Two recent developments for payment services in Europe warrant attention: First, the UK Payment Systems Regulator has set its 2017 / 2018 agenda. The Regulator is only two years old, so much of the agenda is still about the organization finding its footing. For the coming year, it has identified three areas of focus: the implications for consumers of a changing payments sector, the increasing use of payments data, and changing competitive dynamics.
Second, the European Banking Authority recently published final draft regulatory technical standards (RTS) under the revised Payment Services Directive (PSD 2*) on strong customer authentication and common and secure communication.
The most notable aspect of these standards is not necessarily the substance of particular requirements, but rather the kind of requirements that they impose. These standards make more specific recommendations than is typical. Other cybersecurity regulators often take a less direct approach by requiring regulated entities to do what is “reasonable” or “risk-based”, leaving what is “reasonable” or “risk-based” as blanks to be filled in later. For example, the United States Federal Trade Commission regulates cybersecurity mostly through case-by-case adjudications of whether or not a company’s cyber defenses are “reasonable.” Although companies can glean some guidance from the Commission’s precedents and informal guidance, the Commission has not specifically articulated a comprehensive set of “reasonable” protections. Although PSD 2 and the technical standards also contain certain undefined mandates – like ensuring that communications interfaces be “secure” – there is substantially more technical guidance for regulated entities.
Notably, Article 97(1) of PSD 2 requires “strong customer authentication.” To implement this, the RTS require authentication based on two or more elements categorized as knowledge, possession and inherence; this will result in the generation of an authentication code. As an international comparison, the New York Department of Financial Services recently issued its own cybersecurity regulation, which (in some contexts, at least) also requires authentication using two of three factors – also defined as knowledge, possession, and inherence.
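To make the two-of-three-categories rule concrete, here is an added example (not code from the post, the EBA or any payment service provider) of how a server-side check might enforce it and then derive an authentication code. The factor names, the user record and the HMAC-based code derivation are constructed assumptions; the RTS specify the categories, not how a provider must build the code.

```python
"""Illustrative strong customer authentication (SCA) check.

Added example, not part of the original post or the RTS text. It models
the requirement that authentication rest on two or more elements from
distinct categories (knowledge, possession, inherence) and that a
successful check yields an authentication code. The factor names and the
HMAC-SHA256 code derivation are constructed assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Categories named in Article 97(1) PSD 2 and the RTS.
CATEGORIES = {"knowledge", "possession", "inherence"}


@dataclass(frozen=True)
class Factor:
    category: str   # one of CATEGORIES
    name: str       # e.g. "password", "otp_device", "fingerprint" (constructed)
    verified: bool  # whether this element was independently verified


class SCAError(ValueError):
    """Raised when the presented elements do not satisfy SCA."""


def check_factors(factors):
    """Return the set of verified categories, raising if SCA is not met.

    Two passwords are still one category, so distinct categories are
    counted rather than the number of elements presented.
    """
    for f in factors:
        if f.category not in CATEGORIES:
            raise SCAError(f"unknown factor category: {f.category}")
    verified = {f.category for f in factors if f.verified}
    if len(verified) < 2:
        raise SCAError("strong customer authentication requires two or more "
                       "verified elements from distinct categories")
    return verified


def authentication_code(server_key, user_id, factors, nonce=None):
    """Derive an authentication code once the factor check succeeds.

    Constructed design: HMAC-SHA256 over the user id, the sorted verified
    categories and a fresh nonce, so each code is bound to one session.
    Returns (hex code, nonce) so the verifier can recompute the code later.
    """
    categories = check_factors(factors)
    nonce = secrets.token_bytes(16) if nonce is None else nonce
    msg = (user_id.encode() + b"|"
           + "|".join(sorted(categories)).encode() + b"|" + nonce)
    return hmac.new(server_key, msg, hashlib.sha256).hexdigest(), nonce


if __name__ == "__main__":
    pw = Factor("knowledge", "password", True)
    otp = Factor("possession", "otp_device", True)
    code, _ = authentication_code(b"server-key", "alice", [pw, otp])
    print("authentication code:", code)
```

The important design point is in `check_factors`: a second element from the same category (a PIN on top of a password) does not raise the count, which is what distinguishes the RTS wording from a naive "two factors" check.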
The standards also require payment service providers to have transaction monitoring mechanisms in place that enable them to detect unauthorized or fraudulent payment transactions. These mechanisms must be based on the analysis of payment transactions taking into account normal use by the user of its personalized security credentials.
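As an added illustration of monitoring that takes "normal use" into account (example code, not the post's or any provider's own), the following builds a per-user baseline from past transactions and scores a new payment against it. The features, thresholds, scoring weights and the sample history are all constructed assumptions.

```python
"""Illustrative per-user transaction monitoring.

Added example, not from the original post or the RTS. It derives a
baseline from a user's own history (amounts, hours, countries, devices)
and counts deviations in a new payment. Features, thresholds and the
sample history below are constructed for illustration.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    amount: float
    hour: int        # local hour of day, 0-23
    country: str     # ISO 3166 alpha-2 code, e.g. "GB"
    device_id: str   # identifier of the device that initiated the payment


# Constructed history: twenty small GB purchases from one phone during the day.
SAMPLE_HISTORY = [
    Txn(20.0 + 2 * i, 9 + i % 10, "GB", "phone-1") for i in range(20)
]


def build_profile(history):
    """Summarise a user's normal use from past transactions."""
    amounts = [t.amount for t in history]
    return {
        "mean": mean(amounts),
        "sd": pstdev(amounts),
        "hours": {t.hour for t in history},
        "countries": {t.country for t in history},
        "devices": {t.device_id for t in history},
    }


def score(profile, txn):
    """Return (score, reasons); each deviation from the baseline adds one point."""
    reasons = []
    sd = profile["sd"] or 1.0          # avoid division by zero for flat histories
    z = (txn.amount - profile["mean"]) / sd
    if z > 3:
        reasons.append(f"amount {txn.amount:.2f} is {z:.1f} sd above the user's mean")
    if txn.country not in profile["countries"]:
        reasons.append(f"country {txn.country} never seen for this user")
    if txn.device_id not in profile["devices"]:
        reasons.append("payment initiated from an unknown device")
    if txn.hour not in profile["hours"]:
        reasons.append(f"hour {txn.hour} is outside the user's usual window")
    return len(reasons), reasons


def is_suspicious(profile, txn, threshold=2):
    """Flag a payment when at least `threshold` deviations coincide (constructed rule)."""
    s, _ = score(profile, txn)
    return s >= threshold


if __name__ == "__main__":
    profile = build_profile(SAMPLE_HISTORY)
    for t in (Txn(45.0, 12, "GB", "phone-1"), Txn(900.0, 3, "RO", "unknown-device")):
        s, why = score(profile, t)
        print(t, "->", "SUSPICIOUS" if is_suspicious(profile, t) else "normal", why)
```

Requiring two coinciding deviations rather than one keeps a single unusual feature (a first purchase abroad) from blocking a legitimate payer, while a large amount from a new device in a new country at an unusual hour is flagged.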
The standards further mandate the creation of “interfaces” to allow different entities to connect with and contribute to a transaction. (This doesn’t necessarily mean a user interface—it’s more about building back-end infrastructure interfaces between different systems.) Articles 27 – 30 of the RTS establish detailed requirements that the interface(s) must satisfy. For example, Article 28(3) says that the interface must “use[] ISO 20022 elements, components or approved message definitions [] for financial messaging”.
A secure industrywide set of interfaces will likely make it easier for customers to use their payment accounts across multiple services, as well as reassuring customers that their money and identity are safe.
Whether the technical focus of the standards provides a model for future regulation in the area is yet to be seen. They are likely to provide a template for future regulation depending on whether: (1) entities can actually comply and (2) the technical standards are actually effective and flexible enough to change with evolving technology, market demand, and counter-methods.
(* PSD 2 is one of three recent EU-level mandates that affect cybersecurity – although not all of them focus as directly on cybersecurity as PSD 2 and the technical standards. There is also the Security of Network and Information Systems (NIS) Directive and the General Data Protection Regulation (GDPR).)