Security and competition
The draft revised Payment Services Directive (PSD2)1 proposed by the European Commission envisages, among other things, opening up the payments market by officially recognising (and regulating) a new type of entity: third party payment service providers (TPPs). The Commission proposals enable TPPs to obtain access to the account information of the payer, subject to certain (heavily negotiated) safeguards, including confining the use of such information to limited purposes. The fact remains, however, that the PSD2 proposal essentially grants TPPs access behind the payment service providers' firewall. Although it remains to be seen where the dust will settle over the safeguards attached to these proposals (for example, the requisite level of customer authentication), access in itself raises security concerns.
Payment service providers are worried that their obligations – ensuring that their customers' data and privacy are protected, preventing the misuse of customer information and achieving the security objectives set out in the draft Cyber-security Directive2 – do not sit well with the new provisions that have been introduced primarily to foster competition in the new online payments market. There is an expectation to comply (but not to over-comply) with new security standards, and the balance is not an easy one to strike.
Security and technology neutrality
The Regulation on electronic identification (eID) and trust services for electronic transactions in the internal market (eIDAS Regulation), recently adopted by the European Union (EU) co-legislators, encourages payment service providers to recognise new forms of identification. At present, most eID models operate on the basis that there is no sharing of personalised security credentials with third parties. Personalised security features include, for example, passwords and personal identification numbers (PINs) as well as mobile or indexed transaction authorisation numbers (TANs). Third parties are any party other than the account servicing payment service provider issuing such credentials to the account holder (the consumer).
At the same time, as discussed above, PSD2 will introduce new regulatory security standards, including strong customer authentication, and various bodies – such as the European Banking Authority – are producing guidelines that will need to be factored into the practices of payment service providers. The interaction between the eIDAS Regulation and PSD2, and what they have to say on acceptable forms of identification, is not yet fully certain, but it is clear that the eIDAS Regulation does not prohibit the sharing of identification information, which will be a necessary part of some TPP models.
Another source of complexity comes from anti-terrorist measures, which require account providers to operate taking into account their obligation to prevent access to the financial system by terrorists and sanctioned persons, pushing them in a different direction from the strict liability requirement under PSD2 to ensure that payment transactions are promptly executed.
The question is whether, and to what extent, all of these proposals and standards will work harmoniously together and how they will keep in sync with the plethora of technological developments. Technology providers of services such as e-commerce platforms, payment gateways and cloud services appear to have been left out of the March 2014 European Parliament Cyber-security Directive text, which means that the controls and consequences of filing data breach reports, with the franchise risk implications that these have and the threat of regulatory intervention, will not affect such entities.
Security and access
The Directive on the comparability of fees related to payment accounts, payment account switching and access to payment accounts with basic features (PAD) aims to promote fee transparency and account switching, as well as to enhance access to bank accounts by reducing discrimination based on residency. It is hoped that the transparency drive will help fight illegal payments by shedding light on some dark parts of the economy. The idea of offering the right to a basic bank account to everyone is one of equality and fairness, but sits uneasily next to some of the other obligations that account-providing payment service providers are subject to, such as the duty to refuse accounts under Anti-Money Laundering legislation and the duty to ensure that, in their capacity as entities promoting the public interest, security breaches are controlled and reported under the Cyber-security Directive. This latter duty would presumably imply an obligation to deny accounts to suspected fraudsters and hackers. Another aspect of the interaction of access and security lies in the ability of basic account holders to keep up with the requirements of the new legislation regarding identification – it will be interesting to see where the legislators will draw the line, as one wonders whether ‘two-factor’ customer authentication may just be a step too far for some.
The tensions outlined above are the inevitable product of attempting to put in place various legislative initiatives relating to similar areas simultaneously. As each proposal goes through the EU legislative maze, and gets amended through the trialogue process3 and lobbying, the risk is that the end result will be a series of measures that, when put together, reveal the underlying tensions between theory and practice, as well as the uneasy compromise between the interests of the relevant actors and policymakers.
Dermot Turing is a Consultant, Simon Crown is a Partner and Maria Troullinou is a Senior Associate in the financial regulation group at Clifford Chance in London.
European Commission (7 February 2013): Proposal for a Cyber-security Directive (the formal title of this legislative act is “Proposal for a Directive of the European Parliament and of the Council [of the EU] concerning measures to ensure a high common level of network and information security across the Union”)
European Commission (24 July 2013): Proposal for a Revised Payment Services Directive (PSD2) (the formal title of this proposed legislative act is “Proposal for a Directive of the European Parliament and of the Council [of the EU] on payment services in the internal market and amending Directives 2002/65/EC, 2013/36/EU and 2009/110/EC and repealing Directive 2007/64/EC”)
Directive 2014/92/EU of the European Parliament and of the Council [of the EU] of 23 July 2014 on the comparability of fees related to payment accounts, payment account switching and access to payment accounts with basic features (PAD)
European Central Bank: Final Recommendations for the Security of Payment Account Access Services Following the Public Consultation (developed by the European Forum on the Security of Retail Payments)
EPC Blog (18 September 2014): Next Steps in the Area of Online Payments: Is Europe Ready for e-Identity? A guest blog by Marine Sauvaget
Related articles in this issue:
Next Step to Create the Digital Single Market: EU Lawmakers Adopt the New Regulation on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market. European Union authorities seek to enhance trust in electronic transactions
The New European Commission: a Closer Look at President Juncker’s Vision for the EU Internal Market and Economic and Monetary Union. The European Commission will continue to play a principal role in the SEPA process going forward
The European Court of Justice Has Ruled that Interchange Fees Are Permitted if They Provide Benefits to Merchants. What are the Implications of the MasterCard Judgment for Interchange Fees in Europe? The Court leaves an unresolved question: what are the permitted multilateral interchange fee levels?
Related articles in previous issues:
PSD2: EPC Calls on EU Lawmakers to Maintain the Firewall Protecting Consumers Making Internet Payments. This Means: No Sharing of Any Personalised Security Credentials with Third Parties. Update on legislative process leading to the adoption of the revised Payment Services Directive (EPC Newsletter, Issue 23, July 2014)
The Concept of an Open Standard Interface for Controlled Access to Payment Services (CAPS). A commentary: “Access to accounts – why banks should embrace an open future.” (EPC Newsletter, Issue 21, January 2014)
1 The formal title of the proposed PSD2 is “Proposal for a Directive of the European Parliament and of the Council on payment services in the internal market and amending Directives 2002/65/EC, 2013/36/EU and 2009/110/EC and repealing Directive 2007/64/EC”.
2 The formal title of the proposed Cyber-security Directive is “Proposal for a Directive of the European Parliament and of the Council [of the EU] concerning measures to ensure a high common level of network and information security across the Union”.
3 Trialogue process refers to negotiations between the EU co-legislators, i.e. the European Parliament and the Council of the EU representing EU governments, and the European Commission on the final text of an EU legislative act.