Out-Law News

Internet payment security guidelines will apply where UK payment service providers operate in other EU countries, says expert


UK-based payment service providers (PSPs) that serve customers based across the EU will need to adhere to new internet payment security guidelines that come into effect from 1 August even though UK regulators will not enforce them at this time, an expert has said.

The new guidelines set minimum security requirements for PSPs across the EU, to help protect EU consumers against payment fraud on the internet. However, the guidelines, finalised by the European Banking Authority (EBA) late last year, are not absolutely binding on EU countries.

Earlier this year, the UK's Financial Conduct Authority (FCA) said that it will not enforce the EBA guidelines because it "does not have the power without legislative change to make binding rules requiring all payment service providers (credit institutions, payment institutions and e-money institutions) to comply with the EBA guidelines".

Slovakia and Estonia also said that their current national frameworks will not allow for their compliance, whilst Sweden and Cyprus named specific clauses which they will not be able to meet. The new guidelines will be enforced in all other EU countries.

"Payment service providers that operate on a cross border basis will need to comply with the guidelines even if they are based in the UK," McFadyen said. "They need to comply with the rules of the countries that they are operating in."

The decision of the EBA to apply the internet payment security guidelines from 1 August was controversial. This is because a number of payment industry bodies, including the UK Payments Council and Financial Fraud Action UK, the Association of German Banks, European Banking Federation, European Payments Council and Electronic Money Association, had all called on the EBA to step back from introducing them until reforms to EU payments laws had been concluded and brought into force.

The EBA had justified its decision by claiming that problems with fraud mean that it was "not a plausible option" to delay the implementation of the guidelines until after the Payment Services Directive reforms (PSD2) had come into force. EU law makers have reached political consensus on the PSD2 reforms but they have still to be formally adopted.

Earlier this week legal news service M-Lex reported that European Commission officials had raised concerns that banks would rely on anti-fraud provisions within the EBA's internet payment security guidelines to restrict customers' access to new third party payment services. They said that such restrictions "may amount to infringements of the competition rules", according to the M-Lex report.

"The PSD2 proposals make clear that access needs to be granted to third party payment service providers (TPPs) and that access arrangements set by the account servicing PSPs should not discriminate against TPPs other than for objective reasons," McFadyen said.

Under the PSD2 reforms, the EBA will play a role in developing operational and technical standards, including on TPPs' access, customer authentication and security measures. McFadyen said it is a "valid challenge" to lay down to the EBA to require it to "tread carefully" when developing those standards to "avoid creating barriers" to market entry.

"There have been questions raised about whether PSD2 requires authentication between account servicing PSPs and TPPs so frequently that it would ruin the experience of using a TPP," McFadyen said. "This is the kind of issue that the EBA can iron out through the work that it is doing."
