The latest EBA Opinion, published on 16 October 2019, recommends that the period of supervisory flexibility for implementation of strong customer authentication (SCA) requirements under the second Payment Services Directive 2015/2366 (PSD2) should end on 31 December 2020, 15 and a half months after entry into force of the requirements on 14 September this year. Although the Opinion is addressed to the national competent authorities (NCAs), it is also relevant to payment service providers (PSPs), card schemes and payment service users, including merchants.
Although the SCA requirements for e-commerce card-based payment transactions officially came into force on 14 September 2019, few European banks or PSPs have started enforcing these requirements and declining non-authenticated payments. This delay follows an original opinion published by the EBA on 21 June 2019 (see our previous post on this here) which suggests that NCAs should temporarily suspend their enforcement on the SCA requirements. This June opinion accepted that NCAs may exercise supervisory flexibility in order to grant PSPs limited additional time for SCA implementation, but did not set any definitive period for implementation. NCAs subsequently started to publish their own migration plans (including the UK, French and Danish regulators which each announced an 18 month enforcement delay until March 2021).
What does the latest EBA opinion say?
The latest EBA Opinion now recommends that NCAs grant PSPs a maximum enforcement delay of 15 and a half months until 31 December 2020, after which the period of supervisory flexibility should end. In addition to this deadline, the EBA Opinion recommends that the NCAs should:
- require PSPs to meet the various “milestones” and “expected actions” during the migration period (see table 1 and table 2 starting on page 5 of the Opinion for more details);
- communicate to PSPs within their jurisdiction that the supervisory flexibility granted by NCAs does not represent a delay in the SCA application date, but a non-enforcement period (where NCAs will not take sanction actions against PSPs provided that they comply with the milestones and expected actions found within the Opinion); and
- remind PSPs that the Article 74 PSD2 liability regime (which establishes a PSPs liability for unauthorised payment transactions) already applies to PSPs and that therefore PSPs have a self-interest in complying with the SCA requirements as soon as possible.
Impact of the latest EBA Opinion
The new recommended deadline of 31 December 2020 is sooner than many had expected. Indeed, the EBA acknowledges that the majority of the respondents to its questionnaires indicated that they would prefer an 18-month period for smooth, frictionless and ordered migration of the entire e-commerce card-based payment ecosystem to SCA-compliant approaches and solutions. An 18-month implementation period would have been in line with the migration plan published by the UK Financial Conduct Authority (FCA) and numerous other NCAs, and it would have enabled the roll-out and implementation of the 3DS V2.2. communication protocol that is made available by the major card schemes, which seems to be the dominant technical solution for ensuring compliance with SCA requirements (the 3DS V2.2. communication protocol should enable the application of the full range of SCA exemptions specified in the RTS and the out-of-scope of SCA transactions, such as payee initiated transactions). Our sense is that, for some industry players, 18 months was already an ambitious timeline and that some may struggle to be compliant within a 15-month period. This problem is particularly acute in industries with complex payment flows or booking models e.g. the travel and hospitality industries; for smaller, less sophisticated retailers; and for those that are working to tailor solutions to vulnerable customers e.g. consumers that may not have a mobile phone or online banking but that make card purchases online.
At the moment, it is unclear whether the FCA will bring forward its deadline in order to comply with the EBA Opinion. The FCA has not yet updated their implementation deadline of 14 March 2021 (which was reached following in-depth industry consultation and still appears on their website) or issued a statement in response to the Opinion. (The FCA has recently published a Policy Statement 19/26 which confirms that it will make its own UK RTS for SCA and common and secure open standards of communication in the event that the UK leaves the EU without a ratified withdrawal agreement).
Regulated and unregulated clients should continue to implement SCA as quickly as reasonably possible and monitor for any updates released by the FCA and other NCAs. We anticipate the FCA will make a statement in the coming weeks as to whether it will continue with its migration plan, or whether it will revise its implementation timeline to align with the EBA Opinion.
UK Finance is continuing to coordinate SCA implementation via various SCA working groups, incorporating various card scheme providers, issuers, acquirers, gateways, merchant trade associations, and other stakeholders. Clients should ensure that they follow these developments in order to keep fully up-to-date with FCA expectations in this area. Clients in certain sectors, like the travel and hospitality sector, may continue to lobby for additional time in order to implement the SCA requirements within their more complex payment flows or booking models.
Please get in touch with Mardi MacGregor or Chris Finney from the Financial Services Regulatory team if you would any further assistance with this matter.