Strong Customer Authentication – EBA extends deadline for e-commerce card-based payments

On the 16 October 2019, the European Banking Authority (“EBA”) published an opinion on the deadline and process for Strong Customer Authentication (“SCA”) under the revised Payment Services Directive ((EU) 2015/2366) (“PSD2”) for e-commerce card-based payment transactions (the “Opinion”).

In light of concerns within the payments industry of the challenges in complying with the PSD’s requirements on SCA, the EBA has set out in the Opinion a framework for an EU-wide, harmonised period of regulatory forbearance.

The PSD2 has since 14 September 2019 required online businesses in Europe to use SCA for most customer-initiated online payments. SCA must be based on two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is), which are independent of each other.

A migration deadline of 31 December 2020 is set in the Opinion, along with an explanation of actions that national competent authorities (“NCAs”) should be taking during the migration period to ensure a consistent approach. The EBA is of the view that migration plans of payment service providers (“PSPs”), including the implementation and testing by merchants, should be completed by the migration deadline.

The EBA has made clear that the supervisory flexibility granted in respect to the deadline, is not equivalent to a delay in the application date of the SCA requirements in PSD2, but rather, NCAs would not take enforcement action and will instead focus on monitoring PSPs’ migration plans to ensure they respect the milestones and the expected actions specified in the Opinion.

The Opinion follows from the EBA's 21 June 2019 opinion on the elements of SCA on elements of strong customer authentication under PSD2. In that opinion, the EBA acknowledged that some participants in the payments chain that were not PSPs (such as e-merchants) may not be ready for SCA migration by the 14 September 2019 deadline, and that on an exceptional basis, NCAs might provide limited additional time for e-commerce card-based payment transactions to allow card-issuing PSPs to migrate SCA complaint authentication processes and acquiring PSPs to migrate their merchants to solutions that support SCA.

The EBA state in the Opinion that, notwithstanding this forbearance, the liability regime under Article 72 of PSD2 still applies, without any delay. Therefore, issuing and acquiring PSPs will be liable for unauthorised payment transactions. The EBA observes that this creates a self-interest for PSPs to migrate to SCA-compliant solutions as soon as possible.

The EBA expects NCAs to take specific actions and meet key milestones which are listed in the tables provided. The actions aim at ensuring harmonised and consistent migration to SCA compliance and readiness. The actions do not however restrict NCAs from requiring more detailed information.

The flexibility granted in the Opinion will be welcomed by market participants and the implementation of PSD2 should help reduce fraud rates and enhance the overall security of online card-based payment transactions.

The EBA’s opinion published on the 16 October 2019 can be viewed here.

The EBA’s opinion published on the 21 June 2019 can be viewed here.