The European Banking Authority (EBA) has released a new opinion on strong customer authentication (SCA), revealing a possible route for extensions ahead of the September 14 deadline.
Ahead of the new payment services directive (PSD2), the EBA has said it acknowledges that implementing the new standards may prove to be more difficult than expected for some merchants.
New SCA regulations mean that European shoppers will have to authenticate online payments over €30 with two of the following: something that they know (password/email/PIN), something that they own (mobile phone) or something that they are (biometrics).
EBA believes “sufficient time” has been made available for the industry to prepare for SCA, having first been set out in 2015 alongside the additional 18-month extension period on PSD2 already granted.
However the regulator also realises the challenges that comes with new regulation, noting in particular actors that are not payment service providers (PSPs) such as e-merchants.
Alison Donnelly, director of compliance consultancy fscom, told PaymentExpert: “While we’ve known for many years that SCA would be a requirement, the details and interpretation have emerged slowly to where we are now – a looming deadline with significant changes to be implemented and the necessary solutions only becoming available recently.
“PSPs who will not meet the deadline must notify their regulator and outline by when they will be compliant. This should be within weeks or a few months, not longer.”
EBA stated that although it is unable to postpone the September deadline due to legal reasons, there can be flexibility for an extension via national competent authorities (NCAs).
The EBA explained: “On an exceptional basis and in order to avoid unintended negative consequences for some payment service users after 14 September 2019, NCAs may decide to work with PSPs and relevant stakeholders, including consumers and merchants, to provide limited additional time.
“This is to allow issuers to migrate to authentication approaches that are compliant with SCA, such as those described in this Opinion, and acquirers to migrate their merchants to solutions that support SCA.”
It continues by noting that this supervisory flexibility is only available if the PSP in questions has set clear a migration plan that’s been agreed with the national competent authorities and can clearly be executed.
The European Commission stressed the importance for firms to “step up their efforts in the run-up to 14 September.”
In a response statement, the European Commission commented: “It is indispensable that all stakeholders, banks, acquirers, merchants, etc. equip themselves with the relevant IT tools to apply the new requirements on time.
“It is also indispensable that proper communication and information campaigns be rapidly launched in order to raise awareness among all stakeholders, including bank customers, about the forthcoming changes.”
“The Commission will be particularly vigilant in monitoring this transition, ensuring that all players, including NCAs, play their full role and assume their responsibilities.”