As a start-up market company, we welcome the current EBA Guidelines.
With reference to the question stated we believe that the security standards outlined in the EBA Guidelines should enter into force on 1st August 2015 in order to ensure legal and business certainty and the same level playing field for all the players in the payment market during the transitional period until PSD2 enters into force at a later date.
Today, it is not sure if the above mentioned objectives can be achieved by anticipating the stronger PSD2 requirements. We think that preserving current best practices compliant with the EBA guidelines (ex.: two factors authentication and authorization mechanics for on-line-banking;) whose value is recognized by citizens, enterprises and PAs is an abiding priority, also in consideration of the fact that the text of the proposal for a PSD2 may change, since discussions are still underway and in turn these requirements may change as well.
Besides, we believe that it would be important for the market to take immediate advantage of the precise wording in the EBA Guidelines. We are referring particularly to the issuance of the electronic mandate, where we fully share the EBA Guidelines expressions “to authorise e-mandates” or “e-mandates issuance” and point 7.1 where it is expressly stated “[CT/e-mandate/e-money] PSPs should perform strong customer authentication for the customer's authorisation of internet payment transactions (included bundled CTs) and the issuance or amendment of electronic direct debit mandates.”
We think that the clarity of this provision, in stating that a strong customer authentication is a necessary and sufficient condition to issue or amend e-mandates, can be a milestone for the secure development of e-mandates across EU.
At this moment it seems to us that this level of clarity is not present in the latest version of the proposal for PSD2 (the Presidency compromise text of 14 October 2014).
As a matter of fact, the current EBA Guidelines are the means through which legal uncertainty voiced by some regional stakeholders can be overcome. A European harmonisation can be achieved within this domain already in the transitional period. This is why we deem preferable to have the current Guidelines into force on 1th August 2015.