Teal blue header image

Possible delay in enforcement of Strong Customer Authentication announced by the EBA and the FCA

The European Banking Authority (EBA) has recently expressed concerns over the state of preparedness of the payments market to achieve the September deadline for implementation of SCA under PSD2.

Whilst the deadline remains, the EBA have indicated that national competent authorities (the Financial Conduct Authority (FCA) in the UK) should work with payment service providers (such as banks, card issuers and merchant acquirers) and relevant stakeholders including consumers and merchants to provide 'limited additional time' to implement SCA authentication methods which are compliant with the requirements of PSD2.

What is Strong Customer Authentication?

Strong Customer Authentication (SCA) is intended to make electronic payment transactions more secure. New requirements to apply SCA have been introduced as part of the revised Payment Services Directive (PSD2). Subject to limited exceptions, these changes mean that companies who accept electronic transactions will have to verify a customers' identity using SCA when customers wish to make electronic payment transactions by applying security checks using two of the following three elements:

  • something the customer possesses (e.g. one time pass code sent via SMS);
  • something only the customer knows (e.g. password, PIN);
  • something the customer is (e.g. fingerprint scan, voice recognition).

What have the EBA said?

At the time of writing, the deadline for implementation of SCA under PSD2 is 14 September 2019.

However on 21 June 2019, the EBA published its opinion in relation to SCA which suggests this deadline may be deferred subject to compliance with any published industry migration plan/guidance discussed in further detail in this article.

In its opinion, the EBA suggests that national competent authorities (e.g. the Financial Conduct Authority (FCA) in the UK) should work with payment service providers (such as banks, card issuers and merchant acquirers) and relevant stakeholders including consumers and merchants to provide 'limited additional time' to implement SCA authentication methods which are compliant with the requirements of PSD2.

Why the delay?  

In the opinion, there is an acknowledgment by the EBA of the complexity of the payments market across the EU and the significant changes that will be required across the market to enable all actors in the payments market (including merchants and customers) to understand, apply and implement SCA. This will involve significant technical and business process change for many market participants. The EBA believes that there is a general state of unpreparedness across the payments market which could result in unintended negative consequences for some payment services users if the deadline of14 September 2019 is maintained.

Across the industry, there is a general feeling that there is a low awareness of SCA (particularly in relation to its impact on merchants and customers), deriving from the delayed availability of technological solutions used to apply SCA and the delayed communications from regulators which has created uncertainty thus delaying industry preparations. This low level awareness is reflective of general industry awareness and understanding of PSD2, borne out by our research in relation to the future of Open Banking and PSD2.

What conditions are attached to the 'limited additional time'?

In its opinion, the EBA have suggested that national competent authorities (such as the FCA in the UK) should grant 'limited additional time' to allow: card issuers the opportunity to fully migrate to authentication approaches which are compliant with SCA; merchant acquirers to migrate merchants to solutions that support SCA; and the industry additional time to make customers aware of the implications of SCA.

The EBA has indicated the national competent authorities (the FCA in the UK) should only grant the 'limited additional time' where payment service providers (such as card issuers, merchant acquirers etc.) have clear migration plans in place to execute the implementation of SCA in an expedited manner. The EBA expects that national competent authorities should monitor the execution of these plans to ensure swift compliance with SCA.

Crucially and perhaps of most significance, the FCA has indicated that it will not take enforcement action against payment service providers if they do not meet the relevant requirements for SCA from 14 September 2019 in areas covered by the agreed migration plan, where there is evidence that the relevant payment services provider has taken the necessary steps to comply with the plan.

What's next?

The deadline of 14 September 2019 presently remains. In the UK all eyes turn to the FCA who in response to the EBA opinion is working to quickly agree a plan with stakeholders across the UK payments industry that encompasses a blueprint for compliance and readiness for SCA, a timetable for achieving this, and key milestones and targets to deliver improved security of customer authentication and fraud reduction along the way. On Friday 28 June 2019, the FCA responded to the opinion stating that it will work in close cooperation with all industry stakeholders and other supervisory authorities, including the Payment Systems Regulator, to ensure delivery of SCA at pace.

Once the FCA has finalised the plan and it has been agreed by industry stakeholders, the FCA expects that all participants in the UK payments market will work to meet the agreed milestones, targets and final delivery date.

The EBA has stated that it will monitor the approach taken to any 'limited additional time' for SCA implementation to ensure there is a consistent approach taken across Europe, so any disparity in the approach of the FCA and its European counterparts (or vice versa) may draw further comment from the EBA.

Use your time wisely

So, the key for affected businesses who accept electronic payment transactions will be to work with your payment services providers to understand what they are doing in this space, what you need to do to be compliant with SCA and how you need to communicate any changes in the way transactions are authenticated to your customers. For payment services providers who are affected by SCA, you will need to engage with the FCA and any FCA published migration plan to work towards ensuring SCA compliance.

Should you wish to discuss any aspect of this article, please contract our Payments team who would be delighted to assist.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at July 2019. Specific advice should be sought for specific cases. For more information see our terms and conditions.


Insights & events View all