Strong customer authentication for e-commerce card payment transactions: an EU harmonised extension of 14 months to be compliant
11 November 2019
In June of this year, the European Banking Authority (EBA) issued an opinion [1] in which it acknowledged concerns about the preparedness of some actors in the payments chain to comply with the strong customer authentication (SCA) requirements by the 14 September 2019 deadline in respect of e-commerce card payment transactions [2]. On that basis, and even though this legal deadline could not be postponed, it accepted that national competent authorities (NCAs) could work with payment service providers (PSPs) and relevant stakeholders, including consumers and merchants, and agree on limited additional time for compliance [3].
In order to ensure harmonised administrative practice in that respect at EU level, the EBA issued an additional opinion last month, which NCAs and relevant stakeholders had been expecting [4] (EBA-Op-2019-11, the Opinion) [5].
Although the EBA’s Opinion is still primarily addressed to NCAs, it is useful also for PSPs, payment service users (PSUs) and payment schemes.
I. EU harmonised deadline for SCA migration
In the Opinion, the EBA acknowledges that all EU NCAs decided to rely on the flexibility offered in its previous opinion, and also the need, expressed by the various stakeholders, for a consistent and harmonised implementation of SCA for e-commerce card-based payment transactions throughout the EU.
While a majority of stakeholders seemed to prefer an 18-month transition period, the EBA considers that an extension of roughly 14 months is sufficient and has therefore set the final deadline for SCA migration at 31 December 2020. The EBA urges all NCAs to adhere to this harmonised deadline in order to ensure a consistent approach to SCA migration throughout the EU.
The EBA, however, reiterates that the flexibility granted to the relevant stakeholders is not equivalent to a legal postponement of the application date of the SCA requirements set out in PSD II and the RTS: all PSPs not complying with these requirements as of 14 September 2019 are in breach of the law. The flexibility only means that NCAs will not take enforcement or sanction actions against PSPs, provided the PSPs have taken all necessary actions in accordance with the transitioning process described below. NCAs are expected to communicate this point to non-compliant PSPs.
II. Milestones in the SCA transitioning process
While the final deadline for SCA migration is set at 31 December 2020, the EBA expects NCAs to take certain actions by pre-defined dates to ensure a smooth and timely transition to SCA [6]. This implies that issuing and acquiring PSPs will have to provide certain information to their respective NCAs by 31 December 2019, 31 March 2020, 30 June 2020 and 30 September 2020. PSPs are also expected to take ongoing educational measures towards PSUs and e-merchants respectively, with quarterly reporting to NCAs on those measures expected starting 14 December 2019.
The details of the transitioning process are set out in the tables below.
Table 1. Milestones and expected actions from NCAs towards issuing PSPs

| Expected action | Deadline |
| --- | --- |
| 1. NCAs should require issuing PSPs to identify the authentication approaches that they are currently making available to their customers and separate them into two categories: those that fulfil the requirements of SCA under PSD2 and the RTS and are in line with clarifications provided by the EBA, and those that are not. | 31.12.2019 |
| 2. NCAs should obtain information from issuing PSPs on the authentication approaches (which should include new authentication approaches and those identified under item 1) and the SCA exemptions they intend to offer to ensure compliance. NCAs should also request from issuing PSPs plans for the expedited migration, including PSUs' enrolment into these authentication approaches. These plans should contain clear migration targets for the progress made in adopting SCA-compliant authentication approaches and the SCA exemptions (e.g. on the stages of implementation, testing and rollout). The migration plans should be based on a risk-based approach taking into account the types of transactions and the fraud rates. | 31.12.2019 |
| 3. NCAs should take stock of the overall readiness of issuers to meet the SCA requirements in terms of the: The above data should cover the period between 14 September 2019 and 13 March 2020. | |
| 4. NCAs should require issuing PSPs to report on the progress made from 14 March to 13 June 2020 and from 14 June 2020 to 13 September 2020 by providing updated information under item 3 above. This reporting should give a reliable picture of the change in the types of transactions and the fraud rates, the progress of adoption of the 3DS2.X protocol where it is envisaged, and other metrics depending on the authentication approaches, for instance the percentage of customer telephone numbers obtained relative to the total number of customers for SMS-OTP based approaches. | 30.06.2020 |
| 5. NCAs should require issuing PSPs to inform PSUs about the SCA-compliant authentication approaches, the SCA exemptions and the out-of-scope of SCA transactions they intend to offer, and to establish educational campaigns as needed. | Continuous |
| 6. NCAs should require issuing PSPs to make available to their NCAs information about the communications with PSUs under item 5 above. | Every 3 months starting 14.12.2019 |
| 7. NCAs should require issuing PSPs to have completed their migration plans. | 31.12.2020 |
| 8. EBA to develop a report on the status of SCA compliance by the issuing PSPs based on consolidated information provided by NCAs. | Q1 2021 |
Table 2. Milestones and expected actions by NCAs towards acquiring PSPs

| Expected action | Deadline |
| --- | --- |
| 1. NCAs should require acquiring PSPs to identify the technologies they are currently making available to merchants through which they allow issuing PSPs to request PSU authentication, and separate them into two categories: those technologies that support SCA-compliant authentication and the SCA exemptions, and those that do not. | 31.12.2019 |
| 2. NCAs should obtain information on the plans of acquiring PSPs for the expedited migration, including migration by e-merchants to technologies that support SCA, the SCA exemptions and/or the out-of-scope of SCA transactions. These plans should contain clear migration targets for the progress made towards: a) adoption of technologies that support SCA, the SCA exemptions and the out-of-scope of SCA transactions, if applicable; and b) the implementation of these technologies by merchants. The migration plans should be based on a risk-based approach taking into account the types of transactions and the fraud rates. | |
| 3. NCAs should take stock of the overall readiness of acquiring PSPs to meet the SCA requirements, and should do so by requesting the following figures: | |
| 4. NCAs should require acquiring PSPs to report on the progress made from 14 March to 13 June 2020 and from 14 June to 13 September 2020 by providing updated information under item 3 above. This reporting should also reflect the change in the types of transactions and the fraud rates, the progress made by the different types of merchants and the progress of adoption of the 3DS2.X protocol where it is envisaged. | 30.06.2020 |
| 5. NCAs should require acquiring PSPs to inform the e-merchants they work with about the changes that need to be made to the existing technologies used to support SCA, the SCA exemptions and the out-of-scope of SCA transactions. | Continuous |
| 6. NCAs should require acquiring PSPs to provide information about the communications to e-merchants under item 5 above. | Every 3 months starting 14.12.2019 |
| 7. NCAs should require issuing PSPs to have completed their migration plans. | 31.12.2020 |
| 8. EBA to develop a report on the status of SCA compliance by acquiring PSPs based on consolidated information provided by NCAs. | Q1 2021 |
Should you wish to obtain assistance for your SCA transitioning process or know more about the position taken by the NCA in your jurisdiction in respect of this flexible approach, please contact the experts identified in the "Related people" section of this page.
Pursuant to Article 97 of Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market (PSD II) and the Commission Delegated Regulation 2018/389/EU of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (the RTS).
Please refer to our previous e-Alert for more information: https://bit.ly/2Co1wpj
For instance, the Luxembourg regulator of the financial sector, the CSSF, agreed to grant an extension to the relevant stakeholders for the implementation of SCA for e-commerce card payment transactions but did not set a national deadline. Instead, the CSSF stated that it would align with the harmonised compliance deadline expected at EU level. Please refer to our previous publication for more information: https://bit.ly/36N9HJB
To access the full text please use the following link: https://bit.ly/2CqObww