Security of Internet payments – National authorities enforcing EBA Guidelines

Frederik Mennes, May 27, 2015

Last Thursday, on 21 May 2015, the European Banking Authority (EBA) published the compliance notifications from the various European national authorities regarding the enforcement of the EBA Guidelines for the Security of Internet Payments.

I already discussed the Guidelines in an earlier blogpost. This blogpost provides an update in light of the publication of the compliance notifications by the EBA.


On December 19, 2014, the European Banking Authority (EBA) published its final guidelines regarding the security of Internet payments.

In accordance with Article 16 of the EBA Regulation, national authorities and financial institutions need to make every effort to comply with the guidelines. However, it is possible for national authorities to decide not to comply with the guidelines.

National authorities were expected to notify the EBA by 5 May 2015 whether or not they intended to comply with the Guidelines, and the answers have been available since 21 May 2015.

Compliance notifications

The table below summarizes the compliance notifications from the various member states of the European Union (EU) and the European Economic Area (EEA).

Member state   Notification
Belgium, Bulgaria, Czech Republic, Denmark, Germany, Ireland, Greece, Croatia, Spain, France, Italy, Latvia, Lithuania, Luxembourg, Hungary, Malta, Netherlands, Austria, Poland, Portugal, Romania, Slovenia, Finland, UK (FSC in Gibraltar), Liechtenstein, Norway   Complies or intends to comply
Estonia, Slovakia, UK (FCA), Iceland   Is not compliant
Cyprus, Sweden   Intends to comply partially

As the table shows, 26 national authorities stated that they will comply with the Guidelines, while two indicated partial compliance and four reported that they will not comply.

As such, a large majority of the national authorities will enforce the Guidelines. Because of this, I believe that one of the most important objectives of the Guidelines, namely the harmonization of security of Internet payments across Europe, can be achieved.

The FCA’s standpoint

One of the most notable national authorities not to enforce the Guidelines is the UK’s Financial Conduct Authority (FCA). This is not surprising though, as it is in line with statements FCA made in March 2014 and April 2015 on its website.

FCA itself provides two reasons for this non-compliance. Firstly, FCA states it does not have the power to enforce the Guidelines without legislative changes to its mandate. Secondly, FCA believes that the requirements from the Guidelines come with significant costs for payment service providers, and since it is not entirely clear yet how the upcoming Payment Services Directive 2 (PSD2) will affect investments made by payment service providers in the context of the Guidelines, FCA prefers to wait until PSD2 is clear and adopt the Guidelines and PSD2 at the same time.

A third reason might be as follows: as mentioned in the European Central Bank’s Third Report on Card Fraud, the UK is one of very few member states that managed to reduce its Card-Not-Present (CNP) fraud levels in absolute terms during the period 2008 to 2012 (the other countries being Sweden and Greece). Since the EBA sees rising fraud levels as one of the main reasons for adopting the Guidelines, the decrease of fraud (before the Guidelines existed) might be seen as a good reason for not needing the Guidelines.

Hence, it can be imagined that payment service providers in the UK were reluctant to adopt the Guidelines, given the potential of additional costs for compliance with PSD2, and given that they already reduced CNP fraud without the Guidelines.

Effect of compliance notifications

Payment service providers that operate in a country whose national authority has decided to enforce the Guidelines have to comply by 1 August 2015.

In particular, this means that payment service providers have to implement strong, two-factor customer authentication when a customer consults sensitive payment data, and when the customer initiates a payment.

British payment service providers now have a competitive advantage compared to payment service providers from other European countries, as they face fewer compliance requirements. This might prompt payment service providers from outside the UK to relocate there in order to escape the requirements until PSD2 comes into effect.


Frederik leads OneSpan's Security Competence Center, where he is responsible for the security aspects of OneSpan's products and infrastructure. He has an in-depth knowledge of authentication, identity management, regulatory and security technologies for cloud and mobile applications.