SECURITY

The Polish FSA issues new payment security guidelines

E-Finance & Payments Law & Policy - December 2015

In November, the Polish Financial Supervision Authority ('FSA') issued a 'Recommendation on the security of online payment transactions made by banks, national payment institutions, national electronic money institutions and savings and credit unions' ('Recommendation'). It aims to harmonise the minimum requirements for the security of online payments made in connection with the provision of payment services. Maciej Gawronski and Joanna Galajda of Bird & Bird assess the objectives of the Recommendation and the potential for conflicts to arise between payment service providers and consumers.

The Recommendation presents the FSA's expectations of payment service providers ('PSPs') as regards adequate and safe rules for online payment solutions, and adequate control mechanisms in this field. The Recommendation is based on European standards, in particular the 'Recommendations for the security of internet payments' issued by the European Forum on the Security of Retail Payments (SecuRe Pay), in force since 1 February 2015, and the 'Guidelines on the security of internet payments' (EBA/GL/2014/12) issued by the European Banking Authority ('EBA'), in force since 1 August 2015.

The Recommendation is in line with the European guidelines but strengthens certain recommendations, in particular the provisions on secure access to customers' payment accounts by access devices. At the same time, the Recommendation identifies the need to substantially reduce the risk of stolen customer identities being used to open payment accounts via wire transfer for fraudulent purposes (Recommendation 6.1). The Recommendation is much more detailed than the European guidelines and allows much less flexibility in implementation.

The recommendations

The Recommendation is composed of 14 recommendations, divided into three sections: 1. Principles and organisational measures for process management and risk assessment; 2. Specific control and security measures for online payments; and 3. Customer awareness, education and communication.

Section 1

Sets out the security policy expected of banks, credit unions and other institutions, and highlights risk management and the handling of suspicious transactions by these stakeholders. PSPs should have a formal security policy and regularly carry out detailed risk assessments of online payment and related services, making changes where necessary. The analysis should take into account, inter alia, the technology used, the technical environment and outsourcing arrangements.

Section 2

PSPs should always use strong customer authentication for online payments and for access to sensitive payment data, except in exceptional cases. The Recommendation also states that PSPs should provide customers with safe tools for authorising online transactions, and should adopt a general focus on transaction security. PSPs should also use appropriate systems to help identify and block fraudulent transactions.

Section 3

Educational activities should take place through regular information campaigns and ad hoc warnings of threats, as well as ongoing communication with customers via a secure information channel.

The key objectives

The Recommendation's main purpose is to protect customers' interests when making online payments. The most important recommendations are as follows:

Recommendation 6 - Verify the customer's identity prior to the online payment. Banks should be required to confirm the customer's personal identity when opening a new account via wire transfer. In practice, this restricts the opening of bank accounts via wire transfer, which is currently offered by many Polish banks (see 'Wire transfers' below).

Recommendation 6.2 - PSPs should inform customers how to use authentication data safely and how to keep this information secure, and should remind them not to share it with any third parties.

Recommendation 7 - PSPs should apply strong customer authentication, based on a combination of two authentication methods.

Recommendation 9 - PSPs should limit the number of log-in or authentication attempts, define session time-out rules for internet payment services, and set time limits on the validity of authentication.

Recommendation 12 - PSPs should provide customers with assistance and support for safe online transactions, and should communicate with them in a way that allows the authenticity of received messages to be confirmed. Banks and credit unions should ensure safe ways of communicating with customers, and customers should be informed that only information received in this way is safe and credible. The Recommendation also emphasises the need to educate customers appropriately about protecting sensitive data.

Recommendation 13 - PSPs should set amount limits for internet payment services and give customers the possibility to change such limits.

Wire transfers

Polish banks commonly use wire transfers as an identification tool: customers can open new accounts simply by transferring funds. Instead of having to visit the bank or financial institution in person, the customer need only provide their personal information in an online form and confirm those details by wire transfer. This method is practical and saves time, but it increases the risk of identity theft.

The Polish Banks Association ('PBA') identified this problem and in December 2014 issued a recommendation on how to secure the procedure of identification via wire transfer. Later, the PBA even suggested stopping the practice altogether.

The FSA has also noticed the increasing risk related to customer identification through wire transfer and addressed it in the Recommendation. The first draft of the Recommendation prohibited this identification method, but the prohibition was not included in the final version. Recommendation 6 in the final version allows customers to open bank accounts by confirming their identity via wire transfer, but imposes an additional requirement on banks: if an account was opened via wire transfer, the bank must not allow the customer to use that account to open a new account at another bank by the same procedure. This will require banks to determine whether a given transfer order is made from an account that was itself opened via wire transfer.

Recommendation 6 aims to protect customers against cyber crime. It states that: 'PSPs shall ensure the integrity of the application process for a payment account contract and of placing an order to make a bank transfer to open an account.'

Phishing is a common form of cyber crime used to obtain the confidential data needed for log-in and transfer authorisation, and data obtained by phishing is used to open new accounts via the transfer identification method. Opening a fake account in this way is simple: thieves publish a fictitious job offer asking candidates to provide their personal information, which is then used to apply for a new account. They then ask the candidate to transfer a small amount to the new account; the bank treats the transfer as confirmation of identity and the account is opened.

Once the fake account is opened, the thieves can use it to open the next fake account via wire transfer. These fake accounts can then be used to receive money from fake online auctions, for money laundering, and for introducing funds derived from illegal sources into the financial system.

Conclusion

The Recommendation focuses mainly on technical and organisational issues. In our opinion, the Recommendation to a certain extent removes payment institutions' responsibility for actual risk assessment of online transactions. The Recommendation says relatively little about risk management performed by customers and their responsibility for this risk. We believe that this is the main area where conflicts of interest between PSPs and customers will materialise; in other words, it will be the main area of future disputes.

If this Recommendation were directed at banks alone, the FSA's approach would be disappointing. However, there is method in its madness. The payment institution sector is much larger than the banking sector. The FSA apparently decided that the most urgent requirement was to provide practical solutions and a reference point for the sector, rather than high-level principles, in the hope that the fast-growing FinTech market will understand what is really expected of it.

One may have reservations about the subtlety of the FSA's approach, but the effectiveness and practicality of its actions should not be underestimated.

Maciej Gawronski, Partner
Joanna Galajda, Associate
Bird & Bird, Poland
Maciej.Gawronski@twobirds.com
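The Section 2 controls listed under Recommendations 7, 9 and 13 above (two-factor strong customer authentication, a cap on log-in and authentication attempts, a session time-out, a validity window for authentication, and a customer-adjustable amount limit) are easiest to reason about as one authorisation state machine. The following Python is an added example written for this page; it is not code from the FSA, from the authors or from any bank. The constant values, the PBKDF2 password hashing, the six-digit one-time code standing in for the second factor, and the explicit `now` clock argument are assumptions made for the demonstration.

```python
# Illustrative model of the Section 2 controls (Recommendations 7, 9 and 13).
# Added example, not part of the FSA Recommendation or of any bank's system.
# Limit values, hashing parameters and names are assumptions for the demo.
from dataclasses import dataclass
import hashlib
import hmac
import secrets
from typing import Optional

MAX_FAILED_ATTEMPTS = 3     # Recommendation 9: cap on log-in/authentication attempts
OTP_VALIDITY_SECONDS = 120  # Recommendation 9: time limit on validity of authentication
SESSION_IDLE_SECONDS = 600  # Recommendation 9: session time-out
DEFAULT_LIMIT = 1000        # Recommendation 13: default transfer limit (assumed value)


@dataclass
class Customer:
    salt: bytes
    password_hash: bytes
    transfer_limit: int = DEFAULT_LIMIT
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class Session:
    customer_id: str
    last_activity: float
    pending_otp: Optional[str] = None   # second factor (possession), sent out of band
    otp_issued_at: float = 0.0
    strong_auth_done: bool = False      # Recommendation 7: both factors passed


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Bank:
    def __init__(self) -> None:
        self.customers: dict[str, Customer] = {}

    def enrol(self, cid: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.customers[cid] = Customer(salt, _hash(password, salt))

    def login(self, cid: str, password: str, now: float):
        """First factor (knowledge). Returns (session or None, reason)."""
        c = self.customers.get(cid)
        if c is None or c.locked:
            return None, "locked_or_unknown"
        if not hmac.compare_digest(_hash(password, c.salt), c.password_hash):
            c.failed_attempts += 1
            if c.failed_attempts >= MAX_FAILED_ATTEMPTS:
                c.locked = True             # Recommendation 9: attempt limit reached
            return None, "bad_password"
        c.failed_attempts = 0
        s = Session(cid, now)
        s.pending_otp = f"{secrets.randbelow(10**6):06d}"  # would go to the customer's device
        s.otp_issued_at = now
        return s, "otp_required"

    def confirm_otp(self, s: Session, otp: str, now: float) -> str:
        """Second factor (possession); completes strong customer authentication."""
        c = self.customers[s.customer_id]
        if s.pending_otp is None:
            return "no_otp_pending"
        if now - s.otp_issued_at > OTP_VALIDITY_SECONDS:
            s.pending_otp = None
            return "otp_expired"            # Recommendation 9: authentication validity window
        if not hmac.compare_digest(otp.encode(), s.pending_otp.encode()):
            c.failed_attempts += 1          # OTP guesses count towards the same cap
            if c.failed_attempts >= MAX_FAILED_ATTEMPTS:
                c.locked = True
                s.pending_otp = None
                return "locked"
            return "bad_otp"
        c.failed_attempts = 0
        s.pending_otp = None
        s.strong_auth_done = True
        s.last_activity = now
        return "authenticated"

    def _check_session(self, s: Session, now: float) -> Optional[str]:
        if now - s.last_activity > SESSION_IDLE_SECONDS:
            s.strong_auth_done = False      # idle session must re-authenticate
            return "session_timed_out"      # Recommendation 9: session time-out
        if not s.strong_auth_done:
            return "strong_auth_required"
        s.last_activity = now
        return None

    def authorise_transfer(self, s: Session, amount: int, now: float) -> str:
        err = self._check_session(s, now)
        if err:
            return err
        if amount > self.customers[s.customer_id].transfer_limit:
            return "over_limit"             # Recommendation 13: amount limit enforced
        return "authorised"

    def set_transfer_limit(self, s: Session, new_limit: int, now: float) -> str:
        """Recommendation 13: the customer may change the limit, but only inside
        a fully authenticated session, since raising it is itself sensitive."""
        err = self._check_session(s, now)
        if err:
            return err
        self.customers[s.customer_id].transfer_limit = new_limit
        return "limit_updated"
```

Two design choices are worth noting. Failed attempts on either factor feed the same lock-out counter, so an attacker who has phished the password cannot brute-force the one-time code separately. A session that exceeds the idle window has its strong-authentication flag cleared rather than being silently refreshed, so the next transfer is refused until both factors are presented again.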
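The phishing chain described under 'Wire transfers' above, and the sending-bank check that the final version of Recommendation 6 requires, can be simulated to see exactly what each version of the rule stops. The following Python is an added example written for this page; it is not the FSA's, the PBA's or any bank's code. It assumes that each bank records how an account was opened and that an account-opening ('identification') transfer is recognisable to the sending bank, which is modelled here by a constructed purpose code on the transfer order; the bank names, IBAN-like identifiers and customer name are constructed sample data.

```python
# Simulation of the wire-transfer identification chain and the Recommendation 6
# (final version) sending-bank check. Added example, not the FSA's or any bank's
# code. Purpose codes, bank names and identifiers are constructed assumptions.
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Opened(Enum):
    IN_PERSON = "in_person"          # identity verified at a branch
    WIRE_TRANSFER = "wire_transfer"  # identity taken on trust from an incoming transfer


class Policy(Enum):
    NO_RULE = "no_rule"          # practice before the Recommendation
    PROHIBIT = "prohibit"        # first draft: identification by wire transfer banned
    BREAK_CHAIN = "break_chain"  # final version: an account opened by wire transfer
                                 # may not be used to open another by the same method


@dataclass
class Account:
    iban: str
    holder: str
    opened: Opened


@dataclass
class TransferOrder:
    source_iban: str
    sender_name: str      # name on the source account, as seen by the receiving bank
    declared_name: str    # name entered in the online account application
    amount: int
    purpose: str          # constructed marker: "IDENT" = identification transfer


class Bank:
    def __init__(self, name: str, policy: Policy) -> None:
        self.name, self.policy = name, policy
        self.accounts: dict[str, Account] = {}

    def _new_iban(self) -> str:
        return f"{self.name}-{len(self.accounts) + 1:04d}"   # constructed, not a real IBAN

    def open_in_person(self, holder: str) -> Account:
        acct = Account(self._new_iban(), holder, Opened.IN_PERSON)
        self.accounts[acct.iban] = acct
        return acct

    def check_outgoing(self, order: TransferOrder) -> str:
        """Sending-bank side: the final Recommendation 6 requires the bank to know
        whether an identification transfer is ordered from an account that was
        itself opened via wire transfer, and to refuse it if so."""
        src = self.accounts.get(order.source_iban)
        if src is None:
            return "reject: unknown source account"
        if (order.purpose == "IDENT" and self.policy is Policy.BREAK_CHAIN
                and src.opened is Opened.WIRE_TRANSFER):
            return "reject: source account was itself opened via wire transfer"
        return "allow"

    def open_by_transfer(self, order: TransferOrder) -> Optional[Account]:
        """Receiving-bank side: treat an incoming identification transfer as
        confirmation of the applicant's identity."""
        if self.policy is Policy.PROHIBIT or order.purpose != "IDENT":
            return None
        if order.sender_name != order.declared_name:
            return None   # transfer must come from an account in the applicant's name
        acct = Account(self._new_iban(), order.declared_name, Opened.WIRE_TRANSFER)
        self.accounts[acct.iban] = acct
        return acct


def run_phishing_chain(policy: Policy, hops: int = 3) -> list[str]:
    """The scheme from the article: the victim holds a branch-opened account at the
    first bank; the thief, using the victim's phished details, has the victim send
    a small identification transfer that opens an account in the victim's name at
    the next bank, then repeats the step from that account. Returns the banks at
    which fake accounts were opened."""
    banks = [Bank(f"Bank{chr(65 + i)}", policy) for i in range(hops + 1)]
    victim_name = "Jan Kowalski"                      # constructed sample name
    source_bank, source = banks[0], banks[0].open_in_person(victim_name)
    opened: list[str] = []
    for dest_bank in banks[1:]:
        order = TransferOrder(source.iban, source.holder, victim_name, 1, "IDENT")
        if source_bank.check_outgoing(order) != "allow":
            break
        fake = dest_bank.open_by_transfer(order)
        if fake is None:
            break
        opened.append(dest_bank.name)
        source_bank, source = dest_bank, fake
    return opened
```

Running the chain under the three policies shows the practical difference between the draft and the final text: with no rule the thief opens an account at every bank in the chain, the first draft's prohibition opens none, and the final rule lets the first fake account open (the identification transfer comes from the victim's genuine, branch-opened account) but stops the second hop, because that transfer would originate from an account the sending bank knows was opened via wire transfer. The residual first hop is exactly the customer-side risk the Conclusion above points to.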