Out-Law / Your Daily Need-To-Know

Irish central bank confirms SCA migration period for e-commerce

Out-Law News | 12 Aug 2019 | 11:14 am | 2 min. read

Banks and other businesses in the Irish payments market will have more time to implement new security standards due to take effect next month after the Central Bank of Ireland said it will apply "a limited migration period".

The Central Bank of Ireland confirmed, though, that the migration period will impact e-commerce transactions only and it has still to define exactly how long the migration period will last for. It said it is seeking a "harmonised approach" to the issue across the EU.

The 'strong customer authentication' (SCA) standards were drawn up under the EU's second Payment Services Directive (PSD2) and are designed to combat payment fraud.

Under PSD2, providers of account information services and payment initiation services have new rights to access payment accounts, like current accounts, and statement details, as well as other account information, held by banks and other account servicing payment services providers where customers consent to such access.

The detailed requirements on third party access are contained in the SCA standards. ASPSPs must either enable third party access to the data through the customer's normal online banking websites, or alternatively develop a new 'dedicated interface' (API) for that purpose. Those requirements, though, do not apply until 14 September this year.

However, the European Banking Authority (EBA) gave scope to national regulators to apply an enforcement holiday in certain circumstances to give businesses more time to update their systems and processes. That concession came after concerns were raised about the lack of preparedness for the forthcoming standards within the market.

Research commissioned by Stripe published earlier this year suggested that up to €57 billion of sales are at risk in the first year that the SCA rules apply. Other industry figures have predicted as many as 25 or 30% of e-commerce transactions could be declined in the immediate aftermath of the switch to SCA.   

Since the EBA outlined its position, the UK's Financial Conduct Authority (FCA) has been working with industry to agree on a delay to enforcement. Now the Central Bank of Ireland has outlined its position on the issue too. It said it "recognises the difficulties" firms face in meeting the 14 September deadline.

"We have been engaging with the industry to develop a migration plan to implement SCA for ecommerce transactions, as soon as possible after this date," the Central Bank of Ireland said. "In line with the EBA opinion published in June, a limited migration period will be put in place for firms regulated by the Central Bank of Ireland in relation to the application of SCA requirements under the PSD2 Directive. This migration period relates to ecommerce transactions only. As such, there will be no disruption to payments systems from 14 September, when the RTS on SCA of the Directive is due to come into force."

"The Central Bank of Ireland will continue to engage with the EBA and other national competent authorities in the European Union in relation to this issue, aiming to agree a harmonised approach to the migration time periods across the European Union. The Central Bank of Ireland will continue to communicate on this issue as it develops," it said.