In March 2014, the FCA, the prudential supervisor for UK based payment institutions and e-money providers, outlined that it would not be strictly assessing the compliance with the Securepay Recommendations on the security of Internet Payments. This announcement was quite interesting as in February 2014, the Forum also published an assessment guide that assists payment service providers with the implementation of these Recommendations by February 2015.
We have decided to await the publication of guidance from the European Banking Authority on measures for the security of internet payments and will begin to assess firms’ implementation of these security measures when the updated Payment Services Directive requirements take effect.
The updated Payment Service Directive will enter into effect at the earliest by mid 2016. It will assign the European Banking Authority with the task of further developing guidance for the security of retail payments. The FCA has chosen to wait for this guidance rather than pre-empt it.
Kicking the security-can down the road
It is interesting to note that the FCA seeks a pragmatic middle ground. It carefully states that it finds security an important issue while at the same time outlining that it will wait for a solid legal basis to assess the security of retail payments. In doing so it effectively kicks the tricky security can down the road.
I can well understand the FCA desire to kick this can. The Securepay recommendations on security lead to quite some questions in their practical application for different technologies (see the blog here). On top of that, the detailed prescriptions on the basis of the new Payment Services Directive may lead to further rules that limit the choices that market entities can make to achieve a certain level of security.
Rather than confuse the market with layering requirements which quickly follow each other, the FCA apparently chose to wait and see, hoping that the final rules on security for retail payments may become more balanced.
It will be interesting to see if other supervisors follow suit.