Google

Wednesday, 29 October 2014

The Cost Of Leaving Payment Security To The Beurocrats: #PSD2

The more I study the latest proposal for a new Payment Services Directive (PSD2), the more I'm concerned that it will reduce innovation and competition. Not only does it hand control of wider transaction technology to regulated payment service providers (PSPs), but security standards will also be centrally controlled by the European Banking Authority, as explained below. It seems the authorities are busy creating a new version of the banking monopoly that the PSD was designed to break down. But maybe the idea is to create work for the new Payment Systems Regulator...

Putting aside the ability for PSPs to control the wider transaction infrastructure, PSD2 empowers the EBA to set technical standards governing 'strong customer authentication', as well as how PSPs communicate among themselves and with customers.

These standards are very far-reaching.

Subject to any exemptions the EBA may grant (based on risk, amount/recurrence of a transaction and the channel), all PSPs will have to apply strong authentication when a customer who wishes to make a payment (the 'payer'):
  • accesses a payment account online;
  • initiates an electronic payment transaction; and/or
  • "carries out any action through a remote channel which may imply a risk of fraud or other abuses".
In the case of an electronic payment transaction that is initiated via the Internet or 'other at-a-distance channel' (a "remote payment transaction"), the authentication must “include elements dynamically linking the transaction to a specific amount and a specific payee”).

In addition, PSD2 proposes numerous different security requirements for different types of PSP depending on whether they initiate payments, issue a payment instrument or provide account information services. PSPs will also have a 'framework' to manage operational risk and provide the regulator with their assessment of the risks and the adequacy of their controls. They must classify “major incidents” and report them to their regulator without undue delay. The regulator must then report the incident to the EBA and the European Central Bank. If the incident affects the financial interests of users, the PSP must also inform them without undue delay, along with possible measures they can take to mitigate the problem.

While we should acknowledge the challenge at the heart of all European law, that an Englishman's red tape is a Frenchman's business manual, everyone should question the wisdom of tying the development of payments security to the speed of European bureaucracy. PSD2 provides that the first draft of the EBA’s technical standards will only be available 12 months after PSD2 is approved, and there is no explicit deadline for the standards to be finalised (although the EBA is consulting on 'guidelines' here). Beyond the initial drafting, the EBA is merely tasked with reviewing and, if appropriate, updating the standards “on a regular basis” - but neither the frequency nor regularity of those reviews is specified. Surely, the EBA's role should be limited to reviewing standards (if any) as the market develops them - hopefully a step ahead of the fraudsters? How many business plans will otherwise stall in anticipation of the EBA's pronouncement and the resulting talkfest?

Conspiracy theorists will be pleased to see restrictions on the extent to which payment account service provider (ASPs) can use the security measures to discriminate against any third party PSP (TPP) who wishes to access their payment accounts. But there do not seem to be any such restrictions on discrimination the other way around. So PSD2 would hard-wire the current (mistaken) assumption that the ASP is 'king' in the context of its customers' day-to-day activities, while the dominant customer relationship increasingly lies elsewhere. Indeed, in the digital world, large TPPs could end up dictating the number and type of ASPs we all use, as well as the payment services those ASPs provide. Perhaps the new Payment Systems Regulator could address this by designating such a powerful TPP as a 'payment system' (which is very loosely defined), but it would be preferable to avoid creating the potential for such power in the first place.


Post a Comment
Related Posts with Thumbnails