On 21 June 2019 the EBA published an opinion on the elements of strong customer authentication. As well as setting out some important clarifications on the interpretation of the requirements, the EBA has set out a structure for national regulators to allow a degree of tolerance for slow implementation of SCA in their jurisdictions.
Although the implementation date is set for 14 September 2019, it has recently become apparent that there is still a lot of work to do to ensure that the technical changes required are in place, particularly for card payments. This has resulted in retailers, payment service providers and card schemes lobbying both nationally and at EU level for a more flexible approach to the implementation date.
The EBA has acknowledged that there are potential difficulties due to the complexity of payment systems and has set out the conditions under which a national regulator could allow a delay. This supervisory flexibility is available provided that payment service providers have set up a migration plan, have agreed the plan with the regulator, and the plan can be expedited. The EBA wants the national regulator to monitor the plans to ensure swift compliance with the PSD2, engaging directly with card issuers and merchant acquirers to ensure compliance and effective communication plans with consumers. However, the EBA does not set out any particular timeframes – although it refers to "limited" additional time, suggesting it is thinking in months rather than years. It is likely that this approach will, in the short term at least, lead to different approaches across the EU. This may be challenging for some retailers and payment service providers who operate in a number of member states. And note that this is not a delay but "supervisory flexibility" – 14 September 2019 is still the implementation date!
The EBA has also set out additional detail on the 3 elements of SCA – possession, inherence and knowledge. Unlike the FCA, the EBA does not think that card details can be used as a possession element unless the number is dynamically generated. In addition, whilst confirming that inherence can include behavioural biometrics, it states that these are limited to something which relates to physical properties of body parts, physiological characteristics and behavioural processes created by the body, and any combination of these. So key strokes may be inherence but an individual's spending pattern would not qualify. For knowledge elements, the EBA states that these must exist before the SCA step, so this will not include an OTP sent during the initiation of the payment transaction.
Many participants will welcome the flexibility being shown by the EBA – the focus will now be on the local regulators and what level of flexibility they will be prepared to give.