Payments Council Limited and Financial Fraud Action UK
We have given consideration to the consultation question and we recommend the EBA gives consideration to an alternative regulatory approach for the reasons outlined below. We think it would be sensible to await finalisation of the PSD 2 text and then review the SecuRe Pay Recommendations against these new requirements before issuing draft guidelines and/or technical standards; and to allow a longer period for implementation.
Otherwise, if faced only with a choice between the options proposed in the paper, we strongly believe that it would be preferable for a two-step, rather than a one-step, approach to be adopted. In other words, it would be more appropriate for the EBA guidelines “to enter into force, as consulted, on 1 August 2015” to apply during the transitional period prior to the transposition of PSD2, rather than attempt to anticipate “stronger PSD 2 requirements and include them in the final guidelines under PSD 1 that enter into force on 1 August 2015, the substance of which would then continue to apply under PSD 2”.
Our analysis of the PSD 2 proposals and understanding of the current state of play regarding the Council of the EU level discussions indicate that there will be a significant, rather than an incremental, step change to the European payments landscape in terms of the interactions between the various types of PSP and the user. In addition, as noted in the Executive Summary in the consultation paper, recent negotiations indicate that “the final PSD 2 text may potentially include provisions that require stronger security standards than the EBA guidelines”. At the same time there remains considerable uncertainty around issues such as the use of personalised security credentials and the precise nature of the technical standards on authentication and communication that the European Parliament and the Council both appear to wish the EBA to develop. We therefore think it is premature to attempt to anticipate the final outcome of the PSD 2 negotiations.
The SecuRe Pay Recommendations do not currently have a formal legal mandate within the UK. In addition, there is a strong likelihood that PSD 2 will require PSPs to review and make further (possibly significant) technical changes to their online banking platforms and customer and payment systems interfaces. Any technical changes will require time to develop, test and implement, especially in view of the pan-European nature of the proposals, in order to ensure interoperability and to safeguard the integrity of the payments system. Awaiting finalisation of the PSD 2 text, then reviewing the SecuRe Pay Recommendations and subsequently issuing draft guidelines and/or technical standards would ultimately be more efficient and cost-effective in enabling a one-step approach.