In light of the current state of the art of the new proposed European legal instruments for the payments industry, my advice to cross-border ecommerce providers on mitigating the regulatory risks would vary depending on the moment in time. If I were giving the advice right away, when the initiatives have still not been enacted, there are mainly three must-do things that cross-border ecommerce providers should consider:
Firstly, it is key to keep up to speed, on a daily basis, with the new initiatives and their side-effects for the business (which is one of the reasons why networking events, like the Visa Europe Risk Acceptance Forum, are so important for sharing knowledge and expertise with other players in the industry), and to provide input within one’s own company when needed, especially to:
The Board of Directors.
The Information Technologies and Security departments (for them to perform a technical impact assessment before the deadline).
The Finance Department (for them to allocate enough resources conveniently to become compliant).
Secondly, cross-border ecommerce providers should engage with policymakers so that they are fully aware of the business implications of the proposed measures, as these policymakers are not focused on them in their day-to-day operations. To achieve this goal, Payvision became a member of the European Payment Institutions Federation (EPIF), giving us the opportunity to discuss and influence the legislative process with the aim of shaping the future framework such that a competitive internal European market for payments is feasible.
Thirdly, to mitigate regulatory risks, cross-border ecommerce providers should plan actively and imagine themselves in the worst-case scenario, in case there are no changes to the proposals’ wording.
Once the proposals are finally approved (especially if there are no changes to the currently proposed requirements), I would suggest that all the players active in the cross-border ecommerce arena should:
Seek guidance from regulators, especially in those gray areas, where the onus of interpreting the letter of the law correctly lies with the providers.
Adopt holistic (or risk-based) compliance systems, avoiding a rigid (‘one size fits all’) approach, as this way it is easier to adapt to future rule changes and to integrate with the rest of the business processes (ongoing internal training is very important in this respect). Today’s reality is fairly fluid, and rules are supposed to cover this, so it’s better just to stick to this fact as far as possible.