.[25]

Korff’s concern is that the legitimate objectives listed in the executive order are too broad and could be interpreted to include, e.g., criminal or economic threats, which do not rise to the level of “national security” as defined by the CJEU.[26] Korff referred to the EDPB Recommendations, which reference CJEU decisions in La Quadrature du Net and Privacy International. Unlike Korff, however, the EDPB stresses that those CJEU decisions were “in relation to the law of a Member State and not to a third country law.”[27]

In contrast, in Schrems II, the Court did not consider legitimate objectives when assessing whether a third country provides adequate protection. In its recommendations, the EDPB discussed the legal material that was available, i.e., the CJEU decisions on intra-EU matters. Still, this approach can be taken too far without sufficient care. Just because some guidance is available (on intra-EU issues), it does not follow that it applies to data transfers outside the EU. It is instructive to consider, in this context, what Advocate General Øe said in Schrems II:

It also follows from that judgment [Schrems I – MB], in my view, that the law of the third State of destination may reflect its own scale of values according to which the respective weight of the various interests involved may diverge from that attributed to them in the EU legal order. Moreover, the protection of personal data that prevails within the European Union meets a particularly high standard by comparison with the level of protection in force in the rest of the world. The ‘essential equivalence’ test should therefore in my view be applied in such a way as to preserve a certain flexibility in order to take the various legal and cultural traditions into account. That test implies, however, if it is not to be deprived of its substance, that certain minimum safeguards and general requirements for the protection of fundamental rights that follow from the Charter and the ECHR have an equivalent in the legal order of the third country of destination.[28]

Hence, exclusive focus on what the EU law requires within the EU—however convenient this method may be—may be misleading in assessing the adequacy of a third country under Article 45.

Aside from the lack of direct guidance on the question of legitimate objectives under Article 45 GDPR, there is a second reason not to be too quick to conclude that the U.S. framework fails on this point. As the Commission noted in the Adequacy Decision:

(…) the legitimate objectives laid down in EO 14086 cannot by themselves be relied upon by intelligence agencies to justify signals intelligence collection but must be further substantiated, for operational purposes, into more concrete priorities for which signals intelligence may be collected. In other words, actual collection can only take place to advance a more specific priority. Such priorities are established through a dedicated process aimed at ensuring compliance with the applicable legal requirements, including those relating to privacy and civil liberties.[29]

It may be a formalistic mistake to consider the list of “legitimate objectives” in isolation from such additional requirements and process. The assessment of third-country adequacy cannot be constrained by the mere choice of words, even if they seem to correspond to an established concept in EU law. (Note that this also applies to “necessity” and “proportionality” as used in the executive order.)

2.        Can bulk collection be ‘adequate’?

As Max Schrems’ organization NOYB stated in response to the executive order’s publication:

(…) there is no indication that US mass surveillance will change in practice. So-called “bulk surveillance” will continue under the new Executive Order (see Section 2 (c)(ii)) and any data sent to US providers will still end up in programs like PRISM or Upstream, despite of the CJEU declaring US surveillance laws and practices as not “proportionate” (under the European understanding of the word) twice.[30]

Korff echoed this view, noting, e.g.:

(…) – the EO [Executive Order – MB] does not stand in the way of the indiscriminate bulk collection of e-communications content data that the EU Court held does not respect the “essence” of data protection and privacy and that therefore, under EU law, must always be prohibited, even in relation to national security issues (as narrowly defined);

– the EO allows for indiscriminate bulk collection of e-communications metadata outside of the extreme scenarios in which the EU Court only, exceptionally, allows it in Europe; and

– the EO allows for indiscriminate bulk collection of those and other data for broadly defined not national security-related purposes in relation to which such collection is regarded as clearly not “necessary” or “proportionate” under EU law.[31]

The Schrems II Court indeed held that U.S. law and practices do not “[correlate] to the minimum safeguards resulting, under EU law, from the principle of proportionality.”[32] As, however, the EDPB noted in its opinion on a draft of the Adequacy Decision:

… the CJEU did not exclude, by principle, bulk collection, but considered in its Schrems II decision that for such bulk collection to take place lawfully, sufficiently clear and precise limits must be in place to delimit the scope of such bulk collection. (…)

The EDPB also recognizes that while replacing the PPD-28, the EO 14086 provides for new safeguards and limits to the collection and use of data collected outside the U.S., as the limitations of FISA or other more specific U.S. laws do not apply.[33]

As Korff observed, the CJEU has considered the question of bulk collection of electronic communication data, in an intra-EU context, in cases like Digital Rights Ireland[34] and La Quadrature du Net.[35] In Schrems I, the Court referenced Digital Rights Ireland, while stating:

(…) legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter (…)[36]

This is potentially important, because the Court concluded the discussion included in this paragraph by saying that “a level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order” is “apparent in particular from the preceding paragraphs.”[37] This could suggest that, as under the Data Protection Directive in Schrems I, the Court may see the issue of bulk collection of the contents of electronic communications as a serious problem for adequacy under Article 45 GDPR.

The Commission addressed this in the Adequacy Decision as follows:

(…) collection of data within the United States, which is the most relevant for the present adequacy finding as it concerns data that has been transferred to organisations in the U.S., must always be targeted (…) ‘Bulk collection’ may only be carried out outside the United States, on the basis of EO 12333.[38]

The Commission relies on a distinction between data collection that the U.S. government does within the United States and outside of the United States. This likely refers to an argument—discussed by, e.g., Christakis[39] —that adequacy assessment should only concern the processing of personal data that takes place due to a data transfer to the country in question. In other words, it should only concern domestic surveillance, not international surveillance (if personal data transferred from the EU would fall under domestic surveillance in that third country).

The Commission also made a second relevant point:

(…) bulk collection under EO 12333 takes place only when necessary to advance specific validated intelligence priorities and is subject to a number of limitations and safeguards designed to ensure that data is not accessed on an indiscriminate basis. Bulk collection is therefore to be contrasted to collection taking place on a generalised and indiscriminate basis (‘mass surveillance’) without limitations and safeguards.[40]

In the Commission’s view, there is a categorical distinction between “bulk collection” as practiced by the United States and the “generalized and indiscriminate” mass surveillance that the CJEU scrutinized in Digital Rights Ireland and other cases. This may seem like an unnatural reading of “generalized and indiscriminate,” given that it is meant not to apply to “the collection of large quantities of signals intelligence that, due to technical or operational considerations, is acquired without the use of discriminants (for example, without the use of specific identifiers or selection terms).”[41] There may, however, be analogies in EU law that could lead the Court to agree with the Commission on this point.

Consider the Court’s interpretation of the prohibition on “general monitoring” obligations from Article 15(1) of the eCommerce Directive.[42] In Glawischnig-Piesczek, the Court interpreted this rule as not precluding member states from requiring hosting providers to monitor all the content they host in order to identify content identical to “the content of information which was previously declared to be unlawful.”[43] In other words, “general monitoring” was interpreted as not covering indiscriminate processing of all data stored by a hosting provider in order to find content identical to some other content.[44] The Court adopted an analogous approach with respect to Article 17 of the Copyright Directive.[45] This suggests that, in somewhat similar contexts, the Court is willing to see activities that may technically appear to be “general” as “not general,” if some procedural or substantive limitations are present.

B.     Effective Redress

The lack of effective redress available to EU citizens against potential restrictions of their right to privacy from U.S. intelligence activities was central to the Schrems II decision. Among the Court’s key findings were that “PPD-28 does not grant data subjects actionable rights before the courts against the US authorities”[46] and that, under Executive Order 12333, “access to data in transit to the United States [is possible] without that access being subject to any judicial review.”[47]

The new executive order introduced redress mechanisms that include creating a civil-liberties-protection officer in the Office of the Director of National Intelligence (DNI), as well as a new Data Protection Review Court (DPRC). The DPRC is proposed as an independent review body that will make decisions binding on U.S. intelligence agencies. The old framework had sparked concerns about the independence of the DNI’s ombudsperson, and what was seen as insufficient safeguards against external pressures, including the threat of removal. Under the new framework, the independence and binding powers of the DPRC are grounded in regulations issued by the U.S. attorney general.

In a recent public debate, Max Schrems argued that the CJEU would have a difficult time finding that this judicial procedure satisfies Article 47 of the EU Charter, while at the same time holding that some courts in Poland and Hungary do not satisfy it.[48]

1.        Article 47 of the Charter ‘contributes’ to the benchmark level of protection

Schrems’ comment raises two distinct issues. First, Schrems seems to suggest that an adequacy decision can only be granted if the available redress mechanism satisfies the requirements of Article 47 of the Charter of Fundamental Rights.[49] But this is a hasty conclusion. The CJEU’s phrasing in Schrems II is more cautious:

…Article 47 of the Charter, which also contributes to the required level of protection in the European Union, compliance with which must be determined by the Commission before it adopts an adequacy decision pursuant to Article 45(1) of the GDPR.[50]

In arguing that Article 47 “also contributes to the required level of protection,” the Court is not saying that it determines the required level of protection. This is potentially significant, given that the standard of adequacy is “essential equivalence,” not that it be procedurally and substantively identical. Moreover, the Court did not say that the Commission must determine compliance with Article 47 itself, but with the “required level of protection” (which, again, must be “essentially equivalent”). Hence, it is far from clear how the CJEU’s jurisprudence interpreting Article 47 of the Charter is to be applied in the context of an adequacy assessment under Article 45 GDPR.

2.        Is there an independent and impartial tribunal with binding powers?

Second, there is the related but distinct question of whether the redress mechanism is effective under the applicable standard of “required level of protection.” Christakis, Propp, & Swire offer helpful analysis suggesting that it is, considering the proposed DPRC’s independence, effective investigative powers, and authority to issue binding determinations.[51] Gorski & Korff argue that this is not the case, because the DPRC is not “wholly autonomous” and “free from hierarchical constraint.”[52]

The Commission stated in the Adequacy Decision that the available avenues of redress “allow individuals to have access to their personal data, to have the lawfulness of government access to their data reviewed and, if a violation is found, to have such violation remedied, including through the rectification or erasure of their personal data.”[53] Moreover:

(…) the executive branch (the Attorney General and intelligence agencies) are barred from interfering with or improperly influencing the DPRC’s review. The DPRC itself is required to impartially adjudicate cases and operates according to its own rules of procedure (adopted by majority vote) (…)[54]

Likely the most serious objection to this assessment (raised by Gorski) is that:

(…) the court’s decisions can be overruled by the President. Indeed, the President could presumably overrule these decisions in secret, since the court’s opinions are not issued publicly.[55]

Given that Christakis, Propp, & Swire appear to disagree,[56] this question of U.S. law may require further scrutiny. Even if the scenario sketched by Gorski is theoretically possible, however, the CJEU may take the view that it would not be appropriate to rule based on the assumption that the U.S. government would act to mislead the EU. And without that assumption, then the possibility of future changes to U.S. law appear to be adequately addressed by the adequacy-monitoring process (Article 45(4) GDPR).

3.        Do EU persons have effective access to the redress mechanism?

In the already-cited public debate, Max Schrems argued that it may be practically impossible for EU persons to benefit from the new redress mechanism, due to the requirements imposed on “qualifying complaints” under the executive order.[57] Presumably, Schrems implicitly refers to the requirements that a complaint:

(i) “alleges a covered violation has occurred that pertains to personal information of or about the complainant, a natural person, reasonably believed to have been transferred to the United States from a qualifying state after” the official designation of that country by the Attorney General;

(ii) includes “information that forms the basis for alleging that a covered violation has occurred, which need not demonstrate that the complainant’s data has in fact been subject to United States signals intelligence activities; the nature of the relief sought; the specific means by which personal information of or about the complainant was believed to have been transmitted to the United States; the identities of the United States Government entities believed to be involved in the alleged violation (if known); and any other measures the complainant pursued to obtain the relief requested and the response received through those other measures;”

(iii) “is not frivolous, vexatious, or made in bad faith”[58]

Given the qualifications that a complaint need only to “allege” a violation and “need not demonstrate that the complainant’s data has in fact been subject to United States signals intelligence activities,” it is unclear what Schrems’ basis for suggesting that it will not be possible for EU persons to benefit from this redress mechanism is.

C.     Access to Information About Data Processing

Finally, Schrems’ NOYB raised a concern that “judgment by ‘Court’ [is] already spelled out in Executive Order.”[59] This concern seems to be based on the view that a decision of the DPRC (“the judgment”) and what the DPRC communicates to the complainant are the same thing. In other words, the legal effects of a DPRC decision are exhausted by providing the individual with the neither-confirm-nor-deny statement set out in Section 3 of the executive order. This is clearly incorrect. The DPRC has the power to issue binding directions to intelligence agencies. The actual binding determinations of the DPRC are not predetermined by the executive order; only the information to be provided to the complainant is.

Relatedly, Korff argues that:

(…) the meaningless “boilerplate” responses that are spelled out in the rules also violate the principle, enshrined in the ECHR and therefore also applicable under the Charter, that any judgment of a court must be “pronounced publicly”. The “boilerplate” responses, in my opinion, do not constitute the “judgment” reached (…)[60]

Here, as before, Korff appears to elide the question of the legal standard of “adequacy,” directly applying to a third country what he argues is required under the European Convention of Human Rights and thus under the EU Charter.

The issues of access to information and data may, however, call for closer consideration. For example, in La Quadrature du Net, the CJEU looked at the difficult problem of notifying persons whose data has been subject to state surveillance, requiring individual notification “only to the extent that and as soon as it is no longer liable to jeopardise” the law-enforcement tasks in question.[61] Nevertheless, given the “essential equivalence” standard applicable to third-country adequacy assessments, it does not automatically follow that individual notification is at all required in that context.

Moreover, it also does not necessarily follow that adequacy requires that EU citizens have a right to access the data processed by foreign government agencies. The fact that there are significant restrictions on rights to information and access in some EU member states,[62] though not definitive (after all, those countries may be violating EU law), may be instructive for the purposes of assessing the adequacy of data protection in a third country, where EU law requires only “essential equivalence.”

The Commission’s Adequacy Decision accepted that individuals would have access to their personal data processed by U.S. public authorities, but clarifies that this access may be legitimately limited—e.g., by national-security considerations.[63] The Commission did not take the simplistic view that access to personal data must be guaranteed by the same procedure that provides binding redress, including through the Data Protection Review Court. Instead, the Commission accepts that other avenues, such as requests under the Freedom of Information Act, may perform that function.

IV.    Conclusion

With the Adequacy Decision, the European Commission announced that it has favorably assessed the October 2022 executive order’s changes to the U.S. data-protection framework, which apply to foreigners from friendly jurisdictions (presumed to include the EU). The Adequacy Decision is certain to be challenged before the CJEU by privacy advocates. As discussed above, the key legal concerns will likely be the proportionality of data collection and the availability of effective redress.

Opponents of granting an adequacy decision tend to rely on the assumption that a finding of adequacy requires virtually identical substantive and procedural privacy safeguards as required within the EU. As noted by the European Commission in its decision, this position is not well-supported by CJEU case law, which clearly recognizes that only “adequate level” and “essential equivalence” of protection are required from third-party countries under the GDPR. To date, the CJEU has not had to specify in greater detail precisely what, in their view, these provisions mean. Instead, the Court has been able to point to certain features of U.S. law and practice that were significantly below the GDPR standard (e.g., that the official responsible for providing individual redress was not guaranteed to be independent of political pressure). Future legal challenges to a new Adequacy Decision will most likely require the CJEU to provide more guidance on what “adequate” and “essentially equivalent” mean.

In the Adequacy Decision, the Commission carefully considered the features of U.S. law and practice that the Court previously found inadequate under the GDPR. Nearly half of the explanatory part of the decision is devoted to “access and use of personal data transferred from the [EU] by public authorities in the” United States, with the analysis grounded in CJEU’s Schrems II decision.

Overall, the Commission presents a sophisticated, yet uncynical, picture of U.S. law and practice. The lack of cynicism about, e.g., the independence of the DPRC adjudicative process, will undoubtedly be seen by some as naïve and unrealistic, even if the “realism” in this case is based on speculations of what might happen (e.g., secret changes to U.S. policy), rather than evidence. Litigants will likely invite the CJEU to assume that the U.S. government cannot be trusted and that it will attempt to mislead the European Commission and thus undermine the adequacy-monitoring process (Article 45(3) GDPR). It is not clear, however, that the Court will be willing to go that way—not least due to respect for comity in international law.

[1] Regulation (EU) 2016/679 (General Data Protection Regulation).

[2] Case C-311/18, Data Protection Comm’r v. Facebook Ireland Ltd. & Maximillian Schrems, ECLI:EU:C:2019:1145 (CJ, Jul. 16, 2020), available at http://curia.europa.eu/juris/liste.jsf?num=C-311/18 [hereinafter “Schrems II”].

[3] See, e.g., Ariane Mole, Willy Mikalef, & Juliette Terrioux, Why This French Court Decision Has Far-Reaching Consequences for Many Businesses, IAPP.org (Mar. 15, 2021), https://iapp.org/news/a/why-this-french-court-decision-has-far-reaching-consequences-for-many-businesses; Gabriela Zanfir-Fortuna, Understanding Why the First Pieces Fell in the Transatlantic Transfers Domino, The Future of Privacy Forum (2022), https://fpf.org/blog/understanding-why-the-first-pieces-fell-in-the-transatlantic-transfers-domino; Caitlin Fennessy, The Austrian Google Analytics decision: The Race Is On, IAPP Privacy Perspectives (Feb. 7, 2022) https://iapp.org/news/a/the-austrian-google-analytics-decision-the-race-is-on; Italian SA Bans Use of Google Analytics: No Adequate Safeguards for Data Transfers to the USA (Jun. 23, 2022), https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9782874.

[4] Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, The White House (2022), https://www.whitehouse.gov/briefing-room/presidential-actions/2022/10/07/executive-order-on-enhancing-safeguards-for-united-states-signals-intelligence-activities.

[5] European Commission and United States Joint Statement on Trans-Atlantic Data Privacy Framework, European Commission (Mar. 25, 2022), https://ec.europa.eu/commission/presscorner/detail/en/IP_22_2087.

[6] Draft Commission Implementing Decision Pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the Adequate Level of Protection of Personal Data Under the EU-US Data Privacy Framework, European Commission (2022), available at https://commission.europa.eu/system/files/2022-12/Draft%20adequacy%20decision%20on%20EU-US%20Data%20Privacy%20Framework_0.pdf.

[7]  Commission Implementing Decision EU 2023/1795 of 10 July 2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework, OJ L 231, 20.9.2023, European Commission (2023), https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32023D1795 (hereinafter “Adequacy Decision”).

[8] See Patrice Navarro & Julie Schwartz, Member of French Parliament Lodges First Request for Annulment of EU-US Data Privacy Framework, Hogan Lovells Engage (Sep. 8, 2023), https://www.engage.hoganlovells.com/knowledgeservices/news/member-of-french-parliament-lodges-first-request-for-annulment-of-eu-us-data-privacy-framework; Philippe Latombe, Communiqué de Presse (Sep. 7, 2023), available at https://www.politico.eu/wp-content/uploads/2023/09/07/4_6039685923346583457.pdf.

[9] See, e.g., Joe Jones, EU-US Data Adequacy Litigation Negins, IAPP.org (Sep. 8, 2023), https://iapp.org/news/a/eu-u-s-data-adequacy-litigation-begins.

[10] Latombe, supra note 9.

[11] Id.

[12] See supra note 8.

[13] Mark Scott, We Don’t Talk About Fixing Social Media, Digital Bridge from Politico (Aug. 3, 2023), https://www.politico.eu/newsletter/digital-bridge/we-dont-talk-about-fixing-social-media. See also New Trans-Atlantic Data Privacy Framework Largely a Copy of “Privacy Shield”. NOYB Will Challenge the Decision, noyb.eu (2023), https://noyb.eu/en/european-commission-gives-eu-us-data-transfers-third-round-cjeu.

[14] Case C-362/14, Maximillian Schrems v Data Protection Commissioner, ECLI:EU:C:2015:650, available at https://curia.europa.eu/juris/liste.jsf?num=C-362/14 [hereinafter “Schrems I”].

[15] Scott, supra note 13.

[16] Schrems II [178].

[17] Case C?362/14, Maximillian Schrems v Data Protection Commissioner, EU:C:2015:650 (CJEU judgment of 6 October 2015) [hereinafter: “Schrems I”].

[18] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals With Regard to the Processing of Personal Data and on the Free Movement of Such Data (“Data Protection Directive”).

[19] Schrems I [73].

[20] Theodore Christakis, Kenneth Propp, & Peter Swire, EU/US Adequacy Negotiations and the Redress Challenge: Whether a New U.S. Statute is Necessary to Produce an “Essentially Equivalent” Solution, European Law Blog (2022), https://europeanlawblog.eu/2022/01/31/eu-us-adequacy-negotiations-and-the-redress-challenge-whether-a-new-u-s-statute-is-necessary-to-produce-an-essentially-equivalent-solution.

[21] Opinion of Advocate General Saugmandsgaard Øe delivered on 19 December 2019, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, ECLI:EU:C:2019:1145 [248].

[22] European Data Protection Board, Recommendations 02/2020 on the European Essential Guarantees for surveillance measures, available at https://edpb.europa.eu/sites/default/files/files/file1/edpb_recommendations_202002_europeanessentialguaranteessurveillance_en.pdf (hereinafter: “EDPB Recommendations on surveillance measures”).

[23] EDPB Recommendations on surveillance measures [8].

[24] Executive Order, supra note 5, Sec. 2(a)(ii)(B).

[25] Douwe Korff, The Inadequacy of the October 2022 New US Presidential Executive Order on Enhancing Safeguards For United States Signals Intelligence Activities, 13 (2022), https://www.ianbrown.tech/2022/11/11/the-inadequacy-of-the-us-executive-order-on-enhancing-safeguards-for-us-signals-intelligence-activities.

[26] Id. at 10–13.

[27] EDPB Recommendations on surveillance measures [34].

[28] Opinion of Advocate General Saugmandsgaard Øe in Schrems II [249].

[29] European Commission, supra note 8, Recital 135.

[30] New US Executive Order Unlikely to Satisfy EU Law, NOYB (Oct. 7, 2022), https://noyb.eu/en/new-us-executive-order-unlikely-satisfy-eu-law.

[31] Korff, supra note 25 at 19.

[32] Schrems II [184].

[33] European Data Protection Supervisor, Opinion 5/2023 on the European Commission Draft Implementing Decision on the Adequate Protection of Personal Data Under the EU-US Data Privacy Framework, [134]-[135] (2023), https://edpb.europa.eu/our-work-tools/our-documents/opinion-art-70/opinion-52023-european-commission-draft-implementing_en. See also Alex Joel, Necessity, Proportionality, and Executive Order 14086, Joint PIJIP/TLS Research Paper Series (2023), https://digitalcommons.wcl.american.edu/research/99.

[34] Digital Rights Ireland and Others, Cases C?293/12 and C?594/12, EU:C:2014:238.

[35] La Quadrature du Net and Others v Premier Ministre and Others, Case C-511/18, ECLI:EU:C:2020:791.

[36] Schrems I [94].

[37] Schrems I [96].

[38] European Commission, supra note 8, Recitals 140-141 (footnotes omitted).

[39] Theodore Christakis, Squaring the Circle? International Surveillance, Underwater Cables and EU-US Adequacy Negotiations (Part 1), European Law Blog (2021), https://europeanlawblog.eu/2021/04/12/squaring-the-circle-international-surveillance-underwater-cables-and-eu-us-adequacy-negotiations-part1; Theodore Christakis, Squaring the Circle? International Surveillance, Underwater Cables and EU-US Adequacy Negotiations (Part 2), European Law Blog (2021), https://europeanlawblog.eu/2021/04/13/squaring-the-circle-international-surveillance-underwater-cables-and-eu-us-adequacy-negotiations-part2.

[40] European Commission, supra note 8, Recital 141, footnote 250 (emphasis added).

[41] Id., Recital 141, footnote 250.

[42] Directive (EU) 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on Certain Legal Aspects of Information Society Services, in Particular Electronic Commerce, in the Internal Market (‘Directive on Electronic Commerce’) [2000] OJ L178/1.

[43] Case C-18/18, Eva Glawischnig-Piesczek v Facebook [2019] ECLI:EU:C:2019:821. See also Daphne Keller, Facebook Filters, Fundamental Rights, and the CJEU’s Glawischnig-Piesczek Ruling, 69 GRUR International 616 (2020).

[44] As Keller puts it: “Instead of defining prohibited ‘general’ monitoring as monitoring that affects every user, the Court effectively defines it as monitoring for content that was not specified in advance by a court.” Id. at 620.

[45] Case C?401/19, Poland v Parliament and Council [2022] ECLI:EU:C:2022:297; Directive (EU) 2019/790 of the European Parliament and of the Council of 17 April 2019 on Copyright and Related Rights in the Digital Single Market and Amending Directives 96/9/EC and 2001/29/EC (OJ 2019 L 130, p. 92). For background, see Christophe Geiger & Bernd Justin Jütte, Platform Liability Under Art. 17 of the Copyright in the Digital Single Market Directive, Automated Filtering and Fundamental Rights: An Impossible Match, 70 GRUR International 517 (2021).

[46] Schrems II [181].

[47] Schrems II [183].

[48] @MBarczentewicz, Twitter (Aug. 24, 2023, 9:43 AM), https://twitter.com/MBarczentewicz/status/1694707035659813023. See also Max Schrems, Open Letter on the Future of EU-US Data Transfers (May 23, 2022), https://noyb.eu/en/open-letter-future-eu-us-data-transfers.

[49] Similar phrasing can be found in Ashley Gorski, The Biden Administration’s SIGINT Executive Order, Part II: Redress for Unlawful Surveillance, Just Security (2022), https://www.justsecurity.org/83927/the-biden-administrations-sigint-executive-order-part-ii. Gorski’s text shows well how easy it is to elide, even unintentionally, the distinction between the Article 47 being a standard that must be satisfied by a third country, and it merely contributing to the level of protection that constitutes a benchmark for an adequacy assessment. At one point she notes that “the CJEU held that U.S. law failed to provide an avenue of redress ‘essentially equivalent’ to that required by Article 47.” In other places, however, she adopts the phrasing of “satisfying” Article 47.

[50] Schrems II [186].

[51] Theodore Christakis, Kenneth Propp & Peter Swire, The Redress Mechanism in the Privacy Shield Successor: On the Independence and Effective Powers of the DPRC, IAPP.org (2022), https://iapp.org/news/a/the-redress-mechanism-in-the-privacy-shield-successor-on-the-independence-and-effective-powers-of-the-dprc.

[52] Gorski, supra note 49; Korff, supra note 25 at 21.

[53] European Commission, supra note 8, Recital 175.

[54] Id., Recital 187 (footnotes omitted).

[55] Gorski, supra note 49.

[56] According to them: “(…) key U.S. Supreme Court decisions have affirmed the binding force of a DOJ regulation and the legal conclusion that all of the executive branch, including the president and the attorney general, are bound by it.” Christakis, Propp, & Swire, supra note 51.

[57] @MBarczentewicz, Twitter (Aug. 24, 2023, 9:43 AM), https://twitter.com/MBarczentewicz/status/1694707035659813023.

[58] Executive Order, section 5(k)(i)-(iv).

[59] NOYB, New US Executive Order Unlikely to Satisfy EU Law (Oct. 7, 2022), https://noyb.eu/en/new-us-executive-order-unlikely-satisfy-eu-law. See also NOYB, supra note 13.

[60] Korff, supra note 25 at 25.

[61] Joined cases C-511/18, C-512/18 and C-520/18, La Quadrature du Net and others, ECLI:EU:C:2020:791 [191].

[62] European Union Agency for Fundamental Rights, Surveillance by Intelligence Services: Fundamental Rights Safeguards and Remedies in the EU – Volume II: Field Perspectives and Legal Update (2017) https://fra.europa.eu/en/publication/2017/surveillance-intelligence-services-fundamental-rights-safeguards-and-remedies-eu.

[63] European Commission, supra note 8, Recitals 199-200.

Abstract

English-architecture company law describes the distinct and diverse group of company or corporate law used in more than 60 jurisdictions worldwide. English-architecture company law provides a robust platform for innovation and development due to its permissive structure, opportunity for choice of law in an entity’s internal governance, and scalability permitting variation for small and large entities. It is the dominant form among International Financial Centers (IFCs), many of which have legal systems with a British connection. This body of law responds to competition and maintains dynamism by engaging its practice community through “learning by doing” and “frictioneering.” An architecture approach permits a broader review of developments in company law that more closely captures the reality of global law practice. The IFC experience of climbing the value chain from tax arbitrage to provide solutions for entities or structures left out in the corporate law of larger jurisdictions provides a useful global governance model to maintain normative, jurisprudential, and regulatory coherence even as it responds to more specialized and unanticipated needs. This Article explores what makes English-architecture company law so successful and how IFCs use it to compete in the global law market.

Abstract

We study the evolution of corporate governance (CG) practices in Brazil over 2010-2019, using a country-specific Brazil Corporate Governance Index (BCGI) validated in prior work. We study separately firms in high-governance and low-governance legal regimes, in a single country. CG improved considerably in Brazil over 2010-2015, with much smaller changes over 2015-2019. Positive CG changes are much more common than negative changes. Some firms made only minimal changes, despite low initial CG levels. We also study which firm financial factors predict both CG levels and changes in levels. None of the firm financial variables we study consistently predicts CG levels. However, for CG changes, a measure of equity financing need predicts CG improvements in the first half of the sample period, but only for firms in the lower governance regime, not for firms in the higher regime. This is the first article to find evidence for firm financial characteristics predicting CG changes, consistent with theoretical predictions, including stronger effects for firms in the lower governance regime.

Abstract

China is making an active push to enlarge its role in the development of Internet-related technical standards. The prevailing narrative surrounding this trend suggests that Beijing is aiming to uproot the liberal, democratic values embedded in the Internet’s technical foundation and governance arrangements in favor of authoritarian-friendly alternatives. For many, these fears were fully realized when Chinese tech giant Huawei came to the UN-affiliated International Telecommunications Union (ITU) and proposed the development of a future core Internet protocol called “New IP”. This proposal allegedly sought to redesign the architecture of the Internet in a way that would both enhance and export the Chinese government’s capacity for digital repression. Informed by the understanding of Chinese standards influence as a geopolitical and ideological threat, many are now calling for a more aggressive response to countering Chinese engagement in Internet standards bodies.

Yet, the conventional narrative seems to be missing something. Specifically, it overlooks the fact that the sophisticated Internet control apparatus China has developed over the years can already censor and surveil quite effectively at present and that shifting responsibility for core protocol development to the state-driven ITU would not necessarily enhance its ability to do so. A more comprehensive understanding of this trend is needed.

Using New IP as the primary case study, this article examines China’s standard-setting push, its potential motivations, and its implications for the future of the global Internet. We conclude that it is far from clear that New IP was indeed intended as a trojan horse for digital authoritarianism. Observing that technical evolution of the Internet—particularly the type endorsed in Huawei’s proposal—plays a prominent role in China’s long-term industrial policy strategy, we find it equally plausible that New IP was motivated by economic considerations, something that has largely been absent from the debate over China’s standards ambitions. We thus caution against the presumption that Chinese-developed standards are intended to advance the cause of digital repression as well as against politically driven opposition to growing Chinese participation at Internet standard-setting bodies. This insight is crucial, as the way American policymakers and Internet stakeholders respond to this trend will undoubtedly impact both the future of the global Internet and U.S. technological leadership in this domain.

Executive Summary

Under the auspices of Legislative Decree 9831, the Central Bank of Costa Rica (BCCR) has set maximum fees for acquiring and issuing banks in payment-card markets, with maximum acquisition fees (MDR) and interchange fees (IRF). Different fees were set for domestic transactions (i.e., those made using locally issued cards) and for cross-border transactions (i.e., those made using foreign-issued cards).

In November 2022, BCCR issued a proposal to retain the cross-border MDR cap at 2.5% and either to leave the cap on cross-border IRF unchanged at 2%, or to lower it to 1.25%. In the same document, BCCR proposed that the MDR for domestically issued cards would be capped at 2% and the IRF capped at 1.5%.

IRF for cross-border transactions typically are significantly higher than those for domestic transactions, primarily because cross-border transactions carry much higher risk of fraud. If BCCR caps cross-border interchange fees at the lower level it has proposed, foreign issuers are likely to respond by de-risking payment requests from acquirers in Costa Rica. This could take various forms, including rejecting payments from certain merchants, or simply increasing rejections rates across the board. Whatever approach, or mix of approaches, is taken, it is likely to cause problems both for merchants in Costa Rica and for their customers.

Prior to the COVID-19 pandemic, roughly 6.25% of Costa Rica’s gross domestic product (GDP) came from tourism, with a significant proportion of those tourist dollars spent using payment cards. Indeed, in 2021, even without a full resumption of pre-COVID rates of tourism, approximately 16% of credit-card payments in Costa Rica were cross-border. If tourists find that they are unable to make reservations at hotels in Costa Rica using their credit or debit cards because the payment is rejected by their issuer, they may well choose an alternative destination for their trip. Meanwhile, if tourists in Costa Rica are unable to pay for goods and services using their credit and debit cards, many will simply not make those payments. This could have a substantial negative effect on Costa Rica’s tourism and business-travel industries.

Introduction

Costa Rica Legislative Decree No. 9831—issued March 24, 2020—created a mandate to regulate acquisition fees (commonly known as the “merchant discount rate,” or MDR) and interchange reimbursement fees (IRF) charged by service providers on “the processing of transactions that use payment devices and the operation of the card system.”[1] The legislation’s stated objective was “to promote its efficiency and security, and guarantee the lowest possible cost for affiliates.”

Implementation was delegated to the Central Bank of Costa Rica (BCCR), which was tasked with responsibility to issue regulations and monitor compliance; ensure that the rule is “in the public interest”; and guarantee that fees charged to “affiliates” (i.e., merchants) are “the lowest possible … following international best practices.” Beginning Nov. 24, 2020, BCCR set the maximum IRF for domestic cards at 2.00% and the maximum MDR at 2.50%. These fell to 1.75% and 2.25%, respectively, in an updated regulation published in January 2022, and to 1.5% and 2% in February 2023.

In a study published in May 2022, we reviewed the available evidence regarding interchange fees and argued that it would be contrary to international best practices for Costa Rica to cap acquisition fees and interchange fees.[2] In particular, we raised specific concerns regarding the likely harmful effects of capping fees on cross-border transactions, owing to the higher risks and other costs associated with such transactions.

BCCR developed a technical study that considered the effects of different levels of caps on fees for both domestic and cross-border payment-card transactions and, in November 2022, issued a proposal to retain the cross-border MDR cap at 2.5% and either (1) leave the cap on cross-border IRF unchanged at 2%, or (2) lower the IRF cap for cross-border transactions to 1.25%.

If BCCR leaves the cross-border MDR cap unchanged but reduces the cross-border IRF cap to 1.25%, it might, in principle, appear to solve the immediate problem faced by acquiring banks. It would, however, create new problems for those banks, their customers, and the wider economy. It will also put Costa Rica in the unenviable position of being the only country in the world with a cross-border interchange fee that is below the domestic interchange fee.

This brief considers the international experience with cross-border payment-card transactions, with a focus on issues related to fraud, as well as the negative implications of imposing price caps. It begins with a brief discussion of the economics of interchange fees. Section II describes Costa Rica’s price controls on merchant acquisition and interchange fees. Section III discusses fraud and other costs associated with cross-border and card-not-present transactions. Section IV describes ways in which payment-card networks address issues related to fraud. And Section V assesses the likely implications for Costa Rica of price caps on cross-border interchange fees.

I.        The Economics of Interchange Fees

Payment systems are two-sided markets, with consumers on one side and merchants on the other; the payment network acts as a platform that facilitates interactions between the two sides.7F[3] For such a system to be successful, both merchants and consumers must perceive it as beneficial. If too few merchants accept a particular form of payment, consumers will have little reason to obtain it and issuers will have little incentive to issue it. Likewise, if too few consumers possess a form of payment, merchants will have little reason to accept it.

In any two-sided market, platform operators seek to encourage participation on each side of the market in ways that maximize the joint net benefits of the network to all participants—and to allocate system costs accordingly.8F[4] Among the means they employ to achieve this balance is by setting prices charged, respectively, to participants on each side of the market.9F[5] In the case of payments, if the platform operator sets the price too high for some consumers, they will be unwilling to use the platform; similarly, if the operator sets the price too high for some merchants, they will not be willing to use the platform.

In general, the costs of operating a platform will tend to fall on the party who is least sensitive to such costs (i.e., the party with the lower price elasticity). In the case of payment cards, that party is the merchant.13F[6] Merchants often pay, through transaction fees, not only all the costs of accessing the network, but also effectively subsidize participation by consumers—e.g., through cashback and other rewards programs, insurance, fraud protection, and other cardholder benefits that serve as incentives to card usage.

Merchants are willing to do this because they receive significant benefits from the use of payment cards, including: ticket lift (i.e., higher spending, due to the fact that consumers are not constrained by the cash in their pockets or, in the case of credit cards, the amount of cash currently in their bank accounts), guaranteed payment, reduced cash-management costs, and faster checkout times.

II.      Costa Rica’s Price Controls on Payment Card Fees

Article 14 of Legislative Decree 9831 requires the BCCR to undertake “ordinary reviews” of the price controls on MDR and IRF at least once annually. Its first such review, published in November 2021, set a timetable for maximum domestic-acquisition and interchange fees (see table below) and set maximum cross-border MDR at 2.5% and IRF at 2%.[7]

SOURCE: Banco Central de Costa Rica[8]

BCCR subsequently established a task force to develop proposals for setting payment-card fees. On Nov. 2, 2022, BCCR published the task force’s recommendations, which included, inter alia, the following:[9]

• Use international comparisons of IRFs and MDRs “as the best technical tool currently available to the BCCR to ensure the lowest possible cost for affiliates, in accordance with Legislative Decree 9831.”
• Maintain the differentiation of the ceilings on IRF and MDR between local and cross-border payment transactions, in accordance with Article 4 of Legislative Decree 9831, “as this leads to the proper functioning, efficiency and security of the Costa Rican payment system and the lowest cost for affiliates.”
• For 2023, set maximum fees for local payment transactions at 1.50% for IRF and 2.00% for MDR. This is in line with the proposal made in 2021.
• Maintain the cap of 2.50% on cross-border MDR, “since the information available in the international comparison does not allow modifications to be made to the limit established since 2020.”
• Propose two alternative options regarding the maximum cross-border IRF:
  • Option 1: maintain the current maximum, e., 2.00%; or
  • Option 2: reduce the maximum to 1.25%.

The BCCR offers various putative justifications for these proposed caps. For example, it notes that Option 2 would result in a maximum cross-border IRF that is midway between “the minimum cross-border IRF established by Mastercard and Visa card brands for the United States and Canada, as well as Visa for Australia in the case of non-Asia Pacific issuers” (i.e., 1.00%) and the IRF “agreed by Mastercard and Visa card brands for card-not-present payments in the EEA” (i.e., 1.50%).

Such justifications, however, are fundamentally inconsistent with the economics of two-sided markets. The current and proposed price caps thus represent essentially arbitrary interventions. By focusing narrowly on the costs incurred by merchants through IRFs and MDRs, BCCR fails to account adequately for the offsetting benefits that accrue to consumers and merchants—and the costs to provide those benefits.

Legislative Decree 9831 does, however, permit BCCR to take into consideration “[a]ny other element that reasonably allows the Central Bank of Costa Rica to guarantee the efficiency and security of the card systems.”[10] As discussed below, one such element that should be considered by BCCR is the potential effect of regulating international IRFs on merchants in Costa Rica, especially those catering to tourists and business travelers, and the wider effects on the economy.

III.    Fraud Risks Associated with Cross-Border Payments

In comparison to domestic payments, cross-border payments entail significantly higher risks of fraud, as be seen by looking at the incidence of payments fraud in the European Union (EU). Data from the European Central Bank (ECB) show unambiguously that the rates of fraud on cross-border transactions—both between EU member states and from outside the EU—is much higher than fraud on domestic transactions. In its 2021 Report on Card Fraud, the ECB found that, between 2015 and 2019, cross-border transactions represented only 10% of transactions by value but 65% of all fraud by value, as can be seen in Figure I.[11] Thus, in value terms, cross-border fraud represents a risk more than six times greater than domestic fraud.

SOURCE: European Central Bank[12]

For most EU member states, the situation is even more dramatic, with cross-border fraud representing more than 90% of all card fraud, as can be seen in Table II.

SOURCE: European Central Bank[13]

Looking at the types of transaction involved in card fraud, the vast majority (83%) are card-not-present (CNP) fraud, as can be seen in Figure II.

SOURCE: European Central Bank[14]

While these data relate to payments fraud in the EU, they are likely indicative of broader international trends. As such, they suggest that cross-border fraud in general and CNP cross-border fraud in particular is a far more significant problem than domestic fraud of all kinds.

IV.    How Card Networks Address Payment-Card Fraud

Card networks have developed numerous processes and technologies to address payment-card fraud, including the following.

Zero liability protection for cardholders. Card networks’ standard terms and conditions include clauses requiring issuers to protect personal cardholders from unauthorized transactions (subject to certain conditions, such as that cardholders report such transactions promptly to the card issuer).[15] This protection is an important benefit to cardholders, who otherwise might be wary of using their cards, especially for online transactions or in foreign countries.

Liability protection for merchants. Just as cardholders are protected from liability for unauthorized transactions, so too are merchants. Issuers are, by default, liable for unauthorized transactions. This is an important benefit to merchants, who might otherwise be reluctant to accept card-based payments.

Chargebacks. The above liability protections apply only to unauthorized transactions. Where a cardholder has authorized a payment, they will be liable. Meanwhile, if a merchant has processed a payment without obtaining the necessary authorization, and where that payment has been disputed by the cardholder, the issuer may initiate a “chargeback”: effectively reversing the payment.

Authorization, verification, and fraud monitoring. To complement the system of liability protection and chargebacks, payment networks have developed increasingly sophisticated and effective systems for transaction authorization and fraud monitoring, including:

• Tokenization—which underpins EMV (Europay, Mastercard, and Visa) chips, contactless cards, and smartphone-based payments—uses encrypted data to enable authorization without sharing personal account numbers;
• Machine-learning-based transaction monitoring, which creates a dynamic model of each cardholder’s transactions and flags as potentially fraudulent those payments that do not fit the model; and
• Contingent multifactor authentication, whereby transactions flagged as potentially fraudulent result in the cardholder being asked for secondary authentication.

These systems reduce the incidence of fraud and thereby reduce the liability of card issuers. For example, in 2015, payment networks changed the liability rules for U.S. merchants to encourage adoption of EMV cards. Estimates by Visa suggest that merchants that subsequently adopted EMV-compliant point-of-sale (POS) machines experienced an 87.5% reduction in fraud.[16] Nonetheless, as is clear from Section III, fraud remains a problem, especially for cross-border and CNP transactions.

The liability rules summarized above mean that the cost of fraud falls disproportionately on card issuers. In 2020, issuers bore nearly two-thirds of all card fraud losses worldwide.[17] The equitable and economically efficient solution is for issuers to charge higher fees for transactions that are more likely to be fraudulent.

In some cases, it may make sense to pass on some or all of these costs to consumers. In the case of cross-border transactions, some issuers do this by charging foreign-transaction fees on some cards.[18] Such fees can, however, discourage consumers from using their cards, so it may be preferable for merchants to pay higher fees instead. Thus, cards aimed at international travelers typically offer cardholders “no foreign-transaction fee” as a benefit. These cards instead charge a higher interchange fee for foreign transactions. Holders of such premium cards typically spend more, thereby benefiting the merchants (who pay slightly higher fees, if they are not on a blended rate).

V.      Possible Responses to Caps on Cross-Border Interchange Fees

As noted in Section II, the BCCR Task Force made two alternative proposals with respect to cross-border IRFs. The first would leave the current cap unchanged at 2.00%, while the second would reduce the cap to 1.25%.

Even the current cap is lower than the standard IRF charged for many credit cards that offer no foreign-transaction fee. Payments made using such cards in Costa Rica are thus effectively subsidized by merchants in other jurisdictions that do not impose such caps.

At the lower proposed rate, foreign issuers will receive a lower IRF than domestic-card issuers. Given the much higher fraud rate on cross-border payments, this is likely to cause significant problems, especially for premium cards that offer cardholders “no foreign-transaction fee” as well as other benefits, such as vehicle insurance, purchase-protection insurance, and rewards. The IRF revenue simply will not be sufficient to cover these benefits. As such, to reduce fraud, payments using such cards will be subject to greater scrutiny and many may well simply be rejected.

This is a problem not only for the cardholders, who will be frustrated when attempting to make purchases. It is also a problem for Costa Rica’s tourism and business-travel sectors. Consider what might happen when a prospective visitor attempts to book a room at a resort such as Tortuga Lodge, which takes bookings directly on its website and processes payments through its acquirer in Costa Rica.[19] The prospective visitor first tries their World Elite Mastercard and finds that it is rejected; they then try their Visa Infinite card and again find that the payment is rejected. Frustrated but undaunted, they instead decide to book rooms at Tortuga Lodge on Expedia.com, which uses a U.S. acquirer; this time, they have no problem making and paying for the booking, albeit at a higher price than was offered directly by the hotel. When they arrive in Costa Rica, however, they find that, once again, their cards are repeatedly rejected when they attempt to make purchases, whether it be at restaurants, tour agencies, or even an art gallery where they had hoped to buy a beautiful piece of local artwork.

The above scenario might already be happening, because the standard IRF for such transactions on the cards mentioned is higher than the current capped rate of 2.00%.[20] At the alternative lower proposed rate of 1.25%, rejections are a near certainty for at least some travelers. Worse, some prospective travelers who are looking for a more bespoke offering and want to book directly with the hotel are likely to abandon their plans to travel to Costa Rica at all and choose a different destination where they do not encounter such difficulties.

Ironically, prospective visitors who have standard debit or credit cards that charge foreign-transaction fees are much less likely to have their payments rejected.

Some other payment methods are not covered by the caps on MDRs and IRFs: specifically, wire transfers and other bank-to-bank transfers that do not involve the use of payment-card networks. Most likely, there will be a shift toward the use of such payment methods, as a result both of individuals paying directly through such transfers and an increase in payments from overseas agencies. In general, such alternative payment methods involve greater counterparty risk than payments made using cards due to their greater finality, which means it is more difficult to reverse a payment once made, and the lack of purchase insurance. To the extent that visitors to Costa Rica are limited to wire and bank transfers, as a result of their payment cards being declined, they are likely to reduce their spending.

These anecdotes and observations suggest a number of likely effects of the cap on interchange fees:

• First, booking and payment for accommodation and other pre-bookable tourism activities will shift from Costa Rica-based agents and acquirers to U.S.-based agents and acquirers. This will reduce margins for Costa Rican hotels and other tourism businesses.
• Second, higher–end tourists will likely spend less in Costa Rica because they will be less able to use their payment cards.
• Third, there will likely be an overall reduction in high-spending tourists visiting Costa Rica, with a concomitant reduction in total spending.

In 2019, Costa Rica received about 3.1 million visitors who stayed for one night or more, spending about $4 billion, roughly 6.25% of the country’s GDP.[21] The tourism industry employed more than 170,000 people, about 5% of the country’s working-age population.[22] Tourist numbers fell dramatically in 2020 due to the COVID-19 pandemic, leading to a dramatic decline in income and employment. Visitor numbers began to rise again in 2021 and, while total numbers remained below their pre-COVID highs, the number of visitors from the United States (245,000) was not far off the number for 2019 (280,000). In March 2022. Costa Rica announced its national tourism plan for 2022-2027, in which it sought to increase the number of annual visitors to 3.8 million by 2027, targeting tourism revenue of $4.8 billion.[23]

In 2019, Costa Rican merchants processed around 19 million cross-border payment-card transactions, with a total value of around $2 billion—representing about half the total tourism revenue and 16% of the value of all card transactions.[24] After falling in 2020, the number of cross-border payment-card transactions rose in 2021 to nearly 23 million, with a total value of $2 billion, which is consistent with the return of higher-spending tourists from the United States.[25]

If BCCR chooses to cap interchange fees on cross-border transactions at 1.25%, it is likely to impede Costa Rica’s national tourism plan, both by discouraging tourism and, more importantly, by reducing revenue from higher-spending tourists.

VI.    Conclusion

Based on this assessment, there are significant costs associated with caps on cross-border MDRs and IFRs. As noted above, Legislative Decree 9831 permits BCCR to take into consideration such costs to the extent that they affect BCCR’s ability “to guarantee the efficiency and security of the card systems.”[26] As such it is incumbent on BCCR to consider the potential economic harm that is likely to arise if it were to lower the cap on cross-border IFR to 1.25%.

[1] Note, translations from the Spanish original are approximate.

[2] Julian Morris, Regulating Payment Card Fees: International Best Practice and Lessons for Costa Rica, International Center for Law & Economics (May 25, 2022), https://laweconcenter.org/resources/regulating-payment-card-fees-international-best-practices-and-lessons-for-costa-rica.

[3] Jean-Charles Rochet & Jean Tirole, Two-Sided Markets: A Progress Report, 37 Rand J. Econ. 645 (2006); See also Todd J. Zywicki, The Economics of Payment Card Interchange Fees and the Limits of Regulation, International Center for Law and Economics, ICLE Financial Regulatory Program White Paper Series (Jun. 2, 2010), available at http://laweconcenter.org/images/articles/zywicki_interchange.pdf.

[4] Bruno Jullien, Alessandro Pavan, & Marc Rysman, Two-Sided Markets, Pricing, and Network Effects, in Handbook of Industrial Organization (Vol. 4), 485-592 (2021).

[5] Thomas Eisenmann, Geoffrey Parker, & Marshall W. Van Alstyne, Strategies for Two-Sided Markets, Harv. Bus. Rev. (Oct. 2006).

[6] Id., at 33.

[7] Fijación Ordinaria de Comisiones Máximas del Sistema de Tarjetas de Pago 2021, Banco Central de Costa Rica, (Nov. 2021).

[8] Id. at 3.

[9] Alcance No 237 A La Gaceta No 212, Imprenta Nacional de Costa Rica (Nov. 7, 2022).

[10] Decreta: Comisiones Máximas Del Sistema De Tarjetas, No. 9831, Art. 15(j), Legislative Assembly of the Republic of Costa Rica, (“Cualquier otro elemento que razonablemente permita al Banco Central de Costa Rica garantizar la eficiencia y seguridad de los sistemas de tarjetas.”), http://www.pgrweb.go.cr/scij/Busqueda/Normativa/Normas/nrm_texto_completo.aspx?param1=NRTC&nValor1=1&nValor2=90791&nValor3=119755&strTipM=TC (last visited Apr. 12, 2023).

[11]Seventh Report on Card Fraud, European Central Bank 2022 (Feb. 1, 2022), https://www.ecb.europa.eu/pub/cardfraud/html/ecb.cardfraudreport202110~cac4c418e8.en.html#toc1.

[12] Id. SEPA refers to the Single Euro Payments Area.

[13] Id.

[14] Id. EA19 refers to the 19 EU member states that are members of the Euro zone.

[15] Zero Liability Protection, Mastercard (Oct. 17, 2014), https://www.mastercard.us/en-us/personal/get-support/zero-liability-terms-conditions.html; Zero Liability Policy, Visa, https://usa.visa.com/pay-with-visa/visa-chip-technology-consumers/zero-liability-policy.html (last visited Apr. 12, 2023).

[16] Visa EMV Chip Cards Help Reduce Counterfeit Fraud by 87 Percent, Visa (Sep. 3, 2019), https://usa.visa.com/visa-everywhere/blog/bdp/2019/09/03/visa-emv-chip-1567530138363.html.

[17] Card Issuers Accounted for 65.40% of Gross Losses to Fraud Worldwide in 2020, Nilson Report (Dec. 2021), Issue 1209, at 6.

[18] Jacqueline DeMarco & Poonkulali Thangavelu, A Guide to Foreign Transaction Fees, Bankrate.com (Feb. 24, 2023), https://www.bankrate.com/finance/credit-cards/a-guide-to-foreign-transaction-fees.

[19] Author’s personal communication with reservation specialist at Tortuga Lodge, April 2023.

[20] Mastercard 2022–2023 U.S. Region Interchange Programs and Rates, Effective April 22, 2022, Mastercard (2022), available at https://www.mastercard.us/content/dam/public/mastercardcom/na/us/en/documents/merchant-rates-2022-2023-apr22-2022.pdf; Visa USA Interchange Reimbursement Fees, Visa (Apr. 23, 2022), available at   https://usa.visa.com/content/dam/VCOM/download/merchants/visa-usa-interchange-reimbursement-fees.pdf.

[21] OECD Tourism Trends and Policies 2022: Costa Rica, Organisation for Economic Cooperation and Development (2022), https://www.oecd-ilibrary.org/sites/a99a4da2-en/index.html?itemId=/content/component/a99a4da2-en.

[22] Id.; see also, OECD Economic Surveys: Costa Rica 2023, Organisation for Economic Cooperation and Development (2023), https://www.oecd-ilibrary.org/sites/8e8171b0-en/1/2/2/index.html?itemId=/content/publication/8e8171b0-en&_csp_=0b8e1c4cf7b4fb558e396a4008a8398a&itemIGO=oecd&itemContentType=book.

[23] Plan Nacional de Turismo de Costa Rica 2022-2027, Aprobado en la sesión N° 6210 de la Junta Directiva del Instituto Costarricense de Turismo, Apartado 3.II, celebrada (Mar. 21, 2022),English summary: Costa Rica: National Tourism Development Plan 2022–2027, Tourism Analytics, https://tourismanalytics.com/news-articles/costa-rica-national-tourism-development-plan-2022-2027.

[24] Supra note 9, Table 9. Assumes an average Colones:USD exchange rate during 2019 of 0.0017.

[25] Id. The Colones:USD exchange rate averaged around 0.0016 during 2021.

[26] Decreta: Comisiones Máximas Del Sistema De Tarjetas, No. 9831, Art. 15(j), Legislative Assembly of the Republic of Costa Rica, (“Cualquier otro elemento que razonablemente permita al Banco Central de Costa Rica garantizar la eficiencia y seguridad de los sistemas de tarjetas.”), http://www.pgrweb.go.cr/scij/Busqueda/Normativa/Normas/nrm_texto_completo.aspx?param1=NRTC&nValor1=1&nValor2=90791&nValor3=119755&strTipM=TC (last visited Apr. 12, 2023).

Spring is here, and hope springs eternal in the human breast that competition enforcers will focus on welfare-enhancing initiatives, rather than on welfare-reducing interventionism that fails the consumer welfare standard.

Read the full piece here.

Introduction

The UK Payment System Regulator (PSR) is currently in the process of conducting two market reviews related to card payments. One of the two regards consumer cross-border interchange fees between the United Kingdom and the European Economic Area (EEA),[1] while the other relates to card scheme and processing fees.[2] This brief raises some initial concerns regarding the two reviews.

The most significant concern these market reviews raise is the implied “market” under investigation. By focusing narrowly on two very specific aspects of the overall payment system, the reviews almost by definition rule out a full analysis of the ecosystem. This is most unfortunate. Decades of research shows categorically that payment systems are highly complex multi-sided markets that have evolved over many decades—and continue to evolve—into a delicately balanced, technologically advanced ecosystem.

Payment systems and the thousands of banks that interoperate over them have invested tens of billions of dollars into their development. These investments, and associated innovations in technologies and the rules governing the systems, have been driven by a decades-long process of dynamic competition. That process has involved not only the main payment-system operators, but also many other businesses involved in payments processing. As a result, billions of consumers are now able to use payment cards and millions of merchants accept them. The system’s economic benefits unquestionably far outweigh the costs.

While it is always possible to conceive of models against which extant payment systems may appear “imperfect,” that does not necessarily mean there is any “market failure”; models are not reality. By considering only very narrow questions relating to specific aspects of the operations of payment systems, the PSR is likely to make inappropriate conclusions.

This brief begins with a description of some of the primary benefits that payment-card systems deliver. Section II offers a description of the economics of payment systems. Section III discusses some common misconceptions regarding payment systems, which have arisen due to misunderstanding the economics that underpins them and failing to appreciate the history and nature of the dynamic competition that explains the existing market structure. Section IV considers the market reviews in the context of the PSR’s overall remit. Section V draws some conclusions.

I. The Benefits of Payment-Card Systems

The PSR acknowledges that payment cards “are critical to the smooth running of the UK economy as they enable people to pay for their purchases and merchants to accept payments for goods and services.”[3] But it is worth spelling out why payment cards are so critical. In no small part, this comes down to the numerous inherent advantages that payment cards and their associated systems have over other types of payment, such as cash and checks. These include: [4]

• They enable consumers to spend more than they have in their wallet at the time of the purchase, which in turn reduces the amount of cash that they need to withdraw from the bank.
• Credit cards enable consumers to spend more than they have in their bank accounts at the time of the purchase. Because credit-card issuers typically charge no interest if the statement balance is paid by the due date (usually a month after issuance), cardholders are able to smooth their consumption patterns at much lower cost than if they were required to hold cash in their account or use an overdraft facility.
• By increasing the ability of consumers to spend, payment cards benefit merchants, who sell more goods and services.
• Merchants also benefit from reduced costs associated with handling cash, including the need for float and the risk of theft.

Payment cards have been essential to the development of e-commerce and were literally a lifeline during the COVID-19 pandemic, both for consumers and for businesses (especially smaller businesses), when millions of people were unable to leave their homes and primarily purchased essential goods through online merchants.

Figure I: Use of Cash in the UK Since COVID-19

SOURCE: PSR[5]

Despite these benefits, merchants have for decades complained about the prohibitive cost of processing card transactions. As explained below, these complaints reflect a misunderstanding of the nature and benefits of card-payment systems.

II.      The Economics of Payment Systems

A proper economic assessment of any payment system must account for the fact that both merchants and consumers must perceive benefits for such systems to be successful.  If too few merchants accept a particular form of payment, consumers will have little reason to possess it and issuers will have little incentive to issue it. Likewise, if too few consumers possess a form of payment, merchants will have little reason to accept it.

Conceptually, economists describe such situations as “two-sided markets”: consumers are on one side, merchants on the other, and the payment system acts as the platform facilitating interactions between them.7F[6] Other examples of two-sided markets include newspapers, shopping malls, social-networking sites, and search engines.

The challenge for any two-sided market platform is to attract and retain sufficient participants on one side of the market to persuade participants on the other side to adopt and stay on the platform, thereby making the system self-sustaining and maximising the joint net benefits of the platform to all participants.8F[7] To achieve this, platforms must allocate the costs and benefits of the system among the various parties, which is typically done by charging different fees to the different sets of participants on each side of the market in such a way as to create an equitable and efficient balancing.9F[8] Often this means that participants on one side will pay a larger share of the overall costs than participants on the other side.

Take newspapers, which as noted are a classic example of a two-sided market, with consumers on one side, advertisers on the other, and the newspaper acting as the platform in the middle. In essence, advertisers seek to target their adverts to specific consumers, while consumers are mainly interested in reading news, opinions, and other content. A newspaper thus provides content that appeals to consumers so that they read the paper. By attracting readers who might also view advertisements, the newspaper is able to sell advertisements, which help to cover the costs of producing and distributing the newspaper.

In the case of payment-card systems, the larger the number of holders of cards from a particular system (e.g., Visa, Mastercard, or American Express), the larger will be the number of merchants willing to accept cards on that system. Meanwhile, the larger the number of merchants that accept cards on a particular system, the larger will be the number of consumers who wish to hold cards on that system.

Maintaining such a system is challenging and expensive. In no small part, this is because payments are subject to counterparty risks—in particular, risks of default (non-payment), fraud, and theft. This problem so bedevilled early payment cards that many floundered within a few years.[9] The systems that succeeded did so because they figured out how to encourage adoption by both sides of the market and to limit counterparty risk. This entailed the introduction of effective security systems, setting appropriate liability rules, and charging fees that covered all the costs of operating the system. Perhaps most importantly, the systems that flourished were those that realised merchants had stronger incentives than consumers to bear the costs of the system, due to the significant benefits they receive, and introduced fee structures that reflected those incentives.

In three-party card systems, the merchants’ transaction fee is charged directly by the system operator. In four-party systems, merchants pay acquirers a “merchant service charge” (MSC), which includes the acquirer’s processing costs and the “interchange fee.” The default interchange fee is a charge made by the system operator that is paid to the issuer (in the form of a deduction from the amount sent by the issuer to the acquirer when settling the transaction).[10] In addition, the system operator charges fees to both acquirers and issuers, called “scheme” and “processing” fees, that cover the system costs. Figure II, which is taken from the PSR, provides a simplified schematic of the four-party card system. In practice, there are often other parties involved, including payment gateways and payment processors.[11]

Figure II: Simplified Schematic of Four-Party Card Payment System

SOURCE: PSR[12]

As discussed below, the various three- and four-party payment systems have been engaged in a decades-long process of dynamic competition in which each has sought—and continues to seek—to discover how to maximise value to their merchants and consumers. Card-payment systems also compete with other payment methods, including legacy methods such as cash and cheques, as well as the many methods that have emerged more recently, such as online transfers of various kinds. This has involved considerable investment in innovative products, including more effective ways to encourage participation, as well as the identification and prevention of fraud and theft.

Payment-card systems seek to optimise interchange fees to maximise the benefits of the system to participants on both sides of the market. Revenue from these fees thus covers a wide range of things, including: system operations, card issuance, customer service, fraud prevention and resolution, rewards, fraud-protection cover, and car-rental insurance (where these are offered). Moreover, these services are today often offered for free to cardholders (no annual fee) or even at a negative price, such as when rewards are provided. Finance charges on revolving balances also generate substantial revenue, much of which covers the costs of underwriting, servicing, and charge-offs on credit balances.

Similarly, many banks provide free current accounts to those who maintain positive balances (and in some cases even fee-free overdraft facilities up to a limit). The costs of such accounts are covered by other charges, including debit-card interchange fees.

III.    Misunderstanding the Economics of Payment Systems

While it may seem iniquitous for a platform to charge one side of the market more than the other, it is often efficient and ultimately socially beneficial.[13] In the case of payment systems, if the operator sets the price too high for some consumers, they will be unwilling to use the platform; similarly, if the operator sets the price too high for some merchants, they will not be willing to use the platform.

Since one side of the market is typically more price sensitive than the other side, joint net benefits are maximised when participants on the less price-sensitive side of the market incur a greater proportion of the system costs. This enables overall greater participation in the system, thereby achieving greater economies of scale. In the case of card-payment systems, the relatively large benefits merchants receive from accepting cards makes them less price sensitive than consumers, so it makes sense for them to pay a larger share of the transaction fees. This was true even when cards were a tiny fraction of payments and there were few, if any, competing cards for consumers to choose among. This demonstrates that it is not due to any perception among merchants that they lack choice.

The ineluctable benefits of such cross-market subsidies have, unfortunately, often been misconstrued as harmful by regulators, especially in markets where there are few competitors. In many cases, what seems to have happened is that the economies of scale entailed in the development and maintenance of certain systems has meant that only a small number of competing firms can operate efficiently. Regulators typically assume axiomatically, however, that the largest firms in markets with only a small number of competitors have a dominant position that has been created and is reinforced by those firms’ anticompetitive conduct. They thus automatically view all such conduct with suspicion.

Globally, there are many card-payment systems, although most of these operate only at a national level.[14] In the UK, as the PSR notes, two payment systems, Mastercard and Visa, represent the vast majority of consumer-debit and credit-card transactions.[15] But as the history shows, these large market shares were acquired through the development of technologies and rules that limited fraud and other counterparty risk, as well as by improving the efficiency and efficacy of payments, thereby creating enormous benefits to both consumers and merchants. While all markets are imperfect when compared to theoretical models of “perfect competition,” there is simply no evidence of “market failure” that might justify regulatory intervention.

It is also worth noting that, while card payments represent a large proportion of retail payments in the UK, they represent a relatively small fraction of all payments. Table 1 shows the value of payments made using various non-cash methods over the year from November 2021 to October 2022. This excludes higher-value payments settled directly over CHAPS, which accounted for more than £90 trillion in value.[16] As can be seen, the vast majority of payments were made over BACS and the Faster Payments systems, while cards (debit and credit) accounted for only about 11 per cent.

Table 1: Transaction Values of Selected UK Payments Systems, November 2021-October 2022

SOURCES: PayUK[17] and UK Finance[18]

A.      A Brief History of Payment-Card Systems

While merchant-specific charge cards had existed since the early 20^th Century, the first multi-merchant payment-card systems in the United States were Diners Club and American Express. These were and in most cases are three-party cards; that is, they operate a closed ecosystem in which they have direct relationships with both merchants and cardholders (Amex now also acts as a third-party provider).[19]

Diners Club began in 1950 as a limited-purpose card that could be used at restaurants.[20] Starting with restaurants in New York City, the card gradually expanded to other cities and other hospitality services before becoming fully multipurpose. In 1953, Diners Club became the first international payment card, with acceptance in the UK, Canada, Cuba, and Mexico. International expansion continued gradually and, by 1967, Diners Club had a presence in 130 countries.

The American Express Card started as an alternative to Travellers’ Cheques, which were an already-popular payment product.[21] From an initial presence in the United States and Canada, American Express expanded its card issuance internationally in 1972.

While numerous banks experimented with their own credit cards, the first truly successful such card venture was BankAmericard, which began in 1958.[22] Initially a three-party card operated exclusively by Bank of America, in 1966, Bank of America began issuing licenses to other banks.[23] In 1970, National BankAmericard became a separate company owned by its member banks and, in 1976, it was rebranded as Visa.[24]

The precursors to Mastercard were regional associations of U.S. banks that had developed in response to restrictions on branch banking in 15 states, which meant that banks could only operate as individual units.[25] In 1966, several of these regional associations formed the Interbank Card Association (ICA), which established the authorisation, clearing, and settlement rules for all the banks in the ICA.[26] In 1969, ICA rebranded its cards as Interbank: the Master Charge card and, in 1979, the ICA became MasterCard.

The history of credit cards in the UK is similar. Finders Services was the first payment-card operator in the nation, launching its charge card here in 1951.[27] In 1962, Finders Services merged with Diners Club, becoming the UK’s first international payment card.[28] Amex followed in 1963.[29] Then, in 1966, Barclays became the first international licensee of BankAmericard, initially launching the Barclaycard as a charge card.[30] The following year, the Bank of England issued the first license to operate a credit card to Barclays and Barclaycard became the UK’s first credit card.[31] Barclaycard became a founding member of International BankAmericard Inc (IBANCO) when that was formed in 1974.[32] In 1977, IBANCO was rebranded Visa.[33] From 1981, Visa International was reorganised into five semi-autonomous international divisions, with their own boards and operational regulations, but subject to framework rules set at headquarters.[34]

The history of Mastercard in the UK is intertwined with Eurocard, which was founded in 1964 in Sweden and moved its corporate base to Belgium in 1965, from where it operated a pan-European not-for-profit association of card-issuing banks.[35] In 1968, Eurocard and the Interbank Card Association formed a strategic alliance. In 1971, Lloyds Bank, Midland Bank, National Westminster Bank, and (slightly later) Royal Bank of Scotland/Williams and Glyn formed a joint venture, the Joint Credit Card Company (JCCC), which launched the Access credit card in 1972.[36] In 1973, Access purchased a 15% share of Eurocard and, the following year, joined the Interbank Card Association.[37] In 1992, MasterCard merged with Europay International (which itself was a merger of Eurocard and Eurocheque).[38] In 1996, MasterCard purchased Access.[39]

B.      Dynamic Competition in Payment Systems

This brief history of the evolution of payment-card systems over the past 70 years shows how those systems gradually expanded. Underpinning that expansion was a process of dynamic competition, with payment networks continuously innovating ways to increase their security, scale, and efficiency. Among the major technological innovations have been:

• The plastic card (previously, cards had used card stock).
• Electronic systems for authentication, clearing, and settling transactions.
• The magnetic stripe (magstripe) and associated data standards, which enabled more secure authentication.
• The personal identification number (PIN), which was initially developed to enable the use of cards to withdraw cash directly from bank accounts using cash machines.
• The EMV Chip—developed by a consortium of card networks that initially comprised Eurocard, MasterCard and Visa (EMVCo)—stores card information using public-key encryption technology and sends a one-time token to the POS machine. EMV chips are more difficult to “skim” than magstripes and, because the card number is not shared with the POS machine, dramatically reduce the potential for hackers to steal and use stored card information from merchants.
• Contactless Tokens (cEMV), which are similar to the tokens produced by EMV Chips and enable similar protections for contactless transactions, whether using a card or a mobile phone.
• Address verification (AVS), which is mainly used during card-not-present (CNP) transactions, such as telephone and online sales.
• The card verification code (CVC/CVV), which is a three- or four-digit number unique to the card that is not held in merchant databases, and which is also primarily used during CNP transactions.
• Two-factor authentication (2FA) entails the use of at least two independent proofs that the card user is legitimate, such as the CVV and a one-time password. 2FA is most commonly used for CNP transactions but is also sometimes used as a second line of defense for point-of-sale (POS) transactions identified as unusual.
• Machine-learning-based systems that identify potentially fraudulent transactions by comparing transactions in real time with cardholders’ spending patterns, enabling issuers to block transactions.
• 3D-Secure (3DS), which is an authentication system developed by EMVCo primarily for online transactions. It is a two-stage process: stage one involves using the information sent in the first (authorization) message to check against a cardholder’s profile; if the proposed payment fits the profile, it is permitted, and if not, then the cardholder is asked to complete 2FA on the transaction.[40]

We are now so used to making payments with cards that it is difficult to imagine just how important these innovations have been, let alone the scale of investment that went into them (and the many others, including those that were rejected or discarded). With that in mind, it is worth noting the dramatic impact of the introduction of one of the more recent innovations: contactless cEMV tokens. Over the past decade, these have facilitated a veritable revolution in contactless payments made using cards and cell phones. As Figure III shows, the number of contactless payments in the UK grew from almost nothing to more 1.2 billion by the end of 2021, representing about half of all card-payment-system transactions.

Figure III: Number of Contactless Payment Transactions, UK, 2015-2021 (Millions)

SOURCE: Statista[41]

Contactless payments dramatically reduce the time needed to complete a transaction at checkout, relative to cash or chip and PIN, with clear benefits for both merchants and consumers.[42] During the COVID pandemic, the ability to transact without touching a terminal or signing a payment-authorization slip also reduced the cost and difficulty of complying with rules intended to limit exposure through contact.[43] In addition, cEMV has gradually been integrated into public-transport systems, enabling riders on buses and trains in London, and increasingly across the UK, to use their payment card or mobile phone to tap in and out, eliminating the need for cash or additional transactions.[44]

There have also been many important innovations in incentive systems, the most notable being:

• Merchant liability for non-authenticated fraudulent transactions above a certain minimum amount, which incentivises merchants to undertake authentication.
• Prohibiting merchants who accept cards from a payment system from discriminating against that system by imposing surcharges on payments made using that system.
• Guaranteeing zero liability for card users who have been subject to fraud on certain conditions (such as that the card user has notified the issuer that their card has been stolen).
• Various forms of insurance, including purchase protection, return protection, extended warranty protection, cell-phone protection, price protection, rental-car liability protection, and travel insurance.
• Rewards, including cashback and merchant-specific rewards (often on co-branded cards)

By offering these incentives, card issuers encourage adoption and use by cardholders. In addition, merchant-specific rewards encourage loyalty to that merchant. And, importantly, these incentives and technological innovations have been made possible by the system of fees, including most notably the interchange fee but also the scheme fees, processing fees, and acquiring fees.

Furthermore, there have been important business-model innovations over time that have improved the scale efficiency, responsiveness, and effectiveness of the systems. As noted, Visa and Mastercard initially deployed quite different ownership and management models. BankAmericard initially adopted a franchise model and then, from 1970, National BankAmericard/Visa operated as a joint-venture company, thereby overcoming conflicts of interest that arose from one bank acting as an issuer and an acquirer, while also setting the rules of the system for other issuers and acquirers.[45] By contrast, Mastercard and Eurocard both began as non-profit associations, which enabled them rapidly to scale, including by absorbing Access (which until then had operated as a profit-sharing joint venture), but this resulted in management challenges. The merger of Mastercard and Europay International in 1992 addressed some of those problems by creating a more streamlined structure and a more coherent global brand. Then, in 2006, MasterCard reorganised as a for-profit company and listed on the New York Stock Exchange through an initial public offering, enabling more centralised decision-making. In 2008, Visa also listed on the NYSE.

In short, the two largest global-payment systems emerged, survived, and thrived first and foremost by identifying and implementing superior solutions to the challenges of building and maintaining payment systems locally, nationally, regionally, and eventually, globally.

The large market share of these two firms operating at a global level is clearly not a consequence of some pre-existing market structure. On the contrary, the structure of the market for payments is a consequence of dynamic competition in technology, incentives, and business models.

C.      The Ongoing Process of Dynamic Competition

This dynamic competition continues, with innovative technologies and new global players emerging and deploying different business models. For example, PayPal offers users the ability to pay for services and goods purchased online and provides them with some of the same protections offered by credit cards, such as fraud monitoring and purchase protection.[46] PayPal operates a dual model in which users may fund payments either using their payment card or by making an ACH transfer to their PayPal account.[47] PayPal also offers users the ability to “buy-now-pay-later” (BNPL) at some merchants, with options either to make four bi-weekly payments with zero interest, or to spread the payment over a longer period (6, 12, 18, or 24 months), paying an interest rate that currently ranges from 0% to 29.99%, depending on the user’s credit score.[48]

In the past decade, several standalone BNPLs have entered the market, including Afterpay, Affirm, Flexpay, Klarna, Sezzle, Splitit, and Zip.[49] In 2021, merchant-payment-gateway provider Square purchased Afterpay, enabling the use of BNPL for in-store purchases in the United States.[50] In the UK, Square has partnered with BNPL provider ClearPay, enabling it to provide a similar offering.[51] Meanwhile, Stripe, another gateway provider, has partnered with several BNPL companies, enabling it to make similar offerings in several countries, including the UK.[52]

When offering zero-interest payment solutions to consumers, BNPLs typically charge the retailer a transaction fee of between 2% and 8%, depending on the consumer’s credit score and the type of merchant.[53] In the United States, Square/Afterpay charges the purchaser a standard rate of 6% plus a transaction fee of 30c.[54] By contrast, when offering longer-term payment solutions, the merchant pays a transaction fee and the consumer pays the interest.[55]

In addition to consumer-oriented BNPLs, there are business-to-business BNPLs. For example, in the UK, Funding Circle’s Flexipay (not to be confused with Flexpay or Payflex, a South African BNPL) offers loans of between £2,000 and £250,000, with the ability to spread payments over three months at an interest rate of 3% (as of the time of writing).[56]

Another example is real-time payments (RTP) systems, such as the UK’s Faster Payment System, which enable users to make near-instant peer-to-peer payments online and using mobile apps.[57] RTP systems typically do not replicate the fraud-protection and other counter-party risk offerings of traditional payment cards, nor do they enable consumers to defer payment, so they are likely less attractive than payment cards for making payments to merchants—especially when those merchants are unfamiliar and/or the size of the payment is large.[58] While the UK’s Confirmation of Payee system has somewhat reduced problems—such as, as the PSR notes,[59] automated push payment (APP) fraud—APP fraud remains very high, leading the PSR to propose that payment-service providers (PSPs) guarantee refunds for fraudulent payments in excess of £100.[60] Such a requirement would impose considerable additional costs on PSPs. By effectively transferring a considerable proportion of liability to those PSPs, it also would reduce payors’ incentives to undertake due diligence on payees. This, in turn, might lead PSPs to introduce more extensive screening of payments, which could well lead to overinclusive restrictions that harm smaller, less well-known but nonetheless legitimate payees.

At the same time, card issuers and payment systems continue to invest in improved methods for verifying the identity of persons making transactions, including most notably the development and deployment of a range of biometric technologies.[61] Meanwhile, many payment-card issuers are partnering with BNPL operators to provide alternative payment options for cardholders.[62]

IV.    The Market Reviews in the Context of the PSR’s Remit

Unfortunately, there is no evidence that the PSR intends to investigate the broader market for payments in the UK, of which payment cards represent only about 11%.[63] Instead, it has proposed to undertake two discrete reviews of very specific and narrow aspects of payments card systems’ operations, seemingly without any intention to consider the implications on the wider ecosystem. This seems doomed to draw inappropriate conclusions.

This section outlines the PSR’s remit and then discusses the two market reviews in the context of that remit, taking into consideration the foregoing discussion of the nature of payment systems and the dynamic competition that has driven their evolution.

A.      The PSR’s Remit

Section 49 of the Financial Services (Banking Reform) Act 2013 (FSBRA) states that “In discharging its general functions relating to payment systems the Payment Systems Regulator must, so far as is reasonably possible, act in a way which advances one or more of its payment systems objectives.”[64] It then lists three objectives: (a) the competition objective, (b) the innovation objective, and (c) the service-user objective, which are defined in the subsequent sections.[65]

Section 50 (1) of the FSBRA states that: “The competition objective is to promote effective competition in—(a) the market for payment systems, and (b) the markets for services provided by payment systems, in the interests of those who use, or are likely to use, services provided by payment systems.”

Section 50 (2) of the FSBRA states that: “The reference in subsection (1) to promoting effective competition includes, in particular, promoting effective competition— (a) between different operators of payment systems, (b) between different payment service providers, and (c) between different infrastructure providers.”

Section 50 (3) of the FSBRA states that:

The matters to which the Payment Systems Regulator may have regard in considering the effectiveness of competition in a market mentioned in subsection (1) include—

• the needs of different persons who use, or may use, services provided by payment systems;

• the ease with which persons who may wish to use those services can do so;

• the ease with which persons who obtain those services can change the person from whom they obtain them;

• the needs of different payment service providers or persons who wish to become payment service providers;

• the ease with which payment service providers, or persons who wish to become payment service providers, can provide services using payment systems;

• the ease with which payment service providers can change the payment system they use to provide their services;

• the needs of different infrastructure providers or persons who wish to become infrastructure providers;

• the ease with which infrastructure providers, or persons who wish to become infrastructure providers, can provide infrastructure for the purposes of operating payment systems;

• the needs of different operators of payment systems;

• the ease with which operators of payment systems can change the infrastructure used to operate the payment systems;

• the level and structure of fees, charges or other costs associated with participation in payment systems;

• the ease with which new entrants can enter the market;

• how far competition is contributing to the development of efficient and effective infrastructure for the purposes of operating payment systems;

• how far competition is encouraging innovation.

Section 51 (1) of the FSBRA states that: “The innovation objective is to promote the development of, and innovation in, payment systems in the interests of those who use, or are likely to use, services provided by payment systems, with a view to improving the quality, efficiency and economy of payment systems.” While Section 51 (2) states that: “The reference in subsection (1) to promoting the development of, and innovation in, payment systems includes, in particular, a reference to promoting the development of, and innovation in, infrastructure to be used for the purposes of operating payment systems.”

Section 52 of the FSBRA states that: “The service-user objective is to ensure that payment systems are operated and developed in a way that takes account of, and promotes, the interests of those who use, or are likely to use, services provided by payment systems.”

It is thus clear that, in principle, the PSR has a broad remit to investigate the functioning of payment systems. As such, it could undertake a broad review that considers the dynamic competition described earlier in this brief.

B.      The Market Reviews

Despite the PSR’s broad remit, it has chosen instead to undertake two very narrow market reviews. There is a grave danger that, in so doing, it will misconstrue the nature of the market for payments.

One is reminded of the rather wonderful 1986 “points of view” TV advertisement for The Guardian newspaper.[66] The ad began with a brief clip, from one angle, of a skinhead apparently running away from something. This was followed by a clip of the skinhead from another angle which shows him apparently trying to steal a besuited gentleman’s briefcase. Then, finally, we were shown an aerial view in which one can see that the skinhead is actually trying to save the other man from being crushed by a pallet of falling bricks. The point being that, if a policeman or other bystander had intervened to stop the skinhead on the presumption that he had committed or was about to commit a crime, based on seeing the situation only from the perspective of the first or second clips, the man in the suit might well have died or been grievously injured. As the advert notes at the end, “It’s only when you get the whole picture you can fully understand what’s going on.”

1.        Market review of UK-EEA cross-border interchange fees

In the case of the market review of UK-EEA consumer cross-border interchange fees, the PSR states:

We want to understand the rationale for and the impact of the rises in CNP IF levels for UK-EEA consumer debit and credit CNP transactions. We are concerned that the ability of Mastercard and Visa to increase these fees is an indication that there are market(s) which are not working well and may not support our statutory competition, innovation or service-user objectives.[67]

Here, the PSR seems to have assumed that an increase in prices is prima facie evidence of market failure. But a mere rise in prices does not provide such evidence. The fact is that, following the introduction of the IFR and prior to Brexit, the IFs were set by the EU, not by the market. Since then, domestic rates have been regulated at the same levels,[68] making it more likely that those IFs were (and, within the EEA, still are) not set at a level that reflects an optimal balance for the payments ecosystem.

Where prices for CNP IFs are set by market participants, they are generally higher than for card-present transactions. This is a straightforward consequence of the higher risks of fraud associated with CNP transactions.[69] Meanwhile, in markets where IFs for international transactions are set by market participants, those IFs include a premium to cover additional costs associated with operating the international system, as well as the higher counterparty risks (fraud and default) associated with such transactions. This leads to two conclusions:

1. The appropriate prima facie assumption of the PSR, in response to the increase in IFRs for UK-EEA CNP transactions, should have been that it is a sign that the market is working well—e., the very opposite of the assumption that the PSR seems to have made.
2. To investigate the appropriateness or otherwise of any IFR, it is necessary to understand fully the market in which it is being applied. In this case, the market is the entire global payments system, since UK-EEU transactions are but a tiny fraction of that system, which as discussed above has evolved over decades. At the very least, it entails a full analysis of both CNP and UK-EEA payments systems, not merely the narrow aspect of (and costs associated with) UK-EEA interchange fees.

2.        Market review of card scheme and processing fees.

In the case of the market review of cards’ scheme and processing fees, the PSR states:

We found that scheme and processing fees (which we referred to as ‘scheme fees’ in the market review) paid by acquirers increased significantly over the period 2014 to 2018 as shown in Figure 1.5 We also found that a substantial proportion of these increases are not explained by changes in the volume, value or mix of transactions.[70]

The PSR has decided emphatically to focus narrowly on how Mastercard and Visa set scheme and processing fees:

We will assess the factors that may influence and constrain how Mastercard and Visa set scheme and processing fees, and the impact of this. Such factors may include:

• The extent of any barriers to entry or network effects involved in setting up and running card payment systems, which alone or in combination may mean that Mastercard and Visa face limited constraints when it comes to setting scheme and processing fees.

• Whether Mastercard and Visa have a ‘must take’ status for merchants, which may mean that Mastercard and Visa face limited constraints from the ability of merchants (and their acquirers) to exercise choice about their acceptance when setting acquirer scheme and processing fees.[71]

Meanwhile, the PSR has already ruled out any consideration of the wider payments ecosystem, noting:

A number of comments in the consultation asked us to consider extending the market review to charges levied by other participants in the payments ecosystem (other card schemes, and other payment methods, including digital wallets). We agree that constraints from other participants and other payment methods could play an important role in Mastercard’s and Visa’s decisions about card scheme and processing fees. The scope of the market review we proposed in our draft ToR, however, would assess competitive constraints that may arise from other participants than Visa and Mastercard, to the extent this applies. We, therefore, do not think that it is necessary to extend the scope of the market review; and so, our market review will focus on card scheme and processing fees.[72]

This is troubling because, as discussed above, the payment systems in the UK and globally have evolved over many decades in such a way as to balance the two sides of the market: merchants on one side and consumers on the other. The fees charged by payment systems reflect this balance, not only within the card-payments ecosystem but also within the wider payments ecosystem of which card payments are only a relatively small part—about 11% in the UK.[73] Moreover, the scheme fees that appear to be a specific focus of the market review are only a small part of the total fees paid during a transaction. Visa offers the following example: when a consumer purchases a jumper for £30 at a small retailer using a Visa card, the MSC would be around £0.63, of which the scheme fee would be about £0.01.[74] So, the question is: why is the PSR focusing on a fee that makes up only 1.6% of the transaction fee and only 0.03% of the total transaction amount?

By seeking to investigate only a subset of card fees and not all the fees—which would necessitate also considering the effects of any adjustments to such fees on related offerings (such as rewards and cobranded cards, insurance, security upgrades, and new payment modes), let alone the wider payments ecosystem)—the PSR precludes a proper analysis of whether the market is operating efficiently.

In sum, intentionally or otherwise, the statements made by the PSR with respect to the terms of reference (ToR) for both market reviews look very much like the regulator has already decided its conclusions and is now looking for evidence to support its case, while expressly avoiding evidence that might point to other conclusions. They are classic examples of asking the wrong question and therefore getting the wrong answer.

V.      Conclusions

Payment systems have developed through a process of dynamic competition that has led to the emergence of extraordinarily complex and finely balanced ecosystems featuring an increasingly wide array of innovative technologies, incentives, and business models. As such, it is a little odd that the PSR should have chosen to undertake several discrete and very narrow reviews, rather than a more comprehensive review.

If the PSR were to undertake a more comprehensive review of payments, which would be more consistent with its remit under the FSBR, it might extend that to the wider payments ecosystem, of which card payments are only a relatively small part—approximately 11% in the UK, if larger payments made over CHAPS are excluded.

Despite stating—in the final ToR for the market review of card schemes and processing fees—that it does not intend to extend the market review, it left a window open by stating: “We expect our thinking to develop over the course of the market review, including the possibility that further issues or areas of analysis are added (if they relate to potential harm to competition, innovation or service users) or some issues are dropped.”[75] One can only hope that such thinking extends to a fuller examination of the payments ecosystem. If the PSR were to adopt such an approach, it might also drop the even more absurdly narrow market review of UK-EEA consumer cross-border interchange fees, a fuller (proper) review of which would entail looking not only at payments in the UK, but also internationally.

 

[1] Market Review of UK-EEA Consumer Cross-Border Interchange Fees, Payment System Regulator (Jun. 21, 2022), https://www.psr.org.uk/publications/market-reviews/mr22-2-1-market-review-of-uk-eea-consumer-cross-border-interchange-fees.

[2] Market Review of Card Scheme and Processing Fees, Payment System Regulator (Jun. 21, 2022), https://www.psr.org.uk/publications/market-reviews/mr22-1-1-market-review-of-card-scheme-and-processing-fees.

[3] Id.

[4] Todd J. Zywicki, The Economics of Credit Cards, 3 Chap. L. Rev. 79, 7 (2000), available at https://digitalcommons.chapman.edu/chapman-law-review/vol3/iss1/6.

[5] Snapshot of Payments in the UK Over Time, Payment Systems Regulator (Jan. 2, 2022), available at https://www.psr.org.uk/media/20ob5wee/payments-over-time.pdf.

 

[6] William F. Baxter, Bank Interchange of Transactional Paper: Legal and Economic Perspectives, 26 J. L. & Econ. 541 (1983); Jean-Charles Rochet & Jean Tirole, Two-Sided Markets: A Progress Report, 37 Rand J. Econ. 645 (2006); see also, Todd J. Zywicki, The Economics of Payment Card Interchange Fees and the Limits of Regulation, International Center for Law & Economics, ICLE Financial Regulatory Program White Paper Series (Jun. 2, 2010), available at http://laweconcenter.org/images/articles/zywicki_interchange.pdf.

[7] Bruno Jullien, Alessandro Pavan, & Marc Rysman, Two-Sided Markets, Pricing, and Network Effects, 4 Handbook of Indus. Org. 485-592 (2021).

[8] Thomas Eisenmann, Geoffrey Parker, & Marshall W. Van Alstyne, Strategies for Two-Sided Markets, Harv. Bus. Rev. (Oct. 2006), https://hbr.org/2006/10/strategies-for-two-sided-markets.

[9] David L. Stearns, Think of it as Money: A History of the VISA Payment System, 1970–1984, PhD Thesis, University of Edinburgh, at 42–43; Timothy Wolters, Carry Your Credit in Your Pocket: The Early History of the Credit Card at Bank of America and Chase Manhattan, 1 Enterprise & Society 315, (2000).

[10] In some cases, the interchange fee is established bilaterally by agreement between issuers and acquirers. The default interchange fee applies when such agreements are not in place.

[11] See, e.g., UK Payment Processing Companies & Merchant Account Providers, MerchantSavvy, https://www.merchantsavvy.co.uk/payment-processors (last visited Feb. 22, 2023).

[12] PSR, supra note 1, at 13.

[13] Zywicki, supra note 6.

[14] For example, 10 EU members had a domestic card scheme in 2018: Card Payments in Europe- Current Landscape and Future Prospects, European Central Bank (Apr. 2019), https://www.ecb.europa.eu/paym/intro/mip-online/2019/html/1904_card_payments_europe.en.html.

[15] PSR, supra note 2, at 7.

[16] Payment and Settlement Statistics, Bank of England (Feb. 16, 2023), https://www.bankofengland.co.uk/payment-and-settlement/payment-and-settlement-statistics.

[17] BACS Monthly Volumes and Values 1990-2022, Pay.uk (2023), https://newseventsinsights.wearepay.uk/media/iyral1oo/historical-monthly-payment-statistics-1990-to-dec-2022.xls.

[18] Card Spending, UK Finance (Feb. 16, 2023), https://www.ukfinance.org.uk/data-and-research/data/card-spending.

[19] Emily Sherman & Holly Johnson, Understanding Third-Party American Express Cards, credicards.com (Mar. 30, 2022), https://www.creditcards.com/card-advice/american-express-third-party-cards.

[20] Diners Club History, Diners Club International, https://www.dinersclub.com/about-us/history (last visited Feb. 22, 2023).

[21] Who We Are, American Express, https://about.americanexpress.com/our-company/who-we-are/who-we-are/default.aspx (last visited Feb. 22, 2023).

[22] Stearns, supra note 9.

[23] Id.

[24] Id.

[25] Dave Ahern, The Amazing Story of Mastercard: History and Making Money, eB (Nov. 10, 2021), https://einvestingforbeginners.com/the-history-of-mastercard-daah/#:~:text=of%20America%2C%20ironically.-,How%20Did%20Mastercard%20Start%3F,became%20known%20globally%20as%20Visa.

[26] Brand History, Mastercard, https://brand.mastercard.com/brandcenter/more-about-our-brands/brand-history.html (last visited Feb. 22, 2023).

[27] 1963: American Express Comes to Britain, BBC, http://news.bbc.co.uk/onthisday/hi/dates/stories/september/10/newsid_3031000/3031968.stm (last visited Feb. 22, 2023).

[28] Id.

[29] Id.

[30] Stearns, supra note 9, at 120.

[31] BBC, supra note 27.

[32] Stearns, supra note 9, at 120.

[33] Id. at 131.

[34] Id. at 180.

[35] Eurocard (Credit Card), Wikipedia, https://en.wikipedia.org/wiki/Eurocard_(credit_card) (last visited Feb. 22, 2023).

[36] History 1966-72, Access, https://www.accesscreditcard.info/history66-72.aspx (last visited Feb. 22, 2023).

[37] History 1973-77, Access, https://www.accesscreditcard.info/history73-77.aspx (last visited Feb. 22, 2023).

[38] Paul Doocey, MasterCard and Europay Merge to Form a Global Payments Company, BankTech (Jul. 16, 2002), https://www.banktech.com/payments/mastercard-and-europay-merge-to-form-a-global-payments-company/d/d-id/1288945.html.

[39] Sean Brierley, Mastercard and UK Banks Strike 40m Access Deal, MarketingWeek (Apr. 19, 1996), https://www.marketingweek.com/mastercard-and-uk-banks-strike-40m-access-deal.

[40] EMV 3-D Secure, EMVCo, https://www.emvco.com/emv-technologies/3-d-secure (last visited Feb. 22, 2023).

[41] Raynor de Best, Total Number of In-Store Debit or Credit Card Payments that Are Contactless, or Done with NFC, in the United Kingdom (UK) from January 2015 to October 2021, Statista (Jan. 11, 2023), https://www.statista.com/statistics/488054/number-of-contactless-cards-transactions-united-kingdom.

[42] David Bounie & Youssouf Camara, Card-Sales Response to Merchant Contactless Payment Acceptance, 119 J. of Banking & Fin. 105938 (Oct. 2020), available at https://www.sciencedirect.com/science/article/abs/pii/S0378426620302004; Emma Marie Fleck & Michael E. Ozlanski, Cash: Never Leave Home with It? 17 The CASE J. 182–201 (2021), available at https://www.emerald.com/insight/content/doi/10.1108/TCJ-06-2019-0055/full/html.

[43] Adrian Buckle, The Impact of Covid-19 on UK Card Payments In 2020, UK Finance (Jun. 16, 2021), https://www.ukfinance.org.uk/news-and-insight/blogs/impact-covid-19-uk-card-payments-2020.

[44] UK’s First Major Rollout of CEMV Outside of London Commences in Oxfordshire, VIX Technology (Nov. 14, 2016), https://vixtechnology.com/press-release/uks-first-major-rollout-of-cemv-outside-of-london-commences-in-oxfordshire; Dan Balaban, UK Transit Agency Plans London-Style Multimodal Contactless System with Fare Capping, Mobility Payments (Sep. 12, 2022), https://www.mobility-payments.com/2022/09/12/uk-agency-plans-london-style-multimodal-contactless-system-with-fare-capping.

[45] Stearns, supra note 9.

[46] Protection You Need, Peace of Mind You Deserve, PayPal, https://www.paypal.com/us/webapps/mpp/paypal-safety-and-security (last visited Feb. 22, 2023).

[47] Add Cards and Banks, PayPal, https://www.paypal.com/us/digital-wallet/ways-to-pay/add-payment-method (last visited Feb. 22, 2023).

[48] Buy Now, Pay Later with PayPal, PayPal, https://www.paypal.com/us/digital-wallet/ways-to-pay/buy-now-pay-later (last visited Feb. 22, 2023).

[49] Erin Gregory, How Does Buy Now Pay Later (BNPL) Work for Businesses?, Techradar (Mar. 4, 2022), https://www.techradar.com/features/how-does-buy-now-pay-later-bnpl-work-for-businesses; Jaros?aw ?ci?lak, Top 10 Buy Now Pay Later Companies to Watch in 2022, Code & Pepper (May 8, 2022), https://codeandpepper.com/buy-now-pay-later-2022.

[50] Square, Inc. Announces Plans to Acquire Afterpay, Strengthening and Enabling Further Integration Between Its Seller and Cash App Ecosystems, Square (Aug. 1, 2021), https://squareup.com/us/en/press/square-announces-plans-to-acquire-afterpay; Bring in More Business with Buy Now, Pay Later, Square, https://squareup.com/us/en/buy-now-pay-later (last visited Feb. 22, 2023).

[51] John Stewart, As Consumers Embrace BNPL, Square Brings It to the U.K. Across All Platforms, Digital Transactions (Aug. 23, 2022), https://www.digitaltransactions.net/as-consumers-embrace-bnpl-square-brings-it-to-the-u-k-across-all-platforms.

[52] Buy Now, Pay Later, Stripe, https://stripe.com/docs/payments/buy-now-pay-later (last visited Feb. 22, 2023).

[53] Id.

[54] Bring in More Business with Buy Now, Pay Later, Square, https://squareup.com/us/en/buy-now-pay-later (last visited Feb. 22, 2023).

[55] Id.

[56] Free Your Cash Flow with Flexipay, Funding Circle, https://www.fundingcircle.com/uk/payments/flexipay (last visited Feb. 22, 2023).

[57] £1 Million Faster Payments Now Possible, Pay.UK (Feb. 10, 2022), https://newseventsinsights.wearepay.uk/media-centre/press-releases/1-million-faster-payments-now-possible.

[58] Julian Morris, Is Pix Really the End of Credit Cards?, Truth on the Market (Sep. 28, 2022), https://truthonthemarket.com/2022/09/28/is-pix-really-the-end-of-credit-cards.

[59] PSR Finalizes Plans for Wider Implementation of Fraud Prevention Tool, Confirmation of Payee, Payment Systems Regulator, https://www.psr.org.uk/news-and-updates/latest-news/news/psr-finalises-plans-for-the-wider-implementation-of-fraud-prevention-tool-confirmation-of-payee/#:~:text=account%20to%20another.-,Confirmation%20of%20Payee,details%20provided%20by%20a%20payer (last visited Feb. 22, 2023).

[60] PSR Sets Out Proposals to Give Greater Protection Against APP Scams, Payment Systems Regulator (Nov. 25, 2022), https://www.psr.org.uk/news-and-updates/latest-news/news/psr-sets-out-proposals-to-give-greater-protection-against-app-scams.

[61] MasterCard Biometric Card Driving Cardholder Security and Convenience, MasterCard, https://www.mastercard.us/en-us/business/overview/safety-and-security/authentication-services/biometrics/biometrics-card.html (last visited Feb. 22, 2023); Fingerprint Authentication Moves from Phones to Payment, Visa, https://usa.visa.com/visa-everywhere/security/biometric-payment-card.html (last visited Feb. 22, 2023).

[62] Kimberly Palmer & Melissa Lambarena, Buy Now, Pay Later Already Comes Standard on Many Credit Cards, Nerdwallet (Dec. 9, 2022), https://www.nerdwallet.com/article/credit-cards/buy-now-pay-later-is-already-standard-on-some-credit-cards.

[63] Supra Section III.

[64] Financial Services (Banking Reform) Act 2013, c. 33, §49 (UK).

[65] Id.

[66] The Guardian, Cannes Lion Award-Winning “Three Little Pigs Advert”, YouTube (Feb. 29, 2012), https://www.youtube.com/watch?v=_SsccRkLLzU.

[67] PSR, supra note 1, at 7.

[68] The Interchange Fee (Amendment) (EU Exit) Regulations 2019, SI 2019/284, https://www.legislation.gov.uk/uksi/2019/284/contents.

[69] Board of Governors of the Federal Reserve System, Changes in U.S. Payments Fraud from 2012 to 2016, Federal Reserve (Oct. 2018), https://www.federalreserve.gov/publications/2018-payment-systems-fraud.htm.

[70] PSR, supra note 2, at 5.

[71] Id. at 10.

[72] Id. at 7.

[73] See Section III above.

[74] Paying with Visa: How Retailers and Consumers Benefit, Visa (Oct. 22, 2020), https://www.visa.co.uk/visa-everywhere/blog/bdp/2020/10/20/what-happens-when-1603211979840.html.

[75] PSR, supra note 1, at 11.

The blistering pace at which the European Union put forward and adopted the Digital Markets Act (DMA) has attracted the attention of legislators across the globe. In its wake, countries such as South Africa, India, Brazil, and Turkey have all contemplated digital-market regulations inspired by the DMA (and other models of regulation, such as the United Kingdom’s Digital Markets Unit and Australia’s sectoral codes of conduct).

Read the full piece here.

European Union officials insist that the executive order President Joe Biden signed Oct. 7 to implement a new U.S.-EU data-privacy framework must address European concerns about U.S. agencies’ surveillance practices. Awaited since March, when U.S. and EU officials reached an agreement in principle on a new framework, the order is intended to replace an earlier data-privacy framework that was invalidated in 2020 by the Court of Justice of the European Union (CJEU) in its Schrems II judgment.

Read the full piece here.