The PSD2 requires payment service providers to perform Strong Customer Authentication (“SCA”) when the user accesses its payment account online, initiates a payment, or when he s She carries out an action remotely which may imply a risk of payment fraud or other abuses.
The PSD2 has been implemented in Austria with the Payment Services Act 2018 (“ZaDiG 2018”). Pursuant to PSD2, as implemented in Austria, and the relevant Regulatory Technical Standards (RTS) the SCA requirements become applicable on 14 September 2019.
However, following an EBA opinion on the elements of strong customer authentication under PSD2 from 21 June 2019, the Austrian Financial Market Authority (“FMA”) has announced on 19 August 2019 that it will extend the SCA implementation period for card payments made online to give payment service providers and merchants more time to migrate to SCA-compliant authentication approaches (see the ‘no action letter’ here).
The new deadline for the migration to SCA-compliant approaches in e-commerce, and the finer detail of the implementation process as well as regular information requirements shall be adopted at European level until the end of September 2019, the FMA stated. The information requirements refer to the obligation for payment service providers to submit a migration plan to and regularly update the FMA on the migration progress made.
The FMA also stated that other areas that require strong customer authentication in future – such as online access to payment accounts, electronic credit transfers or point-of-sale payments – are not affected by this extension.
The FMA’s announcement is similar to various no-action-letters from other national competent authorities across the EU, e.g. Italy, Poland, Germany, UK, Denmark, France and Finland (see here for a regularly updated list of countries, serviced by PayPal’s Braintree Blog).
The objective of this ‘supervisory standstill’ is clear: after concerns raised by important European payment providers and the entire ‘e-commerce world’, the extension shall ensure continuity of online card payments and avoid unnecessary inconvenience to cardholders.
Despite the FMA’s announcement, we believe that from 14 September 2019, the liability shift between the cardholders and issuers, as well as between issuers and acquirers/merchants as provided for in the PSD2 will apply. This includes the requirement to provide correct information to cardholders on the liability of each party to a payment transaction in case of misuse or fraud.
Although this no-action-letter is a relief for respective payment providers and merchants, all Austrian issuers and acquirers engaged in online card payments should prepare presenting their plans for implementing the SCA to the FMA. We expect that more guidance from EBA will become available within the upcoming weeks.