On the Difference between Innovation and the Wild West: How to Ensure the Security of Bank Customers' Funds and Data with Payment Account Access Services

Convenience is a priority. Security is indispensable. Promoting payment innovation to the benefit of both payers and payees requires combining the two

17 April 14

What are internet-based payment account access services offered by third party providers?

To ensure a common understanding of terms and concepts, this article relies on definitions included within the draft ‘Recommendations for Payment Account Access Services’ (see ‘related links’ below) published by the European Central Bank (ECB) for consultation in January 2013. These draft recommendations were developed by the European Forum on the Security of Retail Payments (SecuRe Pay), a “voluntary cooperative initiative between relevant authorities from the European Economic Area (EEA) – supervisors of payment service providers and overseers in particular – formed with the objective of facilitating common knowledge and the understanding of issues related to the security of electronic retail payment services and instruments and, where necessary, issuing recommendations.”1

The SecuRe Pay draft recommendations explain that payment account access services can be offered by payment service providers (PSPs), i.e. regulated and supervised entities as defined in the European Union (EU) Payment Services Directive (PSD). In commonly used language, PSPs – which include credit institutions, payment institutions and other types of PSPs – are often referred to as ‘banks’. The SecuRe Pay draft recommendations for internet-based payment account access services refer to PSPs issuing payment accounts to their customers as “account servicing PSPs”. The draft recommendations point out that payment account access services are also offered by “third-party service providers” that “are often merely non-licensed service providers and not PSPs”. This is a more recent development. The SecuRe Pay Forum clarifies that, unlike PSPs, non-licensed third-party service providers offering payment account access services “are not subject to supervisory requirements.” In the political debate, such third-party service providers are often referred to as ‘non-banks’.

The SecuRe Pay draft recommendations distinguish between two types of internet-based payment account access services, which are offered by PSPs and third-party service providers:

Account information services “provide information on several accounts held by a person with one or several PSPs and present that information to the person in a consolidated and user-friendly way.” To provide this service a third-party service provider “needs to have access to the person’s payment account(s).”

Payment initiation services “initiate payment transactions via a person’s internet-enabled payment account. The technical implementation of this service can differ depending on whether or not the payee is actively involved in the payment initiation (e.g. during online shopping) and whether the [third-party service provider’s] TP’s software is used by the account owner to transmit his/her credentials to the account servicing PSP.” Payment initiation services are based on a range of different models for initiating a payment on behalf of a consumer via the consumer’s internet-enabled payment account.

The consultation period on the SecuRe Pay draft recommendations for payment account access services concluded on 12 April 2013. It is not known when the final recommendations will be published.

On 24 July 2013, the European Commission (the Commission) introduced a legislative proposal to amend the PSD (see ‘related links’ and ‘related articles in this issue’ below). This proposal includes rules on access to consumers’ payment accounts by third-party service providers. This article does not comment on the provisions on payment account access services included in the Commission’s proposal for the revised PSD published on 24 July 2013, as the European Payments Council (EPC) is in the process of analysing these in detail.

This article addresses key considerations of the EPC with regard to access to consumers’ payment accounts by currently non-licensed, non-supervised third-party service providers.

On the difference between innovation and the Wild West

In January 2012, the Commission released its Green Paper, entitled ‘Towards an integrated European market for card, internet and mobile payments’ (the Green Paper, see ‘related links’ below). It identifies ‘gaps’ perceived by the Commission with regard to competition, choice and innovation in the area of card, mobile and internet payments. In the Green Paper, the Commission states (italics added): “As keepers of the bank account, banks have a ‘gateway function’ that effectively determines the viability of many business models. Even if for certain new payment services consumers would agree that information on the availability of funds in their bank account is given to payment service providers [PSPs] of their choice, banks may refuse to give other payment service providers [PSPs] access to this information. Given the importance of secure payments and confidence in the payment system in general and the fact that banks are subject to supervision, such refusals may be justified in some cases. However, it creates a conflict of interest for banks, which may have an incentive to refuse to cooperate, despite the willingness of their customers. This could unduly hinder the emergence of safe and efficient alternative payment solutions, even if they are subject to prudential requirements.”

To clarify: information on the availability of funds in a payer’s account is already made available by regulated and supervised PSPs to other regulated and supervised PSPs every day, for example with millions of card transactions, which often entail a payment guarantee to the payee. These processes are governed by applicable international and national legal regimes and detailed in contractual agreements between the parties involved.

As outlined above, the novelty is that in the last couple of years PSPs have been faced with requests for payment account access by third-party service providers that are not ‘payment service providers’ as defined in the PSD and, consequently, are not subject to any prudential requirements. It is regrettable that the Commission, i.e. the author of the PSD, fails to make the distinction between PSPs and non-regulated, non-supervised third-party service providers in those sections of the Green Paper that address payment account access services. Accurately defined, the – unresolved – questions remain:

  1. Should PSPs grant access to consumers’ payment accounts to non-licensed, non-supervised third-party service providers that are not subject to any prudential requirements? The difficulty in answering this question is that there is currently a lack of legal harmonisation across the EU in the areas of data protection and security relating to online payments.
  2. In the event that the legislative process leading to the adoption of the revised PSD by the legislator, i.e. the European Parliament and the Council of the EU representing Member States2, should find that the answer to question 1 is ‘no’: how are PSPs supposed to handle requests for access to payment accounts by third-party service providers until the revised Directive has been implemented in all Member States3?

The legislator might decide to include currently non-licensed, non-supervised third-party service providers, whose business model requires access to consumers’ payment accounts, in the scope of the revised PSD. These entities would then become PSPs and, consequently, be subject to the legal regime governing the operations of PSPs. It has to be noted, however, that adoption of the revised PSD by the legislator, followed by implementation of the Directive in all Member States, might take several years.

Some may argue that the current legal vacuum with regard to payment account access services simply reflects the thrill and excitement of payment innovation in action. From the perspective of PSPs, who are responsible for safeguarding their customers’ funds and data privacy, the situation is best described as the Wild West of payment account access services. On a more general note: anyone with an interest in incentivising payers and payees to embrace innovative payment solutions (regardless of whether these are offered by ‘banks’ or ‘non-banks’) should adhere to the principle of ‘safety first’. The impact of any security breach on customers’ trust in forward-looking payment technologies will hardly be conducive to realising the Commission’s vision of Europe being “at the cutting edge of what ‘making a payment’ could mean in the future.”4

The way forward: funds (money) held by bank customers in their accounts as well as customers’ data privacy must be safeguarded at all times

The joint commitment of both account servicing PSPs and third-party service providers must be to preserve customers’ trust in the safety and reliability of payment methods.

The EPC considers that it is essential to ensure an appropriate level of security to protect consumers against the risk of fraud and abuse of sensitive private data in the online banking and payment environment. The EPC, therefore, stresses the need for the new regulatory and supervisory regime, i.e. the revised PSD and other legislative and regulatory initiatives, to address key requirements related to payment account access services such as supervision and licensing, security, consumer and data protection, transparency, liability allocation and the need for explicit consent.

This article details the recommendations of the EPC with regard to internet-based payment account access services. These recommendations are designed to ensure that the security of funds (money) held by bank customers in their accounts as well as customers’ data privacy are safeguarded at all times. In addition, the most appropriate means to implement security and regulatory requirements with regard to access to the accounts of bank customers by third parties must be determined. In the view of the EPC, and in line with established best market practice, this requires a contractual agreement between the account servicing PSP and the third-party service provider. This ensures that both the account servicing PSP and the third party requesting access to a payer’s bank account meet applicable legal and security requirements as well as their obligations towards each other and – most importantly – the payer.

Open questions with regard to payment account access services which have yet to be addressed based on further dialogue between all stakeholders including the European regulators

The legislative process leading to the adoption of the revised PSD should contribute to creating a coherent legal framework governing Single Euro Payments Area (SEPA) online payments, including internet-based payment account access services. In the interest, first and foremost, of the account-holding payer, the following topics need to be addressed when considering new payment account access services:

Oversight and regulatory framework: proper licensing and supervision of all types of service providers

To safeguard a level playing field in the payments market, proper licensing and supervision of all types of service providers (including third-party service providers offering payment account access services) should be ensured. Payment account access services should become part of the scope of ‘payment services’ under the revised PSD. The existing regulatory framework should also be amended to guarantee the clear allocation of liabilities and the definition of roles, rights and obligations of the involved parties, which is crucial in particular in case of failures, unauthorised transactions or disputes.

Security and fraud prevention

Allowing a third party access to one’s account entails risks, because sharing relevant data with the third party increases exposure to security threats such as hacking. Particular attention must therefore be paid to ensuring that payment account access services are secure for all parties involved, including consumers, PSPs and third-party service providers. Any vulnerability could lead to a loss of trust and to systemic risk even beyond online payments. The involvement of a third-party service provider should not compromise the security or service level of the PSP’s online banking environment. To this end, compliance with the ‘Recommendations for the security of internet payments’ developed by the SecuRe Pay Forum (see ‘related links’ below) is key. In particular, dedicated secure authentication and identification of the third-party service provider vis-à-vis the PSP is an essential requirement.

To allow consumers to make an informed decision on which third party they wish to grant access to information on their account, consumers should be fully aware of the following aspects:

  • Who has access to their accounts and related information? The legitimacy of such access, and of the organisations asking for such access, should be clearly defined.
  • Subject to which legal framework (e.g. when logging into servers located outside the EU) does access to the account by third parties take place?
  • Which operator (the third-party service provider, the account servicing PSP or yet another party such as, for example, an intermediary) is responsible for the payment services the consumer uses?
  • What would be the extent of access to their accounts and what personal data would their chosen third-party service providers be able to see or collect about them?

Protection of account holders’ personal data

Consumers, i.e. payment account holders, rely on PSPs to protect the integrity of their funds and personal data which are under the PSP’s custody. Clarity about consumers’ rights and obligations vis-à-vis third parties requesting access to consumers’ payment accounts and PSPs is indispensable. Third-party providers’ service and performance levels need to be made contractually transparent towards consumers. The revised PSD should include the relevant provisions concerning rights and obligations of the various parties impacted by internet-based payment account access services. Such provisions must be consistent with the forthcoming data protection legislation.5

Secure systems have to be in place to ensure that data protection is not compromised at any stage in the payment process. The scope of the information that PSPs are supposed to make available to third-party service providers accessing the payment accounts of bank customers must be defined. A distinction should be made between access to information on the availability of funds for a given transaction, access to a customer’s account information in general and direct or indirect access to a customer’s payment account. Each party in the payment chain should only have access to data relevant to its processing; third-party access should be limited to binary (‘yes-no’) information on the availability of funds.

As set out in the report on the Green Paper prepared by the European Parliament’s Committee on Economic and Monetary Affairs (see ‘related links’ below), clear regulation as to which role each actor plays in collecting data and for which purpose data is collected must be in place. In addition, a definition of the actors responsible for collecting, processing and retaining data is a prerequisite to ensure protection of personal data.

Transparency and (dual) consent

In each case of payment account access, the involvement of a third-party service provider must be transparent at all times for all relevant parties. Transparency of the conditions of use of payment account access services needs to be ensured for consumers. Explicit consent from the consumer and the account servicing PSP is required before the services can be implemented and used. This allows the security requirements and the need for identification of parties to be addressed, the allocation of liabilities between parties to be clarified, and banking secrecy, data protection and other legislative requirements which aim to protect consumers to be complied with.6 Explicit agreements between PSPs and third-party service providers on secure authentication and identification methods are indispensable to avoid fraud and security breaches.

Liability allocation

The allocation of liabilities between the PSP and third-party providers and the rights to compensation in case of damages need to be clarified. It is recommended that the revised PSD reflect the following concept for liability allocation between the third-party service provider, the PSP and the account holder, whilst recognising the principle of contractual freedom:

a) The PSP should have agreed with the account holder (a consumer, for example) and the third-party service provider on the consumer’s use of the payment account access services provided by the third-party service provider. The third-party service provider should securely identify itself to the PSP and should be mandated by the account holder. It could be that the PSP claims any compensation from the third-party service provider for any failures or unauthorised payment transactions resulting from the third party’s services. Such taking over of liability should be contractually agreed between the account-servicing PSP and the third-party service provider.

b) In the absence of such an agreement as provided under (a), the account holder does not have a claim for compensation against the PSP relating to any failures or unauthorised payment transactions resulting from its use of a third-party service provider, and

c) The account holder has a claim for compensation against the third-party service provider relating to any failure or unauthorised payment transactions resulting from its services.

Coherence of the legal regime with regard to the use of personalised security features including online banking credentials: no ‘impersonation’

Article 56 of the PSD defines the obligations of the payment service user in relation to payment instruments. A payment instrument “means any personalised device(s) and/or set of procedures” agreed between the payment service user and the PSP and used by the payment service user in order to initiate a payment (Article 4 (23) PSD). This definition is meant to cover physical devices (such as cards or mobile phones) and/or a set of procedures (such as personal identification number (PIN) codes or transaction authentication number (TAN) codes, digipass, login/password etc.), which “a payment service user can use to give instructions to his PSP in order to execute a payment transaction.”7 Article 56 explicitly states that the payment service user shall take all reasonable steps to keep its personalised security features safe. As frequently highlighted in information on payment security shared with consumers by PSPs and consumer organisations, this normally entails not disclosing such details to others. In some countries, the legislator even explicitly requires the payment service user to obtain prior authorisation from its PSP before disclosing the access codes for the use of a service or payment instrument to third parties.8 Article 57, §1(A) of the PSD stipulates that the PSP is obliged to make sure that the personalised security features of the payment instrument “are not accessible to parties other than the payment service user entitled to use the payment instrument (...).” The coherence of the legal regime implies that these provisions contradict the concept of sharing one’s personal online banking credentials, such as the password and PIN used to access one’s account online, with a third party.

Payment initiation services offered in the market today include a scenario where the consumer purchasing goods or services online discloses its personal online banking credentials (password and PIN, for example) to a third-party service provider. The third-party service provider then uses the consumer’s password and PIN to access the consumer’s account and initiates the payment. In other words, the third-party service provider ‘impersonates’ the consumer when accessing the consumer’s account online.

To protect the consumer against abuse of its personal online banking credentials for illegitimate access to its data or funds, the PSP should always be able to identify the third-party service provider requesting access to a consumer’s payment account, and the PSP should be informed that the third-party service provider acts on the basis of a valid mandate from the account holder. The revised PSD should, therefore, include a provision prohibiting third-party service providers from requesting that consumers provide their personal online banking credentials to them. The revised PSD should also include a provision which prohibits consumers from sharing their personal online banking credentials with third parties. As mentioned above, this is in line with the recommendations from both consumer organisations and PSPs informing consumers on the security of payments today.

At a more technical level, IP addresses of third-party service providers should not be accepted as a secure means of identification, since a source address is neither bound to a specific legal entity nor verifiable by the PSP. Only secure certificates or similar industry standards should be permitted, which should be reflected in the final SecuRe Pay recommendations for internet-based payment account access services. Agreements between third-party service providers and PSPs should provide for the necessary mutual security and technical requirements.
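The access decision described in this section, together with the data-minimisation point made earlier (third-party access limited to a binary ‘yes-no’ answer on the availability of funds), can be sketched as a policy check on the account-servicing PSP’s side: the third-party provider is recognised by the client certificate it presents rather than by its IP address, it must hold a mandate that carries both the account holder’s consent and the PSP’s agreement, a request that carries the customer’s own banking credentials is refused as impersonation, and the only data returned is ‘yes’ or ‘no’. This is an added illustration, not code from the EPC, SecuRe Pay or any PSP; the certificate registry, mandate records, account balances and the `handle_request` interface are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from typing import Dict, List, Optional, Tuple

# All data below is constructed for this example (no real PSP, TPP or account).
# A contracted TPP is recognised by the fingerprint of the client certificate it
# presents on the TLS connection, recorded when the PSP/TPP contract is concluded.
CONTRACTED_TPPS: Dict[str, str] = {
    "sha256:7d1c0f2ab9e4": "TPP-Alpha",  # constructed fingerprint
}

# Constructed ledger of the account-servicing PSP.
ACCOUNT_BALANCES: Dict[str, Decimal] = {
    "ACC-0001": Decimal("150.00"),
    "ACC-0002": Decimal("900.00"),
}

SCOPE_FUNDS_AVAILABILITY = "funds_availability"

@dataclass(frozen=True)
class Mandate:
    """Permission the account holder gave a named TPP for one scope. Dual consent:
    both the holder's explicit consent and the PSP's agreement must be recorded."""
    account_id: str
    tpp_name: str
    scope: str
    holder_consent: bool
    asp_agreed: bool
    valid_until: date

MANDATES: List[Mandate] = [
    Mandate("ACC-0001", "TPP-Alpha", SCOPE_FUNDS_AVAILABILITY, True, True, date(2099, 1, 1)),
    Mandate("ACC-0002", "TPP-Alpha", SCOPE_FUNDS_AVAILABILITY, True, True, date(2013, 12, 31)),
]

@dataclass(frozen=True)
class AccessRequest:
    """One funds-availability query as it reaches the PSP's interface."""
    client_cert_fingerprint: Optional[str]  # None: no client certificate presented
    source_ip: str                          # kept for the audit log, never used as identity
    account_id: str
    amount: Decimal
    customer_credentials: Optional[dict] = None  # a legitimate TPP request never carries these

def make_request(fingerprint, source_ip, account_id, amount, credentials=None) -> AccessRequest:
    """Convenience constructor taking the amount as a string."""
    return AccessRequest(fingerprint, source_ip, account_id, Decimal(amount), credentials)

class AccessDenied(Exception):
    """Carries a log-only reason; the TPP receives just 'denied'."""

def identify_tpp(req: AccessRequest) -> str:
    """Identify the TPP from its certificate; the source IP is not an identifier."""
    if req.client_cert_fingerprint is None:
        raise AccessDenied("no client certificate; IP address is not accepted as identification")
    name = CONTRACTED_TPPS.get(req.client_cert_fingerprint)
    if name is None:
        raise AccessDenied("certificate not bound to a contracted TPP")
    return name

def find_mandate(account_id: str, tpp_name: str, today: date) -> Mandate:
    """Return a usable mandate, or raise with the reason for the PSP's log."""
    for m in MANDATES:
        if (m.account_id, m.tpp_name, m.scope) != (account_id, tpp_name, SCOPE_FUNDS_AVAILABILITY):
            continue
        if not (m.holder_consent and m.asp_agreed):
            raise AccessDenied("mandate lacks dual consent (holder and account-servicing PSP)")
        if m.valid_until < today:
            raise AccessDenied("mandate expired")
        return m
    raise AccessDenied("no mandate from the account holder for this TPP")

def funds_availability(req: AccessRequest, today: date) -> str:
    """Answer 'yes' or 'no' only; the balance and other account data never leave the PSP."""
    if req.customer_credentials:
        # The TPP is presenting the customer's own online banking credentials,
        # i.e. impersonating the customer instead of identifying itself.
        raise AccessDenied("request carries customer banking credentials (impersonation)")
    tpp_name = identify_tpp(req)
    find_mandate(req.account_id, tpp_name, today)
    balance = ACCOUNT_BALANCES.get(req.account_id)
    if balance is None:
        raise AccessDenied("account not found")
    return "yes" if balance >= req.amount else "no"

def handle_request(req: AccessRequest, today: Optional[date] = None) -> Tuple[str, str]:
    """Interface-facing wrapper: returns (answer_for_tpp, audit_log_line); the TPP
    only ever sees 'yes', 'no' or 'denied', the reason stays in the PSP's log."""
    try:
        answer, reason = funds_availability(req, today or date.today()), "ok"
    except AccessDenied as exc:
        answer, reason = "denied", str(exc)
    log_line = (f"funds_check cert={req.client_cert_fingerprint} src_ip={req.source_ip} "
                f"account={req.account_id} amount={req.amount} result={answer} reason={reason}")
    return answer, log_line
```

In a deployment the fingerprint would be taken from the TLS layer after full chain validation against the certificates agreed in the PSP/TPP contract; the point of the sketch is that no decision path ever consults the source IP or accepts customer credentials.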

Development of standard interfaces

The EPC supports the adoption of standard interfaces between PSPs and third-party service providers, which would foster efficiency, innovation and competition. Multi-stakeholder forums, for example under the guidance of the SEPA Council, could define common interfaces, protocols or process flows, using available international standards. (The SEPA Council, which brings together representatives of both the demand and supply sides of the payments market including the EPC, was established by the Commission and the ECB in June 2010; for information, refer to the ‘related links’ below.)

Effective implementation of regulatory requirements governing internet-based payment account access services requires contractual agreements between third-party service providers and account servicing PSPs

In the Green Paper, the Commission mentions an “agreement of the customer” as a condition to making information available on the availability of funds in the customer’s account.

However, the mere fact that a payer expressed such agreement to a third-party service provider does not mean that the requirement to comply with existing legal, regulatory and contractual obligations is actually met. Even if an agreement between the account holder and the third-party service provider exists, the Commission does not seem to consider the “agreement of the PSP”, which is responsible for safeguarding the integrity of its customers’ accounts, as a condition to offering payment account access services. A contractual relationship between the entities involved is indeed a prerequisite to determining the specific account information that third-party service providers have access to, and under which conditions the PSP can share data required by the third-party service provider to initiate a payment on behalf of the payer (e.g. non-discriminatory, fair and reasonable commercial terms). A contract between a third-party service provider and a PSP is also needed to address operational requirements, security aspects and liability in case of fraud. For example, a contract would serve to describe in detail the respective parts of a payment transaction that are under the control of the contracting partners and the related responsibilities.

Article 60 of the PSD states that “(…) in the case of an unauthorised payment transaction, the payer's payment service provider refunds to the payer immediately the amount of the unauthorised payment transaction and, where applicable, restores the debited payment account to the state in which it would have been had the unauthorised payment transaction not taken place.” Consequently, from a liability point of view, it is of the essence that transparent rules between the involved parties exist. This can only be achieved through a contractual agreement between PSPs and third-party service providers requesting access to the account of a payer.

A contract would provide both parties with a degree of legal certainty which neither the revised PSD nor the final recommendations on payment account access services currently being developed by the SecuRe Pay Forum will be able to offer. Most importantly, a contract between the account servicing PSP and the third-party service provider would ensure effective implementation of the requirements aimed at protecting consumers, i.e. account holders, against the risk of fraud and abuse of sensitive private data in the online banking and payment environment.

Convenience is a priority. Security is indispensable. Promoting payment innovation to the benefit of both payers and payees requires combining the two.

In a previous edition of this newsletter, Vice Chair Günther Gall, a banker with more than forty years of experience in managing all aspects of payments, analysed the factors driving forward innovation (see ‘related articles in previous issues’ below). He commented: “Service providers have to create a positive buying experience for customers when bringing new products to the market. This is particularly difficult in the area of payments. No one likes to make a payment; services provided in this context are rarely met by customers eager to embrace new solutions.” Forward-looking payment services, he pointed out, must therefore be convenient and easy to use. However, convenience should never come at the cost of security. As outlined above, adhering to this principle is the very prerequisite to fostering innovation in payments, maintaining trust in payment systems and, ultimately, incentivising payers and payees to adopt new solutions.

The EPC, therefore, rejects allegations publicised by the Commission that PSPs would “refuse” third-party providers access to information on payment accounts, thus “limiting market access” (see the document entitled ‘Follow up to Green Paper: Towards an integrated European market for card, internet and mobile payments, incl. the reviews of Directive 2007/64/EC on payment services in the internal market (PSD) and Regulation (EC) No. 924/2009 on cross-border payments in the Community’ included with the ‘related links’ below). The current legal environment simply does not allow PSPs to grant third-party service providers access to accounts without a contractual agreement, including the customer’s prior consent.

An amended legal framework, i.e. the revised PSD, which gives the necessary attention to data protection, limits fraud risk, identifies the roles and related liabilities of all parties concerned and creates a level playing field, is a prerequisite for ensuring the safe access which both the Commission and the ECB advocate. In the meantime, regulators and supervisory authorities will therefore have to provide an interim solution to address the current legal vacuum with regard to payment account access services.

To obtain an overview of payments innovation globally, the Committee on Payment and Settlement Systems (CPSS)9 established the Working Group on Innovations in Retail Payments (the Working Group). The Working Group focused on fact-finding, in order to define the most relevant developments and to identify the major factors driving and hampering innovation. In 2012, the CPSS published the report ‘Innovations in Retail Payments’ (see ‘related links’ below). In his contribution to the EPC Newsletter (see ‘related articles in previous issues’ below), Dirk Schrade, Chairman of the Working Group, commented: "(...) it is of utmost importance that European regulators set up a clear, transparent and reliable framework for future developments in the field of payments. (...) it should guarantee a level playing field between all [PSPs], whether within or outside the banking area, and should strike a balance between competition and cooperation as well as between economic freedom and consumer protection."

Javier Santamaría is the Chair of the EPC. Gert Heynderickx, in-house Legal Counsel to the EPC, contributed to this article.

Related links:

European Central Bank: Draft Recommendations for “Payment Account Access” Services (SecuRe Pay)

European Commission (24 July 2013): Payments Legislative Package

European Commission Green Paper ‘Towards an Integrated European Market for Card, Internet and Mobile Payments’

EPC Response to the European Commission Green Paper ‘Towards an Integrated European Market for Card, Internet and Mobile Payments’

European Central Bank: Recommendations for the Security of Internet Payments (SecuRe Pay)

European Parliament Committee on Economic and Monetary Affairs Report on “Towards an Integrated European Market for Card, Internet and Mobile Payments” (2012/2040(INI))

SEPA Council Page of the European Central Bank

European Commission October 2012 Roadmap - Follow up to Green Paper: Towards an integrated European market for card, internet and mobile payments, incl. the reviews of Directive 2007/64/EC on payment services in the internal market (PSD) and Regulation (EC) No. 924/2009 on cross-border payments in the Community

Committee on Payment and Settlement Systems (CPSS). Innovations in Retail Payments. Report of the Working Group on Innovations in Retail Payments


Related article in this issue:

European Commission Published ‘Payments Legislative Package’ on 24 July 2013. The package includes proposals for a revised Payment Services Directive and a new Regulation on interchange fees for card-based payment transactions


Related articles in previous issues:

Committee on Payment and Settlement Systems' Working Group Publishes Report 'Innovations in Retail Payments'. Central bank research identifies market trends and elements geared to assessing what an innovation-friendly environment should look like (EPC Newsletter, Issue 15, July 2012)

‘Towards an Integrated European Market for Card, Internet and Mobile Payments’: Striking the Balance - Interoperability and the Access Dilemma. European Commission publishes feedback report on its Green Paper (EPC Newsletter, Issue 15, July 2012)

What Drives Innovation in Payments? EPC Invites European Authorities to Take the Market Perspective into Consideration. The most important factors incentivising innovation are customer demand and a viable business model (EPC Newsletter, Issue 15, July 2012)

EPC Newsletter Articles Published in the Section: 'Focus: On Integration and Innovation'

EPC Newsletter Articles Published in the Section 'Legal and Regulatory Issues'

1 European Central Bank press release (31 January 2013): ‘ECB releases final Recommendations for the security of internet payments and starts public consultation on payment account access services’ - http://www.ecb.int/press/pr/date/2013/html/pr130131_1.en.html.

2 The vast majority of European laws are adopted jointly by the European Parliament and the Council of the EU representing EU Member States under the so-called ordinary legislative procedure. This legislative procedure gives the same weight to the European Parliament and the Council of the EU in a wide range of areas. http://www.europarl.europa.eu/aboutparliament/en/0081f4b3c7/Law-making-procedures-in-detail.html.

3 Directives lay down certain end results that must be achieved in every Member State. National authorities have to adapt their laws to meet these goals, but are free to decide how to do so. (...) National implementation measures are texts officially adopted by the authorities in a Member State to incorporate the provisions in a directive into national law. http://ec.europa.eu/eu_law/directives/directives_en.htm.

4 European Commission press release: ‘Breaking down barriers to secure and innovative card, internet and mobile payments’ (11 January 2012): http://europa.eu/rapid/press-release_IP-12-11_en.htm?locale=en.

5 See the Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf.

6 The ‘position paper on the issue of access to the payment account’ recently published by the Dutch central bank reflects the consensus of the Dutch community (consumers, e-merchants, central bank and banks). It “proposes to regulate the payment account access services within the PSD, based on the dual consent approach”. See http://www.dnb.nl/publicatie/publicaties-dnb/incidentele-publicaties/index.jsp.

7 PSD Expert Group: PSD Guidance Document (August 2009): http://www.europeanpaymentscouncil.eu/knowledge_bank_detail.cfm?documents_id=412.

8 For example in Italy, see http://www.bancaditalia.it/sispaga/sms/normativa/sispag/bi/attuazione-dlg-11-270110/Provvedimento-050711_en.pdf.

9 The Committee on Payment and Settlement Systems (CPSS) contributes to strengthening the financial market infrastructure through promoting sound and efficient payment, clearing and settlement systems. The CPSS is a standard setting body for payment, clearing and securities settlement systems. It also serves as a forum for central banks to monitor and analyse developments in domestic payment, clearing and settlement systems as well as in cross-border and multicurrency settlement schemes. http://www.bis.org/cpss/
