On 21 May 2015, the Financial Conduct Authority (FCA) confirmed that it was unable to comply with the guidelines issued by the European Banking Authority (EBA) for internet payment security. These guidelines are intended to provide minimum levels of security in respect of internet payments involving EU payment service providers.
The FCA has stated that, without legislative change, it does not have the power “to make binding rules requiring all payment service providers … to comply with the EBA Guidelines”. Despite this, the FCA remains supportive of the objectives behind the guidelines and agrees on the importance of protecting consumers against fraud when making payments online.
The EBA introduced the guidelines in December 2014 as an interim measure designed to curb the recent rise in online payment fraud until the revised Payment Services Directive (PSD2) comes into force in 2018/2019. The EBA guidelines are set to come into effect on 1 August 2015. So far, only the UK, Slovenia and Estonia have said that they cannot comply. However, Sweden and Cyprus have also indicated that they will not be able to comply fully with the guidelines.
The guidelines include a requirement for “strong” customer authentication (authentication based on two or more independent elements drawn from the categories of knowledge, possession and inherence), discourage the retention of sensitive customer data and, where retention is necessary, encourage appropriate data storage arrangements at e-merchants, with ongoing monitoring of e-merchants by payment service providers to check compliance with these and similar measures. The recent announcement has caused some speculation about whether the UK will now be at higher risk of fraudulent attacks on online payments and banking. However, given the matters covered by the guidelines, and the fact that the majority of UK institutions already operate a number of stringent and sophisticated login mechanisms, which may themselves exceed what the EBA guidelines require, this speculation appears to lack substance.
The success of the UK’s existing systems is demonstrated in the European Central Bank’s Third Report on Card Fraud, where the UK was one of only three Member States that managed to reduce Card-Not-Present fraud between 2008 and 2012. It would seem from this that, at least for the time being, the UK’s systems are robust enough to discourage such attacks until PSD2 is implemented.