European Union Regulatory Initiatives Impacting the Security of Euro P...

European Union Regulatory Initiatives Impacting the Security of Euro Payments: the 2015 Outlook

09 January 15

Share This

Regulatory action rolling out in 2015 will determine the foreseeable future with regard to the security of payments in Europe. In the Newsletter article entitled ‘Tensions in Cyberspace: Competing Priorities and Legislative Initiatives in the Online Payments World’, the authors Dermot Turing, Simon Crown and Maria Troullinou consider the interaction between relevant initiatives recently launched or adopted by various European Union ( ) regulatory bodies aimed at promoting the security of payments. The authors point out that tensions between these initiatives “are the inevitable product of attempting to put in place various legislative initiatives relating to similar areas simultaneously.”

They outline that tensions “exist between security on the one hand and the promotion of competition, technological neutrality and access on the other.” As each proposal goes through the legislative process, “the risk is that the end result will be a series of measures that when put together reveal the underlying tensions between theory and practice”. Another question is whether, and to what extent, all of these proposals “will keep in sync with the plethora of technological developments”. It therefore, remains to be seen whether the end result will be an “uneasy compromise between the interests of the relevant actors and policymakers” or “a series of harmonious provisions” that promote a secure, competitive and innovative payments landscape.

The answer to these questions remains pending until relevant legislation currently in progress and other regulatory initiatives are fully implemented by the various actors concerned, including Member States as well as payment service and other providers.

This blog takes a further look, specifically, at the proposed revised Payment Services Directive ( ), the proposed new Network and Information Security Directive, the guidelines on the security of internet payments released by the European Banking Authority in December 2014 and initiatives considered by the European Commission with regard to virtual currencies.

Sources providing further background information as well as those cited in this blog are included in the ‘related links’ below.

Proposed revised Payment Services Directive ( ): state of play

Directives, such as the forthcoming and Network and Information Security Directive, lay down certain end results that must be achieved in every Member State. National authorities have to adapt their laws to meet these goals; i.e. have to implement an Directive by a date determined by the co-legislators, but are free to decide how to do so. National implementation measures are texts officially adopted by the authorities in a Member State to incorporate the provisions of an Directive into national law.

The European Commission, which has the right of initiative to propose laws for adoption by the European Parliament and the Council of the , published its proposal for on 24 July 2013. (The formal title of this proposed legislative act is “Proposal for a Directive of the European Parliament and of the Council [of the ] on payment services in the internal market and amending Directives 2002/65/EC, 2013/36/ and 2009/110/EC and repealing Directive 2007/64/EC”.) This draft legislative act remains subject to review and adoption, respectively, by the co-legislators. These are the European Parliament and the Council of the . The Council of the is the institution where the Member States’ government representatives sit, i.e. the ministers of each Member State with responsibility for a given policy area.

legislation proposed by the Commission related to payments is considered by the European Parliament’s Economic and Monetary Affairs Committee (ECON) prior to the European Parliament taking a vote on a proposal. The members of the European Parliament approved the final ECON report on at its plenary session on 3 April 2014. However, the European Parliament postponed the vote (in first reading) on the related draft legislative resolution until after the May 2014 European Parliament elections. The European Parliament has to date not voted the proposal in first reading. It is expected that the European Parliament will only take a vote once the final text of the proposed has been agreed in further dialogue with the Council of the and the European Commission.

On 5 December 2014, the Council of the representing Member States agreed its final compromise text on . In a next step, the so-called ‘trialogue’ process will be initiated, whereby the Commission, the European Parliament and the Council of the will have to agree the final version of the forthcoming . Provided that there are no delays, it could be adopted in the first half of 2015, and be implemented in national legislation some two years after its adoption.

It has to be recalled that with the proposed , the Commission introduces the notion of ‘third party payment service provider ( )’, which is relevant, specifically, to the security of payments. are described in as payment service providers ( ) pursuing business activities which are based on access to payment accounts provided by a who is not the ‘account servicing’ , in the form of (a) payment initiation services and / or (b) account information services. Payment account access services are now also offered by ‘third-party service providers’ that are often merely non-licensed service providers and not . Unlike , non-licensed third-party service providers offering payment account access services are currently not subject to supervisory requirements.

The European Payments Council ( ), (which is not part of the institutional framework), fully acknowledges the existence of a market demand for granting third parties access to their online payment services in a regulated and secure way to enable a wider range of payment services to European merchants and consumers. To achieve this goal, the reiterates that the final version of the forthcoming will have to meet the following requirements:

The strongly recommends maintaining the principle that a consumer should never have to share his or her personal security credentials with third parties. This is a pre-condition to ensuring the continued security of consumers’ funds and data in the online banking environment. The European Commission however, proposes abandoning the principle established with Article 56 of the PSD currently in effect that under no circumstances should a consumer share his or her personalised security credentials with third parties. Personalised security features include, for example, passwords and personal identification numbers (PINs) as well as mobile or indexed transaction authorisation numbers (TANs). Third parties are any party other than the account servicing issuing such credentials to the account holder (the consumer).

The stresses that personalised security credentials are developed by an account servicing – and issued to the account holding consumer – to mitigate specific security threats. The risks involved with the sharing of credentials such as, for example, mobile TANs result from the overall security context in which internet payments are conducted. Generally speaking, it is obvious that risks will increase as more communication channels are involved in a remote payment and the handling of consumer credentials. If the lawmaker invites consumers to share their personal credentials with third parties, then consumers would be exposed to, among others, the risk of impersonation, i.e. identity theft. Lowering consumer protection standards would, therefore, decrease security and, in consequence, increase the risk of infringing on privacy.

Weakening the requirement to maintain confidentiality of personalised security credentials would also counteract long-standing efforts carried out by consumer organisations and to date helping consumers to safely make online payments. Communication with bank customers today, in line with the principles established with the PSD in effect, is based on a clear message: personalised security credentials serve as your firewall against security threats in the online banking environment. Therefore, do not disclose these credentials to third parties.

If the lawmakers endorse the as proposed by the Commission, would have to communicate to consumers that they may disclose their credentials to some third parties, namely, operating in accordance with the . Consumers would have to acquire the expertise required to identify . Contrary to the stated intentions of the Commission, this appears to put a burden on, and create confusion for, consumers rather than improve their payment experience and promote secure electronic commerce.

With regard to the proposed new set of rules related to the activity of offering payment initiation and / or payment account information services, the also stresses that it is of the utmost importance that would authenticate themselves in an unequivocal manner towards the account servicing when accessing a payment service user’s account. In addition, the recommends that all be subject to authorisation prior to commencing the provision of their services. The is of the opinion that under no circumstances should the account servicing be held liable for the ’s mistakes, failures or for specific risks resulting from the ’ sphere of activities. Moreover, an interim solution, until the forthcoming will be implemented in Member States, would be required to address the current lack of legal framework regarding the licensing of .

Proposed new Network and Information Security (NIS) Directive: state of play

In February 2013, the European Commission tabled its proposal for a ‘Directive of the European Parliament and of the Council [of the ] concerning measures to ensure a high common level of network and information security across the Union’, often referenced as the Cyber-security or Network and Information Security (NIS) Directive.

As outlined by Dermot Turing, Simon Crown and Maria Troullinou in the Newsletter, the proposed NIS Directive aims at promoting online security through a combination of voluntary and regulatory measures. Accordingly, market operators, including credit institutions and critical financial services infrastructure entities, will have to abide by security requirements (including incident reporting obligations) and to ensure service continuity. Specifically, the draft NIS Directive defines a “market operator” as “an operator of infrastructures that are essential for the maintenance of vital economic and societal activities in the fields of energy, transport, banking, financial market infrastructures, internet exchange points, food supply chain and health, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions”. Not all of the draft NIS Directive provisions apply to all aspects of a “market operator's” business – some of the Article 14 obligations for example only apply to “core services” provided by market operators, which term is in turn not defined. In order to add teeth to its proposals, the proposal contains enforcement provisions which empower competent authorities to request market operators to provide information relating to their security measures for accessing their networks.

Turing, Crown and Troullinou point out that are worried that their obligations – ensuring that their customers’ data and privacy are protected, preventing the misuse of customer information and achieving the security objectives set out in the draft NIS Directive do not sit well with the new provisions that have been introduced with the proposed primarily to foster competition in the new online payments market. There is an expectation to comply (but not to over-comply) with new security standards and the balance is not an easy one to strike.

With regard to the information sharing initiative on cyber security threats envisaged under the draft NIS Directive, reported in September 2014 that the European Central Bank (ECB) called on plans for the Directive to be amended to account for existing rules and procedures are subject to on assessing cyber security risk and notifying regulators of incidents they identify. “The ECB said that “procedures for early warnings and coordinated responses” have already been established in relation to “systemically important payment systems” and “deal with possible cyber-security threats”. There are “existing oversight arrangements”, involving financial regulators, for these procedures, it added.”

“The assessment of security arrangements and incident notifications for payment and settlement systems and is one of the core competences of prudential supervisors and central banks,” the ECB said in its opinion on the draft NIS Directive. “Responsibility for developing oversight requirements in the abovementioned areas should therefore remain with these authorities, and should not be subject to potentially conflicting requirements imposed by other national authorities.”

According to, the ECB further commented that “risk management, including security requirements in respect of payment and settlement systems and other market infrastructures within the euro area, is set by the Eurosystem, comprising the ECB and NCBs (national central banks) from those member states that have adopted the euro. Through this oversight function, the Eurosystem aims to ensure the smooth functioning of payment and settlement systems by applying appropriate oversight standards and minimum requirements. The proposed [NIS] directive should take into account the oversight framework already in place and ensure regulatory consistency across the Union”.

“In its opinion paper, the ECB said that there is a “strong case” for financial regulators in the to work with other bodies in the trading bloc to share information on cyber security threats and incidents under the new framework. “There is a strong case for sharing information with the European Network and Information Security Agency or competent authorities under the proposed directive, and with the (European Banking Authority) or ESMA (European Securities and Markets Authority) as the competent authority for the coordination of incidents relating to ,” the ECB said.”

Informing on the state of play regarding the legislative process leading to the adoption of the NIS Directive, the Council of the representing Member States commented on 19 November 2014 that following a thorough examination of its detailed provisions, the Permanent Representatives Committee (Coreper) granted the Presidency of the Council of the “a mandate to start informal exploratory talks” with the European Parliament on the proposed NIS Directive. (The Coreper is responsible for preparing the work of the Council of the . It consists of representatives from the Member States with the rank of Member States’ ambassadors to the and is chaired by the Member State which holds the Council Presidency.)

According to the Council of the , the main outstanding issue concerns the scope of the proposal. Whereas the Council of the text would allow Member States to assess, on the basis of defined criteria, whether or not certain operators in identified sectors would be subject to the obligations regarding security requirements and incident notifications in the forthcoming NIS Directive, the European Parliament “envisages an approach whereby all operators in all of the sectors identified are subject to the obligations but with a possible varying degree of providing evidence of effective implementation of security policies. The identification and inclusion of certain sectors, to be listed in an Annex, also remains an open issue, including the question whether Internet enablers should be added to the list, as the Commission advocates.” Other outstanding issues “concern the architecture, objectives and extent of strategic and operational cooperation and the modalities and criteria for national incident notification and for notification in the context.”

Guidelines on the security of internet payments released by the European Banking Authority ( )

The European Banking Authority ( ) was created in 2011 to ensure “effective and consistent prudential regulation and supervision across the European banking sector”. In October 2014, the published a consultation paper on the implementation of its guidelines on the security of internet payments. The paper was based on the recommendations of the European Forum on the Security of Retail Payments (SecuRe Pay), a voluntary cooperative initiative between relevant authorities from the European Economic Area. SecuRe Pay released previous recommendations on the security of internet payments in January 2013 with an implementation deadline of 1 February 2015. However, it became apparent that a more solid legal basis would be needed to ensure consistent implementation across all Member States and to reassure financial institutions that required investment and system changes have a consistent regulatory framework. The guidelines cover three main categories; the general control and security environment, specific control and security measures for internet payments and customer awareness, education and communication.

The consultation on these guidelines, which ran until 14 November 2014, asked the question: “Do you prefer for the Guidelines to:

  1. Enter into force, as consulted, on 1 August 2015 with the substance set out in this consultation paper, which means they would apply during a transitional period until stronger requirements enter into force at a later date under .
  2. Anticipate these stronger requirements and include them in the final Guidelines under PSD1 that enter into force on 1 August 2015, the substance of which would then continue to apply under .”

The received 45 responses (including one from the ’s Banking Stakeholder Group), of which 39 were published on the ’s Website. In response to the consultation, the recommended a third option (‘option c’). This recommendation is a scenario whereby the guidelines would be issued only after entry into force of (according to Article 103 of the draft ) and publication of the regulatory technical standards as may be mandated by , following a consultation of the market and safeguarding an adequate timeframe for implementation. In the response the had added that if the were to not accept the recommended ‘option c’, it would have a preference for ‘option a’ (i.e. the two-step approach) subject to the guidelines remaining based on the SecuRe Pay recommendations published in 2013 which was the basis for the ongoing implementation efforts.

The published the finalised guidelines on 19 December 2014. The guidelines set the minimum security requirements that in the will be expected to implement by 1 August 2015. The has retained the two-step approach whereby the guidelines will need to be implemented as consulted on 1 August 2015, with potentially more stringent requirements necessary under the being implemented at a later stage. The has, therefore, concluded that a delay in implementation of the guidelines until the transposition of the in 2017/2018 would not be feasible in view of the continuously growing and high levels of fraud in the domain of internet payments.

The recognises the importance and urgency of addressing internet payment fraud and hence supports the objectives pursued by the in this area. At the same time the wishes to stress that regulation should strive to achieve legal certainty, technology neutrality and a level playing field amongst all players. 

(A dedicated article on the guidelines on the security of internet payments released by the will be included in the next edition of the Newsletter to be published by the end of January 2015.)

Way forward on virtual currencies in the ?

In July 2014, the published its opinion on virtual currencies (VCs) which states, among other things: “Following three months of analysis, the issued a public warning on 13 December 2013, making consumers aware that VCs are not regulated and that the risks are unmitigated as a result. The question that remained unaddressed at the time was whether VCs should or can be regulated. This opinion sets out the result of this assessment and is addressed to legislators as well as national supervisory authorities in the 28 [ ] Member States. (…) More than 70 risks were identified across several categories, including risks to users; risks to non-user market participants; risks to financial integrity, such as money laundering and other financial crime; risks to existing payment systems in conventional FCs [(Conventional) Fiat currency], and risks to regulatory authorities. A regulatory approach that addresses these drivers comprehensively would require a substantial body of regulation, some components of which are untested. It would need to comprise, amongst other elements, governance requirements for several market participants, the segregation of client accounts, capital requirements and, crucially, the creation of ‘scheme governing authorities’ that are accountable for the integrity of a VC scheme and its key components, including its protocol and transaction ledger.” The opinion also recommends several “immediate responses” to be taken by national supervisory authorities and the legislator, respectively.

It remains to be seen what specific regulatory action, if any, will result based on the opinion.

It has to be noted however, that Jonathan Hill, who was appointed Commissioner for Financial Stability, Financial Services and Capital Markets Union in the new European Commission that took office on 1 November 2014, is tasked with, among other things, ensuring “the safety and the modernisation of the Union´s regulatory framework on digital/electronic payments in order to facilitate online purchases. The safety and appropriateness of certain virtual currencies should also be assessed and, where appropriate, relevant policy measures should be proposed.”

Considering the plethora of regulatory initiatives aimed at ensuring the security of payments now in the pipeline, the reiterates the need to carefully coordinate efforts with a view to ensure consistency of policy. As mentioned above, the hope remains that the end result will not be tensions in cyberspace, i.e. possibly conflicting and competing compliance requirements, but a series of harmonious provisions that promote a secure, competitive and innovative payments landscape.

Related links:

Your reactions

If you would like to comment on this article, please identify yourself with your first and last name. Your name will appear next to your comment. Email addresses will not be published. Please note that by accessing or contributing to the discussion you agree to abide by the EPC website conditions of use.