Major payments bodies object to new internet payment security guidelines before PSD2 reforms

Out-Law News | 21 Nov 2014 | 3:08 pm | 4 min. read

Payments industry bodies from across Europe have raised objections to the European Banking Authority's (EBA) plans to finalise new internet payment security guidelines before new EU legislation on payment security is brought into force.

The UK Payments Council and Financial Fraud Action UK, the Association of German Banks, European Banking Federation, European Payments Council and Electronic Money Association all said the EBA should step back from plans to make new internet payment security guidelines effective from 1 August 2015.

Technology and payments expert Angus McFadyen of Pinsent Masons, the law firm behind Out-Law.com, said: "It’s not entirely clear how these guidelines would be implemented in each EU country and then enforced through to the people who this matters most to – the online retailers. Most importantly, these guidelines aren’t on the radar of many retailers given that implementation has been up in the air for some time. Clarity on this is needed as a matter of urgency given that the retailers’ IT roadmaps for the next 12 months will already be laid out."

Currently, EU law makers are involved in negotiating the wording of a new EU Payment Services Directive (PSD2). According to recent draft proposals on the reforms, payment security rules are set to be stiffened to mandate, among other things, two-factor customer authorisations for transactions.

The reforms, however, appear to be many months from being finalised. Even after the PSD2's wording is finalised, the new rules would not come into force immediately. EU countries would be given time to introduce their own national laws to account for the Directive's requirements.

Last month, though, the EBA outlined plans to set new internet payment security guidelines from 1 August next year. The EBA's proposed guidelines are an adaptation of internet payment security guidelines previously developed by the European Forum on the Security of Retail Payments (SecuRe Pay) and endorsed by the European Central Bank.

Although the EBA could not itself force payment services providers (PSPs) to adhere to the new guidelines, it said national regulators would have to justify to it any decision not to apply the guidelines.

In its consultation, the EBA said it recognised that there is potential for its internet payment security guidelines to be superseded by stiffer rules under the PSD2 reforms. To account for this possibility, it gave stakeholders the choice of two options.

The EBA said it could apply the guidelines as they are currently drafted from 1 August 2015 and update them once the final PSD2 enters into force. Alternatively, it said it could update the draft guidelines to try to anticipate the potentially stiffer requirements on payment security that look like being introduced under the new Directive and apply those guidelines from 1 August 2015. By adopting the second option, "the substance" of the guidelines would "continue to apply under PSD2", the EBA had said.

However, in its response to the EBA's consultation, the European Banking Federation (EBF) said it would be "impossible to 'anticipate' or second-guess what will be the result" of the ongoing debate between EU law makers on what the new payment security requirements should be under PSD2.

The EBF said it strongly opposed such an approach and instead backed a third option, which would be the introduction of new internet payment security guidelines "at a date later than 1 August 2015". This third approach is the only way to provide "legal certainty for all stakeholders", it said.

The EBF's views received support from the Association of German Banks (AGB). It said "the reasoning behind the need for implementation [of the guidelines] before publication of PSD2 is not clear".

"The PSD2 requirements will have a huge impact on account-holding payment institutions’ security management systems," the AGB said. "Implementation of appropriate measures may presuppose basic new developments and involve corresponding migration. It would be difficult to manage such comprehensive adjustments with the required care and security within six months… The risks outlined can be avoided and legal certainty achieved at the same time if guidelines take effect after publication of PSD2."

The AGB said PSPs should be given three years to adhere to the new internet payment security guidelines.

In its joint response to the EBA's consultation with Financial Fraud Action UK, the UK Payments Council said it would be better to wait for the PSD2 reforms to be finalised before new internet payment security guidelines were imposed. It also said it supported "a longer period for implementation".

"It would be premature to attempt to anticipate or second-guess the outcome [of the PSD2 reform negotiations] at this stage," the UK Payments Council said. "There would be a high risk that PSPs would implement changes, at considerable cost, only to have to make further changes once the PSD2 text is finalised."

The Electronic Money Association (EMA) said it does not think it would be "in the interests of the industry or of users for any guidance to be introduced before PSD2 has been adopted".

"The early implementation of PSD2 standards, even if they could be contemplated at this stage, has not been planned and budgeted for by CIs (credit institutions), EMIs (electronic money issuers) and PIs (payment institutions) and so would be disruptive to the operation of their businesses," the EMA said. "This would carry the risk of placing an increased financial burden on firms in order to implement changes ahead of the originally anticipated date, and rushed and inadequately planned implementations of such standards."

"The increased financial burden would disproportionately harm SME EMIs and PIs with the potential of reducing their available resources hence reducing their effectiveness and ability to compete in the market. Furthermore, rushed and inadequately planned implementations would mean that the objective of PSD2, i.e. more robust systems, would not be achieved," it warned.

The EBA has yet to outline what approach it will take to the implementation of new internet payment security guidelines in light of the responses received to its consultation.