Frits Bolkestein (a member of the European Commission in charge of the Internal Market and Taxation) gave a speech in Brussels on 16 September 2003 on the security of online payments in the EU. The speech highlighted what the EU has done (since 2001) and what it intends to do in 2003/04 with regard to online security. Future plans include preparation of a new legal framework on payments in the Internal Market and a communication to stakeholders on what (if any) legislation is needed to evaluate the security of products and components.
As highlighted in his speech, the increasing use of the Internet to buy goods/services or manage bank accounts means that companies that wish to provide this type of service over the Internet have to provide a secure means by which customers (whether they are companies or individuals) can pass their bank and other personal details. There is nothing more damaging to a company than the publicity of a hacker stealing, or a computer error revealing, customer information (whether to other customers or the public in general).
Ensuring security and confidentiality of customer information is not as easy as it sounds. Even though technology is constantly being developed to keep up with the pace of growth of the Internet, companies may never be able to give a cast-iron guarantee that customer information will be kept secure and remain confidential. As fast as technology is developed to protect, technology is developed to hack. And of course, no technology is human-error-proof!
The European Commission is continually looking at ways to make the online environment safe by ensuring that adequate legal protection is given to those who use it, either as part of their business or in their private life.
On 28 May 2001, the EC launched an initiative against fraud and counterfeiting affecting payment cards, electronic money, cheques, home banking and other non-cash means of payment. Member States were required to implement suitable measures necessary to comply by 2 June 2003.
The framework decision proposes a joint action by EU Member States to make fraud, using all forms of non-cash transactions, a criminal offence throughout the EU. The framework decision lists the various types of behaviour which could be criminal offences e.g., theft or other unlawful appropriation of a payment instrument, receiving, obtaining, transporting, sale or transfer to another person etc.
The framework decision gives Member States the power to impose penalties which are (depending on whether natural or living individuals commit them) “effective, proportionate and dissuasive”.
It is also important to ensure that goods or services ordered over the Internet can be paid for by using a secure method of payment. So far, the traditional method of payment is by credit or debit cards. But as the Internet becomes a larger part of everyday life and a paradise for computer hackers, businesses fear that consumers will avoid online payment.
Electronic money is an alternative method of payment being looked at (as well as e-money wallets) by banks. The EU has implemented two Directives to deal with electronic money. Directive 2000/28/EC amends Directive 2000/12/EC relating to the taking up and pursuit of the business of credit institutions and Directive 2000/46/EC on the taking up, pursuit of and prudential supervision of the business of electronic money institutions. These two Directives are known as the E-Money Directives. They provide:
- that electronic money may only be issued by supervised institutions which meet certain legal and financial conditions; and
- for electronic money institutions to be treated as credit institutions for some, but not all, purposes.
Directive 2000/46/EC defines electronic money as:
“an electronic surrogate for coins and banknotes, which is stored on an electronic device such as a chip card or computer memory and which is generally intended for the purpose of effecting electronic payments of limited amounts”.
There are areas in the E-Money Directives which are not dealt with sufficiently and it is likely that the EU will introduce further legislation to deal with their shortcomings. Directive 2000/46/EC gives the holder of electronic money a right to ask the issuer to redeem it at par value in coins and bank notes or by transfer to an account.
The United Kingdom has implemented the E-Money Directives in the following legislation:
- the Financial Services and Markets Act 2000 (Regulated Activities) (Amendments) Order 2002 which came into force on 11 April 2002 “for the purpose of making rules under articles 9G and 9H” of the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 and 27 April 2002 “for all other purposes” (the “2002 Order”); and
- the Electronic Money (Miscellaneous Amendments) Regulations 2002 which came into force on 27 April 2002 (the “2002 Regulations”).
In summary, the 2002 Order and 2002 Regulations provide:
- that the issuing of electronic money is to be a regulated activity under the Financial Services and Markets Act 2000 (“FSMA”) – defining electronic money as “monetary value represented by a claim on the issuer which is (a) stored on an electronic device; (b) issued on receipt of funds; and (c) accepted as a means of payment by persons other than the issuer” (Section 2 of the FSMA);
- that the Financial Services Authority now has the power to grant waivers on a case-by-case basis to Electronic Money Institutions (referred to as EMIs who are defined as institutions that wish to provide money or money equivalent tokens to consumers trading on the Internet) so that waived firms will not be treated as carrying on regulated activities; and
- that those issuing electronic money before 27 April 2002 will not be subject to the regulation for 6 months after which they must have permission under the FSMA.
The 2002 Order and 2002 Regulations amend certain references to “credit institutions” in UK legislation so that they do not include references to EMIs.