EBA sets December 2020 migration deadline for SCA compliance
The European Banking Authority (EBA) has published an opinion on the migration to strong customer authentication (SCA) under the second Payment Services Directive (PSD2), setting a new deadline at 31 December 2020.
The opinion also recommends that national competent authorities (NCAs) take a “consistent approach toward the SCA migration period” across the EU and ensure that their respective payment service providers (PSPs) carry out the actions set out in the opinion paper.
The EBA also requires that NCAs impress upon payment providers that the flexibility granted by the regulator is not equivalent to a delay in the application of the regulation, but rather a reprieve from sanctions and enforcement actions.
“Since the publication of the EBA Opinion on the elements of SCA in June 2019, the EBA took note that all NCAs in the EU made use of the flexibility granted and communicated this to their respective industries,” the regulator writes.
“Furthermore, and in order to be able to make a well-informed decision as to the most appropriate deadline and the actions that the industry should take until then, the EBA and NCAs carried out a fact-finding exercise in July and August 2019.”
A majority of those asked by the regulator communicated that they needed a “consistent and harmonised” implementation of SCA, as well as a single common deadline.
Another large slice of respondents were keen to implement an 18-month period to enable a “smooth, frictionless and ordered migration”.
The EBA says it assessed the feedback and noted that the 18-month suggestion appeared to be driven significantly by the development timeline of 3DS Secure 2.
“Other means of payment are available,” the regulator writes, “and taking into account the objectives of PSD2 and the RTS of technical neutrality and increasing competition in the payments market, the EBA’s view cannot be based solely on providing a benefit to one or more incumbent providers.”
It adds that existing market challengers to 3DS Secure 2.2 can provide competing payment services and are already in a position to offer SCA-compliant solutions.
Further in the opinion paper, the EBA outlines a set of milestones that NCAs and PSPs are expected to meet. The first of these is a 31 December 2019 deadline for PSPs to inform their national regulators of the SCA-compliant authentication methods they are making available to customers.
“These actions should also allow NCAs to ensure that PSPs follow their migration plans and to keep track of the progress made,” writes the EBA. “The actions aim at ensuring harmonised and consistent migration to SCA compliance and readiness.”