Starting September 14, electronic payment service providers must ensure strong customer authentication, a measure for which the Bank of Spain has granted an extension.

Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication entered into force on September 14, 2019. One of the aims of this Regulation is to improve the security of electronic payments and to reduce fraud in the authentication process following the entry into force of the new Payment Services Directive (PSD2).

From the above-mentioned date, payment service providers (PSPs) must apply strong customer authentication (SCA) in electronic payments, which from now on must be based on two of the following three elements:

  • Knowledge factor: something the customer knows, such as a personal password.
  • Possession factor: something the customer possesses, such as his or her mobile device.
  • Inherence factor: something that the customer is, such as his or her fingerprint.

However, as the European Banking Authority (EBA) has acknowledged in its Opinion of June 21, 2019 in response to the ongoing demands of the sector, payment markets in the EU show significant complexities and challenges due to the changes – mainly technological – that are required, in particular, by actors that are not PSPs (such as e-merchants) and that, therefore, are not directly subject to PSD2 and the technical guidelines published by the EBA. This circumstance, from the EBA’s standpoint, made it advisable to provide an extension in the actual implementation of the SCA requirements.

In this context, the Bank of Spain, as the supervisor with jurisdiction over this matter in Spain, has adopted, together with other national and supranational supervisors, a resolution to apply a moratorium for a limited time period when it comes to the application of the new SCA requirements laid down in the Regulation. The moratorium seeks to avoid possible adverse effects for some users of payment services after September 14.

Accordingly, in its Informative Note of September 11, 2019, the Bank of Spain informed the sector that the EBA accepts, on an exceptional basis, that PSPs and other relevant stakeholders – including consumers and merchants – set up, agree with the supervisor and execute, in an urgent manner, plans for effective migration to solutions that comply with the SCA requirements. The Bank of Spain has not indicated a specific deadline for submitting these plans.