European supervisor sets new deadline for strong customer authentication
Rules for payment service providers requiring strong customer authentication for some electronic payments have, strictly speaking, applied since 14 September 2019. But, earlier in the year, the European Banking Authority suggested that firms could be given extra time to implement SCA. It has now set a long-stop date for completing the move to SCA, but it is a shorter timeframe than that proposed by most of the industry and some regulators, including the UK’s FCA.
SCA migration to be completed by the end of 2020
The EBA has published an opinion calling for payment service providers’ migration to SCA to be completed by 31 December 2020. This is three months shorter than the 18-month extension period which, based on an EBA survey, was requested by most of the industry.
In the UK, following industry discussions, the Financial Conduct Authority had announced it would delay enforcing SCA for e-commerce card transactions until March 2021. The Banque de France had also had indicated that more time would be needed for full SCA compliance. It is unclear how the FCA and Banque de France will respond to the latest EBA announcement. Most other national regulators were waiting for the EBA to announce an EU-wide deadline.
Before SCA took effect in September, the EBA had suggested that some payment service providers may be given additional time to prepare for SCA in relation to e-commerce card transactions. That additional time does not cover SCA for accessing online banking (although, separately, the FCA has allowed a six-month grace period for this in the UK).
Why did the EBA not provide a longer extension?
The EBA opinion acknowledges the calls from industry for an 18-month extension but notes that:
- the request for a longer extension was based, in part, on the time it would take for specific technology (the 3DS V2.2 communication protocol) to be developed which is not, in the EBA’s view, the only way to achieve SCA compliance;
- that technology would factor in the full range of exemptions available for SCA but, in the EBA’s view, this was not reason enough to delay the general application of the rules; and
- the relevant technical standards have been public for long enough for the industry, in the EBA’s view, to have implemented the necessary IT changes.
For these reasons, the EBA concluded that providing “supervisory flexibility” until the end of next year should allow enough time for payment service providers, and merchants, to complete the move to SCA.
What is SCA?
Strong customer authentication aims to increase the security of payments and reduce the risk of fraud. It was introduced under PSD2 and involves authenticating electronic payments using at least two out of three of the following:
- knowledge (something only the user knows, like a password)
- possession (something only the user has, like credit card)
- inherence (something the user is, like a fingerprint).
Milestones laid down for achieving SCA migration
As well as setting a long-stop date for compliance, the EBA opinion sets out a timeline with various objectives for national regulators to meet at specific milestones during the SCA extension period.
For example, by the end of this year regulators must require payment service providers to:
- identify the authentication approaches that they currently use,
- divide them into those that are SCA compliant and those that are not, and
- provide plans for “expedited migration” of non-compliant approaches.
What happens next?
The EBA recommends that regulators:
- Stick to the new deadline;
- Require payment service providers to meet the milestones in the timeline;
- Emphasise that regulatory forbearance for not complying with the law is subject to the payment service providers respecting the milestones; and
- Remind payment service providers that the PSD2 liability regime applies and that therefore payment service providers have a self-interest in complying with SCA as soon as possible.
The FCA has not yet made a statement in response to the EBA opinion and so it remains to be seen whether it will bring forward its March 2021 deadline.