The revised Payment Services Directive (PSD2), applicable since 13 January 2018, brought significant changes to the payment markets in the EU. In particular, PSD2 requires certain payment services providers (PSPs) to apply strong customer authentication (SCA, also referred to as two-factor authentication) in remote electronic transactions.
The application of SCA in e-commerce, which was scheduled to enter into force on 14 September 2019, has been delayed due to concerns about market unpreparedness. In line with an Opinion by the European Banking Authority (EBA), the Austrian regulator FMA has extended the deadline for implementation by 15 months until 31 December 2020.
SCA is defined in PSD2 as "authentication based on the use of two or more elements categorised as (i) knowledge (something only the user knows), (ii) possession (something only the user possesses) and (iii) inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data". SCA will be required for all electronic payments, unless one of certain exemptions applies. Specifically, when (i) a payment user accesses its payment account online or (ii) initiates an electronic payment transaction or (iii) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses, SCA will have to be used.
The European Banking Authority (EBA) has developed regulatory technical standards (RTS), setting out details on SCA but refraining from specifying particular authentication processes to ensure that the RTS remain future-proof. It has also published an Opinion on 21 June 2019, responding to the queries of the market actors and providing non-exhaustive examples of compliant SCA:
In addition to the above-described rather technical details of SCA implementation, the EBA also addressed market preparedness in the Opinion. While acknowledging the complexity of the payment markets in the EU and the challenges posed by the required changes, the EBA stressed that in its view the market actors have had sufficient time to implement SCA by the 14 September 2019 deadline.
However, to avoid unintended negative consequences for some payment service users after the deadline, the EBA has decided to accept that the deadline may be extended for SCA in e-commerce by national competent authorities.
In particular, the EBA (and other European regulators) are concerned that merchants accepting online payments (in particular card-based ones) are not thoroughly prepared to apply SCA in their payment processes, which could, in the regulators' view, result in negative consequences (e.g. an increased number of cancelled/unsuccessful payment transactions) both for payment service users and for accepting companies/merchants.
In line with the EBA's Opinion and views, the Austrian Financial Market Authority (Finanzmarktaufsichtsbehörde – FMA) has announced that it will exercise "regulatory flexibility" and has extended the deadline for SCA application for online card-based payment transactions until 31 December 2020. Despite this delay for SCA application, the PSPs are required to transmit a migration plan to the FMA and to keep the FMA informed of the implementation process. This extra transitional period, however, extends only to regulatory aspects; potential civil law implications and liabilities are not affected.
Similar extensions have been announced by other European market authorities, for example Germany's Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht – BaFin) or the UK's Financial Conduct Authority.
Author: Matthias Pressler