The European Banking Authority (‘EBA’) has published a consultation paper on the implementation of its Guidelines on the security of internet payments, the output of work undertaken in conjunction with the European Central Bank (‘ECB’) and based largely on the work of the European Forum for the Security of Retail Payments. The EBA expects the proposed guidelines to enter into force in August 2015. Dr. Matthias Terlau and Dr. Daniel Walter of Osborne Clarke discuss the compliance expectations for payment service providers and analyse the critical aspects of the proposed guidelines.
On 20 October 2014 the European Banking Authority (‘EBA’) published a consultation paper on the implementation of its Guidelines on the security of internet payments. These Guidelines are the first output of the joint work undertaken by the EBA and the European Central Bank (‘ECB’) on the security of payment services. In a concurrent press release the ECB stressed the cooperation between the two European institutions on the basis of the work of the European Forum for the Security of Retail Payments (the ‘SecuRe Pay Forum’), a voluntary cooperative initiative between supervisory authorities and central banks from the European Economic Area (‘EEA’), led by the ECB and including the EBA.
The context – a number of regulatory projects to make payments safer
The proposed EBA Guidelines form part of a number of regulatory projects on the security of payments. The SecuRe Pay Forum, under the auspices of the ECB, was founded in 2011. In January 2013, after a public consultation in 2012 and based on the work of the SecuRe Pay Forum, the ECB published its recommendations on the security of internet payments, followed in February 2014 by a complementary assessment guide; the recommendations provide for their implementation by no later than 1 February 2015. In May 2014 (after a consultation in January 2013), the ECB published its recommendations on the security of ‘payment account access’ services, in view of their transmission to the EBA. A further set of rules on the security of mobile payments was published by the ECB as a draft for public consultation in November 2013 but has not yet resulted in a final version.
At the same time, the EU Commission finalised its draft proposal for a reform of the payment services directive (‘PSD2’). This proposal was published on 23 July 2013 and contained a number of provisions on the security of ‘electronic payments,’ in particular the concept of strong customer authentication. The draft PSD2 has since undergone lengthy discussions within the EU Parliament and the EU Council, and the current ‘compromise’ draft (as of 31 October 2014) contains some further provisions on the security of payments, in particular the new concept of strong transaction authentication. The draft PSD2 also foresees a mandate for the EBA to develop, among other things, regulatory technical standards for strong customer authentication procedures and for exemptions from them. PSD2 cannot be expected to enter into force before spring 2015. The EBA standards developed under the PSD2 mandate would, as currently foreseen, enter into force 30 months after PSD2.
The ultimately binding rules – what payment service providers must comply with
The EBA envisages its currently proposed guidelines to enter into force on 1 August 2015. The content of the guidelines is nearly the same as the January 2013 ECB recommendations on the security of internet payments.
Guidelines of the EBA are internal law. This means they will be binding for the EBA itself and its future regulatory practice. The EBA Regulation further provides that competent authorities such as the Financial Conduct Authority (‘FCA’) and the German Bundesanstalt für Finanzdienstleistungsaufsicht (‘BaFin’) ‘shall make every effort to comply with those guidelines.’ However, under the EBA Regulation competent authorities may also declare that they do not intend to comply with the guidelines; the EBA will then publish such non-compliance and may also publish the reasons given by the national authority in such a case. Certain financial institutions can also be required to report on their compliance with the guidelines; that requirement does not, however, apply to payment institutions or e-money institutions, where the EBA’s competence is limited.
For the currently proposed EBA Guidelines, it will be important to watch the positioning of the national regulatory authorities such as the UK FCA and the German BaFin. If and insofar as they agree to comply, payment institutions and e-money institutions must expect the guidelines to become part of their national payment supervisory law. This may in turn lead to a regulatory segmentation of the EU and the EEA, with some jurisdictions following the EBA and some not, which would contravene the concept of full harmonisation under the PSD and under the 2nd E-Money Directive.
Further confusion is caused by the fact that neither the ECB nor the EBA has clearly stated whether the ECB recommendations on the security of internet payments remain in force, including their implementation deadline of 1 February 2015. The UK FCA has stated on its website that it will not apply the ECB recommendations as long as the EBA has not enacted them. Other European regulatory authorities, such as BaFin, seem to take the opposite standpoint.
Finally, unlike the ECB recommendations, the EBA Guidelines do not explicitly provide for the principle of ‘Comply’ or ‘Explain and Justify.’ Under the ECB recommendations payment service providers are allowed not to comply with a recommendation, but are then asked to give reasons for not complying and to justify that the procedure they propose instead is superior (for their business or overall) to the recommendation. The wording of the proposed EBA Guidelines, in particular the auxiliary verb ‘should’ which appears in most guidelines, suggests that this principle will also be upheld in the EBA Guidelines. However, as of now, that is not clearly provided for in the draft EBA Guidelines.
The critical aspects of the EBA guidelines – strong customer/transaction authentication
Strong customer authentication is certainly one of the most debated items in the context of the ECB recommendations, but also within the discussions on PSD2. It is not surprising that the same topic has become a focal point in the consultation on the draft EBA guidelines. Strong authentication, in simple words, means identifying the institution’s customer by means of at least two mutually independent factors, drawn from the categories of knowledge (something only the customer knows), possession (something only the customer has) and inherence (something the customer is), so that the compromise of one factor does not compromise the other.
In the recent discussions on PSD2 the concept of a strong transaction authentication (as opposed to simple customer authentication) was brought up. Simplified, this would additionally require the institution to link the authentication to the specific transaction, i.e. the amount authorised to be paid and the recipient of the payment, so that the authentication code is only valid for that amount and that payee, and any alteration of either after the customer has authorised the payment invalidates it.
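To make the difference between the two concepts concrete, the following Python illustration is added here; it is not part of the EBA or ECB text and does not reproduce any mechanism those documents prescribe. It models a knowledge factor (password, stored as a salted PBKDF2 hash) and a possession factor (a secret held in the customer’s token or app) and shows a man-in-the-browser scenario: with strong customer authentication alone, the one-time code proves the customer is present but says nothing about the payment, so a tampered amount and payee are accepted; with the code bound to amount and payee (strong transaction authentication), the same tampering is rejected. All passwords, secrets, IBANs and amounts are constructed demo values, and the HOTP-style truncation is one conventional way to turn an HMAC into a short code, not the only one.

```python
"""Strong customer authentication vs. strong transaction authentication.

Added illustration; every credential, secret and IBAN below is a constructed
demo value, not data from any real institution.
"""
import hashlib
import hmac
from dataclasses import dataclass


# --- Knowledge factor: the bank stores only a salted PBKDF2 hash of the password.
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt), stored)


# --- Possession factor: a secret shared only with the customer's token/app.
def _truncate(mac: bytes, digits: int = 8) -> str:
    # HOTP-style dynamic truncation (RFC 4226, section 5.3) to a decimal code.
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def customer_code(secret: bytes, counter: int) -> str:
    """Code that proves possession of the token but is not tied to any payment."""
    return _truncate(hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest())


def transaction_code(secret: bytes, counter: int, amount_cents: int, payee_iban: str) -> str:
    """Code bound to amount and payee: changing either yields a different code."""
    iban = payee_iban.upper().replace(" ", "").encode()
    msg = counter.to_bytes(8, "big") + amount_cents.to_bytes(8, "big") + iban
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest())


@dataclass(frozen=True)
class Order:
    amount_cents: int
    payee_iban: str


@dataclass(frozen=True)
class Account:
    salt: bytes
    pw_hash: bytes
    device_secret: bytes


def authorise_customer_auth(acct: Account, password: str, order: Order,
                            counter: int, code: str) -> bool:
    """Bank-side check with strong customer authentication only.

    The order is not part of the verification, so the bank cannot tell whether
    what it received is what the customer saw. (A real system must also reject
    any counter that was already used, to prevent replay.)
    """
    return (verify_password(password, acct.salt, acct.pw_hash)
            and hmac.compare_digest(code, customer_code(acct.device_secret, counter)))


def authorise_transaction_auth(acct: Account, password: str, order: Order,
                               counter: int, code: str) -> bool:
    """Bank-side check with the code dynamically linked to amount and payee."""
    expected = transaction_code(acct.device_secret, counter, order.amount_cents, order.payee_iban)
    return (verify_password(password, acct.salt, acct.pw_hash)
            and hmac.compare_digest(code, expected))


def man_in_the_browser_demo() -> tuple[bool, bool, bool]:
    """Returns (customer-auth accepts tampered order,
                transaction-auth accepts tampered order,
                transaction-auth accepts the intended order)."""
    salt = b"demo-salt-0001"                                 # constructed
    secret = b"demo-device-secret-32-bytes-long"             # constructed
    password = "correct horse battery"                       # constructed
    acct = Account(salt, hash_password(password, salt), secret)
    intended = Order(10_000, "DE89 3704 0044 0532 0130 00")  # EUR 100.00, demo IBAN
    tampered = Order(500_000, "DE02 1203 0000 0000 2020 51")  # EUR 5000.00, demo IBAN
    counter = 17
    # The customer approves what their device shows them: the intended order.
    code_cust = customer_code(secret, counter)
    code_txn = transaction_code(secret, counter, intended.amount_cents, intended.payee_iban)
    # Browser malware swaps the order on its way to the bank; password and
    # codes are forwarded unchanged.
    return (
        authorise_customer_auth(acct, password, tampered, counter, code_cust),
        authorise_transaction_auth(acct, password, tampered, counter, code_txn),
        authorise_transaction_auth(acct, password, intended, counter, code_txn),
    )


if __name__ == "__main__":
    print(man_in_the_browser_demo())  # (True, False, True)
```

The point of the demo is the first two values: both checks use the same two factors, but only the linked code lets the bank detect that the order it received is not the one the customer authorised. In practice the customer’s device must also display the amount and payee it is signing, otherwise the linking protects nothing.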
In its consultation the EBA specifically asked whether it would be preferable for the EBA Guidelines to enter into force with or without this recently proposed concept of strong transaction authentication and the other new developments from the discussion around PSD2. The second option (without the new concepts from PSD2) would entail a revision of the guidelines once the deadline for transposing PSD2 into national law has elapsed, presumably in spring 2017 or later.
At least some market participants will vote in favour of the second option, as they regard the entire concept of strong authentication as critical, and that applies even more so to the recently proposed strong transaction authentication. While strong authentication is criticised for its ‘one size fits all’ approach with only a few exceptions, strong transaction authentication is expected to disrupt the checkout processes of e-commerce merchants. This dilemma may become worse if the EBA guidelines do not actually allow for the ‘comply or explain/justify’ approach (as highlighted above). In that case innovation in new risk management and control procedures (such as geolocation, real-time information, customer behaviour patterns, biometric identification technologies, etc.) may be stifled. Some market participants also expect customers to opt more frequently in future for deferred payment methods (payment on open invoice, payment on credit) rather than instant payments.
The summary – regulatory certainty for market participants
During the last 20 months payment service providers in Germany have begun to implement the ECB recommendations. It would have been advantageous for regulated entities if the ECB recommendations, which are not binding but rather ‘soft’ law, had been made clearly binding via a European regulation or another act of directly applicable law. The ‘transformation’ of the ECB recommendations into EBA guidelines on the basis of the authorisation in EU Regulation 1093/2010 (the EBA Regulation) does not close this legality gap. Especially if some of the national regulatory authorities decide not to comply with the guidelines, we foresee another European ‘Delaware effect,’ meaning a race to the least regulated jurisdiction. That would be harmful to the integrity of the European idea as a whole.