EBA Pushes for a Synchronised Deadline for SCA Across Europe
As many of you know, the new PSD2 requirements for Strong Customer Authentication (SCA) were due to come into effect on September 14th. PSD2 requires applying strong two-factor authentication for in-scope payment transactions, which includes most remote commerce payments. However, as we outlined in our July 2019 report “Strong Customer Authentication in Europe: A Source of Differentiation for Payment Service Providers”, the industry was not ready. Had the requirements been strictly enforced from Day 1, the effects may have been devastating.
On June 21, the European Banking Authority (EBA) issued a statement recognising that the industry will struggle to meet September 14 deadline, and allowed National Competent Authorities (NCAs) “to work with PSPs and relevant stakeholders, including consumers and merchants, to provide limited additional time.” Most NCAs across Europe jumped at the opportunity. For example, in the UK, the Financial Conduct Authority (FCA) announced it would be working with the UK Finance to defer mandatory SCA for 18 months until March 2021. France announced a three-year migration plan, although they were expecting the majority of participants to be compliant after 15 months. Hungary went for 12 months, while many other regulators said they will delay enforcing the requirements without specifying the timeframes.