TEMPLATE: COMMENTS ON THE DRAFT "RECOMMENDATIONS FOR PAYMENT ACCOUNT ACCESS SERVICES"

Similar documents
TEMPLATE: COMMENTS ON THE DRAFT "RECOMMENDATIONS FOR PAYMENT ACCOUNT ACCESS SERVICES"

TEMPLATE: COMMENTS ON THE DRAFT "RECOMMENDATIONS FOR PAYMENT ACCOUNT ACCESS SERVICES"

CONSULTATION ON THE DRAFT RECOMMENDATIONS FOR PAYMENT ACCOUNT ACCESS SERVICES - COMMENTS FROM THE DANISH BANKERS ASSOCIATION

Contact Details: Mr Lars Rutberg

SecuRe Pay Forum. Recommendations for the security of internet payments. Comments of German Banking Industry Committee (GBIC) General Comments

the security of retail payments

Opinion of the European Banking Authority on the transition from PSD1 to PSD2

EPCA PAYMENT SUMMIT Arno Voerman (Van Doorne N.V.) Edwin Jacobs (Time.Lex)

OPINION OF THE EUROPEAN CENTRAL BANK

Rapport ECB Recommendation on Security for Internet Payments Swedbank Response Specification/version: v

The EBA and its mandate on strong customer authentication & secure communication under Article 98 PSD2

Bird & Bird on the most important consequences of PSD2

Data Privacy Notice of Sumitomo Mitsui Banking Corporation, Brussels Branch ( SMBC )

Guidelines. on major incident reporting under Directive (EU) 2015/2366 (PSD2) EBA/GL/2017/10 19/12/2017

oversight framework for credit transfer Schemes october 2010

Dear Sirs, Response to the Review of the AML/CTF Regime Issues Paper

EBA GL on fraud reporting requirements under Article 96(6) PSD2 Helene Oger-Zaher Consumer Protection, Financial Innovation and Payments, EBA

GUIDELINES ON AUTHORISATION AND REGISTRATION UNDER PSD2 EBA/GL/2017/09 08/11/2017. Guidelines

Principles of Processing the Personal Data of Clients

Summary of memorandum

Consultation: ESMA s draft Technical Advice to the European Commission on possible implementing measures of the AIFMD

Draft EBA Guidelines on fraud reporting requirements

Pension Trustees. Final Countdown to the GDPR

Policy Management Framework

Protection of Personal Information (POPI) Policy. Sigma SA (Pty) Ltd FSP: 45643

I. Ensuring the Basis for an Effective Corporate Governance Framework

2018 Australian privacy outlook

EBA mandate on the RTS on strong customer authentication & secure communication Status update

NEWSLETTER UPCOMING EBA PUBLICATIONS (JUNE SEPTEMBER 2016)

Responses by the Ministry of Finance of the Slovak Republic on the Public consultation on Credit Rating Agencies

WHAT DECISIONS WILL YOU NEED TO TAKE? GETTING READY FOR THE GDPR PART FOUR LEGAL ISSUES AND TRUSTEE DECISIONS

Consultation Paper. on Draft Guidelines on fraud reporting requirements under Article 96(6) of Directive (EU) 2015/2366 (PSD2) EBA/CP/2017/13

PUBALI BANK LIMITED Internet Banking Service

TRAVELTOKENS SALE PRIVACY POLICY Last updated:

Common approach across Hong Kong AML regulators

Scheme Agreement. Qualitätssicherung. Vom Landwirt bis zur Ladentheke. referring to the bilateral agreement between QS and Belpork v.z.w.

ABBOTT DIABETES CARE Effective Date: February 4, 2018

PSD2 and draft EBA RTS: a lot of issues remain unclear. Scott McInnes, Bird & Bird LLP. 3 May 2017

Council of the European Union Brussels, 23 November 2018 (OR. en)

ARTICLE 29 Data Protection Working Party

REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL. on restrictions on payments in cash

EBA FINAL draft Regulatory Technical Standards

The I-REC Code. version 1.4

Final Report Draft regulatory technical standards on indirect clearing arrangements under EMIR and MiFIR

EUROPEAN COMMISSION Directorate General Internal Market and Services

to the CESR s technical advice on the European commission on the level 2 measures related to the UCITS management company passport CESR/09.

THE PASSPORT UNDER MIFID

INFORMATION NOTE FOR TRUSTEES ON THEIR SERVICE PROVIDERS & ADVISERS

CENTRAL BANK OF MALTA DIRECTIVE NO 1. in terms of the. CENTRAL BANK OF MALTA ACT (Cap. 204 of the Laws of Malta)

The EU s General Data Protection Regulation enters into force on 25 May 2018

Replies to Questions

GUIDE FOR THE ASSESSMENT OF CREDIT TRANSFER SCHEMES AGAINST THE OVERSIGHT STANDARDS

OVERSIGHT EXPECTATIONS FOR LINKS BETWEEN RETAIL PAYMENT SYSTEMS

Privacy Policy. For the purposes of Data Protection Legislation the data controller is the Company.

Registry General September 2015

Testimony. Submitted for the Record. American Bankers Association. Financial Institutions and Consumer Credit Subcommittee

WORKING PAPER. Brussels, 15 February 2019 WK 2235/2019 INIT LIMITE ECOFIN FISC

Ms Sabine Lautenschläger Member of the Executive Board European Central Bank By

ZURICH. The New FINMA Outsourcing Circular

IOPS Technical Committee DRAFT GOOD PRACTICES FOR GOVERNANCE OF PENSION SUPERVISORY AUTHORITIES. Version for public consultation

HSBCnet. Product Disclosure Statement. Effective 1 December 2016

FATF Report to the G20 Finance Ministers and Central Bank Governors

EBA FINAL draft regulatory technical standards

HIPAA COMPLIANCE ROADMAP AND CHECKLIST FOR BUSINESS ASSOCIATES

Terms and Conditions of N26 Bank GmbH for the Product N26 Invest (Statement: Juli 2016)

Payments Services: Regulatory Timeline. February 2017

Brussels, 23 rd September 2013

The Terms and Conditions of the Internet Bank Agreement. for Private Persons

Response to Cayman Islands Monetary Authority Private Sector Consultation on Corporate Governance

STATUTORY INSTRUMENTS. S.I. No. 60 of 2017 CENTRAL BANK (SUPERVISION AND ENFORCEMENT) ACT 2013 (SECTION 48(1)) (INVESTMENT FIRMS) REGULATIONS 2017

Payment Services and Electronic Money Our Approach

GUIDELINES FOR THE CONTRACTING OUT OF RESEARCH ACTIVITIES

JC/GL/2017/ September Final Guidelines

ERGO Versicherung AG UK Branch Data Privacy Notice

DATA PROCESSING ADDENDUM

Money Laundering and Terrorist Financing Risks in the E-Money Sector

General comments We welcome the Commission consultation on an issue that has sparked so much public debate in recent times.

Annex to II.6 MANDATORY PROVIDENT FUND SCHEMES ORDINANCE (CAP. 485) INTERNAL CONTROLS OF REGISTERED SCHEMES

2 Harmonised statistics on payment services in the Single Euro Payments Area

Import payee, Biller and Direct Debit Information Service. Terms and Conditions

Cuprum Token AML/KYC POLICY. Last updated:

SUMMARY OF BINDING CORPORATE RULES

Data Privacy is important please read the statement below.

3. Obligations of the Investment Manager

Requirements of explicit consent

PRINCIPLES ON CLIENT IDENTIFICATION AND BENEFICIAL OWNERSHIP FOR THE SECURITIES INDUSTRY

Module 3 TOOLS FOR TRANSPARENCY

ABBOTT DIABETES CARE Effective Date: February 4, 2018

Working Party on the Protection of Individuals with regard to the Processing of Personal Data

Recommendation of the Council on Good Practices for Public Environmental Expenditure Management

Dialogue with the Private Sector

PSD2 and other European legal developments

Consultation response regarding the Inquiry on Cash Handling s report, Cash handing in Sweden (SOU 2014:61)

STATUTORY INSTRUMENTS. S.I. No. 604 of 2017 CENTRAL BANK (SUPERVISION AND ENFORCEMENT) ACT 2013 (SECTION 48(1)) (INVESTMENT FIRMS) REGULATIONS 2017

General agreement terms and conditions 1 (9) governing services with access codes

Michael R. Cohen CIPP/US, CIPP/E Gray Plant Mooty. Overview of the EU General Data Protection Regulation (GDPR)

Notre référence Votre référence Date Page HGD/AWE

Delegations will find in the Annex a Presidency compromise on the abovementioned proposal.

Freedom & Choice in Pensions: The Government s Response and FCA Guidance Guarantee Consultation

REPORT ON INVESTMENT MANAGEMENT INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS

Transcription:

BDB Response to the SecuRe Pay s Recommendations for Payment Account Access Services - FINAL EUROPEAN FORUM ON THE SECURITY OF RETAIL PAYMENTS ECB-PUBLIC 12 April 2013 TEMPLATE: COMMENTS ON THE DRAFT "RECOMMENDATIONS FOR PAYMENT ACCOUNT ACCESS SERVICES" Contact details (will not be published) Mr Marcus Nasarek Marcus.Nasarek@bdb.de +4930 1663-2323 The comments provided should NOT be published The table below shall serve as a template collecting comments received in a standardised way. o Please add to the table only issues where you consider that a follow-up is necessary, i.e. no general statements like We welcome the recommendations. o All comments should be separated per issue concerned so that a thematic sorting can be easily applied later on. (i.e. one row for each issue). o If needed, replicate page 2 for the provision of further comments. The assessment form consists the four items which are suggested to be filled as follows: Originator: Name of the originator and ISO code of the country of the originator (e.g. NAME (AT/BE/BG/...)) Issue (states the topic concerned): General comment, Scope, Terminology, REC 2, 1.1 KC, 3.2 BP, Glossary, Comment: Suggestion for amendment, clarification or deletion Reasoning: Short statement why the comment should be taken on board EPC086-13 v0.5 Page 1 of 7

Originator: Name of the originator (e.g. name of the company or association) Association of German Banks ISO code of the country of the originator DE Comments on the recommendations for payment account access services N Issue Comment Reasoning 1 General It is to be welcomed that payment account access services (PAAS) offered by TPs are to be subject to the same stringent security standards as those applying to internet payment services offered by PSPs. The cooperation repeatedly called for in the report should be based on binding contractual arrangements. This is necessary because it is the only basis on which liability issues can be clearly regulated. The agreement between the PSP and TP should cover issues such as fees for services provided by the PSP. Furthermore, PSPs like all other market participants should be under no obligation to enter into cooperation agreements. 2 General It needs to be ensured that the service provider can only access account information with the explicit consent of the customer (to safeguard banking secrecy and data protection) and that this access does not give rise to any security problems in online banking (no increase in civil liability risk). In their present form, the PAAS recommendations address this customer need only in terms of technical security. Measures required to guarantee banking secrecy and consumer protection, by contrast, need to be fleshed out in more detail so as to safeguard the rights of the customer in the customer-service provider relationship (consumer protection). EPC086-13 v0.5 Page 2 of 7

3 General The bank is liable to the customer for breaches of security and integrity in online banking. In consequence, the bank has a strong legitimate interest in limiting access to its online banking interface to authorised parties. This access control is essential in order to safeguard online banking security and banking secrecy. If a customer wishes to grant access to the online banking interface to a third party he/she considers trustworthy, the bank has a legitimate interest in being actively involved in this process and in at least limiting such access to service providers which meet the PAAS security standards. This interest is not adequately recognised in the recommendations as things stand. It needs to be clearly spelled out that access to the online banking interface requires the consent of the bank as well. The bank should have a special interface with the TP in the form, for example, of a dedicated interface to online banking. 4 General The recommendations automatically assume that, if a service provider s technology is secure, it should have access to the online banking interface. This fails to take account of the legitimate interests of the operator of the interface outlined above. A fair balance of interests can only be achieved if the bank gives its consent. It should be borne in mind that the service provider is not a contractual partner of the bank and has no automatic right to use an interface dedicated exclusively to the customer for its own commercial interests. 5 Implementation A double consent approach should apply. The customer should agree to the payment account access service and the TP should have access to the customer s data only with the agreement of the bank. This will require a bilateral agreement between the bank and TP. 6 Implementation We would basically welcome it if TPs were regulated by the PSD. However, careful consideration needs to be given to the question of which party in the customer-tp-account servicing PSP loop holds which risk and has which liability. A fair division of risks and liabilities between the bank and TP needs to be ensured if the scope of the PSD is extended to cover TPs. 7 General (security policy and sanctions) The recommendations should make the third party security policy more stringent so that it matches the same level of security requirements as those applicable to PSPs and avoids compromising user confidence. Sanctions to be imposed in the event of a breach of the recommendations should be set by lawmakers or competent authorities. EPC086-13 v0.5 Page 3 of 7

8 General (data protection and banking secrecy) 9 Scope and addressees 10 Scope and addressees ECB-PUBLIC A thorough legal assessment needs to be carried out to ensure compliance with data protection and banking secrecy laws. In particular, it should be ensured that TPs do not compromise any existing requirements. This section should clearly specify whether the scope of the recommendation covers e/m-wallet providers. The exemptions on page 3 are extremely broad and there is no guidance on how to deal with them. The future treatment of these exemptions should reflect the requirements to be met by PAAS. 11 REC 1 This recommendation could be made more concrete by referring to internationally agreed security standards such as ISO/IEC 27001. The basis of governance should be a two-phase approval of TPs (security certification and bilateral agreement between the TP and PSP). 12 1.1 BP Deletion 1.1 BP could be deleted as it is already covered by 1.1 KC 13 REC 3 TPs and GAs should also be required to report security incidents and data breaches to the customer and the account servicing PSP. 14 REC 3 Reporting thresholds need to be defined for incident reporting. It should be clarified which threshold will trigger what kind of report. 15 3.3 KC Any fraud affecting a PSP s customer (even a single one) should be reported to the PSP. This is also necessary so that the PSP can fulfil its regulatory obligations to manage fraud effectively. 16 REC 3 In line with other data breach guidance, the recommendation should be extended to include the need for TPs/GAs to advise consumers of any incident that might place their account details at risk. This will be particularly important if the PSP is not directly involved in providing the service. 17 3.1 BP Deletion 3.1 BP should be deleted as it is already covered by 3.3 KC. EPC086-13 v0.5 Page 4 of 7

18 4.1 KC / Security and control measures will need to be robust and minimum requirements will have to be made clear to all parties. Furthermore, TPs and GAs should be supervised in the same way as PSPs. 19 4.5 KC The word gathering should be replaced by authorised retrieval. 20 4.5 KC Footnote 14: Please provide a definition of privacy by design. 21 4.5 KC Banks could, for instance, make a special credit transfer page available to TPs for the sole, explicit purpose of exercising the functions agreed between the PSP and TP. The TP could then carry out its tasks (executing a payment/guaranteeing a payment to a merchant) without being able to view all transactions and holdings on all accounts. This will prevent customer profiling. 22 4.5 KC It should be spelled out in the context of data minimisation that sensitive payment data such as credentials should not be stored permanently by the TP. 23 REC 5 / REC 6 An additional recommendation should be addressed to TPs since traceability is not, in itself, sufficient. Customers and PSPs have a right to know all relevant details about TPs from the outset before using or relying on their services. This should be reflected in a KC. Furthermore, an additional KC should reflect the need for TPs to authenticate themselves to PSPs prior to accessing an account in line with the objective set out at the top of page 3 (first indent). An example of proper authentication in all communications is the logging of data connections. 24 5.2 KC TPs should implement log files in accordance with an appropriate standard (e.g. ISO 2700x). It is not common practice to make additions, changes or deletions of transaction data in a log file. A new transaction should therefore be created instead. 25 5.6 KC & 5.1 BP / Although it seems sensible to require the account servicing PSP to be able to differentiate between account access by a TP and by a customer, it would be complex, costly and ineffective in practice. We do not believe that all customers would be able to handle two sets of security credentials with due diligence. In addition to being costly and complex, there would be a danger of credentials being used erroneously. EPC086-13 v0.5 Page 5 of 7

26 6.1 KC What does where applicable mean? 27 6.1 KC It should be mentioned that the procedures used should comply with anti-money laundering regulations. 28 6.2 KC Where applicable should be deleted. 29 REC 7 / Many KCs and BPs mention the need for strong authentication (to which we have no objection). However, they mostly fail to specify whether the strong authentication should be provided by the TP or whether it would also be sufficient to rely on the strong authentication mechanisms of the account servicing PSP. Only Recommendation 7 (7.1 KC) contains the rather vague statement that a TP could agree with an account servicing PSP to rely on the latter s authentication methods. This should be formulated much more precisely along the following lines: - If a TP wishes to rely on a PSP s strong authentication, it should enter into an agreement with the PSP to this effect. - This agreement should be a formal contract between the two parties. - If a TP does not have an agreement of this kind with an account servicing PSP, it should not use or rely on that PSP s strong authentication mechanisms, but should instead establish and maintain such authentication mechanisms itself. 30 7.2 KC Deletion This KC should be deleted because consultative services are not the subject matter of the recommendations. 31 7.1 BP Please clarify whether the purpose is really to link strong customer authentication to transaction authentication. 32 REC 8 & 9 We believe a requirement should be added to the effect that if a TP uses security mechanisms of the account servicing PSP, the TP s PAAS should not negatively impact security solutions provided by that account servicing PSP. For example, if the account servicing PSP stops an internet banking session after a certain period of inactivity, the TP should not artificially generate activity to keep the internet banking session going. 33 8.2 KC TPs should actively mandate (instead of encourage) customer enrolment for strong authentication to the TP. EPC086-13 v0.5 Page 6 of 7

34 REC 9 Deletion Where applicable should be deleted. 35 REC 11 / The definition of the term sensitive payment data in the glossary covers payment as well as authentication data. We strongly recommend making a distinction between different classes of sensitive payment data, especially payment transaction data and user authentication data. While payment transaction data are usually also known or generated by the merchant, authentication data should remain with the PSP. A further recommendation should be added to the effect that TPs should be restricted to executing only those business transactions which are essential for the specific PAAS. For example, the provider of payment initiation services should only be allowed to initiate payments and not to access non-payment accounts. Likewise, the provider of account information services should not be allowed to initiate payments. If these restrictions cannot be ensured technically, they should be contractually agreed between the TP and PSP. A violation of this principle should entitle the PSP to cancel the relevant agreement. The recommendation fails to mention that technical solutions could help to mitigate concerns regarding the protection of sensitive payment data. 36 11.6 KC It should be added that in case of misuse, PSPs should be entitled to cancel any contractual agreement. 37 11.2 BP Deletion 11.2 BP should be deleted as it is already covered by 11.4 KC. 38 12.2 KC Customers also need to be informed about the risks of involving a TP. 39 12.6 KC This should be in line with the applicable legislation. 40 Glossary A definition of secure channel should be added to the Glossary. 41 Glossary A definition of GA should be added to the Glossary. EPC086-13 v0.5 Page 7 of 7

2024 © financedocbox.com Privacy Policy | Terms of Service | Feedback