EBA ignores industry concerns about timetable for new internet payment security guidelines

Out-Law News | 22 Dec 2014 | 3:03 pm | 3 min. read

The European Banking Authority (EBA) has ignored concerns from a number of major payment industry bodies and set new internet payment security guidelines (42-page / 352KB PDF) that will have effect from August 2015.

As Out-Law.com reported last month, the UK Payments Council and Financial Fraud Action UK, the Association of German Banks, European Banking Federation, European Payments Council and Electronic Money Association had all called on the EBA to step back from introducing the new guidelines until reforms to EU payments laws had been concluded and brought into force.

However, the EBA said that problems with fraud mean that it is "not a plausible option" to delay the implementation of new internet payment security guidelines until after the Payment Services Directive reforms (PSD2) had come into force.

"This is a classic cart before the PSD2 horse approach from the EBA and doesn’t augur well for future working relationships within the developing global regulatory payments sphere," payment regulations expert Tony Anderson of Pinsent Masons, the law firm behind Out-Law.com, said. "The risk of significant, additional compliance costs remains high for PSPs looking to enter the market."

The EBA's approach will see the new guidelines take effect from 1 August 2015 and be subject to revision once the PSD2 framework has been finalised, it said. This two-step approach was preferred to an alternative proposal the EBA had consulted on which would have seen it try to second-guess the final version of the PSD2 reforms by implementing a single set of new guidelines from next August.

"The EBA has assessed the responses and concludes that, due to the continually high levels of fraud observed on internet payments, a delay in the implementation of the guidelines until the transposition of the PSD 2 in 2017/18 is not a plausible option," the EBA said.

"Furthermore, given the preferences expressed by respondents, the EBA concludes that a one-step approach is not desirable. The EBA is therefore issuing the final guidelines with the substance as consulted, i.e. a conversion of the original SecuRe Pay recommendations, with an implementation date of 1 August 2015, and the implementation of any potentially more stringent requirements under the PSD2 at a later stage – by the date set in the PSD2," it said.

In response to the EBA's consultation on the guidelines, the UK Payments Council had warned that PSPs could face "considerable cost" by having to implement changes to correspond to new guidelines only to have to "make further changes once the PSD2 text is finalised."

The Association of German Banks (AGB) also questioned the reasoning behind "the need for implementation [of the guidelines] before publication of PSD2".

"The PSD2 requirements will have a huge impact on account-holding payment institutions’ security management systems," the AGB had said. "Implementation of appropriate measures may presuppose basic new developments and involve corresponding migration. It would be difficult to manage such comprehensive adjustments with the required care and security within six months… The risks outlined can be avoided and legal certainty achieved at the same time if guidelines take effect after publication of PSD2."

The EBA's guidelines are an adaptation of internet payment security guidelines previously developed by the European Forum on the Security of Retail Payments (SecuRe Pay) and endorsed by the European Central Bank. The guidelines, which do not apply in the mobile payments sphere other than to those made via web browsers on mobile devices, will be of relevance to online retailers as well as PSPs.

The new guidelines are not legally binding, but the EBA said regulators and financial institutions "must make every effort to comply" with them. It said national regulators should incorporate the new guidelines "into their supervisory practices as appropriate" and that they have a legal duty to explain any decision not to apply the new guidelines.

The guidelines set new expectations on PSPs' governance of internet payment security arrangements and in relation to their assessment and documentation of the risks involved.

PSPs will also be expected to apply "multiple layers of security defences" and to monitor, handle, follow up and report "security incidents" they experience, according to the new guidelines. To comply, PSPs will also have to ensure that the transactions they help to process are traceable and that "strong customer authentication" measures are in place and have been adhered to before payments are initiated.

The guidelines cover a number of other aspects of internet payment security, including requiring PSPs to set limits on the number of times individuals can enter the wrong authentication details before being blocked from trying again, to operate a "specific screening and evaluation procedure" for "suspicious or high risk transactions", and to "prevent, detect and block fraudulent payment transactions".