Author: Marc Vermylen (Loyens & Loeff)
Publication date: 21/10/2019
On 16 October 2019, the European Banking Authority (EBA) issued an Opinion concerning one of the most important features of the Payment Services Directive II (PSD II): strong customer authentication (SCA). EBA gives card-issuing and acquiring payment service providers (PSPs) until the end of December 2020 to migrate to approaches and solutions that support SCA. This article provides some background and highlights the key points to remember from this hodgepodge of terminology and abbreviations.
PSD II needs little introduction: it greatly impacts the European payments market, providing the puzzle pieces that were missing under the Directive’s predecessor, PSD I. In a nutshell, PSD II (amongst other things) widens the scope of application in terms of territory and currency, narrows the scope of the exemptions and regulates two new payment services, namely payment initiation services and account information services.
Customer safety: SCA
Apart from responding to innovation, PSD II has a strong focus on customer safety. The Directive’s pre-eminent feature in this regard is SCA. SCA should increase the level of security of electronic payments and mitigate the risk of fraud. PSPs are obliged to apply SCA, which allows them to verify the identity of the payment service user or the validity of the use of a payment instrument. This authentication combines at least two elements from the categories knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is). Under PSD II, these elements should be independent of each other, meaning that the breach of one cannot negatively impact the reliability of the others. Moreover, SCA cannot combine two elements that stem from the same category. Though there are exemptions, PSPs must apply SCA each time a payer accesses its payment account online, initiates an e-payment, or carries out any action through a remote channel which may imply a risk of payment fraud or other abuse.
EBA sets deadline for SCA compliance
PSD II mandates EBA to develop regulatory technical standards (RTS) on SCA. The initial deadline for compliance with the RTS was 14 September 2019. However, due to the complexity of the payments market and the necessary changes, EBA has allowed for supervisory flexibility, meaning that national supervisors can be lenient towards issuing and acquiring PSPs whose authentication approaches are not yet fully compliant with SCA.
In its Opinion of 16 October 2019, EBA has set the date on which supervisory flexibility comes to an end. By 31 December 2020, issuing and acquiring PSPs should have migrated to SCA-compliant approaches and solutions. In the Opinion, PSPs can find tables in which EBA has listed some milestones and expected actions from national supervisors towards issuing and acquiring PSPs. Through this information, PSPs receive some guidance as to what the national supervisor will pay attention to.