It seems payments legislators really did write checks the industry couldn't cash... The Central Bank of Ireland, among other EU financial regulators, is now saying that it will agree limited plans deferring the need for local payment service providers to comply with "strong customer authentication" (SCA) requirements that were designed to cut payment fraud from 14 September 2019. [Update, the CBI has deferred enforcement action until 1 January 2021, but the 'liability shift' for any payment service provider failing to implement SCA when required by the issuer will apply in the meantime].
This follows a decision by the European Banking Authority to allow local financial regulators to provide limited additional time for SCA compliance by the payment service providers they supervise "on an exceptional basis and in order to avoid unintended negative consequences for some payment service users" on that date. The EBA says that the PSPs must have agreed a migration plan with their regulator and execute it "in an expedited manner." The regulator should also monitor the execution of the plans "to ensure swift compliance..." The EBA's opinion also contains tables listing the types of features that will (or, in marginal cases, will not) constitute compliant elements for the purpose of SCA (two of "inherence", "possession" or "knowledge" - i.e. what the customer is, what the customer possesses, or what the customer knows).
That follows an earlier EBA opinion and a Q&A on how SCA applies, but it remains to be seen how many retailers are aware of the new requirements at all, let alone the potential impact on customer experience and 'conversion' (customers dropping out at the payment step when asked to complete one or more additional authentication steps).
Whether payments are affected depends on whether PSD2 applies - some may be out of scope based on currency or location, while others may be within the scope of PSD2 but excluded. There is then a question whether the transaction is interpreted to be one caught by the SCA requirement. For instance, is it remote or electronic and initiated by the payer (rather than being a 'merchant initiated transaction')? Even transactions that are in scope may not be caught if the issuer (not the merchant or acquirer) of the payment instrument/account applies any of the potential exemptions:
- Low-value transactions: up to €30 per transaction (limit of five separate transactions or €100);
- Recurring transactions: e.g. subscriptions for the same amount and payee (SCA applied to the first transaction);
- Whitelisted: payers can add payees to a whitelist of trusted beneficiaries with the issuer, but payees can't request this;
- Corporate payment processes: dedicated process for non-consumers, approved by the regulator (member states may exclude micro-enterprises as consumers);
- Contactless: up to €50 (limit of five separate transactions or €150 without an SCA check);
- Unattended terminals: only for paying transport fares or parking fees;
- Low risk of fraud: as determined by the issuer, depending on its average fraud levels for the relevant acquirer (not by merchant/channel), with different limits for cards and credit transfers.
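As an added illustration (not from the post, the EBA or the CBI), here is how an issuer-side rule engine might apply the low-value, contactless, recurring and whitelist exemptions listed above. The per-instrument counters, their reset whenever SCA is actually applied, the rule that only prior exempt transactions count towards the "five transactions or €X" limits, and all field names are assumptions of this example.

```python
from dataclasses import dataclass, field

# Thresholds as listed in the post. Per-instrument counters that reset when SCA is
# applied, counting only prior exempt transactions, are this example's assumption.
LIMITS = {
    "remote":      {"per_tx": 30.0, "count": 5, "cumulative": 100.0},
    "contactless": {"per_tx": 50.0, "count": 5, "cumulative": 150.0},
}

@dataclass
class Transaction:
    amount_eur: float
    channel: str                       # "remote" or "contactless"
    merchant_initiated: bool = False   # not payer-initiated, so outside SCA
    recurring_followup: bool = False   # same amount and payee as an SCA'd first payment
    payee_whitelisted: bool = False    # payer-added trusted beneficiary

@dataclass
class InstrumentState:
    """Hypothetical issuer-side counters for one card/account since the last SCA."""
    count: dict = field(default_factory=lambda: {c: 0 for c in LIMITS})
    cumulative: dict = field(default_factory=lambda: {c: 0.0 for c in LIMITS})
    def reset(self):
        self.count = {c: 0 for c in LIMITS}
        self.cumulative = {c: 0.0 for c in LIMITS}

def sca_decision(state: InstrumentState, tx: Transaction):
    """Return (sca_required, reason) and update the counters for this instrument."""
    if tx.merchant_initiated:
        return False, "out of scope: merchant-initiated transaction"
    if tx.recurring_followup:
        return False, "exempt: recurring transaction (SCA was applied to the first)"
    if tx.payee_whitelisted:
        return False, "exempt: trusted beneficiary"
    lim = LIMITS[tx.channel]
    if (tx.amount_eur <= lim["per_tx"]
            and state.count[tx.channel] < lim["count"]
            and state.cumulative[tx.channel] + tx.amount_eur <= lim["cumulative"]):
        state.count[tx.channel] += 1
        state.cumulative[tx.channel] += tx.amount_eur
        return False, f"exempt: low-value {tx.channel} transaction"
    state.reset()   # SCA is applied, so the running counters start again
    return True, f"SCA required: {tx.channel} per-transaction or cumulative limit hit"

def simulate(txs, state=None):
    """Run a sequence of transactions on one instrument; return the SCA-required flags."""
    state = state or InstrumentState()
    return [sca_decision(state, tx)[0] for tx in txs]
```

Six consecutive €20 remote payments show the interaction: the first five are exempt, the sixth trips the count limit and forces SCA, after which the counters restart.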
It will be interesting to see how much progress is really made in the next 6 to 18 months...
...a limited migration period will be put in place for firms regulated by the Central Bank of Ireland in relation to the application of SCA requirements under the PSD2 Directive. This migration period relates to ecommerce transactions only. As such, there will be no disruption to payments systems from 14 September, when the RTS on SCA of the Directive is due to come into force.