Payment Matters 29: Europe and beyond

  • United Kingdom
  • Financial services - Payment services


In this update:

EBA consults on Guidelines on security measures for operational and security risks under the PSD2

The European Banking Authority (EBA) has published its consultation paper on the security measures for operational and security risks of payment services under the revised Payment Services Directive (PSD2).

Article 95(1) of PSD2 requires payment service providers to establish a framework to mitigate against, control and manage day to day operational and security risks derived from the services they provide. Payment service providers are also required to provide an updated and comprehensive assessment of the risks associated with the payment services they provide on an annual basis, or at shorter intervals as determined by the competent authority.

In accordance with these obligations, the EBA, in connection with the European Central Bank, has been mandated to issue guidelines with regard to the requisite framework. The guidelines are stated to apply from 13 January 2018 and support the main objectives of PSD2: improving competition; reducing security risks around electronic payments; and critically, reinforcing the integrated payments market in the European Union.

The EBA is now seeking feedback on the proposed guidelines by 7 August 2017 and a public hearing is scheduled to take place on 20 June 2017.

What this means for you

The EBA paper details proposals in a number of areas which will affect providers of payment related services. These include guidance on: 

  • establishing an effective governance procedure for managing risks, including an operational and security risk management framework, implementation of three lines of defence or equivalent internal risk management control models and developing security measures to mitigate risks associated with payment services that are outsourced;
  • identifying, establishing and regularly updating risk assessments;
  • developing policies to protect the integrity of data, systems and confidentiality, physical security and asset control. In particular, the guidance suggests the establishment and implementation of a ‘defence-in-depth’ approach by instituting multi-layered controls;
  • establishing procedures to continuously monitor and detect risks, activities and events in the provision of payment services and implement lines of reporting for security incidents; and
  • implementing business continuity management, scenario-based continuity plans, incident management and crisis communication, the testing of security measures, and situational awareness and continuous learning.

Payment services businesses of all types will need to analyse the paper closely to understand where changes need to be made to their existing operational and security risk processes and collateral, and where new processes need to be built to include additional operational/security measures. If you need support with analysing and feeding back on the paper, please contact Richard Jones.

European Banking Authority sets out standard terminology for services linked to a payment account in final draft Technical Standards

The EBA has published the final draft Technical Standards outlining the standardised terminology for services linked to payment accounts and the standardised formats and common symbols of the fee information document and the statement of fees.

Directive 2014/92/EU mandates the EBA to develop regulatory technical standards to help consumers compare offers from different payment services providers, particularly in relation to fees, across the European Union. 

Following on from a lengthy consultation process, including consumer testing, the EBA decided to standardise eight common terms associated with payment accounts and provide consumer-friendly definitions in all the official languages of the EU – the translation process is currently underway and expected to be completed by the end of May.

In the meantime, the eight standardised terms (maintaining the account, providing a debit card, providing a credit card, overdraft, credit transfer, standing order, direct debit and cash withdrawal) defined by the EBA have been drafted in English and the definitions are available in the EBA’s final report here.

Once the terminology is adopted by the European Commission, all member states will have to integrate these terms into provisional lists of the most representative services and issue their final national lists.  

What this means for you

As discussed, the EBA technical standards introduce eight standardised terms for services linked to a payment account, in addition to consumer-friendly definitions of these terms in all EU official languages. Payment service providers will, therefore, be required to:

  • incorporate the standardised terms into the fee information document and the associated statement of fees; and
  • adopt the EBA-prescribed templates for the fee information document, the statement of fees and the associated symbol(s) to ensure the information is clear, consistent and easy to understand.

Please contact Richard Jones if you would like assistance with updating your collateral.

ECB consults on future RTGS service 

On 10 May 2017 the European Central Bank (ECB) launched a consultation on the user requirements for the future Real Time Gross Settlement (RTGS) service in the context of the TARGET2 (T2) and TARGET2-Securities (T2S) consolidation. This followed on from the release of an executive summary in advance of the consultation.

The Eurosystem (the ECB and the national central banks of countries that have adopted the euro) is carrying out the T2-T2S consolidation and optimisation project, which is linked to the overall provision of liquidity to services such as the TARGET instant payment settlement (TIPS). The Eurosystem has looked at the current scope of RTGS services and identified potential new features and development opportunities to meet the changing needs of the payment business.

What this means for you

The Eurosystem aims to further decrease the running costs of the market infrastructures. The consultation outlines a number of key proposals to help achieve this. They include:

  • the creation of a new central liquidity management service to ensure adequate liquidity provisioning and allocation of liquidity for market infrastructure services for instant payments, settlement of securities and high value payments;
  • harmonising the organisation of support functions for the new RTGS, T2S and TIPS services; and
  • embedding ISO 20022 as the standard format for communication between the different Eurosystem market infrastructures.

The ECB has requested feedback on its proposals for the new central liquidity management service, the future RTGS and the T2-T2S consolidation.  The deadline for this feedback is 30 June 2017.

EPC Scheme Technical Forum latest minutes published

The minutes and agenda for the latest meeting of the European Payments Council (EPC) Scheme Technical Forum (ESTF) have been published. The March meeting included an update on the implementation status of the EPC’s forthcoming SEPA Instant Credit Transfer (SCT Inst) scheme, due to be launched in November 2017. The pan-European scheme aims to eliminate the risk of a lack of interoperability between national euro payment solutions.

The ESTF has identified the following obstacles to the implementation of the SCT Inst scheme:

  • Adherence – The current maximum amount of 15,000 euros per transaction is considered to be too low;
  • Technical Challenges – The SCT Inst scheme requires new risk assessments, a new technical implementation approach and further IT investments;
  • Risk Management – The SCT Inst may become attractive for fraud and money laundering; and
  • Clearing and Settlement – PSPs are concerned that there will be no or limited interoperability between CSMs, TIPS, ASI6RT and TARGET2.

The Forum also considered various options for the evolution of all SEPA payment schemes particularly in regard to ISO 20022 and the extension of remittance information.

What this means for you

The EPC Director General has explained that as of November 2018, the maximum amount per transaction can be adapted. PSPs will be able to submit a change request to increase the maximum amount; however, the EPC Director General has not stated whether there will be a cap on this.

The ESTF also advised that change requests to the EPC rulebooks should be sent to the e-mail address by 31 December 2017 at the latest.

The date of the next meeting will be 22 June 2017.

European Parliament adopts a report calling for an EU-wide legal framework for FinTech

ECON, the European Parliament’s Economic and Monetary Affairs Committee, has adopted a report urging the European Commission to implement a set of rules that would enable FinTechs to develop a comprehensive framework.

The report comments on the great opportunities for Europe given that new technologies are rapidly changing the nature of the financial infrastructure worldwide. The key areas of focus for ECON are cybersecurity, data protection, easing barriers to market entry for innovative FinTechs, avoiding regulatory arbitrage and ensuring businesses are able to passport services throughout the EU. 

The report does not offer technical solutions but sets out to pose the questions that must be addressed in the creation of a forward looking European policy on FinTech. We understand that the European Commission will consider the report during its ongoing public consultation on the FinTech sector.

What this means for you

As discussed, the European Commission will be responsible for drafting any new specific rules and is currently running a consultation on the FinTech sector. We recommend that you monitor any such developments closely. We will also continue to provide updates in our monthly Payment Matters updates.