Security of Internet payments – National authorities enforcing EBA Guidelines
Last Thursday, on 21 May 2015, the European Banking Authority (EBA) published the compliance notifications from the various European national authorities regarding the enforcement of the EBA Guidelines for the Security of Internet Payments.
I already discussed the Guidelines in an earlier blog post. This blog post provides an update in light of the publication of the compliance notifications by the EBA.
On December 19, 2014, the European Banking Authority (EBA) published its final guidelines regarding the security of Internet payments.
In accordance with Article 16 of the EBA Regulation, national authorities and financial institutions must make every effort to comply with the guidelines. However, a national authority may decide not to comply with the guidelines, provided it notifies the EBA of its reasons.
National authorities were expected to notify the EBA by 5 May 2015 whether or not they intended to comply with the Guidelines; the answers have been available since 21 May 2015.
The table below summarizes the compliance notifications from the various member states of the European Union (EU) and the European Economic Area (EEA).
|National authority|Compliance notification|
|---|---|
|Belgium, Bulgaria, Czech Republic, Denmark, Germany, Ireland, Greece, Croatia, Spain, France, Italy, Latvia, Lithuania, Luxembourg, Hungary, Malta, Netherlands, Austria, Poland, Portugal, Romania, Slovenia, Finland, UK (FSC in Gibraltar), Liechtenstein, Norway|Complies or intends to comply|
|Estonia, Slovakia, UK (FCA), Iceland|Is not compliant|
|Cyprus, Sweden|Intends to comply partially|
As the table shows, 26 national authorities stated that they will comply with the Guidelines, while two indicated partial compliance and four reported that they will not comply.
As such, a large majority of the national authorities will enforce the Guidelines. Because of this, I believe that one of the most important objectives of the Guidelines, namely the harmonization of the security of Internet payments across Europe, can be achieved.
The FCA’s standpoint
One of the most notable national authorities not to enforce the Guidelines is the UK’s Financial Conduct Authority (FCA). This is not surprising, though, as it is in line with statements the FCA made in March 2014 and April 2015 on its website.
The FCA itself gives two reasons for this non-compliance. Firstly, the FCA states that it does not have the power to enforce the Guidelines without legislative changes to its mandate. Secondly, the FCA believes that the requirements of the Guidelines come with significant costs for payment service providers. Since it is not yet entirely clear how the upcoming Payment Services Directive 2 (PSD2) will affect the investments payment service providers make to meet the Guidelines, the FCA prefers to wait until PSD2 is settled and to adopt the Guidelines and PSD2 at the same time.
A third reason might be the following: as mentioned in the European Central Bank’s Third Report on Card Fraud, the UK is one of very few member states that managed to reduce its Card-Not-Present (CNP) fraud levels in absolute terms during the period 2008 to 2012 (the others being Sweden and Greece). Since the EBA cites rising fraud levels as one of the main reasons for adopting the Guidelines, a decrease in fraud achieved before the Guidelines existed might be seen as a good reason for not needing them.
Hence, it is conceivable that payment service providers in the UK were reluctant to adopt the Guidelines, given the potential for additional costs to comply with PSD2, and given that they had already reduced CNP fraud without the Guidelines.
Effect of compliance notifications
Payment service providers that operate in a country whose national authority has decided to enforce the Guidelines have to comply by 1 August 2015.
In particular, this means that payment service providers have to implement strong customer authentication (two-factor authentication) both when a customer consults sensitive payment data and when the customer initiates a payment.
British payment service providers now have a competitive advantage over payment service providers from other European countries, as they face fewer compliance requirements. This might prompt payment service providers from outside the UK to relocate there in order to avoid the requirements until PSD2 comes into effect.