(Note: the below is a high level review of certain potential issues and is not to be relied upon in any definitive manner nor as legal and/or regulatory advice).
The European Banking Authority (EBA) issued a consultation paper on 20 October 2014 regarding its proposed draft guidelines on the security of internet payments. Such guidelines are proposed to come into force before the transposition of the revised Payment Services Directive, known as PSD2.
The deadline for responses to the consultation is 14 November 2014.
What does the consultation cover?
Purpose & background
The purpose of the EBA guidelines is to define common minimum security requirements for certain internet payment services (such as the execution of certain payment cards and e-money services over the Internet). The EBA is proposing to issue guidelines that are based on the SecuRe Pay recommendations that formed the basis of the European Central Bank (ECB) final recommendations for the security of internet payments. The rationale for the EBA guidelines is to contribute to fighting payment fraud and enhance consumer trust in internet payments.
The guidelines are broken down into separate sections, with some of the key guideline topics set out below.
General Control and Security Environment
- Governance – implementing and regularly reviewing a formal security policy for internet payment services
- Risk assessment – carrying out risk assessments with regard to the security of internet payment services before releasing new products and services and regularly thereafter
- Incident monitoring and reporting
- Risk control and mitigation
- Traceability – being able to ensure the tracing of all transactions and e-mandates.
Specific Control and Security Measures for Internet Payments
- Initial customer identification, information – compliance with AML and information disclosure requirements
- Strong customer authentication – eg two factor authentication (“2FA”) used as part of the initiation of internet payments as well as for access to sensitive payment data
- Enrolment for, and provision of, authentication tools and/or software delivered to the customer – secure processes to be put in place for the enrolment of authentication tools
- Login attempts, session time-out, validity of authentication – eg limits on the number of login attempts etc.
- Transaction monitoring – to prevent, detect and block fraudulent payment transactions
- Protection of sensitive payment data
Customer awareness, education and communication
- Customer education and communication – eg providing secure communication channels such as a dedicated mailbox on the PSP’s website
- Notifications, setting of limits – eg limits on payment amounts etc.
- Customer access to information on the status of payment initiation and execution
Best practices are also set out in Annex 1 to the draft guidelines.
When would the guidelines come into force?
1 August 2015.
Why are the guidelines important?
The proposed EBA guidelines have a legal basis under Article 16 of the EBA Regulation such that competent authorities and financial institutions must make every effort to comply with them.
Given that the implementation date is 1 August 2015, firms will not have long to comply. This will particularly be the case if they have not started to implement the European Central Bank (ECB) final recommendations for the security of internet payments.
The key question under the consultation is whether the proposed increased security obligations under PSD2 should be incorporated into these guidelines, which would likely bring effective compliance with those requirements forward by at least a year (if not more) – referred to in the consultation as the “one-step approach”. It also makes monitoring the development of PSD2 much more important in the short term.
If the “one-step approach” were to be implemented, it is very probable that many firms would face substantial challenges in meeting these requirements within such a short timeframe, as the requirements not only impact internal compliance operations but also have implications for their customers’ user experience. There could be critical consequences for a firm if it does not comply in time – for example, if a PSP does not put in place the necessary payment authentication procedures, then from the EBA’s perspective the PSP would not be able to provide the necessary proof that the payment was unauthorised if ever challenged.
Moreover, such a short implementation timeframe would not always be achievable within the product planning cycles of many firms. Firms should carefully review the guidelines and determine if they are in a position to readily comply. If not, it is advisable to respond to the consultation and raise your concerns.
Please note, however, that not all internet payment services are covered, and firms should carefully review the scope of the guidelines to see if they are indeed included. Even if a business is not within scope, be aware that the EBA recommends that service providers to regulated firms, such as unregulated technical service providers, be contractually required to comply with the guidelines. Further, PSPs offering acquiring services to e-merchants will also need to require such e-tailers to implement certain security measures consistent with the guidelines. This may come as a surprise to such organisations, which may find themselves needing to increase their own compliance operations in order to contract with regulated firms that fall within scope. They may also wish to respond to the consultation on this basis.