ESBG Position Paper on Draft EBA Guidelines on the security measures for operational and security risks of payment services under PSD2
Question 1: Do you agree with the level of detail set out in the Guidelines as proposed in this Consultation Paper or would you have expected more or less detailed requirements on a particular aspect of the Guidelines? If not, please provide your reasoning.
ESBG welcomes the opportunity to review and comment on these draft Guidelines.
ESBG overall welcomes these draft Guidelines as they aim to establish an appropriate set of high-level requirements regarding the security measures to be taken for the operational and security risks arising from the implementation of PSD2. However, while ESBG recognises that this approach may make the Guidelines more stable over time, we would have expected additional detail on the security measures, in order to help new payment service providers (PSPs) comply with the requirements under PSD2. Security measures are specific by nature and, contrary to legal rights and obligations, which can be set through high-level principles, need detailed requirements in place.
Also, ESBG considers it needs to be taken into account that cybersecurity in particular cannot be treated or regulated with proportionality criteria. All companies should prevent cyber-attacks; this must not be limited to the largest companies. As the European Parliament stated in its recently approved FinTech Report, “a connected system is only as safe as its weakest element”, and due to the interconnectedness of the financial sector, it will be critical that every PSP ensures the same level of cybersecurity. Therefore, even though it initially makes sense to apply proportionality criteria to facilitate smaller PSPs’ compliance with the Guidelines, and ESBG encourages authorities to do so, ESBG believes this cannot be done in a way where the level of security is lessened for those smaller PSPs or where they can benefit from waivers in the field of security. Proportionality may be applied to business continuity plans, for example, but not to cybersecurity or physical security measures. Therefore, ESBG believes that the proposed Guidelines should apply to all PSPs, regardless of their size or type of PSP. And considering that national competent authorities (NCAs) will be able to apply proportionality to PSPs, ESBG deems it necessary that the EBA proposes some criteria that NCAs should take into account when applying proportionality.
Additionally, ESBG would kindly remind the EBA that currently there is no pan-European framework for improving critical infrastructure cybersecurity equivalent to the US NIST Framework, and that a similar one should be in place in the European regulatory environment. Therefore, ESBG would support a recommendation from the EBA to the European Commission entrusting a European authority or specialised agency with the definition of such a framework; this could be delivered, for instance, by ENISA, as its remit is currently being reviewed by the Commission. Furthermore, ESBG would like to recall the issue of the current overlap of reporting obligations regarding (cyber) security-related incidents to different authorities (national and European) on different timelines. ESBG believes a one-stop-shop mechanism should be established for every report related to PSD2, NIS, GDPR and eIDAS.
Finally, even though PSD2 requires NCAs to undertake a periodic assessment of the operational and security risks related to payment services, ESBG is of the opinion that EBA should: (i) clarify and provide guidance on the criteria that NCAs should take into account to require a PSP to submit the assessment with a frequency shorter than one year (ESBG believes that the frequency should be shorter in particular for new PSPs, at least during an initial phase-in period); and (ii) withdraw PSPs that are also banks from these assessments, as they are already subject to the SREP ICT Risk Assessment.
Question 2: Do you agree with the proposed Guideline 1 on Governance? If not, please provide your reasoning.
Guideline 1.6 (Risk management and control models) – apart from the security measures being audited by internal or external independent and qualified auditors, ESBG considers this Guideline should include a statement regarding the certification required for the auditing of security measures, especially under PSD2. ESBG believes the audit should be performed either by a certified auditor or by the PSP itself once it has obtained the relevant external qualification. For instance, in the case of card payments, the PCI Security Standards Council has defined a set of requirements for being recognised as a Qualified Security Assessor (QSA). This approach could be extended to other types of payments.
In addition, in relation to the frequency of such audits, ESBG is of the view that where a PSP has not been operational for a minimum period of time (e.g. 3 years), its NCA should request the PSP to perform an independent external audit of the security measures.
Guidelines 1.7-8 (Outsourcing) – similar to the previous paragraphs, ESBG believes that the EBA could indicate that NCAs should define and agree on a common European certification process to assess the security level of the providers to which payment services are outsourced.
Question 3: Do you agree with the proposed Guideline 2 on Risk assessment? If not, please provide your reasoning.
Question 4: Do you agree with the proposed Guideline 3 on Protection? If not, please provide your reasoning.
Guideline 3.5 (Data and systems integrity and confidentiality) – due to the recent ongoing developments relating to the RTS on strong customer authentication and common and secure communication, there is a severe risk that Payment Initiation Service Providers (PISPs) or Account Information Service Providers (AISPs) will be allowed to access, store and use the personalised security credentials (PSCs) of payment service users (PSUs). So, in order to protect PSUs’ sensitive payment data, in particular PSCs, ESBG is of the opinion that these Guidelines should include a requirement that enhanced security measures be taken by PISPs and AISPs when they access, store and use the PSCs of PSUs.
Guideline 3.7 (Data and systems integrity and confidentiality) – in order for PSPs, especially account servicing payment service providers (ASPSPs), to correctly apply the data minimisation principle, these Guidelines could indicate that PSUs should give clear, direct consent for every item of transactional payment data that PSPs (in particular account information service providers, AISPs) can access.
Question 5: Do you agree with the proposed Guideline 4 on Detection? If not, please provide your reasoning.
Question 6: Do you agree with the proposed Guideline 5 on Business continuity? If not, please provide your reasoning.
Guideline 5.5 (Scenario-based business continuity planning) – ESBG believes that Guideline 5.5 could state that in cases of termination of operations, PSPs should ensure that data and PSCs stored on their systems are thoroughly and permanently erased once the applicable legal retention period has expired.
Question 7: Do you agree with the proposed Guideline 6 on Testing of security measures? If not, please provide your reasoning.
Guideline 6.3 (Testing of security measures) – considering that the manufacturing of most of the payment terminals and devices used for the provision of payment services might be outsourced to external companies, and that these will be entitled to obtain independent security certificates, ESBG considers that outsourcing PSPs should not be required to repeat the testing of the same terminals and devices that have already been certified.
Guideline 6.5 (Testing of security measures) – regarding the periodicity of the testing of security measures, ESBG considers that these Guidelines should also provide a timeline for the periodic review of non-critical systems, especially considering that the classification of a system as critical or non-critical is the responsibility of PSPs themselves, so that the Guidelines as drafted might create unintended incentives to classify systems as non-critical.
Guideline 6.6 (Testing of security measures) – this Guideline should include a specific deadline for the fixing of deficiencies discovered through tests conducted, based on the criticality of the assets affected and the severity of the security deficiencies.
Question 8: Do you agree with the proposed Guideline 7 on Situational awareness and continuous learning? If not, please provide your reasoning.
Guideline 7.1 (Threat landscape and situational awareness) – it could be beneficial for the EBA to promote the setup of working groups with European authorities dealing with fraud and cybersecurity in payments, in order to define the type and level of information to be shared and thereby achieve broader awareness of payment fraud and cybersecurity issues.
Question 9: Do you agree with the proposed Guideline 8 on PSU relationship management? If not, please provide your reasoning.
Guideline 8.7 (PSU secure communication and reporting procedures) – in addition to PSUs being informed of suspected security breaches, ESBG believes that this Guideline should indicate that any PSP indirectly affected by the suspected breach should also be informed by the PSP directly affected. Moreover, in order to give PSUs a certain decision-making power, this Guideline could add that PSUs should have the right to revoke the consent given to a PSP for storing and using their PSCs.
Question 10: Do you consider the extent of the requirements proposed in the Guidelines to be sufficient and clear? If not, please provide your reasoning.
About ESBG (European Savings and Retail Banking Group)
The European Savings and Retail Banking Group is a Brussels-based association that helps its member savings and retail banks thrive, focus on providing service to local communities and boost SMEs. ESBG brings together nearly 1000 savings and retail banks in 21 European countries that believe in a common identity for policy in Europe. Its members represent one of the largest European retail banking networks, comprising one-third of the retail banking market in the European Union, with 190 million customers, more than 60,000 outlets, total assets of €7.1 trillion, non-bank deposits of €3.5 trillion, and non-bank loans of €3.7 trillion. ESBG members come together to agree on and promote common positions on relevant regulatory or supervisory matters.
European Savings and Retail Banking Group – aisbl. Rue Marie-Thérèse, 11, B-1000 Brussels. Tel: +32 2 211 11 11. Fax: +32 2 211 11 99. Info@wsbi-esbg.org, www.wsbi-esbg.org
Published by ESBG. August 2017.