Preparing for the unknown: the EBA consults on security measures under PSD2

The European Banking Authority (EBA) has published its consultation paper on its draft guidelines on security measures for operational and security risks under Article 95(3) of the second Payment Services Directive (PSD2). EBA Guidelines are not legally binding but competent authorities must make every effort to comply and must notify the EBA if they do not intend to do so. This raises questions as to how the FCA could impose these guidelines on the industry.

The EBA has deliberately opted to take a high-level approach to the Guidelines: in the context of a rapidly evolving payments landscape, it is important to maintain flexibility to ensure that the Guidelines continue to be relevant and capable of application in the future.

The Guidelines can broadly be split into two categories: those which aim to address currently identified threats and those which require payment service providers (PSPs) to monitor their risk position on an ongoing basis and to identify any emerging threats.

Many more established players, with the benefit of existing sophisticated risk management systems, can expect that their current processes will go some way towards satisfying the requirements, but may equally find that legacy systems make it more difficult and costly to implement the updates necessary to comply in all respects. Whatever the position, PSPs should not stand still: the EBA emphasises the need for continuous monitoring and proactive responses to changing circumstances.


The customer is king

The EBA views service users as "critical stakeholders" in the development of the Guidelines and draft Guideline 8 is dedicated to how PSPs should be communicating with them. This is aligned with the broader general approach under PSD2: one of the key aims of the Directive is to secure the protection of service users in an increasingly complex environment.

Draft Guideline 8 builds on some of the existing obligations under PSD2 in this area and specifies particular information that should be provided to service users, such as "clear and straightforward" instructions on their responsibilities, and details of security procedures. The Guideline also stresses that the guidance provided by PSPs to service users should be "constantly" updated in light of new threats and vulnerabilities. There is little detail about the scope of this obligation, and in particular the potential for the application of any materiality thresholds. The Guidelines should, however, be applied proportionately by PSPs.

Guideline 8 also requires PSPs to offer bespoke solutions depending on the needs of particular service users: individual users should be able to disable specific payment functionalities, reduce any spending limits and set alerts. Whilst this sort of functionality looks sensible and straightforward on paper, it is likely to require significant systems development (and cost) for some PSPs.

Similarly, the Guidelines propose that alerts about significant emerging risks should be provided via a secure communication channel. It is unlikely that all PSPs will currently have secure channels available to communicate with all customers (for example, customers who have not signed up to internet or mobile platforms), and it is unclear how this applies if the emerging risk relates to the secure channel itself.


No man is an island

To combat the range of current and emerging threats, the EBA emphasises the importance of collaboration: by operating in isolation, PSPs may not be able to identify their own internal control weaknesses as effectively as possible. Draft Guideline 7 requires PSPs to share information with third parties and other PSPs to achieve broader awareness of payment fraud and cyber-security issues. The Guideline also envisages information sharing with parties beyond the payments industry.


Time to take stock

Whilst the EBA awaits responses to its consultation by 7 August 2017, the FCA will need to consider the potential implications for its Approach Document and for the Handbook, and in particular the interaction between the EBA's proposals and existing risk management provisions under the Senior Management Arrangements, Systems and Controls (SYSC) requirements.

To the extent that the Guidelines require PSPs to introduce new user functionality not specifically required under PSD2, such as the ability of users to 'pick and choose' payment functionality on an account or device, it is arguable that they go beyond the mandate granted by the Directive.

Given that the Guidelines will apply from 13 January 2018, at the very least PSPs will want to point out the cost and time implications of complying with some of them, which the EBA appears to have underestimated.