2023-07-31
Worldline NZ submits to the Reserve Bank of New Zealand and Financial Markets Authority arguing that its bilateral electronic messaging system does not meet the legal definition of a Financial Market Infrastructure or pure payment system. The company contends that most draft FMI standards are irrelevant to its operations and that designation would impose disproportionate compliance costs without enhancing systemic stability or consumer protection. Worldline further warns that regulatory overreach could stifle innovation, increase merchant fees, and accelerate market dominance by international payment processors.
18 November 2022 Submission: Feedback on draft FMI Standards
WORLDLINE NEW ZEALAND – NON-CONFIDENTIAL 4 14. 15. 16. 17.
Cyber resilience is a manageable operational risk

18. Worldline has been effectively managing its cybersecurity risk long before others even contemplated their own vulnerability. There are existing international frameworks (such as NIST CSF and MITRE ATT&CK) that provide sufficient guidance for FMIs and there are certification standards (such as PCI DSS[4] and ISO 27001[5]) that can be used to provide evidence that an FMI's cybersecurity posture is appropriate. Worldline currently uses a number of these frameworks to help manage its cybersecurity risk and is assessed annually by an independent organisation to provide assurance that its cybersecurity controls are appropriate. The security of information is important to us, and we have invested significant efforts to follow best industry practice to protect information we hold. As an entity that handles cardholder data, we operate in accordance with strict requirements for that data as set out in the PCI DSS. Worldline maintains compliance with the PCI DSS and evidence of its certification is available on request. The increasingly competitive landscape also ensures Worldline is incentivised to continue to invest in security. Any perceived security vulnerability would likely result in merchants and banks moving to other systems.

Rules and standards are managed by others

19. The rules for payments are managed by parties other than Worldline, such as Payments NZ for Eftpos and the international card scheme rules. Worldline itself does not have rules nor does it have participants. If rules are to be designated, then they need a specific framework, and any standards should be tailored to each system. Existing standards should only be used where it makes sense to do so, and they must be proportionate to the size, nature, scope and risk profile of the FMI – one size does not fit all. Worldline itself is held to a high standard via its bilateral contracts with its bank customers and industry requirements, such as PCI DSS.[6]

[4] https://www.pcisecuritystandards.org/
[5] https://www.iso.org/isoiec-27001-information-security.html
[6] https://www.pcisecuritystandards.org/
Worldline is neither an FMI nor a pure payment system

20. The Act states that an FMI “means a multilateral system [emphasis added] for the clearing, settling, or recording [..]” and that “an FMI is a pure payment system[7] if—
a. the FMI is a designated FMI and the FMI’s designation notice specifies under section 29(2)(c) that the FMI is a pure payment system; or
b. the FMI is not a designated FMI but the FMI is a multilateral system solely for the clearing or settlement of payment obligations.” [emphasis added]

21. Worldline operates a bilateral system that records the authorisation of payment transactions, but not the payment obligations themselves. Worldline prepares the files that are used for settlement but does not perform, nor participate in, clearing or settlement functions (as defined in the Act[8]). Worldline’s payment system is not a multilateral system. Worldline clearly falls outside the definition of both an FMI and a pure payment system.

Accordingly, Worldline should not be designated as systemically important

22. As Worldline does not fall within the definition of an FMI nor a pure payment system, it therefore follows that Worldline should not be designated as systemically important. Moreover, no risk has been identified regarding Worldline’s electronic messaging system. Many of the risks identified in the standards are neither relevant nor applicable to the electronic messaging system operated by Worldline. Designation would result in an overly onerous bureaucratic burden and Worldline incurring significant costs for little to no gain.

23. Worldline’s system is safe, secure and reliable, and Worldline manages its operational risks effectively. Neither Worldline nor its customers would benefit from the statutory guarantee for finality of settlement and netting, which is the only upside we see to designation.
Further, there is no practical benefit to society or the payments environment of Worldline being designated over and above Worldline’s current obligation to supply the Reserve Bank with information. In fact, an increased regulatory burden on Worldline could result in increased fees to merchants and consumers to recover the costs associated with regulatory compliance with no increase in protection or upside for consumers. Responding to these regulatory requirements is likely to result in a redirection of resources away from developing new products and services. This change in focus would limit Worldline’s ability to respond quickly to changing market dynamics and lead to barriers to innovation. We would much rather prioritise spending our time and resources innovating to develop better products and services for New Zealanders than on compliance, reporting and monitoring. Furthermore, designation could create a competitive disadvantage for Worldline and accelerate the introduction of global payments processors resulting in a loss of a local payment processor, increased costs for merchants and enhanced risk for the entire New Zealand retail payment system.

24. Internationally, systems that perform interbank clearing and settlement facilities and/or that involve the transfer of funds are designated FMIs. Worldline supports that. Those systems are different to Retail Payment Systems (RPS). Globally, it is uncommon that retail payment systems are identified as systemically important FMIs.[9] Those that are, generally perform clearing and settlement functions — neither of which are performed by Worldline. Despite this, and despite the position held in 2015,[10] the RBNZ continues to decline to confirm that Worldline would not receive a designation notice under section 29(2)(c) of the Act.

25. The risks and issues associated with funds transfer and settlement are far greater than those that arise from the processing of authorisation messages and preparation of files. In saying that, if Worldline is to be designated, then it so follows that other New Zealand-based RPS (such as Verifone and Windcave) and the international card payment schemes (Visa, Mastercard, Amex and UnionPay International) must as well. There has to be a level playing field. The international schemes together have the largest share of retail payment transactions in New Zealand; if anything, they should be considered before Worldline, especially as they perform clearing and settlement services themselves, and the processing takes place outside of New Zealand, making our reliance on their systems all the more risky.

[7] Section 10(2) of the Financial Market Infrastructure Act 2021 https://www.legislation.govt.nz/act/public/2021/0013/latest/whole.html
[8] Section 5 of the Financial Market Infrastructure Act 2021 https://www.legislation.govt.nz/act/public/2021/0013/latest/whole.html
[9] https://www.rbnz.govt.nz/-/media/project/sites/rbnz/files/regulation-and-supervision/financial-market-infrastructureoversight/regulatory-developments/a-framework-for-identifying-systemically-important-financial-marketinfrastructures.pdf?sc_lang=en&hash=DF9D5A31B76F1652CF37C796F1B9307C page 21
[10] https://www.rbnz.govt.nz/-/media/f6db0e7fa10a4b5cb74a403d255cfbc9.ashx?sc_lang=en page 16

Most of the draft FMI standards are not relevant

26. The Reserve Bank has said that the standards should not require operators to do something they cannot do and that an operator only needs to comply with a standard that’s relevant to them.[11] Because Worldline NZ does not hold funds or provide clearing and settlement services, most of the proposed FMI standards do not apply, or will only have partial application. This, in itself, provides a strong indication that Worldline’s system is not systemically important.

27. We consider that the following will not apply to us, in their entirety:
• FMI Standard 4: Credit Risk
• FMI Standard 5: Collateral
• FMI Standard 6: Margin
• FMI Standard 7: Liquidity Risk
• FMI Standard 8: Settlement Finality
• FMI Standard 9: Money Settlements
• FMI Standard 10: Physical Deliveries
• FMI Standard 11: Central Securities Depositories
• FMI Standard 12: Exchange of Value Settlement Systems
• FMI Standard 13: Participant-Default Rules and Procedures
• FMI Standard 14: Segregation and Portability
• FMI Standard 16: Custody and Investment Risks
• FMI Standard 17B: Critical Service Providers
• FMI Standard 19: Tiered Participation Arrangements
• FMI Standard 20: FMI Links

28. We consider that the following will only have partial application:
• FMI Standard 15: General Business Risk
• FMI Standard 18: Access and Participation Requirements

[11] See section 7.11 of https://www.rbnz.govt.nz/-/media/0d633fd56b9d4f0ba62e9684c92d1a97.ashx

Rapid decline in Eftpos, increase in contactless and ecommerce:

29. Covid-19 has changed the way consumers pay. Consumers would rather pay by contactless methods when they are instore. Furthermore, consumers have embraced ecommerce for shopping previously done instore, such as buying their groceries.[12] This changes the dynamic (processing and pricing) of retail payments. Both online and contactless transactions are routed to the acquirer, who passes it to the international scheme, who passes it to the issuer for authorisation. Whereas Eftpos transactions go straight to the issuer for authorisation. This difference in routing makes Eftpos transactions significantly cheaper for merchants to accept. All switch-to-acquirer transactions (contactless and online) are made using international card scheme products which attract interchange fees and scheme processing fees. As Eftpos declines, a competitive constraint on schemes is removed. Contactless transactions are rapidly becoming the dominant instore transaction type. This will be cemented with the initial pricing standard set out in the Retail Payments System Act. The move to scheme products from proprietary Eftpos will pave the way for large international acquirers, such as Adyen and Stripe, to increase market share. Merchants can contract with these acquirers for all their payment needs both online and instore.
Windcave, which is dominant in New Zealand’s ecommerce market, is a payments switch and an acquirer, and it will be best placed to take advantage of this change in consumer behaviour. Worldline suggests that the RBNZ might want to assess how this change in payment type impacts merchant and consumer reliance on acquirers and ecommerce gateways, and the international card schemes.

30. As Eftpos cards are swapped out for contactless debit cards, and ecommerce increases, our reliance on the international schemes deepens, creating risk to the New Zealand financial system on several levels. First, through the potential for limited competitive constraints on the schemes and increased costs to consumers. Second, to the resiliency and independence of New Zealand’s payments infrastructure in the event the schemes cannot (or choose not to) operate. And third, the ability to manage and process data flows securely within New Zealand.

[12] https://www.nzpost.co.nz/about-us/media-centre/media-release/kiwis-spend-767-billion-online-in-2021
Minimise uncompensated and avoided costs

31. The payments industry is navigating its way through several regulatory initiatives. Retail payment service providers are being caught in the regulatory tide despite there being no real problem statement with their systems. We would like reassurance that the Regulators are minimising the uncompensated and avoidable costs of this regulatory regime. There is unlikely to be anything but inefficiency and deadweight costs if Worldline is subjected to routine reporting on, and obtaining approval for, processes, changes, and decisions that up to now, and for the foreseeable future, are undertaken internally by highly capable personnel.

32. Including this FMI regime, Worldline may be subject to three other designation regimes under four different regulators: i) New Zealand Commerce Commission as regulator for the Retail Payment System Act 2022[13]; ii) the RBNZ; iii) the FMA; and iv) potentially a new regulator for the Consumer Data Right.[14] Worldline considers this to be disproportionate for its risk profile and the maturity of its business. Further, the potential for conflict and overlap is significant and determining which regime takes precedence in the case of conflict would be challenging, onerous and dangerous.

Conclusion

Worldline is grateful for the opportunity to submit on the standards relevant to FMIs who perform settlement services. Most of the standards are not applicable to Worldline’s business, indeed only the very general risk management, governance-type standards are relevant (and indeed, these could apply to any mature business across several industries). Worldline already has robust risk management processes in place and has done so for many years. Designating Worldline’s system as systemically important would not result in any tangible benefit for Worldline nor New Zealand society - it would simply result in increased compliance costs.

Worldline would like to have certainty of the Regulators' intentions as regards its electronic messaging system. It would be useful for us to understand what problem RBNZ is seeking to solve in respect of our system, and the risks compliance with the standards would, in practical terms, mitigate. Perhaps it would be beneficial if the Regulators were to facilitate a limited consultation regarding RPS to define the problem statement and determine how the industry and government can best work together to provide the reassurance the RBNZ needs. Worldline would welcome the opportunity to work collaboratively and cooperatively with the RBNZ.

Should you wish to discuss any of the points raised in this submission, please do not hesitate to contact us.

[13] https://www.legislation.govt.nz/act/public/2022/0021/latest/whole.html Note the New Zealand Commerce Commission has suggested that the ‘Eftpos System’ may be the next designated system. Worldline, alongside Payments New Zealand and the issuing banks, would be part of that system.
[14] Government has confirmed that it will legislate for CDR on a sector-by-sector basis, starting with the financial services sector. Worldline may be designated itself or at a minimum, significantly impacted as a service provider to financial institutions.