New German legislation allows access to the iPhone's NFC antenna

The access to technical infrastructure shall be opened.

As part of the implementation of the fifth Anti-Money Laundering Directive (AMLD5), the German Parliament has decided to require providers of technical infrastructures, such as Apple in relation to the Near Field Communication (NFC) antenna contained in iPhones, to grant access to those technical infrastructures to payment service providers (PSPs). This new legal requirement is applicable since 1 January 2020.

This German initiative comes while the European Commission (EC) is already investigating Apple to determine if Apple has breached the EU competition law rules by refusing to grant access to the NFC antenna to card stored in other e-wallets on iPhones than the Apple Pay e-wallet (e.g. a bank e-wallet).

We address below in turn the background to this German initiative, as well as its provisions and possible outcomes.

What's the problem that the law seeks to address?

Payments with a mobile phone are becoming increasingly popular in Europe. Most of those mobile payments rely on:

- a token, i.e. a dematerialised version of a plastic card, stored either on the phone (e.g. in the Secure Element (SE)) or in the cloud, and

- an exchange of data between that the phone and the merchant's contactless terminal, through the phone's NFC antenna (or chip).

NFC-based mobile contactless payments differ from mobile payments based for example on the user scanning a QR code with the phone's camera and other interfaces such as sound or video recording.

To our knowledge:

- all large phone manufacturers have left the NFC antenna in the phone "open", meaning that a card stored in any e-wallet on the phone will be able to access that NFC antenna in order to perform mobile contactless payments;

- Except Apple, which has "closed" the NFC antenna in the iPhone so that only a card/token stored in the Apple wallet will be able to access the NFC antenna and communicate with a contactless terminal. A card/token stored in another e-wallet on the phone (e.g. in a bank wallet) cannot have access to the NFC antenna and therefore cannot be used to make a mobile contactless payment. In order for a mobile contactless payment to take place with an iPhone, the card issuer needs to first enter into an agreement with Apple that will allow the cards it issues to be loaded into the Apple Pay wallet, and then used to make mobile contactless payments. It is our understanding that such agreement comes with a fee that the issuer needs to pay to Apple; in economic terms this means that the issuer has to share its interchange fee revenue (which is regulated for consumer cards in the EEA) with Apple. It is also our understanding that the Apple Pay standard agreement is pretty much imposed by Apple upon issuers on a "take it or leave it" basis.

For quite some time, issuers have been complaining that the "lock" applied by Apple on the NFC antenna was a measure adopted by Apple in order to monetise payments. Indeed, without the lock on the NFC antenna, it is to be expected that issuers would generally encourage their customers to provision their card/token into another wallet on the iPhone than the Apple Pay wallet (perhaps a bank wallet), so that transactions taking place through that other wallet would not require the issuer to have to pay a fee to Apple. Faced with such behaviour, it could be expected that Apple would stop charging a fee for payments made via the Apple Wallet in order to get issuers and cardholders to send more transactions via the Apple Pay wallet, rather than a competing wallet on the iPhone. This would potentially prevent Apple from monetising payments.

In response to the above issuer criticism about the Apple "lock" on the NFC antenna, one could argue that no issuer is required to allow its customers (i.e. cardholders) to make mobile payments with iPhone – i.e. iPhone holders can continue paying with their (contactless) plastic card; no card issuer is expected to allow its cardholders to pay with their iPhone. However:

- Other handset manufacturers or other mobile OS providers than Apple who also offer an e-wallet (e.g. Samsung Pay, Google Pay) have not placed a lock on the NFC antenna, and as a result are providing access to their own e-wallet free of charge. This makes it attractive for issuers to get connected to those e-wallets, and therefore offer their customers the possibility to make mobile contactless payments with their phone. This can put the issuer in a situation where its customers that hold an iPhone sometimes feel "discriminated against" since customers with e.g. a Samsung phone or other Android operated phone are able to make Samsung Pay/Android Pay contactless mobile payments, whereas customers with a (typically more expensive) iPhone are not able to make mobile contactless payments.

- There are precedents of large issuers in some EU countries deciding not to connect to Apple Pay (perhaps because they do not want to share their regulated interchange fee revenue with Apple?), but Apple managed to convince smaller issuers in those EU countries to get connected to Apple Pay (perhaps by giving them a discount on the standard Apple Pay fee?). This in turn has put pressure on the larger card issuers to, in turn, get connected to Apple Pay for fear of perhaps losing customers to the smaller issuer(s) – i.e. a "domino effect". As has become clear by now, consumers are more likely to switch their card issuer than to switch the brand of their mobile phone…

It is against this background that the EC has recently decided to open a competition law investigation against Apple, in order to determine in particular if the lock placed by Apple on the NFC antenna would constitute a violation of EU competition law, more particularly an abuse of a dominant position under Article 102 of Treaty on the Functioning of the European Union (TFEU).

The recently adopted German legislation

It is also against the above background that, as part of the implementation of AMLD5 into German law, the German legislator has decided to impose a requirement, effective 1 January 2020, that providers of technical infrastructures that may contribute to the provision of payment services or the operation of e-money activities should give access to those infrastructures (see Section 58a of the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz - ZAG)). The preparatory documents refer specifically to the example of the iPhone NFC antenna as being one of the primary focuses of this legislation. According to the new law, PSPs should be entitled to have access to those technical infrastructures that are necessary and reasonable for them to be able to provide payment and e-money services.

Technical infrastructure services are defined as functions of the operating system (OS) on mobile phones such as for example an NFC antenna , a software development kit (SDK - a manual for developing the software under the corresponding operating system), or a card emulation which displays the card information on the mobile device. Note that the access requirement is not subject to this infrastructure already being used for this purpose – the mere fact that it is suitable for the provision of payment or e-money services is enough to grant the PSP a right to access to that infrastructure.

This requirement is imposed on so-called "system enterprises", but a PSP may also qualify as a system enterprise if it owns a technical infrastructure to which other PSPs would need access in order to provide payment services or e-money services.

As an exception to the above access requirement, infrastructures that are only used by 10 or less PSPs are not subject to the access requirement. Furthermore, a system enterprise is not subject to the obligation if it has less than 2 million registered users. Those thresholds are to be assessed at the level of the entire corporate group to which the system enterprise belongs (rather than on an individual company level). In terms of timing, those thresholds are assessed on the day that the PSP makes the request for access.

System enterprises can legally refuse to grant access to an infrastructure if there are objective reasons to deny that access, such as for example a concrete threat to the safety and integrity of its technical infrastructure services. The system enterprise bears the burden of proof of the existence of a "concrete threat". In addition, the system enterprise should be able to demonstrate that it has made reasonable efforts in order to minimise the security risk of that concrete threat materialising.

The system enterprise is entitled to charge "an appropriate fee" for granting access to the PSP. Obviously what constitutes an appropriate fee will be up for discussion.

If an infrastructure provider were found to have illegally denied access to a PSP, the PSP could introduce civil law litigation before the ordinary courts seeking damages from the system enterprise.

The new regulation has no effect on obligations based on other legal grounds, such German competition law (GWB) and/or a contract.

What's next?

As mentioned above, the new legal requirement only became applicable on 1 January 2020. It is therefore too early to draw any conclusions in terms of its potential impact on the market.

In principle, this new requirement should allow PSPs operating in Germany to equip iPhone holders with wallets other than the Apple Pay wallet, in which they could store their card credentials/tokens and allow them to make mobile contactless payments with an iPhone through those wallets other than the Apple Pay wallet. It should therefore allow for competition between the Apple Pay wallet and other wallets for mobile contactless payments with iPhones which does not exist today.

One burning question is likely to be whether the "appropriate fee" that Apple will want to charge to issuer seeking access will be higher than, lower than, or identical to the fee that Apple typically charges today to issuers, and in particular German issuers, in relation to payments made through the Apple Pay wallet. Apple may be tempted to charge an "appropriate fee" that is higher than the standard Apple Pay fee in order to incentivise issuers to sign-up to Apple Pay and to continue to send transactions through the Apple Pay wallet (rather than a competing wallet) so as to continue to have access to the transaction data?

As regards PSP not operating in Germany, the law will not bring about any changes – and therefore we would expect:

- the EC to continue with their competition law investigation against Apple to determine whether Apple would be acting in breach of competition, in EU Member States other than Germany, by refusing to grant access to the NFC antenna to cards issued by non-German PSPs and stored in wallets other than the Apple Pay wallet?

- Perhaps other EU countries to adopt similar legislation?

As regards the PSD2 provisions on strong customer authentication (SCA), we do not anticipate any impact, at least based on the market practice to date. Indeed, as far as we are aware, Apple and other handset manufacturers currently allow issuers to use the fingerprint and/or face recognition technology that is currently available in those handsets, for free (e.g. fingerprint recognition to unlock a mobile banking app, face recognition to authentication a remote card-based payment triggered from a mobile phone). The EBA has explicitly recognised that this is an acceptable delegation under PSD2, to the extent of course that if it were to constitute an outsourcing the PSP complies with the EBA guidelines on outsourcing (EBA answer here). Arguably, based on the new legal requirements, system enterprises may seek to charge an "appropriate fee" in relation to those activities – however, since access is currently provided for free, we believe it would be difficult for system enterprises to start charging for them?