EBA sets end of 2020 as deadline for new card payment authentication

Out-Law News | 21 Oct 2019 | 3:50 pm | 1 min. read

The European Banking Authority (EBA) has set a deadline of 31 December 2020 for payment services providers (PSPs) to move to new ‘strong customer authentication’ (SCA) standards for online transactions.

In an opinion the EBA set out the actions it expects national authorities and PSPs to take in the run-up to the deadline, recommending that regulators take a consistent approach to the SCA migration period.

Banking expert Andrew Barber of Pinsent Masons, the law firm behind Out-Law, said the opinion was the first announcement on the topic since June 2019, when the EBA acknowledged the complexity of the payments market across the EU and the challenges arising from the changes required.

The rules were due to come into force with the implementation of revised technical standards on 14 September, but in June the EBA said that it would exceptionally delay the deadline to implement the changes to SCA requirements for ‘card-not-present’ transactions in order to give regulators time to work with PSPs and other stakeholders to avoid “unintended negative consequences”.

Barber said: “Having realised the challenges which its SCA rules would pose to card-not-present e-commerce but placing the onus on national competent authorities to develop transition plans, its latest intervention may not be universally welcomed".

“Some member state regulators, such as France, Denmark, Finland and the UK, have already finalised 18-month implementation plans which will now have to be shortened. Other domestic authorities, however, may benefit from confirmation of this long-stop deadline,” Barber said.

“Given the course of events so far, this is unlikely to be the last intervention from the EBA, which may eventually try to align the transition processes already in place,” Barber said.

The SCA rules are set out in regulatory technical standards to the revised Payment Services Directive (PSD2) and aim to make sure that banks or PSPs know that the person requesting access to an account or trying to make a payment is either the customer or someone who has their consent. They are intended to enhance the security of payments and limit fraud.

The latest opinion recommends that regulators focus on monitoring PSPs’ migration plans instead of pursuing immediate enforcement actions against PSPs that are not compliant with the SCA requirements.

The EBA added that consumers would still be protected against fraud through PSD2, and both issuing and acquiring PSPs were still liable for unauthorised payment transactions.

In August the UK’s Financial Conduct Authority confirmed it was giving e-commerce firms 18 months from the 14 September deadline to comply with the SCA standards.

Other regulators, including the Irish Central Bank and Germany’s Federal Financial Supervisory Authority, have also announced they would defer enforcement.