Online Payment Systems Technology in China—Trojan Horse or Forbidden Fruit?

September 15, 2015

Powerful new computational technology pioneered in e-commerce presents Chinese regulators with potential concerns and solutions to the perennial problem of information, pricing, and settlement capacity.

Online payment systems,[1] which harness speed-of-light telecommunications with powerful algorithmic and encryption technologies, have the power to bring trustworthiness (or make trustworthiness irrelevant) to whole classes of human transactions that previously required the intermediation of various types of agents (such as financial intermediaries) to overcome trust issues in anonymous interactions that arise from distance or scale factors. In the United States (and western Europe), pioneers of this technology have been, up until now, the beneficiaries of a central government approach that thus far has declined to reflexively or precipitously impose extensive central regulation over a budding technological disruption absent clear and present systemic risk of (a) fraud or unfairness to the market, (b) operational disruption to settlements, or (c) threats to national security (Core Risks). The presumptive first approach is dialogue between the regulatory and business communities and the pragmatism to give disintermediation a chance to overcome malevolent gaming or inadvertent error risks. The main obstacle, instead, is often entrenched technology interests. [2]

Chinese regulation of online payment systems—and the response of innovators, especially in the e-commerce space—start from a different philosophical premise. In China, there is little analogue to US-style “federalism” (in which federal agencies such as the Consumer Financial Protection Bureau and the Federal Trade Commission share oversight responsibilities with state bodies, such as the state attorney generals and state banking authorities). Equally significant, with few exceptions (most notably the banks that some of the e-commerce providers have themselves set up), the banks comprising the Chinese banking/payment ecosystem are all controlled by the government (notwithstanding that all the major banks are also publicly traded). Relative to their US peers, these innovators are required to be yet more intrepid. Thus, “[i]t is better to ask for forgiveness than permission.” Ultimately, the conflicts of interest among regulators, banks, and privately owned payment systems may resolve by means of profit and fee allocation (rent and tax), but the balance will be necessarily tilted in favor of the banks.

Online payment systems have as their chief potential policy benefits—aside from customer satisfaction—(a) the reduction of settlement times and therefore risk, (b) increased transparency of information regarding pricing and participant identity and fraud detection, and (c) greater security. The Chinese policy ambition is to patiently and under a watchful regulatory eye spur these admirable aspirations. This is to be accomplished under the control of banking institutions administered by the China Banking Regulatory Commission (CBRC) and payment systems administered by the People’s Bank of China (PBOC) and nonbank financial institution “paying institutions” (also administered by the CBRC)—the chief commercial interest of which is customer satisfaction--play an important instrumental but subordinate (controlled) role. The entry fee into this market is a willingness to be controllable, which presents a paradox to foreign competitors and, to some extent, even to “domestic” companies that operate and/or have listed abroad.

Substantive regulation and licensing requirements imposed by the Chinese government permeate the entire ecosystem composed of the Internet, information technology infrastructure, retail and related logistics and distribution, and media. In practice, these areas (and, in particular, online payment systems) are not clearly open to foreign investment or operation. Also in practice, foreign competitors in the online payment space have resorted either to the “variable interest entity” (VIE) structure[3] to participate or to self-curtail the scope of their activities in China. Famously, a leading e-commerce business (to the chagrin of its major foreign shareholders) terminated its own VIE arrangement with its online payment affiliate in 2011—notwithstanding many companies’ continuing VIE arrangements in other industries—because of the conventional wisdom that the payment system as it fell under PBOC jurisdiction was even more sensitive in matters of foreign investment than other telecommunications, media, and technology sectors.

Safety and Soundness

The safety and soundness of the payment system in China is regulated principally by the PBOC, which promulgated the Administrative Measures of the PBOC on Payment Services Provided by Non-Financial Institutions (September 1, 2010). These measures forbid entities that are not CBRC regulated from engaging in online payment, issuance or acceptance of prepaid cards, or bank card acceptance, unless they obtain a Payment Business License from PBOC. In any such case, a nonfinancial institution must entrust custodial functions over money to banks  and comply with anti-money laundering laws, as well as know-your-customer and business continuity requirements. Although these nonfinancial institutions cannot hold or use customer excess reserves, their paid-in-cash capital cannot fall below 10% of the aggregate of such reserves.

Starting in 2014, the CBRC has been embroiled in controversial rulemaking about the subject of bank network security, “informationization” of banking, and bank technology.[4] As supervisor over the safety and soundness of the members of the payment system, the CBRC is responsible for the integrity of the data and source codes used, stored, and employed by banks, and the Edward Snowden revelations instilled fear that reliance on foreign technology and its embedded source codes could undermine the CBRC’s ability to exercise control in this area. The dilemma, which caused CBRC to temporarily withdraw its proposal to require foreign bank technology providers to submit source codes and encryption keys to the authorities in China, is that only foreign technology is currently capable of performing critical banking operations (whether for domestic or for foreign-owned banks).

Consumer Protection and Data Security

Under the PRC Consumer Rights Protection Law, as amended, e-commerce platforms can be held to joint and several liability with the seller and/or manufacturer of the goods/services sold on such platforms. This liability, grounded in tort, imposes a duty of care on such platforms in terms of knowing their vendors and knowing their products, which at a minimum requires platforms to provide authentic contact details of such providers and establishes liability when platforms knowingly or negligently allow the sale of defective or fake goods or other infringements of consumers’ rights. This law also restricts the ability of such platforms to use customer data, except with the explicit, informed consent of the customer. Other sources of law that buttress customer rights over personal data provided online to such platforms include the 2012 Decision on Reinforcing the Protection of Internet Information of the Standing Committee of the National People’s Congress and the 2013 Provisions on Protecting the Personal Information of Telecommunications and Internet Users of the Ministry of Industry and Information Technology (MIIT).

The PBOC has proposed further draft rules (Administrative Rules on Online Payment Business of Non-Bank Payment Firms, July 31, 2015) with regard to customer documentation, account opening, settlement limits, and customer data for payment firms.

Allocation of transaction fees within the online payment ecosystem, among banks, Unionpay (which is the utility that currently holds a monopoly on all RMB card settlements in China as the sole domestic bankcard association approved by PBOC for this purpose[5]) and the payment channel are regulated by the National Development and Reform Commission (NDRC). The NDRC has stipulated that these fees should stand in a ratio of 7:1:2.

National Security

Given the political sensitivities of the integrity of the payments system and consumer rights combined with the current dependency on foreign technology of banking organizations in China with respect to the clearance and settlement of RMB-denominated transactions (let alone cross-currency transactions), there is an inherent national security element to the regulation of online payment systems and their content. Various administrative bodies play a role in such regulation, including the MIIT, the newly established Cyberspace Administration of China, Ministry of Public Security, and Ministry of National Security.

Although the present leadership is committed to reducing the role of government in the market in general, its attitude toward Core Risks is that “it is better to be safe than sorry” and that it (the government and its instruments, such as banks), through the notion of control, is best placed to ensure safety and avoid sorrow. Online payment systems and their cutting-edge coding and encryption technology are, to the Chinese, as alluring as a Trojan Horse or forbidden fruit, at once (at least in the case of the most cutting-edge technology) an affront to Chinese vulnerability and a potential answer to the Chinese quest to be master-maker of markets instead of perennially dependent on technology and prices made abroad. But the leading US and European banks will not lightly cede their traditional mastery in this area.

[1]. As used herein, “online payment systems” refers generally to the chain of transaction processes from pricing to purchasing to settlement done in an electronic, automated, real-time manner over the Internet or a subset thereof, including but not limited tobusiness-to-customer retail commerce and business-to-business interbank transactions.

[2]. Leading banks are recognizing that central clearing and exchange-based trading, brought on by the Dodd-Frank Act, and online payment systems, if seen to address Core Risks better than traditional banking, could undermine the raison d’etre of traditional banking. For example, the US banking sector, in part spurred by competitive considerations, increasingly is agitating in favor of greater regulation of online nonbank payment systems and services. A spirit of creative destruction is spurring other (mostly non-US) banks directly to participate (by ownership and operation) in radical technologies such as distributed ledger technology (BlockChain, which harnesses [and rewards] massive computing power around the globe to solve encryption problems to render secure a cascading chain of market-making, clearance, and settlement across a variety of asset classes). Aside from making customers and counterparties happier, such technology might lead to reduced regulatory capital costs that would otherwise arise from the myriad of risks that accompany longer settlement times, potentially across a wide range of asset classes.

[3]. Under a VIE structure, typically used to provide foreign investors with exposure to industries restricted to foreign investment by Chinese law, a licensed and regulated Chinese operating company (the VIE) enters into a series of contracts with the wholly owned subsidiary of a foreign company. Pursuant to these contracts, various economic rights flow to such subsidiary, allowing the parent to financially consolidate the economics of such VIE without having any ownership interest therein. Various legal and commercial considerations, including common ownership interests (of Chinese residents) in the VIE and the foreign parent and collateral arrangements, may (but do not necessarily always do) provide sufficient incentive for the VIE to comply with its contractual obligations.

[4]. See Guiding Opinions of CBRC on Strengthening the Banking Network Security and Informationization Development Through Application of Secure and Controllable Information Technologies (September 3, 2014); Notice of the General Offices of the CBRC and MIIT on the 2014-15 Guidelines for Secure and Controllable Information Technology in the Banking Industry (December 26, 2014); and CBRC Explanation Relating to the Banking IT Guidelines (February 12, 2015).

[5]. In a long-awaited response to World Trade Organization (WTO) requirements, the State Council issued Decision of the State Council on Implementing Access Administration of Bank Card Clearing Institutions (June 1, 2015) as a first step in opening up bankcard clearance and settlement to the qualifying Chinese subsidiaries of qualifying applicants from WTO member states.