EBA paves the way for payment security deadline extension

Out-Law News | 24 Jun 2019 | 3:37 pm

Businesses could be given more time to implement new payment security standards after the European Banking Authority (EBA) responded to industry lobbying for the approaching deadline for compliance to be extended.

EU law states that new strong customer authentication (SCA) standards, which will apply to many payment transactions in Europe, must be implemented by payment service providers (PSPs) by 14 September. However, the EBA has provided national regulators with scope to apply extensions "on an exceptional basis and in order to avoid unintended negative consequences for some payment service users".

"[Competent authorities (CAs)] may decide to work with PSPs and relevant stakeholders, including consumers and merchants, to provide limited additional time to allow issuers to migrate to authentication approaches that are compliant with SCA … and acquirers to migrate their merchants to solutions that support SCA," the EBA said in a new opinion.

"This supervisory flexibility is available under the condition that PSPs have set up a migration plan, have agreed the plan with their CA, and execute the plan in an expedited manner," it said.

Financial services and technology law expert Angus McFadyen of Pinsent Masons, the law firm behind Out-Law, said the EBA’s announcement is driven by warnings from the e-commerce community about preparedness for the SCA deadline. He said, though, that there is potential for implementation of the SCA standards to be confusing.

McFadyen said: "The EBA has recognised the potential for national regulators to interpret its opinion differently. It will monitor for inconsistencies and use the powers at its disposal to 'remedy' the situation. However, the prospect of a confusing implementation of the SCA standards remains, which could be a real issue for e-commerce operators active in a number of member states."

"In addition, lost amidst the calls for regulators to step back from enforcing the SCA is the fact that the SCA requirements, and the date for implementation, are fixed in EU law. There may be implications regarding liability in cases where an extension has been applied but the law is in effect should errors or fraud occur in transactions," he said.

McFadyen also said that there is a real question over whether the SCA standards are necessary in developed e-commerce economies, like the UK and other countries in northern and western Europe, where industry is already able to "control fraud levels to an extent already". He said the new requirements are "perhaps designed more to help improve user trust and confidence in less e-commerce-driven economies" but questioned whether a solution from the early 2010s "still works today".

McFadyen also said the EBA has helpfully provided clarity on a number of issues beyond the question of delay, including how businesses can achieve SCA, which he said the market will welcome. However, he said there are likely to be other unintended consequences resulting from some businesses being ready for the technical implementation of SCA while others are not. More clarity from the regulators on this issue will be required before long, he said.