The UK has rejected the chance to sign up for new European Banking Authority (EBA) guidelines on online payment security, making the FCA one of only three EU countries to resist the change.
The new guidelines, which are due to come into force from 1 August, require firms to
include stronger customer authentication, where customers making payments must provide non-reusable security details. Some 24 national authorities have already signed up out of the 28 EU member states. The UK, Estonia and Slovakia have opted-out.
Pressed on the reason for this, the UK’s Financial Conduct Authority (FCA) said that it “does not have the power, without legislative change, to make binding rules requiring all payment service providers (credit institutions, payment institutions and e-money institutions) to comply with the EBA Guidelines”. The FCA insists however that it is “supportive” of the EBA’s objectives and is considering issuing its own guidance to payment service providers
The EBA guidelines are being introduced as a stopgap and will be superseded by the upcoming revised Payments Services Directive (PSD2) in 2018/19. The FCA notes that it requires compliance with the SecuRe Pay Recommendations that are in place for PSD2 transposition.
Experts have questioned if this move will open up UK banks to online fraud and cyber-attacks, although some say that they are already “one step beyond these requirements” considering their increasing use of biometrics.