17/10/2019: The European Banking Authority (EBA) published an Opinion on the deadline for the migration to strong customer authentication (SCA) under Directive 2015/2366/EU of 25 November 2015 on payment services in the internal market (PSD2) for e-commerce card-based payment transactions (EBA-Op-2019-11). The Opinion is a follow-up to the Opinion on the elements of SCA that the EBA published on 21 June 2019 (EBA-Op-2019-06). This last Opinion allowed the national competent authorities (NCAs) to provide limited additional time for issuing and acquiring payment service providers (PSPs) to migrate their merchants to SCA compliant solutions.
The deadline for migration to SCA has now been postponed to 31 December 2020 (instead of 14 September 2019). The EBA also sets out the actions it expects NCAs to take towards PSPs during the migration period. The Opinion is addressed to NCAs but, given the supervisory expectations it is conveying, it should also prove useful for PSPs, card schemes and payment service users, including e-merchants.
The Opinion is directed towards the NCAs, which are asked to take a consistent approach towards migration to SCA compliance and readiness across the EU and to require PSPs to carry out the actions set out in the Opinion. These milestones and expected actions are detailed in two tables, applicable to respectively issuing PSPs and acquiring PSPs. The migration plans of PSPs, including the implementation and testing by merchants, should be completed by 31 December 2020, by which the supervisory flexibility should also end.
The NBB already announced on 27 August 2019 (NBB_2019_23), following the EBA Opinion of 21 June 2019, that it would agree to set up reasonable migration plans in close cooperation with industry stakeholders. In light of this new Opinion, further NBB guidance on migration plans should therefore be awaited.
In addition, the EBA recommends that, where required, NCAs communicate to PSPs in their jurisdiction that this supervisory flexibility does not represent a delay in the application date of the SCA requirements. Rather, it means that NCAs will focus on monitoring compliance with migration plans instead of pursuing immediate enforcement actions against PSPs that are not SCA-compliant.
The EBA also notes that consumers should be protected against fraud as required by the law and that NCAs should therefore communicate to their PSPs that the liability regime under Article 74 of the PSD2 applies, and that issuing and acquiring PSPs are still liable for unauthorised payment transactions. PSPs therefore have a self-interest to migrate to SCA-compliant solutions (such as 3D Secure V2.2 that is made available by the major card schemes) and approaches in an expedited way.