One of the fundamental changes introduced by the EU’s second Payment Services Directive1 (“PSD2”) is to formalise payment security requirements in national law. One such requirement is for payment service providers ("PSPs") to apply strong customer authentication ("SCA") when a payer (a) accesses its payment account online, (b) initiates an electronic payment transaction or (c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.
Under PSD2, SCA is defined as an “authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data”.
In 2018, the European Banking Authority (“EBA”) adopted regulatory technical standards (RTS) on SCA and common and secure communication (CSC)2, which underpin the new security requirements under PSD2 and regulate the access by account information service providers and payment initiation service providers to customer payment account data held by account servicing payment service providers. The RTS were published in the Official Journal of the European Union on 13 March 2018 and legally apply as from 14 September 2019, which is accordingly the legal deadline for PSPs to comply with the SCA requirements.
On 21 June 2019, however, the EBA published an opinion on the elements of SCA under PSD2. The opinion is addressed to national supervisory authorities and provides useful guidance for PSPs, payment schemes and payment service users with regard to the RTS on SCA and CSC. In essence, the opinion is EBA’s response to key industry questions about which authentication factors comply with the requirements for SCA.
Importantly, the EBA Opinion of 21 June 2019 accepts that, on an exceptional basis and to avoid unintended negative consequences for payment service users after 14 September 2019, supervisory authorities may decide to cooperate with PSPs and relevant stakeholders, including consumers and merchants, to agree on an additional migration time to implement the SCA requirements.
The delay is made under the condition that PSPs set up a migration plan, that they agree on the plan with their supervisory authority, and execute it in an expedited manner.
The National Bank of Belgium’s response to the Opinion
On 27 August 2019, the National Bank of Belgium ("NBB") issued an announcement in response to the EBA Opinion of 21 June 20193 ("NBB SCA Announcement"), which is available on the NBB’s website in English. The NBB SCA announcement explains the NBB's expectations with regard to the implementation of the SCA requirements in the framework of e-commerce transactions.
In its announcement, the NBB reiterates that the legal deadline for complying with the RTS and the SCA requirements remains 14 September 2019, but acknowledges the challenges thereof for Belgian issuers of payment cards and Belgian acquirers for card transactions in relation to e-commerce transactions.
Therefore, the NBB indicates that it will cooperate with industry stakeholders (i.e., PSPs, card schemes, merchants and consumer representative organisations) to agree on a reasonable and acceptable plan for migrating the industry to SCA implementation for card payments as soon as possible after 14 September 2019.
The migration plan that is to be agreed upon between the NBB and the industry stakeholders will contain a blueprint for compliance and readiness, a timetable and key milestones and targets to achieve improved customer authentication security and a reduction of payment fraud. As soon as the migration plan is finalised and agreed upon with the NBB, it will be published on the NBB’s website.
The NBB expects that PSPs will fully comply with the migration plan and meet the identified milestones and targets, in order to ensure full compliance with the SCA requirements by the final delivery date as set forth in the migration plan. In order to benefit from the migration plan, PSPs will have to provide the NBB with sufficient evidence that they have taken appropriate steps to ensure compliance with the SCA requirements by the final delivery date.
Meanwhile: publication of a second EBA Opinion
The NBB SCA Announcement was shortly followed by a new EBA Opinion of 16 October 2019 on the deadline for the migration to SCA for e-commerce card-based payment transactions.
In this new opinion, the EBA sets the deadline for migration to SCA to 31 December 2020 and prescribes the expected actions to be taken during the migration period. This means that the final delivery date as set forth in the NBB's migration plan can be no later than 31 December 2020 and that supervisory flexibility should then end. At this point, the NBB has not yet published its migration plan.
Furthermore, the EBA reiterates that the supervisory flexibility granted by the EBA is not equivalent to a delay in the application date of the SCA requirements in the PSD2, which indeed remains 14 September 2019. Any PSP not complying with the SCA requirements after that date is still in breach of the law. Rather, it means that, until 31 December 2020, national supervisory authorities will not take enforcement actions against PSPs if they respect the milestones and the expected actions.
1 Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC.
2 As endorsed by Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication.
3 Announcement NBB_2019_23 on the EBA Opinion on the elements of strong customer authentication under PSD2.