Financial servicesEuropean Banking Authority introduces new security requirements for electronic payment transactions

Today, the European Banking Authority (EBA) issued new security guidelines on electronic payments in the EU. As part of the Payment Services Directive 2, which is in effect since 2015, EBA was commissioned to draw up these technical security rules in cooperation with the European Central Bank (ECB) and stakeholders. Before these rules become EU law, they need to be approved by the European Commission, the European Parliament and member states. These are some central aspects of the proposals:

  • So far, any exemptions to the application of a strong customer authentication in payment services was related to the level of risk involved in the service provided, the amount and recurrence of the transaction and the payment channel used for the specific transaction.
  • Now, EBA introduced two new exemption rules to customer authentication: The first will be based on a transaction-risk analysis on the grounds of pre-defined fraud levels. The second is for payments at so-called “unattended terminals” for transport or parking fares.
  • Moreover, the threshold for so-called remote payment transactions was increased from previously 10 € to 30 €. This would imply that to payments below 30 € none of the new security features apply. For payments between 30 € and 500 €, the security measures would only apply depending on the rate of fraud at the bank. 

In the light of these proposals, the European Consumer Organization BEUC is alarmed and urges EU institutions to enshrine the principle of consumer protection in the future Payment Services Directive.

Monique Goyens, Director General of BEUC, commented on this: "Stronger rules to make electronic payments safer are desperately needed. (…) The EBA is also proposing that banks apply the new security measures depending on the rate of fraud on the bank’s books, rather than applying the same level of security to all payments. But that’s like asking the fox to guard the henhouse. Only the banks have access to this data and it will be near impossible for public authorities to assess if banks are breaking the rules."

Source: European Banking Authority (EBA) and European Consumer Organization BEUC

More information and BEUC-statement