On 21 June 2019, the European Banking Authority (EBA) published an opinion on the elements of strong customer authentication (SCA) under the second Payment Services Directive (Directive (EU) 2015/2366, PSD2).
What is SCA?
The purpose of the new SCA rules is to make online payments more secure and to reduce the risk of fraud. Under the new rules, a payment service provider must apply SCA where a payment service user: accesses its payment account online; initiates an electronic payment transaction; or carries out any action through a remote channel which may imply a risk of payment fraud or other abuse.
SCA is based on the use of two or more of the following elements:
- knowledge (something only the user knows);
- possession (something only the user possesses); and
- inherence (something the user is).
These elements must be independent of each other: the breach of one element must not compromise the reliability of the others.
What does the EBA opinion say?
The EBA opinion provides a non-exhaustive list of the authentication approaches currently observed in the market and whether these are considered compliant with the requirements of SCA. The EBA also provides some commentary on each of the three SCA elements listed above, and on the combinations of these elements.
In addition, the EBA opinion considers the possibility of making more time available for regulated entities (and therefore the rest of the industry) to prepare for the application date of SCA, and ultimately confirms that SCA will apply from 14 September 2019. The EBA does, however, acknowledge concerns raised regarding the preparedness of e-commerce businesses for SCA, and recognises that the entire payments chain, including card schemes and merchants, must take steps to apply or request SCA in order to avoid situations where payment transactions are interrupted, blocked or rejected.
As a result, the EBA's opinion allows for the possibility that some National Competent Authorities (NCAs), such as the FCA, will choose to work with authorised entities "and relevant stakeholders, including consumers and merchants" to help them prepare, and may, on an "exceptional basis" only, "provide limited additional time to allow issuers to migrate to authentication approaches that are compliant with SCA… and acquirers to migrate their merchants to solutions that support SCA". Such additional time will only be available where the payment service provider has agreed a migration plan with its NCA.
What does the FCA say?
The FCA has released a statement in response to the EBA opinion confirming that it will quickly agree a plan with all stakeholders across the payments industry that encompasses a blueprint for compliance and readiness, a timetable for achieving this, and key milestones and targets to deliver SCA.
The FCA has confirmed that it will not take enforcement action against firms that do not meet the relevant SCA requirements from 14 September 2019 in areas covered by the agreed migration plan, where there is evidence that they have taken the necessary steps to comply with the plan.