On 10 September 2019, the Hungarian National Bank (HNB) issued a press release (available in English here and in Hungarian here) in which it provides Hungarian cards issuers and acquirers with additional time to comply with the PSD2 strong customer authentication (SCA) requirements, as implemented within Hungarian, but only in relation to online card-based payments.
Pursuant to PSD2 and the related regulatory technical standards for strong customer authentication and common and secure open standards of communication (the RTS), Hungarian banks and other payment service providers (PSPs) are required to apply SCA as of 14 September 2019 when the user (1) accesses its payment account online, (2) initiated an electronic payment, or (3) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses. SCA means that at least two strong factors should be used to authenticate the user (e.g. a device plus a password, or a device plus a fingerprint).
On 21 June 2019, the European Banking Authority (EBA) published an Opinion (here) empowering national competent authorities (NCAs) to grant more time to PSPs in order to comply with the SCA requirements, based on migration plans to be submitted by the PSPs to their NCA for approval.
Given the particular technical complexity of SCA for online card-based payments, as well as the number of players involved in the payment chain (e.g. merchant, acquirer, issuers, cardholder, card scheme, processors, etc), HNB had discussions with those players to assess whether they needed more time to comply with SCA for online card-based payments, and if so how much. Based on those discussions, HNB decided to grant issuers and acquirers (and ultimately e-commerce merchants) an additional 12 months to comply with the SCA requirements for online card-based payments (i.e. until September 2020).
In order to benefit from this 12-month adjustment period, issuers and acquirers need to submit detailed migration plans to HNB, which will be monitored by HNB on a continuous basis. Issuers and acquirers should also inform cardholders and e-commerce merchants of the adjusted timing for compliance.
HNB highlighted in its press release that liability regime set out in PSD2 (as implemented within Hungarian law) will apply during the adjustment period. In short, this liability regime broadly reflects the rules of the international card schemes, namely that "the weakest link bears the risk of fraud". In other words, if during the adjustment period an acquirer does not send a 3D Secure flow to the issuer, presumably HNB is of the view that the acquirer (and ultimately the merchant) should bear the liability in case of fraud. Conversely, if during the adjustment period the acquirer does send a 3D Secure flow to an issuer benefiting from an adjustment period, the issuer will bear the liability in case of fraud.
It is worth noting that the 12-month period put forward by HNB is not in line with what most EU regulators have announced so far. For example:
- Other countries have announced the principle of a country-wide adjustment period being granted to PSPs, but have not yet publicly specified the duration – see Bird & Bird publications on Italy here, Germany here, The Netherlands here, Poland here, see Finland here.
- Sweden seems to be an outlier, having announced that it will not be granting a country-wide extension (therefore enforcing the 14 September 2019 deadline), although it may possibly be granting an adjustment period to issuers or acquirers on a case-by-case basis – see Bird & Bird client alert here
The EBA is expected to publish shortly an Opinion that is meant to ensure that all national regulators granting adjustment periods for SCA for e-commerce card-based payments will grant the same period of time. Watch this space, therefore…