European Banking Authority - "Strong Customer Authentication" Harmonized Migration Update

On October 16, 2019, the European Banking Authority (“EBA”) published an opinion (“the Opinion”) on the deadline and process for completing the migration to strong customer authentication (“SCA”) for e-commerce card-based payment transactions under the revised Payment Services Directive (“PSD2”). 

• In a previous opinion on the elements of SCA under PSD2, published in June 2019, the EBA accepted that, “on an exceptional basis”, National Competent Authorities (“NCAs”, which are the national regulators of each EU country) may grant, under certain conditions, “limited additional time” for the migration to SCA after September 14, 2019, which was the deadline to implement SCA. According to a survey conducted by the EBA, the vast majority of stakeholders in the payments sector across the EU prefer a “single common deadline”. In the new Opinion of October 16, 2019, the EBA sets December 31, 2020 as the “common deadline” for the complete migration to SCA for e-commerce card-based payment transactions; nevertheless, the legal obligations remain applicable as of September 14, 2019.
• The EBA recommends that the NCAs communicate to payment service providers (“PSPs”) that the “supervisory flexibility” does not mean “a delay in the application date of the SCA requirements in PSD2 and the EBA's Technical Standards”. The EBA also recommends that during this transition period, the NCAs “focus on monitoring migration plans instead of pursuing immediate enforcement actions against non-compliant PSPs”, although issuing and acquiring PSPs are still liable for loss caused by unauthorized payment transactions under Article 74 of PSD2.
• The Opinion further provides timetables with the actions to be taken by issuing and acquiring PSPs during the migration period. The timetables through December 31, 2020, also contain interim milestones applicable to PSPs in order to ensure a consistent and synchronized migration to SCA compliance. As a reminder, the deadline of December 31, 2019 applies to PSPs’ obligation to make available for the relevant NCAs their authentication approaches (distinguishing the SCA-compliant from non-compliant ones) as well as to inform the relevant NCAs about their plans containing “clear migration targets”.