European regulators begin to signal implementation of EBA security guidelines

The European Banking Authority (EBA) published its final guidelines on the security of internet payments late last year (19 December 2014) with an implementation deadline of 1st August 2015. The guidelines are required to be implemented by payment service providers within this deadline, with an obligation to ‘make every effort’ to comply.

Member state competent authorities on the other hand are required to either comply or to explain a departure from the Guidelines and to notify their position to the EBA within 2 months of publication (of the Guidelines) in the official EU languages. This took place on the 5th of March, and so notification is required by the 5th of May.

We have set out below a list of member states that have notified compliance, and we have contacted others to enquire of their intentions.

In January, Denmark stated it will adopt the EBA Guidelines on 1 August 2015, and it was closely followed by Malta on the 23rd of January, which stated that it will be issuing a Banking Rule implementing the guidelines

In February, Luxembourg issued a circular confirming compliance, and the Dutch Central Bank similarly confirmed compliance by 1st of August.

Bafin, the German competent authority has recently completed a national consultation exercise and is expected to issue a final circular providing for a six-month transition period for compliance.

The Financial Services Commission in Gibraltar has recently confirmed their intention to comply with the EBA guidelines as well.

Significantly however the UK FCA have indicated that they will not be incorporating the obligations into their supervisory framework by the 1st of August deadline, as they are anticipating changes to IT security obligations that will be set out in the forthcoming PSD2. This is expected to reach political agreement next week at a meeting on the 5th of May, and adoption would then follow late in 2015, and implementation by mid-2017.

The FCA’s view is that the objectives are desirable, but the changes to IT security systems will soon be eclipsed by new obligations – within two years or so. The implication is that firms should not have to adopt standards that require changes to their systems, when new standards are anticipated within a short period of time. Given the time it takes small and large organizations to implement IT projects, this appears to be is a helpful position.

It is not clear what approach will be taken by other member state competent authorities; whether they will enforce against firms that delay implementation, or how they will police compliance.

[Update 18 May 2015]
The EMA has seen further responses from Austria, Finland, Latvia, Lithuania, Slovenia, Spain and Sweden all broadly indicating the intention to adopt the guidelines but with some caveats.

[Update 22 May 2015] The European Banking Authority (EBA) has now made public a compliance table (.pdf)  summarising the responses it received from EU and EEA member states.