All other countries have said that they will comply with the guidelines, which come into force on 1 August, the EBA said in a statement.
The guidelines set minimum security requirements for payment services providers across the EU, to help protect EU consumers against payment fraud on the internet. They are an interim measure until the upcoming revised Payments Services Directive (PSD2) comes into force in 2018/19. The European Commission, Council and Parliament are currently in the final negotiation stages of PSD2.
The guidelines are based on a 'comply or explain' principle, the EBA said, in that national authorities have to notify the authority of whether they will comply, and give reasons if they will not.
The UK's Financial Conduct Authority (FCA) said that it will not be compliant because it "does not have the power without legislative change to make binding rules requiring all payment service providers (credit institutions, payment institutions and e-money institutions) to comply with the EBA Guidelines".
It will, however, incorporate the detail of the guidelines in its supervisory framework, and will subsequently add further guidelines under PSD2. The FCA is, it said, "fully supportive of the objectives behind the EBA Guidelines and agrees with the importance of consumers being protected against fraud when making payments online", and has "reminded payment service providers of their responsibility to ensure consumers’ payments are safe and secure".
Technology and payments law expert Angus McFadyen of Pinsent Masons, the law firm behind Out-Law.com, said: "These rules are coming to the UK, but it looks like we’ll be a couple of years behind much of the rest of Europe – not a bad thing for those that would need to comply."
"That said, businesses that operate on a cross-border basis, perhaps with a website targeting Spanish or German customers, will need to be aware that they could still be caught by compliance requirements from August of this year," said McFadyen.
Slovakia and Estonia also said that their current national frameworks will not allow compliance.
Sweden and Cyprus named specific clauses which they will not be able to meet.
The EBA released details of the compliance notifications as part of an announcement about its on-going work on harmonising regulatory and supervisory practices in payment services across Europe.
The EBA is developing requirements to fulfil its mandates under the revised Payments Services Directive (PSD2) and the Interchange Fee Regulation (IFR).
Once PSD2 is agreed, the EBA will work with the European Central Bank to improve operational and security requirements for payment services. The EBA will also approach the industry and "other interested parties" to gather input on its plans, it said.