Challenges and objectives
The security of payment instruments is an essential prerequisite for public confidence in money. It is therefore important for users of payment services to have access to effective, reliable and secure payment instruments, whether they are private individuals, businesses or public administrations.
Framework of the remit
The public authorities assigned the Banque de France the task of ensuring the security of cashless payment instruments under the Everyday Security Act of 15 November 2001 (Article L. 141-4 of the Monetary and Financial Code). This remit was expanded following the transposition of the first and then the second European Payment Services Directive (Directive 2015/2366, known as PSD2), which strengthens the security of payment transactions and access to accounts.
This remit covers all payment instruments except cash, in particular payment cards, cheques, transfers, direct debits and electronic money. It also encompasses certain special payment vouchers that not fall within the regulatory framework for traditional payment instruments and that can only be used in France, such as universal employment vouchers, luncheon vouchers, holiday vouchers and culture vouchers.
As part of its remit, the Banque de France is committed to promoting innovation and ensuring fair treatment of all stakeholders. Its recommendations to payment market players must therefore be independent of the technical solutions implemented by payment services providers (PSPs).
Implementing its remit
The Banque de France's remit of overseeing the security of payment instruments is based on five pillars: defining security objectives, the assessment of service providers prior to their authorisation, off-site controls and on-site inspections, the collection of regulatory statistics and ongoing dialogue with market players.
Defining security objectives
A number of security objectives are defined directly in the regulations governing payment service providers. In addition, the Banque de France conducts a detailed risk analysis for each payment instrument and determines the security measures required to manage these risks. These are then set out in publicly available security principles and assessment guides. The Banque de France can also refer to the Eurosystem's oversight frameworks for payment instruments.
Assessment of service providers prior to authorisation
The Banque de France contributes to the authorisation process for payment institutions (PIs) and electronic money institutions (EMIs), by drawing up an opinion for the Autorité de contrôle prudentiel et de résolution (ACPR – Prudential Supervision and Resolution Authority) on their technical, IT and organisational resources relating to the security of payment instruments for the activities proposed by the institution.
Off-site controls and on-site inspections
In order to carry out its remit, the Banque de France is authorised by law to obtain from any payment service provider any information needed to assess the security of payment instruments, terminals and associated technical systems. Within this framework, the Banque de France is notified by payment service providers of major security incidents and receives from them an annex on the security of payment instruments which is part of the annual internal control report they send to the ACPR. In addition, the Banque de France receives the results of their security principles assessments and may request supervisory interviews and put any written or oral questions to the parties concerned.
The Banque de France may carry out on-site inspections of institutions and their subcontractors in order to verify or supplement the findings of its documentary inspections. This allows it to make a more detailed and thorough assessment of specific segments of the payments market.
Regulatory statistical data collection
As part of its oversight role, the Banque de France collects regular statistical data on the use of payment instruments and the level of fraud recorded. These data are collected from both payment service providers and card payment networks, and enable the Banque de France to meet the statistical requirements of European and international regulators (the European Banking Authority, European Central Bank and the Bank for International Settlements).
Ongoing dialogue with market players
The Banque de France provides the secretariat for the Observatoire de la sécurité des moyens de paiement (OSMP – Observatory for the Security of Payment Means), which was also established by law (Article L. 141-4 of the Monetary and Financial Code). The OSMP maintains an ongoing dialogue with market players, public administrations and users on payment card fraud, by conducting monitoring work and compiling benchmark statistics. Through its participation in other interbank bodies, such as the Comité Français d'Organisation et de Normalisation Bancaire (CFONB – French Committee on Banking Organisation and Standardisation) and the Groupement Cartes Bancaires (GCB – Bank Card Grouping), the Banque de France also regularly exchanges with market players to identify new vulnerabilities and possible responses to them.
The use of means of payment in 2022