The core objectives of Payment Services Directive (PSD2) included enhancing the security of payments and limiting fraudulent transactions. In this regard, the regulatory technical standards (RTS) on strong customer authentication (SCA) that underpin certain security requirements under PSD2 were scheduled to come into force on 14 September 2019.
Following a recent Central Bank of Ireland (CBI) announcement, the implementation of the RTS on SCA has been delayed to allow payment service providers (PSPs) more time to implement SCA for e-commerce transactions. No specific timeline has been confirmed; rather, the CBI announced that it has been "engaging with the industry to develop a migration plan to implement SCA… as soon as possible."
Strong Customer Authentication
To recap, one of the key features introduced by PSD2 in order to reduce fraud and increase security is a requirement known as SCA. SCA is a mandatory two-step verification process required for the majority of online banking transactions. In effect, prior to accessing online accounts or making payments online, the PSP must require the consumer to prove their identity by providing at least two of the following three elements:
- Knowledge: something the consumer knows (e.g. a PIN or password);
- Possession: something the consumer has (e.g. a card or their phone); or
- Inherence: something the consumer is (biometrics, e.g. fingerprint, face recognition or iris scan).
Exemptions from SCA
Some low-risk payments will be exempt from SCA. Retailers and merchants, and PSPs on their behalf, will still be able to carry out their own risk analysis on transactions with consumers and determine whether an exemption should apply. The consumer's bank will receive the request for exemption and ultimately decide whether to approve the exemption request or require SCA.
Exemptions from SCA include:
(a) Low-value online transactions under €30, except when a cumulative value of €100 is reached, or when 5 payments of up to €30 have been made;
(b) Contactless transactions under €30, except when the exemption has been applied in the previous 5 transactions or a cumulative value of €150 has been reached;
(c) Payments to "trusted beneficiaries" accounts set up through the consumer's bank;
(d) Recurring payments to the same business for the same amount (e.g. subscriptions); and
(e) Accessing some account information, such as account balances and recent transactions.
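The two-factor rule and the low-value and contactless thresholds above map onto a small decision routine. The following is an added illustration, not code from the article or from any PSP; it assumes that the cumulative-amount and consecutive-payment counters are kept per card and reset whenever SCA is applied, and that reaching either limit forces SCA on the current transaction.

```python
from dataclasses import dataclass

# Thresholds taken from the exemption list above (EUR).
PER_TXN_LIMIT = 30.0
CUMULATIVE_LIMIT = {"online": 100.0, "contactless": 150.0}
MAX_EXEMPT_IN_ROW = 5

# Constructed mapping of presented factors to the three SCA categories.
FACTOR_CATEGORY = {
    "pin": "knowledge", "password": "knowledge",
    "card": "possession", "phone": "possession",
    "fingerprint": "inherence", "face": "inherence", "iris": "inherence",
}


def satisfies_sca(factors):
    """True only when at least two *different* categories are presented.

    Two knowledge factors (PIN + password) are one category and do not
    satisfy SCA; PIN + phone does.
    """
    return len({FACTOR_CATEGORY[f] for f in factors}) >= 2


@dataclass
class ExemptionState:
    """Per-card counters since the last SCA (assumption: reset on SCA)."""
    cumulative: float = 0.0
    exempt_in_row: int = 0

    def reset(self):
        self.cumulative, self.exempt_in_row = 0.0, 0


def low_value_exempt(amount, channel, state):
    """Return True if the low-value/contactless exemption may be applied.

    Returning False means SCA is required; the counters are reset on the
    assumption that SCA is then performed (the issuing bank still has the
    final say, as the text notes).
    """
    over_limit = (
        amount >= PER_TXN_LIMIT
        or state.exempt_in_row >= MAX_EXEMPT_IN_ROW
        or state.cumulative + amount >= CUMULATIVE_LIMIT[channel]
    )
    if over_limit:
        state.reset()
        return False
    state.cumulative += amount
    state.exempt_in_row += 1
    return True
```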
Implementation of SCA
As outlined above, the initial deadline for compliance with the RTS on SCA was 14 September 2019. However, both the European Banking Authority (EBA) and the CBI have acknowledged that there are complexities surrounding the requirements of PSD2 and that certain PSPs are not as prepared for SCA as they had anticipated. New systems are still undergoing testing and many firms do not have the necessary software in place to provide SCA. If a PSP does not have SCA set up, the consumer's bank can decline the payment. Research carried out by the UK Finance trade body, and supported by the European Savings Bank Group and the European Association of Co-operative Banks, has estimated that by the scheduled implementation date (14 September 2019) approximately 25%-30% of online transactions will be impossible to complete, resulting in severe loss to businesses and causing extensive disruption to consumers.
In a recent Opinion, the EBA outlined that, although it does not have the authority to postpone the application date set out in EU law, it accepts that in exceptional circumstances national competent authorities might consider postponing the implementation of SCA in order to avoid unintended negative consequences for consumers.
The CBI has since proposed to put in place a limited migration period to allow all regulated entities time to update their security systems and to adopt new authentication solutions that are compliant with SCA. While the period of extension has not yet been set, the CBI has stated that it is engaging with the EBA and other EU competent authorities to secure a harmonised approach when adopting any additional time period.
In the UK, the Financial Conduct Authority (FCA) has agreed to an 18-month transition period to enable banks and PSPs to implement SCA effectively in accordance with a migration plan developed by UK Finance and the payments industry. Provided there is evidence that firms have taken the necessary steps to comply with the plan, enforcement action will not be taken for failure to comply with SCA requirements. The extension approved by the FCA is based on a managed rollout and is limited to card-not-present e-commerce transactions. Other jurisdictions, such as France, Germany, Italy, Austria and the Netherlands, have also opted to postpone full implementation of the SCA rules from the September deadline, although the scope of the exemption and the duration of the extension differ for each jurisdiction.
Notwithstanding the extension to the implementation deadline, payment institutions will need to continue to take steps to manage their fraud risk while continuing to work on SCA implementation projects.