Out-Law News

ECB payment security standards should mandate sharing of risk info, says Payments Council


Banks, credit card companies, regulators and all providers of payment services, including third-party providers (TPPs), should be obliged to share information with one another about security risks they encounter in relation to payment systems, the UK's Payments Council has said.

The Payments Council, a body which is responsible for ensuring that payment services work in the UK, called on the European Central Bank (ECB) to amend its recommendations for new standards for the security of internet payments, in order to give greater emphasis to improving information-sharing practices around risks in the payment services industry.

"We think that the suggested requirements for TPPs, GAs (governance authorities) and PSPs (payment service providers) to inform each other of major security incidents should be a 'Key Consideration' rather than a 'Best Practice'," the Payments Council said in its response to a consultation by the ECB (16-page / 225KB PDF).

"Such notification/liaison on major incidents will need to recognise the security risks inherent in information sharing and be guided by the purpose – dealing with the incident, preventing it from re-occurring, and/or learning best practice," the Payments Council said.

The industry body, whose members consist of major financial services institutions operating in the UK, including Lloyds TSB, RBS and HSBC, also said that it should be "mandatory for all parties to coordinate in responding to security incidents", with the responsibilities divided up between access service (AS) PSPs and providers of payment account access services (PAAS).

Earlier this year the ECB set out a number of "recommendations" to boost the security and integrity of the internet payments system. Among other things, the ECB called for banks, credit card companies and other PSPs to put in place multiple layers of security measures to protect systems from being hacked into, for all online transactions to be "traced", and for new methods of authenticating the identity of consumers making payments to be introduced. It also encouraged 'e-merchants', or online retailers, to adopt its recommendations.

The Payments Council has now said that it backs the ECB's recommendations. However, it said that adoption of the recommendations should be part of wider reforms to the regulation of PAAS and not imposed separately.

"It is positive that the ECB is seeking to create a level-playing field by ensuring that all parties in the payment chain have to meet minimum security requirements," the Payments Council said in response to the ECB's consultation on PAAS. "However, the topic of payment account access services is complex and there is a potentially wide impact for consumers and payment service providers (PSPs) alike, as well as implications for e-merchants. A number of issues around these services remain to be clarified, of which the security requirements are just one part."

"In order to properly address all of these issues we believe that a legal and regulatory framework around payment account access services needs to be defined. Payments Council therefore strongly agrees that payment account access services should be regulated under the amended Payment Services Directive," it said.

The Payments Council said that there were advantages to bundling the recommendations on internet payments security within wider PAAS regulatory reforms.

"Bringing payment account access services under regulation will also allow the legislators (if they wish to do so) to establish the certain rights and responsibilities of the parties in the payment chain," it said. "The legal relationship between the parties involved will vary by service, however, clarity as to by and to whom the services are provided is vital to ensure effective regulation. For example, it may be appropriate to allow services provided to corporates to opt out of consumer protection measures around transparency (but not, for example, security)."

"Consequently we believe it would be preferable that these security recommendations only be finalised once the regulatory underpinning/legal framework for payment account access services has been established. Furthermore, there may be merit in revisiting the recommendations at a later stage to analyse whether they need to evolve to take into account further market developments as this is still a maturing sector," the Payments Council said.

"Finally, from a practical perspective, we believe that rather than having a separate (but ultimately very similar set of recommendations for PAAS services), it may be simpler in the long-term to include PAAS within the security of internet payment recommendations, with any PAAS-specific requirements clearly identified in a separate section," the Payments Council added.

It also said that checks should be made to ensure that the terminology contained within the ECB's recommendations conforms to existing and proposed EU legislation on matters such as anti-money laundering, data protection and network security.

"We see it as critical that these recommendations are not viewed in isolation but are assessed to ensure they can assist, or at least sit alongside each other and other relevant legislation, and do not open up loopholes, risking uncertainty and/or the creation of an uneven playing field," it said.

The Payments Council also called for the ECB to clarify whether its security standards recommendations should apply to electronic and mobile 'Wallets' as well as third-party "technical service providers". It also said that it would be "inefficient and impractical" for PSPs to have to "vet" third-party providers of payment services.