The Swedish Financial Supervisory Authority (the "SFSA") confirms that no general transition period will apply in Sweden for the implementation of strong customer authentication (SCA) in relation to remote card-based transactions. However the SFSA will grant additional time to issuers and acquirers for implementation purposes on a case-by-case basis.
Like in the rest of the EU, the PSD2 rules regarding SCA, as implemented within the Swedish payments legislation, will apply as of 14 September 2019.
On 21 June 2019, the European Banking Authority (EBA) stated that it was acceptable, under certain circumstances, for national regulators to allow a time limited extension for the implementation for SCA, provided that the payment service provider (PSP) seeking an extension presents a migration plan to its competent authority, and that such plan is executed within a given timeframe.
Further to that EBA Opinion, the national regulators in a number of EU countries have announced they were granting a general adjustment period on a country-wide basis to issuers and acquirers with respect to remote card-based payments (see Bird & Bird's publications regarding UK here, Germany here, Italy here, Denmark here, Poland here; see also France here and The Netherlands here).
However the SFSA, contrary to the above national regulators, has announced on 4 September 2019 (see here – only available in Swedish) that is will not grant a country-wide extension. Instead issuers and acquirers can apply to the SFSA on an individual basis, and may be granted more time for compliance with SCA for card-based e-commerce transactions on a case-by-case basis. Consequently, issuers and acquirers that require additional time for their implementation should apply for such additional time to the SFSA without further delay.
One of the reasons put forward by the SFSA in their publication to justify their different approach compared to other EU Member State regulators is that, in Sweden, there are already a number of solutions that allow for compliance with SCA in relation to e-commerce card transactions, BankID being one of these solutions. BankID includes the major Swedish banks, and several million users in Sweden (total population in Sweden: approximately 10 million) use BankID on a regular basis for a wide variety of services, including e-commerce. The SFSA is therefore of the opinion that Swedish issuers, acquirers and e-commerce merchants are well-prepared, and that the number of available solutions in the market should allow for compliance with SCA in relation to e-commerce card transactions as from 14 September 2019.
The SFSA's announcement is potentially problematic for issuers, acquirers and e-merchants in other Member States than Sweden. Indeed, if a Swedish card is used to purchase from, say, a French web-merchant relying upon a French acquirer, how are the French merchant and French acquirer going to know that this particular Swedish issuers did, or did not, apply to the SFSA to benefit from an adjustment period? And if it did, how will the French merchant and acquirer know whether that Swedish issuer does, or does not, benefit from an adjustment period granted by the SFSA on an individual basis, and therefore whether to initiate a 3D Secure flow or not in relation to that particular Swedish issuer? If no 3DS flow is initiated by the French merchant and acquirer (because French acquirers benefit from an adjustment period granted by their national regulator), but the particular Swedish issuer is not granted an adjustment period by the SFSA, the Swedish issuer will presumably have no choice but to decline the transaction, and the French merchant and acquirer will have to re-submit the transaction, this time with a 3D Secure flow? This may be problematic in practice and result in foregone transactions, and therefore revenue, for all stakeholders (i.e. merchants, acquirers, issuers, card schemes) – and of course payer dissatisfaction for not having been able to buy the goods or services.
The EBA is expected to publish shortly an Opinion that is meant to ensure that all national regulators granting adjustment periods for SCA for e-commerce card-based payments grant the same period of time. We do not expect that such an Opinion will influence the SFSA to move from a case-by-case approach, to a country-wide approach. However perhaps the SFSA, if and when it grants case-by-case adjustment periods to some Swedish issuers and/or acquirers, will seek to align the duration of that adjustment period to whatever duration the EBA will recommend in its forthcoming Opinion?