Online Marketplaces: Navigating the Regulatory Landscape for Seamless Transactions

The Evolution of Online Marketplaces

Online marketplaces have revolutionized the way we buy and sell goods and services. From on-demand services and B2B online marketplaces to crowdfunding and the sharing economy, these online marketplaces have unlocked access to global customer bases, expanded consumer choices, and enabled sellers to scale their businesses like never before.

In the tech-savvy world of e-commerce, where innovation is the name of the game, you know the drill: disrupt, innovate, and adapt.

For all online marketplaces offering goods and services, the path to growth is intertwined with a complex web of regulations. European regulators aim to ensure customer protection, prevent money laundering, and enforce fair competition rules in response to technological advancements.

Payment processing lies at the very foundation of how an online marketplace functions. Yet, it’s not just about seamlessly facilitating transactions but also about ensuring compliance with various critical regulatory frameworks. The journey to thriving in this digital era involves mastering a multifaceted regulatory landscape, a daunting task for many online marketplaces.

\\ Payment Processing

The PSD2 revolution

Back in January 2018, the emergence of the Payment Services Directive (EU) 2015/2366 (PSD2) marked a significant turning point in the financial world. It introduced groundbreaking requirements aimed at fostering innovation and competition, which aided the rapid expansion of the FinTech industry, and, most importantly, at protecting consumers.

Let’s reflect on key changes introduced by PSD2:

  1. Enhanced Security: The strong customer authentication (SCA) requirement compelled businesses to bolster security measures, leading to a decrease in fraud and building stronger customer trust.

  2. Data Access: Embracing APIs and open banking not only ensured compliance but also improved payment processes, delivering a more seamless experience for users.

  3. Compliance Pays Off: Adhering to the PSD2 and related regulations proved to be more than just a box-ticking exercise. It opened doors to the FinTech industry, to new markets and fostered valuable partnerships, enhancing business prospects.

Regulated Payment Services under PSD2

In the European Union, the following activities are categorized as regulated payment services:

  1. Operating a payment account and facilitating deposits and withdrawals from the account. For example, holding funds on behalf of a merchant in a bank account and settling them according to the merchant's instructions.

  2. Carrying out payment transactions, such as processing payments from customers to merchants.

  3. Issuing payment instruments or acquiring payment transactions. This includes activities like acquiring and processing credit card transactions.

  4. Money remittance, which involves transferring funds from a payer to a payee.

  5. Payment initiation services, which refer to initiating payments, like bank transfers, from a customer's bank account to a merchant.

  6. Account information services, which involve providing consolidated or aggregated information about payment accounts held with payment service providers.

Understanding Online Marketplace Operations

1. Contractual Setup

Most online marketplaces operate as intermediaries, facilitating transactions between buyers and sellers without directly selling products or services themselves. In this setup, the online marketplace does not receive payments owed by buyers to sellers. Instead, the seller contracts directly with the buyer, and the buyer owes a payment to the seller. The online marketplace passes on the economic risk and certain financial, legal, and tax obligations to the seller. These obligations may include product liability, returns, VAT requirements, and licensing or insurance requirements for certain products or services.

The contractual setup of online marketplaces, where the online marketplace facilitates but does not make sales itself, is crucial for their economic success. Online marketplaces often include specific language in their contracts with sellers to clarify their role as facilitators rather than sellers. This contractual arrangement allows online marketplaces to operate within the legal framework and create a seamless buying and selling experience for their users.

2. Payments Setup

Although buyers owe payments to sellers, we have seen many online marketplaces manage payments themselves, again acting as intermediaries between buyers and sellers. However, in this setup, when a buyer makes a payment for a product or service, the online marketplace receives the payment and subsequently pays the seller. As a result, this flow of payments does not align with the contractual liability between the buyer and the seller. The online marketplace receives the payment owed to the seller but does not settle or extinguish the buyer's debt to the seller.

In the eyes of PSD2, managing payments in this manner is considered a regulated activity. Online marketplaces that take possession of or control funds beneficially owned by the seller are considered to be providing regulated payment services and thus are typically required to obtain a payments license, unless they fall within an exemption.

3. Commercial Agent Exemption

Online marketplaces have historically relied on the “commercial agent” exemption under the Payment Services Directive (EU) 2007/64/EC (PSD1) to avoid triggering licensing requirements. This exemption applied when an online marketplace was acting as a commercial agent authorized to negotiate or conclude the sale or purchase of products or services on behalf of the seller or the buyer. The buyer's payment is considered to be made to the seller via the commercial agent (the online marketplace). However, the commercial agent exemption underwent significant changes under PSD2.

PSD2 clarifies that the commercial agent exemption is only available when a commercial agent acts solely on behalf of either the payer or the payee, but not both. If an online marketplace acts on behalf of both the payer and the payee, it can only avoid licensing requirements if it does not possess or control funds.

4. Regular Occupation or Business Activity

In addition to the commercial agent exemption, online marketplaces should consider whether their payment services constitute a "regular occupation or business activity." PSD2 confines licensing requirements to service providers who offer payment services as a regular occupation or business activity. The nature and scale of an online marketplace's payment services determine whether they fall within this category. Online marketplaces that provide payment services as a regular occupation or business activity, rather than as ancillary services, are more likely to require licensing under PSD2.

5. Limited Network Exemption

Online marketplaces may also explore the “limited network” exemption, which applies to a narrow range of activities such as closed-loop payments. However, even if an online marketplace falls within the limited network exemption, it may still be required to notify the relevant regulator if its payment transactions exceed €1 million in a 12-month period. The regulator may then assess whether the online marketplace needs to obtain a payments license.

Using a PSD2 Licensed Provider

Numerous licensed payment service providers in the European Union are now offering specialized payment solutions for marketplaces to ensure that online marketplaces are not involved in handling funds. As mentioned earlier, considering the commercial realities, most online marketplaces aim to facilitate sales rather than directly making sales.

Key benefits of using a PSD2 Licensed Provider:

  • Major payment service providers establish contractual agreements with both the seller and the online marketplace to handle the settlement of payments to the seller and fees to the online marketplace, ensuring segregation between the online marketplace’s own funds and the funds of its sellers.

  • At no point does the online marketplace have possession or control of the funds owed by the buyer to the seller. Instead, these funds are directed to a regulated client money bank account held by the payment service provider for the benefit of the seller.

  • The payment service provider disburses the funds to the seller, sparing the online marketplace from the significant regulatory and compliance burden associated with obtaining a payments license or falling under an exemption.

Important considerations when using a PSD2 Licensed Provider:

  • It is important for online marketplaces to check and ensure that the payment service provider they are using is duly licensed in the appropriate jurisdictions where they are offering their services under the applicable rules to avoid being caught under the relevant licensing requirements.

  • Review carefully the terms of service offered by the payment service provider to understand the risks and liabilities that may fall on the online marketplace as ‘merchant on record,’ which may require negotiations and revisions.

\\ GDPR: Safeguarding User Data in the Digital Age

In an era where data is considered the new currency, the General Data Protection Regulation (EU) 2016/679 (GDPR) came into effect as a game-changer for online marketplaces. GDPR, enforced since May 2018, was designed to enhance data protection and privacy for European citizens, impacting businesses worldwide. For online marketplaces operating in Europe, GDPR compliance is not just a legal obligation but a strategic imperative.

Key aspects of GDPR for online marketplaces:

  1. User Consent: GDPR mandates clear and transparent consent mechanisms. Online marketplaces must ensure that users provide informed consent for data collection and processing.

  2. Data Minimization: Online marketplaces should collect and retain only the data necessary for the purposes specified, reducing the risk of data breaches.

  3. Data Subject Rights: GDPR grants users the right to access, rectify, and erase their personal data. Online marketplaces must have mechanisms in place to facilitate these rights.

  4. Data Protection Impact Assessments (DPIAs): For high-risk data processing activities, DPIAs are essential to identify and mitigate risks to user data.

  5. Data Breach Notifications: In the event of a data breach, online marketplaces must promptly notify both affected users and relevant authorities.

  6. Data Protection Officers (DPOs): Appointing a DPO may be necessary for businesses engaging in extensive data processing.

Achieving GDPR compliance in a nutshell:

  • Conduct a comprehensive data audit to identify and classify user data.

  • Implement robust data protection policies and practices.

  • Train your staff to understand and comply with GDPR requirements.

  • Regularly assess and update your privacy policies and consent mechanisms.

  • Collaborate with data protection authorities to ensure compliance.

By prioritizing GDPR compliance, online marketplaces not only avoid hefty fines but also earn the trust and loyalty of their users in an era where data security and privacy are paramount.

\\ AML: Battling financial crime in e-commerce

In the digital age, online marketplaces are not only reshaping the way we shop but are also attracting the attention of financial criminals. Like any technology-driven solution, online marketplaces have opened the doors to new types of criminal activity. To stay ahead of the curve, cybercriminals are constantly looking for new ways to take advantage of weaknesses in online transactions. The inherent anonymity of the internet works to their benefit, making it easier to engage in a broad spectrum of crimes, including fraud and money laundering. To combat financial crime effectively, online marketplaces must adhere to AML requirements (under the 4th Anti Money Laundering Directive (EU) 2015/849 (4AMLD), as amended by the 5th Anti Money Laundering Directive (EU) 2018/843 (5AMLD)). This can be a difficult task, especially for online marketplaces that operate in various jurisdictions, necessitating compliance with the laws of each jurisdiction.

Key aspects of AML for online marketplaces:

  1. Know Your Customer (KYC): Implementing robust KYC procedures is crucial to verify the identity of customers and screen them against sanction lists.

  2. Transaction Monitoring: Online marketplaces should continuously monitor transactions for suspicious activity and report any anomalies to relevant authorities.

  3. Customer Due Diligence (CDD): Conduct enhanced due diligence for high-risk customers and transactions, such as large purchases or frequent transactions.

  4. Record Keeping: Maintain records of customer information and transactions to facilitate investigations when necessary.

  5. AML Policies and Procedures: Develop and implement comprehensive AML policies tailored to the e-commerce environment.

Achieving AML compliance in a nutshell:

  • Invest in AML software solutions to automate transaction monitoring and customer due diligence.

  • Train your team to recognize and report suspicious activities.

  • Stay updated with changing AML regulations, adopt customized AML policies, and adapt your practices accordingly.

  • Cooperate with law enforcement and regulatory agencies in case of investigations, while ensuring compliance with data privacy rules.

By adhering to AML requirements, online marketplaces not only protect themselves from legal repercussions but also contribute to the broader effort to combat financial crime and maintain the integrity of the financial system.

\\ Additional Regulatory Considerations

Payment Card Industry Data Security Standard

As credit card fraud is one of the most common crimes that online marketplaces may be exposed to, there are additional considerations to take into account. Online marketplaces that undertake the payment processing themselves (or the licensed PSD2 provider used by an online marketplace not undertaking payment processing) must comply with the Payment Card Industry Data Security Standard (PCI DSS).

The PCI DSS is a set of security standards developed by prominent card schemes American Express, Discover Financial Services, JCB International, Mastercard, and Visa. More specifically, the PCI DSS applies to entities that collect, process, store, or transmit cardholder data and was created to ensure that such entities maintain a secure cardholder data environment. It is important for online marketplaces, regardless of whether they are handling the payment processing or not, to be able to navigate a card fraud dispute. For example, if a victim of fraud requests an online marketplace to stop a transaction because of an alleged card fraud incident, the correct route for the victim is to contact their bank, which will go through the schemes under PCI DSS, rather than the online marketplace. In addition, there are specific rules under GDPR on the instances where an entity can disclose personal data to victims of fraud, their representatives, and law enforcement authorities.

Digital Services Act

Online marketplaces will soon be subject to a variety of new requirements, depending on the nature and size of the services they are offering, under the upcoming Regulation (EU) 2022/2065, known as the Digital Services Act (DSA). These requirements include measures to be taken by online marketplaces to detect and stop illegal content, goods, and services, setting up a complaint-handling system, providing out-of-court dispute settlement mechanisms, ensuring transparent advertising, preserving a high level of privacy and security for minors, and, in general, providing their users with necessary information to make informed decisions when purchasing their goods and services.

Digital Operations Resilience Act

Another framework that online marketplaces will need to consider and start preparing for is the upcoming Regulation (EU) 2022/2554, known as the Digital Operations Resilience Act (DORA). The DORA will apply to various financial entities, including payment institutions, payment institutions exempted pursuant to PSD2, credit institutions, crypto-asset service providers, information and communication technology (ICT) third-party service providers and many more. Entities caught under DORA’s scope will be required to have a sound and comprehensive ICT risk management framework, have policies and mechanisms in place to detect anomalous activities, respond and resolve ICT-related incidents (e.g. cyber-attacks) and develop restoration and recovery procedures and methods.

\\ Final Thoughts

The dynamic nature of the digital commerce ecosystem demands constant vigilance and adaptation. By staying informed, embracing innovation, and adhering to these diverse regulations, online marketplaces can thrive while ensuring trust, security, and compliance in an ever-evolving landscape.

\\ More information

If you would like to learn more about navigating the complex regulatory landscape around e-commerce and marketplaces, please contact us.

Our firm specialises in providing comprehensive legal solutions for all aspects of e-commerce, including compliance with payment services rules, consumer protection rules, data protection, anti-money laundering requirements, and more. We offer expert guidance to ensure your online marketplace thrives while remaining fully compliant in this ever-evolving digital commerce environment.
