Payment Services Directive - Innovation and security should go hand in hand
The European Banking Federation (EBF) notes with interest the long-awaited revision of the EU Payment Services Directive (PSD), disclosed today in a European Commission Proposal.
“The new proposal should bring some positive developments such as a more inclusive regulatory approach for the various types of payment services providers,” says Sébastien de Brouwer, EBF Executive Director, in charge of Retail, Legal, Economic and Social Policy.
Europe’s banks also appreciate the fact that sufficient flexibility has been maintained in relation to business users, who benefit from having the freedom to require more tailor-made payment propositions and services from their payment service providers. Banks, however, express serious concerns, notably over the approach adopted by the new Directive on third party access to payment accounts.
The Commission Proposal appears to provide for an explicit right for payers to make use of a third party payment service provider in order to have payment services carried out, without a legal and contractual frame binding the payers, the third party payment service provider and the payers' bank. It would enable those third-party service providers to access the consumer’s online banking account and initiate a payment from that account, impersonating the customer.
“This model – if not properly regulated – would fail to meet the high security standards which authorities and Payment Service Providers as well as consumers would like to see in the current and future payment services in the Single Market,” notes de Brouwer.
Europe’s banks oppose the simple handing over of confidential personal credentials to third parties and the practice of impersonation – mimicking a payment order even by the consumer – through an extended use of overlay services without express consent from both the bank account owner and the account-holding institutions. Dual consent, as well as contractual arrangements between the parties involved, is a prerequisite for avoiding fraud and identity theft and for ensuring respect for data protection.
“For security and privacy reasons, only services that respect clear and fair allocation of rights, obligations and liabilities should be authorised by EU authorities,” says de Brouwer.