During my panel at the 5th Electronic Money Association (EMA) Conference in Brussels about the updated Payments Service Directive (PSD2) provisions on IT security, I shared my views together with other panelists from the European Banking Authority (EBA) and the EMA, on the EBA Guidelines issued in 2014, and the more stringent requirements that will apply once PSD2 is implemented.
After acknowledging some potential benefits to the industry, such as more standardization and increased customer awareness and trust, I dug into the most pressing issues.
In my opinion it is difficult, under the current and proposed rules, to strike a balance between security and business efficiency.
Balancing security with convenience – 01’34”
In my opinion it is difficult, under the current and proposed rules, to strike a balance between security and business convenience as these requirements are to be implemented via a two-step approach.
Legal uncertainty – 02’11”
I discussed the complexity and legal uncertainty that the new rules imply for the industry, especially regarding authentication. For example, within the context of the currently applicable EBA Guidelines, providers from certain countries are still waiting for a local supporting framework for implementation. On top of that, despite providers’ willingness to comply at all times, it is hard to justify the investment in money and human resources when that investment is unlikely to satisfy the more stringent requirements that will apply following PSD2.
Uneven playing field and unfair competition – 03’22”
I also raised competition issues that may arise from several angles. For example, the current EBA Guidelines do not apply to all existing categories of providers, since some will only be in scope under PSD2.
This may foster an uneven playing field within the EEA, and the same scenario will arise once the more stringent PSD2 requirements take effect. This is, among other reasons, because the commonly advised risk-based approach will be difficult to implement, and thus may penalize smaller players that have fewer means to face these burdensome conditions.
On top of these issues, this is an EU mandate for a global environment. This clearly implies a competitive disadvantage for European players. We should not forget that our overall goal is to build a stronger Europe. It would be interesting to know, therefore, whether EU policy makers are eventually planning to co-operate with non-EU peers to promote these measures globally.
Damaging customer experience – 05’05”
Such local deviations are likely to take their toll on customer experience, which should play a pivotal role in the current and proposed rules. Consider successful examples such as Amazon, and how important their checkout experience is to their success. It is obvious that authentication, if not correctly addressed, can be a conversion killer.
My overall opinion is that, in a global environment such as online commerce, where there are no physical borders, high complexity and varying business models, regulations should stick to worldwide, simplified patterns.
How high is the ratio for authenticated transactions? – 06’00”
The rationale behind this set of new security requirements, including two-factor authentication, was based on the excessive fraud ratios for online transactions. The main source for this is the ECB Report on card fraud, whose figures are used to justify its adoption.
The report mainly states that fraud levels for online transactions are higher than for offline ones. This is certainly a fact. However, it does not provide a clear breakdown between non-authenticated and authenticated fraud. So we should ask ourselves: is the fraud-to-sales ratio for authenticated transactions really that high?
More space for self-regulation – 07’18”
Unless more solid figures are shown, I believe the problem lies in a lack of authentication rather than in the currently used methods. There are already effective and widely accepted authentication methods, and considerable investment has already been made by most stakeholders. Perhaps this was not the best moment to require such a two-fold investment, potentially reducing competition and growth for the sector.
There are already liability shift systems in place, steering players towards more secure authentication methods. Most European customers are already familiar with these, which are primarily based on 3-D Secure technology.
In conclusion, day by day we see how the industry promotes new and safer solutions, such as those based on tokenization or risk-based models. Overregulating has the potential to hinder industry efforts. In my opinion, self-regulation seems more appropriate, at least until PSD2 comes into play.