On the Difference between Innovation and the Wild West: How to Ensure the Security of Bank Customers’ Funds and Data with Payment Account Access Services

25 October 13

On 24 July 2013 the European Commission (the Commission) published a ‘payments legislative package’ (see link below), which includes the Commission proposal for a revised Payment Services Directive (). According to the related Commission press release, “the review of the European Union (EU) payments framework, especially the PSD, and the responses to the Commission’s Green Paper ‘Towards an integrated European market for card, internet and mobile payments’ in 2012, led to the conclusion that further measures and regulatory updates, including adjustments to the PSD, are required. This would help the payments framework to better serve the needs of an effective European payments market.”

The Commission’s proposal for the will have to be adopted by the European Parliament and the Council of the EU representing EU Member States; i.e. the EU legislator. (For information on the EU legislative process including the implementation of EU Directives at the level of EU Member States, refer to the links below). According to the ‘Frequently Asked Questions’ published by the Commission with the ‘payments legislative package’, the Commission counts “on the European Parliament (Economic and Monetary Affairs Committee ‘ECON committee’) and the Lithuanian Presidency [of the Council of the EU] to launch the negotiations work on the measures as soon as possible after the summer with a view to reach an agreement on the Commission’s proposals by Spring 2014.” Based on that timeline and considering that the Commission proposes that EU Member States are given two years to implement this revised EU Directive into national law, the forthcoming could take effect at the earliest in 2016.

The Commission’s proposal for the includes rules on access to payment accounts of bank customers. Payment account access services are also offered by providers currently operating outside the scope of the PSD; i.e. that are neither licensed nor supervised. This blog addresses key considerations of the with regard to access to consumers’ payment accounts by currently non-licensed, non-supervised third-party service providers.

The invites the legislator, i.e. the European Parliament and the Council of the EU, to consider the latest central bank research, which identifies the major factors driving and hampering innovation in retail payments

The Committee on Payment and Settlement Systems (CPSS) is a standard setting body for payment, clearing and securities settlement systems. It also serves as a forum for central banks to monitor and analyse developments in domestic payment, clearing and settlement systems as well as in cross-border and multicurrency settlement schemes. To obtain an overview of payments innovation globally, the CPSS established the Working Group on Innovations in Retail Payments. The CPSS Working Group focused on fact-finding, in order to define the most relevant developments and to identify the major factors driving and hampering innovation. In 2012, the CPSS published the report ‘Innovations in Retail Payments’ (see link below). The report contains a number of elements geared to assessing how an innovation-friendly environment should look. In his contribution to the Newsletter (see link below), Dirk Schrade, Chairman of the CPSS Working Group, commented: “One big question remains: how will the payment landscape develop? Will it be a revolution or an evolution? In Europe, there are factors speaking in favour of the latter. The infrastructure is already well developed, many innovations are, therefore, incremental improvements of well-established products (...) it is of utmost importance that European regulators set up a clear, transparent and reliable framework for future developments in the field of payments. Last but not least, it should guarantee a level playing field between all payment service providers [], whether within or outside the banking area, and should strike a balance between competition and cooperation as well as between economic freedom and consumer protection.”

The legislative process leading to the adoption of the will provide an excellent opportunity for the European Parliament and the Council of the EU to determine the appropriate legal and regulatory framework to foster consumer protection, innovation and competition in the European payments market, while guaranteeing a level playing field between all – “whether within or outside the banking area” – as recommended by the CPSS Working Group on Innovations in Retail Payments.

The Commission’s proposal for the includes rules on access to payment accounts of bank customers. Payment account access services are nothing new. The novelty is this: payment account access services are also offered by providers currently operating outside the scope of the PSD

To ensure a common understanding of terms and concepts, this blog relies on definitions included within the draft ‘Recommendations for Payment Account Access Services’ (see link below) published by the European Central Bank (ECB) for consultation in January 2013. These draft recommendations were developed by the European Forum on the Security of Retail Payments (SecuRe Pay), a “voluntary cooperative initiative between relevant authorities from the European Economic Area () – supervisors of payment service providers and overseers in particular – formed with the objective of facilitating common knowledge and the understanding of issues related to the security of electronic retail payment services and instruments and, where necessary, issuing recommendations.”

The SecuRe Pay draft recommendations explain that payment account access services can be offered by ; i.e. regulated and supervised entities as defined in the PSD. In commonly used language, – which include credit institutions, payment institutions and other types of – are often referred to as ‘banks’. The SecuRe Pay draft recommendations for internet-based payment account access services refer to issuing payment accounts to their customers as “account servicing ”. The draft recommendations point out that payment account access services are also offered by “third-party service providers” that “are often merely non-licensed service providers and not ”. This is a more recent development. The SecuRe Pay Forum clarifies that, unlike , non-licensed third-party service providers offering payment account access services “are not subject to supervisory requirements.” In the political debate, such third-party service providers are often referred to as ‘non-banks’. The SecuRe Pay draft recommendations distinguish between two types of internet-based payment account access services, which are offered by and third-party service providers:

  • Account information services “provide information on several accounts held by a person with one or several and present that information to the person in a consolidated and user-friendly way.” To provide this service a third-party service provider “needs to have access to the person’s payment account(s).”
  • Payment initiation services “initiate payment transactions via a person’s internet-enabled payment account. The technical implementation of this service can differ depending on whether or not the payee is actively involved in the payment initiation (e.g. during online shopping) and whether the [third-party service provider’s] TP’s software is used by the account owner to transmit his/her credentials to the account servicing .” Payment initiation services are based on a range of different models on how to initiate a payment on behalf of a consumer via their internet-enabled payment account.

The consultation period on the SecuRe Pay draft recommendations for payment account access services concluded on 12 April 2013. It is not known when the final recommendations will be published.

In January 2012, the Commission released its Green Paper, entitled: ‘Towards an integrated European market for card, internet and mobile payments’. In the Green Paper, the Commission states (italics added): “As keepers of the bank account, banks have a ‘gateway function’ that effectively determines the viability of many business models. Even if for certain new payment services consumers would agree that information on the availability of funds in their bank account is given to payment service providers [] of their choice, banks may refuse to give other payment service providers [] access to this information. Given the importance of secure payments and confidence in the payment system in general and the fact that banks are subject to supervision, such refusals may be justified in some cases. However, it creates a conflict of interest for banks, which may have an incentive to refuse to cooperate, despite the willingness of their customers. This could unduly hinder the emergence of safe and efficient alternative payment solutions, even if they are subject to prudential requirements.”

To clarify: information on the availability of funds in a payer’s account is made available by regulated and supervised to other regulated and supervised with, for example, millions of card transactions – which often entail a payment guarantee to the payee – every day. These processes are governed by applicable international and national legal regimes and detailed in contractual agreements between the parties involved. As outlined above, the novelty is that for the past couple of years have been faced with requests for payment account access by third-party service providers that are not ‘payment service providers’ as defined in the PSD and, consequently, are not subject to any prudential requirements. It is regrettable that the Commission, i.e. the author of the PSD, fails to make the distinction between and non-regulated, non-supervised third-party service providers in those sections of the Green Paper which address payment account access services. Accurately defined, the – unresolved – questions remain:

  1. Should grant access to consumers’ payment accounts to non-licensed, non-supervised third-party service providers that are not subject to any prudential requirements? The difficulty in answering this question is that there is currently a lack of legal harmonisation across the in the areas of data protection and security relating to online payments.
  2. In the event that the legislative process leading to the adoption of the revised PSD by the legislator (i.e. the European Parliament and the Council of the EU representing Member States) should find that the answer to question 1 is ‘no’: how are supposed to handle requests for access to payment accounts by third-party service providers until the revised Directive has been implemented in all Member States?

The legislator might decide to include currently non-licensed, non-supervised third-party service providers, whose business model requires access to consumers’ payment accounts, in the scope of the revised PSD. These entities would then become and, consequently, subject to the legal regime governing the operations of . It has to be noted however, as outlined above, that adoption of the revised PSD by the legislator, followed by implementation of the Directive in all Member States, might take several years.

Convenience is a priority. Security is indispensable. Promoting payment innovation to the benefit of both payers and payees requires combining the two

Some may argue that the current legal vacuum with regard to payment account access services simply reflects the thrill and excitement of payment innovation in action. From the perspective of , who are responsible for safeguarding their customers’ funds and data privacy, the current situation detailed above is best described as the Wild West of payment account access services. On a more general note: innovative payment services must be convenient and easy to use for both payers and payees. However, convenience should never come at the cost of security. Anyone with an interest in incentivising payers and payees to embrace innovative payment solutions – regardless of whether these are offered by ‘banks’ or ‘non-banks’, existing or new players – should adhere to the principle of ‘safety first’. The impact of any security breach on customers’ trust in forward-looking payment technologies will hardly be conducive to realising the Commission’s vision of Europe being “at the cutting edge of what ‘making a payment’ could mean in the future.”

The considers it essential that there is an appropriate level of security to protect consumers against the risk of fraud and abuse of sensitive private data in the online banking and payment environment. The , therefore, stresses the need for the new regulatory and supervisory regime (the revised PSD and other legislative and regulatory initiatives) to address key requirements related to payment account access services such as supervision and licensing, security, consumer and data protection, transparency, liability allocation and the need for explicit consent.

Regulators must take the following actions to ensure the continued security of consumers’ funds and data:

  • The legislator, i.e. the European Parliament and the Council of the EU representing Member States, will have to define appropriate legal and security requirements to be included within the revised PSD regarding access to consumers’ accounts by third-party service providers.
  • To safeguard a level playing field in the payments market, proper licensing and supervision of all types of service providers (including third-party service providers offering payment account access services) should be ensured. Payment account access services should become part of the scope of ‘payment services’ under the revised PSD.
  • Regulators and supervisory authorities must address the current legal vacuum, i.e. create an interim solution that gives certainty to on how to handle requests for access to consumers’ accounts by non-licensed, non-supervised third-party service providers until the revised PSD becomes effective.

The stresses that the only means to effectively implement legal and security requirements applicable to payment account access services are contracts between the parties concerned in line with established market best practice.

The legislative process leading to the adoption of the revised PSD should contribute to creating a coherent legal framework governing Single Euro Payments Area online payments including internet-based payment account access services. The July 2013 edition of the Newsletter features an article detailing open questions, and related recommendations, with regard to payment account access services which have yet to be addressed based on further dialogue between all stakeholders including the European regulators (see link below). In the interest, first and foremost, of the account-holding payer, the joint commitment of both account servicing and third-party service providers must be to preserve customers’ trust in the safety and reliability of payment methods.

Related links:


