Update on the EBA’s guidelines on the security of internet payments

Written on 1 May 2015

In our last edition we reported that the European Banking Authority (EBA) had published its final Guidelines on the Security of Internet Payments. Although not legally binding, the EBA has said that it expects that financial institutions will be compliant come implementation in August 2015 and that the force of the guidelines will be strengthened by national regulators incorporating the provisions into their supervisory practices. 

Having considered the guidelines, the Financial Conduct Authority (in its role as the UK’s national regulator) published a statement on 2 April 2015 as follows: 

“We are fully supportive of the objectives behind the Guidelines and agree with the importance of consumers being protected against fraud when making payments online. Ensuring the security of payments and the protection of sensitive customer data is a critical part of the infrastructure of robust payment systems.

Many firms already have in place measures for strong customer authentication, and we would remind payment service providers of their responsibility to ensure consumers’ payments are safe and secure. We will be incorporating the detail of the requirements of the Guidelines into our supervisory framework in line with the revised Payment Services Directive (PSD2) transposition timeline.”

The FCA is holding firm that it will not formally incorporate the EBA guidelines into its national supervisory practice until it is required to implement PSD2. There are a number of potential reasons why we believe the FCA may have taken this approach:

  • A key focus of PSD2 is the security of, and around, payment transactions, so the FCA may be of the view that it would be better, clearer and more efficient to make changes in this field in one fell swoop once the (potentially more stringent) provisions of PSD2 are known.
  • The working draft of PSD2 contains provisions that require the EBA to produce guidelines and technical standards on a range of matters and specifically on the establishment, implementation and monitoring of security measures. There is likely to be some overlap between the two sets of documents and so again the FCA may prefer to implement on a consolidated basis, especially as the PSD2 mandated guidelines will be subject to public consultation.
  • Finally, the guidelines as published lack clarity in some areas. These are likely to be addressed and refined in PSD2 and any subsequent guidelines issued by the EBA pursuant to PSD2.