On 16 October 2019, the European Banking Authority (EBA) published its latest opinion on the deadline for the migration to strong customer authentication (SCA) under the revised Payment Services Directive (PSD2) for e-commerce card-based payment transactions.
Earlier this year the EBA published an opinion providing a non-exhaustive list of the authentication approaches currently observed in the market and stated whether or not they were considered to be SCA compliant. The opinion also acknowledged that some firms not directly subject to the PSD2 (such as e-merchants) might not be ready by the SCA application date of 14 September 2019. The EBA therefore accepted that, on an exceptional basis, Member State competent authorities might provide some stakeholders with limited additional time. Following the EBA opinion Member State competent authorities (NCAs) made a series notifications concerning SCA compliance, notably in the UK, Germany and the Netherlands.
In its latest opinion on SCA the EBA communicates a deadline of 31 December 2020 by which the period of supervisory flexibility should end. The EBA also sets out a table starting on page 5 of the opinion prescribing the expected actions that NCAs should take during the migration period. Whilst the opinion is addressed to NCAs, the supervisory expectations being conveyed should also prove useful for payment service providers (PSPs), card schemes and payment service users, including merchants.
The EBA recommends that NCAs communicate to PSPs that the supervisory flexibility they have exercised does not represent a delay in the application date of the SCA requirements. It means instead that NCAs will be able to focus on monitoring migration plans rather than pursuing immediate enforcement actions against PSPs that are not compliant with the SCA requirements.