Regular payment security reporting called for under PSD2, say latest plans

Out-Law News | 17 Oct 2014 | 9:57 am | 3 min. read

Banks and other payment service providers (PSPs) would have to submit regular updates to regulators noting their assessment of security risks facing their organisations and the measures they have taken in response, under measures proposed by EU ministers.

The measures are contained in the latest draft of the planned new EU Payment Services Directive (PSD2), which has been published by the Presidency of the Council of Ministers (the Presidency). The Council, together with the European Parliament, must reach a consensus on draft proposals before they can be fixed into EU law.

PSPs are likely to face overarching security requirements under a separate new Network and Information Security (NIS) Directive that is currently being negotiated by EU law makers, but the latest PSD2 proposals (117-page / 1.18MB PDF) would add further to PSPs' security responsibilities.

"In addition to the general measures to be taken at member states' level in [the NIS] Directive, the security risks related to payment transactions should also be addressed at the level of the payment service providers," the Presidency's compromise proposal said. "The security measures to be taken by the payment service providers need to be proportionate to the security risks concerned."

"A regular reporting mechanism should be established, so as to ensure that payment service providers provide the competent authorities on a regular basis with an updated assessment of their security risks and the measures that they have taken in response to these risks," it said.

Technology and payments expert Angus McFadyen of Pinsent Masons, the law firm behind Out-Law.com, said: "There has been an increased focus on security around payments, including standards being issued by the European Central Bank, the recent PSD2 changes, and the parallel developments around the planned data protection reforms and new NIS Directive."

"Legislators need to be careful here though not to ignore the good steps being made by industry and innovations in technology which increase security through relatively subtle means, such as geo-location tagging and keystroke analysis – legislating at a principle level can be helpful but mandating procedures such as strong authentication across the board can limit this innovation and may have unintended consequences as users seek out the most friction-free means of transacting," he said.

The Presidency also gave its backing to rules which would extend the scope of the new PSD2 rules, when finalised, to account information services.

"These services provide the payment service user with aggregated information on one or more payment accounts held with one or more other payment service providers, thus enabling the payment service user to have an overall view of his financial situation at a given moment," one of the Presidency's draft amendments said. "These services should also be covered by this Directive in order to provide consumers with adequate protection and legal certainty about their status."

The Presidency said account information services should have to abide by "a specific prudential regime", but will be able to provide their services across national borders within the EU under 'passporting' rules, which is where the licensing of business operations by a regulator in one EU country is recognised by regulators in other countries.

The new proposals also explain that businesses acting as payment initiation service providers and those acting as PSPs should share liability for the parts of a payment transaction that are under their respective control. The "balanced liability repartition" should "clearly point to the responsible party in case of incidents", it said.

The proposals also contain suggested revisions to new rules on customer authentication either when consumers access their payment accounts or initiate a transaction. PSPs would have to allow payment initiation service providers and account information service providers to rely on the "personalised security credentials" given to consumers by their PSPs when acting on consumers' behalf to make a payment or access their account through those third party services.

McFadyen said: "This represents a position that has changed numerous times with one of the original concerns about these service providers being that they are, today, being given the online banking login details of consumers and that exposes the internet banking interface to significant security risk – it may well be that differential security credentials will be issued by account servicing PSPs for use by individuals with these service providers, but that is not yet clear."

Account information service providers will require the "explicit consent" of consumers to access their account data, however, under the Presidency's plans.

Further developments around PSD2 are expected to be released towards the end of the year before it is moved into trilogue next year – trilogue is the negotiation process between the Parliament, the Council and the Commission.