The new strong customer authentication (“SCA”) requirements under the Payment Services Directive (EU) 2015/2366 (“PSD2”) went live on 14 September 2019. While the new requirements apply only to payment service providers such as banks and non-bank payment processors, their implications will be felt by regulated and non-regulated businesses throughout the payment processing chain. The implications on the payment industry are expected to be so significant that transitional arrangements have been put in place by EU regulators.
In summary, SCA is a process whereby a payment service provider authenticates a customer’s identity by using at least two elements from three specified categories:
- Knowledge - something only the customer knows (such as a password);
- Possession - something only the customer has (for example a token generator);
- Inherence - something the customer is (essentially, biometrics such as fingerprints).
Knowing one element must not compromise the other, and each of the two elements must come from a different category.
For remote electronic payments, such as online payments, the transaction must also be dynamically linked to a specific amount and a specific payee (for example, via a one-time passcode).
SCA must be applied (i.e. the two-factor authentication must be activated) when a customer:
- Accesses their payment account online;
- Initiates an electronic payment; or
- Carries out any action through a remote channel that may imply fraud,
in each case, unless an exclusion/exemption is available.
It is always the payer’s payment service provider (e.g. a card issuer) that determines whether or not to apply SCA or use any exemption. However, the payee’s payment service provider (such as a merchant acquirer) can decide on certain exemptions (subject to the issuer’s final decision).
What is the potential impact?
The new requirements are different from most of the existing two-factor authentication methods on the market. For example, a password and a PIN will not meet the SCA requirements, because both factors are from the “knowledge” category; details printed on the card itself such as the card number and CVV number (typically on the back of a card) cannot be used as “knowledge” and they may not even be used to prove “possession”. This means that changes inevitably need to be made to the existing processes. With respect to card payments, the major card schemes (Visa, Mastercard and Amex) are deploying Version 2 of the 3D Secure authentication protocol (currently at Version 1) across the EU card payment market.
Regulated payment service providers are directly impacted as it is their regulatory/legal obligations to comply. Non-regulated businesses (such as high street retailers or online merchants) may also likely need to implement changes as required by their payment service providers so that the payment service providers themselves can comply. Further, in certain circumstances, merchants can be statutorily liable for SCA failures.
What are the exclusions/exemptions?
Electronic payments initiated by a payee such as a merchant (known as “merchant initiated transactions” or “MIT”) are excluded. This includes utilities payments (typically through direct debit) and certain payments for subscription services. However, the initial set-up of the MIT mandate may require SCA.
Payments via telephone are generally outside the scope as they are not considered to be “initiated” as electronic payments (albeit the payments may ultimately be processed electronically) but there are uncertainties.
There are nine exempted situations where SCA is not required:
- Accessing accounts within 90 days (rolling) to check balances and transactions, provided that no sensitive payment data (such as a password) is disclosed;
- Contactless payments not exceeding €50 (individually) where either the number of consecutive transactions does not exceed five or the cumulative value does not exceed €150;
- Payments made at unattended terminals for transport fares or parking fees (e.g. touching in and out in the London Underground);
- Payments made to trusted beneficiaries that the customer set up in advance with their account payment service provider;
- Recurring payments to the same payee with the same amount (such as a standing order);
- Credit transfers between one’s own accounts with the same payment service provider;
- Remote payments not exceeding €30 (individually), where either the number of consecutive transactions does not exceed five or the cumulative value does not exceed €100;
- Corporate payments through dedicated processes (such processes being subject to regulatory approval);
- Remote payments where the payment service provider’s overall fraud rate is within specified thresholds.
The timing and other thresholds above are calculated by reference to the last time SCA was applied.
These exemptions are set out in an EU “Regulation” (which does not require national transposition) and thus the substantive rules should be the same across the EU. However, there may be differences in interpretation and practical application from one member state to another.
Given the potentially significant impact, the European Banking Authority (“EBA”) opined in June 2019 that member states could have a no-enforcement period for online card payments. As a result, while the rules formally applied from 14 September 2019, national regulators may choose not to enforce them during a short period. Subsequently, the EBA further opined in October 2019 that compliance should be completed by 31 December 2020 for all EU member states.
The UK Financial Conduct Authority has effectively set two transitional periods: a 6-month “adjustment period” ending on 14 March 2020 for direct account access under the open banking regime; and another no-enforcement period ending on 14 March 2021 for e-commerce card payments. The FCA announced its approach in August and the FCA has stated it intends to keep the UK-specific transitional arrangements (notwithstanding the EBA October opinion).
Application of SCA is currently fluid across the EU. In the UK, online payments should be “business as usual” for now, but changes are expected to be gradually implemented to meet the new deadline. However, certain in-store payments may require immediate changes. Frictions may also arise for cross-border payments given the inconsistency between the UK position and the EBA approach which, although expected to be followed by other member states, may be adopted with local differences.
Further, the FCA has indicated that there will be no further extension to the UK transitional arrangements and that it will likely take action even before the EU deadline (i.e. 31 December 2020) if it does not see sufficient progress along the timetables agreed by the industry (UK Finance has published a timetable setting out the compliance milestones for the payment industry). Therefore, it is imperative that the industry act sooner rather than later, particularly card acquirers and other payment service providers that deal with merchants directly because they will need to communicate and coordinate with merchants with respect to the SCA implementation.