PSD2 and increased security obligations

(Note: the below is a high level review of certain potential issues and is not to be relied upon in any definitive manner nor as legal and/or regulatory advice).

What are the proposals?

While the Commission, the EU Parliament and the Council have each presented differing drafts of the increased security obligations, the key matters include:

  • Mandatory use of ‘strong customer authentication’: a requirement that, at a minimum, what is commonly known as two-factor authentication (“2FA”) is carried out for remote / online / electronic payment transactions.
  • The establishment of formal internal security frameworks to assess and report on operational matters expressly including security issues.
  • Security incident reporting: both to regulators and customers under certain circumstances.
  • Mandatory security assessment reporting to regulators: on security measures and their effectiveness.
  • Increased role of EBA and ECB: on setting the security protocols, technical standards and policies to be followed in connection with the above obligations.

Why are they being introduced?

As stipulated in Recital 6 of the Commission’s proposal:

“In recent years, the security risks related to electronic payments have increased, which is due to the greater technical complexity of electronic payments, the continuously growing volumes of electronic payments worldwide and the emerging types of payment services. As safe and secure payment services constitute a vital condition for a well-functioning payment services market, users of payment services should be adequately protected against such risks.”

Why are they important?

  • In addition to data protection regulators and other EU initiatives (such as the proposed NIS Directive), payment regulators are putting in place substantive and prescriptive security requirements to be followed by PSPs. These will have a substantive impact both internally (in setting up the appropriate compliance functions and operations) and on the firm’s user experience.

Comments 

  • 2FA is already used by many PSPs and has been adopted by some payment start-ups as the industry norm (see, for example, virtual currency / bitcoin wallet providers), although it is sometimes applied at the customer’s discretion (depending on their individual risk profile). It is proposed that this will no longer necessarily be the case, which will affect the user experience and potentially mean increased product work for existing players who still rely on a single password credential. It will also be interesting to monitor what technical requirements will be imposed on TPPs accessing their customers’ account information held with other PSPs, to ensure that the authentication methods are kept secure.
  • Many regulated PSPs are likely to already have formal security policies and procedures in place to assess risks and allow for internal reporting of security incidents, as part of their existing compliance and information security functions. Under the proposals there will be more specific requirements on what these must look like, so reviews and possible amendments of them will need to be carried out. There are also additional compliance burdens (including costs) in reporting on such matters, both to regulators and to customers.
  • Of particular interest to PSPs will be the circumstances under which they must disclose security incidents to customers: any such notice will raise substantial brand and reputation issues and may also engage data protection laws (some of which are also currently under review).
  • The EBA will have increased responsibility for setting the standards to be followed by the industry, and the manner and methods by which it allows for consultation will be of key interest to stakeholders, particularly those who are not part of the existing banking fraternity.

Key draft provisions

Each provision below is set out in the order: Commission Proposal (24 July 2013), EU Parliament (3 April 2014), Council composite text (1 December 2014), ‘Final Compromise Text’ (2 June 2015).

Article 4(22): definition of ‘strong customer authentication’

Commission Proposal: ‘strong customer authentication’ means a procedure for the validation of the identification of a natural or legal person based on the use of two or more elements categorised as knowledge, possession and inherence that are independent, in that the breach of one does not compromise the reliability of the others and is designed in such a way as to protect the confidentiality of the authentication data.

EU Parliament: ‘strong customer authentication’ means a procedure to verify the validity of a payment instrument based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others and is designed in such a way as to protect the confidentiality of the authentication data.

Council composite text: ‘strong customer authentication’ means an authentication based on the prompt use of two or more elements categorised as knowledge, possession and inherence[ ] that are independent, in that the breach of one does not compromise the reliability of the others and is designed in such a way as to protect the confidentiality of the authentication data;

Final Compromise Text: ‘strong customer authentication’ means an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others and is designed in such a way as to protect the confidentiality of the authentication data.
Article 5: Applications for authorisation

Commission Proposal: For authorisation as a payment institution, an application shall be submitted to the competent authorities of the home Member State, together with the following: … (j) a security policy document, a detailed risk assessment in relation to its payment services and a description of security control and mitigation measures taken to adequately protect the payment services users against the risks identified, including fraud and illegal use of sensitive and personal data; … The security control and mitigation measures referred to in point (j) shall indicate how they ensure a high level of technical security, including for the software and IT systems used by the applicant or the undertakings it sub-contracts to for the whole or part of its operations. Those measures shall also include the security measures laid down in Article 86(1). Those measures shall take into account the guidelines on security measures of the European Banking Authority (EBA) referred to in Article 86(2) when in place.

EU Parliament: New Article 5, para 3(a) – sub paragraph 13a. EBA shall, after consulting an advisory panel set up in accordance with Article 41 of Regulation (EU) No 1093/2010, which represents all stakeholders, including those operating outside the banking industry, develop draft regulatory technical standards specifying the information to be provided to the competent authorities in the application for the authorisation of payment institutions, including the requirements laid down in points (a), (b), (c), (e) and (g) to (j) of paragraph 1. See for example Art. 5(1)(j): (j) a security policy document, a detailed risk assessment in relation to its payment services and a description of security control and mitigation measures taken to adequately protect the payment services users against the risks identified, including fraud and illegal use of sensitive and personal data;

Council composite text: For authorisation as a payment institution, an application shall be submitted to the competent authorities of the home Member State, together with the following: … (j) a security policy document, including a detailed risk assessment in relation to its payment services and a description of security control and mitigation measures taken to adequately protect the payment services users against the risks identified, including fraud and illegal use of sensitive and personal data; … The security control and mitigation measures referred to in point (j) shall indicate how they ensure a high level of technical security, including for the software and IT systems used by the applicant or the undertakings it outsources for the whole or part of its operations. Those measures shall also include the security measures laid down in Article 86(1). Those measures shall take into account the guidelines on security measures of the European Banking Authority (EBA) referred to in Article 86(2) when in place.

Final Compromise Text: 1. For authorisation as a payment institution, an application shall be submitted to the competent authorities of the home Member State, together with the following: … (j) a security policy document, including a detailed risk assessment in relation to its payment services and a description of security control and mitigation measures taken to adequately protect the payment services users against the risks identified, including fraud and illegal use of sensitive and personal data; … The security control and mitigation measures referred to in point (j) shall indicate how they ensure a high level of technical security and data protection, including for the software and IT systems used by the applicant or the undertakings to which it outsources the whole or part of its operations. Those measures shall also include the security measures laid down in Article 86(1). Those measures shall take into account the guidelines on security measures of the European Banking Authority (EBA) referred to in Article 86(2) when in place.

Chapter 5 heading: ‘Operational and Security and Authentication’ (Commission Proposal); ‘Operational and Security Risks and authentication’ (later drafts).

Article 85(1)

Commission Proposal (Security Requirements and incident notification): Payment service providers are subject to Directive [NIS Directive] [OP please insert number of Directive once adopted] and notably to the risk management and incident reporting requirements in Articles 14 and 15 therein.

EU Parliament: Payment service providers shall establish a framework with appropriate mitigation measures and control mechanisms to manage the operational risks, including security risks, relating to the payment services they provide. As part of that framework payment service providers shall establish and maintain effective incident management procedures, including the detection and classification of major incidents.

Council composite text (Management of operational and security risks): Payment service providers shall establish a framework with appropriate mitigation measures and control mechanisms to manage the operational risks, including security risks, related to the payment services they provide. As part of this framework payment service providers shall define and maintain effective incident management procedures, including the classification of major operational and security incidents.

Final Compromise Text (Article 85, Management of operational and security risks): 1. Payment service providers shall establish a framework with appropriate mitigation measures and control mechanisms to manage the operational risks, including security risks, related to the payment services they provide. As part of that framework payment service providers shall establish and maintain effective incident management procedures, including for the detection and classification of major operational and security incidents.

Article 85(2)

Commission Proposal: The authority designated under Article 6(1) of Directive [NIS Directive] [OP please insert number of Directive once adopted] shall without undue delay inform the competent authority in the home Member State and EBA of the notifications of NIS incidents received from payment services providers.

EU Parliament: Payment service providers shall without undue delay notify any major operational incident, including security incidents, to the competent authority in the home Member State of the payment service provider. New Article 85(2a): Upon the receipt of the notification, the competent authority in the home Member State shall, without undue delay, provide the relevant details of the incident to EBA.

Council composite text: Member States shall ensure that payment service providers provide to the competent authority under this Directive on a yearly basis, or at such intervals as determined by the competent authority, an updated assessment of the operational and security risks associated with the payment services they provide and on the adequacy of the mitigation measures and control mechanisms implemented in response to these risks.

Final Compromise Text: 2. Member States shall ensure that payment service providers provide to the competent authority under this Directive on a yearly basis, or at shorter intervals as determined by the competent authority, an updated and comprehensive assessment of the operational and security risks associated with the payment services they provide and on the adequacy of the mitigation measures and control mechanisms implemented in response to these risks.

Article 85(3)

Commission Proposal: Upon receipt of the notification, and where relevant, EBA shall notify the competent authorities in the other Member States.

EU Parliament: Upon receipt of the notification EBA shall, in cooperation with the competent authority in the home Member State, assess the relevance of the incident, and, based on that assessment, notify competent authorities in the other Member States. New 3a. The national competent authority shall act preventively, if necessary, and in order to protect the immediate safety of the financial system.

Council composite text: EBA shall, in close cooperation with the ECB, develop guidelines with regard to the establishment, implementation and monitoring of the security measures, including certification processes when relevant.

Final Compromise Text: 3. By [18 months of entry into force of this directive], EBA shall, in close cooperation with the ECB and after consulting all relevant stakeholders, including in the payment services market, reflecting all interests involved, develop guidelines with regard to the establishment, implementation and monitoring of the security measures, including certification processes when relevant.

Article 85(4)

Commission Proposal: In addition to the provisions of Article 14(4) of Directive [NIS Directive] [OP please insert number of Directive once adopted], where the security incident has the potential of impacting the financial interests of the payment service users of the payment service provider, it shall without undue delay notify its payment service users of the incident and inform them of possible mitigation measures that they can take on their side to mitigate the adverse effects of the incident.

EU Parliament: Where the security incident has the potential of impacting the financial interests of the payment service users of the payment service provider, it shall without undue delay notify its payment service users of the incident and inform them of all available mitigation measures that they can take on their side to mitigate the adverse effects of the incident. New 4a. EBA shall, in close cooperation with the ECB and after consulting the advisory panel referred to in Article 5(3a), develop guidelines specifying the framework for the notification of major incidents referred to in the above paragraphs. The guidelines shall specify the scope and treatment of information to be submitted, including the criteria of relevance of incidents and standard notification templates to ensure a consistent and efficient notification process. New 4b. Member States shall ensure that payment service providers regularly provide data on fraud related to different means of payment to national competent authorities and to EBA.

Council composite text: EBA shall, in close cooperation with the ECB, review the guidelines on a regular basis, but at least every two years.

Final Compromise Text: 3(3). EBA shall, in close cooperation with the ECB, review the guidelines on a regular basis, but at least every two years. 3a. Taking into account experience acquired in the application of the guidelines referred to in paragraph 3, EBA shall, where requested by the Commission as appropriate, develop draft regulatory technical standards on the criteria and on the conditions for establishment, and monitoring, of security measures. Power is conferred on the Commission to adopt the regulatory technical standards referred to in the first subparagraph in accordance with the procedure laid down in Articles 10 to 14 of Regulation (EU) No 1093/2010.

Article 85(5)

Council composite text: EBA shall promote the cooperation in the area of operational and security risks associated with payment services among the competent authorities under this Directive, the ECB and, where relevant, the European Union Agency for Network and Information Security.

Final Compromise Text: 85(4). EBA shall promote the cooperation, including the sharing of information, in the area of operational and security risks associated with payment services among the competent authorities and the ECB and, where relevant, the European Union Agency for Network and Information Security.

Article 86(1)

Commission Proposal (Security Implementation and Reporting): Member States shall ensure that payment service providers provide to the authority designated under Article 6(1) of Directive [NIS Directive] [OP please insert number of Directive once adopted] on a yearly basis updated information of the assessment of the operational and security risks associated with the payment services they provide and on the adequacy of the mitigation measures and control mechanisms implemented in response to these risks. The authority designated under Article 6(1) of Directive [NIS Directive] [OP please insert number of Directive once adopted] shall without undue delay transmit a copy of this information to the competent authority in the home Member State.

EU Parliament: Member States shall ensure that payment service providers provide to the competent authority on a yearly basis updated and comprehensive information on the assessment of the operational and security risks associated with the payment services they provide and on the adequacy of the mitigation measures and control mechanisms implemented in response to these risks.

Council composite text (Article 86, Incident reporting): 1. In the case of a major operational, including security, incident, payment service providers shall, without undue delay, notify the competent authority in the home Member State under this Directive. Where the incident impacts the financial interests of its payment service users, the payment service provider shall without undue delay inform its payment service users of the incident and of the possible measures that they can take to mitigate the adverse effects of the incident.

Final Compromise Text (Article 86a, Incident reporting): 1. In the case of a major operational, including security, incident, payment service providers shall, without undue delay, notify the competent authority under this Directive in the home Member State of the payment service provider. Where the incident has or may have an impact on the financial interests of its payment service users, the payment service provider shall without undue delay inform its payment service users of the incident and of all available measures that they can take to mitigate the adverse effects of the incident.

Article 86(2)

Commission Proposal: Without prejudice to Articles 14 and 15 of Directive [NIS Directive] [OP please insert number of Directive once adopted], EBA shall, in close cooperation with the ECB, develop guidelines with regard to the establishment, implementation and monitoring of the security measures, including certification processes when relevant. It shall, inter alia, take into account the standards and/or specifications published by the Commission under Article 16(2) of Directive [NIS Directive] [OP please insert number of Directive once adopted].

EU Parliament: EBA shall, in close cooperation with the ECB, develop implementing technical standards with regard to the establishment, implementation and monitoring of the security measures, including certification processes when relevant. It shall, inter alia, take into account the standards and/or specifications published by the Commission as well as the ECB Eurosystem’s recommendations for the security of internet payments under the “SecuRePay” forum. EBA shall submit those draft implementing technical standards to the Commission by …* Power is conferred on the Commission to adopt the implementing technical standards referred to in the first subparagraph in accordance with Article 15 of Regulation (EU) No 1093/2010.

Council composite text: Upon receipt of the notification under paragraph 1, the competent authorities in the home Member States under this Directive shall, without undue delay, provide the relevant details of the incident to EBA and to the ECB and, after assessing the relevance of the incident for other domestic authorities, shall notify them accordingly. EBA and the ECB shall assess the relevance of the incident for other European authorities and shall notify them accordingly. The ECB shall notify the members of the European System of Central Banks on issues relevant for the payment system.

Final Compromise Text: 2. Upon receipt of the notification under paragraph 1, the competent authority in the home Member State under this Directive shall, without undue delay, provide the relevant details of the incident to EBA and to the ECB. That competent authority shall, after assessing the relevance of the incident to relevant authorities of that Member State, notify them accordingly. EBA and the ECB shall, in cooperation with the competent authority in the home Member State, assess the relevance of the incident to other relevant Union and national authorities and shall notify them accordingly. The ECB shall notify the members of the European System of Central Banks on issues relevant to the payment system. On the basis of the notification, where appropriate, the competent authorities shall take all the necessary measures to protect the immediate safety of the financial system.

Article 86(3)

Commission Proposal: EBA shall, in close cooperation with the ECB, review the guidelines on a regular basis, but at least every two years.

EU Parliament: EBA shall, in close cooperation with the ECB, review the implementing technical standards referred to in paragraph 2 on a regular basis, but at least every two years.

Council composite text: 3. By the [insert date, which should be the same as the one provided for in Art. 102, paragraph 1] EBA shall, in close cooperation with the ECB, issue guidelines:
– for payment service providers, on the classification of major incidents referred to in paragraph 1, and on the content, the format and the procedures for notifying such incidents, and
– for the competent authorities under this Directive, on the criteria on how to assess the relevance of the incident and the details of the incident reports to be shared with other domestic authorities.

Final Compromise Text: 3. By the [insert date, which should be the same as the one provided for in Art. 102, paragraph 1] EBA shall, in close cooperation with the ECB and after consulting all relevant stakeholders, including in the payment services market, reflecting all interests involved, issue guidelines:
– for payment service providers, on the classification of major incidents referred to in paragraph 1, and on the content, the format, including standard notification templates, and the procedures for notifying such incidents, and
– for the competent authorities under this Directive, on the criteria on how to assess the relevance of the incident and the details of the incident reports to be shared with other domestic authorities.

Article 86(4)

Commission Proposal: Without prejudice to Articles 14 and 15 of Directive [NIS Directive] [OP please insert number of Directive once adopted], EBA shall issue guidelines to facilitate payment service providers in qualifying major incidents and the circumstances under which a payment institution is required to notify a security incident. Those guidelines shall be issued by (insert date – two years of the date of entry into force of this Directive).

EU Parliament: EBA shall coordinate the sharing of information in the area of operational and security risks associated with payment services with the competent authorities and the ECB.

Council composite text: 4. EBA shall, in close cooperation with the ECB, review the guidelines referred to in paragraph 3 on a regular basis, but at least every two years.

Final Compromise Text: 4. EBA shall, in close cooperation with the ECB, review the guidelines referred to in paragraph 3 on a regular basis, but at least every two years.
Article 86(5)

Council composite text: While issuing and reviewing the guidelines referred to in paragraph 3, EBA shall consider standards and/or specifications developed and published by the European Union Agency for Network and Information Security for sectors pursuing activities other than payment service provision.

Final Compromise Text: 5. While issuing and reviewing the guidelines referred to in paragraph 3, EBA shall consider standards and/or specifications developed and published by the European Union Agency for Network and Information Security for sectors pursuing activities other than payment service provision.

Further paragraph (marked ‘4b/5a?’ in the draft): Member States shall ensure that payment service providers provide, at least yearly, statistical data on fraud related to different means of payment to their competent authority. That competent authority shall provide EBA and ECB with such data in an aggregated form.

Authentication: Article 87

Article 87(1)

Commission Proposal: Member States shall ensure that a payment service provider applies strong customer authentication when the payer initiates an electronic payment transaction unless EBA guidelines allow specific exemptions based on the risk involved in the provided payment service. This also applies to a third party payment service provider when initiating a payment transaction on behalf of the payer. The account servicing payment service provider shall allow the third party payment service provider to rely on the authentication methods of the former when acting on behalf of the payment service user.

EU Parliament: No amendments proposed from the Commission proposal.

Council composite text: Member States shall ensure that a payment service provider applies strong customer authentication when the payer:
(a) accesses his payment account on-line;
(b) initiates an electronic remote payment transaction;
(c) carries out any action, through a remote channel, which may imply a risk of payment fraud or other abuses.

Final Compromise Text: 1. Member States shall ensure that a payment service provider applies strong customer authentication when the payer:
(a) accesses his payment account on-line;
(b) initiates an electronic payment transaction;
(c) carries out any action, through a remote channel, which may imply a risk of payment fraud or other abuses.

Article 87(1a)

Council composite text: In the case of paragraph 1(b), Member States shall ensure that payment service providers apply strong customer authentication that shall include elements dynamically linking the transaction to a specific amount and a specific payee.

Final Compromise Text: 1a. In the case of paragraph 1(b) for electronic remote payment transactions, Member States shall ensure that payment service providers apply strong customer authentication that shall include elements dynamically linking the transaction to a specific amount and a specific payee.

Article 87(1b)

Council composite text: In the case of paragraph 1, Member States shall ensure that payment service providers adopt specific security requirements, to protect the confidentiality and the integrity of the payment service users’ personalised security credentials.

Final Compromise Text: 1b. In the case of paragraph 1, Member States shall ensure that payment service providers have in place adequate security measures to protect the confidentiality and the integrity of the payment service users’ personalised security credentials.

Article 87(1c)

Council composite text: Paragraphs 1a and 1b shall also apply when payments are initiated through a payment initiation service provider. Paragraphs 1 and 1b shall also apply when the information is requested through an account information service provider.

Final Compromise Text: 1c. Paragraphs 1a and 1b shall also apply when payments are initiated through a payment initiation service provider. Paragraphs 1 and 1b shall also apply when the information is requested through an account information service provider.

Article 87(1d)

Council composite text: Member States shall ensure that the account servicing payment service provider allows the authorised payment initiation service provider and the registered account information service provider, to rely on the authentication procedures provided by the account servicing payment service provider to the payment service user in accordance with paragraph 1b and, where the authorised payment initiation service provider is involved, also in accordance with paragraph 1a.

Final Compromise Text: 1d. Member States shall ensure that the account servicing payment service provider allows the payment initiation service provider and the account information service provider, to rely on the authentication procedures provided by the account servicing payment service provider to the payment service user in accordance with paragraphs 1 to 1b and, where the payment initiation service provider is involved, also in accordance with paragraph 1a.
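The Article 4(22) and Article 87(1)/(1a) rules above, worked as a server-side policy check. This is example code written for this review, not a PSP's implementation or anything from the drafts; the element categories, channel labels, the per-user key, the per-transaction nonce and the HMAC-based authentication code are assumptions made for illustration.

```python
"""Illustrative check of the PSD2 'strong customer authentication' rules:
two or more independent element categories (Article 4(22)) and, for remote
electronic payments, an authentication code dynamically linked to the amount
and payee (Article 87(1a)).  Added example; not from the page or any real PSP."""
import hashlib
import hmac
from dataclasses import dataclass
from decimal import Decimal

# The three element categories named in the Article 4(22) definition.
CATEGORIES = {"knowledge", "possession", "inherence"}


@dataclass(frozen=True)
class Element:
    category: str   # one of CATEGORIES
    channel: str    # constructed label for the device/channel that carried it
    verified: bool  # did the PSP successfully verify this element?


def meets_sca(elements):
    """Two or more *different* categories, each verified.  Independence
    ('the breach of one does not compromise the reliability of the others')
    is approximated here by requiring the verified elements to arrive over at
    least two distinct channels; a real PSP applies a richer test."""
    verified = [e for e in elements if e.verified]
    unknown = {e.category for e in verified} - CATEGORIES
    if unknown:
        raise ValueError(f"unknown element category: {unknown}")
    categories = {e.category for e in verified}
    channels = {e.channel for e in verified}
    return len(categories) >= 2 and len(channels) >= 2


def _canonical(amount, currency, payee):
    """Canonical encoding so that '50' and '50.00' bind to the same code."""
    return f"{Decimal(amount):.2f}|{currency.upper()}|{payee}".encode()


def dynamic_link_code(key, nonce, amount, currency, payee):
    """Article 87(1a): the code is bound to the specific amount and payee shown
    to the payer.  key is an assumed per-user secret shared with the
    authenticator; nonce is assumed unique per transaction."""
    mac = hmac.new(key, nonce + _canonical(amount, currency, payee), hashlib.sha256)
    return mac.hexdigest()


def verify_dynamic_link(key, nonce, amount, currency, payee, code):
    """Recompute the code for the amount/payee actually submitted; any change
    to either after the code was issued makes verification fail."""
    expected = dynamic_link_code(key, nonce, amount, currency, payee)
    return hmac.compare_digest(expected, code)


def authorise_remote_payment(elements, key, nonce, amount, currency, payee, code):
    """Article 87(1)(b) together with (1a): SCA must hold AND the code must be
    linked to this exact amount and payee.  Returns (ok, reason)."""
    if not meets_sca(elements):
        return False, "strong customer authentication not satisfied"
    if not verify_dynamic_link(key, nonce, amount, currency, payee, code):
        return False, "authentication code not linked to this amount and payee"
    return True, "authorised"


if __name__ == "__main__":
    key, nonce = b"constructed-demo-key", b"txn-0001"   # constructed, not real secrets
    elems = [Element("knowledge", "browser", True),     # password typed in the browser
             Element("possession", "phone-app", True)]  # approval confirmed in an app
    code = dynamic_link_code(key, nonce, "50.00", "EUR", "PAYEE-A")
    print(authorise_remote_payment(elems, key, nonce, "50.00", "EUR", "PAYEE-A", code))
    # Amount and payee altered after the payer approved: must be rejected.
    print(authorise_remote_payment(elems, key, nonce, "500.00", "EUR", "PAYEE-B", code))
    # Two knowledge elements (password + security question) are not SCA.
    weak = [Element("knowledge", "browser", True), Element("knowledge", "browser", True)]
    print(authorise_remote_payment(weak, key, nonce, "50.00", "EUR", "PAYEE-A", code))
```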

 

 

Article 87(2)

Commission Proposal: Where a payment service provider provides services referred to in point 7 of Annex I, it shall authenticate itself towards the account servicing payment service provider of the account owner.

EU Parliament: Where a payment service provider provides services referred to in point 7 of Annex I, it shall authenticate itself towards the account servicing payment service provider of the account owner in accordance with the common and secure open standards of communication as defined under Article 94a.

Council composite text: N/A
Article 87(3)

Commission Proposal: EBA shall, in close cooperation with the ECB, issue guidelines addressed to payment service providers as set out in Article 1(1) of this Directive in accordance with Article 16 of Regulation (EU) No 1093/2010 on state of the art customer authentication and any exemption to the use of strong customer authentication. Those guidelines shall be issued by (insert date – two years from the date of entry into force of this Directive) and be updated on a regular basis as appropriate.

EU Parliament: EBA shall, in close cooperation with the ECB and after consulting the EDPS and the advisory panel referred to in Article 5(3a), issue guidelines addressed to payment service providers as set out in Article 1(1) of this Directive in accordance with Article 16 of Regulation (EU) No 1093/2010 on how third-party payment service providers are to authenticate themselves towards account servicing payment service providers, on state of the art customer authentication and on any exemption to the use of strong customer authentication. Those guidelines shall enter into force before …* and be updated on a regular basis as appropriate.
* OJ please insert the date of transposition of this Directive (two years after the date of adoption of this Directive)

N/A
  N/A
  New proposed Article 87aRegulatory technical standards on authentication and communication Article 87a Regulatory technical standards on authentication and communication 
 
1. EBA shall, in close cooperation with the ECB, develop draft regulatory technical standards addressed to payment service providers as set out in Article 1(1) of this Directive in accordance with Article 16 of Regulation (EU) No 1093/2010 specifying:

a) the requirements of the strong customer authentication procedure referred to in Article 87 (1) and (1a);

b) the exemptions to the application of Article 87 (1), (1a) and (1b), based on the criteria established in paragraph 1.b;

c) the requirements that technical security measures have to comply with in accordance with Article 87 (1b), to protect the confidentiality and the integrity of the payment service users’ personalised security credentials, and

d) common and secure requirements for communication for the purpose of authentication, notification and information between account servicing payment service providers, payment initiation service providers, account information service providers, payers and payees.

1. EBA shall, in close cooperation with the ECB and after consulting all relevant stakeholders, including in the payment services market, reflecting all interests involved, develop draft regulatory technical standards addressed to payment service providers as set out in Article 1(1) of this Directive in accordance with Article 10 of Regulation (EU) No 1093/2010 specifying:

(a) the requirements of the strong customer authentication procedure referred to in Article 87 (1) and (1a);

(b) the exemptions to the application of Article 87 (1), (1a) and (1b), based on the criteria established in paragraph (1b) of this Article;

(c) the requirements that security measures have to comply with in accordance with Article 87 (1b), to protect the confidentiality and the integrity of the payment service users’ personalised security credentials, and

(d) the requirements for common and secure open standards of communication for the purpose of identification, authentication, notification, and information, as well as for the implementation of security measures, between account servicing payment service providers, payment initiation service providers, account information service providers, payers, payees and other payment service providers.
1a. The draft regulatory technical standards shall be developed by EBA according to the following objectives:

– to ensure an appropriate level of security for payment users, through the adoption of effective and risk-based requirements;

– to ensure the safety of payment users’ funds and personal data;

– to allow for a fair competition among payment service providers;

– to ensure business-model neutrality;

– to allow the development of user-friendly and accessible means of payment.

1a. The draft regulatory technical standards shall be developed by EBA in accordance with the following objectives:

– to ensure an appropriate level of security for payment service users and payment service providers, through the adoption of effective and risk-based requirements;

– to ensure the safety of payment service users’ funds and personal data;

– to secure and maintain fair competition among all payment service providers;

– to ensure technology and business-model neutrality;

– to allow for the development of user-friendly, accessible and innovative means of payment.
1b. The exemptions referred to in paragraph 1 (b) shall be based on the following criteria:

(a) the level of risk involved in the provided service;

(b) the amount and/or the recurrence of the transaction;

(d) the payment channel used for the execution of the transaction.

1b. The exemptions referred to in paragraph 1 (b) shall be based on the following criteria:

(a) the level of risk involved in the provided service;

(b) the amount and/or the recurrence of the transaction;

(d) the payment channel used for the execution of the transaction.
2. EBA shall submit those draft regulatory technical standards to the Commission by (insert date) […within 12 months of the date of entry into force of this Directive]. Power is conferred on the Commission to adopt the regulatory technical standards referred to in paragraph 1 in accordance with the procedure laid down in Articles 10 to 14 of Regulation (EU) No 1093/2010.

2. EBA shall submit those draft regulatory technical standards to the Commission by (insert date) […within 12 months of the date of entry into force of this Directive]. Power is conferred on the Commission to adopt the regulatory technical standards referred to in paragraph 1 in accordance with the procedure laid down in Articles 10 to 14 of Regulation (EU) No 1093/2010.

3. EBA shall review and, if appropriate, update the regulatory technical standards on a regular basis.

3. EBA, in accordance with Article 10 of Regulation (EU) No 1093/2010, shall review and, if appropriate, update the regulatory technical standards on a regular basis in order to, inter alia, take account of innovation and technological developments.