Neil Williams of Rahman Ravelli explains the reasons behind the UK’s delayed implementation of SCA and the effect it has on transactions that go beyond its borders.
When the original Payment Services Directive (PSD) was adopted by the European Union (EU) in 2007 it established an EU single market for payments to encourage the creation of safer, more innovative payment services. It was also intended to make payments across borders within the EU as straightforward and safe as those made within a member state.
The revised Directive (PSD2) has taken the original Directive’s purpose further by increasing customer rights, enabling third-party access to account information and – which is what this article is concerned with - enhancing security through strong customer authentication (SCA) criteria. Yet the timing of the implementation of SCA has been subject to revision – and that revision could have implications for a post-Brexit UK.
In June this year, the European Banking Authority (EBA) published an opinion on the elements of SCA under PSD2; which were due to come into force on 14 September 2019. Prompted by this opinion, the UK’s Financial Conduct Authority (FCA) announced a phased roll-out plan to move the UK to full compliance by 14 March 2021. This delayed compliance with SCA is set to have a profound effect on the UK’s payments industry.
SCA is defined in the Directive as an "authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data." The Directive also provides that SCA is to be applied to all electronic payments, with exemptions only being available for transactions that are:
• Face-to-face contactless payments, involving single transactions under €50, with a limit of five transactions and a total value of €150.
• Online payments, involving single transactions under €30, with a limit of five transactions and a total value of €100.
• Classed as “low risk’’, which requires certain conditions to be met.
• Corporate payments, including ‘secure virtual payments’ made using virtual cards or B2B cards. Such a transaction must be initiated by a legal person, such as a business, rather than a consumer.
• Whitelisted. Consumers can whitelist merchants so that all future transactions with that merchant do not require additional security checks.
• Recurring payments made to the same merchant for the same amount.
The EBA’s Opinion
While most of the requirements of PSD2 became on January 13th 2018, the SCA requirements (along with the measures relating to third-party access) were to come into force eight months later.
On the 21st of June 2019, the EBA published an opinion in accordance with Article 29(1)(a) of its Founding Regulation on the issue, which expressed concern over the preparedness of some links in the transaction chains. The EBA published its opinion as a result of queries from those in the industry regarding what authentication approaches the EBA considers to be compliant with SCA.
Importantly, the opinion made it clear that the EBA was legally not able to postpone an application date that is set out in EU law. It also stated that sufficient time had been made for the industry to prepare for the SCA application date, as the definition of SCA was set out in PSD2 when it was published in 2015 – and this gave clear indications that existing authentication approaches would need to be phased out - and because PSD2 had already granted an additional period for the industry to implement SCA.
Yet, the EBA’s opinion acknowledged that complexity of payments markets across the EU and the challenges arising from the required changes may lead to some of those in the payments chain not being ready by 14 September 2019. As a result, the EBA stated that national competent authorities (NCAs) may work with payment service providers (PSPs) and stakeholders to provide a limited period of additional time to ensure that issuers of payment instruments have in place or migrate to authentication approaches that are compliant with SCA and/or that acquirers of payment transactions offer solutions to their merchants that can support SCA.
However, additional time may only be granted if the relevant PSPs:
• have set up an appropriate migration plan which has been approved by their NCA and which is to be implemented in an expedited manner
• have adequate customer communication plans in place. NCAs will then have to monitor the effective implementation of the migration plan in due course.
The FCA’s Response
In August, the FCA announced that it had agreed an 18-month plan to implement SCA with the e-commerce industry of card issuers, payments firm and online retailers. It acknowledged that the plan reflected the EBA’s opinion that more time was needed to implement SCA given the complexity of the requirements, a lack of preparedness and the potential for a significant impact on consumers.
The FCA stated that it had been working with the industry to put in place stronger means of ensuring that anyone seeking to make payments was not attempting to commit fraud. It intended to do this, it said, by implanting SCA measures via “a phased plan for their timely introduction’’.
The FCA will not take enforcement action against firms if they do not meet the relevant requirements for SCA that were to have been enforced from 14 September 2019, provided that there is evidence that the firms have taken the necessary steps to comply with the plan. The FCA expects all firms to have made the necessary changes and undertaken the required testing to apply SCA by the end of the 18-month period.
The FCA will also continue to monitor the extent to which banks and payment service providers are meeting its expectation that they consider the impact of SCA on different groups of consumers and provide alternative means of authentication where needed.
The Effect of the FCA Decision
What has to be remembered is that the delayed implementation that the FCA has sanctioned only applies to payments within the UK itself. If, therefore, a UK business collects a payment in the European Economic Area (EEA), SCA will still apply.
In the wake of the EBA Opinion, there does not appear to be a unified approach within the EEA. In the absence of any clear indicators otherwise from other national regulators - or from the European banking industry - then the SCA will still apply to a significant number of transactions conducted beyond UK borders.
The EBA itself has highlighted the risks posed by lack of preparation by financial institutions for the departure of the UK from the EU. It has already asked NCAs to ensure that financial institutions take practical steps now to prepare for the possibility of a withdrawal of the UK from the EU with no ratified withdrawal agreement in place and no transition period.
The EBA has emphasised the importance of financial institutions in both the UK and other EU states identifying all possible risks and implications of the potential departure of the UK without a ratified withdrawal agreement in place.
Andrea Enria, Chairperson of the EBA, has said: "Firms cannot take for granted that they continue to operate as at present nor can they rely on as yet unrealised political agreements or public policy interventions. Risks, capacity and legal implications must be examined and addressed.
" Based on the EBA's assessment, financial institutions should take adequate steps to mitigate the impact without relying on possible public sector solutions that may not be proposed and/or agreed in time. Financial institutions should ensure they have the correct regulatory permissions, and associated management capacity in place ahead of time. They should identify and mitigate risks around access to financial market infrastructures and funding markets. Financial institutions should also assess and take necessary actions to address any impacts on rights and obligations of their existing contracts, in particular derivative contracts.
If financial institutions have any concerns in relation to the EBA’s statements, the EBA encourages them to contact their NCA for further guidance. The EBA will continue to monitor the level of readiness of EU financial institutions.