
    PSD2/Open Banking and Cyber Security: an accident waiting to happen?

    With a view to ensuring that security is at an appropriate level, PSD2 introduces new security requirements. If things go wrong, the payment service provider may be liable towards clients and third parties. The same potentially goes for managing directors and supervisory directors. In order to avoid (personal) liability, it is advisable to perform a technical and legal due diligence.

    PSD2 and Open Banking

    PSD2 caters for the possibility of third party service providers (TPPs) having access to payment accounts held at other payment service providers, the so-called 'account servicing payment service providers' (read: banks). In this regard, PSD2 makes a distinction between two types of services: payment initiation services and account information services. A 'payment initiation service' is a service to initiate a payment order with respect to a payment account held at another payment service provider.

    An ‘account information service’ is an online service to provide consolidated information on one or more payment accounts held with either another payment service provider or with more than one payment service provider. Banks are - in principle - obliged to provide access to providers of payment initiation or account information services, provided that the relevant payment accounts are accessible online and the third party service provider is duly licensed. Banks may not require a contract with the third party service provider as a condition for account access.

    Open banking creates additional security risks

    PSD2 thus forces banks to ‘open up’. Access must be granted via dedicated interfaces (APIs) or by allowing TPPs to use the existing interfaces made available to payment service users for directly accessing their payment accounts online. The involvement of TPPs obviously creates additional security risks.

    First, the data that the TPP intends to exchange with the bank can be compromised. A cybercriminal might, for example, seek to change the account number of the payee.

    A second risk is that a cybercriminal ‘steals certificates’ and presents itself as a licensed TPP. The cybercriminal can thus try to send payment batches to the bank for execution.

    A third risk is that sensitive payment data (such as personalised security credentials) are stolen from the TPP. The cybercriminal can subsequently use those credentials to log into the consumer interfaces. With TPPs under PSD2, cybercriminals have new parties to ‘attack’, and certain TPPs may well turn out to be the weakest link in the payment chain.

    New security requirements

    With a view to ensuring that security is at an appropriate level, PSD2 introduces new security requirements. Those requirements apply not only to TPPs that will obtain a PSD2 licence, but also to existing payment service providers (PSPs). One of the requirements is that PSPs must establish a framework with appropriate mitigation measures and control mechanisms to manage the operational and security risks relating to the payment services they provide. As part of that framework, PSPs shall establish and maintain effective incident management procedures, including for the detection and classification of major operational and security incidents.

    The European Banking Authority has also provided specific guidelines on those topics. Also relevant is Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication.

    Liability and protection

    If things go wrong, the payment service provider may be liable towards clients and third parties. The same potentially goes for managing directors and supervisory directors. Formal measures (e.g. fines) by the competent financial regulator are also possible. Such measures can potentially also be imposed on the directors and other officers.

    In order to avoid (personal) liability, it is advisable to perform a technical and legal due diligence. The technical due diligence will enable management to establish the status of the company's cyber resilience and to think about IT improvements. The legal due diligence will relate to contracts with the most important suppliers, third parties and clients. It will map contractual responsibilities and liabilities in case of cyber security breaches.

    The third step is to think about adequate insurance for identified (financial) risks. As cyber insurance becomes more and more common, it could well be that directors' liability will at some point be accepted if management has not taken out sufficient insurance and damages occur that cannot be paid by the company itself. As a final action point, a solid cyber security action plan is advisable.

    How can we help?

    We have a dedicated Cyber Security Team that can help you with e.g. the legal due diligence and review of insurance contracts. The team also assists companies and directors that have already been confronted with cyber attacks. Please also visit our dedicated FinTech page.

    Seminar 04-09-2018: How to protect against cyber threats

    The Board of ACAMS, Netherlands Chapter, and Van Doorne organise the seminar "How to protect against cyber threats". Speakers are Rogier Besemer, Kim Gunnink and Arno Voerman. Rogier is programme manager TIBER at De Nederlandsche Bank N.V. (DNB). TIBER stands for ‘Threat Intelligence Based Ethical Red Teaming’, DNB’s programme aiming to increase the cyber resilience of core financial systems. Kim is cyber resilience advisor at de Volksbank N.V. and discusses the human factor in cyber security. Arno talks on the challenges of PSD2/Open Banking from a cyber security perspective.