Andrew Churchill explores the impact of emerging regulations and security standards on the card and mobile payments industries worldwide.
Sometimes it is difficult for an industry to keep up with new technology threats and opportunities domestically, let alone regionally or internationally. Given the frenetic pace with which new technology is hitting the market, it is understandable for industry professionals to focus on the technology and worry about how this will sit in the market later. It is understandable but potentially dangerous.
A regulatory revolution
The regulatory environment in which new technologies will operate has been quietly evolving in the background, and now presents a different landscape to that of even a few years ago.
A couple of years back, we all knew about data protection, know your customer (KYC) requirements and strong authentication. The strictures on these were relatively straightforward, so much so that in the 2012 European Central Bank (ECB) guidance 3D-secure was defined as strong authentication.
Revised legislation and emerging security definitions have now almost overtaken the industry’s ability to comply. The plethora of sometimes conflicting requirements has left many wondering which way to turn. This is true in Europe, and a quick glance across to the first four working groups under the US Federal Reserve’s Safer and Faster Payments task forces illustrates that this is a global concern.
The scope of the various task forces includes work around managing identity, mitigating fraud, data protection and coordination of laws and regulations. These US priorities map directly onto the eIDAS Regulation (electronic identification and trust services for electronic transactions in the internal market), the revised Directive on Payment Services (PSD2) and the General Data Protection Regulation (EU GDPR). The fourth task force acknowledges that sometimes contradictory priorities can emerge.
It is this fourth area — coordination of laws and regulations — that is perhaps the issue causing most angst in the industry today. Is the safety of customers’ personally identifiable information (PII) paramount as the EU GDPR outlines, or is it more important to enable customers to grant access to their data through third party providers as the PSD2 suggests? How should anti-money laundering requirements be managed whilst respecting the right to anonymity online? Clearly these need not necessarily be mutually exclusive, but the tensions are apparent with elements of these regulations pulling in dichotomous directions.
Setting the balance
Getting the right balance of regulatory frameworks is crucial to driving innovation both within and across countries and customer segments. Ensuring that stakeholders operate within regulatory frameworks but also understand how they interrelate is central to this.
Another potential layer of complexity exists because some of this European legislation is formulated as Directives, while the rest takes the form of Regulations, a distinction that is not always fully appreciated. In the case of Regulations, the position should be relatively straightforward. Regulations are harmonised requirements across all 28 EU member states. Directives are essentially guidelines for the measures that need to be transposed into individual member states’ national legislation, potentially leading to 28 different interpretations of the same Directive.
Clearly, there is potential for complications around cross-border transactions that span two member states with differing interpretations of these requirements, or where a different balance of priorities exists between Directives and Regulations.
Disagreements on interpretations of standards can cause legal uncertainty as in the recent issues surrounding the Safe Harbour agreement. In October 2015, the European Court of Justice ruled that the Safe Harbour agreement, allowing data to be transferred between the EU and US, was invalid. This caused legal uncertainty on the status of European citizens’ data held by US companies, or merely held on US servers.
Where they are in place, standards may provide a clearer understanding of the requirements to which the regulators will hold industries to account. Where they are in development, standards can provide an invaluable opportunity for dialogue to help foster such understanding. That dialogue works in both directions: it helps the industry understand what will be expected of it, and it helps the regulators understand the industry’s point of view.