Alphabet soup

Feature | 13 April 2017

Jonathan Williams asks how all the regulation you're not looking at is going to affect trade and trade finance

The world is undergoing a period of unprecedented regulatory change driven by the need to fight crime, improve financial stability and protect consumers. Since many of the regulations affect only financial institutions directly, many businesses are unaware of the implications.

Regulation in the EU is a good place to start. While much has been said about the impact of EMIR, BASEL III and MIFID, some of the other (more technical) pieces of regulations have received less attention. This is a brief look at some of these and examines what the effects and unintended consequences could be, primarily for businesses.

Payment Services Directive 2

It is a common misconception that the update to the original Payment Services Directive (PSD), or aspects of it, apply only to consumer payments. Natural and legal persons have the same rights and protections and it is therefore essential that businesses, too, assess the impact to their trading operations.

The first implication of PSD2 is the extended scope. It encompasses:

  • All electronic payments starting or ending in the EU; and

  • EU and non-EU currencies.

Many trade payments will now fall within its scope. You must assess processes and procedures previously exempt, so don't assume it's not relevant.

Second, PSD2 mandates strong customer authentication for both electronic payments and remote interactions which could result in fraud or misuse. In essence, strong customer authentication means using two of the following three methods:

  • Something you know;

  • Something you have; or

  • Something you are.

If you're currently using passwords or shared secrets, these fit into the first category and your bank or payment service provider will need to use an additional technology, or more likely two or three,
to authenticate you and your colleagues. So be prepared to train your staff on all the different tokens and biometrics they'll need to use for each bank, which will choose its own technologies.

At the very least, the way that businesses initiate their payments, manage mandates and obtain letters of credit will be subject to these new rules, so businesses must draw up lists of authorised individuals with their bank(s).

Banks may well also change their electronic banking products and you should investigate what changes are made and when.

Third, PSD2 allows regulated third parties to access account information or make payments. This facet of the "Open Banking" initiative is forecast to revolutionise the way consumers and businesses manage their money and make payments.

You should therefore identify your key problems, whether supply chain finance, better working capital management, or simple reconciliation to see how these services could help to solve them.

You must also be aware of the threat. If you can access your accounts through a third party, so, in theory, could criminals. This is why strong authentication is an essential part of the proposal. You must consider protecting or insuring yourself from this form of account takeover.

General Data Protection Regulation

The General Data Protection Regulation (GDPR) strengthens and enforces better protection of data on individuals and as such has a reduced application on business to business transactions. Where it may impact trade and trade finance is in the area of personal contacts, business with individuals and sole traders, or where personal data is part of a service being delivered. Fines (a proportion of global turnover) are potentially huge for multinational organisations and preparation must be taken seriously. While GDPR is a topic for a series of articles in itself, here are some issues to consider.

First, employees at suppliers or customers are assessed as data subjects as are any consumers or individuals with whom you do business, for example micro-enterprises. Ensure you are dealing appropriately with their personal data, which could be as little as an IP address.

Second, are you clear with individuals about why you need their data? There are some exemptions for legal and contractual obligations, but the assumption is the informed consent of the
data subject.

Third, do you have good processes to immediately notify individuals and the relevant authority after a data breach?

Finally, GDPR categorises genetic and biometric data as 'sensitive', which requires additional care. With PSD2 encouraging biometric authentication and some biometric information stored on business-issued mobile devices, is this an area which you need to look into in more detail?


The Fourth Directive on Anti Money Laundering (AMLD4) establishes a risk-based approach for 'obliged entities' to assess payments. While this mainly affects financial and credit institutions, (because it deals with corporate payments) you must play a part in achieving compliance. Key to the risk assessment is the data provided by businesses, so ensure that the bank receives all the information on transfers it requires, or they will fail.

The related Wire Transfer Regulation on data accompanying credit transfers again applies directly to banks, but has implications for business. The main implications are around correctly identifying the parties, such as by name and address, document, or unique identifier. Businesses that do not comply are at risk of having their payments blocked. Some banks have interpreted this requirement strictly and require data in specific formats; you must assess whether it may require work on ERP systems or conversion.

EU banking structural reforms

On the face of it, reforming banking may not seem to be a huge issue for international trade, but the potential for confusion is huge. One key part is the splitting of risky 'casino' banking from the ordinary, consumer savings and loan operations.

In many cases, different legal entities in a banking group will offer commercial accounts from those that cater to SMEs and consumers. Where those accounts do not have separate bank codes today, it is likely that separation will be required which means that your corporate account may be moved to a new bank or branch code, and thus change the international bank account number (IBAN) and bank identifier code (BIC), and possibly the name of your banking providers too.

So while this is purely a banking change, it may have an implication for your invoices, ERP and payment systems and bank agreements. Some transitional arrangements may be made but now is the time to investigate what will be required.

Payment Accounts Directive

This is a piece of EU regulation you may well have missed. This EU legislation gives legal residents of any member states the right to open a bank account in any EU country without discrimination. The implication is that, even if you're paying into an account in Austria, it could be for a Zimbabwean citizen. This may already have increased the complexity of your know your customer procedures, but if not, there may be an assumption of a link between location and citizenship on which you are relying. Finally, the position of the UK within the EU will change as a result of Brexit. If you trade between the two, look out for unintended consequences. In summary, businesses should talk to their banking partners and identify current problems to ensure they can meet their deadlines.

Jonathan Williams is principal consultant at MK2 Consulting

Already registered? Login to access premium content

Give Feedback