The European Banking Authority (EBA) has set a new deadline of 31 December 2020 for SCA (Strong Customer Authentication), under the PSD2 legislation to be enforced.
The EBA and National Competent Authorities carried out a fact-finding exercise in July and August 2019. The EBA assessed the feedback of respondents and followed up with a suggestion of an 18-month timeline of the development of 3DS Secure 2, which was the major sticking point in terms of implementation down the chain.
In the paper, the EBA outlines that NCAs and PSPs are to be expected to meet a set of milestones. The first of these is a 31 December 2019 deadline for PSPs to inform their national regulators of the authentication methods they are making available to customers and which comply under SCA.
Everyone is now expected to fall in line: PSPs, merchants and software vendors by this time, through this new communication they are aiming to create some consistency across EU NCAs.
“consistent approach toward the SCA migration period.”
The NCAs are to ensure that their respective payment service providers (PSPs) carry out the actions set out in the opinion paper.
Something that we’ve been mentioning around the ‘delay’ terminology previously used by the media has also been commented on by the EBA. NCAs need to impress upon payment providers that the flexibility granted by the EU is not equivalent to a delay in the application of the regulation around SCA, it is merely an understanding and reprieve from enforcement.
Just like Brexit, now we’re all a bit more aware of what is required and how we might achieve it, it’s time to actually create a plan, implement it and communicate it effectively from NCAs down. Some payment providers have done a better job than others in doing this, but there is still a fog for or complete ignorance for some merchants and software vendors on the issues.