Re: Security of Internet Payments
Consultation Paper on the Implementation of draft EBA Guidelines on the security of internet payments prior to the transposition of the revised Payment Services Directive (PSD2) (EBA/CP/2014/31), 20 October 2014.
Introduction
RBS is pleased to have this opportunity to respond to the EBA’s consultation paper on the security of internet payments.
Internet payments are now a core part of the economic landscape and continue to grow rapidly in volume and value. As a major bank, RBS operates a variety of online and mobile banking services which enable the full spectrum of customers to make internet payments - from personal customers and small businesses through mid-sized corporates to multi-nationals. Some 5.5m personal customers currently use our online banking services making more than 10m payments and transfers each month.
We are very focussed on ensuring that our customers can operate in a safe and secure internet environment and therefore welcome the interest of the EBA, European Commission and SecuRePay in this area.
Response
RBS supports the thrust of the responses of the European Banking Federation (EBF), the European Payments Council (EPC) and the UK Payments Council.
In particular we would strongly encourage the EBA to consider taking a different implementation approach from either of the Options articulated in the Consultation document and:
1. Await the finalisation of the PSD2 text and then adapt and adopt the SecuRePay recommendations in light of this definitive text;
2. Allow a longer implementation period than that envisaged in the Consultation document.
We believe this approach would be more effective than either of the EBA’s current suggested approaches.
Rationale for Awaiting PSD2 Finalisation
• There continues to be considerable uncertainty and debate around the final wording of the PSD2 text, in particular surrounding the way in which Payment Initiation Service Providers and Account Information Services will be brought into scope and how key issues such as ensuring the protection of Payment Services Users’ personalised security credentials will be resolved. As such, there remains scope for material amendments to requirements in this regard with a direct bearing on payment security and the topics covered in the current EBA consultation document.
• The most recent Italian Presidency drafting proposals for PSD2 (12 November 2014) propose delegating to the EBA the responsibility of developing the necessary technical standards on authentication and communication. However, it seems to us that this can only be commenced once the text is finalised, and that there would be risks involved in anticipating what might - or might not - be in the final version. Certainly it would be extremely challenging to incorporate any changes relating to PSD2 requirements in this area into PSPs’ processes by August 2015.
• It seems very likely that PSD2 may require PSPs to make significant changes to their online banking / payments services. Such changes would therefore need a reasonable implementation period in the context of needing to be scheduled against an already busy change agenda and given the critical need to implement the changes in a way that maintains reliability and security of service and the integrity of the customer proposition/experience.
• In this context, we have noted that the current Italian Presidency compromise text proposes a period of thirty months after entry into force of PSD2 before Member States must apply its provisions – representing two years for Member States to implement the requirements into national law and a further 6-month period to allow all impacted stakeholders (including PSPs and their clients) to adjust to the new regime. We believe this 30-month period would also be the appropriate period for bringing the EBA’s internet payment security requirements into force – giving effectively an 18-month period for the new standards to be developed and adopted, and a 1-year period for the market to implement against these standards.
Conclusion
Against this background, our view is that progressing either of the EBA’s current suggested implementation options in the Consultation, both of which involve an initial August 2015 implementation, would run a significant risk of duplicated effort and spend to meet requirements that may then be quickly superseded.
Accordingly, and against the background outlined above, we believe that the most effective and efficient way forward would be to await the definitive PSD2 text before further updating and finalising SecuRe Pay Recommendations. We believe that it would be appropriate to finalise and implement these in line with the 30 months envisaged in the most recent Presidency compromise text.
If the EBA feels that it needs to proceed with a shorter-term implementation approach along the lines of the options set out in the consultation document, RBS would see ‘Option A’ (the two-step approach) as the more practical of the two. This would mean that the Guidelines enter into force from 1 August 2015 and apply during a transitional period until they are amended in the light of PSD2 at a later date. In this context though it would also be relevant to recall that the existing SecuRePay Recommendations do not yet have a formal status in every EU country.