Revised Payment Directive 2 (PSD2) overview
As of 14 September 2019, the European Economic Area faces new regulatory obligations for authenticating online payments. These obligations are part of the second Payment Services Directive (PSD2); their core is referred to as Strong Customer Authentication (SCA), which has a stated objective of “ensuring that payments across the EU are secure, easy and efficient.” The European Banking Authority (EBA) has indicated that supervisory flexibility of approximately fifteen months should be sufficient for migrating to SCA, so implementation and testing by merchants should be completed by 31 December 2020.
In the summer of 2019, the Financial Conduct Authority (FCA) agreed to delay enforcement for SCA until 14 March 2021 in the UK – although this deadline did not apply to the rest of the European Economic Area (EEA).
In the exceptional circumstances of the COVID crisis, the Financial Conduct Authority (FCA) in the UK again stated they would allow additional time to implement SCA for ecommerce. The new PSD2 timeline of 14 September 2021 replaces the 14 March 2021 date.
After 14 September 2021, any firm that fails to comply with the requirements for SCA will be subject to full FCA supervisory and enforcement action.
- In its opinion issued on 21 June 2019, the European Banking Authority (EBA) provided clarity on the different elements of SCA.
- The EBA indicated that Competent Authorities throughout Europe could provide limited additional time for enforcement of PSD2’s SCA obligations.
- To align the National Competent Authorities, the EBA’s opinion issued on 16 October 2019 presents a harmonised plan for enforcement flexibility, indicating that migration to SCA should be completed by 31 December 2020.
Below is a PSD2 compliance timetable for the fifteen-month period leading up to the EBA migration completion date of 31 December 2020.
Country | Competent authority | Latest announcement regarding SCA |
---|---|---|
Austria | Financial Market Authority | 19 August 2019 — “FMA will extend the deadline for implementing strong customer authentication (‘2-Factor Authentication’) for e-commerce card payments to allow additional time for technical switch-over to payment service providers and trading companies.” Translated |
Denmark | Finanstilsynet | 4 September 2019 — “[I]t is the opinion of the Danish Financial Supervisory Authority that the market may be ready to comply with the new rules on March 14, 2021. Therefore, the Danish FSA will allow card issuers, card acquirers and e-commerce to receive an additional 18 months to ensure compliance with the new rules.” Translated |
Finland | Finanssivalvonta (Fin-FSA) | 5 September 2019 — “On a temporary basis, the FIN-FSA does not intend to impose administrative sanctions on its supervised entities, […] The additional time granted by the FIN-FSA for the implementation of requirements and change processes is temporary. The FIN-FSA will decide on the length of the transitional period this year after consulting the European Banking Authority and the supervisors of other Member States on the issue.” |
France | Autorité de contrôle prudentiel et de résolution | 9 July 2019 — The Bank of France plan provides for a three-year migration period until full compliance in 2022, while setting a target for the majority of transactions to be compliant with SCA by December 2020. The plan also includes an intermediate assessment in June 2021 of the residual “customers of SMS OTP” — a disfavored technology for the possession element — in order to determine how best to continue the phase-out during the transition. |
Germany | BaFin and Bundesbank | 21 August 2019 — “The extension will be limited in time. BaFin will determine when it will expire after consulting the market participants and coordinating with the EBA and the national European supervisory authorities.” Translated |
Greece | Bank of Greece | 26 August 2019 — “The Bank of Greece will adopt the EU-wide time frame to be specified by EBA (following the collection and processing of individual national data) and to be announced during the last quarter of this year” |
Hungary | Central Bank of Hungary | 10 September 2019 — “[T]he Central Bank of Hungary decided to provide the domestic market players an additional 12 months period to comply with the requirements of strong customer authentication in case of e-commerce transactions.” |
Ireland | Central Bank of Ireland | 8 August 2019 — “A limited migration period will be put in place for firms regulated by the Central Bank of Ireland in relation to the application of SCA requirements under the PSD2 Directive.” |
Italy | Banca d’Italia | 6 August 2019 — “The Bank of Italy has decided to provide the Italian financial industry additional time to complete the adjustments [for] card-based online payments… During the migration period, payments carried out without strong customer authentication may continue to be sent and accepted according to the current procedures.” |
Netherlands | De Nederlandsche Bank | 8 August 2019 — “DNB intends to allow market parties that were unable to prepare for the introduction of SCA for credit card transactions in time to have limited additional time. How much additional time will be allowed has not yet been determined.” Translated |
Poland | Polish Financial Supervision Authority | 19 August 2019 — “The framework conditions, including maximum time limits for the implementation of the SCA solutions within the ‘migration plan’, will be indicated after the conclusion of the arrangements at EBA, which will take place most likely after 14 September 2019.” |
Portugal | Banco de Portugal | |
Spain | Banco de España | 11 September 2019 — “In order to avoid possible negative consequences for some payment service users after 14. September[, t]he Banco de España [will] provide limited additional time allowing issuers of payment instruments and acquirers to migrate to solutions that are compliant with SCA [and] will review the migration plans presented by the PSPs, in accordance with the Opinion of the EBA[.]” |
Sweden | Finansinspektionen | 4 September 2019 — “The rules will … start to apply when they are introduced on September 14, 2019[.] However, those companies that are under the supervision of Finansinspektionen who consider themselves to need additional time for the application of strong customer authentication for transactions made via card payment in e-commerce … have the opportunity to submit a detailed plan … which should be in line with the timetable that the EBA will state later this year.” Translated |
UK | Prudential Regulation Authority and Financial Conduct Authority | 20 August 2019 — “The FCA [will] not to take enforcement action [for] firms that can demonstrate that they have taken the necessary steps to comply with the UK Finance co-ordinated plan to deliver SCA by 14 March 2021.” |
Please also see our separate pages on 3DS2 (and read why it doesn’t constitute SCA on its own) and Signifyd’s Payments Optimization products.