On 1st August 2019 the Bank of Italy issued a press release in which it announced that it would grant, in line with the decisions taken at European level, more time to the Italian financial industry to complete the implementation required by the legislation on the security of online payment card transactions.
Transitional period - implementation of strong customer authentication procedure
Directive (EU) no. 2015/2366 (the so-called "Second Payment Services Directive" or "PSD2") and the related implementing legislation – Delegated Regulation (EU) no. 2018/389 – set 14th September 2019 as the deadline for the mandatory adoption by banks and other payment service providers ("PSPs") of strong customer authentication systems based on the use of at least two factors (e.g. passwords, biometric fingerprints, smartphone certificates, etc.) to allow customers to safely access online accounts and execute electronic payments.
In view of the complexity of the implementation, which is particularly significant in the online card payments field, and the need for active user involvement, on 21st June the European Banking Authority (EBA) granted national Authorities the possibility to postpone the 14th September deadline in order to allow the adoption of new authentication tools by all customers, with exclusive reference to the above category of payments.
The Bank of Italy, having heard the main stakeholders – banks, card schemes, service providers, users' associations – including in dedicated meetings of the Payments Italy Committee, has considered that a gradual transition can greatly reduce the risks of inefficiencies in online payments by card, avoiding interruptions to business continuity in vital economic sectors such as electronic commerce.
The Bank of Italy has therefore decided to grant (at the request of PSPs) an extension for a limited period, on the basis of the maximum term that will be defined by the EBA and subsequently disclosed to the market. PSPs wishing to make use of this extension will have to submit a detailed transition plan, including communication and customer preparation initiatives, on both the merchant and cardholder sides.
During the transitional period, payments made without strong authentication may continue to be sent and accepted in the existing way, bearing in mind, however, that the rules for attributing liability in the event of fraud are immediately enforceable for transactions that do not meet the security requirements of the legislation.