Proposed Variation to the MasterCard and Visa Access Regimes: Consultation Document – December 2013 3. Reasons for a Review of Regulation

There are two interrelated problems that the current review seeks to address. First, while the 2004/05 reforms to access arrangements widened potential access to the MasterCard and Visa systems, there is evidence that access arrangements may still be more restrictive than necessary, potentially reducing competition, efficiency and innovation. This arises because the Access Regimes prevent parties other than ADIs/SCCIs from joining the schemes, even if the schemes would otherwise have been willing to admit them. Second, APRA's prudential framework for ADIs/SCCIs requires an authorisation process and ongoing compliance with a range of prudential requirements, together with application and ongoing fees. Taken as a whole, the prudential framework establishes a relatively high hurdle to entry and results in costs for potential entrants, some existing members and for APRA itself.

Access Arrangements May Be More Restrictive than Necessary

As noted, only two entities have gained SCCI status in Australia since the current access framework was implemented. This modest take-up of the SCCI arrangements of itself suggests that membership of the schemes might not have been opened up as much by the 2004/05 reforms as had been hoped. While this might simply indicate that relatively few non-traditional parties have seen a business case for joining the schemes, the Bank is aware of some parties that have considered pursuing the SCCI path, but decided against it.

More recently, the Bank has become aware of at least five entities focused on new or niche business models that have indicated an interest in issuing or acquiring credit card transactions in Australia. Most have indicated that they consider the requirements to become an SCCI to be significantly more onerous than warranted for the business they plan to pursue and out of line with arrangements in some overseas jurisdictions.[1] [2] Some have nonetheless indicated that they would pursue SCCI status in order to gain entry. The card schemes themselves have indicated that they would be prepared to admit a wider range of entities than currently hold ADI/SCCI status in Australia and a wider range than they would have been prepared to admit prior to the reforms. Both schemes have changed their corporate structure since the initial access reforms, moving away from member associations of banks to publicly listed companies. This could be expected to alter the schemes’ incentives in favour of allowing wider participation.

The current requirements for participation may be preventing users of the payments system from gaining the benefits that new entrants might bring. For instance, the virtual card products proposed by several prospective entrants have the potential to significantly improve the efficiency of payments and reconciliation for businesses operating in the travel industry. Other potential entrants offer improvements in efficiency for other types of payments system users. More generally, any additional entry is likely to exert pressure on the prices and service levels of incumbent payments system participants.

A second element that suggests that the existing access arrangements might be too restrictive is that the Access Regimes in their present form prevent the Reserve Bank from participating in the international card schemes. This arises because the Access Regimes restrict eligibility for participation in the schemes to ADIs. The Reserve Bank is not an ADI, but it is nonetheless able to undertake banking business under the Reserve Bank Act 1959. This appears to be an artificial constraint which prevents the Bank from delivering services to the Commonwealth in the most efficient possible way. It also results in an inconsistent treatment of card schemes in Australia, with the eftpos payment system able to accept the Reserve Bank as a member, but not the MasterCard and Visa systems. This may be detrimental to competition between the schemes.

To summarise, the aim of the access arrangements is to encourage competition and efficiency in the payments system by striking an appropriate balance between new entry and controlling risk. There is some evidence that the correct balance is not currently being achieved.

Public Supervision of Participants as ADIs Might Not Be Appropriate

In large part the level of the hurdles for participation in the card schemes in Australia reflects the fact that SCCIs fall within APRA's prudential supervision regime for ADIs. While SCCIs do not take deposits like other ADIs (at least not to any material extent), they must by and large meet the same standards as other ADIs. This reflects an important principle that all ADIs should be supervised to the same standard; applying a lower level of supervision for some ADIs would create confusion about what ADI status and prudential supervision means and could cause reputational damage if an entity supervised to a lower standard were to fail, potentially reducing confidence in more systemically important institutions.

APRA supervision is directed to ensuring that ADIs manage risk prudently so as to minimise the likelihood of financial losses to depositors. However, the nature of risks in a credit card system is quite different to those being addressed by APRA for other ADIs (see Box A for a fuller description). Holders of credit cards do not in the normal course of events have an exposure to credit card issuers as they are receiving credit rather than providing deposits. Therefore APRA's depositor protection mandate does not appear relevant. Merchants may have a financial exposure to card acquirers, as merchants require settlement of the funds owed to them for credit card purchases. Risk to merchants is reduced to an extent by the fact that acquirers are largely passing through funds from issuers and the schemes have mechanisms in place to provide confidence that settlement between issuers and acquirers will occur.

In effect, the largest exposures are managed within the card schemes, while participants must cover losses arising from the credit provided to their cardholders (for issuers) and non-performance by a merchant (for acquirers), and some merchants may have exposures with respect to funds passed through by their own acquirer.

This suggests that, although not intended, APRA supervision of SCCIs largely operates to protect the MasterCard and Visa systems rather than the users of those systems. This might be justified if these exposures were of a scale that presented some risk to financial stability, but the average daily value of transactions in all credit card systems in Australia averaged only $720 million per day in 2012/13, compared with RTGS payments of $158 billion and Direct Entry payments of $40 billion.[3]

APRA believes that supervising credit card system participants is no longer an appropriate use of its resources and is not consistent with its core mandate. In APRA's view, responsibility for determining access to the card schemes rests with the schemes themselves, not a prudential regulator charged with the protection of depositors.

Box A: Risks in Credit Card Systems

Participants in the MasterCard and Visa systems can be issuers or acquirers (or in most cases both). When a cardholder purchases goods from a merchant, the issuer undertakes to make payment for those goods (to the acquirer) and recoups the funds from the cardholder according to the terms of their agreement. The acquirer receives the funds from the issuer – one or two days after the transaction for a domestic payment in Australia – and settles with the merchant. The acquirer is entitled to delay settlement with the merchant until it has received the funds from the issuer, or for risk management purposes, but in some cases it will settle earlier.

Risk in the system stems primarily from the potential that a party in the chain may not meet its obligations. The highest probability risk is that of a cardholder failing to meet its obligations to the issuer. The issuer bears this risk and therefore must screen cardholders and monitor and manage the risks they present appropriately. Since the issuer exposure to any individual cardholder is small, the overall risk to an issuer with robust credit risk management is low.

A much larger concern arises if the issuer itself is unable to settle with the acquirers. If not managed, settlement risk of this type has the potential to adversely affect both participants and users of a payment system. Both MasterCard and Visa have various risk control mechanisms in place, aimed at providing confidence that settlement to surviving members will be completed. Issuer risks are monitored and managed by the schemes, including by restricting the entities that can participate or the activites they can undertake, and where appropriate by requiring collateral to be posted.

Given that acquirers are receiving funds from issuers and paying them to merchants, they are generally not exposed to either cardholders or merchants for most transactions. The exception is where a chargeback is initiated via the issuer – for example, either because the cardholder did not participate in the transaction, or because the goods or services were not satisfactorily provided. Where a chargeback is successful, the disputed transaction may be reversed, with the acquirer having to recover the funds from the merchant. The incidence of chargebacks varies from sector to sector, but is most acute if a merchant becomes insolvent without having delivered goods or services. The most notable example is the Ansett collapse, where the acquirer was required to meet very large chargeback obligations for tickets purchased in advance by credit card. Since that time, acquirers have become more conscious of managing these risks. The scheme risk controls that protect acquirers from the failure of an issuer equally apply to protect issuers from the failure of an aquirer with unsettled chargeback obligations.

A number of conclusions can be drawn about risk from this framework. First, financial risk to the cardholder is minimal. Should a participant in the system fail, in most cases the cardholder will not be affected because they will already have possession of the goods in question or will have used the service. Where the goods or services have not been delivered, the cardholder is protected by chargeback rights and the mechanisms put in place by the payment systems to address unpaid positions among members (and otherwise by the cardholder's rights as a creditor of the merchant). If a cardholder's own issuer were to fail, they would face the inconvenience of being unable to use their card or access their accounts.

Merchants that accept payment cards will always be subject to some chargeback risk arising from disputes and, for online merchants in particular, fraud. However, the schemes' risk controls mean that merchants generally should not be exposed to the failure of an issuer. A merchant may however have an exposure to its own acquirer where the acquirer is holding settlement funds in transit from issuers to merchants.

In summary, exposures between card scheme members are protected by each scheme's risk controls, including the use of collateral. Issuers face credit exposures to cardholders. Acquirers face chargeback exposures to merchants. In some cases, merchants may face exposures to their own acquirer where the acquirer holds settlement funds in transit. Cardholders generally do not face risks in these systems and in fact benefit from chargeback protections.


The business undertaken might for instance include issuing cards only to corporate customers or acquiring only for post-paid services where there is no chargeback risk from the default of a merchant that has yet to deliver its services. [1]

For instance, the ‘Payment Institutions’ framework in Europe was established to regulate entities which were not already covered by banking or e-money regulations, in part because prospective participants had found the then-existing regulation too restrictive for the services they wish to provide. Accordingly, the current framework establishes a prudential regulatory regime that takes into account the different operational and financial risks posed by seven specified payment services. Once an entity is authorised to provide one or more of these services by the national regulator responsible for its prudential supervision, it can offer those services throughout the European Union. [2]

Credit card transaction figures include American Express and Diners Club. All debit card transactions (including eftpos) averaged around $540 million per day. [3]