Smart mobility is hot. Fuel, parking, toll fees, on-board entertainment and even subscriptions for seat heating and software features are examples of goods and services which can be purchased through in-car payments. The automotive industry is responding to the global trend and adjusting to diverse consumer needs worldwide by incorporating and building in payment services and electronic money in their vehicles. While we often see that a car manufacturer concludes a partnership with a payment service provider, it is also possible for the car manufacturer to provide in-car payment services itself. In this article, we discuss a few attention points in relation to the in-car payments, such as the license requirement for those parties providing the payment services themselves, integration into the payment system, cooperation with third parties and sharing of payment and customer data.
Licensing requirement: payment services and e-money
The provision of in-car payments may trigger a license requirement of the automotive company as a payment service provider (PSP) on the basis of the Payment Services Directive II (2015/2366/EU, PSDII) or electronic money institution (EMI) on the basis of the Electronic Money Directive (2009/110/EC, EMD), each as amended.
PSDII, as implemented in the Dutch Act on Financial Supervision (Wet op het financieel toezicht, AFS) prohibits anyone to engage in the provision of payment services in the Netherlands without a license granted by the Dutch Central Bank (DCB) or license passported into the Netherlands for that purpose. This license obligation may be applicable to an automotive company allowing customers to pay for goods of services from their payment account, via in-car payments, to the account of the vendor of those goods or services. In this case, a payment service may be provided by the automotive company if it is involved in the payment flow between the payor and payee. Secondly, a set of procedures that facilitates in-car payments may qualify as a payment instrument, with the automotive company being the issuer of such payment instruments, thereby qualifying as a PSP.
Besides the provision of payment services, the AFS also prohibits the issuance of electronic money (e-money) without a license granted by DCB for that purpose. E-money is defined as a monetary value, which (i) is stored electronically or magnetically (e.g., on a server or chip), (ii) represents a claim against the publisher, (iii) is issued in exchange for money; and (iv) can be used to make payment transactions to anyone other than the issuer. These so-called prepaid products, such as plastic gift cards or the electronic equivalent, are often used to pay in (web) stores. When customers can deposit money in a digital wallet linked to their vehicle prior to their trip, for example in order to recharge, settle toll charges or park using the money in that wallet during their trip, this qualifies as electronic money, for which the issuer as a starting point requires a license as an EMI.
Although in principle a license is required for the provision of payment services and issuing e-money, exemptions may be available. For instance, so-called small PSPs or EMIs can use an exemption from the licensing requirement but need to be registered with DCB under a light regime. In this regard, a small PSP means that the average amount of payment transactions does not exceed EUR 3 million per month (over the past 12 months). Similarly, a small EMI issues e-money in the Netherlands only, and the value of the financial obligations in relation thereto is on average below EUR 5 million (over the past 12 months). Furthermore, payment instruments or electronic money that can only be used within a limited network of providers or for a limited range of goods are also exempted from the licensing requirement (such as a public transport card, customer card or fuel card). Please refer to our earlier news update on the limited network exclusion.
Car manufacturers may choose to partner with an existing PSP or EMI in respect of the payment flows in relation to the in-car payment service. If a license holder is responsible for the issuance of e-money and/or the provision of payment services, and the automotive company is not involved in the payment process, it does not require a license for the offering of smart mobility solutions. Involving a third party in the payment process may however trigger other attention points, one of which is ensuring a smooth payment process, involving not only the existing PSP/EMI, but also the vendor, such as a petrol station, and the banks where the payment accounts of customers are held.
Data protection and privacy
An important concern for car brands offering in-car payment services is the topic of data protection and privacy. Car brands may process personal data when offering in-car payment services, such as financial data, but also biometric data, for example, when using fingerprint or facial recognition of drivers to authenticate their in-car payments. As a result, these car brands (either established in the EU or processing personal data of data subjects in the EU) are subject to the General Data Protection Regulation (GDPR), which amongst others, provides for requirements regarding inter alia (i) accountability, (ii) transparency (iii) the engagement of data processors, (iv) data security, (v) data breach reporting, and (vi) (international) data transfers. In addition, car brands should be aware that the processing of biometric data is in principle prohibited under the GDPR, unless an exemption applies, for instance: in case the data subject has given his/her explicit consent thereto or (for the Netherlands specifically) in case it is necessary for authentication or security purposes. Furthermore, certain conditions should be met prior to the processing of biometric data. In such case, for example, data protection impact assessment must be carried out.
Similar attention points are applicable when partnering with a third-party PSP or EMI when offering smart mobility applications when sharing customer data (e.g., financial data and biometric data). Depending on whether the car brand and the PSP/EMI qualify as (joint) controller or processor of the data, either a joint controller agreement (if both parties qualify as controller) or a data processing agreement (if a party qualifies as controller and a party qualifies as processor) needs to be concluded prior to the sharing of the data. If the data is shared with a party located outside the European Economic Area, the rules of (international) data transfers as provided for in the GDPR must also be complied with.
What to do?
To conclude, smart mobility applications in the automotive industry provide many chances, both for car manufacturers and customers. It should carefully be considered whether any financial regulatory requirements, such as licensing as a PSP or EMI, and attention points in the field of data privacy are relevant to the smart mobility application. If you wish to receive further information on the licensing requirements for PSPs/EMIs in the Netherlands or need further guidance about the privacy/data protection rules, our multidisciplinary Automotive team is available to help you out and is happy to discuss these topics in more detail with you.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
