UK Opts Out of EBA Guidelines: What Now?

In a rather surprising move, the UK’s Financial Conduct Authority (FCA) has opted out of implementing the European Banking Authority’s (EBA) Final Guidelines on the Security of Internet Payments scheduled to come into effect on August 1st of this year.

According to the FCA’s statement, it “does not have the power without legislative change to make binding rules requiring all payment service providers (credit institutions, payment institutions and e-money institutions) to comply with the EBA Guidelines”, but it nevertheless supports the EBA’s objectives and is considering releasing its own guidance to service providers. Whatever either party releases, however, is only an interim measure and a prelude to the more demanding security requirements that will arrive with the transposition of the revised Payment Services Directive (PSD2), scheduled to take effect in 2018/19.

Whilst the regulatory complexity of enforcing any set of guidelines is significant, failing to propose an interim alternative straight away leaves open the question of how the UK will protect its citizens from online fraud in the meantime. According to the UK Cards Association, online fraud has risen by 35% year-over-year since 2012, and without significant changes that trend will likely continue for the next three years.

So what will the FCA guidelines look like, and what should UK service providers do to make sure that they are ready for PSD2?

It is possible that the decision to pass on the EBA guidelines was influenced by the significant advances in identity management and authentication, especially in biometrics and in the ever-increasing adoption of smartphones as authentication devices. Authentication on its own is not sufficient security, but it can significantly reduce the risk of fraud, buying the time needed to put the rest of a security programme in place properly over the next three years.

Multi-factor authentication is clearly a must-have under the EBA guidelines, and it should be at the forefront not only of any FCA guidance but of every service provider’s plan to meet PSD2.

That said, the EBA’s guidelines are a minimum set of requirements, and a provider that does not already meet them is showing a disregard for basic security practice. The FCA is likely to follow these guidelines closely and will, one hopes, add an explicit requirement for the single most important factor in any security programme: senior management buy-in.

As things stand, the 14 EBA guidelines include such fundamentals as:
1. Governance – The primary foundation of all security, and the expression of senior leadership’s commitment to act responsibly
2. Risk Assessment – The first step in protecting data in all its forms
3. Incident Monitoring & Reporting – Effective incident response is what stops a security event from becoming a business-crippling disaster
4. Strong Customer Authentication – Authentication based on two or more independent factors (something the customer knows, has, or is)
5. Protection of Sensitive Payment Data – What the guidelines are ultimately about
6. Customer Education and Communication – Self-explanatory

Nothing in the 14 guidelines goes beyond the intent of two security frameworks that have existed in some form for many years. The ISO/IEC 27000 series (around 20 years old, counting its BS 7799 origins) and the PCI DSS (almost 10 years old) cover the same subjects in greater depth, despite being minimum standards in their own right.

Robust authentication, combining two or more independent factors, is a quick win for service providers, and the technology to deliver it is readily available.