Banks must ensure '24/7' authentication service as European Central Bank backs time limits on inactive account access

Out-Law News | 14 May 2014 | 4:45 pm | 2 min. read

Companies that provide consumer payment accounts will have to set 'time out' limits on how long users can leave accounts inactive but still accessible under new security standards published by the European Central Bank (ECB).

The ECB has accepted recommendations made by the European Forum on the Security of Retail Payments (the Forum) on how to protect against illegitimate access to payment accounts and fraudulent activity.

Under the measures, third party providers (TPPs) of payment account access services will be required to restrict the length of time inactive users can spend logged in to accounts, as well as limit the number of times people can enter the wrong log-in details before they are blocked from doing so.
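As an added illustration, not code from the ECB report or from any provider, here is a minimal Python sketch of the two TPP-side controls this paragraph describes: a cap on wrong-credential attempts followed by a lockout, and an idle time-out on logged-in sessions. The `AccessGate` class, its `check_credentials` callback and the three limit values are all assumptions chosen for the example.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed policy values; the ECB text leaves the actual limits to implementers.
IDLE_TIMEOUT_S = 300      # seconds of inactivity before a logged-in session expires
MAX_FAILED_LOGINS = 5     # wrong-credential attempts tolerated before lockout
LOCKOUT_S = 900           # how long an account stays blocked after that
@dataclass
class _Account:
    failed: int = 0
    locked_until: float = 0.0

class AccessGate:
    """Hypothetical TPP-side gate: failed-login lockout plus idle session time-out."""
    def __init__(self, check_credentials, clock=time.monotonic):
        self._check = check_credentials   # callable(user, secret) -> bool
        self._clock = clock               # injectable so tests can advance time
        self._accounts = {}               # user -> _Account
        self._sessions = {}               # token -> [user, last_seen]

    def login(self, user, secret):
        """Return a session token, or None if the account is locked or the secret is wrong."""
        now = self._clock()
        acct = self._accounts.setdefault(user, _Account())
        if now < acct.locked_until:
            return None                   # locked: the secret is not even evaluated
        if not self._check(user, secret):
            acct.failed += 1
            if acct.failed >= MAX_FAILED_LOGINS:
                acct.locked_until = now + LOCKOUT_S
                acct.failed = 0
            return None
        acct.failed = 0                   # a successful login resets the counter
        token = secrets.token_urlsafe(32)
        self._sessions[token] = [user, now]
        return token

    def touch(self, token):
        """Call on every request: drops idle sessions, refreshes active ones."""
        now = self._clock()
        sess = self._sessions.get(token)
        if sess is None:
            return False
        if now - sess[1] > IDLE_TIMEOUT_S:
            del self._sessions[token]     # timed out: the user must re-authenticate
            return False
        sess[1] = now
        return True
```

The lockout window and idle limit are sliding per account and per session respectively; an absolute session lifetime, which the recommendations do not spell out here, would be a natural further control.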

The standards also state that "account-servicing payment service providers" (AS PSPs), such as banks, must ensure that they provide "24/7 technical availability" to respond to requests from the third party providers for "the authentication of the customer". The European Banking Authority (EBA) will be responsible for setting "maximum response times for the authentication" under new guidance it is to issue to accompany the new standards.

The recommendations also include measures designed to ensure transactions made to and from payment accounts are traceable and that sensitive payment data is "protected when stored, processed or transmitted".

The ECB said that the recommendations were aimed at promoting the security of payment account access services (25-page / 389KB PDF) and, ultimately, users of those accounts.

"The recommendations should not be interpreted as a warning against established TPPs in Europe," the ECB said in its report. "TPPs fill a gap by providing efficient and customer-convenient e-commerce services. The Forum has suggested that a secure European standard/interface for payment account access should be established and should allow any TPP to access payment accounts at any PSP throughout the EU. This standard could be defined by the EBA in close cooperation with the ECB and include technical and functional specifications, as well as related procedures."

"Standardisation is a normal part of European market integration and further developments should allow the industry to rely on a secure common standard that allows strong customer authentication without any sharing of the AS PSP’s credentials between the AS PSP and the TPP. This would reduce technical workload for TPPs, foster innovation and at the same time ensure trust in safe and efficient payment services," it said.

Technology and payments law expert Angus McFadyen of Pinsent Masons, the law firm behind Out-Law.com, said: "Payment account access is a real hot topic, particularly so with the growth of non-bank third party providers of payment initiation or account information services. How risk and liability are apportioned between the customer and the customer’s bank and any third party provider used by the customer, and what conditions can be set around giving access to a third party provider, are both up for debate with the proposed reforms of the Payment Services Directive."

The ECB has previously set requirements for the security of internet payments and is in the process of outlining new security standards for mobile payment services.