e-finance & payments law policy: Security of internet payments in EU could be jeopardised

Artikel veröffentlicht in e-finance and payment law & policy, 12 Juni 2015, Heft 06

The UK, Slovakia and Estonia have said that they are unable to comply with the European Banking Authority’s (‘EBA’) final guidelines on the security of internet payments which come into force on 1 August, due to a conflictwith their legal frameworks, according to a 21 May EBA press release. The UK’s Financial Conduct Authority stated that it ‘does not have the powerwithout legislative change to make binding rules requiring all payment service providers […] to comply with the EBA Guidelines,’ but that it remains ‘fully supportive’ of the EBA’s objectives and will incorporate the requirements set out in the guidelines in its supervisory framework.

The EBA’s guidelines aim to harmonise the regulatory and supervisory practices applicable to internet payments and set minimum security requirements for payment services providers (‘PSPs’). The guidelines are an interim measure until the revised Payment Services Directive (‘PSD2’) comes into force. Maximilian Riege, Partner at Hambach & Hambach, thinks that the aim of the EBA’s guidelines could be jeopardised if the national authorities take very different approaches on if or how to implement the guidelines. “On the one hand, PSPs in countrieswith less strict regulations might have a competitive advantage with regard to those PSPs located in more strictly regulatedmarkets,” adds Riege.

“On the other PSPs that offer their products cross-border could face the challenge of complying with different or even contradicting regulations.” Germany’s federal financial supervisory authority, BaFin, published a circular on 5 May, which transposes the EBA’s guidelines and defines the minimum requirements for online payment services. BaFin’s circular came into effect on 5 May and companies have six months to comply.

In addition to the three Member States that are unable to comply, Cyprus and Sweden have also indicated that they will only be able to partially comply with the guidelines. “The unacceptable provisions are related to ‘strong customer authentication,’” explains Dr. Carsten Lösing, Partner at White & Case LLP. “It seems that the level of customer protection will be different between countries that apply the guidelines and those that do not. Thus the EU landscape may differ with respect to local enforcement of this requirement. It is unclear how BaFin will react to PSPs offering crossborder payment services into Germany that do not comply with these requirements.”

For further information please check www.e-comlaw.com