European supervisor offers some flexibility on deadline for strong customer authentication

New EU standards for securing electronic payments apply from 14 September. In response, payment firms have been developing strong customer authentication procedures, but some may not be ready in time. So the European Banking Authority has suggested that regulators could give some firms extra time to apply SCA.

Background to strong customer authentication

What is SCA?

SCA involves authenticating a payment based on two out of the following three elements: 

  • knowledge (something only the user knows, like a password)
  • possession (something only the user has, like credit card)
  • inherence (something the user is, like a fingerprint).

The elements must be independent so that the breach of one does not compromise the reliability of the others. The authentication process must also keep the payer’s security credentials confidential.

What do the rules mean?

From 14 September 2019, EU firms providing payment services must apply these new authentication standards in certain scenarios e.g. when a payer accesses her account online or tries to make an electronic payment.

For many payment service providers, this means developing SCA-compliant processes and investing in hardware systems and/or new communication interfaces.

EBA opinion

What has the EBA said?

The EBA has published an opinion on SCA in which it acknowledges that implementing the new standards in time might be difficult for some. The EBA says that it cannot postpone the deadline for compliance but that national regulators may on “an exceptional basis” give additional time to allow firms to prepare.

What are the conditions?

The EBA says that the additional time must be limited. Payment service providers must have agreed a plan with their regulator for meeting the new rules. This plan must also be executed “in an expedited manner”. Even so, where this regulatory flexibility is applied, firms should have some breathing space to finish building their SCA processes and systems and communicate the changes with customers.

Examples of SCA

What could be used to comply with SCA?

The opinion also suggests whether some authentication approaches which are already used in the market may comply with SCA.

For example, according to the EBA:

  • knowledge may include passcodes, PINs and memorised swiping paths (but not email addresses or user names)
  • possession of a card can be evidenced by a card reader or a QR code (but an app installed on a phone would not be sufficient)
  • inherence covers iris scanning, voice recognition and keystroke dynamics (but not memorised swiping paths).
What happens next?

EBA actions

The legal deadline for implementing SCA has not changed. The EBA says it does not plan to publish any more guidance on SCA other than via its Q&As. It will, however, specify later in the year a long-stop date by which plans agreed with regulators to migrate to SCA standards need to be completed.

UK regulator response

The UK Financial Conduct Authority has released a response to the EBA opinion. The FCA aims to quickly agree a migration plan with the industry for the implementation of SCA. According to the FCA, the resulting blueprint will include a timetable with milestones and targets for compliance and a final delivery date.

The FCA says it will not take enforcement action against firms for non-compliance with SCA standards from 14 September 2019 provided that those firms can show that they are complying with the migration plan.