Strong Customer Authentication (SCA): EBA opinion allows for 15-month migration period

On 16 October 2019, the European Banking Authority (EBA) published another Opinion on the updated Payment Services Directive (PSD2) and in particular its provisions on Strong Customer Authentication (SCA) (see here). The Opinion recommends that national competent authorities (NCAs) grant issuers and acquirers (PSPs) until 31 December 2020 (i.e. a 15-month extension) to comply with the SCA requirements for remote card-based payments, subject to compliance with certain intermediary milestones.

The background to the Opinion

Pursuant to PSD2 and the related regulatory technical standards for strong customer authentication and common and secure open standards of communication (RTS), PSPs are required to apply SCA, since 14 September 2019, when the user (1) accesses its payment account online, (2) initiates an electronic payment, or (3) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses. SCA means that at least two strong factors should be used to authenticate the user (for example a device plus a password, or a device plus a fingerprint).

On 21 June 2019, the EBA stated in an Opinion that it was acceptable, "on an exceptional basis", for NCAs to allow PSPs "limited additional time" for the implementation of SCA, provided that the PSPs (1) had set up a migration plan, (2) had agreed that plan with their NCA, and (3) executed the plan in an expedited manner and within a given timeframe (see our client alert here). In the press release that accompanied that Opinion, the EBA also indicated that “the EBA will later this year communicate deadlines by which the aforementioned actors will have to have completed their migration plans”.

Although the EBA June 2019 Opinion was not limited to remote card-based payments, during the Summer all NCAs in the EU (except Bulgaria to our knowledge) and Norway made announcements in relation to remote card-based payments:

- Sweden announced that it would not grant a country-wide adjustment period to issuers and acquirers, but would only perhaps grant adjustment periods to one or more select issuers and/or acquirers on a case-by-case basis (see our client alert here).

- Most NCAs announced that they would grant a general adjustment period to issuers and acquirers under their supervision – without however specifying how long that adjustment period would be (see our client alerts on Italy here, The Netherlands here, Poland here, Germany here, Finland here, Spain here). 

- Despite the above EBA announcement of a forthcoming unified timetable, some countries went further and indicated the length of the adjustment period that they were prepared to give to issuers and acquirers under their supervision: Hungary 12 months (see our client alert here), UK and Denmark 18 months (see our client alert on UK here and on Denmark here), and France even longer than 18 months (with June 2022 as the ultimate milestone).

What does the EBA Opinion say?

In its 16 October 2019 Opinion, the EBA reminds NCAs and stakeholders involved in card payments that the SCA requirements are legally applicable since 14 September 2019, and that "any PSP not complying with them is in breach of the law" (paragraph 10). The EBA also reminds them that the liability shift mechanism set out in Article 74(2) PSD2 (generally described as "the weakest link pays for the fraud") is also legally applicable. 

However, in order to avoid the potential negative impact that different adjustment periods in different EU countries may cause, the EBA recommends that NCAs grant the same amount of time to fully comply with SCA, i.e. until 31 December 2020. Clearly this is not an ideal deadline as it will fall in between Christmas and New Year, which is a period of high online purchase activity…

The Opinion also sets out various milestones between now and 31 December 2020 (e.g. 31 December 2019, 31 March 2020, 30 June 2020, 30 September 2020, etc) – see table 1 and table 2 in the EBA Opinion for more details on what those milestones encompass. It is worth noting that those milestones do not specify certain SCA migration targets that would need to be met (unlike in the migration plan that the French NCA had put forward, for example). However, the EBA expressly sets out that "these actions do not restrict NCAs from requiring more detailed information" (paragraph 24).

A number of stakeholders involved in card payments (i.e. issuers, acquirers, merchants, card schemes) had expressed a preference for an 18-month adjustment period in their responses to a survey that the EBA had carried out during the Summer (and potentially even more time in relation to merchants active in the travel and hospitality sector). The French and UK NCAs were also requesting an 18-month migration period in light of their above-mentioned announcements. Those parties may therefore be disappointed by the EBA "only" granting a 15-month extension. The EBA justifies granting "only" a 15-month migration period, essentially because:

1. The RTS have been known for a long time and therefore the various stakeholders involved in remote card-based payments (allegedly) had sufficient time to implement the necessary changes.
2. The card industry justified the necessity of an 18-month extension on the basis that sufficient time is needed in order to implement the 3D Secure 2.2 (3DS2.2) protocol. However the EBA considers that the implementation of this protocol is not needed in order to comply with SCA, but is instead needed to avoid SCA to the maximum extent possible (i.e. to maximise the use of the exemptions, and to allow Merchant Initiated Transactions (MIT) to proceed without SCA). 
3. There is always a risk that the timing for the implementation of 3DS2.2 may need to be extended. 
4. There are "market challengers that provide competing payment services [to cards that] are already ready to offer SCA-compliant solutions […] the EBA’s view cannot be based solely on providing a benefit to one or more incumbent providers" (paragraph 10). 

What happens next? 

In its Opinion dated June 2019, the EBA had already indicated that “[t]he EBA will monitor the consistency of SCA implementation across the EU, including by monitoring the way in which the views expressed in this opinion are taken into account and by requesting relevant information from CAs. Where the EBA identifies inconsistencies, despite the guidance contained in this opinion and the previous clarifications provided in the Opinion on the implementation of the RTS and Q&As, it will take the actions needed to remedy those inconsistencies in line with the powers conferred on the EBA in its founding regulation” (paragraph 15).

We expect that the NCAs that have announced the principle of an adjustment period, but not indicated how long it would be, will follow the timetable set out in the EBA Opinion. 

We would also expect that Hungary, which had announced a 12-month adjustment period, will align to the EBA timetable too.

As regards the countries that have announced a longer adjustment period (i.e. UK, France, Denmark), it will be interesting to see in the next few weeks or months, how those NCAs will react: will they change their plan and align to the EBA Opinion? Or will they continue with the previously announced plans?

- As far as we are aware, Denmark had not yet performed an in-depth consultation with the Danish payments industry, and can therefore be expected to align to the EBA Opinion.

- UK and France had performed such an in-depth industry consultation and will probably be reluctant to change their plan to align to the EBA timetable. Should one of these countries, or both, decide not to comply with the EBA timeline, one may expect a possible legal challenge to be introduced. While the EBA Opinion is not legally binding, the PSD2 SCA requirements (as transposed within the national laws of EU/EEA Member States), as well as the RTS, are legally binding, with a legal deadline of 14 September 2019 (as the EBA clearly restated above). Should the UK and/or France not conform to the EBA timeline, the EBA and EC could initiate legal action against the relevant NCA(s), which consists of various procedural steps. The first one would be for the EBA to open a formal investigation against the relevant NCA(s) (something that the EBA has recently done against the Danish and Estonian NCAs for an alleged breach of the EU rules on AML - the formal investigation was closed without fines – see here), which may result in an EBA recommendation against the relevant NCA(s). If the NCA does not comply with that EBA recommendation, the EC may then issue a binding formal opinion against the NCA which, if not complied with, may result in an EBA binding individual decision. The EC may also initiate proceedings against the relevant Member State before the Court of Justice of the EU (CJEU).

We will continue following this topic closely and will keep you informed.

Should you have any questions concerning the above, please do not hesitate to contact one of the members of the Bird & Bird global Payments team.
