
Wednesday, 7 January 2015

Do The EBA Security Guidelines Ensure Card Scheme Control Over Retail Transactions?

The European Banking Authority recently issued payment security guidelines, as part of its security remit under PSD2. The guidelines take effect in August 2015 and will require substantial work on the part of payment service providers and merchants. They will be followed by 'stronger' guidelines under PSD2 that will take effect in 2017/18. As anticipated, the guidelines could well present a significant obstacle to the evolution of payments services and competition from new entrants. At the same time, even if they reflect best practice today, the guidelines do not really overcome inherently insecure features of legacy payment methods - like cards.

To be fair, the authorities have a difficult balancing act here. They have a responsibility for ensuring that PSPs implement appropriate security measures - and should at least point to best practice in the area - yet the authorities cannot afford to be so prescriptive as to delay implementation of those measures and/or prevent PSPs keeping pace with wider technological developments, the development of new payment services and the efforts of hackers. Unfortunately, the EBA appears to have struck a balance in favour of banks and card schemes, rather than consumers, merchants and alternative payment service providers, as discussed below.

The guidelines cite card fraud as the main driver of this initiative, rather than fraud in relation to other types of payment service that do not involve card payments. Yet payment cards and the related IT systems have not really evolved fundamentally since they were introduced in the 1960s, which means that 'legacy' systems are effectively dictating the approach to payment security. True, there are many payment methods that are exempt from the guidelines. But the prevalence of card payments means that PSPs and merchants are being forced to divert resources to shoring up security on that front, rather than investing in more advanced payment methods.

At the heart of the guidelines is the concept of 'strong customer authentication', which is quite prescriptively defined. Yet this form of authentication would seem likely to evolve, and it is conceivable that customer authentication in the payment step of a transaction process might not remain relevant over time, particularly where the payment is being made in the course of a wider customer activity within a secure environment.

Many of the guidelines also go beyond the realms of payment security. While these may reflect obligations under other regulations, such as Money Laundering Regulations, Payment Services Regulations and the Data Protection Act, they are quite prescriptive and therefore will require additional legal and compliance time to review, implement and monitor changes to those other compliance procedures, as well as extra IT and operational resources.

The need for "customer education and awareness programmes" is also likely to require the involvement of marketing teams and their support staff. The concern here must be that customers who deal with multiple PSPs (as competition authorities should hope!) will begin to ignore the educational materials as just so much clutter or junk mail. The adverse customer experience may also drive consumers to prefer less secure payment options (e.g. cash).

Requirements for merchant co-operation, through enforcement of their contracts with PSPs, are also very concerning. For example, PSPs are asked to require merchants to "clearly separate payment-related processes from the online shop" and to enable customers to sign a dedicated payment contract with the PSP rather than having those terms included in a wider service contract. Yet merchants are not directly bound by Payment Services Regulations (except in very limited respects), so the EBA is arguably exceeding its authority in requiring merchant compliance with broader security requirements. In addition, we have already seen significant data security costs imposed by card schemes on merchants who must comply with the PCI DSS requirements. These resulted in most merchants choosing not to hold payments data at all. Indeed, many chose to deal through payment aggregators who accept and process payments on their behalf. However, PSD2 will require technology service providers to contract directly with PSPs, rather than with merchants, if they wish to remain exempt from regulation, which must be likely to reduce the number of independent service providers. Such requirements seem to be aimed at large retailers and e-commerce marketplace operators who may otherwise legitimately offer a seamless consumer experience under current regulations. So it may be that the EBA guidelines will help drive control of e-commerce transactions to financial institutions – particularly banks and card schemes - rather than opening up competition for transaction processing from large merchants and others who have developed competing payment functionality.

As a result, the EBA's security guidelines deserve careful consideration by the competition authorities.


Wednesday, 31 December 2014

Credit Where It's Due

Having spent the past seven years banging on about the changes needed to democratise the financial system, it's only fitting that my last post for 2014 should give a little credit to the authorities for making some very significant changes this year.

The FCA published its rules to specifically regulate peer-to-peer lending in February, and its rules on crowd-investment in March. At the same time, the Chancellor announced the expansion of the ISA scheme to include peer-to-peer loans. In the Autumn Statement, he announced that consumers who lend to other consumers and sole traders through P2P platforms will be able to offset any losses against interest received. And there will be a consultation on expanding the ISA scheme to encourage crowd-investing in bonds and other debt securities.

We are still at the start of a long journey. The rules could be simpler and the EU could yet muddy the waters if the UK position is not well represented. But if you'd asked me in 2007 whether so much would be achieved by 2014 - particularly on the ISA front - I'd have been optimistic (naturally) but expecting the worst. Yet in 2015 we'll have both the regulatory 'blessing' and the incentives necessary to enable people with surplus cash to get it directly to creditworthy consumers and small businesses who need it, instead of leaving the money tied up in low yield bank deposits or having it eaten away by fees in managed investment funds.

Perhaps this is partly why 2014 also saw the bank bosses' swagger and bravado turn to panic. The trends which are combining to democratise the financial system have not only revealed that the stuffed shirts are powerless to stem the flow of fines for corrupt practices on virtually every front, but those trends have also produced competition from the banks' very own customers. 


But let's not get carried away. While crowdfunding is growing at over 150% a year, the crowd will probably produce 'only' about £5bn of funding in 2015, based on Nesta figures and assuming a boost from the ISA changes. 

So, while we've come a long way since Bobby "Dazzler" Diamond infamously suggested that the time for bankers' remorse was over if the UK was to recover, we will still have a small business funding gap next year - eight years after the financial meltdown. In fact, in many ways the financial system is in worse shape now than in 2007, with less competition and appalling inefficiency in banking, vast public sector debt, a larger 'shadow banking' sector than ever before (depending on how you measure it), and many key economies around the world suffering low/no growth. Events such as those in Russia, Greece and the Eurozone are applying further pressure to a system that is still broken. In these circumstances we remain terribly vulnerable to financial shocks.

Still, the UK government deserves plenty of credit for the changes announced to date. Whether they have come early enough to help us through the next storm remains to be seen, but at least the national funding solution now lies substantially in our own hands. 

If we don't take the opportunity to crowdfund the recovery, we will only have ourselves to blame.


Wednesday, 3 December 2014

Good News For #FinTech And #Crowdfunding in Autumn Statement

The government has announced bad debt relief for lending through P2P platforms; a consultation on whether to extend ISA eligibility to crowd-investing in debt securities and an intention to review some rules that add unnecessary costs for institutional lending through P2P platforms.

Individuals lending through P2P platforms will be able to offset any losses from loans which go bad against other P2P income. It will be effective from April 2016 and will allow individuals to make a self-assessment claim for relief on losses incurred from April 2015.

The government will also consult on the introduction of a withholding regime for personal income tax to apply across all P2P lending platforms from April 2017. This will help many individuals to resolve their tax liability without them having to file for Self Assessment.

The government will call for evidence on how APIs could be used in banking to enable financial technology companies to develop innovative solutions to allow customers to compare banks and financial products.

From January 2015, the majority of card acquirers will offer a new service for small businesses to receive the funds from debit and credit card transactions much more quickly. Two acquirers will not meet this commitment, and the government will ask the Payment Systems Regulator (PSR) to examine whether small businesses are being disadvantaged as a result.

The government will allow gains that are eligible for Entrepreneurs’ Relief (ER) and deferred into investment under the Enterprise Investment Scheme (EIS) or Social Investment Tax Relief (SITR) to benefit from ER when the gain is realised. The government will also increase the annual investment limit for SITR to £5 million per annum, up to a total of £15 million per organisation, from April 2015 and will also consult further on a new relief for indirect investment in social enterprises.

To better target the tax reliefs, the government will exclude all companies substantially benefiting from other government support for the generation of renewable energy from also benefiting from tax-advantaged venture capital schemes, with the exception of community energy generation undertaken by qualifying organisations. The government will also make it easier for qualifying investors and companies to use the tax-advantaged venture capital schemes by launching a new digital process in 2016.

Friday, 14 November 2014

Officials Alarmed By PSD2 And Barriers To Innovation In Payments

In a joint study, Ofcom and the UK's new Payment Systems Regulator have explored the reasons for limited innovation in the UK payment services market, sounding the alarm over the potential impact of PSD2. But the study does not thoroughly explore the most recent proposals, which would make the situation worse than officials seem to appreciate.

The study confirms that most of the innovation is facing retail customers and relies on the existing payments infrastructure.

Various factors act as a barrier to the scale and pace of innovation seen in other technology sectors. There is a low tolerance for system failures, naturally, but the resulting high security and resilience requirements make systems more rigid and less open to the usual market forces present in other IT sectors. New entrants also find it hard to break through the network effects that support existing payment methods (e.g. cards). Investment is further constrained by significant uncertainty around regulation and technological standards. Finally, the interests of consumers, merchants, telcos and financial institutions are not aligned in the types of services being offered - in essence we're seeing an attempted 'land grab' by competing institutions at customers' expense.

It is critical that the European Council considers this report as it finalises the proposals for PSD2, which would make this situation worse. Equally, however, it is a pity that this study was not able to more thoroughly explore the potential impact of those proposals.

Let's hope for some more joined up thinking in the weeks to come!


Friday, 7 November 2014

The End Of Merchant-hosted Checkouts?

You may have noticed that I'm madly trying to keep up with the blast of confetti from Brussels known as "PSD2". It's very fortunate that the SCL's editor is blessed with a good sense of humour, not to mention the readership. In advance of my latest update, here's a warning of a fairly brutal provision for e-commerce merchants in the latest version of PSD2.

Not satisfied with forcing 'gateway' service providers to supply their services directly to regulated institutions rather than merchants, if they wish to remain exempt, it seems the EU Council also considers that e-commerce checkout pages on merchant sites are "payment instruments" in their own right (not just the payment methods displayed on them).

A new information requirement seems to mean that where customers are shown a range of different card-scheme brands as payment options prior to checkout (itself referred to as “the issuance of a payment instrument”), they should be informed that they have the right to select a particular brand and to change their selection at point of sale.

On the surface, this requirement adds nothing. It's how checkout processes already work. If you want to pay by card, you click on the card scheme logos, and up comes a page that asks you to enter a card number from any of the brands displayed. But describing a checkout process as a “payment instrument” (rather than merely the payment methods available on it), suggests that the entity which serves up the web page that enables checkout is itself the issuer of a payment instrument and should be authorised accordingly.

It's likely that many e-commerce merchants will host their own checkout page or process, and the transaction only moves to the acquirer’s servers either once the customer has selected which type of payment instrument she wishes to use, or (if the merchant is PCI compliant) once the transaction is captured and sent to the acquirer.

So this provision would actually require such a merchant to either cease hosting any aspect of the checkout process or become authorised as a payment instrument issuer (or the agent of an authorised firm). It also raises the question whether such a merchant is also 'initiating payment transactions', with the same consequences.

This is revolutionary stuff. If passed in this form, PSD2 could drive the need for significant website re-development work. Of course, it could also mean good business for e-commerce marketplaces, or regulatory specialists who help firms apply for authorisation (pick me!). But it's really just overkill.

In their quest for 'the highest standards of consumer protection', the European authorities seem oblivious to the adverse impact on competition and innovation in the payments sector that will come from delivering control over key aspects of e-commerce infrastructure to the comparatively few firms who will bother becoming authorised. Ironically, it was this sort of concentration that drove the need for the current PSD - to open up the banking/card scheme monopoly. Perhaps the banks and their schemes are winning the battle to retain their dominance after all...

