While I was in the UK, I noticed how common it was for people to pay for their transactions by simply tapping their smartphone or smartwatches via payment terminals, apparently via Google Pay or Apple Pay (GPAP for brevity). It was perhaps payment convenience at its best. This is why I was elated to learn recently that the Bangko Sentral ng Pilipinas (BSP) announced that Google Pay and Apple Pay (GPAP) services are not required to obtain an Operator of Payment System (OPS) license to offer their products in the Philippines because “[BSP] deemed them not to be an OPS because their activity is not an OPS activity.”

However, the question that immediately arose was “why?” What do these tech giants do that kept those specific services outside the regulatory sphere? One of the key concerns businesses have, particularly in terms of compliance, is whether the options they have (or they think have) fit the existing (usually patchwork of) regulatory framework/s of a particular jurisdiction. In other words, does a particular business model operate within or outside a regulatory framework, and if it does, fully or partially, is there a work-around that is both commercially and legally viable. This however would usually be a two-way scenario.  

On one hand, businesses may interpret this as highlighting the need for enhanced regulatory clarity, particularly with respect to operational implementation. On the other hand, regulators may see this as a call to deepen their understanding of the diverse business models in the market, in order to accurately determine in advance which specific activities fall within or outside the scope of an intended regulation.

Both perspectives of course have their own challenges. Let’s take the case of an OPS as an example. Under the law, an “operator” is “any person who provides clearing or settlement services in a payment system, or defines, prescribes, designs, controls or maintains the operational framework for the system” whereas a “payment system” refers to “the set of payment instruments, processes, procedures and participants that ensures the circulation of money or movement of funds.” The BSP in turn articulated that an OPS is a person that performs, among others, the following functions

 

1.       “maintains the platform that enables payments or fund transfers, regardless of whether the source and destination accounts are maintained with the same or different institutions.” The BSP provides the following as examples “owns or operates a computer application system that enables payments or fund transfers” or one that “allows accounts of system users to be linked to their accounts with other financial institutions (Fls) (e.g., deposit account, e-money account, credit card account).” For instance, a platform that allows account holders of financial institution X to be able to top-up their account by transferring the account holders’ funds held by E-wallet provider Y can be an example of an entity covered in this example.

 

2.     “operates the system or network that enables payments or fund transfers to be made through the use of payment instruments.” BSP provides examples such as one that (i) Provides a system or network infrastructure that enables payments and financial services of FIs” or (ii) “Transfers payment information (e.g., card transaction details) to and from participating institutions.” The latter example may evoke well-known entities such as Mastercard or Visa, whose trademarks are prominently featured on most credit and debit cards out there. However, such deduction may be more complex than it seems.

For one in 2022, the Supreme Court discussed that every credit card transaction involves three contracts, namely: 

a.     Sales contract between the credit card holder and the merchant or the business establishment that accepted the credit card;

b.     Loan agreement between the credit card issuer and the credit card holder (once the credit card issuer has approved the credit card holder’s purchase request) and

c.      promise to pay between the credit card issuer and the merchant or business establishment.

One other contract that was left out however is the contract entered into between the merchant and an acquirer (i.e., institution that accepts and facilitates the processing of the credit card transaction which is initially accepted by the merchant). This means that the existence of such contract is not as obvious as it may seem.  For another, these international card networks are not BSP-OPS license holders. In short, their activity seems covered by the regulation but not by actual regulatory practice.

Revisiting points one and two above, the key phrase appears to be 'enables payment or fund transfers.' However, the term 'enables' is broad and may encompass activities that arguably should/may not fall within the intended regulatory scope. Thus, it is not surprising that in December 2024, the BSP’s position regarding the possible availability of GPAP in the Philippines was: “They’re exploring, and then we had a discussion on their activities. And then, it was clear to us that they touch the payment system. So because of that, we deem them as operators of payment systems. Therefore, they need to register. That’s our guidance.” How then did the “[BSP] deemed them not to be an OPS because their activity is not an OPS activity” just a few days ago?

At the very least, this requires us to very briefly analyze as far as practicable (i.e. legal submissions from Google and Apple itself may be the best source of what, from a legal lens, it exactly does) what ordinarily happens “behind the scenes” when a user uses GPAP.

A user must possess a device equipped with GPAP—either pre-installed or downloaded—and have registered their payment card details within the respective digital wallet (i.e., GPAP). Once the user holds his/her device near the payment terminal to pay using GPAP, the latter generates a token (instead of the user’s card details), which is sent to and received by the merchant’s Point-of-Sale (POS) system together with the transaction details. These data in turn are transmitted to the merchant’s payment processor, which may or may not be the provider of the physical POS terminal (hardware). The processor in turn forwards the transaction details to the relevant card network, which in turn identifies the user’s bank (issuer bank) from whom the user’s funds/credit would come. If the issuer bank approves the purchase, this is relayed back up to the merchant’s POS causing the merchant to issue a receipt in favor of the user.

At no point thus did GPAP operators collect, receive, store, or possess the user’s funds in the payment process. What they appeared to have done is simply (at least for our present purpose) to add an additional layer of privacy and security in the payment process. But that alone does not satisfy the law’s definition of what an “operator” is – “controls… the operational framework for the system…” - and/or of what a “payment system” is -- “[that which] ensures the circulation of money or movement of funds.” This means that even if their service seems to “enable payment or fund transfers” if such “enabling” feature does not otherwise (i) amount to collecting, receiving, storing, or possessing the funds and/or (ii) normally constitute “operating” a “payment system” then the activity is NOT an OPS activity. This last clause is important because, as mentioned, one that “transfers payment information (e.g., card transaction details) to and from participating institutions” (like a card network) does not also necessarily collect, receive, store, or possess the user’s funds in the payment process and yet such activity, at least on paper (although not necessarily by regulatory practice), is classified as an OPS activity.

In sum, the BSP’s recent pronouncement offers partial clarity on what constitutes an OPS activity. However, the extent such pronouncement may serve as useful guidance in future legal interpretations or regulatory contexts, especially for the other different types of OPS activities under BSP Circular No. 1049 vis-à-vis actual business models involved in a payment process, remains to be seen.