On 13 January 2018, the new Payments Service Directive II (PSD2) came into force, and the most important element of this regulation was the requirement for Strong Customer Authentication (SCA) on most electronic payments. These new rules are intended to enhance payments security and to limit frauds during this authentication process.
Although PSD2 went into full effect on 14 September 2019, the European Banking Authority (EBA) allowed due delays for the implementation of the SCA requirements, which should be fully enforced by 31 December 2020 at the latest. As a result of EBA’s announcement, some European regulators had announced a 18-month longer enforcement delay, as the following contained below:
- In the UK, the Financial Conduct Authority (FCA) agreed on August 2019 an 18-month plan to implement SCA. In that way, the FCA has communicated that they “will not take enforcement action against firms where there is evidence that they have taken the necessary steps to comply with the plan”. Once this 18-month period has ended, the FCA “expects all firms to have made the necessary changes and undertaken the required testing to apply SCA”.
If you are asking about how Brexit will affect this matter… Do not worry, because in this case it is not a determinant success. The SCA will be applied in any case.
- France is proceeding in the same vein. L’Observatoire de la sécurité des moyens de paiement has created a migration plan in accordance with EBA’s communication and has established two different deadlines to implement the SCA and the 3D-secure. Related to SCA, it should be working since December 2020.
Meanwhile, the Bank of Spain has communicated its decision to grant an additional period of time to comply with PSD2, but without specifying the concrete deadline to implement it.
It is important to be aware of the fact that EBA makes its "Opinions" but each single country is responsible for enforcing and adapting these Opinions the best way possible taking into account its internal policy. The EBA is expected to publish shortly an Opinion to ensure that all national regulators grant the same period of time.
For example, in Sweden the Financial Supervisory Authority (SFSA) has confirmed that no general transition period will be applied in relation to remote card-based transactions. Instead, issuers and acquirers can apply to the SFSA on an individual basis, and more time may be granted to comply with SCA on a case-by-case basis. This announcement is potentially problematic, because it is going to be difficult to know if Swedish issuers did or did not apply to the SFSA to benefit from an adjustment period.
This fact leads us to ask ourselves the following: an unequal delay of the SCA implementation could be an opportunity or a risk? Let us know what you think!