Whose Regulation Is It Anyway?

Andrew Churchill explores the impact of emerging regulations and security standards on the card and mobile payments industries worldwide.

Sometimes it is difficult enough for the industry to keep up with new technology threats and opportunities domestically, let alone regionally or internationally. Given the frenetic pace with which new technology is hitting the market, it is understandable for industry professionals to focus on the technology and worry about how this will sit in the market later. It is understandable but potentially dangerous.

THE REGULATORY REVOLUTION

The regulatory environment in which new technologies will operate has been quietly evolving in the background, and now presents a different landscape to that of even a few years ago. A couple of years back, we all knew about data protection, know your customer (KYC) requirements and strong authentication. The strictures on these were relatively straightforward to comply with, so much so that in the 2012 European Central Bank (ECB) guidance 3D Secure used to be defined as strong authentication.

Revised legislation and emerging security definitions have now almost overtaken the industry’s ability to comply. The plethora of sometimes conflicting requirements has left many wondering which way to turn. This is true in Europe, and a quick glance across to the first four working groups under the US Federal Reserve’s Safer and Faster Payments task forces illustrates that this is a global concern.

The scope of the various task forces includes work around managing identity, mitigating fraud, data protection and co-ordination of laws and regulations. These US priorities map directly onto the eIDAS Regulation (electronic identification and trust services for electronic transactions in the internal market), the revised Directive on Payment Services (PSD2) and the General Data Protection Regulation (EU GDPR). The fourth task force acknowledges that sometimes contradictory priorities can emerge.

It is this fourth area — co-ordination of laws and regulations — that is perhaps the issue causing most angst in the industry today. Is the safety of customers’ personally identifiable information (PII) paramount as the EU GDPR outlines, or is it more important to enable customers to grant access to their data through third party providers as the PSD2 suggests? How should anti-money laundering requirements be managed whilst respecting the right to anonymity online? Clearly these need not necessarily be mutually exclusive, but the tensions are apparent with elements of these regulations pulling in dichotomous directions.

GETTING THE BALANCE RIGHT

Getting the right balance of regulatory frameworks is crucial to driving innovation both within and across countries and customer segments. Ensuring that stakeholders operate within regulatory frameworks but also understand how they inter-relate is central to this.

Another potential layer of complexity exists as some of these European legislations are formulated as Directives, while others are Regulations — a distinction that is not always fully appreciated. In the case of Regulations, the position should be relatively straightforward. Regulations are harmonised requirements across all 28 EU member states. Directives are essentially guidelines for the measures that need to be transposed into individual member states’ national legislation, potentially leading to 28 different interpretations of the same Directive.

Clearly, there is potential for complications around cross-border transactions, which span two member states with differing interpretations of these requirements, or where a different balance of priorities exists between Directives and Regulations.

Disagreements on interpretations of standards can cause legal uncertainty as in the recent issues surrounding the Safe Harbour agreement. In October 2015, the European Court of Justice ruled that the Safe Harbour agreement, allowing data to be transferred between the EU and US, was invalid. This caused legal uncertainty on the status of European citizens’ data held by US companies, or merely held on US servers. Urgent steps to redress this through the EU-US Privacy Shield may or may not meet the intended due date of June 2016. Even in advance of adoption, concerns are growing that this too could be set aside by the courts.

SETTING THE STANDARDS

Where they are in place, standards may provide a clearer understanding of the requirements to which the regulators will hold industries to account. Where they are in development, standards can provide an invaluable opportunity for dialogue to help foster such understanding. This works in both directions: it tells the industry what will be expected of it, and it assists the regulators’ understanding of the industry’s point of view.

With regard to identity and authentication standards, and how they fit with wider data protection considerations within the payments and mobile industries, the British Standards Institution and MIDAS Alliance are now developing a publicly available specification (PAS) standard to address these issues and provide an opportunity for all interested parties to engage.

Andrew Churchill is a security consultant to industry and government, secretary of the MIDAS Alliance, and technical author on the forthcoming BSI standard on identity and authentication.