© All rights reserved to Barnea Jaffa Lande Law offices


Regulation of Payment Services in Israel – Latest Developments

The Regulation of the Engagement in Payment and Payment Initiation Services Law, promulgated on June 6, 2023, will come into effect in a few months (on June 6, 2024). This law will obligate companies engaging in payment services to obtain a license from the Israel Securities Authority (ISA).

 

Since its inception, the ISA has released various directives and regulations in accordance with the law, along with drafts of important directives applicable to license applicants. These documents outline the regulatory framework and expectations for potential license holders. All of the directives examine the corresponding arrangements under the relevant European regulations: the Payment Services Directive (PSD2) and the Electronic Money Directive (EMD).

 

The ISA’s publications in recent months do not reflect the final version of the directives, but indicate the ISA’s approach when regulating payment services.

Exemption from the Licensing Requirement

The purpose of the proposed exemption regulations is to define the entities exempt from the licensing requirement, under the exemption alternatives prescribed in the law for entities providing payment services on a limited scale, at a limited sum, to a small number of customers, or in a small number of transactions. The proposal focuses on exemptions for activities in a closed system.

 

According to the draft, entities providing payment services, provided the payment service does not include money transfers to and from Israel, will be exempt from the licensing requirement in each of the following alternatives:

 

Limited Scale of Activities

Issuance of means of payment or acquiring of payment transactions at sums not exceeding ILS 5 million per month.

 

Regarding payment account management, an entity will fulfill the limited scale and limited sum criteria if the daily value of the balance of customers’ funds does not exceed ILS 5 million and the maximum sum a payment account can accumulate is ILS 1,500, or, if the payment account is designated for use by a particular payer, ILS 3,000.

 

Closed System

Service enabling a payer to purchase products or services from the controlling shareholder of the payment service provider, an entity controlled by the payment service provider, or an entity controlled by the controlling shareholder of the payment service provider, provided the maximum sum a payment account can accumulate is ILS 1,500, or, if the payment account is designated for use by a particular payer, ILS 3,000. The purpose of this directive is to apply it to issuers of inter-chain gift certificates, which aim to enable purchases in stores within the same chain or group and thus fulfill the closed system requirement.

 

Benefit Plans

The licensing obligation will not apply to retailers engaging in sales of products or services and providing payment services to their customers who are members of a benefit plan under their management, i.e., to point plans and other similar benefit plans operated by retailers.

 

Upon the promulgation of these exemption regulations, an examination of the exemptions from the consumer provisions of the Payment Services Law, as set out in the Payment Services Regulations (Exemption from Provisions of the Law), will also be necessary. Please note that these regulations grant reliefs and exemptions only in relation to nonreloadable means of payment not issued to a particular holder (anonymous gift cards) at sums of up to ILS 1,500. Their term was intentionally limited, with the intent to align in the future with the licensing exemptions.

 

The second aspect the draft addresses is the “commercial agent exemption” under PSD2 and situations in which online platforms act as intermediaries between sellers and buyers and charge a fee for the service, which also includes money transfers from buyers to sellers (such as e-commerce websites, food delivery websites, etc.). Within this context, the ISA did not adopt a designated exemption, similar to the arrangements in effect in some European countries, and focused on an exemption according to volumes of activity. Therefore, such platforms, whether they provide service to both parties or only to one, must consider if they fall within the exemption based on the financial scope of the transactions or if they need to apply for a license.

 

The draft also includes a proposal to amend the Seventh Addendum to the law that excludes particular services from the definition of “payment services” and therefore also from the licensing obligation. According to this proposal, payment companies will be able to offer currency conversion services that are not incidental to payment services, at a volume not exceeding 10% of the volume of the payment company’s activities, without having to obtain a financial asset service license.

 

The updated directive is scheduled for promulgation by early April 2024.

Licensing Procedure

On February 28th, the ISA published for public comments proposed rules for applying for a payment services license or basic initiation services. This draft outlines the procedures for submitting a license application, both for new applicants and for those requesting to migrate to a payment license from their license or receive an additional license.

 

In addition, the draft includes provisions relating to foreign license applicants seeking to operate in Israel and the mechanism for applying for exemption from certain requirements of the law based on foreign supervision.

 

The draft details the documents required as part of the licensing process, referencing both the scope of the process and the manner in which the ISA will examine the applications.

 

The applicant must specify, inter alia, the types of payment services it intends to engage in and present a business plan addressing the manner in which it will offer services. The applicant must also detail execution and settlement arrangements, customer fund custody arrangements, an outsourcing framework, and marketing activities, as well as provide documents attesting to organizational structure, the controlling owners and the control structure, officers’ identities, compliance with equity and insurance requirements, and more.

 

A significant portion of the draft is dedicated to the technological aspects of the IT systems and business continuity, for which a draft of technological regulations has been published.

 

Regarding foreign companies and foreign license holders, the draft notes that a foreign company must specify how it can comply with the law and how the applicable provisions can be enforced.

 

Additionally, a foreign license holder seeking exemption from certain legal provisions will submit a license request according to the procedure and requests for specific exemptions under Israeli law while addressing the following points: the foreign law it is subject to, the type of license it holds, the identity of its foreign regulator, and the foreign regulatory framework that regulates this subject, all supported by appropriate documentation.

The draft is open to public comments until March 31, 2024.

Technological Means and Information Security

The ISA published for public comments a proposal for a directive for license holders or approved licensees for payment services or basic initiation services in the matter of technological means and information security.

 

The draft focuses on the technological requirements payment service providers must comply with. Already at the stage of submitting the license application, an opinion from an auditor on the applicant’s compliance with these requirements will be required.

 

The ISA notes that the regulations are built on several pillars and are based on the guidelines of the European Banking Authority regarding the management of information security risks and guidelines for license applications in the field of information technology, as adopted by the FCA in England.

 

Inter alia, license holders and license applicants must comply with the following conditions:

 

  • Implementing best practice standards in the field of information technology and information security in accordance with the regulations.
  • First and foremost, complying with corporate governance requirements with respect to information technology risk management.
  • The corporation’s board of directors is responsible for formulating the data management strategy, the risk management policy, and the audit plan, and for appointing appropriate officers, including an information security officer (ISO). The ISO will operate independently in its role, separate from the technological activities of the license holder and from the audit functions.
  • The corporation will appoint an auditor with expertise in information systems, who is not in conflict of interest with the license applicant. This auditor will conduct independent and impartial audits of the license applicant’s IT systems.
  • Presenting an information technology strategy as part of the business strategy. This plan will require a review at least once every three years.
  • Adhering to obligations in the area of information technology risk management and mitigation. The emphasis in the regulations will be on setting measurable goals, risk appetite determination, monitoring, and remediation.

 

License applicants must implement various requirements regarding the information held in information systems. This demands a comprehensive information security plan covering all aspects, including corporate governance, logical security, and physical security.

 

The regulations also address principles of information technology operations management – efficiency, documentation, and monitoring – for various systems according to their criticality to business operations. They also address various aspects related to the management of development and procurement of information systems, in order to ensure that all technological developments meet the required standards for information security and risk reduction.

 

According to the regulations, license holders must address issues of business continuity management, response, and recovery according to the norms accepted in financial systems.

 

Another issue addressed in the regulations relates to the management of customer (user) relationships: providing options for users to manage certain payment functions, disable them, and receive notifications, as well as support for information security and privacy issues.

These requirements will not exempt payment service providers from complying with the provisions of the Privacy Protection Law and the regulations enacted thereunder.
To read the full draft (in Hebrew), click here. The draft is open for public comments until March 31, 2024.

Regulation of Minimum Equity

This draft directive regulates the minimum equity required pursuant to Section 25(a) of the law for licensees by virtue of the law. This draft proposes an equity model comprised of two main components:

 

Initial Capital Requirement

The regulatory framework mandates an initial capital requirement for those applying for payment services licenses or approval of basic payment initiation services. Additionally, licensees or permit holders must fulfill ongoing capital requirements. These measures are aimed at evaluating and quantifying the risks associated with their activities, ensuring that they maintain sufficient financial resources to manage these risks effectively.

 

The draft differentiates between the various payment services in order to ascertain the risk involved in the service using a “next risk” scale. For instance, a money remittance service poses the lowest degree of risk (clause a), while a payment account management service poses the highest degree of risk (clause d).

 

Every company must fulfill the initial capital requirements component according to the following details:

 

  1. Payment remittance service only – minimum initial capital of ILS 80,000.
  2. Basic or advanced payment initiation service – minimum initial capital of ILS 200,000.
  3. Services of issuing means of payment and acquiring payment transactions (excluding payment remittance services) – minimum initial capital of ILS 500,000.
  4. Payment account management – minimum initial capital of ILS 1,400,000.

 

According to the proposal, any company applying to engage in the provision of more than one service must hold minimum capital on the application filing date at the highest level among the relevant minimum initial capital requirements.

 

The proposal also prescribes that any payment company not holding a license to provide credit, which is applying to engage in the provision of credit incidental to payment transactions, must hold an additional sum of minimum capital on the license application filing date according to its classification in the cumulative credit scale, i.e., at the volumes required pursuant to the Supervision of Regulated Financial Services Law.

 

The ISA will consider these requirements at the license request stage, as provided by the license procedure.

 

 

Current Capital Requirement for Companies with Limited Volumes of Activity

The regulator will define the current capital requirement as a percentage of the payment company’s average monthly volume of activity.

 

According to the proposal, the initial equity will, in fact, be the minimum capital requirement, even for companies with limited volumes of activity.

 

Companies that provide only basic or advanced payment initiation services must hold initial capital only and will not have to hold minimum current capital. However, these companies must maintain professional liability insurance or a deposit as a supplementary means to the initial capital, similar to the provisions applying to companies providing financial information services that the ISA considers as having some affinity with payment initiation services.

 

The draft directive also proposes that the ISA should be able to order a particular company to hold additional equity at a ratio not exceeding 20% of the capital requirements according to the directive, if it finds that the company is not holding adequate capital considering the company’s volume of activity. To read the full draft, click here (in Hebrew).

Safeguarding and Protecting Customers’ Funds

The law regulates the safeguarding and protection of customers’ funds transferred to a payment company for providing payment services, emphasizing it as a crucial principle. This ensures the security and integrity of customers’ funds within the payment system. This principle is anchored in Section 24 of the law, which prescribes that customers’ assets must be kept separate from the payment company’s assets.

 

Within the scope of a proposed directive to payment companies regarding the safeguarding and protection of customers’ funds (in Hebrew), the ISA recommends prescribing several key directives.

Custodians

Defining entities (custodians) that may hold customers’ funds for payment service providers:

  1. A banking corporation.
  2. The postal bank.
  3. A licensee for the provision of deposit and credit services.
  4. A stable payment service provider (the three incumbent credit card companies).
  5. Banks licensed outside of Israel that are included in a specific list of countries, likely to include the following: European Union member states, Switzerland, the United Kingdom, the United States, Singapore, Hong Kong, and Australia.

The custodian must have a rating from one of the rating companies according to that prescribed in the directive.

 

Investments of Customers’ Funds

The draft directive proposes that payment companies may only invest in low-risk, highly liquid assets. It also proposes to prescribe additional conditions under which payment companies may apply to the ISA for a permit to invest in additional assets. Another proposal is to prescribe that the average lifetime of the funds and assets through which a company safeguards its customers’ funds should not exceed 60 days, in order to maintain the liquidity of the investment. Additionally, the draft directive states that payment companies must formulate a clear and transparent interest payment policy and design and maintain internal and external controls to ensure the adequacy of the interest entitlement and payment process.

 

Volumes of Insurance

The draft directive suggests that insurance coverage or guarantees should exceed the amount retained by the company to manage fluctuations in its customers’ funds effectively. This ensures the company can handle positive changes in fund balances without risk. In addition, the terms of the insurance policy should guarantee coverage in instances of insolvency. Maintaining such an insurance policy is not compulsory, but rather is an alternative that payment companies can use.

 

Corporate Governance and Control Arrangements

The draft directive suggests implementing organizational arrangements and mechanisms to reinforce the segregation of customers’ funds from the company’s assets, aiming to reduce the risk of financial harm due to fraud, failure, or negligence. These measures aim to enhance customer protection and ensure greater accountability within the financial system. The proposed arrangements take their basis from European regulation and include:

 

 

  • Rules about when and how payment companies must deposit customers’ funds.
  • Formulation of a comprehensive policy for safeguarding customers’ funds, as approved by the board of directors.
  • Obligation to appoint a senior officer responsible for the company’s compliance with the directives regarding the safeguarding of customers’ funds.
  • Obligation to perform a risk assessment of entities retaining customers’ funds before engaging with them and on an ongoing basis.

 

 

 

Prohibition of Money Laundering

Following a round of public comments, the regulator published an updated version in November 2023. This draft order is structured similarly to other Prohibition of Money Laundering Orders, with several adjustments to cover payment services.

The order proposes to exclude “payment cards” from the definition of a “payment account,” provided the potential cumulative balance is limited to an equivalent of up to ILS 1,000 and the cumulative loadable sum per calendar year does not exceed ILS 10,000.

This order’s key innovation is less stringent identification procedures for low-risk, basic payment initiation services.

 

Similar to the previous orders, this order eases the rules governing transactions in closed and semi-closed systems.

 

The draft order also allows payment companies to opt to continue reporting pursuant to the Banking Order or the Financial Service Providers Order during the interim until a determined date.

 

To read the full draft, click here (in Hebrew).

Fees Regulations

In November 2023, the ISA plenum approved the draft fee regulations, which will impose fees on payment service licensees and license applicants.

 

According to the draft, the ISA intends to impose a fee for registration as a payment service provider, as well as an annual fee. The registration fee will be payable already upon submission of the license application, with an eye toward the complexity of examining applications. The regulator will determine the annual fee licensees must pay according to the anticipated supervision costs. The rate of the fee will depend on the volume and type of activity requested.

Foreign Corporations’ Access to Financial Systems in Israel

The law prescribes that foreign corporations holding a license to engage in payment services in a foreign country will be able to receive various exemptions in the licensing process from the ISA, provided the ISA is indeed convinced the corporation abroad is under adequate supervision.

 

Foreign payment service providers from recognized countries (the EU, UK, or USA) have already received an exemption allowing them to begin offering services in Israel under particular conditions.

 

The Bank of Israel has announced that it will allow foreign payment companies from recognized countries that fulfill the exemption criteria to begin the process of joining as participants in a payment services system, in order to encourage their entry. They will be able to do so without actually commencing purchasing activities and before submitting a license application enabling the provision of services in Israel.

Honesty and Integrity

The ISA previously published a list of circumstances warranting examination of supervised entities’ reliability (in Hebrew). This list will also apply to applicants for a payment services license.

 

This is a uniform examination of all supervised entities, including those providing payment services and payment initiation services.

 

Circumstances requiring an examination of reliability, and which may result in the revocation of a license or permit or the rejection of a license application, include not only criminal investigations, but also findings of civil proceedings, findings of audits and customer complaints, and instances of insolvency.

 

Companies seeking to obtain a license, to appoint officers, or to engage with investors who must obtain holding or control permits should examine the list of circumstances in order to assess the transaction’s prospects.

 

***

 

Barnea Jaffa Lande’s Regulation Department and Partner Anat Even-Chen are at your service to answer and guide clients through the new regulation.
