
European Union Regulatory Initiatives Impacting the Security of Euro Payments: the 2015 Outlook

09 January 15


Regulatory action rolling out in 2015 will determine the foreseeable future with regard to the security of payments in Europe. In the Newsletter article entitled ‘Tensions in Cyberspace: Competing Priorities and Legislative Initiatives in the Online Payments World’, the authors Dermot Turing, Simon Crown and Maria Troullinou consider the interaction between relevant initiatives recently launched or adopted by various European Union (EU) regulatory bodies aimed at promoting the security of payments. The authors point out that tensions between these initiatives “are the inevitable product of attempting to put in place various legislative initiatives relating to similar areas simultaneously.”

They outline that tensions “exist between security on the one hand and the promotion of competition, technological neutrality and access on the other.” As each proposal goes through the EU legislative process, “the risk is that the end result will be a series of measures that when put together reveal the underlying tensions between theory and practice”. Another question is whether, and to what extent, all of these proposals “will keep in sync with the plethora of technological developments”. It therefore remains to be seen whether the end result will be an “uneasy compromise between the interests of the relevant actors and policymakers” or “a series of harmonious provisions” that promote a secure, competitive and innovative payments landscape.

The answer to these questions remains pending until relevant legislation currently in progress and other regulatory initiatives are fully implemented by the various actors concerned, including EU Member States as well as payment service and other providers.

This blog takes a further look, specifically, at the proposed revised Payment Services Directive (PSD2), the proposed new Network and Information Security Directive, the guidelines on the security of internet payments released by the European Banking Authority in December 2014 and initiatives considered by the European Commission with regard to virtual currencies.

Sources providing further background information as well as those cited in this blog are included in the ‘related links’ below.

Proposed revised Payment Services Directive (PSD2): state of play

EU Directives, such as the forthcoming PSD2 and Network and Information Security Directive, lay down certain end results that must be achieved in every EU Member State. National authorities have to adapt their laws to meet these goals; i.e. have to implement an EU Directive by a date determined by the EU co-legislators, but are free to decide how to do so. National implementation measures are texts officially adopted by the authorities in a Member State to incorporate the provisions of an EU Directive into national law.

The European Commission, which has the right of initiative to propose laws for adoption by the European Parliament and the Council of the EU, published its proposal for PSD2 on 24 July 2013. (The formal title of this proposed legislative act is “Proposal for a Directive of the European Parliament and of the Council [of the EU] on payment services in the internal market and amending Directives 2002/65/EC, 2013/36/EU and 2009/110/EC and repealing Directive 2007/64/EC”.) This draft legislative act remains subject to review and adoption, respectively, by the EU co-legislators. These are the European Parliament and the Council of the EU. The Council of the EU is the EU institution where the EU Member States’ government representatives sit, i.e. the ministers of each EU Member State with responsibility for a given policy area.

EU legislation proposed by the Commission related to payments is considered by the European Parliament’s Economic and Monetary Affairs Committee (ECON) prior to the European Parliament taking a vote on a proposal. The members of the European Parliament approved the final ECON report on PSD2 at the plenary session on 3 April 2014. However, the European Parliament postponed the vote (in first reading) on the related draft legislative resolution until after the May 2014 European Parliament elections. To date, the European Parliament has not voted on the proposal in first reading. It is expected that the European Parliament will only take a vote once the final text of the proposed PSD2 has been agreed in further dialogue with the Council of the EU and the European Commission.

On 5 December 2014, the Council of the EU representing EU Member States agreed its final compromise text on PSD2. In a next step, the so-called ‘trialogue’ process will be initiated, whereby the Commission, the European Parliament and the Council of the EU will have to agree the final version of the forthcoming PSD2. Provided that there are no delays, it could be adopted in the first half of 2015, and be implemented in national legislation some two years after its adoption.

It has to be recalled that with the proposed PSD2, the Commission introduces the notion of ‘third party payment service provider (TPP)’, which is relevant, specifically, to the security of payments. TPPs are described in PSD2 as payment service providers (PSPs) pursuing business activities which are based on access to payment accounts provided by a PSP who is not the ‘account servicing’ PSP, in the form of (a) payment initiation services and / or (b) account information services. Payment account access services are now also offered by ‘third-party service providers’ that are often merely non-licensed service providers and not PSPs. Unlike PSPs, non-licensed third-party service providers offering payment account access services are currently not subject to supervisory requirements.

The European Payments Council (EPC), (which is not part of the EU institutional framework), fully acknowledges the existence of a market demand for PSPs granting third parties access to their online payment services in a regulated and secure way to enable a wider range of payment services to European merchants and consumers. To achieve this goal, the EPC reiterates that the final version of the forthcoming PSD2 will have to meet the following requirements:

The EPC strongly recommends maintaining the principle that a consumer should never have to share his or her personal security credentials with third parties. This is a pre-condition to ensuring the continued security of consumers’ funds and data in the online banking environment. The European Commission however, proposes abandoning the principle established with Article 56 of the PSD currently in effect that under no circumstances should a consumer share his or her personalised security credentials with third parties. Personalised security features include, for example, passwords and personal identification numbers (PINs) as well as mobile or indexed transaction authorisation numbers (TANs). Third parties are any party other than the account servicing PSP issuing such credentials to the account holder (the consumer).

The EPC stresses that personalised security credentials are developed by an account servicing PSP – and issued to the account holding consumer – to mitigate specific security threats. The risks involved with the sharing of credentials such as, for example, mobile TANs result from the overall security context in which internet payments are conducted. Generally speaking, it is obvious that risks will increase as more communication channels are involved in a remote payment and the handling of consumer credentials. If the EU lawmaker invites consumers to share their personal credentials with third parties, then consumers would be exposed to, among others, the risk of impersonation, i.e. identity theft. Lowering consumer protection standards would, therefore, decrease security and, in consequence, increase the risk of infringing on privacy.

Weakening the requirement to maintain confidentiality of personalised security credentials would also counteract long-standing efforts carried out by consumer organisations and PSPs to date helping consumers to safely make online payments. Communication with bank customers today, in line with the principles established with the PSD in effect, is based on a clear message: personalised security credentials serve as your firewall against security threats in the online banking environment. Therefore, do not disclose these credentials to third parties.

If the EU lawmakers endorse the PSD2 as proposed by the Commission, PSPs would have to communicate to consumers that they may disclose their credentials to some third parties, namely, TPPs operating in accordance with the PSD2. Consumers would have to acquire the expertise required to identify TPPs. Contrary to the stated intentions of the Commission, this appears to put a burden on, and create confusion for, consumers rather than improve their payment experience and promote secure electronic commerce.

With regard to the proposed new set of rules related to the activity of TPPs offering payment initiation and / or payment account information services, the EPC also stresses that it is of the utmost importance that TPPs authenticate themselves in an unequivocal manner towards the account servicing PSP when accessing a payment service user’s account. In addition, the EPC recommends that all TPPs be subject to authorisation prior to commencing the provision of their services. The EPC is of the opinion that under no circumstances should the account servicing PSP be held liable for the TPP’s mistakes, failures or for specific risks resulting from the TPPs’ sphere of activities. Moreover, an interim solution would be required, until the forthcoming PSD2 is implemented in EU Member States, to address the current lack of a legal framework regarding the licensing of TPPs.

Proposed new Network and Information Security (NIS) Directive: state of play

In February 2013, the European Commission tabled its proposal for a ‘Directive of the European Parliament and of the Council [of the EU] concerning measures to ensure a high common level of network and information security across the Union’, often referenced as the Cyber-security or Network and Information Security (NIS) Directive.

As outlined by Dermot Turing, Simon Crown and Maria Troullinou in the EPC Newsletter, the proposed NIS Directive aims at promoting online security through a combination of voluntary and regulatory measures. Accordingly, EU market operators, including credit institutions and critical financial services infrastructure entities, will have to abide by security requirements (including incident reporting obligations) and to ensure service continuity. Specifically, the draft NIS Directive defines a “market operator” as “an operator of infrastructures that are essential for the maintenance of vital economic and societal activities in the fields of energy, transport, banking, financial market infrastructures, internet exchange points, food supply chain and health, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions”. Not all of the draft NIS Directive provisions apply to all aspects of a “market operator's” business – some of the Article 14 obligations for example only apply to “core services” provided by market operators, which term is in turn not defined. In order to add teeth to its proposals, the proposal contains enforcement provisions which empower competent authorities to request market operators to provide information relating to their security measures for accessing their networks.

Turing, Crown and Troullinou point out that PSPs are worried that their obligations (ensuring that their customers’ data and privacy are protected, preventing the misuse of customer information and achieving the security objectives set out in the draft NIS Directive) do not sit well with the new provisions that have been introduced with the proposed PSD2 primarily to foster competition in the new online payments market. There is an expectation to comply (but not to over-comply) with new security standards, and the balance is not an easy one to strike.

With regard to the information sharing initiative on cyber security threats envisaged under the draft NIS Directive, it was reported in September 2014 that the European Central Bank (ECB) called for plans for the Directive to be amended to account for the existing rules and procedures PSPs are subject to on assessing cyber security risk and notifying regulators of incidents they identify. According to that report, the ECB said that “procedures for early warnings and coordinated responses” have already been established in relation to “systemically important payment systems” and “deal with possible cyber-security threats”. There are “existing oversight arrangements”, involving financial regulators, for these procedures, it added.

“The assessment of security arrangements and incident notifications for payment and settlement systems and PSPs is one of the core competences of prudential supervisors and central banks,” the ECB said in its opinion on the draft NIS Directive. “Responsibility for developing oversight requirements in the abovementioned areas should therefore remain with these authorities, and should not be subject to potentially conflicting requirements imposed by other national authorities.”

The ECB further commented that “risk management, including security requirements in respect of payment and settlement systems and other market infrastructures within the euro area, is set by the Eurosystem, comprising the ECB and NCBs (national central banks) from those member states that have adopted the euro. Through this oversight function, the Eurosystem aims to ensure the smooth functioning of payment and settlement systems by applying appropriate oversight standards and minimum requirements. The proposed [NIS] directive should take into account the oversight framework already in place and ensure regulatory consistency across the Union”.

In its opinion paper, the ECB said that there is a “strong case” for financial regulators in the EU to work with other bodies in the trading bloc to share information on cyber security threats and incidents under the new framework. “There is a strong case for sharing information with the European Network and Information Security Agency or competent authorities under the proposed directive, and with the EBA (European Banking Authority) or ESMA (European Securities and Markets Authority) as the competent authority for the coordination of incidents relating to PSPs,” the ECB said.

Informing on the state of play regarding the legislative process leading to the adoption of the NIS Directive, the Council of the EU representing EU Member States commented on 19 November 2014 that following a thorough examination of its detailed provisions, the Permanent Representatives Committee (Coreper) granted the Presidency of the Council of the EU “a mandate to start informal exploratory talks” with the European Parliament on the proposed NIS Directive. (The Coreper is responsible for preparing the work of the Council of the EU. It consists of representatives from the EU Member States with the rank of Member States’ ambassadors to the EU and is chaired by the EU Member State which holds the Council Presidency.)

According to the Council of the EU, the main outstanding issue concerns the scope of the proposal. Whereas the Council of the EU text would allow EU Member States to assess, on the basis of defined criteria, whether or not certain operators in identified sectors would be subject to the obligations regarding security requirements and incident notifications in the forthcoming NIS Directive, the European Parliament “envisages an approach whereby all operators in all of the sectors identified are subject to the obligations but with a possible varying degree of providing evidence of effective implementation of security policies. The identification and inclusion of certain sectors, to be listed in an Annex, also remains an open issue, including the question whether Internet enablers should be added to the list, as the Commission advocates.” Other outstanding issues “concern the architecture, objectives and extent of strategic and operational cooperation and the modalities and criteria for national incident notification and for notification in the EU context.”

Guidelines on the security of internet payments released by the European Banking Authority (EBA)

The European Banking Authority (EBA) was created in 2011 to ensure “effective and consistent prudential regulation and supervision across the European banking sector”. In October 2014, the EBA published a consultation paper on the implementation of its guidelines on the security of internet payments. The paper was based on the recommendations of the European Forum on the Security of Retail Payments (SecuRe Pay), a voluntary cooperative initiative between relevant authorities from the European Economic Area. SecuRe Pay released previous recommendations on the security of internet payments in January 2013 with an implementation deadline of 1 February 2015. However, it became apparent that a more solid legal basis would be needed to ensure consistent implementation across all EU Member States and to reassure financial institutions that the required investment and system changes rest on a consistent regulatory framework. The guidelines cover three main categories: the general control and security environment; specific control and security measures for internet payments; and customer awareness, education and communication.

The consultation on these guidelines, which ran until 14 November 2014, asked the question: “Do you prefer for the EBA Guidelines to:

  a. Enter into force, as consulted, on 1 August 2015 with the substance set out in this consultation paper, which means they would apply during a transitional period until stronger requirements enter into force at a later date under PSD2.
  b. Anticipate these stronger PSD2 requirements and include them in the final Guidelines under PSD1 that enter into force on 1 August 2015, the substance of which would then continue to apply under PSD2.”

The EBA received 45 responses (including one from the EBA’s Banking Stakeholder Group), of which 39 were published on the EBA’s website. In response to the EBA consultation, the EPC recommended a third option (‘option c’). Under this scenario the EBA guidelines would be issued only after entry into force of PSD2 (according to Article 103 of the draft PSD2) and publication of the regulatory technical standards as may be mandated by PSD2, following a consultation of the market and safeguarding an adequate timeframe for implementation. In its response the EPC added that, should the EBA not accept the recommended ‘option c’, it would prefer ‘option a’ (i.e. the two-step approach), subject to the EBA guidelines remaining based on the SecuRe Pay recommendations published in 2013, which were the basis for the ongoing implementation efforts.

The EBA published the finalised guidelines on 19 December 2014. The guidelines set the minimum security requirements that PSPs in the EU will be expected to implement by 1 August 2015. The EBA concluded that delaying implementation of the guidelines until the transposition of PSD2 in 2017/2018 would not be feasible in view of the continuously growing and high levels of fraud in the domain of internet payments. It has therefore retained the two-step approach, whereby the guidelines are to be implemented as consulted on 1 August 2015, with the potentially more stringent requirements necessary under PSD2 being implemented at a later stage.

The EPC recognises the importance and urgency of addressing internet payment fraud and hence supports the objectives pursued by the EBA in this area. At the same time the EPC wishes to stress that regulation should strive to achieve legal certainty, technology neutrality and a level playing field amongst all players. 

(A dedicated article on the guidelines on the security of internet payments released by the EBA will be included in the next edition of the EPC Newsletter to be published by the end of January 2015.)

Way forward on virtual currencies in the EU?

In July 2014, the EBA published its opinion on virtual currencies (VCs) which states, among other things: “Following three months of analysis, the EBA issued a public warning on 13 December 2013, making consumers aware that VCs are not regulated and that the risks are unmitigated as a result. The question that remained unaddressed at the time was whether VCs should or can be regulated. This EBA opinion sets out the result of this assessment and is addressed to EU legislators as well as national supervisory authorities in the 28 [EU] Member States. (…) More than 70 risks were identified across several categories, including risks to users; risks to non-user market participants; risks to financial integrity, such as money laundering and other financial crime; risks to existing payment systems in conventional FCs [(Conventional) Fiat currency], and risks to regulatory authorities. A regulatory approach that addresses these drivers comprehensively would require a substantial body of regulation, some components of which are untested. It would need to comprise, amongst other elements, governance requirements for several market participants, the segregation of client accounts, capital requirements and, crucially, the creation of ‘scheme governing authorities’ that are accountable for the integrity of a VC scheme and its key components, including its protocol and transaction ledger.” The EBA opinion also recommends several “immediate responses” to be taken by national supervisory authorities and the EU legislator, respectively.

It remains to be seen what specific EU regulatory action, if any, will result based on the EBA opinion.

It has to be noted, however, that Jonathan Hill, who was appointed Commissioner for Financial Stability, Financial Services and Capital Markets Union in the new European Commission that took office on 1 November 2014, is tasked with, among other things, ensuring “the safety and the modernisation of the Union’s regulatory framework on digital/electronic payments in order to facilitate online purchases. The safety and appropriateness of certain virtual currencies should also be assessed and, where appropriate, relevant policy measures should be proposed.”

Considering the plethora of regulatory initiatives aimed at ensuring the security of payments now in the pipeline, the EPC reiterates the need to carefully coordinate efforts with a view to ensuring consistency of policy. As mentioned above, the hope remains that the end result will not be tensions in cyberspace, i.e. possibly conflicting and competing compliance requirements, but a series of harmonious provisions that promote a secure, competitive and innovative payments landscape.

Related links:
