BaFin latest to defer PSD2 authentication rules enforcement

Out-Law News | 26 Aug 2019 | 7:54 am

Online payment processes in Germany are unlikely to adhere to new standards on customer authentication and security any time soon, a Frankfurt-based expert in payments law has said after the country's regulator announced an enforcement holiday on the issue.

'Strong customer authentication' (SCA) standards, drawn up under the EU's second Payment Services Directive (PSD2), are due to take effect on 14 September this year.

The standards aim to make sure that banks or payment services providers know that the person requesting access to an account or trying to make a payment is either the customer or someone who has their consent. They are intended to enhance the security of payments and limit fraud.

However, concern has grown in recent months about the lack of preparedness for the new SCA requirements. This led the European Banking Authority (EBA) to announce in June that national regulators could delay their enforcement of the new rules in certain circumstances to give businesses more time to update their systems and processes.

A number of regulators across EU member states have since outlined their plans to delay enforcement.

A three-year migration plan is envisaged in France, with an interim deadline of December 2020 set out for most transactions. In the UK, the Financial Conduct Authority (FCA) has endorsed a plan drawn up by UK Finance under which it will delay enforcement in the context of e-commerce payments until 14 March 2021 where businesses are working towards compliance. Further details of the agreed 'managed rollout' of SCA were confirmed in an FCA letter to chief executives dated 20 August.

The Central Bank of Ireland confirmed earlier this month that it too would delay its enforcement of SCA requirements in the area of e-commerce to provide for "a limited migration period". A similar approach has now been confirmed by Germany's Federal Financial Supervisory Authority (BaFin).

Like the Central Bank of Ireland, BaFin has not announced how long it will give businesses to update their systems before it will pursue enforcement of the new standards.

In its announcement, BaFin said that while it believes card-issuing payment service providers in Germany are prepared for the new requirements, retailers that accept credit card payments over the internet are not.

"To allow consumers and companies to continue using credit cards for online payments, BaFin will temporarily refrain from applying the requirements for strong customer authentication for online credit card payments," BaFin said.

The regulator said it will consult industry, the EBA and other regulators across Europe before confirming how long its enforcement holiday will apply. It said it expects businesses to "adjust their infrastructures as soon as possible so that they are able to facilitate strong customer authentication where this is required by law", and confirmed that it expects "concrete migration plans" to be put in place.

Ruth Maria Bousonville of Pinsent Masons, the law firm behind Out-Law, said that the BaFin announcement follows recent research published in Germany which revealed that only two-thirds of retailers have already implemented the technical means to conform to the SCA requirements and that 82% believe the new standards will lead to an increase in aborted purchases.

"This deferral means we won’t see SCA in Germany for a while," Bousonville said. "The payment providers are ready, but those online retailers who are ready as well won’t implement SCA for fear of aborted online purchases. They just won’t put themselves at a disadvantage compared to those retailers who haven’t done their homework yet."