The European Commission approved rules on Monday to increase competition and toughen up security in how people pay for goods and services across the European Union, pitting banks against financial technology firms.
The rules flesh out an update to the bloc’s payment services law and are among the most disputed in recent financial regulation, sparking intense lobbying as banks and fintech firms clashed over access to customer data.
“These new rules will guide all market players, old and new, to offer better payment services to consumers while ensuring their security,” European Commission vice president Valdis Dombrovskis said in a statement.
Brussels hopes that by boosting e-commerce it can erase borders in trading to increase growth.
The revised law comes into force on 13 January, though some of the security elements approved on Monday won’t be binding until September 2019 to give banks and fintech firms time to adjust.
The rules will require two security features for payments at online or “bricks-and-mortar” shops, instead of the single password or credit card details required at present, to help crack down on fraud.
Features accepted include a password, “PIN” code, card, mobile phone, iris scan or fingerprint. Exemptions for “contactless” payments over 50 euros would continue.
The EU executive has sought to tread a fine line between banks, which complain that giving too much access to accounts could weaken security, and fintechs, which accuse banks of thwarting competition.
“At a time when cybersecurity becomes increasingly important the EU risks introducing a system for online payments that is potentially harmful for bank account holders and the banks that offer these accounts,” the European Banking Federation said in a statement.
Account holders must give permission for their data to be accessed by a licensed third party who wants to offer payment services that do away with the need for a credit card, or services that offer an overview of different accounts and balances.
In a nod to banks, the rules stop so-called “screen scraping”, in which a fintech obtains broad data by using a customer’s security credentials so that its own identity is not revealed to the bank.
In a nod to fintechs, banks will have to give access to a third party either by adapting a bank’s online customer interface, or by creating a new, dedicated interface for fintech firms. If a dedicated interface is used, there must be a “fall-back” option if it goes down.
EU states and the European Parliament have three months to object to any of the rules.