Payment Matters: No 7 - EU News

    • Financial services

    24-02-2014

    Round Table Discussion considers Security Breaches connected to PSD II

    A roundtable discussion was held in the European Parliament on 7 January 2014 in relation to PSD II, in which EU policymakers argued that the draft rules are not robust enough to protect consumers from fraud and data security breaches.

    The Assistant European Data Protection Supervisor (“EDPS”), Giovanni Buttarelli, advised the roundtable discussion that consumer protection was sorely missing from the proposed data protection clauses. Acting as the EU’s watchdog on data protection issues, the EDPS has concerns about the “increasingly significant amount of personal details processed by stakeholders, including names, personal data, bank numbers, contacts and so on”. The EDPS believes that mobile operators should only have access to simple and necessary details relating to the transaction.

    As mobile payments become more popular in Europe, and a number of new players seek to enter the market, Farid Aliyev, the financial services officer at European consumer group, BEUC, suggests that fraudsters will be attracted by new opportunities. In his opinion, the solution to this would be to restrict third party access to certain consumer data details, within a specific remit to access the information.

    What this means for you

    Payment providers need to be alive to the security issues discussed by the EDPS. The new systems and processes being introduced potentially give fraudsters a new opportunity to access customer information. The development of PSD II needs to be monitored carefully to ensure that adequate security provisions are included and payment processors should ensure that they are aware of and have in place strategies to deal with the problems raised by the introduction of new technology and processes.

    However, nothing in PSD II replaces the need for stakeholders to put in place good quality, effective security measures of their own. The frustration is that, with the possible exception of EMV/Chip & PIN, there have been very few innovations over the last few years which have proved to be fraud-proof. Hackers simply like and enjoy the new challenge presented by the latest products. This is yet another example of the authorities looking to target the static stakeholders rather than the more elusive fraudsters.

    Further Amendments to PSD II tabled

    The European Parliament’s Committee on Legal Affairs have published their proposal for a new Directive to adapt the proposed PSD II.

    The Committee on Legal Affairs (the “Committee”) has set out its proposals detailing its aim to ensure legal certainty and a level playing field.  New rules will be introduced to enhance transparency, innovation and security in the field of retail payments with more consistency among national rules.

    On the face of it, the Committee’s proposed Amendment 6, in relation to the freezing of funds and whether a payment institution should retain or release them, creates a clear conflict between the users’ obligations under PSD II and the effect of a judicial decision seeking to freeze funds. In circumstances where a court has been satisfied as to the reason why funds are not being released, is it really desirable, where there has been a detailed judicial review of the underlying circumstances behind the dispute, to release the funds in any event?

    The Committee’s proposed Amendment 12 to set a maximum amount of funds that may be blocked in relation to payments where the amount of the transaction is not known at the time of purchase is sensible. However, there is a danger in adopting a “one cap fits all” approach. What may seem an appropriate period of time for one type of industry may not be appropriate in others. Each industry should be looked at individually to ensure the appropriateness of any timeframe set.

    What this means for you

    The original Payment Services Directive left a number of important questions for the industry unanswered or open to a variety of interpretations. The current draft of PSD II still leaves a vacuum in specific areas, which require certainty. It would seem sensible for the payment services industry to be given the opportunity to have a stronger voice in the Directive’s formation and implementation as opposed to handing over their voice to committees and representatives.

    EPC publishes final version of white paper on mobile wallet payments

    The EPC’s white paper on mobile wallet payments was published on 21 January 2014.  The paper includes:

    • An updated description of scenarios where a mobile wallet is used for financial services.
    • A high-level overview of the mobile wallet ecosystem and an updated description of the different stakeholders involved.
    • Information on the technical aspects of mobile wallets.
    • Greater emphasis on the security aspects of mobile wallet infrastructures with their components and the secure environment to host the mobile payment application, or data, or both.
    • An annex providing a short description of the SEPA payment instruments.

    The white paper concludes with a number of considerations and challenges to be addressed to ensure that mobile wallet payments can evolve successfully.

    What this means for you

    The EPC’s white paper provides a good starting point for all those in the industry to develop their understanding of mobile wallet payments.  It sets out a comprehensive introduction to the use of mobile wallet payments. As the use of smart phones and other devices increases, there can be no doubt that mobile payments will increase in popularity. As such, all those in the industry would benefit from becoming more familiar with them.

    Last chance saloon for banks and payment providers on SEPA migration

    The European Council recently approved an agreement with the European Parliament on the proposed draft SEPA Migration Regulation relating to credit transfers and direct debits.

    Following increasing evidence that many European businesses were struggling to meet the 1 February 2014 deadline, it comes as no surprise that the European Commission has extended the deadline for compliance by 6 months.

    The European Parliament is expected to vote accordingly in its plenary session in February and the Council will then formally approve the legislation without further discussion. The proposed regulation should enter into force as a matter of urgency and apply, with retrospective effect, from 31 January 2014.

    What this means for you

    The Commission was concerned that migration rates towards SEPA credit transfers and SEPA direct debits were not high enough to ensure a smooth transition. This additional 6 months will allow banks and other payment service providers to continue processing non-compliant payments through their existing legacy payment schemes, alongside SEPA credit transfers and SEPA direct debits, until 1 August 2014.

    The introduction of this period is considered as an exceptional measure by the Commission which will not be extended any further, so the message is very much that this is the ‘last chance saloon’.