Banks win, consumers lose in security rules proposed on electronic payments

PRESS STATEMENT - 23.02.2017

Today the European Banking Authority proposed new security requirements for all electronic payments in the EU. These rules leave a lot to be desired when it comes to tackling fraud, which is the reason the rules are being introduced in the first place. In the Eurozone the value of all fraudulent transactions using cards online amounted to €1.44 billion in 2013, which represented an increase of 8% from 2012 [1]. 


The EBA has proposed a threshold for payments of €30 below which none of the new security features would apply and, for payments between €30 and €500, the security measures would only apply depending on the rate of fraud at the bank. This is unacceptable because it would exempt a high number of consumer transactions from the new security rules.

Monique Goyens, Director General of BEUC, The European Consumer Organisation, said: “Stronger rules to make electronic payments safer are desperately needed. The financial and psychological impact of somebody making a fraudulent transaction on your behalf can be extremely damaging.

“Unfortunately in some areas these rules are illogical. What is the reasoning for exempting all remote payments of less than €30? As a result, many of our daily payments will not be secure and will more easily pass under the radar.

“The EBA is also proposing that banks apply the new security measures depending on the rate of fraud on the bank’s books, rather than applying the same level of security to all payments. But that’s like asking the fox to guard the henhouse. Only the banks have access to this data and it will be near impossible for public authorities to assess if banks are breaking the rules.”

The security requirements issued today are part of the Payment Services Directive 2, which became EU law in 2015. The EU had tasked the European Banking Authority with drawing up these technical rules which now need to be approved by the European Commission, the European Parliament and national governments before they, in turn, become EU law.

BEUC now urgently calls on the EU institutions to take stock of these concerns and make sure the principle of consumer protection, as it was enshrined in the Payment Services Directive 2, is not watered down. The credibility of the electronic payment system is at stake!


 [1] Most transactions online by card simply require the cardholder’s name, the card number and the CVV code on the back of the card to authorise a transaction. A thief who has stolen the card can easily make use of the card.

For more information on this issue, BEUC recently a blog.